04-24-2008, 01:00 PM
"Jordi Gutiérrez Hermoso"

Various questions on encrypted partitions

So when I installed Debian, I told d-i to wipe the hard disk and
encrypt my lappy's hard drive. My tinfoil-hatted heart loves it.
They'll never take me or my data alive.

I am curious, though, as to the exact nature of the encryption. I'd
rtfm, but I don't know where to begin. I understand the encryption is
AES-256, supposedly good enough to keep spooks at bay, but how exactly
does it work? I chose a ridiculous 25-character random printable ASCII
password that I have committed to my cerebellum and muscle memory,
because I thought that AES-256 actually uses my password to encrypt
the hard drive. Is this true?

I also see that it uses something called LUKS, and I understand that
LUKS is the way to change my encryption password. How does that work,
exactly, at the mathematical level? If I change the encryption
password, does the hard drive get reencrypted a different way, or
what?

My last question is about potential data loss. Is an encrypted hard
drive more vulnerable to data loss than an unencrypted one? Suppose I
have a hardware failure or something. Will the encryption make it
harder to recover my data than if I weren't using encryption? That is,
if a few bytes are off, can AES-256 still decrypt gracefully?

Thanks,
- Jordi G. H.


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
04-24-2008, 04:52 PM
"Digby Tarvin"

On Thu, Apr 24, 2008 at 08:00:39AM -0500, Jordi Gutiérrez Hermoso wrote:
> So when I installed Debian, I told d-i to wipe the hard disk and
> encrypt my lappy's hard drive. My tinfoil-hatted heart loves it.
> They'll never take me or my data alive.
>
> I am curious, though, as to the exact nature of the encryption. I'd
> rtfm, but I don't know where to begin. I understand the encryption is
> AES-256, supposedly good enough to keep spooks at bay, but how exactly
> does it work? I chose a ridiculous 25-character random printable ASCII
> password that I have committed to my cerebellum and muscle memory,
> because I thought that AES-256 actually uses my password to encrypt
> the hard drive. Is this true?
>
> I also see that it uses something called LUKS, and I understand that
> LUKS is the way to change my encryption password. How does that work,
> exactly, at the mathematical level? If I change the encryption
> password, does the hard drive get reencrypted a different way, or
> what?
>
> My last question is about potential data loss. Is an encrypted hard
> drive more vulnerable to data loss than an unencrypted one? Suppose I
> have a hardware failure or something. Will the encryption make it
> harder to recover my data than if I weren't using encryption? That is,
> if a few bytes are off, can AES-256 still decrypt gracefully?
>
> Thanks,
> - Jordi G. H.

Try looking at the manual entries for cryptsetup and luksformat...

The encryption algorithm used will depend on the options you chose when
you set up your filesystems. I think it defaults to AES-256.

And no, it doesn't use your password to encrypt all the data. It generates
a random key for that. Your password is used to encrypt the random key,
and the result stored in the LUKS header. So when you change your password,
all that happens is the random key gets re-encrypted with the new password
and replaced. It even allows you to assign multiple passwords, by storing
multiple copies of the random key, encrypted by each of the passwords.

I think the man pages above, and the other resources they cite, should
answer your other questions.

Regards,
DigbyT
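
The key-wrapping scheme described in the reply above, as an added example that is not part of the original thread and is not cryptsetup's code: a simplified Python model of a header with keyslots, showing that a passphrase change re-wraps the same master key. XOR with a PBKDF2-derived key stands in for the real cipher, and the function names, header layout and iteration count are assumptions.

```python
import hashlib, hmac, os

ITERATIONS = 10_000  # constructed value; a real header stores its own count
KEY_LEN = 32         # 256-bit master key, the size AES-256 needs
MAX_SLOTS = 8        # LUKS1 headers have eight keyslots

def _kdf(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS, KEY_LEN)

def _xor(a, b):
    # Stand-in for the real cipher: XOR with a one-time derived key.
    return bytes(x ^ y for x, y in zip(a, b))

def add_key(header, master_key, passphrase):
    """Wrap the master key under a passphrase in the first free keyslot."""
    free = [i for i in range(MAX_SLOTS) if i not in header["slots"]]
    if not free:
        raise RuntimeError("all keyslots are in use")
    salt = os.urandom(16)
    header["slots"][free[0]] = (salt, _xor(master_key, _kdf(passphrase.encode(), salt)))
    return free[0]

def format_volume(passphrase):
    """Create a random master key and a header that never stores it in the clear."""
    master_key = os.urandom(KEY_LEN)
    digest_salt = os.urandom(16)
    header = {"digest_salt": digest_salt,
              "mk_digest": _kdf(master_key, digest_salt), "slots": {}}
    add_key(header, master_key, passphrase)
    return header, master_key

def unlock(header, passphrase):
    """Try every keyslot; return (slot, master_key) or None."""
    for slot, (salt, wrapped) in sorted(header["slots"].items()):
        candidate = _xor(wrapped, _kdf(passphrase.encode(), salt))
        digest = _kdf(candidate, header["digest_salt"])
        if hmac.compare_digest(digest, header["mk_digest"]):
            return slot, candidate
    return None

def change_passphrase(header, old, new):
    """Re-wrap the same master key; the bulk data is never re-encrypted."""
    found = unlock(header, old)
    if found is None:
        raise ValueError("old passphrase opens no keyslot")
    old_slot, master_key = found
    new_slot = add_key(header, master_key, new)  # add first, so a key always exists
    del header["slots"][old_slot]
    return new_slot
```

The real LUKS header additionally splits the wrapped key with an anti-forensic stripe function and encrypts it with the volume's cipher; the model keeps only the structure the reply describes.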


05-03-2008, 04:56 PM

On Thu, Apr 24, 2008 at 08:00:39AM -0500, Jordi Gutiérrez Hermoso wrote:
> So when I installed Debian, I told d-i to wipe the hard disk and
> encrypt my lappy's hard drive. My tinfoil-hatted heart loves it.
> They'll never take me or my data alive.

Hee hee. I'm more paranoid than you because I don't trust the hash
algorithm (that maps the password into a bit vector) not to introduce
statistical bias. I've agitated a little bit on the luks mailing list
for a feature that allows the key to be entered directly as a
hexadecimal number but wasn't able to drum up any support.

Another missing feature is to have the exit code from cryptsetup
encode the number of the keyslot as part of a defense against "rubber
hose" attacks. When the attacker compels you to surrender the key, you
provide an alternative to the usual one, which decrypts the disk
normally but is detected during the boot sequence by a script that
feeds him disinformation by altering particularly sensitive files in
advance.

An attacker who's aware of this countermeasure could defeat it by
mounting the root volume from a rescue cd, but it may find a niche in
the U.S. Prosecutors there have been trying lately to subvert the
fifth amendment right of non-self-incrimination by compelling a
defendant to perform the decryption himself rather than telling them
the key.

