06-23-2008, 10:45 AM
Rumen Yotov

Loop-AES versus DM-Crypt versus ???

On (23/06/08 06:26) Chris Walters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Sorry if this subject has been hashed and rehashed again, but I was
> wondering
> which Gentoo partition encryption scheme is considered the best, in terms
> of:
>
> 1. Security
> 2. Ease of setup and use
> 3. Number and type of ciphers available
>
> This question is inspired by my current use of loop-AES on my home
> directories,
> and my desire to encrypt my whole filesystem - except for a boot loader
> partition.
>
> Regards,
> Chris
Hi,

I use loop-aes, read a discussion about it being more secure.
Not using any encrypted partitions but think both will give you the ability
to do this, just select which one to use.
Not much information but count it as a vote :-)
HTH. Rumen
> --
> gentoo-user@lists.gentoo.org mailing list
>
 
06-23-2008, 11:45 AM
Dirk Heinrichs

On Monday, 23 June 2008, ext Chris Walters wrote:
> Sorry if this subject has been hashed and rehashed again, but I was
> wondering which Gentoo partition encryption scheme is considered the
> best, in terms of:
>
> 1. Security

Don't know, I'm not a crypto expert.

> 2. Ease of setup and use

dm-crypt with LUKS is IMHO the easier one to set up.

> 3. Number and type of ciphers available

Maybe I'm wrong, but the name loop-aes tells this, right? With LUKS, one can
use (nearly?) any cipher/hash supported by the kernel.

> This question is inspired by my current use of loop-AES on my home
> directories, and my desire to encrypt my whole filesystem - except for a
> boot loader partition.

Gentoo has support for both. Big plus of LUKS is the ability to assign more
than one key (so my wife can boot the laptop with her own key).

HTH...

Dirk
--
Dirk Heinrichs | Tel: +49 (0)162 234 3408
Configuration Manager | Fax: +49 (0)211 47068 111
Capgemini Deutschland | Mail: dirk.heinrichs@capgemini.com
Wanheimerstraße 68 | Web: http://www.capgemini.com
D-40468 Düsseldorf | ICQ#: 110037733
GPG Public Key C2E467BB | Keyserver: wwwkeys.pgp.net
 
06-23-2008, 03:46 PM
Chris Walters

Dirk Heinrichs wrote:
| On Monday, 23 June 2008, ext Chris Walters wrote:
[snip]
|> 3. Number and type of ciphers available
|
| Maybe I'm wrong, but the name loop-aes tells this, right? With LUKS, one can
| use (nearly?) any cipher/hash supported by the kernel.
[snip]
| Gentoo has support for both. Big plus of LUKS is the ability to assign more
| than one key (so my wife can boot the laptop with her own key).
|
| HTH...
|
| Dirk

Actually, there are extra ciphers available for use with loop-aes. Just can't
figure out how to compile them with the loop-aes kernel patch, yet.

I might try LUKS. Does it have support for multi-key encryption? How about
random key encryption?

Regards,
Chris
 
06-23-2008, 05:14 PM
Dirk Heinrichs

On Monday, 23 June 2008, Chris Walters wrote:

> I might try LUKS. Does it have support for multi-key encryption? How
> about random key encryption?

Hmm, didn't I mention this? Yes to both. See also http://luks.endorphin.org.

Bye...

Dirk
 
06-23-2008, 06:21 PM
Sebastian Wiesner

Chris Walters <cjw2004d@comcast.net> at Monday 23 June 2008, 17:46:23
> Dirk Heinrichs wrote:
> | On Monday, 23 June 2008, ext Chris Walters wrote:
>
> [snip]
>
> |> 3. Number and type of ciphers available
> |
> | Maybe I'm wrong, but the name loop-aes tells this, right? With LUKS,
> | one can use (nearly?) any cipher/hash supported by the kernel.
>
> [snip]
>
> | Gentoo has support for both. Big plus of LUKS is the ability to assign
> | more than one key (so my wife can boot the laptop with her own key).
> |
> | HTH...
> |
> | Dirk
>
> Actually, there are extra ciphers available for use with loop-aes.

Does it matter? AES is one of the best algorithms available, there is no
reason to change to another.

> I might try LUKS. Does it have support for multi-key encryption?

Yes, it has.

> How about random key encryption?

That's not a matter of the encryption software itself, random keys should be
possible with any encryption thing out there.

Actually, multi-key encryption somehow requires random keys. In such a
setup, there is a random master key, which itself is ciphered with the
individual user keys. When adding or removing user keys, the software
stores an individually encrypted copy of the random master key (or removes
it).

--
Freedom is always the freedom of dissenters.
(Rosa Luxemburg)
 
06-27-2008, 03:41 AM
7v5w7go9ub0o

Chris Walters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Sorry if this subject has been hashed and rehashed again, but I was
> wondering
> which Gentoo partition encryption scheme is considered the best, in
> terms of:
>
> 1. Security

"....Another thing: If I remember correctly, LUKS keeps the actual key
on the encrypted disk, itself encrypted with a passphrase. Naturally
this means that an attacker only has to break the passphrase, which gets
him the key"


FYI; I don't know if the above is correct.

http://blog.pioto.org/2008/05/encrypting-almost-your-entire.html

HTH
 
06-27-2008, 01:08 PM
Sebastian Wiesner

7v5w7go9ub0o <7v5w7go9ub0o@gmail.com> at Friday 27 June 2008, 05:41:15
> Chris Walters wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA512
> >
> > Sorry if this subject has been hashed and rehashed again, but I was
> > wondering
> > which Gentoo partition encryption scheme is considered the best, in
> > terms of:
> >
> > 1. Security
>
> "....Another thing: If I remember correctly, LUKS keeps the actual key
> on the encrypted disk, itself encrypted with a passphrase. Naturally
> this means that an attacker only has to break the passphrase, which gets
> him the key"

Naturally ... if the user wants to use passphrases, the key needs to be
related to the passphrase somehow, whether by it being derived from the
passphrase through hashing or it being encrypted with a second key, that is
derived from the passphrase.

But a decent hard disk encryption system should be able to store the key
file on a USB stick or on a smart card. Besides an increased security,
because there is weak passphrase, it provides increased comfort: You don't
have to enter a silly passphrase on every boot

--
Freedom is always the freedom of dissenters.
(Rosa Luxemburg)
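
The multi-key scheme described in the two posts above (a random master key, stored once per user as a copy encrypted under a key derived from that user's passphrase) can be sketched as follows. This is an added example, not code from the thread and not the LUKS on-disk format: the class and function names, the slot names, the passphrases and the iteration count are all constructed, and XOR with PBKDF2 output stands in for the cipher a real system would use to wrap the key.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed work factor: the cost of one passphrase guess

def kdf(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS, dklen=32)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class KeySlotHeader:
    """Toy header (hypothetical layout): one master key, one wrapped copy per user."""

    def __init__(self, slot: str, passphrase: str):
        master = os.urandom(32)                    # random, never stored in the clear
        self.check_salt = os.urandom(16)
        self.check = kdf(master, self.check_salt)  # recognises a correct unwrap
        self.slots = {}                            # slot name -> (salt, wrapped key)
        self._wrap(slot, passphrase, master)

    def _wrap(self, slot: str, passphrase: str, master: bytes) -> None:
        salt = os.urandom(16)                      # fresh salt, so no pad is reused
        self.slots[slot] = (salt, xor(master, kdf(passphrase.encode(), salt)))

    def unlock(self, passphrase: str):
        """Return the master key if the passphrase opens any slot, else None."""
        for salt, wrapped in self.slots.values():
            candidate = xor(wrapped, kdf(passphrase.encode(), salt))
            if hmac.compare_digest(kdf(candidate, self.check_salt), self.check):
                return candidate
        return None

    def add_slot(self, existing: str, slot: str, passphrase: str) -> None:
        master = self.unlock(existing)             # adding a user key needs a valid one
        if master is None:
            raise PermissionError("existing passphrase opens no slot")
        self._wrap(slot, passphrase, master)

    def remove_slot(self, slot: str) -> None:
        if len(self.slots) == 1:
            raise ValueError("refusing to remove the last slot")
        del self.slots[slot]                       # the data itself is not re-encrypted

if __name__ == "__main__":
    hdr = KeySlotHeader("user_a", "constructed passphrase A")
    hdr.add_slot("constructed passphrase A", "user_b", "constructed passphrase B")
    print(hdr.unlock("constructed passphrase B") == hdr.unlock("constructed passphrase A"))
    hdr.remove_slot("user_a")
    print(hdr.unlock("constructed passphrase A"))
```

Everything in `slots` sits next to the encrypted data, so the strength of the whole volume is bounded by the weakest passphrase in any slot multiplied by the per-guess cost set by `ITERATIONS`.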
 
06-27-2008, 05:19 PM
7v5w7go9ub0o

Sebastian Wiesner wrote:
> 7v5w7go9ub0o <7v5w7go9ub0o@gmail.com> at Friday 27 June 2008, 05:41:15
> > Chris Walters wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA512
> > >
> > > Sorry if this subject has been hashed and rehashed again, but I was
> > > wondering
> > > which Gentoo partition encryption scheme is considered the best, in
> > > terms of:
> > >
> > > 1. Security
> >
> > "....Another thing: If I remember correctly, LUKS keeps the actual key
> > on the encrypted disk, itself encrypted with a passphrase. Naturally
> > this means that an attacker only has to break the passphrase, which gets
> > him the key"
>
> Naturally ... if the user wants to use passphrases, the key needs to be
> related to the passphrase somehow, whether by it being derived from the
> passphrase through hashing or it being encrypted with a second key, that is
> derived from the passphrase.
>
> But a decent hard disk encryption system should be able to store the key
> file on a USB stick or on a smart card. Besides an increased security,
> because there is weak passphrase, it provides increased comfort: You don't
> have to enter a silly passphrase on every boot

Yes.

But if I understand his comment, the LUKS standard requires a copy to be
stored on the HD - even if using the more secure dongle - and keeping a
passphrase-encrypted copy on the HD permanently renders the HD integrity
compromised.


ISTM the better way to use a passphrase would be to passphrase-encrypt
the encryption key and store it somewhere on a boot sector. On the boot
sector - but not within the encrypted disk - as having it on the disk
weakens the disk integrity. If you later acquire a USB, you simply
transfer the whole encryption key to the USB and remove the passphrase
obscuration programs from the boot sector.


So IIUC the question becomes, can one configure LUKS to NOT keep a copy
of the passphrase-protected encryption key on the HD (or is keeping it
there part of the LUKS "standard")?


 
06-27-2008, 08:46 PM
Dirk Heinrichs

On Friday, 27 June 2008, 7v5w7go9ub0o wrote:

> So IIUC the question becomes, can one configure LUKS to NOT keep a copy
> of the passphrase-protected encryption key on the HD (or is keeping it
> there part of the LUKS "standard")?

Well, LUKS means "Linux Unified Key Setup", that's what LUKS is all about. But
hey, maybe I didn't write it often enough: http://luks.endorphin.org should
answer all your questions. Your question is already answered in the FAQ
(via "Docs Wiki" tab).

HTH...

Dirk
 

All times are GMT.