
Whole Disk Encryption - Linux


loftrat


Anybody got any good solutions for providing whole disk encryption on a linux system (laptop)?

I would like to fully encrypt my netbook, and at least one other laptop in the house, but can't find any way of doing this.

I'm running Windows at the moment, because I've happily been able to fully encrypt the drive using TrueCrypt - the same approach doesn't work under Linux though.

Ideally I think I need some sort of hardware based encryption (a nice, self encrypting, HDD would be nice - then I could probably have a dual-boot system as well ;) ) - unfortunately I can't seem to find a vendor willing/able to sell me one.

What are you guys using, if anything?

Link to comment
Share on other sites

Linux supports full disk encryption. Look for LUKS with a LVM.

I don't think hardware encryption on disk drives is that great and you normally end up paying way too much of a premium because they are aimed for business use.

I've used LUKS with LVM on Ubuntu and Fedora now and they work well. I'm moving away from encryption on my mobile devices now as it causes problems with certain aspects of the law. It's easier and more secure in my opinion to remote into a machine and do any sensitive work from there. Works especially well if the machine is located somewhere outside the law's jurisdiction.

Link to comment
Share on other sites

Linux supports full disk encryption. Look for LUKS with a LVM.

I'll take a look at that, thanks.

I don't think hardware encryption on disk drives is that great and you normally end up paying way too much of a premium because they are aimed for business use.

Yeah, the ones I managed to find were a) very expensive, and b) normally only being sold to laptop vendors. It's the only solution that I can think of that will allow proper dual booting though.

I've used LUKS with LVM on Ubuntu and Fedora now and they work well. I'm moving away from encryption on my mobile devices now as it causes problems with certain aspects of the law. It's easier and more secure in my opinion to remote into a machine and do any sensitive work from there. Works especially well if the machine is located somewhere outside the law's jurisdiction.

That's fine if you a) have a machine to remote into, or b) have a route to the machine that you want to remote into. Sensitive work sometimes has to be carried out locally unfortunately, and the information on the laptop therefore needs to be secured accordingly. I'd looked at running a VM within a host and then just storing the VM in an encrypted container. It's not an ideal solution as you still get some paging outside of the container, and obviously you get a performance hit - unfortunately that's not even a goer as one of the machines I want to run on is a netbook.....and it doesn't like VMs :D

I'll take a look at LUKS/LVM and see what that gives me.

Thanks.

Link to comment
Share on other sites

I agree that LUKS is a good way to go, I've got external drives fully encrypted just in case they go walk about.

For added security, a tip I got from Twitchy when he did the PSW podcast is to put the kernel on a USB drive, that way the machine can't even start the boot process without it. That was a little too paranoid for me but I can see it working quite well.

Link to comment
Share on other sites

Ubuntu 9.04 has an integrated encryption feature, you might want to take a look at that.

Good luck!

/gEEEk

Link to comment
Share on other sites

I agree that LUKS is a good way to go, I've got external drives fully encrypted just in case they go walk about.

For added security, a tip I got from Twitchy when he did the PSW podcast is to put the kernel on a USB drive, that way the machine can't even start the boot process without it. That was a little too paranoid for me but I can see it working quite well.

I've had it so that part of the key is stored on the USB drive, then when booted, the system has access to part of the key to access the USB drive's encrypted partition. But never the kernel on the USB drive, I'm going to have to try that.

Link to comment
Share on other sites

DMCRYPT/LUKS works pretty well. That's what Ubuntu uses for whole disk encryption. The only part that isn't encrypted is /boot. There's a how-to on the ubuntu forums somewhere that shows how to use it with key files. I had a machine using a key file stored on a thumb drive. With the drive inserted the machine would boot, without it would ask for the key. Just make sure you back up that file!

Link to comment
Share on other sites

I've never been brave enough to go for full disk encryption on a machine, I just have visions of getting on a train, opening the laptop and finding it won't decrypt for some reason. I go for either file based encryption or keeping sensitive stuff on a server and accessing it through ssh/vpn.

Last train journey I took I upgraded Wireshark before I left home, that upgraded a library that mplayer relied on so bang went watching videos for the trip.

Link to comment
Share on other sites

Thanks for the continued thoughts guys, much appreciated.

I've installed Ubuntu 9.04 using the alternate CD and setup the encryption that way (must really learn how to do it manually.....maybe one day ;) ).

Going to play with that for a while and then pull the drive and run it through a forensic analysis and see if I can pull anything back, in theory I shouldn't be able to but it never hurts to check :)

Link to comment
Share on other sites

I've never been brave enough to go for full disk encryption on a machine, I just have visions of getting on a train, opening the laptop and finding it won't decrypt for some reason. I go for either file based encryption or keeping sensitive stuff on a server and accessing it through ssh/vpn.

Last train journey I took I upgraded Wireshark before I left home, that upgraded a library that mplayer relied on so bang went watching videos for the trip.

I know a guy that screwed up his truecrypt encrypted laptop, in the middle of shmoocon. We gave him all kinds of shit for that one. :lol:

Link to comment
Share on other sites

I know a guy that screwed up his truecrypt encrypted laptop, in the middle of shmoocon. We gave him all kinds of shit for that one. :lol:

I killed my laptop's OS about 7 times while at CCC last Christmas. I reinstalled it 3 talks in a row one day. Most of the time I was being way too fast for my own good and ended up doing too much damage worth fixing, so out came the USB key.

Link to comment
Share on other sites

I am wondering if there is a way to make the live distro encrypted but still bootable?

I have a custom Ubuntu 8.10 live CD that contains all sorts of nice additions but I'm thinking it would kick arse if it required a password to be able to boot from it. . . .

Possible ?

anyone already done this ?

Link to comment
Share on other sites

I am wondering if there is a way to make the live distro encrypted but still bootable?

I have a custom Ubuntu 8.10 live CD that contains all sorts of nice additions but I'm thinking it would kick arse if it required a password to be able to boot from it. . . .

Possible ?

anyone already done this ?

Very possibly, haven't done it. You're likely to take quite a big hit in performance if you're running it on an optical disk. USB flash would be very good though.

Link to comment
Share on other sites

loftrat, how is it going? Notice any performance hits since you installed it? Accidentally trashed it yet by trying to tweak it?

Did you get any forensics info out of it?

Link to comment
Share on other sites

I never dared full disc encryption either, so I settled for encfs on my Eee 701 running Debian Lenny. It basically enables you to encrypt directories. It works really well for what I want to do, which is just keeping my personal data safe when I lose my laptop. I'm sure I'd leave some traces in temp files and whatnot, but at least I don't have my full email correspondence viewable for the whole world.

Link to comment
Share on other sites

loftrat, how is it going? Notice any performance hits since you installed it? Accidentally trashed it yet by trying to tweak it?

Did you get any forensics info out of it?

Ubuntu 9.04, installed using the alternate CD, and it's as stable as you like.

Have it running on one of the dev machines at work, trying to use it as often as I can for as wide a range of tasks as I can, haven't had a chance to throw encase at it yet - I'll probably aim to do that next week.

Looking at the mechanics of it I'm thinking that might be a waste of time though, the main reason I'm doing it is to make sure that Ubuntu's not caching anything anywhere unusual - although I can't see that being the case.

Link to comment
Share on other sites
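The forensic check loftrat describes in the posts above (pull the drive and confirm nothing readable sits outside the encryption) can be partly scripted. This is an added example, not code from any poster in the thread: it assumes the LUKS1 on-disk header layout used by dm-crypt/LUKS installs of that era, and it runs on a tiny constructed image with shrunken offsets rather than a real partition dump.

```python
import hashlib
import math
import struct
from collections import Counter

SECTOR = 512
LUKS_MAGIC = b"LUKS\xba\xbe"
SLOT_ACTIVE = 0x00AC71F3                            # LUKS1 marker for an enabled key slot
HDR = struct.Struct(">6sH32s32s32sII20s32sI40s")    # fixed header fields, 208 bytes
SLOT = struct.Struct(">II32sII")                    # one of 8 key slots, 48 bytes each

def parse_luks1(image: bytes) -> dict:
    """Decode the LUKS1 header at the start of a partition image."""
    if len(image) < HDR.size + 8 * SLOT.size:
        raise ValueError("image too short for a LUKS1 header")
    magic, version, cipher, mode, _hash, payload, _keylen, *_ = HDR.unpack_from(image)
    if magic != LUKS_MAGIC or version != 1:
        raise ValueError("no LUKS1 header: partition is not LUKS1-encrypted")
    active = [i for i in range(8)
              if SLOT.unpack_from(image, HDR.size + i * SLOT.size)[0] == SLOT_ACTIVE]
    spec = b"-".join(f.rstrip(b"\0") for f in (cipher, mode)).decode("ascii")
    return {"cipher": spec, "payload_sector": payload, "active_slots": active}

def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte (a 512-byte ciphertext sector scores about 7.6)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def low_entropy_sectors(image: bytes, threshold: float = 7.0) -> list:
    """Sector numbers in the encrypted payload that do not look like ciphertext."""
    start = parse_luks1(image)["payload_sector"] * SECTOR
    return [off // SECTOR for off in range(start, len(image) - SECTOR + 1, SECTOR)
            if entropy(image[off:off + SECTOR]) < threshold]

def build_sample_image() -> bytes:
    """Constructed image: LUKS1 header, then 3 payload sectors, one of them plaintext."""
    def noise(tag):  # deterministic stand-in for ciphertext
        return b"".join(hashlib.sha256(tag + bytes([i])).digest() for i in range(16))
    hdr = HDR.pack(LUKS_MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1",
                   2, 32, b"", b"", 1000, b"constructed-uuid")
    slots = SLOT.pack(SLOT_ACTIVE, 1000, b"", 8, 4000) + SLOT.pack(0xDEAD, 0, b"", 0, 4000) * 7
    leak = (b"vpn-user=alice vpn-pass=example\n" * 16)[:SECTOR]   # constructed plaintext
    return (hdr + slots).ljust(2 * SECTOR, b"\0") + noise(b"a") + leak + noise(b"b")

if __name__ == "__main__":
    img = build_sample_image()
    print(parse_luks1(img), low_entropy_sectors(img))
```

Sectors that have never been written since the volume was created still hold whatever was on the disk before, so zeros or old data there also show up as low entropy unless the disk was filled with random data first.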

Oh, sorry, missed a bit of your question :S

Nope, no performance hits that I can notice - everything's running just fine. I've not managed to break it yet, but that's more because it just seems to work quite nicely than because of any particular lack of effort on my part.

Link to comment
Share on other sites

Right I have been tackling this in the background and found something that seems to fit the bill(so far).

Encrypted CDs

I have extracted the whole squashfs to a local drive, installed encfs and created an encrypted folder,

moved everything from the squashfs into the encrypted folder, and unmounted encfs, leaving the folder with just encrypted files & folders.

Run mksquash on the encrypted folder - I can then mount the squashfs and mount the encrypted files inside that by running encfs /mountpoint-of-squash /test

Everything can be seen as in the original squashfs.

But now I'm stuck - is it going to be possible to get the CD to boot and point it to the squashfs

A) decrypt it via password prompt and

B) mount it in /somewhere then allow it to pull the required from that /somewhere?

Clearly the CD mounts the squashfs and pulls files from it, but where would I find this part of the process?

Link to comment
Share on other sites

Course you may ask,

the main reason is because it contains a certificate and VPN credentials that should be kept safe; it will also contain documents and software that I would rather people didn't get hold of should it fall out of my pocket or be left in a desktop PC.

I think a bootable encrypted cd is a good idea.

Link to comment
Share on other sites
