
Disk Encryption


Infatuas


I just installed TrueCrypt on my drive. I haven't had a chance to take an in-depth look at it, but it seems very well thought out, and I only hear good things. Check out:

http://aolradio.podcast.aol.com/sn/SN-133.mp3

This is a podcast I listen to religiously every Wednesday. They had a whole episode devoted to analyzing TrueCrypt. The beginning of the episode is news and general talk.


dm-crypt LUKS is an install option. That's what I use. If you really want to have fun with it, you can configure a boot file and point it to a thumb drive. If the drive is inserted before boot it will just boot, no questions asked. No drive, no boot!


The article mentioned LUKS and I think that's what I'm going to go with. Picked up some cryptography books for some added fun. I really want to analyze the raw data and try to use some decryption techniques to pick up as much metadata as possible without decrypting the drive. Using the USB drive technique you mentioned, it would be sweet to use a hardware encrypted thumb drive on top of that.


> The article mentioned LUKS and I think that's what I'm going to go with. Picked up some cryptography books for some added fun. I really want to analyze the raw data and try to use some decryption techniques to pick up as much metadata as possible without decrypting the drive. Using the USB drive technique you mentioned, it would be sweet to use a hardware encrypted thumb drive on top of that.

There are very few encrypted thumb drives that would actually work. Most encrypted thumb drives require software on the host machine to unlock them before they can be mounted or read. During the boot process you wouldn't easily be able to run that software (and even if you could you probably wouldn't want to).

The thumb drives which would work are the ones which have hardware to authenticate the user and decrypt the drive without software on the host system. They also tend to be prohibitively expensive.


I believe int0x80 did a few episodes covering how to do this, with one of them putting the boot files and uuid stuff on a thumb drive for user data so a system wouldn't be able to boot without the thumb drive. Search the episodes from like a season or two ago though, pretty sure he covered a number of ways to do it.


> There are very few encrypted thumb drives that would actually work. Most encrypted thumb drives require software on the host machine to unlock them before they can be mounted or read. During the boot process you wouldn't easily be able to run that software (and even if you could you probably wouldn't want to).
>
> The thumb drives which would work are the ones which have hardware to authenticate the user and decrypt the drive without software on the host system. They also tend to be prohibitively expensive.

With what I'm talking about the /boot partition isn't encrypted, everything else is. GRUB has the ability to mount encrypted file systems if it has the key/password. You can also tell it to use a file, which can be anything really. I've used everything from randomly generated text files to a picture of Princess Leia in her Jabba slave bikini. If you wanted to get real fancy, you could use a file on your phone and as long as it's plugged in while booting, it will work. Pretty sure you can remove the drive once the computer is booted, never tried though.


> I believe int0x80 did a few episodes covering how to do this, with one of them putting the boot files and uuid stuff on a thumb drive for user data so a system wouldn't be able to boot without the thumb drive. Search the episodes from like a season or two ago though, pretty sure he covered a number of ways to do it.

I used to use two-factor authentication for full disk encryption until my Arch install broke. Now I just use a very lengthy passphrase (length > complexity in my opinion). dm_crypt can read specific files to use as keyfiles. The key file can be any sort of file, from a text file to a video file or a song file, so long as it gets the key from the file. I would recommend just using a text file containing the key, unless you know how dm_crypt reads those files. That's just what I did in the past, I'm sure there are better solutions.

Edited by nvemb3r
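The keyfile-on-a-thumb-drive setup discussed in the posts above, as an added example that is not part of the original thread: it generates a random keyfile, enrols it next to the existing passphrase, and prints a crypttab entry. The UUID, the label `KEYUSB`, the mapping name and all paths are constructed placeholders, and the `path:LABEL=` keyfile form with `keyfile-timeout=` assumes a system that uses systemd's crypttab handling.

```shell
#!/bin/sh
# Added example: LUKS keyfile on a removable drive with passphrase fallback.
# All names, labels and UUIDs below are constructed placeholders.

# Create a random binary keyfile that only its owner can read.
# cryptsetup uses a keyfile byte-for-byte (a trailing newline counts as
# key material), so random bytes leave no doubt about what the key is.
make_keyfile() {
    keyfile=$1
    size=${2:-4096}
    ( umask 077 && head -c "$size" /dev/urandom > "$keyfile" ) || return 1
    chmod 0400 "$keyfile"
}

# Enrol the keyfile in a free key slot of an existing LUKS volume.
# The passphrase slot is kept, so a lost or dead thumb drive does not
# mean a lost disk. Needs root and a real LUKS device, so it is only
# defined here and not called by the demo below.
enroll_keyfile() {
    luks_device=$1
    keyfile=$2
    cryptsetup luksAddKey "$luks_device" "$keyfile"
}

# Print a crypttab line (assumed: systemd crypttab syntax) that reads the
# keyfile from the filesystem labelled $4 and falls back to a passphrase
# prompt if that drive does not show up within 10 seconds.
crypttab_line() {
    name=$1
    luks_uuid=$2
    keypath=$3      # path relative to the root of the USB filesystem
    usb_label=$4
    printf '%s UUID=%s %s:LABEL=%s luks,keyfile-timeout=10s\n' \
        "$name" "$luks_uuid" "$keypath" "$usb_label"
}

# Demo on throwaway paths; nothing is written to /etc or to a real disk.
demo_dir=$(mktemp -d)
make_keyfile "$demo_dir/root.key"
crypttab_line cryptroot 00000000-0000-4000-8000-000000000000 /root.key KEYUSB
rm -rf "$demo_dir"
```

Dropping `keyfile-timeout=10s` from the options gives the strict "no drive, no boot" behaviour described earlier in the thread, at the cost of losing the passphrase fallback at boot.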

> With what I'm talking about the /boot partition isn't encrypted, everything else is. GRUB has the ability to mount encrypted file systems if it has the key/password. You can also tell it to use a file, which can be anything really. I've used everything from randomly generated text files to a picture of Princess Leia in her Jabba slave bikini. If you wanted to get real fancy, you could use a file on your phone and as long as it's plugged in while booting, it will work. Pretty sure you can remove the drive once the computer is booted, never tried though.

I get that, I was responding specifically to:

> Using the USB drive technique you mentioned it would be sweet to use a hardware encrypted thumb drive on top of that.

As I had quoted.

Having your key file on a hardware-encrypted USB key that requires host-side software to unlock is generally not going to work very well. Sure, you could put the software to unlock the USB key into your unencrypted boot partition, but I'm not sure it would improve the security of your encrypted partition to do so. It may even increase your attack surface to do so.


> I get that, I was responding specifically to:
>
> As I had quoted.
>
> Having your key file on a hardware-encrypted USB key that requires host-side software to unlock is generally not going to work very well. Sure, you could put the software to unlock the USB key into your unencrypted boot partition, but I'm not sure it would improve the security of your encrypted partition to do so. It may even increase your attack surface to do so.

Ah! I missed that part. My bad... :-)