Infatuas Posted July 10, 2013 (edited)

I'm interested in encrypting my entire disk as I'm getting ready to install a fresh Ubuntu Image. Any recommendations for encryption?

Lost In Cyberia Posted July 10, 2013

I just installed TrueCrypt on my drive. I haven't had a chance to take an in-depth look at it, but it seems very well thought out, and I only hear good things. Check out: http://aolradio.podcast.aol.com/sn/SN-133.mp3 This is a podcast I listen to religiously every Wednesday. They had a whole episode devoted to analyzing TrueCrypt. The beginning of the episode is news and general talk.

barry99705 Posted July 10, 2013

dm-crypt LUKS is an install option. That's what I use. If you really want to have fun with it, you can configure a boot file and point it to a thumb drive. If the drive is inserted before boot it will just boot, no questions asked. No drive, no boot!

Infatuas Posted July 10, 2013

The article mentioned LUKS and I think that's what I'm going to go with. Picked up some cryptography books for some added fun. I really want to analyze the raw data and try to use some decryption techniques to pick up as much metadata as possible without decrypting the drive. Using the USB drive technique you mentioned, it would be sweet to use a hardware encrypted thumb drive on top of that.

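Added example, not part of the original posts: a LUKS volume keeps its header in plaintext, so the metadata that is readable without the key can be parsed directly. The sketch below assumes the LUKS1 on-disk layout (592-byte big-endian header) and runs on a constructed sample header; the function names are hypothetical.

```python
import struct

# LUKS1 on-disk header (big-endian). Assumption: the volume is LUKS1,
# the format cryptsetup created by default in 2013.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")  # 208 bytes of volume metadata
SLOT = struct.Struct(">II32sII")                   # 8 key slots, 48 bytes each
MAGIC = b"LUKS\xba\xbe"
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD

def _text(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_luks1_header(blob):
    """Return the metadata a LUKS1 volume exposes without any key."""
    if len(blob) < PHDR.size + 8 * SLOT.size:
        raise ValueError("need the first 592 bytes of the volume")
    (magic, version, cipher, mode, hash_spec, payload_sectors, key_bytes,
     _mk_digest, _mk_salt, _mk_iter, uuid) = PHDR.unpack_from(blob, 0)
    if magic != MAGIC or version != 1:
        raise ValueError("not a LUKS1 header")
    active = []
    for i in range(8):
        state, iters, _salt, _km_off, stripes = SLOT.unpack_from(
            blob, PHDR.size + i * SLOT.size)
        if state == SLOT_ENABLED:
            active.append({"slot": i, "pbkdf2_iterations": iters, "stripes": stripes})
    return {
        "cipher": f"{_text(cipher)}-{_text(mode)}",
        "hash": _text(hash_spec),
        "key_bits": key_bytes * 8,
        "payload_offset_bytes": payload_sectors * 512,
        "uuid": _text(uuid),
        "active_slots": active,
    }

def build_sample_header():
    """Constructed sample: header bytes for a made-up aes-xts-plain64 volume."""
    phdr = PHDR.pack(MAGIC, 1, b"aes", b"xts-plain64", b"sha1", 4096, 64,
                     bytes(20), bytes(32), 50000,
                     b"00000000-0000-0000-0000-000000000000")
    slots = [SLOT.pack(SLOT_ENABLED, 120000, bytes(32), 8, 4000),
             SLOT.pack(SLOT_ENABLED, 95000, bytes(32), 512, 4000)]
    slots += [SLOT.pack(SLOT_DISABLED, 0, bytes(32), 0, 4000)] * 6
    return phdr + b"".join(slots)

if __name__ == "__main__":
    for field, value in parse_luks1_header(build_sample_header()).items():
        print(f"{field}: {value}")
```

The cipher, key size, UUID and the number of occupied key slots are all readable this way; everything from the payload offset onward is ciphertext.
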
Sitwon Posted July 11, 2013

> The article mentioned LUKS and I think that's what I'm going to go with. Picked up some cryptography books for some added fun. I really want to analyze the raw data and try to use some decryption techniques to pick up as much metadata as possible without decrypting the drive. Using the USB drive technique you mentioned, it would be sweet to use a hardware encrypted thumb drive on top of that.

There are very few encrypted thumb drives that would actually work. Most encrypted thumb drives require software on the host machine to unlock them before they can be mounted or read. During the boot process you wouldn't easily be able to run that software (and even if you could you probably wouldn't want to). The thumb drives which would work are the ones which have hardware to authenticate the user and decrypt the drive without software on the host system. They also tend to be prohibitively expensive.

digip Posted July 11, 2013

I believe int0x80 did a few episodes covering how to do this, with one of them putting the boot files and UUID stuff on a thumb drive for user data so a system wouldn't be able to boot without the thumb drive. Search the episodes from like a season or two ago though, pretty sure he covered a number of ways to do it.

barry99705 Posted July 12, 2013

> There are very few encrypted thumb drives that would actually work. Most encrypted thumb drives require software on the host machine to unlock them before they can be mounted or read. During the boot process you wouldn't easily be able to run that software (and even if you could you probably wouldn't want to). The thumb drives which would work are the ones which have hardware to authenticate the user and decrypt the drive without software on the host system. They also tend to be prohibitively expensive.

With what I'm talking about, the /boot partition isn't encrypted, everything else is. GRUB has the ability to mount encrypted file systems if it has the key/password. You can also tell it to use a file, which can be anything really. I've used everything from randomly generated text files to a picture of Princess Leia in her Jabba slave bikini. If you wanted to get real fancy, you could use a file on your phone and as long as it's plugged in while booting, it will work. Pretty sure you can remove the drive once the computer is booted, never tried though.

Lost In Cyberia Posted July 12, 2013

Once a drive is mounted, all encryption is bypassed, right? It's the mounting of it that requires the password/key?

nvemb3r Posted July 12, 2013 (edited)

> I believe int0x80 did a few episodes covering how to do this, with one of them putting the boot files and UUID stuff on a thumb drive for user data so a system wouldn't be able to boot without the thumb drive. Search the episodes from like a season or two ago though, pretty sure he covered a number of ways to do it.

I used to use two-factor authentication for full disk encryption until my Arch install broke. Now I just use a very lengthy passphrase (length > complexity in my opinion). dm_crypt can read specific files to use as keyfiles. The key file can be any sort of file, from a text file, a video file, a song file, so long as it gets the key from the file. I would recommend just using a text file containing the key, unless you know how dm_crypt reads those files. That's just what I did in the past, I'm sure there are better solutions.

Sitwon Posted July 12, 2013

> With what I'm talking about, the /boot partition isn't encrypted, everything else is. GRUB has the ability to mount encrypted file systems if it has the key/password. You can also tell it to use a file, which can be anything really. I've used everything from randomly generated text files to a picture of Princess Leia in her Jabba slave bikini. If you wanted to get real fancy, you could use a file on your phone and as long as it's plugged in while booting, it will work. Pretty sure you can remove the drive once the computer is booted, never tried though.

I get that, I was responding specifically to:

> Using the USB drive technique you mentioned, it would be sweet to use a hardware encrypted thumb drive on top of that.

As I had quoted. Having your key file on a hardware-encrypted USB key that requires host-side software to unlock is generally not going to work very well. Sure, you could put the software to unlock the USB key into your unencrypted boot partition, but I'm not sure it would improve the security of your encrypted partition to do so. It may even increase your attack surface to do so.

barry99705 Posted July 12, 2013

> I get that, I was responding specifically to: As I had quoted. Having your key file on a hardware-encrypted USB key that requires host-side software to unlock is generally not going to work very well. Sure, you could put the software to unlock the USB key into your unencrypted boot partition, but I'm not sure it would improve the security of your encrypted partition to do so. It may even increase your attack surface to do so.

Ah! I missed that part. My bad... :-)

Infatuas Posted July 15, 2013

Good information, guys.