
Thread: TRUECRYPT - FULL SYSTEM ENCRYPTION

  1. #11
    Re: TRUECRYPT - FULL SYSTEM ENCRYPTION

    Remember drive in Windows means partition. So when you say full drive in a Windows reference you are speaking about a partition. You can install Linux on a single partition thus a single drive in Windows speak. And encrypt it.

  2. #12

    Re: TRUECRYPT - FULL SYSTEM ENCRYPTION

    Originally posted by gogalthorp:
    > Remember drive in Windows means partition. So when you say full drive in a Windows reference you are speaking about a partition. You can install Linux on a single partition thus a single drive in Windows speak. And encrypt it.

    What a surprise! And how exactly are you going to boot it then?

    Last time I checked the best you could do was to use two partitions. One of them has to be unencrypted and should contain GRUB or something alike. And the rest can be encrypted. However, not every Linux supports that and normally they also require "/" and "/usr" to be unencrypted.

    I do not know how good Truecrypt is, but on top of all this misery with LUKS and friends the only out-of-the-box solutions do not allow you to use anything but a plain password as a way of authentication. So if you are among those who are truly concerned about security and prefer to use things like security tokens then you have to hack that bootloader yourself, hoping that if you get it right your patch won't be wiped out by the next software update. This also means a lot of wasted time.

  3. #13
    dd@home.dk NNTP User

    Re: TRUECRYPT - FULL SYSTEM ENCRYPTION

    On 07/19/2012 01:06 PM, rtvd wrote:
    > This also means a lot of wasted time.


    this is an over three year old thread (the post replied to is over two
    years old, also replying to a stale thread)..

    the thread dealt with versions no longer supported, and hints no longer
    (if ever) valid..

    if you ('rtvd') are searching for answers to a problem you have, i
    hereby commend you for doing that
    --thank you--
    but be cautious before putting to use what may (or may not) have worked
    in a no longer supported version....because, this Linux is a FAST moving
    train...lots of stuff that worked one way in openSUSE 11.4 is no longer
    valid if one attempts to apply it to openSUSE 12.1 (and the same for
    12.1 to 12.2, etc)

    pay attention to the posting dates and versions discussed..

    --
    dd

  4. #14
    Re: TRUECRYPT - FULL SYSTEM ENCRYPTION

    On Thu, 19 Jul 2012 11:06:02 +0000, rtvd wrote:

    > I do not know how good Truecrypt is, but on top of all this misery with
    > LUKS and friends the only out-of-the-box solutions do not allow you to
    > use anything but a plain password as a way of authentication. So if you
    > are among those who are truly concerned about security and prefer to
    > use things like security tokens then you have to hack that bootloader
    > yourself, hoping that if you get it right your patch won't be wiped out
    > by the next software update. This also means a lot of wasted time.


    Truecrypt supports the use of key files as well.

    Truecrypt, however, does not support full-disk encryption and booting
    Linux - only Windows. From what I've read on the Truecrypt forums,
    they're not likely to add it because FDE doesn't provide actual plausible
    deniability.

    I've been toying with the idea, though, of combining a bootable USB flash
    drive with a full disk encryption setup - the idea being you should be
    able to boot from a flash drive and (optionally) use a key file on the
    flash drive (or a secondary flash drive, sdcard, or the like) for
    authentication.

    The thing that I haven't worked out (logically) is updating the kernel.
    Since the initrd is not on the system but would need to be on the flash
    drive, a kernel update would likely be more involved to make this work.

    But the argument I'd make with the truecrypt folks as well is that FDE
    isn't always about plausible deniability, but it might be about fully
    securing a portable device like a laptop. Yes, I can encrypt my home
    directory/partition and that helps, but it doesn't help protect installed
    programs, configurations, etc, and that may cause other compromises. For
    example, a VPN config stored in /etc/NetworkManager wouldn't be protected
    if the home partition is the only thing encrypted.

    I use FDE on an external USB drive not because I need plausible
    deniability, but because I have sensitive data that, should the drive
    crash, I need to be sure is unrecoverable. I had an enclosure with 2
    500GB drives and one crashed hard - and I had no easy way to guarantee
    the data was unreadable using forensic tools - and for peace of mind, I
    wanted to be sure that they weren't readable since I had things like old
    tax returns backed up there.

    Jim

    --
    Jim Henderson
    openSUSE Forums Administrator
    Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

  5. #15
    Re: TRUECRYPT - FULL SYSTEM ENCRYPTION

    Originally posted by hendersj:
    > For example, a VPN config stored in /etc/NetworkManager wouldn't be protected if the home partition is the only thing encrypted.

    An encrypted LVM would take care of that. I'm not sure if that is possible with truecrypt, but it does work well with LUKS encryption.

    For your other issue, using a usb drive as a key, I think kernel updates should work as long as you have the usb mounted as "/boot" during the update.

    You could probably have a local "/boot" for when the usb is not mounted. In that case a kernel update should still work, except that you would have to manually synchronize the usb with the local "/boot". Unfortunately, there's a fly in the ointment if using grub2. A kernel update presumably runs "mkinitrd", and with grub2, "mkinitrd" reinstalls grub2. And that could be a problem if the usb is not mounted.
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha

  6. #16
    Re: TRUECRYPT - FULL SYSTEM ENCRYPTION

    On Thu, 19 Jul 2012 17:36:02 +0000, nrickert wrote:

    > hendersj;2475247 Wrote:
    >> For example, a VPN config stored in /etc/NetworkManager wouldn't be
    >> protected if the home partition is the only thing encrypted.

    >
    > An encrypted LVM would take care of that. I'm not sure if that is
    > possible with truecrypt, but it does work well with LUKS encryption.


    Yeah, that would take care of it - but for a challenge (probably more
    than anything), I thought I'd see about designing something that worked
    with truecrypt specifically.

    > For your other issue, using a usb drive as a key, I think kernel updates
    > should work as long as you have the usb mounted as "/boot" during the
    > update.


    One of my goals as well is that the flash drive is just used for boot and
    then can be disconnected from the system. Obviously it would need to be
    present when the kernel was updated, though. My thinking is that if it's
    just where initrd comes from and gets the system to the point where the
    encrypted drive is decrypted and then hands off to the system to finish
    the boot.

    So in that case, thinking about it, a kernel update shouldn't break
    anything. The trick becomes defining the filesystem after truecrypt is
    in memory decrypting the encrypted device.

    > You could probably have a local "/boot" for when the usb is not mounted.
    > In that case a kernel update should still work, except that you would
    > have to manually synchronize the usb with the local "/boot".
    > Unfortunately, there's a fly in the ointment if using grub2. A kernel
    > update presumably runs "mkinitrd", and with grub2, "mkinitrd" reinstalls
    > grub2. And that could be a problem if the usb is not mounted.


    Yeah, and I do want to be able to remove the flash drive after the system
    is running. One reason for that is that if the flash drive with the keys
    is plugged in and someone nicks the laptop, then one purpose of
    encrypting the drive is defeated. So the flash drive would be unplugged
    and carried in a pocket or a bag separate from the laptop itself.

    Jim

    --
    Jim Henderson
    openSUSE Forums Administrator
    Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C
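
A read-only check for the manual synchronization between a local "/boot" and the copy on the removable boot drive that this thread discusses, given here as an added example that is not part of the original posts. It compares SHA-256 hashes of every file under both directories; the function names and the choice to pass both directories as arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example: report drift between a local /boot and its copy on a
# removable boot drive. Nothing is written to either directory.

# Print "relative-path<TAB>sha256" for every regular file under $1.
boot_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) |
        awk '{ h = $1; sub(/^[^ ]+ [ *]\.\//, ""); print $0 "\t" h }'
}

# Print one line per file that is missing or different; empty output = in sync.
# An unmounted drive leaves an empty mount point, so every file is then
# reported as MISSING_ON_USB instead of the check passing silently.
boot_sync_report() {
    if [ ! -d "$1" ] || [ ! -d "$2" ]; then
        echo "usage: boot_sync_report LOCAL_BOOT USB_BOOT" >&2
        return 2
    fi
    tmp=$(mktemp -d) || return 2
    boot_manifest "$1" > "$tmp/local"
    boot_manifest "$2" > "$tmp/usb"
    awk -F '\t' '
        FILENAME == ARGV[1] { l[$1] = $2; next }
        { u[$1] = $2 }
        END {
            for (f in l) {
                if (!(f in u)) print "MISSING_ON_USB " f
                else if (l[f] != u[f]) print "DIFFERS " f
            }
            for (f in u) if (!(f in l)) print "ONLY_ON_USB " f
        }' "$tmp/local" "$tmp/usb" | sort
    rm -rf "$tmp"
}

# Exit status 0 when both trees match, 1 (with the report) when they do not.
boot_in_sync() {
    report=$(boot_sync_report "$1" "$2") || return 2
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Example invocation: sh boot-sync.sh /boot /mnt/usbboot  (paths are placeholders)
if [ "$#" -eq 2 ]; then
    boot_in_sync "$1" "$2"
fi
```

Running it after a kernel update and before unplugging the drive shows whether the new kernel and initrd actually reached the removable copy.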
