I’m planning on encrypting my system with TrueCrypt; I’ll have multiple partitions. The scheme will be:
1GB for /boot (Unencrypted)
60GB for “/”. This partition will have password A.
8GB for “/swap”. This partition will have password B.
The rest (about 852GB) for /home, this partition will have password C.
I couldn’t find any conclusive help on the web, so I’m counting on people who already did it on openSUSE or any other Linux distro.
I plan to mount ALL partitions before boot, kind of like the way it works when you encrypt partitions using the default encryption tool, but I don’t want to use that.
> I plan to mount ALL partitions before boot, kind of like the same way
> when you encrypt partitions using the default encryption tool, but I
> don’t want to use that.
No, partitions are always mounted after boot.
Early, but after the kernel has control (thus booted), and it runs
scripts located in initrd.
–
Cheers / Saludos,
Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)
So there is a way of mounting all partitions with no problems at all (with TC)? All I want is to be able to mount them with no problems (/home, /swap etc)
> So there is a way of mounting all partitions with no problems at all
> (with TC)? All I want is to be able to mount them with no problems
> (/home, /swap etc)
I have never used TC.
I have a virtual machine where I’m attempting to set up encryption of
root without using LVM, but so far I’m stuck. Too much food on my
plate, meaning too many things to do.
–
Cheers / Saludos,
Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)
On Fri, 09 Aug 2013 13:06:01 +0000, amarildojr wrote:
> I plan to mount ALL partitions before boot
You probably won’t be able to do that, based on my experiences.
I attempted to add truecrypt (even a custom build with most of the
libraries statically linked) to initrd, and it just wouldn’t go.
You have to make the binary and several libraries available ahead of
startup, and the list just gets too long and complex. I did a custom
build of truecrypt to get rid of the GUI, and still found I had to link
in things like (IIRC) QT, which surprised me.
This is one thing I wish the Truecrypt folks would address - they do full
system encryption for Windows but not Linux, and they say they won’t do
it because they can’t provide full plausible deniability with Linux.
But not all of us need plausible deniability like that - we just want a
fully encrypted system.
Dare I ask why you don’t want to use the built-in encryption
functionality?
I have to admit that plausible deniability is a “must” for me. I don’t think they need to limit themselves to “if we can’t implement that feature, then we won’t implement almost the whole thing”. If they can implement system encryption, then they should do it.
> Dare I ask why you don’t want to use the built-in encryption
> functionality?
I’m doing extensive reading on that today. I’m looking for cryptanalysis of it, breaches, vulnerabilities etc.
The main reason is the fact that I can’t choose the algorithm upon install. If I’m able to customize my encryption settings, even after install, then I sure will use it. Also, I’m willing to learn about which places can contain data, like /tmp, /var, /swap and so on, and whether I’m able to encrypt those places.
From all I’m seeing there are few alternatives to TrueCrypt. If I stumble upon one I shall report how it went (the encryption process), with a tutorial as well.
On Fri, 09 Aug 2013 19:56:01 +0000, amarildojr wrote:
> I have to admit that plausible deniability is a “must” on my concepts. I
> don’t think they need to limit themselves on “if we can’t implement that
> feature than we won’t implement almost the whole thing”.
See, I’m not doing anything that requires deniability - I just want to
make sure the data is completely unrecoverable in the event of a head
crash (having lost a drive to a head crash and not being able to
selectively delete stuff like old tax returns after recovering them was a
problem for me - but the drive was under warranty so I was able to
exchange it for a new one, which ruled out destruction for me).
>> Dare I ask why you don’t want to use the built-in encryption
>> functionality?
>
> I’m doing extensive readings on that today. I’m looking for
> cryptanalisys of it, breaches, vulnerabilities etc.
Makes sense. I don’t think I’ve heard of any vulnerabilities, but having
flexibility in choosing the encryption algorithm is useful, I’ll agree.
> The main reason is the fact that I can’t chose the algorithm upon
> install. If I’m able to customize my encryption settings, even if after
> install, then I sure will use it. Also, I’m willing to learn about which
> places can contain data, like /tmp, /var, /swap and so on.
>
> For all I’m seeing there are few alternatives to TrueCrypt. If I stumble
> upon one I shall report how it went (the encryption process) with a
> tutorial as well.
Yeah, TrueCrypt does provide a lot of flexibility. I use my external
drive as a mounted data store after the system is up and running, so I
just manually mount it (the system stays on all the time anyways). I did
play with doing a bootable USB flash drive that could be used to boot,
but that’s where I ran into problems - even at installation - with
getting the installer to recognize the mounted-but-unformatted encrypted
drive.
Hmm
I had it yesterday, a replacement for TrueCrypt, from Bruce Schneier’s site. Now I have to find a way to encrypt “/” without using LVM, or at least learn how to re-install the system (with LVM) without losing my /home folder.
Yes, that is the default, with the addition of “RIPEMD-160” being the password hash. Not that I don’t trust these, but there are paid tools that claim to be able to break this specific combination.
The combination I want is “Serpent/Whirlpool” for my partitions.
Can’t believe I’m gonna have to go back to Windows LOL
On 2013-08-10 14:36, amarildojr wrote:
>
> Hmm
> I had it yesterday, a replacement for TrueCrypt, from Bruce Schneier’s
> site. Now I have to find a way to encrypt “/” without using LVM, or at
> least learn how to re-install the system (with LVM) without losing my
> /home folder.
Thank you, but backup isn’t an option. I’d rather have “/” and /home partitions separated (and both encrypted) so that in the case of a re-install my encrypted /home is still there.
I don’t know why openSUSE doesn’t offer an option to encrypt “/” without the need for LVM.
On 2013-08-10 15:36, amarildojr wrote:
>
> Hi Carlos.
>
> Thank you, but backup isn’t an option. I rather have “/” and /home
> partitions separated (and both encrypted) so that in the case of a
> re-install my encrypted /home is still there.
There is no other way I can think of - backup and reinstall fresh.
> I don’t know why openSUSE doesn’t offer an option to encrypt “/”
> without the need of LVM.
Me neither.
–
Cheers / Saludos,
Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)
Do the vendors claiming this provide documented evidence to support their claims?
I believe you can get the combination you desire. I checked on one openSUSE 12.3 box running a 3.7.10-1.16-desktop kernel, on which I ran modinfo serpent_generic and modinfo wp512, after which both were shown in cat /proc/crypto.
To view the available ciphers and hashes you can run ‘make menuconfig’ in /usr/src/linux and look under the Cryptographic API in the main kernel config menu.
I’m no expert in cryptsetup, but don’t you just need to load the modules to have them available to cryptsetup? If they were then added to the initrd, would this provide what you’re seeking?
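An added example, not code from the thread or from any of the posters, that performs the check the post above describes: it parses a listing in /proc/crypto format for the Serpent cipher and the wp512 (Whirlpool) hash entries, and prints the cryptsetup luksFormat invocation for the Serpent/Whirlpool combination asked for earlier in the thread. The two-entry listing embedded in the script is a constructed sample so it runs without root or a real kernel; /dev/sdaX is a placeholder device name.

```shell
#!/bin/sh
# Added example, not code from the thread: check a /proc/crypto listing for
# the kernel cipher and hash entries, then print (not run) the cryptsetup
# command that would create a Serpent/Whirlpool LUKS volume.

# Constructed sample in /proc/crypto format (two entries, blank-line
# separated). Substitute "$(cat /proc/crypto)" to query the running kernel.
SAMPLE_PROC_CRYPTO='name         : serpent
driver       : serpent-generic
module       : serpent_generic
priority     : 100
refcnt       : 1
selftest     : passed
type         : cipher
blocksize    : 16
min keysize  : 0
max keysize  : 32

name         : wp512
driver       : wp512-generic
module       : wp512
priority     : 0
refcnt       : 1
selftest     : passed
type         : shash
blocksize    : 64
digestsize   : 64'

# crypto_has LISTING NAME TYPE
# Succeeds if LISTING contains an entry whose "name" is NAME, whose "type"
# is TYPE (e.g. cipher, shash) and whose kernel self-test passed.
crypto_has() {
    printf '%s\n' "$1" | awk -v want="$2" -v wtype="$3" '
        /^name[ \t]*:/     { n = $NF; ok = 0 }
        /^selftest[ \t]*:/ { ok = ($NF == "passed") }
        /^type[ \t]*:/     { if (n == want && $NF == wtype && ok) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# luks_format_cmd DEVICE
# Prints the cryptsetup invocation for Serpent in XTS mode (512-bit key,
# i.e. two 256-bit halves) with Whirlpool as the PBKDF2 hash for the LUKS
# header. Only printed: luksFormat irrevocably overwrites the device.
luks_format_cmd() {
    printf 'cryptsetup luksFormat --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool %s\n' "$1"
}

# report LISTING DEVICE
# Prints one line per required kernel entry, with the module to load if it
# is missing, followed by the luksFormat command for DEVICE.
report() {
    listing=$1
    dev=$2
    for spec in "serpent cipher serpent_generic" "wp512 shash wp512"; do
        set -- $spec
        if crypto_has "$listing" "$1" "$2"; then
            printf '%-8s %-6s present\n' "$1" "$2"
        else
            printf '%-8s %-6s missing (try: modprobe %s)\n' "$1" "$2" "$3"
        fi
    done
    luks_format_cmd "$dev"
}

# Demonstration against the constructed listing; /dev/sdaX is a placeholder.
report "$SAMPLE_PROC_CRYPTO" /dev/sdaX
```

Two caveats for anyone adapting this. modinfo only prints a module's metadata; it is modprobe that loads it, and an entry only appears in /proc/crypto once the module is loaded (dm-crypt will also request the cipher and the xts wrapper itself at luksOpen time, so for a root device the modules need to be present in the initrd rather than pre-loaded). The kernel hash entry is the less important half of the check: the PBKDF2 key derivation for the LUKS header runs in userspace through cryptsetup's crypto backend, so whether "--hash whirlpool" works depends on that backend's Whirlpool support, not on the wp512 kernel module.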