USB encryption in Linux

Discussion in 'all things UNIX' started by raspb3rry, Dec 10, 2010.

Thread Status:
Not open for further replies.
  1. raspb3rry

    raspb3rry Registered Member

    Joined:
    Jun 8, 2010
    Posts:
    37
    What should be the best tool for encrypting a partition on an USB-pen in Linux?
    The program should preferable be CLI-based.

    Truecrypt is not an option, since I want to try something else.
     
  2. katio

    katio Guest

    cryptsetup
    It's Linux only, though there's a bit flaky implementation for Windows (FreeOTFE). If cross platform is important Truecrypt with a FAT partition is the only sensible option.
    If you don't need that cryptsetup is great, it comes preinstalled with most distros (the important part is right in the kernel, if the user space program is missing it's just one apt/yum away).

    You use it like:
    cryptsetup luksFormat /dev/sdb1
    cryptsetup luksOpen /dev/sdb1 somename
    format it with
    mkfs.fat /dev/mapper/somename
    then
    mount /dev/mapper/somename /mntpoint
    after using it
    umount /mountpoint
    cryptsetup luksClose somename
    (no guarantees, please read the man page, especially see the luksFormat section for different encryption options, don't use the wrong /dev/sd* or you ruin your hdd...)

    Next time you only need the luksOpen, mount, umount and luksClose commands.
    Modern distros/DEs also support it with graphical utilities (Ubuntu and Fedora GNOME editions do) but there you have the cli way.
     
  3. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
  4. firefox2008

    firefox2008 Registered Member

    Joined:
    May 17, 2007
    Posts:
    125
    Truecrypt
     
  5. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    More widely supported (Linux mainline kernel, NetBSD, and windows through FreeOTFE support it): LUKS

    Supposedly more cryptographically secure (edit: according to the author), but you'll have to patch your own kernel since it is not included in mainline: Loop-aes
     
    Last edited: Dec 11, 2010
  6. katio

    katio Guest

    That's what I already posted.
    "Supposedly" is the key. Got any sources to back that up?

    cryptsetup works with a lot of different ciphers, hashes, keysizes and modes.
    According to this README http://loop-aes.sourceforge.net/loop-AES.README
    loop-aes can only use AES with CBC and does not support ESSIV. XTS is where it's at now used by pretty much ever current encryption software except loop-aes. I haven't looked into loop-aes design in detail, I just see it got it's own way of protecting against watermarks by using gpg encrypted multi-key files so I'll refrain from making any conclusive statement whether it's actually weaker than LUKS/dm-crypt. But I'd expect the same in return, or hard data.
     
  7. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    No need to be confrontational here. As you are probably aware, cryptsetup was originally written without LUKS (and still can be used without it); a more enhanced version is now being maintained by Fruhwirth which includes support for LUKS (which looking on your post, your commands reference the newer enhanced version).
    You are correct. I said "supposedly," for a reason instead of "it is more secure" or "I believe it to be more secure." You really shouldn't tilt at windmills. Don Quixote is a poor role model ;)

    As for the author's claims that his is more secure, just read section eight of the readme you linked. That's what he says, and that's why I said "supposedly" due to the strength against the water mark attacks.

    In re XTS, yes it has become the latest fashion for
    on disk encryption. I've been lucky enough to use it since 2008 on my OpenBSD system, and FreeBSD STABLE just got it imported a few months ago so I'm using it on my laptop as well.

    Cheers,

    Alphalutra1 (the windmill)
     
  8. katio

    katio Guest

    I'm not trying to fight against you, honestly :) I admit my first comment was absolutely not needed and is explained by my agitation about point two.

    I'm just glad we clarified this. It wasn't about you, it's about those who read the thread who may mistake your statement as a fact instead of what it is, an assumption. And those are always dangerous for that very reason.

    It's true that dm-crypt was vulnerable to watermark attacks and loop-aes might have addressed that sooner (their archive doesn't reach back far enough to check that). But that's obsolete for about 6 years since ESSIV was introduced in the 2.6.10 kernel.

    BTW, what's your OpenBSD encryption setup look like? I remember doing some research on available FDE options a while back and wasn't too successful.
     
  9. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    I just edited it to make sure this won't happen; good suggestion since a little extra clarification is worth it to avoid confusion
    Full disk encryption still is a no go, but after reading a bit of the developers rationale behind their lack of motivation to program and support it, I'm ok with it. Their rationale goes that encrypting non-personal data components (binaries, ports trees, libs, etc.) does not gain any security since you are concerned with only your private data. Also, since these components are fairly standardized (eg /bin/sh on my system will be the same on my system as it will be on another install), they can serve as aids in decryption in full disk encryption since they are known to exist in your encrypted partition. Again, that's some of their rationale.

    On my system, I use softraid for the encryption of my data partitions, /var, and /tmp (swap is already encrypted by default so I don't have to do anything there). Though you could definitely encrypt everything except for / (which contains very little on an openbsd install due to the partitioning layout)

    Cheers,

    Alphalutra1
     
Loading...
Thread Status:
Not open for further replies.