Comments on: Disk Encryption on Linux

By: JC

JC — Thu, 18 Feb 2010 05:45:25 +0000

Yes, this is the same idea (a random password), but you will have to add a startup script to mount /tmp properly.

For instance, check :
http://www.maxsworld.org/index.php/how-tos/encrypt-tmp-swap-home

By: kirm

kirm — Wed, 17 Feb 2010 23:08:52 +0000

Hey! I tried your routine for encrypting a USB key and it worked but I couldn’t access it. I then realized I had to create a partition first and then go through the steps with the partition. So, to anyone out there, make sure you’ve created your partition before encrypting the key.

Works like a charm. Thanks a million!

BTW, I’m not to worried about encrypting the swap as I see that, with 4 GBs of memory, it doesn’t seem to be used but I sure would like to encrypt the /tmp and /var/tmp directories. Is there a way to do that in the same manner as your swap method (Don’t want to be bothered with passphrase)? I can do it in OpenSuse through the Partitioner but then I’m going to be prompted for 4 passphrases just to get to the login prompt.

By: JC

JC — Mon, 25 Aug 2008 17:22:16 +0000

I disagree. The user password is indeed stored in /, but it is a MD5 hash with a salt.
A md5 hash is not reversible.

Plus, if the password is strong enough, because of the salt, it will take much much more than 5 minutes to crack. Rainbow tables won’t help you.

So it is not yet a piece of cake to recover passwords from the /etc/shadow file, and that’s good news, otherwise it would be a major security issue for all Linux distribs (not only considering encryption).

The only solution left to the attacker is to brute force, but in that case it doesn’t differ much from brute forcing even a full encrypted disk (if the user password is tricky enough, as I recommended it in the article).

The attacker would better use a cold boot attack.

The goal of the article was suggestion an encryption that protect the user from 99% of thiefs that could steal a laptop and try to access to personal data (sure, not against government agencies with huge processing power).

I think it does, though a better alternative is to use hardware encryption.

Or maybe you have a way to crack the shadow passwords in a very short time ? I doubt, but if so, please share it.

By: anon

anon — Mon, 25 Aug 2008 14:57:42 +0000

This is so incredibly broken its beyond belief!!!!( For encrypting home)

I really hope that someone will read this comment before attempting to do encryption like this, because as given all these steps give no more security(ie none) than not using encryption.

The reasoning is simple, every users password has a “hash” or ID that is stored on the root “/” partition, and you are using this password to decrypt the encrypted /home partition.

If someone takes your laptop, they can extract the real password from the hash in roughly ~1-5min, then login to the system with it and have access to your “encrypted” home.

Not a good solution.

If you want to only use one password then encrypt the entire drive(including root partition) and setup a script to auto-login a user. Leaving the root partition un-encrypted then using information off of it to decrypt home is a recipe for disaster.

By: JC

JC — Thu, 22 Nov 2007 00:40:51 +0000

You are talking about the swap, right ?
Because the home partition is encrypted while the user log in.
Locking your machine while you go away will provide a quite good level of security.
About the swap, at boot time, it is empty – so nothing to get for someone who would boot your machine.
Ok, a hacker may access to the swap while the computer is on, but he fisrt needs an account on your machine…
So, it is globally a strong protection against steal, what is an important matter for a laptop owner nowadays.
Of course in no way it is a protection against a system hacking, but just another and important brick on your security wall.

By: Robbin

Robbin — Wed, 21 Nov 2007 17:12:15 +0000

What is the point? If it gets “unencrypted” at boot, it is still accessable to whoever steals your laptop or hacks your system. It’s not like someone is going to pluck your computer apart and then steal your harddrive.

By: JC

JC — Tue, 20 Nov 2007 09:00:55 +0000

Sorry, this is a typo – a space got inserted…
I should be :
-c aes-cbc-essiv:sh256

Now corrected in the article. Thanks !

By: Nick

Nick — Tue, 20 Nov 2007 01:18:50 +0000

on 7.10, i get an error trying this:
# cryptsetup luksformat -c aes -cbc -essiv:sh256 /dev/sda1
-essiv:sh256: unknown option

also tried –essiv:sh256 but I get the same error

By: egan

egan — Mon, 19 Nov 2007 09:55:02 +0000

There is another (and simpler) solution for encrypting a partition or a folder : http://www.tomatarium.pwp.blueyonder.co.uk/cryptkeeper.html

I use Cryptkeeper and this is very convenient.

By: JC

JC — Sun, 18 Nov 2007 20:59:44 +0000

Oh, sure ! Thank you for reporting, it is now corrected.