Want an easy to use Linux disk encryption scheme

11

4

In the interests of protecting personal info in case a laptop gets stolen, I'm looking for the best way to encrypt a Linux system.

Disadvantages of whole disk encryption including swap:

  • Pre-boot password prompt is kind of ugly and unpolished, appearing hidden amongst the boot messages (can something like Splashy handle this?)
  • Need to log in twice (if you have a GDM login screen and need multiple users)

Disadvantages of individual folder encryption using libpam-mount or similar:

  • Only the user's home folder is encrypted (whereas /etc, /var etc might contain sensitive information too).
  • Swap file isn't encrypted, so likely to be leakage of sensitive data in there
  • No way to securely hibernate.

I'm using Debian Linux if it matters. Doesn't need to be ridiculously secure, but want peace of mind that a thief cannot steal my identity, bank account details, VPN logins etc. if it is stolen while off/hibernating.

Do you know of ways to solve any of my above problems?

thomasrutter

Posted 2010-01-12T01:32:19.660

Reputation: 1 473
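The swap-leak concern in the question's second list can be checked on a running system. The following is an added example, not part of the original post: it classifies each active swap area by whether it sits directly on a dm-crypt mapping. The sample `/proc/swaps` and `dmsetup ls --target crypt` text is constructed, and the status labels are this example's own.

```python
import re

# Constructed sample of /proc/swaps (not from the page).
PROC_SWAPS = """\
Filename                                Type            Size    Used    Priority
/dev/dm-1                               partition       8388604 0       -2
/dev/dm-3                               partition       1048572 0       -3
/dev/sda5                               partition       4194300 0       -4
/swapfile                               file            2097148 1024    -5
"""

# Constructed sample of `dmsetup ls --target crypt`; both separator styles
# ("254:0" and "254, 1") are accepted.
DMSETUP_CRYPT = "sda2_crypt\t(254:0)\ncryptswap1\t(254, 1)\n"


def crypt_mappings(dmsetup_ls):
    """Map device-mapper minor number -> name for dm-crypt targets."""
    found = {}
    for line in dmsetup_ls.splitlines():
        m = re.match(r"(\S+)\s+\((\d+)[:,]\s*(\d+)\)\s*$", line)
        if m:
            found[int(m.group(3))] = m.group(1)
    return found


def audit_swap(proc_swaps, dmsetup_ls):
    """Classify every active swap area listed in /proc/swaps."""
    crypt = crypt_mappings(dmsetup_ls)
    report = []
    for line in proc_swaps.splitlines()[1:]:          # skip header row
        fields = line.split()
        if len(fields) < 5:
            continue
        path, kind = fields[0], fields[1]
        dm = re.fullmatch(r"/dev/dm-(\d+)", path)
        if dm and int(dm.group(1)) in crypt:
            status = "encrypted"                       # directly on dm-crypt
        elif path.startswith("/dev/mapper/") and path[12:] in crypt.values():
            status = "encrypted"
        elif dm or path.startswith("/dev/mapper/"):
            status = "check-stack"                     # e.g. LVM on top of LUKS
        elif kind == "file":
            status = "check-filesystem"                # depends on host filesystem
        else:
            status = "plaintext"                       # raw partition
        report.append((path, status))
    return report


if __name__ == "__main__":
    for path, status in audit_swap(PROC_SWAPS, DMSETUP_CRYPT):
        print(f"{status:17} {path}")
```

On a real machine, pass in the contents of `/proc/swaps` and the output of `dmsetup ls --target crypt` (run as root). A `check-stack` result means the swap device is a device-mapper node that is not itself a crypt target, so the layer underneath still has to be inspected.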

Answers

7

Your problem is a common one: mainly, the difficult balance between security and usability.

My suggestion is to use a slightly modified version of a mixed approach:

  • using cross-platform software like TrueCrypt, prepare one or more encrypted volumes for your personal data that you DO NOT use daily (bank details, saved passwords, medical records, etc.)
  • the reason to use more than one volume is that you might want to back them up on different media, or use different encryption schemes: for example, you might want to share your health records with somebody else and tell them your passphrase (which should be different from the one used for other volumes)
  • using a "standard" cross-platform software means you'll be able to recover your data from another OS on-the-fly, if your laptop is stolen/damaged
  • whole-disk encryption is often cumbersome and difficult. Although there are attacks for it (see the Evil Maid Attack), it turns out to be useful if you're afraid of what could happen if people have access to the whole system. For example, if you're using a company laptop, have no administrative access and there are VPN keys that should not get stolen.
  • cached passwords for mail/web/apps are another issue: perhaps you might want to encrypt only your home directory? To optimize performance and security/usability you could:
    • encrypt all home dir
    • softlink to a non-encrypted directory on your filesystem for data you don't care about losing (music, video, etc)

Again, do not forget that everything boils down to the value of what you have to lose, compared to the value of your time and cost of recovery.

lorenzog

Posted 2010-01-12T01:32:19.660

Reputation: 1 962

Your advice is all good, though for me personally I would rather go with dm-crypt/luks than Truecrypt simply because it is supported by my distro. In case you're interested, it is possible to decrypt and mount such a volume from Windows, or another boot disk now. – thomasrutter – 2010-01-20T01:10:24.740

Does TrueCrypt secure encrypted volumes during hibernation? – Craig McQueen – 2010-01-20T01:21:19.537

@thomasrutter: I understand. Being a mac user I preferred to go with a solution with a broader range of supported OSs at the time. – lorenzog – 2010-01-20T08:37:58.783

I've awarded the bounty to your answer because while it doesn't solve all my problems, it is helpful and contains some good pointers. Ta! – thomasrutter – 2010-01-21T01:19:06.737

2

I don't encrypt the whole hard drive, it's just too much of an admin/management thingie.

So I use dm-encrypt to create a logical encrypted partition.

I created a script around it, which I use daily, see if it helps you. I call this under .bashrc

http://bitbucket.org/chinmaya/linux-scripts/src/tip/ch-enc

chinmaya

Posted 2010-01-12T01:32:19.660

Reputation: 311

1

You can use a pen drive for storing encryption keys. For best security it should be password protected, but it doesn't have to be.

http://loop-aes.sourceforge.net/loop-AES.README look at example 7.

Maciek Sawicki

Posted 2010-01-12T01:32:19.660

Reputation: 1 072

Thanks for the suggestion, though I am uneasy about the USB stick getting stolen, lost, etc, I probably favour another password over it. – thomasrutter – 2010-01-12T07:20:36.110

1

I'm still relatively new to Linux, but I thought when you went to install the system there was a way to turn on whole-disk encryption. Also, TrueCrypt has a .deb package.

I haven't used disk encryption on Linux yet, so perhaps these options have problems like you describe above. As far as the multiuser logon, perhaps TrueCrypt can be set up to use a key file on a USB drive. That way all you need is the laptop and the USB drive to access the files on the laptop.

I'm still learning Linux myself, so I hope this helps.

Scott McClenning

Posted 2010-01-12T01:32:19.660

Reputation: 3 519

Yes, Debian (and probably other distros) can do whole disk encryption in the installer, and it is good too - but suffers from the problems in that first set of bullet points I posted. Other than that, this option (ie Luks volume with logical volumes on it) is probably the best option I'm aware of so far. – thomasrutter – 2010-01-12T03:17:12.623

0

What are you worried about? What attack vectors? Before you can get serious about security, you have to have answers to these two questions.

"Personal info" suggests that you are worried about things like identity theft, casual snoopers, &c. Something like keychain software is enough to protect bank login details, &c, but is impractical for large amounts of information.

If you have a lot of data you want to protect, information that you don't need fast access to, and for which you are willing to pay a small recurring fee, then Amazon's S4 is a good option, totally removing worries about physical access, so that security is reduced to key management, which, again, is adequately solved by keychain software. Amazon don't see the contents of what you store this way, but only the encrypted result. Of course this means that if you mess up and lose the keys, Amazon can't help you.

In the third case, where you want relatively fast access to a large amount of data, I recommend using not whole disk encryption, but whole partition encryption, per chinmaya's suggestion. Per directory encryption is a nuisance, and I don't recommend it: get the filing system to do the work.

Charles Stewart

Posted 2010-01-12T01:32:19.660

Reputation: 2 624

Attack vector: thief steals my notebook while it is either turned off or in hibernation mode. Thief wants to find out information about me, photos of me, or my passwords on various websites, what websites I visit or am a member of or bank at, etc. – thomasrutter – 2010-01-20T01:01:20.330