[Gllug] [OT] Disk Encryption

Richard Jones rich at annexia.org
Sat Mar 6 12:16:48 UTC 2010 

On Thu, Mar 04, 2010 at 06:36:09PM +0000, John Edwards wrote:
> On Thu, Mar 04, 2010 at 06:27:56PM +0000, Dennis Furey wrote:
> > On Thu, Mar 04, 2010 at 06:07:43PM +0000, Benjamin Donnachie wrote:
> >> On 4 March 2010 18:05, Dennis Furey <dennis at basis.uklinux.net> wrote:
> >>> Any reason no one has mentioned LUKS? It's well supported, based on
> >>> AES encryption, and I've used it for years without any issues.
> >> 
> >> I'm happy to be corrected, but I don't believe LUKS is available for MacOS.
> >
> > True, it's only for Linux. I didn't notice MacOS in the original
> > post. Back to lurking.
> 
> No worries.
> 
> How do you use LUKS?

I click the "encrypt the disk" box when installing Fedora :-)  Other
distros also support this.

Configuring LUKS manually is a bit of a pain in the derriere, although
I've done that too.  This seems to cover the basics:

http://feraga.com/library/howto_use_cryptsetup_with_luks_support_0

> Certain files, whole filesystem, root filesystem?

This depends a lot on your threat model.  If you just want to ensure
that thieves can't browse through the contents of your laptop if it is
stolen, then I would just use whole disk encryption (ie. check the
"encrypt the disk" box), and make sure you turn the laptop off instead
of suspending it when it's not under your control.

There's some performance penalty for encrypting data, so there is an
argument for not encrypting the OS volume (only /home).  However I
wouldn't bother with that: (a) the penalty is really small because
CPUs are very fast compared to hard drives, and (b) personal data can
be stored in parts of the OS volume (eg. /tmp or /var) unless you are
very careful.  Encrypting the whole lot is just much easier.

You should be aware that if you use whole-disk encryption on a server,
then you must be physically present to type in a passphrase when the
server boots.  For servers this is usually not so convenient!

For VMs, libvirt now supports storing encryption keys.  I've not
actually tried this feature, but I believe the idea is that libvirt
manages the secret passphrase and both keeps it secure and provides it
at boot time so no manual intervention is necessary.
(http://libvirt.org/formatstorageencryption.html)

Finally, if you want to hide personal / sensitive / illegal
information from authorities, then you would want a two-level system,
where you use another layer of encryption that cannot be detected or
you can plausibly deny knowledge of.  TrueCrypt can allegedly do this
(it's called a "hidden volume" -- I've never tried).  LUKS can't do
this, except by just obfuscating the file so it will still be quite
obvious to anyone looking that there is some encrypted data they
cannot read.  There's a BZ open for a long time for supporting hidden
volumes in Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=454855

Rich.

-- 
Richard Jones
Red Hat
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug

More information about the GLLUG mailing list