On Fri, 2008-02-15 at 18:09 -0500, Randy Barlow wrote:
> I am probably being paranoid, but I'd like to encrypt my /home/username
> folder on my laptop. I tried EncFS using [1], but KDE didn't seem to
> work under that setup because of the restriction that the filesystem
> doesn't support hardlinks. So now I am playing around with [2]. The
> only problem I have here is that it seems like I have to know in advance
> what size I want to use for my home folder (I am using a file as a
> loopback device rather than a partition, mostly because I already have a
> system up and don't want to mess with resizing partitions). Is there
> any way to resize the loopback device on the fly, or do you just have to
> create a new one and copy the files into it every time you need to resize?
>
> Another question I have: I am pretty new to ciphers. One thing I have
> learned is that the avalanche effect is desirable, meaning that one bit
> flipped in the plaintext should cause about half of the ciphertext bits
> to flip. Does the dm-crypt setup have much correlation between
> encryption blocks to where this avalanche effect would change the whole
> file, or just a few encryption blocks? To illustrate, I'm looking to
> encrypt probably something like 40 GB of data. If I change 1 bit
> somewhere in my plaintext, how many bytes of that 40 GB of total data on
> my loopback device should I expect that bit flip to have an effect on?
>
> Thanks for any enlightenment you can offer!
>
> [1] http://gentoo-wiki.com/HOWTO_Encrypt_Your_Home_Directory_Using_EncFS
> [2] http://gentoo-wiki.com/SECURITY_dmcrypt
>
|
1. dmcrypt allows online resizing. If it's a loopback device, just
expand it with dmcrypt, then the FS on top of it. If it's a partition/
logical volume, you have to expand this first.

2. With good ciphers, for example aes-lrw-benbi:sha256 (keysize 384)
dmcrypt should be fine. But you have to understand that it's encrypted
block by block. If you change one bit, only the block it's within is
changed. dmcrypt doesn't know about files and filesystems, it just knows
blocks. However, this doesn't mean that two blocks identical in
plaintext look exactly the same when encrypted. The encryption changes
after every block.

By the way, I use pam_mount and cryptsetup-luks to mount my encrypted
home-partition with my login password on the fly. If you want a short
howto and my configuration, just ask, I can answer again in 10 hours
(Sat Feb 16 19:00:00 UTC).
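
An added illustration of point 2 of the reply above, not part of the original mail and not dm-crypt code: a toy 16-byte tweakable block cipher (a SHA-256 Feistel network standing in for AES-LRW, with the block index as the tweak) shows that a one-bit plaintext change alters exactly one ciphertext block, while identical plaintext blocks still encrypt differently. The cipher construction, the key and the 4096-byte sample are assumptions made for the demonstration.

```python
import hashlib

BLOCK = 16  # cipher block size in bytes (same as AES)

def _f(key, index, rnd, half):
    # Round function keyed by the secret key and tweaked by the block index.
    msg = key + index.to_bytes(8, "big") + bytes([rnd]) + half
    return hashlib.sha256(msg).digest()[:BLOCK // 2]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(key, index, block):
    left, right = block[:8], block[8:]
    for rnd in range(8):
        left, right = right, _xor(left, _f(key, index, rnd, right))
    return left + right

def decrypt_block(key, index, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(8)):
        left, right = _xor(right, _f(key, index, rnd, left)), left
    return left + right

def crypt_device(key, data, block_fn):
    # Each block is processed on its own; only its index ties it to a position.
    return b"".join(block_fn(key, i // BLOCK, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))

def changed_blocks(a, b):
    return [i // BLOCK for i in range(0, len(a), BLOCK)
            if a[i:i + BLOCK] != b[i:i + BLOCK]]

def flipped_bits(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def demo():
    key = b"constructed demo key"   # constructed sample key
    plain = bytes(4096)             # constructed: 256 identical all-zero blocks
    before = crypt_device(key, plain, encrypt_block)
    edited = bytearray(plain)
    edited[1000] ^= 0x01            # flip one plaintext bit (byte 1000, block 62)
    after = crypt_device(key, bytes(edited), encrypt_block)
    distinct = len({before[i:i + BLOCK] for i in range(0, len(before), BLOCK)})
    return changed_blocks(before, after), flipped_bits(before, after), distinct

if __name__ == "__main__":
    blocks, bits, distinct = demo()
    print(f"changed blocks: {blocks}, bits flipped: {bits}/128, distinct: {distinct}/256")
```

Within the one changed block roughly half of the 128 bits flip, which is the avalanche effect the question asks about, confined to a single block rather than spread over the device.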