Gentoo Archives: gentoo-security

From: Florian Philipp <lists@××××××××××××××××××.net>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Encrypting a user home folder on a laptop
Date: Sat, 16 Feb 2008 09:05:14
Message-Id: 1203152670.6240.94.camel@NOTE_GENTOO64.PHHEIMNETZ
In Reply to: [gentoo-security] Encrypting a user home folder on a laptop by Randy Barlow
On Fri, 2008-02-15 at 18:09 -0500, Randy Barlow wrote:
> I am probably being paranoid, but I'd like to encrypt my /home/username > folder on my laptop. I tried EncFS using [1], but KDE didn't seem to > work under that setup because of the restriction that the filesystem > doesn't support hardlinks. So now I am playing around with [2]. The > only problem I have here is that it seems like I have to know in advance > what size I want to use for my home folder (I am using a file as a > loopback device rather than a partition, mostly because I already have a > system up and don't want to mess with resizing partitions). Is there > any way to resize the loopback device on the fly, or do you just have to > create a new one and copy the files into it every time you need to resize? > > Another question I have: I am pretty new to ciphers. One thing I have > learned is that the avalanche effect is desirable, meaning that one bit > flipped in the plaintext should cause about half of the ciphertext bits > to flip. Does the dm-crypt setup have much correlation between > encryption blocks to where this avalanche effect would change the whole > file, or just a few encryption blocks? To illustrate, I'm looking to > encrypt probably something like 40 GB of data. If I change 1 bit > somewhere in my plaintext, how many bytes of that 40 GB of total data on > my loopback device should I expect that bit flip to have an effect on? > > Thanks for any enlightenment you can offer! > > [1] http://gentoo-wiki.com/HOWTO_Encrypt_Your_Home_Directory_Using_EncFS > [2] http://gentoo-wiki.com/SECURITY_dmcrypt >
1. dmcrypt allows online resizing. If it's a loopback device, just expand it with dmcrypt, then the FS on top of it. If it's a partition/ logical volume, you have to expand this at first. 2. With good ciphers, for example aes-lrw-benbi:sha256 (keysize 384) dmcrypt should be fine. But you have to understand that it's encrypted block by block. If you change one bit, only the block it's within is changed. dmcrypt doesn't know about files and filesystems, it just knows blocks. However, this doesn't mean that two blocks identical in plaintext look exactly the same when encrypted. The encryption changes after every block. By the way, I use pam_mount and cryptsetup-luks to mount my encrypted home-partition with my login password on the fly. If you want a short howto and my configuration, just ask, I can answer again in 10 hours (Sat Feb 16 19:00:00 UTC).

Attachments

File name MIME type
signature.asc application/pgp-signature

Replies

Subject Author
Re: [gentoo-security] Encrypting a user home folder on a laptop Mansour Moufid <mansourmoufid@×××××.com>
Re: [gentoo-security] Encrypting a user home folder on a laptop Naga Toro <nagatoro@×××××.com>