| 1 |
On Fri, 2008-02-15 at 18:09 -0500, Randy Barlow wrote: |
| 2 |
> I am probably being paranoid, but I'd like to encrypt my /home/username |
| 3 |
> folder on my laptop. I tried EncFS using [1], but KDE didn't seem to |
| 4 |
> work under that setup because of the restriction that the filesystem |
| 5 |
> doesn't support hardlinks. So now I am playing around with [2]. The |
| 6 |
> only problem I have here is that it seems like I have to know in advance |
| 7 |
> what size I want to use for my home folder (I am using a file as a |
| 8 |
> loopback device rather than a partition, mostly because I already have a |
| 9 |
> system up and don't want to mess with resizing partitions). Is there |
| 10 |
> any way to resize the loopback device on the fly, or do you just have to |
| 11 |
> create a new one and copy the files into it every time you need to resize? |
| 12 |
> |
| 13 |
> Another question I have: I am pretty new to ciphers. One thing I have |
| 14 |
> learned is that the avalanche effect is desirable, meaning that one bit |
| 15 |
> flipped in the plaintext should cause about half of the ciphertext bits |
| 16 |
> to flip. Does the dm-crypt setup have much correlation between |
| 17 |
> encryption blocks to where this avalanche effect would change the whole |
| 18 |
> file, or just a few encryption blocks? To illustrate, I'm looking to |
| 19 |
> encrypt probably something like 40 GB of data. If I change 1 bit |
| 20 |
> somewhere in my plaintext, how many bytes of that 40 GB of total data on |
| 21 |
> my loopback device should I expect that bit flip to have an effect on? |
| 22 |
> |
| 23 |
> Thanks for any enlightenment you can offer! |
| 24 |
> |
| 25 |
> [1] http://gentoo-wiki.com/HOWTO_Encrypt_Your_Home_Directory_Using_EncFS |
| 26 |
> [2] http://gentoo-wiki.com/SECURITY_dmcrypt |
| 27 |
> |
| 28 |
|
| 29 |
1. dmcrypt allows online resizing. If it's a loopback device, just |
| 30 |
expand it with dmcrypt, then the FS on top of it. If it's a partition/ |
| 31 |
logical volume, you have to expand this at first. |
| 32 |
|
| 33 |
2. With good ciphers, for example aes-lrw-benbi:sha256 (keysize 384) |
| 34 |
dmcrypt should be fine. But you have to understand that it's encrypted |
| 35 |
block by block. If you change one bit, only the block it's within is |
| 36 |
changed. dmcrypt doesn't know about files and filesystems, it just knows |
| 37 |
blocks. However, this doesn't mean that two blocks identical in |
| 38 |
plaintext look exactly the same when encrypted. The encryption changes |
| 39 |
after every block. |
| 40 |
|
| 41 |
By the way, I use pam_mount and cryptsetup-luks to mount my encrypted |
| 42 |
home-partition with my login password on the fly. If you want a short |
| 43 |
howto and my configuration, just ask, I can answer again in 10 hours |
| 44 |
(Sat Feb 16 19:00:00 UTC). |
Archives