List Archive: gentoo-security
To: gentoo-security@g.o
From: Christian Spoo <mail@...>
Subject: Re: Encrypting a user home folder on a laptop
Date: Sat, 16 Feb 2008 08:47:54 +0100
Hi,

if you use dd like this:

dd if=/dev/null bs=1 seek=1GB of=/whatever

you're creating a so-called sparse file. Because of the seek parameter, the kernel knows that the file actually doesn't contain any information between the first byte and the byte after the first GB in the file. In this case the kernel doesn't allocate the whole space for the file on your filesystem. But if you tell dd to explicitly write zeroes into the file, the kernel must allocate all the space for the zeroes because it can't know that the zeroes are only placeholders.

For speed reasons it's thus far better to create loopback images from /dev/null than from /dev/zero.

You will notice that the amount of used disk space will increase each time you fill a byte in your sparse file. The kernel tries to optimize the sparse blocks so that the actual space consumption of the file is minimized. Note that the same sparse file consumes different amounts of disk space when stored on different file systems. Reiser3 is IMHO not best for storing such files. Ext3 and Reiser4 do better (they usually need less than 50 KB for storing such a file assuming it's really empty; Reiser3 could eat several MBytes because its algorithms for handling sparse files are not that good).

Regards,

Christian Spoo

On 16.02.2008 at 01:08, Randy Barlow wrote:

> bmicek@... wrote:
>> I spent time about a year ago looking into good encryption. At that
>> time, cryptsetup was the best bet. It's really easy to use. With
>> cryptsetup, you're best off encrypting an entire filesystem/partition so
>> there are no restrictions regarding size.
>>
>> As far as ciphers, there are three popular ones that are 256 bits in the
>> Linux kernel. You'll have to pick the one(s) you like best. Generally,
>> everyone agrees Serpent is the strongest, followed by AES then followed
>> by TwoFish. From my tests, performance of the algorithms is in reverse
>> order (meaning TwoFish is the fastest). Linux is a bit behind last I
>> checked regarding encryption modes of operation and seems to only offer
>> ECB or CBC. CBC is Chain Block Cipher and is based on an IV which is
>> like an index into your media. The IV is used to encrypt a block of
>> data so a previous identical block won't be identically encrypted. As
>> far as your question regarding one-bit changes, a one bit change will
>> have the effect you mentioned but only for one encrypted block.
>>
>> I'd recommend reading up on the ciphers to see what you like. There has
>> been some talk about TwoFish being broken; however, I find it hard to
>> believe. There has been a lot of talk about TrueCrypt on Linux. From
>> what I can tell, it seems a bit more advanced and supports different
>> (more modern?) modes of encryption.
>
> Thanks for the reply Brian! In a course I am taking this semester, we
> have learned the nitty gritty of AES, and I think I am pretty happy with
> that one given a long enough key (256 is way plenty!) I have been
> playing around with the creation of the file for the loopback block
> device for dm-crypt, and I have learned some surprising things about
> filesystems. Can anybody explain the following to me?
>
> If I create a file like this:
>
> dd if=/dev/zero bs=1000000000 count=1 of=/path/to/crypted/file
>
> it makes a file that takes up 1 GB of hard drive space. It takes a
> while to write to disk, and you will notice that the file is 1 GB with
> ls -l and you will also notice a change in the space for the partition
> using df.
>
> If I create a file like this:
>
> dd bs=1 seek=1GB if=/dev/null of=/path/to/crypted/file
>
> it makes a file that reports itself to be 1 GB long by ls -l, but
> doesn't seem to write 1 GB to the disk. Also, df doesn't report 1 GB
> less than before you run the command.
>
> What's happening here? I had assumed before I did this that the output
> of ls -l is the actual number of bits consumed by a file, but that
> doesn't seem to be the case anymore.
>
> I created a file using the second command, and now as I copy files into
> it I can see the disk space going down bit by bit. This is really what
> I wanted in the first place, but I am just confused as to what is really
> going on. Could anybody explain, please?
>
> --
> Randy Barlow
>
> --
> gentoo-security@g.o mailing list
PGP.sig (This is a digitally signed message part)
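The sparse-file behaviour Christian describes above, as an added example that is not part of the original thread: a POSIX shell script (assuming GNU dd and du on Linux; the directory and file names are made up) that creates a sparse image with the same dd seek trick, compares the apparent size ls -l reports with the blocks du reports as allocated, and then writes into the hole so you can watch the allocation grow. One caveat a practitioner should keep in mind for the dm-crypt use case in the thread: the holes in a sparse backing file are visible to anyone who can read the image, so which regions were ever written leaks even though the content of those regions is encrypted; is_sparse flags an image that still has such holes.

```shell
#!/bin/sh
# Added example (not from the original thread): apparent size vs. allocated
# blocks of a sparse loopback image. Assumes GNU coreutils (dd, du) on Linux.

# Create a sparse file of SIZE_MB MiB: dd reads nothing from /dev/null and
# only seeks, so the kernel records a hole instead of writing zeros.
make_sparse() {
    file=$1; size_mb=$2
    dd if=/dev/null of="$file" bs=1 seek=$((size_mb * 1024 * 1024)) 2>/dev/null
}

# Apparent size in bytes: the length ls -l reports.
apparent_bytes() {
    echo $(( $(wc -c < "$1") ))
}

# Allocated size in KiB: the blocks df actually loses for this file.
allocated_kb() {
    du -k "$1" | cut -f1
}

# Write COUNT_MB MiB from SRC at OFFSET_MB MiB into FILE without truncating it,
# which is what happens when data lands inside the sparse region.
fill_region() {
    file=$1; src=$2; offset_mb=$3; count_mb=$4
    dd if="$src" of="$file" bs=1048576 seek="$offset_mb" count="$count_mb" \
        conv=notrunc 2>/dev/null
}

# True (exit 0) if the file still has unallocated holes.
is_sparse() {
    [ $(( $(allocated_kb "$1") * 1024 )) -lt "$(apparent_bytes "$1")" ]
}

demo() {
    dir=$(mktemp -d)            # constructed scratch location
    img="$dir/crypted.img"
    make_sparse "$img" 32
    printf 'after seek:  apparent=%s bytes, allocated=%s KiB\n' \
        "$(apparent_bytes "$img")" "$(allocated_kb "$img")"
    fill_region "$img" /dev/urandom 0 8    # 8 MiB of "ciphertext" at the start
    printf 'after 8 MiB: apparent=%s bytes, allocated=%s KiB\n' \
        "$(apparent_bytes "$img")" "$(allocated_kb "$img")"
    fill_region "$img" /dev/zero 16 8      # explicit zeros allocate too
    printf 'after zeros: apparent=%s bytes, allocated=%s KiB\n' \
        "$(apparent_bytes "$img")" "$(allocated_kb "$img")"
    if is_sparse "$img"; then
        echo "image still has holes: a reader can tell which regions were never written"
    fi
    rm -rf "$dir"
}

demo
```

With GNU coreutils, truncate -s 1G FILE creates the same sparse file as the dd seek without the bs=1 detour. To remove the hole leak before using the image as a dm-crypt backing store, fill it once from /dev/urandom; that costs exactly the full allocation the thread wanted to avoid, which is the trade-off.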

Updated Jun 17, 2009


Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.