On Fri, 2008-02-15 at 18:09 -0500, Randy Barlow wrote:
> I am probably being paranoid, but I'd like to encrypt my /home/username
> folder on my laptop. I tried EncFS using , but KDE didn't seem to
> work under that setup because of the restriction that the filesystem
> doesn't support hardlinks. So now I am playing around with . The
> only problem I have here is that it seems like I have to know in advance
> what size I want to use for my home folder (I am using a file as a
> loopback device rather than a partition, mostly because I already have a
> system up and don't want to mess with resizing partitions). Is there
> any way to resize the loopback device on the fly, or do you just have to
> create a new one and copy the files into it every time you need to resize?
> Another question I have: I am pretty new to ciphers. One thing I have
> learned is that the avalanche effect is desirable, meaning that one bit
> flipped in the plaintext should cause about half of the ciphertext bits
> to flip. Does the dm-crypt setup have much correlation between
> encryption blocks to where this avalanche effect would change the whole
> file, or just a few encryption blocks? To illustrate, I'm looking to
> encrypt probably something like 40 GB of data. If I change 1 bit
> somewhere in my plaintext, how many bytes of that 40 GB of total data on
> my loopback device should I expect that bit flip to have an effect on?
> Thanks for any enlightenment you can offer!
>  http://gentoo-wiki.com/HOWTO_Encrypt_Your_Home_Directory_Using_EncFS
>  http://gentoo-wiki.com/SECURITY_dmcrypt
1. dmcrypt allows online resizing. If it's a loopback device, just
expand it with dmcrypt, then the FS on top of it. If it's a partition/
logical volume, you have to expand this first.
2. With good ciphers, for example aes-lrw-benbi:sha256 (keysize 384)
dmcrypt should be fine. But you have to understand that it's encrypted
block by block. If you change one bit, only the block it's within is
changed. dmcrypt doesn't know about files and filesystems, it just knows
blocks. However, this doesn't mean that two blocks identical in
plaintext look exactly the same when encrypted. The encryption changes
after every block.
By the way, I use pam_mount and cryptsetup-luks to mount my encrypted
home-partition with my login password on the fly. If you want a short
howto and my configuration, just ask, I can answer again in 10 hours
(Sat Feb 16 19:00:00 UTC).
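
An added illustration of point 2 above (not part of the original message, and not dm-crypt's code): a toy Feistel cipher tweaked by the block index stands in for a per-block tweaked mode such as LRW. The key, the data and all function names are constructed for this demo.

```python
import hashlib
import hmac

BLOCK = 16  # bytes per cipher block, the same size AES uses

def _round(key, tweak, rnd, half):
    # Round function: keyed hash over the block-index tweak, round number, half-block.
    msg = tweak + bytes([rnd]) + half
    return hmac.new(key, msg, hashlib.sha256).digest()[:BLOCK // 2]

def encrypt_block(key, index, block):
    """Toy 8-round Feistel permutation tweaked by the block index (NOT AES-LRW)."""
    tweak = index.to_bytes(8, "big")
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(8):
        f = _round(key, tweak, rnd, right)
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def encrypt_device(key, data):
    # Like dm-crypt, this sees only numbered blocks, never files or filesystems.
    return b"".join(encrypt_block(key, i // BLOCK, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))

def changed_blocks(a, b):
    return [i // BLOCK for i in range(0, len(a), BLOCK)
            if a[i:i + BLOCK] != b[i:i + BLOCK]]

def bit_diff(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

KEY = b"constructed demo key"
PLAIN = bytes(4096)  # constructed: 256 identical all-zero plaintext blocks

def demo():
    base = encrypt_device(KEY, PLAIN)
    flipped = bytearray(PLAIN)
    flipped[1000] ^= 0x01  # flip one bit; byte 1000 lies in block 62
    after = encrypt_device(KEY, bytes(flipped))
    blocks = changed_blocks(base, after)
    lo, hi = blocks[0] * BLOCK, (blocks[0] + 1) * BLOCK
    bits = bit_diff(base[lo:hi], after[lo:hi])
    distinct = len({base[i:i + BLOCK] for i in range(0, len(base), BLOCK)})
    return blocks, bits, distinct

if __name__ == "__main__":
    blocks, bits, distinct = demo()
    print("ciphertext blocks changed:", blocks)
    print("bits flipped inside that block:", bits, "of", BLOCK * 8)
    print("distinct ciphertexts for identical plaintext blocks:", distinct)
```

The avalanche effect shows up inside the one affected block, while the other 255 ciphertext blocks are untouched and no two of the identical plaintext blocks encrypt to the same bytes.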