List Archive: gentoo-security
Headers:
To: gentoo-security@g.o
From: Florian Philipp <lists@...>
Subject: Re: Encrypting a user home folder on a laptop
Date: Sat, 16 Feb 2008 10:04:30 +0100

On Fri, 2008-02-15 at 18:09 -0500, Randy Barlow wrote:
> I am probably being paranoid, but I'd like to encrypt my /home/username
> folder on my laptop.  I tried EncFS using [1], but KDE didn't seem to
> work under that setup because of the restriction that the filesystem
> doesn't support hardlinks.  So now I am playing around with [2].  The
> only problem I have here is that it seems like I have to know in advance
> what size I want to use for my home folder (I am using a file as a
> loopback device rather than a partition, mostly because I already have a
> system up and don't want to mess with resizing partitions).  Is there
> any way to resize the loopback device on the fly, or do you just have to
> create a new one and copy the files into it every time you need to resize?
> 
> Another question I have: I am pretty new to ciphers.  One thing I have
> learned is that the avalanche effect is desirable, meaning that one bit
> flipped in the plaintext should cause about half of the ciphertext bits
> to flip.  Does the dm-crypt setup have much correlation between
> encryption blocks to where this avalanche effect would change the whole
> file, or just a few encryption blocks?  To illustrate, I'm looking to
> encrypt probably something like 40 GB of data.  If I change 1 bit
> somewhere in my plaintext, how many bytes of that 40 GB of total data on
> my loopback device should I expect that bit flip to have an effect on?
> 
> Thanks for any enlightenment you can offer!
> 
> [1] http://gentoo-wiki.com/HOWTO_Encrypt_Your_Home_Directory_Using_EncFS
> [2] http://gentoo-wiki.com/SECURITY_dmcrypt
> 

1. dmcrypt allows online resizing. If it's a loopback device, just
expand it with dmcrypt, then the FS on top of it. If it's a partition/
logical volume, you have to expand that first.

2. With good ciphers, for example aes-lrw-benbi:sha256 (keysize 384),
dmcrypt should be fine. But you have to understand that it's encrypted
block by block. If you change one bit, only the block it's within is
changed. dmcrypt doesn't know about files and filesystems, it just knows
blocks. However, this doesn't mean that two blocks identical in
plaintext look exactly the same when encrypted. The encryption changes
after every block.

By the way, I use pam_mount and cryptsetup-luks to mount my encrypted
home-partition with my login password on the fly. If you want a short
howto and my configuration, just ask; I can answer again in 10 hours
(Sat Feb 16 19:00:00 UTC).
Attachment:
signature.asc (This is a digitally signed message part)
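
An added example, not part of the original message and not dm-crypt's code: a small Python model of the block-by-block behaviour described in the reply, using the LRW construction C = E(P xor X) xor X with X = F * I and a benbi-style block count. Assumptions: the 16-byte block cipher is a hypothetical HMAC-based Feistel stand-in for AES, the GF(2^128) bit ordering is simplified, and the keys, sector numbers and all-zero sector are constructed for the demo.

```python
import hashlib
import hmac

BLOCK, SECTOR = 16, 512      # cipher block / sector size in bytes
POLY = (1 << 128) | 0x87     # x^128 + x^7 + x^2 + x + 1

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(buf):
    return [buf[i:i + BLOCK] for i in range(0, len(buf), BLOCK)]

def gf_mul(a, b):
    """Multiply in GF(2^128) (bit ordering simplified for this model)."""
    r = 0
    while b:
        r ^= a * (b & 1)                      # add a if the low bit of b is set
        a = (a << 1) ^ (POLY * (a >> 127))    # multiply a by x, reduce on overflow
        b >>= 1
    return r

def toy_encrypt_block(key, block):
    """4-round Feistel over HMAC-SHA256: a stand-in for AES, not secure."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def lrw_encrypt_sector(key, tweak_key, sector_no, plaintext):
    """Encrypt one 512-byte sector: C = E(P xor X) xor X, X = F * I."""
    f = int.from_bytes(tweak_key, "big")
    out = b""
    for j, p in enumerate(blocks(plaintext)):
        index = sector_no * (SECTOR // BLOCK) + j + 1   # benbi-style count from 1
        x = gf_mul(f, index).to_bytes(BLOCK, "big")
        out += xor(toy_encrypt_block(key, xor(p, x)), x)
    return out

def demo():
    key, tweak_key = b"K" * 32, b"T" * 16    # constructed demo keys
    plain = bytes(SECTOR)                    # constructed all-zero sector
    base = lrw_encrypt_sector(key, tweak_key, 7, plain)
    flipped = plain[:100] + b"\x01" + plain[101:]   # one bit flipped in block 6
    after = lrw_encrypt_sector(key, tweak_key, 7, flipped)
    diff = [n for n, (a, b) in enumerate(zip(blocks(base), blocks(after))) if a != b]
    return diff, len(set(blocks(base))), base != lrw_encrypt_sector(key, tweak_key, 8, plain)
```

`demo()` returns the indices of the ciphertext blocks that changed after the bit flip, the number of distinct ciphertext blocks in the all-zero sector, and whether the same plaintext encrypts differently in another sector.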


Updated Jun 17, 2009

Summary: Archive of the gentoo-security mailing list.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.