Gentoo Archives: gentoo-security

From: bmicek@×××××××××.net
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Encrypting a user home folder on a laptop
Date: Fri, 15 Feb 2008 23:46:48
I spent time about a year ago looking into good encryption.  At that time, cryptsetup was the best bet.  It's really easy to use.  With cryptsetup, you're best off encrypting an entire filesystem/partition so there are no restrictions regarding size.

As far as ciphers, there are three popular ones that are 256 bits in the Linux kernel.  You'll have to pick the one(s) you like best.  Generally, everyone agrees Serpent is the strongest, followed by AES then followed by TwoFish.  From my tests, performance of the algorithms is in reverse order (meaning TwoFish is the fastest).  Linux is a bit behind last I checked regarding encryption modes of operation and seems to only offer ECB or CBC.  CBC is Chain Block Cipher and is based on an IV which is like an index into your media.  The IV is used to encrypt a block of data so a previous identical block won't be identically encrypted.  As far as your question regarding one-bit changes, a one bit change will have the effect you mentioned but only for one encrypted block.

I'd recommend reading up on the ciphers to see what you like.  There has been some talk about TwoFish being broken; however, I find it hard to believe.  There has been a lot of talk about TrueCrypt on Linux.  From what I can tell, it seems a bit more advanced and supports different (more modern?) modes of encryption.


On Friday February 15 2008 6:09 pm, Randy Barlow wrote:
> I am probably being paranoid, but I'd like to encrypt my /home/username
> folder on my laptop.  I tried EncFS using [1], but KDE didn't seem to
> work under that setup because of the restriction that the filesystem
> doesn't support hardlinks.  So now I am playing around with [2].  The
> only problem I have here is that it seems like I have to know in advance
> what size I want to use for my home folder (I am using a file as a
> loopback device rather than a partition, mostly because I already have a
> system up and don't want to mess with resizing partitions).  Is there
> any way to resize the loopback device on the fly, or do you just have to
> create a new one and copy the files into it every time you need to resize?
> Another question I have: I am pretty new to ciphers.  One thing I have
> learned is that the avalanche effect is desirable, meaning that one bit
> flipped in the plaintext should cause about half of the ciphertext bits
> to flip.  Does the dm-crypt setup have much correlation between
> encryption blocks to where this avalanche effect would change the whole
> file, or just a few encryption blocks?  To illustrate, I'm looking to
> encrypt probably something like 40 GB of data.  If I change 1 bit
> somewhere in my plaintext, how many bytes of that 40 GB of total data on
> my loopback device should I expect that bit flip to have an effect on?
> Thanks for any enlightenment you can offer!
> [1]
> [2]
> --
> Randy Barlow

-- gentoo-security@l.g.o mailing list
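
Added example (not from the thread and not dm-crypt's own code): a model of the per-sector CBC discussed above, measuring which ciphertext blocks differ after a one-bit plaintext change. The Feistel cipher is a constructed stand-in for AES/Serpent/Twofish, and the 512-byte sector with the sector number as IV is an assumption about the dm-crypt mode in use.

```python
import hashlib

BLOCK = 16    # cipher block size in bytes (as for AES, Serpent, Twofish)
SECTOR = 512  # assumption: each 512-byte sector is its own CBC chain

def _round(key, rnd, half):
    # Feistel round function: keyed SHA-256 truncated to half a block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def toy_encrypt_block(key, block):
    # Constructed 4-round Feistel permutation, a stand-in for a real cipher.
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        mixed = bytes(a ^ b for a, b in zip(left, _round(key, rnd, right)))
        left, right = right, mixed
    return left + right

def encrypt_sector(key, sector_no, plaintext):
    # CBC: XOR each plaintext block with the previous ciphertext block.
    # The IV is the sector number, so the chain restarts at every sector.
    prev = sector_no.to_bytes(BLOCK, "little")
    out = bytearray()
    for i in range(0, SECTOR, BLOCK):
        mixed = bytes(a ^ b for a, b in zip(plaintext[i:i + BLOCK], prev))
        prev = toy_encrypt_block(key, mixed)
        out += prev
    return bytes(out)

def encrypt_device(key, data):
    return b"".join(encrypt_sector(key, n, data[n * SECTOR:(n + 1) * SECTOR])
                    for n in range(len(data) // SECTOR))

def changed_blocks(key, data, byte_offset, bit=0):
    """Flip one plaintext bit; return indexes of ciphertext blocks that differ."""
    flipped = bytearray(data)
    flipped[byte_offset] ^= 1 << bit
    before = encrypt_device(key, data)
    after = encrypt_device(key, bytes(flipped))
    return [i // BLOCK for i in range(0, len(before), BLOCK)
            if before[i:i + BLOCK] != after[i:i + BLOCK]]

if __name__ == "__main__":
    key = b"constructed demo key"
    data = bytes(4 * SECTOR)  # constructed sample: four all-zero sectors
    for offset in (0, 700, 511):
        blocks = changed_blocks(key, data, offset)
        print(f"bit flip at byte {offset}: blocks {blocks[0]}..{blocks[-1]} "
              f"({len(blocks) * BLOCK} of {len(data)} bytes changed)")
```

In this model the change runs from the modified 16-byte block to the end of its 512-byte sector and never crosses into the next sector, whatever the total size of the device.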

