On Saturday, 6 June 2020 08:49:54 BST Dale wrote:
> J. Roeleveld wrote:
> > On 6 June 2020 06:37:23 CEST, Dale <rdalek1967@×××××.com> wrote:
> >> Howdy,
> >>
> >> I think I got an old 3TB hard drive to work. After dd'ing it, redoing
> >> partitions and such, it seems to be working. Right now, I'm copying a
> >> bunch of data to it to see how it holds up. Oh, it's a PMR drive too.
> >> lol Once I'm pretty sure it is alive and working well, I want to play
> >> with encryption. At some point, I plan to encrypt /home. I found a bit
> >> of info with startpage but some is dated. This is one link that seems
> >> to be from this year, at least updated this year.
> >>
> >> https://linoxide.com/linux-how-to/encrypt-linux-filesystem/
> >>
> >> It seems like a nice one since it has commands and what it should look
> >> like when it is performing the commands. I like knowing what I'm doing
> >> sort of matches what the howto shows. It also seems to use LVM which I
> >> will be using as well. I think I can follow that and get a working
> >> encrypted storage. Later, I can attempt this on /home without doing it
> >> blind. I also have the options in the kernel as well. I'll post them
> >> at the bottom. I enabled quite a lot a while back. ;-)
> >>
> >> Is this a secure method or is there a more secure way? Are there any
> >> known issues with using this? Anyone here use this method? Keep in
> >> mind, LVM. BTRFS, SP?, may come later.
> >>
> >> One other question, can one change the password every once in a while?
> >> Or once set, you're stuck with it from then on?
> >>
> >> If anyone has links to even better howtos, I'd love to check them out.
> >>
> >> Dale
> >>
> >> :-) :-)
> >>
> >> root@fireball / # zcat /proc/config.gz | grep crypt | grep =y
> >> CONFIG_ARCH_HAS_MEM_ENCRYPT=y
> >> CONFIG_DM_CRYPT=y
> >> CONFIG_CRYPTO=y
> >> CONFIG_CRYPTO_ALGAPI=y
> >> CONFIG_CRYPTO_ALGAPI2=y
> >> CONFIG_CRYPTO_AEAD=y
> >> CONFIG_CRYPTO_AEAD2=y
> >> CONFIG_CRYPTO_SKCIPHER=y
> >> CONFIG_CRYPTO_SKCIPHER2=y
> >> CONFIG_CRYPTO_HASH=y
> >> CONFIG_CRYPTO_HASH2=y
> >> CONFIG_CRYPTO_RNG=y
> >> CONFIG_CRYPTO_RNG2=y
> >> CONFIG_CRYPTO_RNG_DEFAULT=y
> >> CONFIG_CRYPTO_AKCIPHER2=y
> >> CONFIG_CRYPTO_AKCIPHER=y
> >> CONFIG_CRYPTO_KPP2=y
> >> CONFIG_CRYPTO_ACOMP2=y
> >> CONFIG_CRYPTO_MANAGER=y
> >> CONFIG_CRYPTO_MANAGER2=y
> >> CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
> >> CONFIG_CRYPTO_GF128MUL=y
> >> CONFIG_CRYPTO_NULL=y
> >> CONFIG_CRYPTO_NULL2=y
> >> CONFIG_CRYPTO_CRYPTD=y
> >> CONFIG_CRYPTO_AUTHENC=y
> >> CONFIG_CRYPTO_SIMD=y
> >> CONFIG_CRYPTO_GLUE_HELPER_X86=y
> >> CONFIG_CRYPTO_RSA=y
> >> CONFIG_CRYPTO_ECHAINIV=y
> >> CONFIG_CRYPTO_CBC=y
> >> CONFIG_CRYPTO_ECB=y
> >> CONFIG_CRYPTO_LRW=y
> >> CONFIG_CRYPTO_XTS=y
> >> CONFIG_CRYPTO_NHPOLY1305=y
> >> CONFIG_CRYPTO_NHPOLY1305_SSE2=y
> >> CONFIG_CRYPTO_NHPOLY1305_AVX2=y
> >> CONFIG_CRYPTO_ESSIV=y
> >> CONFIG_CRYPTO_HMAC=y
> >> CONFIG_CRYPTO_CRC32C=y
> >> CONFIG_CRYPTO_XXHASH=y
> >> CONFIG_CRYPTO_BLAKE2B=y
> >> CONFIG_CRYPTO_CRCT10DIF=y
> >> CONFIG_CRYPTO_MD5=y
> >> CONFIG_CRYPTO_RMD128=y
> >> CONFIG_CRYPTO_RMD160=y
> >> CONFIG_CRYPTO_RMD256=y
> >> CONFIG_CRYPTO_RMD320=y
> >> CONFIG_CRYPTO_SHA1=y
> >> CONFIG_CRYPTO_SHA1_SSSE3=y
> >> CONFIG_CRYPTO_SHA256_SSSE3=y
> >> CONFIG_CRYPTO_SHA512_SSSE3=y
> >> CONFIG_CRYPTO_SHA256=y
> >> CONFIG_CRYPTO_SHA512=y
> >> CONFIG_CRYPTO_WP512=y
> >> CONFIG_CRYPTO_AES=y
> >> CONFIG_CRYPTO_AES_TI=y
> >> CONFIG_CRYPTO_ARC4=y
> >> CONFIG_CRYPTO_BLOWFISH=y
> >> CONFIG_CRYPTO_BLOWFISH_COMMON=y
> >> CONFIG_CRYPTO_BLOWFISH_X86_64=y
> >> CONFIG_CRYPTO_CAMELLIA=y
> >> CONFIG_CRYPTO_CAMELLIA_X86_64=y
> >> CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=y
> >> CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=y
> >> CONFIG_CRYPTO_DES=y
> >> CONFIG_CRYPTO_SERPENT=y
> >> CONFIG_CRYPTO_SERPENT_SSE2_X86_64=y
> >> CONFIG_CRYPTO_TWOFISH=y
> >> CONFIG_CRYPTO_TWOFISH_COMMON=y
> >> CONFIG_CRYPTO_TWOFISH_X86_64=y
> >> CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y
> >> CONFIG_CRYPTO_ANSI_CPRNG=y
> >> CONFIG_CRYPTO_DRBG_MENU=y
> >> CONFIG_CRYPTO_DRBG_HMAC=y
> >> CONFIG_CRYPTO_DRBG=y
> >> CONFIG_CRYPTO_JITTERENTROPY=y
> >> CONFIG_CRYPTO_USER_API=y
> >> CONFIG_CRYPTO_USER_API_HASH=y
> >> CONFIG_CRYPTO_USER_API_SKCIPHER=y
> >> CONFIG_CRYPTO_USER_API_RNG=y
> >> CONFIG_CRYPTO_LIB_AES=y
> >> CONFIG_CRYPTO_LIB_ARC4=y
> >> CONFIG_CRYPTO_LIB_DES=y
> >> CONFIG_CRYPTO_LIB_POLY1305_GENERIC=y
> >> CONFIG_CRYPTO_LIB_SHA256=y
> >> CONFIG_CRYPTO_HW=y
> >> root@fireball / #
> >>
> >> Just wanted to have a few extras. ROFL

Nowt wrong with that, as long as you remember MD5, SHA1 and some other
offerings from your list above have been compromised and should not be used if
strong encryption/integrity is required.


> > A gentoo centric manual/howto:
> >
> > https://wiki.gentoo.org/wiki/Dm-crypt
>
> Thanks for both replies. I found one other Gentoo one but it was
> encrypting the whole thing, /boot and all, plus they used efi. I didn't
> find the one you linked to.
>
> First drive seems to have died. Got part way copying files and things
> got interesting. When checking smartctrl, it even puked on my
> keyboard. Drive only had a few hundred hours on it so maybe the drive
> was iffy from the start or that enclosure did damage somehow. Either
> way, drive two being tested. Running smartctrl test first and then
> restart from scratch and fill it up with files or something.
>
> Thanks much.
>
> Dale
>
> :-) :-)

There is also ecryptfs, kernel ext4 fs encryption, CryFS, if encrypting a
directory/file may be desired, rather than encrypting a whole block device.
CryFS in particular supports cloud storage as a use case.

I have not tried any of them and don't know how they compare. I wanted to
look into ext4 native kernel encryption, but the Gentoo wiki only describes a
systemd-centric implementation. :-(

Of particular interest to me is recovery of encrypted files/partitions, using
a different installation than the original. Having to keep a copy of the
original installation kernel keys for ext4 with any data backups and
additionally remembering to refresh them every time a new kernel is installed,
adds to the user-un-friendliness of an encryption method.

For block level encryption there's also veracrypt.

https://wiki.gentoo.org/wiki/User:Maffblaster/Drafts/eCryptfs
https://wiki.gentoo.org/wiki/Ext4_encryption
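The reply above answers Dale's "is this secure?" question by pointing at MD5 and SHA1 in his `zcat /proc/config.gz` listing. The following script is an added example, not code from this thread or from any of the linked wikis: it audits a config listing in that same `CONFIG_CRYPTO_*=y` format and reports which weak-primitive options are built in. The choice of which options count as weak (MD5, SHA-1, RC4, single DES and ECB mode) is this example's own, beyond the MD5 and SHA1 the reply names, and the sample config is a constructed subset of Dale's list.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a kernel config listing of the
# kind `zcat /proc/config.gz | grep crypt | grep =y` prints and flags the
# crypto options that implement broken or deprecated primitives.

# Constructed sample: a subset of the options Dale posted.
SAMPLE_CONFIG='CONFIG_DM_CRYPT=y
CONFIG_CRYPTO_XTS=y
CONFIG_CRYPTO_MD5=y
CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_ARC4=y
CONFIG_CRYPTO_DES=y
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_ECB=y'

# This list is the example's own selection (the thread names only MD5 and
# SHA1 explicitly): MD5 and SHA-1 have practical collision attacks, RC4 (ARC4)
# and single DES are weak ciphers, and ECB mode leaks plaintext structure.
# Having them compiled in is harmless by itself; the point is to keep them
# out of any new LUKS/dm-crypt, HMAC or signing configuration.
WEAK_OPTIONS='CONFIG_CRYPTO_MD5 CONFIG_CRYPTO_SHA1 CONFIG_CRYPTO_ARC4 CONFIG_CRYPTO_DES CONFIG_CRYPTO_ECB'

# audit_kconfig CONFIG_TEXT
# Prints every weak option that is built in (=y) or modular (=m), one per
# line, in WEAK_OPTIONS order. Exit status 0 when none are enabled, 1 otherwise.
audit_kconfig() {
    hits=''
    for opt in $WEAK_OPTIONS; do
        # Anchor on the full option name plus "=" so that CONFIG_CRYPTO_SHA1
        # does not also match CONFIG_CRYPTO_SHA1_SSSE3 (an accelerated
        # implementation of the same algorithm; add it to WEAK_OPTIONS if
        # you want it reported too).
        if printf '%s\n' "$1" | grep -Eq "^${opt}="'(y|m)$'; then
            hits="${hits}${opt}
"
        fi
    done
    printf '%s' "$hits"
    [ -z "$hits" ]
}

# Run against the constructed sample. On a live system with CONFIG_IKCONFIG_PROC
# the input would be "$(zcat /proc/config.gz)" instead.
if audit_kconfig "$SAMPLE_CONFIG"; then
    echo "no weak crypto primitives enabled"
else
    echo "weak primitives are built in; check which ones a LUKS volume actually uses with: cryptsetup luksDump <device>"
fi
```

A built-in weak algorithm only matters if something selects it, so the useful follow-up on a real system is `cryptsetup luksDump` on the encrypted device, which shows the cipher, mode and hash the volume was set up with, rather than the kernel config alone.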