Re: [opensuse-security] Encrypted Hard Drive
The Monday 2007-09-24 at 20:14 -0700, Kai Ponte wrote:
> > > Can anyone say what level or form of encryption is used on the encrypted
> > > filesystems (ext3) under opensuse 10.2?
> > The line in fstab for encrypted partitions (created by YaST) includes the
> > phrase
> > encryption=twofish256
> > There might be other choices, I'm not sure, but that is what YaST seemed to
> > default to.
> That is what the Novell guys thought, too.
However, there are many more possibilities. The man page is hidden under
    Enable data encryption. Following encryption types are recognized:

    NONE        Use no encryption (default).
    XOR         Use a simple XOR encryption.
                Use 128 bit AES encryption. Password is hashed with
                SHA-256 by default.
    AES192      Use 192 bit AES encryption. Password is hashed with
                SHA-384 by default.
    AES256      Use 256 bit AES encryption. Password is hashed with
                SHA-512 by default.
    twofish128 twofish160 twofish192 twofish256
    blowfish128 blowfish160 blowfish192 blowfish256
    serpent128 serpent192 serpent256 mars128 mars192
    mars256 rc6-128 rc6-192 rc6-256 tripleDES
                These encryption types are available if they are
                enabled in kernel configuration or corresponding
                modules have been loaded.
Then there are more options with obscure effects:

    Sets encryption password seed pseed which is appended to user
    supplied password before hashing. Using different seeds for
    different partitions makes dictionary attacks slower but does
    not prevent them if user supplied password is guessable. Seed
    is not used in multi-key mode.
Then, there is something named "multi-key mode", which is not explained. The
man page assumes you already know the subject and only need a refresher
- which is not the case. :-(
This document explains how to create encrypted file systems using the
Cryptoloop functionality. Cryptoloop is part of the CryptoAPI in the 2.6
Linux kernel series.

This HOWTO describes how to use the Cryptoloop loop device encryption in
the 2.6 Linux kernel series. Cryptoloop makes it possible to create encrypted
file systems within a partition or another file in the file system. These
encrypted files can then be moved to a CD, DVD, USB memory stick, etc.
Cryptoloop makes use of the loop device. This device is a pseudo-device which
serves as a "loop" through which each call to the file system has to pass.
This way, data can be processed in order to encrypt and decrypt it. Since
kernel 2.6, the Crypto API has been integrated into the main kernel, and
setting up an encrypted file system has become much easier. No additional
kernel patches are required. An update of some userspace utilities is
necessary. Unfortunately, the use of Cryptoloop is not very well documented
so far. This HOWTO is an attempt to make it easy for everyone to create an
encrypted file system using the standard Cryptoloop functionality. Cryptoloop
is based on the Crypto API in the 2.6 Linux kernel. It should not be confused
with Loop-AES, which is a completely separate project. Cryptoloop is similar
to the Crypto API that was available as a separate patch for the 2.4 kernel
series. The new version is not compatible with the older one.
Note from the 10.3 release notes:
It is still possible to use cryptoloop via losetup and mount. Since we
dropped the crude loop-AES patch from the util-linux package, some
parameters for losetup (such as itercountk and pseed) no longer exist. If
any of these settings are used in /etc/fstab the device cannot be mounted
directly any more. Migrate these settings to /etc/crypttab where boot.crypto
contains the necessary compatibility code.
A method is described for encrypting a hard disk, either in whole or in part,
with the encryption key stored on an external medium for increased security.
(written for kernel 2.4)
This document explains how to make your personal data secure by encrypting
your Linux root filesystem using strong cryptography.
Carlos E. R.
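The man page excerpt above says the seed (pseed) is appended to the user-supplied password before hashing, with SHA-256/384/512 paired with AES128/192/256, and that different seeds per partition slow dictionary attacks without stopping them. This added example (not code from the thread or from util-linux/loop-AES) models only that description: it assumes the hash-to-key-size mapping is used as stated and that the digest is truncated to the key length; the real loop-AES derivation has further steps (such as itercountk) that this model omits.

```python
import hashlib

# Hash named as default for each AES key size in the quoted man page.
HASH_FOR_BITS = {128: "sha256", 192: "sha384", 256: "sha512"}


def derive_key(password: str, pseed: str = "", key_bits: int = 128) -> bytes:
    """Simplified model of the man page text: hash(password + pseed).

    Truncating the digest to the key length is an assumption of this
    example, not something the man page states.
    """
    h = hashlib.new(HASH_FOR_BITS[key_bits])
    h.update((password + pseed).encode("utf-8"))
    return h.digest()[: key_bits // 8]


# Constructed sample: two partitions sharing one password but using
# different seeds, the situation the man page recommends.
PARTITIONS = {
    "/dev/sda5": {"password": "letmein", "pseed": "home-seed"},
    "/dev/sda6": {"password": "letmein", "pseed": "data-seed"},
}


def partition_keys(partitions: dict) -> dict:
    """Key per partition; same password, different seed -> different key."""
    return {dev: derive_key(p["password"], p["pseed"])
            for dev, p in partitions.items()}


def keys_are_distinct(partitions: dict) -> bool:
    keys = list(partition_keys(partitions).values())
    return len(set(keys)) == len(keys)


# Constructed short wordlist standing in for a dictionary of common passwords.
WORDLIST = ["password", "123456", "letmein", "qwerty"]


def wordlist_check(target_key: bytes, pseed: str, key_bits: int = 128):
    """Shows the man page's caveat: each seed forces the list to be hashed
    again (no table shared across partitions), but a guessable password is
    still found. Returns (hashes computed, matched word or None)."""
    for n, word in enumerate(WORDLIST, start=1):
        if derive_key(word, pseed, key_bits) == target_key:
            return n, word
    return len(WORDLIST), None
```

Running wordlist_check with the wrong seed finds nothing, which is exactly the "slower but not prevented" effect the man page describes; using a password not in any wordlist is what actually prevents it.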