Locking Up Linux, Creating a Cryptobook

Tom's Hardware has a nice overview about some of the latest ways to secure your data looking specifically at open source solutions that wont lock down your credit card. Since many people presented performance issues for why they don't implement encryption there was also special attention given to how well your system will perform after implementation of encryption. From the article: "At least where LUKS is concerned, performance is hardly an issue - one must expect to pay some penalty for additional encryption facilities that handle unencrypted data transparently. All of these solutions are simple to set up and use on a daily basis, but LUKS is portable across Windows and Linux platforms."

Re:encryption vs security

[CastrTroy]

Well, I'm running an encrypted swap partition, and frankly, I haven't noticed any slow down. Granted, I have 1 gig of RAM, so I don't go into swap too often, but I find that it doesn't actually slow down your computer too much. You might notice if you don't have enough RAM, or if you encrypt your home partition, and then try to use if for video editing and other hard storage usage applications. However, if your using it on your laptop for business, you probably won't notice much of a difference.

TrueCrypt?

[SirClicksalot]

A pity they don't mention TrueCrypt [truecrypt.org].

Besides encrypting your data, TrueCrypt can also create hidden volumes:
"The principle is that a TrueCrypt volume is created within another TrueCrypt volume (within the free space on the volume). Even when the outer volume is mounted, it is impossible to prove whether there is a hidden volume within it or not, because free space on any TrueCrypt volume is always filled with random data when the volume is created* and no part of the (dismounted) hidden volume can be distinguished from random data. Note that TrueCrypt does not modify the file system (information about free space, etc.) within the outer volume in any way."

So even if you reveal your password, the hidden volume stays safe. Not a bad feature, considering it is a crime in many countries to refuse to give your encryption key to the authorities...

Re:encryption vs security

[Anonymous Coward]

"But remember, encrypted filesystems are vulnerable to cryptanalysis since they contain specific information at specific blocks even if encrypted(ext3 header etc..)"

If the encyrption is done properly, then naturally whole partition is encrypted (including ext3 header etc..).

"Performance WILL be an issue, don't be blinded with those luks graphs"

No it won't, unless you will run a file server or something similar. Do you think that in the average use it will matter wherever your HDD's read speed is 20MB/s instead of 50MB/s?

Re:encryption vs security

[Anonymous Coward]

Not only is the parent post not insightful, it's just plain wrong. A correctly implemented encrypted disk won't have "specific information at specific blocks", and unless you routinely run your computer at full-steam all the time, performance WON'T be an issue.

Formats and upgrades

[pe1chl]

A problem with Linux encrypted partitions is that there are several formats, and no migration path.
As usual, when new and better solutions are developed, the Linux developer scene does not really care about backward compatability. The new method is sooo good that the old one should be left in the dust and its adopters must backup and restore.
Developers who suggest backup and restore must be unaware of the current market situation w.r.t. backup solutions and their capacity vs that of IDE disks...

Recently I decided to move two disks from my main system, encrypted under SuSE 9.2, to another box that I want to dedicate to background storage.
I remembered that I had read about some issue in 9.3, but I believed that it had been long solved so I installed SUSE 10.0 on this new box.

There was NO WAY I could get the disks mounted. I tried all the tricks found in several articles on Internet, but I kept getting errors.
The SuSE knowledge base stated that everything would be fine when I just upgraded the OS, but I don't believe that because I tried the solutions equivalent to what would happen when upgrading. I don't want to risk it.

Finally, the only solution was to install 9.2 on the new box, and the disks worked OK. Then, I have bought more disks (as was the plan) and copied the data from encrypted to unencrypted disks. Next step will be to install 10.0 again, but I am not so sure if I will encrypt the disks again as the 10.0 system is (I believe) not LUKS so probably at 11.0 I will again face the same problem because the "all new and better LUKS" is now the supported system.

I will not even think about what would happen when I would want to change the distribution from SuSE to RedHat or Ubuntu or whatever.
Chances must be about zero that I can still access the data.

There is not even a tool that would in-place decrypt (or encrypt, for that matter) the data on a partition. Even when one wants to take the risk that it interrupts halfway and destroys everything. So you always need a source and destination device with enough space.

Please keep this in mind before you encrypt your terabyte volumes...