chrism Guru
Joined: 15 Jul 2004 Posts: 526
Posted: Mon Oct 25, 2004 2:24 pm Post subject: Securing home partition
Hi,
what is the best way to secure my home directory? If I encrypt my whole partition, which method would be the best?
Thanks,
Chris

inode77 Veteran
Joined: 20 Jan 2004 Posts: 1303 Location: Heart of Europe
Posted: Mon Oct 25, 2004 9:37 pm
I recommend dm_crypt and the newest baselayout to automate as far as possible.

chrism Guru
Joined: 15 Jul 2004 Posts: 526
Posted: Wed Nov 10, 2004 9:51 pm
How secure would that be? Is it possible to break into it when I am using a 20 character password?
Chris

inode77 Veteran
Joined: 20 Jan 2004 Posts: 1303 Location: Heart of Europe
Posted: Wed Nov 10, 2004 10:14 pm
The partition is only vulnerable if it's mounted, so keep those times as short as possible. You can choose what algorithm is used for hashing and encrypting/decrypting, so it's as safe as it can be for somebody that can't understand the maths to their full extent behind the theory (like me).
I'd say the ratio data value to data security for normal home user data is good enough.

tuxophil Tux's lil' helper
Joined: 29 Jun 2003 Posts: 80 Location: Diddeleng, Lëtzebuerg
Posted: Tue Jan 04, 2005 1:23 pm Post subject: Re: Securing home partition
yellowhippy wrote:
> what is the best way to secure my home directory? If I encrypt my whole partition, which method would be the best

Shameless plug: you could have a look at my howto on using pam_mount to mount your encrypted home. It has the disadvantage that your home will nearly always be mounted. The obvious advantage is that there's no additional password involved.

aspenhydrowave n00b
Joined: 08 Dec 2004 Posts: 41
Posted: Sat Jan 08, 2005 3:35 am Post subject: Re: Securing home partition
yellowhippy wrote:
> Hi,
> what is the best way to secure my home directory? If I encrypt my whole partition, which method would be the best?
> Thanks,
> Chris

You can just encrypt /home if it's on a separate partition.
What I do is have an initrd do a looped search for /dev/sda1/passphrase and use that to mount /dev/loop0 (encrypted hda3) using cryptoloop support in the kernel. That way as long as the usb key is plugged in bootup is completely automatic (no password required) and if it's not in, the computer sits there until plugged in.
aes-256 is as far as I know not breakable in reasonable time if implemented properly. Ignoring what the NSA is rumored to have in their basement, etc. XES, I think it is, something near 1024 bit from somewhere in Britain, is supposed to be faster and more secure but I have no experience with it. aes throughput on no-load p4 2.4G is about 50MB/sec fyi.
One thing to keep in mind is that journalised FSs (i.e. ext3) at least have certain areas that are for all intents and purposes plaintext. It is entirely reasonable to create pre-hashed tables of these sectors using the most common few thousand passwords and then if your password is one of those decrypting your hard drive is a matter of a few seconds. I don't know if this flaw applies to non-journalised FSs or not.
Also I believe aes and the password hashing functions are directional so knowing the encrypted 'plaintext sector' doesn't automatically mean knowing your password, i.e. you can't decrypt other sectors but have to do trial-and-error (or search prehashed table) to obtain the password.
Basically what I'm saying is, the most important thing is to choose a strong passphrase. Copy some bytes from /dev/random (I'd advise more than 8 since I don't know if I trust the pseudorandomness) to a usb key and use that, is my advice. Don't use normal words or even a sentence as length does not make up for non-randomness.

aspenhydrowave n00b
Joined: 08 Dec 2004 Posts: 41
Posted: Sat Jan 08, 2005 3:38 am Post subject: Re: Securing home partition
If someone could confirm for me that using a passphrase that falls outside of the range of plausible prehashed tables with ext3 is safe I would appreciate it.
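
An added illustration of the prehashed-table concern raised in the posts above; it is not code from any poster, nor from cryptoloop or dm-crypt. It compares an unsalted passphrase hash with a per-volume salt and with random keyfile bytes. Assumptions: the volume key is a plain unsalted hash of the passphrase, the table is modelled at the key-derivation step instead of on an encrypted sector, the four-word list is constructed, and all function names are hypothetical.

```python
import hashlib
import os

# Constructed sample wordlist standing in for "the most common few thousand passwords".
COMMON = ["password", "letmein", "qwerty123", "gentoo2004"]

def unsalted_key(passphrase: bytes) -> bytes:
    # Assumption: the volume key is a plain hash of the passphrase (no salt).
    return hashlib.sha256(passphrase).digest()

def salted_key(passphrase: bytes, salt: bytes, iterations: int = 100_000) -> bytes:
    # Per-volume random salt plus an iterated KDF (PBKDF2 from the stdlib).
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations, dklen=32)

def build_table(derive) -> dict:
    # Map derived key -> passphrase for every word in the list.
    return {derive(w.encode()): w for w in COMMON}

def new_keyfile(nbytes: int = 32) -> bytes:
    # Random key material, as one would store on the USB key.
    return os.urandom(nbytes)

def compare(passphrase: bytes, iterations: int = 1_000) -> dict:
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    generic = build_table(unsalted_key)  # built once, valid for every volume
    table_a = build_table(lambda p: salted_key(p, salt_a, iterations))
    return {
        "unsalted_any_volume": generic.get(unsalted_key(passphrase)),
        "salted_other_volume": table_a.get(salted_key(passphrase, salt_b, iterations)),
        "salted_same_volume": table_a.get(salted_key(passphrase, salt_a, iterations)),
        "random_keyfile": generic.get(unsalted_key(new_keyfile())),
    }

if __name__ == "__main__":
    for name, hit in compare(b"letmein").items():
        print(f"{name:22} -> {hit}")
```

A salt only stops one table from being reused across volumes; a passphrase that is on the list is still found by a guess run against that one volume, so the strong-passphrase advice holds in both cases.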