Best way to encrypt your system?

FizzyWidget · Posted: Sat Jul 17, 2010 6:14 pm Post subject: Best way to encrypt your system?

I am looking to encrypt the gentoo part of my dual boot systems, which is the best way to do this? Truecrypt, which is already used to protect the windows partition and comes up on boot, or should i use this - http://en.gentoo-wiki.com/wiki/Root_filesystem_over_LVM2,_DM-Crypt_and_RAID ?

I dont mind having to reinstall gentoo, might do that anyway as im bored, or would people just suggest encrypting the /home dir like Ubuntu does instead of doing full system encryption?
_________________
I know 43 ways to kill with a SKITTLE, so taste my rainbow bitch.

Hu · Administrator Joined: 06 Mar 2007 Posts: 23066

DM-Crypt works well for this. It is up to you whether to encrypt system directories, and depends in large part on your threat model. If you assume that you will be aware of when an attacker gains access to the system, then encrypting the system directories is optional, but you should not trust their contents after you regain ownership of the system. This threat model applies for laptops that might be stolen, but are otherwise safe. If you are worried about the evil maid, encrypting all the volumes and keeping the key material on a token that remains in your possession may be a better choice.

FizzyWidget · Posted: Sat Jul 17, 2010 8:23 pm Post subject:

I'm just concerned in case any of my systems ever get stolen
_________________
I know 43 ways to kill with a SKITTLE, so taste my rainbow bitch.

Hu · Administrator Joined: 06 Mar 2007 Posts: 23066

In that case, it is probably adequate to encrypt only the filesystems which will hold private content. This may require encrypting / or relocating /root if you plan to store anything sensitive there.

tuber · Apprentice Joined: 12 Nov 2004 Posts: 267

There's also loop-aes.

FizzyWidget · Posted: Sun Jul 18, 2010 8:23 am Post subject:

Hu · Administrator Joined: 06 Mar 2007 Posts: 23066

loop-aes is a poor choice. If I recall correctly, it is said to interact poorly with journals when used with file backed loop device. Additionally, its cipher choices are less flexible than DM-Crypt.

No, encrypting / is not the same as full drive encryption. There are also swap, /home, /usr, and /var to consider.

[Edit: added italicized portion in response to correction from tuber. I had not researched the details, and knew only that it was said to be unsafe in some cases.]

FizzyWidget · Posted: Sun Jul 18, 2010 4:22 pm Post subject:

have decided to use truecrypt and encrypt /home only - tried a few other ways earlier and it all went mad

how big should i make /var and /log? first to be done will be laptop and after i give 80GB to windows i will have 150GB to spare, norm a do

boot - 100M
swap - 4GB
/ - 15G
home - rest

when i used FreeBSD i used 4GB for var and log, think 4GB might be overkill for /log
_________________
I know 43 ways to kill with a SKITTLE, so taste my rainbow bitch.

tuber · Apprentice Joined: 12 Nov 2004 Posts: 267

Hu · Administrator Joined: 06 Mar 2007 Posts: 23066

chithanh · Posted: Sun Jul 18, 2010 7:54 pm Post subject:

Using dm-crypt (luks) is probably the method of choice nowadays. You can encrypt a whole system except for /boot. A luks capable initramfs can be created easily with genkernel (leave out modules and it works with non-genkernel kernels too).

If you only encrypt /home, be aware that password hashes and other interesting data may be stored in /etc/shadow, /var/* and so on.

mv · Watchman Joined: 20 Apr 2005 Posts: 6780