T o n g wrote:
> Hi,
>
> I'm thinking to do the disk partition encryptions now.
[...]
> - First very noob question, I don't want whole disk encryption, just want
> to encrypt some selected already partitioned partitions. If someone mounts
> the encrypted partitions, will it show up as empty or, are there some
> hints that the partition has been encrypted?

It depends. Mounting will just fail, or the mount command will ask for the
passphrase. Truecrypt has the feature of hidden containers, so it shouldn't be
possible to see if there is encrypted data in that case, but I've never tried
that myself.

> - The Ubuntu [3] and CentOS [4] seem to endorse dm-crypt, instead of
> cryptsetup-luks that grml-crypt uses. So I need a bit of explanation why
> it is better than others.

man cryptsetup says:

    cryptsetup - setup cryptographic volumes for dm-crypt (including LUKS
    extension).

So cryptsetup is just a wrapper around dm-crypt which means technically
they're the same.

> - In terms of encryption used, TrueCrypt supports the following
> encryption algorithms: AES, Serpent, Twofish, AES-Twofish, AES-Twofish-
> Serpent, Serpent-AES, Serpent-Twofish-AES, Twofish-Serpent; And these
> hash algorithms: RIPEMD-160, SHA-512 & Whirlpool [5]
>
> 5. http://www.informit.com/articles/article.aspx?p=1276279
>
> So I need a bit of explanation why the chosen algorithm is better than
> others.

I use the grml-crypt's defaults because I trust they are OK. It's a hard task
to say "that algorithm is better than that other one" if you're not a
specialist in the crypto area. The mathematics behind the different algorithms
is hard, the implementation details are even harder. :)
A rule of thumb: Use default algorithms (someone with (hopefully) more
knowledge than you trusts in them).

> - Is your choice as cross-platform as TrueCrypt?

My choice is grml-crypt, because I only use debian-based systems anyway. In
case grml-crypt is not there yet, a simple

    git clone git://git.grml.org/grml-crypt.git

will do for me.

> - Since I need to encrypt more than one selected partition, is there any
> alternative to typing in passphrase for each one of them when mounting
> them?

You can set up /etc/crypttab to contain a key file that contains the
passphrase. But then you should make sure that key file resides on an
encrypted partition itself and only root can read it :-)

> - how are passphrases cached? Do I have to repeatedly type in the passphrase
> each time I do the mount? I also heard of passphrase-less disk
> encryptions. Hmm... I don't want to go there so maybe I can skip that.

See above for /etc/crypttab :)
Passphrase-less disk encryption is useless. Everybody can still read your
data, so it just costs performance. Don't do it.

> BTW, I just need a mini how-to about disk encryption, it does not need to
> be in-depth or comprehensive but rather short and to the point, to allow
> anyone with a minimum of linux disk encryption knowledge to create
> encrypted memory sticks, USB disks, or partitions in minutes.

Linux disk encryption in 4 commands:

    # get grml-crypt :)
    git clone git://git.grml.org/grml-crypt.git
    # create encrypted partition, format it with ext3
    grml-crypt -vvv -text3 format /dev/sdaX
    # mount encrypted partition
    grml-crypt -vvv -F mount /dev/sdaX /mnt/test
    # umount encrypted partition
    grml-crypt -vvv stop /mnt/test

You can skip the -vvv part if you don't want to see what happens in every
shining detail.

> Thanks a lot.

Bye,
Thomas

-- 
Thomas Köhler Email: [email protected]
<>< WWW: http://gott-gehabt.de
IRC: tkoehler PGP public key available from Homepage!
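Added example, not part of the message above and not grml-crypt code: a shell check for the /etc/crypttab advice in the reply, warning about any referenced key file that is readable by group/other or not owned by the expected user. The function names, sample volume names and device paths are constructed for illustration; it assumes GNU stat.

```shell
#!/bin/sh
# Audit key files named in a crypttab-format file.
# Fields per crypttab(5): <name> <device> <keyfile> <options>

# audit_crypttab FILE [EXPECTED_UID]   (hypothetical helper, default uid 0)
# Prints one "WARN ..." line per problem; returns 0 if clean, 1 otherwise.
audit_crypttab() {
    tab=$1; want_uid=${2:-0}; bad=0
    while read -r name dev key opts; do
        case $name in ''|'#'*) continue ;; esac     # blank line or comment
        case $key in ''|none|-) continue ;; esac    # passphrase is prompted for
        if [ ! -e "$key" ]; then
            echo "WARN $name: key file $key is missing"; bad=1; continue
        fi
        [ -f "$key" ] || continue                   # e.g. /dev/urandom for swap
        mode=$(stat -c '%a' "$key"); uid=$(stat -c '%u' "$key")
        # the last two octal digits are the group/other bits; both must be 0
        case $mode in
            *00|0) ;;
            *) echo "WARN $name: $key has mode $mode (group/other access)"; bad=1 ;;
        esac
        if [ "$uid" != "$want_uid" ]; then
            echo "WARN $name: $key is owned by uid $uid, expected $want_uid"; bad=1
        fi
    done < "$tab"
    return $bad
}

# Build a constructed sample in a temp dir and print the directory name.
make_sample() {
    d=$(mktemp -d)
    printf 'k1\n' > "$d/data.key";   chmod 600 "$d/data.key"
    printf 'k2\n' > "$d/backup.key"; chmod 644 "$d/backup.key"
    cat > "$d/crypttab" <<EOF
# <name>  <device>   <keyfile>       <options>
data      /dev/sdb1  $d/data.key     luks
backup    /dev/sdb2  $d/backup.key   luks
home      /dev/sdb3  none            luks
swap      /dev/sdb4  /dev/urandom    swap
EOF
    echo "$d"
}
```

On a real system, run `audit_crypttab /etc/crypttab` as root; the check covers permissions and ownership only, not whether the key file itself sits on an encrypted partition.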
