[clug] Ubuntu encrypted file systems

Daniel Pittman daniel at rimspace.net
Tue Aug 18 07:12:59 MDT 2009


Ian McLeod <ianmcleod75 at gmail.com> writes:
> Wally wrote:
>> You can always consider third party options.
>>
>>  http://www.truecrypt.org/
>
> I am considering this one - I'll see if it can handle /var /tmp /home
> encryption - definitely good for removable media and Windows though.

Well, any of the options can handle that.  Personally, I would prefer dm-crypt
and LUKS to TrueCrypt: the former is part of the upstream kernel, fully open
code, and shipped as part of the distribution.

Of those the "upstream kernel" and "shipped" are the most important: they give
you a pretty reasonable assurance that this encryption will work with *ANY*
new kernel, from *ANY* distribution[1].

It also gives you a pretty reasonable assurance that it will be integrated
with the distribution.

For example, for your use case where /var is encrypted you *MUST* get it
mounted very, very, very early in the boot process, ideally with the tools in
place as part of the initramfs before the on-disk root is mounted.

If you can't be absolutely certain of getting that in place yourself[2], and
you are not absolutely certain that you can mount an encrypted /var with
TrueCrypt before it is needed, I *strongly* advise you to go with what is
integrated and supported in the distribution.

Regards,
        Daniel

No, seriously, "integrated" trumps most things, especially since you are only
interested in a defence against casual snooping.  At that point single-DES[3]
is almost certainly more than strong enough for your needs.

Footnotes: 
[1]  Obviously a distribution can compile out the feature, but that is the
     /only/ reason it won't work.  No worries about building kernel modules
     yourself or anything.

[2]  ...and this isn't all that easy, unfortunately.

[3]  The stuff that you can crack in real-time for less than US $100,000.

-- 
✣ Daniel Pittman            ✉ daniel at rimspace.net            ☎ +61 401 155 707
               ♽ made with 100 percent post-consumer electrons
   Looking for work?  Love Perl?  In Melbourne, Australia?  We are hiring.
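
Added example, not part of the original post: a small audit of the distribution-integrated route discussed above, checking whether /var, /tmp and /home are mounted from dm-crypt mappings declared in /etc/crypttab (the Debian/Ubuntu convention). The file contents, UUIDs and mapping names below are constructed placeholders, and the status names are this example's own.

```python
"""Audit which of /var, /tmp and /home sit on a crypttab-managed mapping."""

# Constructed sample files; UUIDs and mapping names are placeholders.
SAMPLE_CRYPTTAB = """\
# <target name> <source device> <key file> <options>
var_crypt   UUID=00000000-0000-0000-0000-000000000001  none  luks
home_crypt  UUID=00000000-0000-0000-0000-000000000002  none  luks
"""
SAMPLE_FSTAB = """\
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/sda1               /      ext4  errors=remount-ro  0 1
/dev/mapper/var_crypt   /var   ext4  defaults           0 2
/dev/mapper/home_crypt  /home  ext4  defaults           0 2
/dev/sda5               /tmp   ext4  defaults           0 2
"""
MAPPER = "/dev/mapper/"
# Device spellings that cannot be judged from the two files alone.
INDIRECT = ("UUID=", "LABEL=", MAPPER, "/dev/disk/", "/dev/dm-")

def rows(text):
    """Split each non-blank, non-comment line into whitespace-separated fields."""
    return [line.split() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]

def audit(crypttab, fstab, wanted=("/var", "/tmp", "/home")):
    """Return {mount point: (status, device)} for each wanted mount point."""
    targets = {r[0] for r in rows(crypttab)}   # mapping names set up at boot
    mounts = {r[1]: r[0] for r in rows(fstab) if len(r) > 1}
    report = {}
    for mp in wanted:
        dev = mounts.get(mp)
        if dev is None:
            status = "no-entry"      # not a separate filesystem; lives on its parent
        elif dev.startswith(MAPPER) and dev[len(MAPPER):] in targets:
            status = "encrypted"     # backed by a mapping declared in crypttab
        elif dev.startswith(INDIRECT):
            status = "unresolved"    # e.g. LVM volume or UUID reference; check by hand
        else:
            status = "plaintext"     # mounted straight from a partition
        report[mp] = (status, dev)
    return report

if __name__ == "__main__":
    for mp, (status, dev) in audit(SAMPLE_CRYPTTAB, SAMPLE_FSTAB).items():
        print(f"{mp:6} {status:11} {dev}")
```

On the constructed sample this flags /tmp as the one mount point left outside the encrypted set.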

