Preserving privacy by encrypting block devices
Rules of Thumb
The risk of forgetting a passphrase can lead to really bad habits, such as using very simple passphrases or writing them down. With this in mind, I have a couple of rules of thumb.
- If you need to encrypt a file or a just a few files, use something like 7-Zip, which compresses the files and encrypts the archive as well. The simplicity of this method not only empowers the user to make the decision about what to encrypt but also puts the responsibility of encryption and decryption and remembering the passphrase on the user.
- If you need to encrypt directory trees (e.g., if someone is working on a project or data storage is structured), then you have a couple of options. The first, EncFS [9], allows the user to control what they want to encrypt and where it should be mounted. Again, this puts the management of passphrases and encryption in the hands of the user, with all the benefits and disadvantages. The second option, eCryptfs [10], can encrypt a directory structure, but that is under the control of the administrator. Creating an encrypted directory for each user to use to encrypt their data is fairly easy. Although the user has the responsibility of copying the data to this folder to encrypt it, remembering the passphrase again falls to the administrator.
If the situation is such that all, or virtually all, data needs to be encrypted, then using a block device encryption tool such as DMCrypt or TrueCrypt works very well. Alternatively, you could use an SED, but the effects on users and administrators is almost the same for either approach. In the case of software encryption such as DMCrypt or TrueCrypt, it might require an extra command or a different command to mount and unmount the block device. In the case of SEDs, the administrator just has to remember the passphrase when the disk is accessed (usually before the system boots). After that, all the admin commands are the same.
I wish you good luck in your encryption mission; if you choose to accept it, I have one last word of advice: hAS(*ja[p18a8@asj.
Info
- DMCrypt: http://en.wikipedia.org/wiki/Dm-crypt
- Crypto API: http://en.wikipedia.org/wiki/Crypto_API_%28Linux%29
- LUKS and cryptsetup: http://code.google.com/p/cryptsetup/
- Passphrase, Wikipedia (CC BY-SA 3..0): http://en.wikipedia.org/wiki/Passphrase
- TrueCrypt: http://www.truecrypt.org/
- TrueCrypt licensing: http://en.wikipedia.org/wiki/TrueCrypt#Licensing_and_Open_Source_status
- Open Source Initiative: http://opensource.org/
- Keyfiles: http://www.truecrypt.org/docs/keyfiles
- EncFS: http://www.arg0.net/encfs
- eCryptfs: http://ecryptfs.org/
« Previous 1 2
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Linux Servers Targeted by Akira Ransomware
A group of bad actors who have already extorted $42 million have their sights set on the Linux platform.
-
TUXEDO Computers Unveils Linux Laptop Featuring AMD Ryzen CPU
This latest release is the first laptop to include the new CPU from Ryzen and Linux preinstalled.
-
XZ Gets the All-Clear
The back door xz vulnerability has been officially reverted for Fedora 40 and versions 38 and 39 were never affected.
-
Canonical Collaborates with Qualcomm on New Venture
This new joint effort is geared toward bringing Ubuntu and Ubuntu Core to Qualcomm-powered devices.
-
Kodi 21.0 Open-Source Entertainment Hub Released
After a year of development, the award-winning Kodi cross-platform, media center software is now available with many new additions and improvements.
-
Linux Usage Increases in Two Key Areas
If market share is your thing, you'll be happy to know that Linux is on the rise in two areas that, if they keep climbing, could have serious meaning for Linux's future.
-
Vulnerability Discovered in xz Libraries
An urgent alert for Fedora 40 has been posted and users should pay attention.
-
Canonical Bumps LTS Support to 12 years
If you're worried that your Ubuntu LTS release won't be supported long enough to last, Canonical has a surprise for you in the form of 12 years of security coverage.
-
Fedora 40 Beta Released Soon
With the official release of Fedora 40 coming in April, it's almost time to download the beta and see what's new.
-
New Pentesting Distribution to Compete with Kali Linux
SnoopGod is now available for your testing needs