[opensuse] full disk encryption for OpenSuSE
Hello listmates, If you were to get full disk encryption for your OpenSuSE (or other Linux) machine - what would you go for? Boris. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On Mon, Apr 19, 2010 at 5:46 PM, Boris Epstein
Hello listmates,
If you were to get full disk encryption for your OpenSuSE (or other Linux) machine - what would you go for?
I have no idea what the question is, but ... If FDE was available for my laptop, I would consider it. But my laptop dual boots with XP, so I need to keep that and I suspect FDE would kill XP. Also, normally I want it to lock/encrypt when it sleeps, but sometimes I need to do a long download or something, and I need it to continue even though I'm not actively using the laptop. Greg
On Monday, 2010-04-19 at 17:54 -0400, Greg Freemyer wrote:
On Mon, Apr 19, 2010 at 5:46 PM, Boris Epstein wrote:
Hello listmates,
If you were to get full disk encryption for your OpenSuSE (or other Linux) machine - what would you go for?
I have no idea what the question is, but ...
If FDE was available for my laptop, I would consider it.
But my laptop dual boots with XP, so I need to keep that and I suspect FDE would kill XP.
There is an interesting possibility, that is hardware (or firmware) HD encryption. Apparently many (all?) hard disks are capable of encrypting in firmware, in a way transparent to the operating system. As it does not use the CPU (I think) it should also be faster than OS encryption. It is mentioned in man hdparm:

ATA Security Feature Set

    These switches are DANGEROUS to experiment with, and might not work with every kernel. USE AT YOUR OWN RISK.

    --security-help
        Display terse usage info for all of the --security-* flags.

    --security-freeze
        Freeze the drive's security settings. The drive does not accept any security commands until next power-on reset. Use this function in combination with --security-unlock to protect drive from any attempt to set a new password. Can be used standalone, too.

    --security-unlock PWD
        Unlock the drive, using password PWD. Password is given as an ASCII string and is padded with NULs to reach 32 bytes. The applicable drive password is selected with the --user-master switch. THIS FEATURE IS EXPERIMENTAL AND NOT WELL TESTED. USE AT YOUR OWN RISK.

    --security-set-pass PWD
        Lock the drive, using password PWD (Set Password) (DANGEROUS). Password is given as an ASCII string and is padded with NULs to reach 32 bytes. The applicable drive password is selected with the --user-master switch and the applicable security mode with the --security-mode switch. THIS FEATURE IS EXPERIMENTAL AND NOT WELL TESTED. USE AT YOUR OWN RISK.

    --security-disable PWD
        Disable drive locking, using password PWD. Password is given as an ASCII string and is padded with NULs to reach 32 bytes. The applicable drive password is selected with the --user-master switch. THIS FEATURE IS EXPERIMENTAL AND NOT WELL TESTED. USE AT YOUR OWN RISK.

    --security-erase PWD
        Erase (locked) drive, using password PWD (DANGEROUS). Password is given as an ASCII string and is padded with NULs to reach 32 bytes. The applicable drive password is selected with the --user-master switch. THIS FEATURE IS EXPERIMENTAL AND NOT WELL TESTED. USE AT YOUR OWN RISK.

    --security-erase-enhanced PWD
        Enhanced erase (locked) drive, using password PWD (DANGEROUS). Password is given as an ASCII string and is padded with NULs to reach 32 bytes. The applicable drive password is selected with the --user-master switch. THIS FEATURE IS EXPERIMENTAL AND NOT WELL TESTED. USE AT YOUR OWN RISK.

    --user-master USER
        Specifies which password (user/master) to select. Defaults to master. Only useful in combination with --security-unlock, --security-set-pass, --security-disable, --security-erase or --security-erase-enhanced.
            u   user password
            m   master password
        THIS FEATURE IS EXPERIMENTAL AND NOT WELL TESTED. USE AT YOUR OWN RISK.

    --security-mode MODE
        Specifies which security mode (high/maximum) to set. Defaults to high. Only useful in combination with --security-set-pass.
            h   high security
            m   maximum security
        THIS FEATURE IS EXPERIMENTAL AND NOT WELL TESTED. USE AT YOUR OWN RISK.

Has anybody used this? I think that if this is enabled on a disk needed for booting, it has to be supported by the BIOS, to ask for the password.

--
Cheers, Carlos E. R.
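Reading a drive's current ATA security state is the read-only counterpart to the switches quoted in the message above. The script below is an added example, not part of the original post or of hdparm itself: it parses the "Security:" block of `hdparm -I` output, and the function names and the sample text (constructed, with whitespace simplified) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: summarise the "Security:" block that `hdparm -I` prints.

# Constructed sample (not captured from a real drive).
sample_hdparm_output() {
cat <<'EOF'
Commands/features:
            Security Mode feature set
Security:
    Master password revision code = 65534
            supported
    not     enabled
    not     locked
    not     frozen
    not     expired: security count
            supported: enhanced erase
Checksum: correct
EOF
}

# Read `hdparm -I` text on stdin, print one line of key=value flags.
ata_security_state() {
    awk '
        function get(k) { return (k in st) ? st[k] : "unknown" }
        /^Security:/ { insec = 1; next }
        # The next unindented heading ends the Security block.
        insec && NF && substr($0, 1, 1) != " " && substr($0, 1, 1) != "\t" { insec = 0 }
        insec {
            neg  = ($1 == "not")          # a leading "not" negates the flag
            word = neg ? $2 : $1
            if (word ~ /^(supported|enabled|locked|frozen)$/) st[word] = neg ? "no" : "yes"
        }
        END { printf "supported=%s enabled=%s locked=%s frozen=%s\n",
                     get("supported"), get("enabled"), get("locked"), get("frozen") }'
}

# Classify the state. "open" is the case --security-freeze addresses: no
# password is set and the drive still accepts a request to set one.
ata_security_assess() {
    case "$(ata_security_state)" in
        *supported=yes*locked=yes*)  echo locked ;;
        *supported=yes*frozen=yes*)  echo frozen ;;
        *supported=yes*enabled=yes*) echo password-set ;;
        *supported=yes*)             echo open ;;
        *)                           echo unsupported ;;
    esac
}

# On a real system (as root): hdparm -I /dev/sdX | ata_security_assess
sample_hdparm_output | ata_security_assess
```
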
On Monday 19 April 2010 23:46:08 Boris Epstein wrote:
Hello listmates,
If you were to get full disk encryption for your OpenSuSE (or other Linux) machine - what would you go for?
Works out of the box on openSUSE 11.2. What's the problem you have? Btw. the spelling is openSUSE, Andreas -- Andreas Jaeger, Program Manager openSUSE, aj@{novell.com,opensuse.org} Twitter: jaegerandi | Identica: jaegerandi SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg) Maxfeldstr. 5, 90409 Nürnberg, Germany GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126
On Tue, Apr 20, 2010 at 3:27 AM, Andreas Jaeger
On Monday 19 April 2010 23:46:08 Boris Epstein wrote:
Hello listmates,
If you were to get full disk encryption for your OpenSuSE (or other Linux) machine - what would you go for?
Works out of the box on openSUSE 11.2. What's the problem you have?
Btw. the spelling is openSUSE, Andreas
Thanks Andreas! OK, looked at the manuals... one thing seems to be missing from them - or I missed it. They don't seem to describe what algorithm/technology openSUSE uses for encryption. Would anyone happen to know what it is? Thanks. Boris.
On 04/20/2010 02:27 AM, Andreas Jaeger wrote:
Btw. the spelling is openSUSE, Andreas
or just suse if you want to save on the typing :-) -- David C. Rankin, J.D.,P.E. Rankin Law Firm, PLLC 510 Ochiltree Street Nacogdoches, Texas 75961 Telephone: (936) 715-9333 Facsimile: (936) 715-9339 www.rankinlawfirm.com
On 04/21/2010 09:57 PM, David C. Rankin pecked at the keyboard and wrote:
On 04/20/2010 02:27 AM, Andreas Jaeger wrote:
Btw. the spelling is openSUSE, Andreas
or just suse if you want to save on the typing :-)
No, it is openSUSE :-) just like your last name is Rankin not kin -- Ken Schneider SuSe since Version 5.2, June 1998
On Mon, 2010-04-19 at 17:46 -0400, Boris Epstein wrote:
Hello listmates,
If you were to get full disk encryption for your OpenSuSE (or other Linux) machine - what would you go for?
Boris.
What do you mean by "full disk"?

If you mean the usual mount points, just use 11.2 with luks. You can encrypt everything, _except_ /boot (and boot sectors, partition table of course).*** If still using m$, use truecrypt for those partitions.

otoh if you want to encrypt every single disk-sector, you need one of those most recent drives, that do hw-encryption on the drive instead of the system. (btw, i've never seen them...)

Both have their pros and cons. Doing encryption by the system means that it takes cpu-cycles, but you are not stuck with one particular type of hdd. Furthermore one could do a blind dd from one disk to another, for a raw security backup.

*** i was told that even that limitation can be circumvented with linux-bios and grub2.

How secure do you want to be? And remember real strong [two, three factor] authentication (with either tpm, smartcards, tokens and limited attempts) is a blessing and a curse: You are "safer" as long as you don't lose the pin or are struck by hw-failure. If a key is lost, it's lost forever, and so will your data.

And finally, what do you try to obtain? Data-lock-out after theft? Perhaps FDE is an overkill, as what is so secret about the system config? If for other reasons, FDE might not even be enough: after a successful boot from an encrypted drive, _all_ is open.

And you even might consider multi-level encryption schemes:
- drive
- specific mountpoints (separate mountpoint for each home-directory) that get mounted while logged-in, or while a specific application runs
- file encryption.

How paranoid do you want to get?
On 2010-04-20 10:14, Hans Witvliet wrote:
otoh if you want to encrypt every single disk-sector, you need one of those most recent drives, that do hw-encryption on the drive instead of the system. (btw, i've never seen them...)
I think the Seagates I have been buying for some time (two years at least) have it. And not only Seagates. A friend of mine activated that when deleting a disk using a Windows program, and was stuck not even being able to partition the disk without having the password. The disk was unreadable.
And finally, what do you try to obtain? Data-lock-out after theft? Perhaps FDE is an overkill, as what is so secret about the system config?
Denial of use of the disk by the robber. Lost money (for him). That would be reason enough for me even if the data is trivial.
--
Cheers / Saludos, Carlos E. R. (from 11.2 x86_64 "Emerald" GM (Minas Tirith))
On Tue, Apr 20, 2010 at 2:50 PM, Carlos E. R.
On 2010-04-20 10:14, Hans Witvliet wrote:
otoh if you want to encrypt every single disk-sector, you need one of those most recent drives, that do hw-encryption on the drive instead of the system. (btw, i've never seen them...)
I think the Seagates I have been buying for some time (two years at least) have it. And not only Seagates. A friend of mine activated that when deleting a disk using a Windows program, and was stuck not even being able to partition the disk without having the password. The disk was unreadable.
And finally, what do you try to obtain? Data-lock-out after theft? Perhaps FDE is an overkill, as what is so secret about the system config?
Denial of use of the disk by the robber. Lost money (for him). That would be reason enough for me even if the data is trivial.
-- Cheers / Saludos,
Carlos E. R. (from 11.2 x86_64 "Emerald" GM (Minas Tirith))
OK, everybody, thanks for thoughtful input. Now, let's get a little more specific: what is your thinking on TrueCrypt ( http://www.truecrypt.org/ )? Cheers, Boris.
On Wed, 2010-04-21 at 13:46 -0400, Boris Epstein wrote:
OK, everybody, thanks for thoughtful input.
Now, let's get a little more specific: what is your thinking on TrueCrypt ( http://www.truecrypt.org/ )?
Cheers,
Boris.
It's a nice general purpose tool for creating encrypted containers, either on linux, or on winddoze machines. It used to be available on the security-branch in the build-service (http://ftp5.gwdg.de/pub/opensuse/repositories/security:/privacy/ ), but it's gone since a couple of months ;-(

But you don't need that when just using SuSE: yast + luks just do the same job.

Although they mention the use of smartcards: http://www.truecrypt.org/docs/?s=keyfiles I remember people mentioning recently difficulties with truecrypt on the opensc mailing list. ymmv
participants (7)
- Andreas Jaeger
- Boris Epstein
- Carlos E. R.
- David C. Rankin
- Greg Freemyer
- Hans Witvliet
- Ken Schneider - openSUSE