Differences

This shows you the differences between two versions of the page.

--- linux:filesystems:crypto_raid [2014/02/02 20:50]
tkilla
+++ linux:filesystems:crypto_raid [2016/06/20 22:22] (current)
tkilla [CryptFile]
@@ Line 12: / Line 12: @@
   mkfs.ext4 -j -m 1 -O dir_index,filetype -L binaryblob /dev/mapper/cryptname   # Format
   mount /dev/mapper/cryptname /mnt/crypt                                        # mount the opened container
@@ Line 28: / Line 29: @@
   badblocks -c 10240 -s -w -t random -v /dev/sdY
-"Warning: Do not use badblocks here. It only generate a random pattern which just repeats its randomness over and over again." uups
+"Warning: **Do not use badblocks here**. It only generates a random pattern which just repeats its randomness over and over again." uups
-or slower and more secure:
+slower and more secure:
   dd if=/dev/urandom of=/dev/sdX
@@ Line 38: / Line 40: @@
 wait some hours or days..
-FIXME some howtos suggest to run this step over the partitions, not the whole device.. unknown..
+ubuntu suggests to randomize only the start of the partition:
+  dd if=/dev/urandom bs=1M count=8 of=/dev/sdX
+best practice: use some random AES ciphers - this is faster and should be secure:
+  openssl enc -aes-256-ctr -pass pass:"$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64)" -nosalt < /dev/zero > /dev/sdxy
 ----
@@ Line 115: / Line 126: @@
 **Encrypting the Block Devices**
-  cryptsetup -c aes-xts-plain64 -s 512 -y luksFormat /dev/mdX [/path/to/keyfile]
+  cryptsetup -c aes-xts-plain64 --key-size 512 --hash sha512 -y luksFormat /dev/mdX [/path/to/keyfile]
 If you add a key file, leave out "-y"
-aes-cbc-essiv:sha256 is deprecated: http://www.heise.de/security/artikel/Erfolgreicher-Angriff-auf-Linux-Verschluesselung-2072199.html
+**ciphers:**
+  * aes-cbc-essiv:sha256 is deprecated: http://www.heise.de/security/artikel/Erfolgreicher-Angriff-auf-Linux-Verschluesselung-2072199.html
+  * aes-xts-plain64 with --key-size ( = -s) 512 <bits> and sha512 as hashing algo is a good choice
+  * "twofish" and "serpent" are trusted as well and "Whirlpool" can be used as hashing algo
+Another example using twofish:
+  cryptsetup luksFormat --cipher twofish-xts-plain64 --key-size 512 --hash sha512 --iter-time 2000 /dev/sdxy
-updated to use cipher: aes-xts-plain64 with --key-size, -s 512 <bits>
 ----
@@ Line 232: / Line 248: @@
   * http://linuxgazette.net/140/pfeiffer.html
   * http://www.saout.de/tikiwiki/tiki-index.php
-  *
+  * https://thesimplecomputer.info/full-disk-encryption-with-ubuntu
@@ Line 241: / Line 259: @@
 create a file full of random data, setup loop device, luksFormat & format
-  dd if=/dev/urandom of=testfile bs=1M count=3900    #=MB
+  dd if=/dev/urandom of=/cryptfile bs=1M count=3900    #=MB
-  losetup /dev/loop32 cryptfile
+  losetup /dev/loop32 /cryptfile
   cryptsetup luksFormat /dev/loop32
   cryptsetup luksOpen /dev/loop32 cryptfs
   mkfs.ext4 -L homecrypt /dev/mapper/cryptfs
+===== btrfs on top of luks =====
+Create a crypto partition as described above, then format the opened crypto container filesystem:
+  mkfs.btrfs /dev/mapper/<cryptname>
+  # recommended options for rotational discs (for ssds set 'sdd' option):
+  mount -o noatime,compress=lzo,noauto,autodefrag /dev/mapper/<cryptname> /<mountpoint>
+===== Recommended options for installing on a pendrive, a SD card or a slow SSD drive =====
+/dev/sdaX / btrfs x-systemd.device-timeout=0,noatime,compress=lzo,commit=0,ssd_spread,autodefrag 0 0
+* https://wiki.debian.org/Btrfs

fr33.info

User Tools

Site Tools

Differences

Page Tools