This shows you the differences between two versions of the page.
linux:filesystems:crypto_raid [2015/07/11 00:27] tkilla |
linux:filesystems:crypto_raid [2016/06/20 22:22] (current) tkilla [CryptFile] |
||
---|---|---|---|
Line 13: | Line 13: | ||
mount / | mount / | ||
- | FIXME find best ciphers | ||
- | |||
- | 1.try: | ||
- | cryptsetup -c aes-cbc-essiv: | ||
Line 33: | Line 29: | ||
badblocks -c 10240 -s -w -t random -v / | badblocks -c 10240 -s -w -t random -v / | ||
- | " | + | " |
- | or slower and more secure: | + | |
+ | slower and more secure: | ||
dd if=/ | dd if=/ | ||
Line 43: | Line 40: | ||
wait some hours or days.. | wait some hours or days.. | ||
- | FIXME some howtos suggest | + | ubuntu suggests |
+ | |||
+ | dd if=/ | ||
+ | |||
+ | |||
+ | best practice: use some random AES ciphers - this is faster and should be secure: | ||
+ | |||
+ | openssl enc -aes-256-ctr -pass pass:" | ||
+ | |||
---- | ---- | ||
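Review bot: The added "best practice" line describes the openssl command imprecisely. `openssl enc -aes-256-ctr` is used here as a fast pseudorandom stream for overwriting the device, not as "some random AES ciphers", so the sentence should say that, and replace the hedge "should be secure" with the assumption it rests on (a throwaway random passphrase that is never stored). The command supplies that passphrase with `-pass pass:"…`, which puts it into the process argument list; the line is cut off in this view, so confirm the value is generated fresh on each run. The "ubuntu suggests" line would also be easier to verify with a link to the source of that recommendation.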
Line 120: | Line 126: | ||
**Encrypting the Block Devices** | **Encrypting the Block Devices** | ||
- | cryptsetup -c aes-xts-plain64 -s 512 -y luksFormat /dev/mdX [/ | + | cryptsetup -c aes-xts-plain64 --key-size |
If you add a key file, leave out " | If you add a key file, leave out " | ||
- | aes-cbc-essiv: | + | **ciphers: |
+ | * aes-cbc-essiv: | ||
+ | * aes-xts-plain64 with --key-size ( = -s) 512 < | ||
+ | * " | ||
+ | |||
+ | Another example using twofish: | ||
+ | cryptsetup luksFormat --cipher twofish-xts-plain64 --key-size 512 --hash sha512 --iter-time 2000 /dev/sdxy | ||
- | updated to use cipher: aes-xts-plain64 with --key-size, -s 512 < | ||
---- | ---- | ||
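Review bot: The new ciphers list and the twofish example should say what `--key-size 512` means with an XTS mode: the key is split into two halves, so 512 selects a 256-bit AES or Twofish key, not a 512-bit cipher key. The list writes "--key-size ( = -s)" while the updated commands use only the long form; pick one spelling and use it throughout. The twofish example targets /dev/sdxy where the rest of this section uses /dev/mdX, and `--iter-time 2000` should carry its unit (milliseconds).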
Line 237: | Line 248: | ||
* http:// | * http:// | ||
* http:// | * http:// | ||
- | * | + | * https:// |
+ | |||
Line 246: | Line 259: | ||
create a file full of random data, setup loop device, luksFormat & format | create a file full of random data, setup loop device, luksFormat & format | ||
| | ||
- | dd if=/ | + | dd if=/ |
- | losetup /dev/loop32 cryptfile | + | losetup / |
cryptsetup luksFormat /dev/loop32 | cryptsetup luksFormat /dev/loop32 | ||
cryptsetup luksOpen /dev/loop32 cryptfs | cryptsetup luksOpen /dev/loop32 cryptfs | ||
mkfs.ext4 -L homecrypt / | mkfs.ext4 -L homecrypt / | ||
+ | |||
+ | |||
+ | ===== btrfs on top of luks ===== | ||
+ | |||
+ | Create a crypto partition as described above, then format the opened crypto container filesystem: | ||
+ | |||
+ | mkfs.btrfs / | ||
+ | | ||
+ | # recommended options for rotational discs (for ssds set ' | ||
+ | mount -o noatime, | ||
+ | |||
+ | |||
+ | ===== Recommended options for installing on a pendrive, a SD card or a slow SSD drive ===== | ||
+ | |||
+ | |||
+ | /dev/sdaX / btrfs x-systemd.device-timeout=0, | ||
+ | |||
+ | |||
+ | * https:// |
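Review bot: The added fstab line under the pendrive heading names `/dev/sdaX` as the btrfs device, but the section just above formats the opened LUKS container, so for an encrypted setup the entry has to reference the mapped device (or the filesystem UUID) rather than the raw partition; state which case the line is meant for. `x-systemd.device-timeout=0` disables the wait timeout for the device and deserves a one-line explanation next to it. In the CryptFile block the unchanged lines hard-code /dev/loop32; if the changed losetup line still does, `losetup -f --show cryptfile` avoids colliding with a loop device that is already in use.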