Seeking Current Info on Linux Encrypted FS? 297
slick_rick asks: "I'm looking for info on encrypted file systems under Linux to help my employers company move away from Microsoft centric solutions. However the latest HOWTO is two years old, the latest kernel patch dates back to April (and 2.4.3) and even the Sourceforge project has nearly zero documentation and appears to be very dead. Are slashdotters using encrypted file systems? If so, what are your experiences?" We last talked about this topic, just
over a year ago, in this article.
CFS (Score:2, Interesting)
It works well. I'm no security expert buy I can see a couple of problems with it. Firstly it uses triple-DES. Probably secure enough, but not so fast. There are certainly more suitable ciphers out there.
The key comes from a pass phrase. cfs forces you to have a pass-phrase with at least enough bits to fill the DES keys, but obviously unless you like memorizing long strings of random charcters there will be far less entropy than required in the key.
Secondly meta-data is not encrypted. So, although Eve can't tell what is in a particular file, she can see the directory structure (but not filenames) and when a file was created/modified/accesses.
Apart from these criticisms it seems quite good. Users can create/attach/detach encrypted filesystems without special priveledges. You can specify a timeout on a file store so it is dettached after a certain period.
Maybe for you.... (Score:5, Interesting)
Personally, I don't want my doctor to have deniability about his records regarding me. Or my lawyer. Or my accountant. And most especially not my banker, financial adviser, etc.
In fact, for these people deniability makes a solution look much less attractive. People get *really* nervous when their accountant or lawyer has strong deniability about what the advice they gave you, about where your money went, etc.
Re:SuSE does this out of the box... (Score:5, Interesting)
Also, you can get all of the patches [ftp.gwdg.de] that SuSE use on their kernel, not only this one. Please note that this link is
Re:It's Really Pretty Trivial (Score:3, Interesting)
Maybe having an encrypted file system could be part of the install process for upcoming Linux distributions - an easy to use system for encryption in the partitioning stage of the install. Couple that with a runtime tool that can create encrypted partitions after the install, and you immediately have another big plus point over Windows, especially for people in government who have a habit of leaving laptops with top secret material on in taxi cabs.
In other news, the UK government is going to buy 500,000 copies of Windows XP. As a taxpayer, I disagree with this use of my tax money, and with the close relationship that the current government has with Microsoft. I feel that the best solution for the taxpayers is not being researched in the name of PR and photo opportunities for government ministers. And why does the government need to upgrade their computer system to Windows XP? What is wrong with 2000 - a proven OS now, not a just released one...
Re:It's Really Pretty Trivial (Score:3, Interesting)
I constantly have to defend myself against being called part of a cult that is "drinking the Kool-Aid" and this type of attitude does not help. I am proud to be a geek/nerd, but the moment anyone thinks of me as arrogant or haughty, I feel bad.
The International Kernel Patch (Score:2, Interesting)
Something needs to be done about the block size problem - the solution from cryptoapi doesn't seem "the right way"
The best things about kerneli are the possibility to choose between different encryption algorithms and that it's not filesystem dependent. Though I miss the oppertunity to use the encryption algorithms in userspace programs. (Same thing about the digest algorithms, do thay have any function except for enlarging the kernel size?)
I'm currently testing a pam module that mounts kerneli encrypted home directories, release scheduled a few weeks into the future.
Lame, Windows XP implementation (Score:4, Interesting)
Bzztt... wrong...
Turns out that NTFS cannot be used on removable disks, even though the NTFS semantics are better suited (think what happens when a disk is unmounted unexpectedly.
The main reason I use an encrypted disk is that I have a lot of client sensitive info on my machine, including high level strategic plans for a Nasdaq 100 company.
Encrypted disks should be used as a matter of course on machines used by lawyers, doctors, accountants, anyone with a professional confidentiality duty. Laptops get stolen, machines get sold with confidential information still on the drives.
I am more skeptical about the need for encrypting file systems for geeks, after all most sysops would do better to keep less secrets rather than more.
Re:Here is how to do it (Score:1, Interesting)
http://security-archive.merton.ox.ac.uk/bugtraq
I'm trying to do this (Score:2, Interesting)
I'm not a crypto whiz and am having serious trouble finding enough information about how filesystems work in order to implement all of the required interfaces. Does anybody know where this information is, or should I look through Linux/BSD sources - and hope that BSD is applicable to OS X?
My current version is pretty much a library that allows you to like apps against it, but doesn't support native operation. The next release will add networking support, but I really need to go native to make it useful to people.
Also, can anybody help decrease the usefulness of the algorithm for decryption so that I can GPL the thing? You can see what I've done from here. [unimelb.edu.au]
- Malcolm