Discussion:
[Grml] disk partition encryption roadmap
T o n g
2011-01-25 17:02:53 UTC
Hi,

I'm thinking to do the disk partition encryptions now. However

"Hard drive encryption sounds like an intimidating concept, mostly because
it is. The thought of taking your precious files, then using a
mathematical formula to convert them into random noise before scattering
them back across your disk is a hard sell. " [1]

1. http://www.maximumpc.com/article/howtos/how_to_encrypt_your_entire_hard_drive_for_free_using_true_crypt

So I need some demystification of the whole disk/partition encryption thing.
The official "Disk Encryption HOWTO" from tldp.org [2] is only dated as
2004-11-17, so I would assume it is *way* outdated. In terms of security,
I tend to turn to people that I trust for help. Having tldp.org failed on
me, I need your help, people from the grml community, instead of some
random blogs found on the internet.

2. http://www.tldp.org/HOWTO/html_single/Disk-Encryption-HOWTO/

Linux Encryption HOWTO
http://encryptionhowto.sourceforge.net/Encryption-HOWTO.html
v0.2.2, 04 October 2000

Here are my questions,

- First very noob question, I don't want whole disk encryption, just want
to encrypt some selected already partitioned partitions. If someone mounts
the encrypted partitions, will it show up as empty or are there some
hints that the partition has been encrypted?

- The Ubuntu [3] and CentOS [4] seem to endorse dm-crypt, instead of
cryptsetup-luks that grml-crypt uses. So I need a bit of explanation why
it is better than others.

3. http://www.humboldt.edu/its/security-encryption-linuxubuntu
4. http://beginlinux.com/blog/2009/04/centos-53-encrypted-block-devices/

- In terms of encryption used, TrueCrypt supports the following
encryption algorithms: AES, Serpent, Twofish, AES-Twofish, AES-Twofish-
Serpent, Serpent-AES, Serpent-Twofish-AES, Twofish-Serpent; And these
hash algorithms: RIPEMD-160, SHA-512 & Whirlpool [5]

5. http://www.informit.com/articles/article.aspx?p=1276279

So I need a bit of explanation why the chosen algorithm is better than
others.

- Is your choice as cross-platform as TrueCrypt?

- Since I need to encrypt more than one selected partition, is there any
alternative to typing in a passphrase for each one of them when mounting
them?

- How are passphrases cached? Do I have to repeatedly type in the passphrase
each time I do the mount? I also heard of passphrase-less disk
encryptions. Hmm... I don't want to go there so maybe I can skip that.

BTW, I just need a mini how-to about disk encryption, it does not need to
be in-depth or comprehensive but rather short and to the point, to allow
anyone with a minimum of linux disk encryption knowledge to create
encrypted memory sticks, USB disks, or partitions in minutes.

Thanks a lot.
--
Tong (remove underscore(s) to reply)
http://xpt.sourceforge.net/techdocs/
http://xpt.sourceforge.net/tools/
William Gardella
2011-01-25 21:08:52 UTC
Tong,

For a less intimidating (but still quite effective) HD encryption strategy, check out the grml2hd manpage.  It includes straightforward examples of switching to LUKS-managed encrypted /home and swap partitions after installation, as well as examples of mounting directories for temporary files as tmpfs ramdisks.  I am using more or less the exact setup described in the man page on my netbook.

You can easily set up passphrases for each encrypted partition if you wish.

Best,
Will


Thomas Köhler
2011-01-26 09:56:51 UTC
Post by T o n g
> Hi,
> I'm thinking to do the disk partition encryptions now.
[...]

Post by T o n g
> - First very noob question, I don't want whole disk encryption, just want
> to encrypt some selected already partitioned partitions. If someone mounts
> the encrypted partitions, will it show up as empty or are there some
> hints that the partition has been encrypted?

It depends. Mounting will just fail, or the mount command will
ask for the passphrase.
Truecrypt has the feature of hidden containers, so it shouldn't be
possible to see if there is encrypted data in that case, but I've
never tried that myself.

Post by T o n g
> - The Ubuntu [3] and CentOS [4] seem to endorse dm-crypt, instead of
> cryptsetup-luks that grml-crypt uses. So I need a bit of explanation why
> it is better than others.

man cryptsetup says:
cryptsetup - setup cryptographic volumes for dm-crypt
(including LUKS extension).
So cryptsetup is just a wrapper around dm-crypt which means
technically they're the same.

Post by T o n g
> - In terms of encryption used, TrueCrypt supports the following
> encryption algorithms: AES, Serpent, Twofish, AES-Twofish, AES-Twofish-
> Serpent, Serpent-AES, Serpent-Twofish-AES, Twofish-Serpent; And these
> hash algorithms: RIPEMD-160, SHA-512 & Whirlpool [5]
> 5. http://www.informit.com/articles/article.aspx?p=1276279
> So I need a bit of explanation why the chosen algorithm is better than
> others.

I use the grml-crypt's defaults because I trust they are OK.

It's a hard task to say "that algorithm is better than that other
one" if you're not a specialist in the crypto area. The
mathematics behind the different algorithms is hard, the
implementation details are even harder. :)
A rule of thumb: Use default algorithms (someone with (hopefully)
more knowledge than you trusts in them).

Post by T o n g
> - Is your choice as cross-platform as TrueCrypt?

My choice is grml-crypt, because I only use debian-based systems
anyway. In case grml-crypt is not there yet, a simple

git clone git://git.grml.org/grml-crypt.git

will do for me.

Post by T o n g
> - Since I need to encrypt more than one selected partition, is there any
> alternative to typing in a passphrase for each one of them when mounting
> them?

You can set up /etc/crypttab to contain a key file that contains
the passphrase. But then you should make sure that key file
resides on an encrypted partition itself and only root can read
it :-)

Post by T o n g
> - How are passphrases cached? Do I have to repeatedly type in the passphrase
> each time I do the mount? I also heard of passphrase-less disk
> encryptions. Hmm... I don't want to go there so maybe I can skip that.

See above for /etc/crypttab :)
Passphrase-less disk encryption is useless. Everybody can still
read your data, so it just costs performance. Don't do it.

Post by T o n g
> BTW, I just need a mini how-to about disk encryption, it does not need to
> be in-depth or comprehensive but rather short and to the point, to allow
> anyone with a minimum of linux disk encryption knowledge to create
> encrypted memory sticks, USB disks, or partitions in minutes.

Linux disk encryption in 4 commands:

# get grml-crypt :)
git clone git://git.grml.org/grml-crypt.git
# create encrypted partition, format it with ext3
grml-crypt -vvv -text3 format /dev/sdaX
# mount encrypted partition
grml-crypt -vvv -F mount /dev/sdaX /mnt/test
# umount encrypted partition
grml-crypt -vvv stop /mnt/test

You can skip the -vvv part if you don't want to see what happens
in every shining detail.

Post by T o n g
> Thanks a lot.

Bye,
Thomas
--
Thomas Köhler Email: jean-luc at picard.franken.de
<>< WWW: http://gott-gehabt.de
IRC: tkoehler
PGP public key available from Homepage!
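
A check for the /etc/crypttab key-file advice above, as an added example that is not part of the original posts or of grml-crypt: it walks a crypttab-format file and flags key files that are missing, carry group or other permission bits, or are not owned by the expected uid. The sample crypttab, device names and key paths are constructed, the function names and `EXPECTED_UID` are hypothetical, and it does not verify that the key file itself sits on an encrypted partition.

```shell
#!/bin/sh
# Added example: audit the key files named in a crypttab-format file.
# Fields per line: <name> <device> <key file> <options>

# Numeric owner every key file must have; 0 = root.
EXPECTED_UID="${EXPECTED_UID:-0}"

# check_keyfile NAME PATH
# Prints one finding per problem; returns 0 only if the key file is clean.
check_keyfile() {
    ck_name=$1
    ck_path=$2
    if [ ! -f "$ck_path" ]; then
        echo "MISSING $ck_name $ck_path"
        return 1
    fi
    # ls -ldnL: mode string in field 1, numeric owner in field 3;
    # -L follows a symlink so the real file's permissions are judged.
    ck_ls=$(ls -ldnL -- "$ck_path")
    ck_mode=${ck_ls%% *}
    ck_owner=$(printf '%s\n' "$ck_ls" | awk '{print $3}')
    ck_rc=0
    case $ck_mode in
        -???------*) ;;    # no group or other permission bits set
        *) echo "PERMS $ck_name $ck_path $ck_mode"; ck_rc=1 ;;
    esac
    if [ "$ck_owner" != "$EXPECTED_UID" ]; then
        echo "OWNER $ck_name $ck_path uid=$ck_owner"
        ck_rc=1
    fi
    return "$ck_rc"
}

# audit_crypttab FILE
# Returns 0 if every referenced key file is clean, 1 otherwise.
audit_crypttab() {
    ac_bad=0
    while read -r ac_name ac_dev ac_key ac_opts || [ -n "$ac_name" ]; do
        case $ac_name in ''|'#'*) continue ;; esac
        case $ac_key in
            ''|none|-) continue ;;   # passphrase is typed at the prompt
            /dev/*) continue ;;      # random key source, e.g. for swap
        esac
        check_keyfile "$ac_name" "$ac_key" || ac_bad=1
    done < "$1"
    return "$ac_bad"
}

# Demo on constructed input: a throw-away directory stands in for /etc.
demo() (
    d=$(mktemp -d) || exit 1
    EXPECTED_UID=$(id -u)      # demo files belong to the current user
    printf 'constructed-key\n' > "$d/home.key"; chmod 400 "$d/home.key"
    printf 'constructed-key\n' > "$d/data.key"; chmod 644 "$d/data.key"
    cat > "$d/crypttab" <<EOF
# constructed sample, not taken from the thread
home    /dev/sdaX  $d/home.key    luks
data    /dev/sdaY  $d/data.key    luks
backup  /dev/sdaZ  $d/absent.key  luks
stick   /dev/sdbX  none           luks
EOF
    audit_crypttab "$d/crypttab" && echo "all key files clean"
    rm -rf "$d"
)

demo
```

On a real system the call would be `audit_crypttab /etc/crypttab`, run as root with `EXPECTED_UID` left at 0.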
T o n g
2011-01-26 14:54:34 UTC
> . . . Linux disk encryption in 4 commands . . .

Thanks a lot Thomas for your detailed explanation. You really answered
all that I wanted to know.

No further questions.
Thanks
--
Tong (remove underscore(s) to reply)
http://xpt.sourceforge.net/techdocs/
http://xpt.sourceforge.net/tools/
T o n g
2011-01-26 15:26:08 UTC
Post by T o n g
> > - Since I need to encrypt more than one selected partition, is there
> > any alternative to typing in a passphrase for each one of them when
> > mounting them?
> You can set up /etc/crypttab to contain a key file that contains the
> passphrase. But then you should . . .

I skimmed through the man page, but didn't notice how to specify the key
file to grml-crypt. Would that be added soon? Is there any easy
workaround?

Thanks
--
Tong (remove underscore(s) to reply)
http://xpt.sourceforge.net/techdocs/
http://xpt.sourceforge.net/tools/
Ulrich Dangel
2011-01-27 13:16:25 UTC
* T o n g wrote [25.01.11 18:02]:
> Hi,
> Question about disk encryption

There is also a thread on reddit about a similar topic.

http://www.reddit.com/r/linux/comments/f9mtk/recommended_full_disk_encryption/

> BTW, I just need a mini how-to about disk encryption, it does not need to
> be in-depth or comprehensive but rather short and to the point, to allow
> anyone with a minimum of linux disk encryption knowledge to create
> encrypted memory sticks, USB disks, or partitions in minutes.

initial setup:
--------------
cryptsetup luksFormat $DEVICE
cryptsetup luksOpen $DEVICE $NAME
mkfs.$WHATEVER /dev/mapper/$NAME
mount /dev/mapper/$NAME /mnt/

closing:
--------
umount /mnt
cryptsetup luksClose $NAME

open:
-----
cryptsetup luksOpen $DEVICE $NAME
mount /dev/mapper/$NAME /mnt

done :)
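
On the earlier question of whether an encrypted partition gives any hint that it is encrypted: `cryptsetup luksFormat` writes a LUKS header at the start of the device, so a LUKS volume can be recognised without the passphrase. This added example (not from the thread) reads that header; the LUKS1 field offsets follow the LUKS on-disk format, the sample header values are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: read the header that luksFormat writes at offset 0.

# hex_at FILE OFFSET COUNT -> lowercase hex of COUNT bytes, no separators
hex_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# str_at FILE OFFSET COUNT -> NUL-padded text field as a plain string
str_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | tr -d '\000'
}

# luks_info FILE
# Prints a one-line summary and returns 0 if FILE starts with a LUKS header;
# returns 1 if the magic bytes are absent or the header is truncated.
luks_info() {
    [ "$(hex_at "$1" 0 6)" = "4c554b53babe" ] || return 1   # "LUKS" 0xBA 0xBE
    li_hex=$(hex_at "$1" 6 2)                               # big-endian u16
    [ "${#li_hex}" -eq 4 ] || return 1
    li_ver=$(( 0x$li_hex ))
    if [ "$li_ver" -ne 1 ]; then
        echo "LUKS$li_ver"          # later versions keep metadata elsewhere
        return 0
    fi
    # LUKS1: cipher name @8, cipher mode @40, hash spec @72 (32 bytes each,
    # NUL padded), master key length in bytes @108 (big-endian u32)
    li_key=$(hex_at "$1" 108 4)
    [ "${#li_key}" -eq 8 ] || return 1
    echo "LUKS1 cipher=$(str_at "$1" 8 32) mode=$(str_at "$1" 40 32)" \
         "hash=$(str_at "$1" 72 32) keybits=$(( 0x$li_key * 8 ))"
}

# field32 TEXT -> TEXT padded with NUL bytes to 32 bytes
field32() {
    printf '%s' "$1"
    dd if=/dev/zero bs=1 count=$(( 32 - ${#1} )) 2>/dev/null
}

# make_sample FILE
# Writes the first 112 bytes of a LUKS1-style header with constructed
# values; this is demo input, not a usable volume.
make_sample() {
    {
        printf 'LUKS\272\276\000\001'     # magic + version 1
        field32 "aes"
        field32 "cbc-essiv:sha256"
        field32 "sha1"
        printf '\000\000\010\000'         # payload offset (constructed)
        printf '\000\000\000\040'         # key length: 32 bytes
    } > "$1"
}

# Demo: one constructed LUKS header, one blank sector.
demo() (
    d=$(mktemp -d) || exit 1
    make_sample "$d/luks.img"
    dd if=/dev/zero of="$d/blank.img" bs=512 count=1 2>/dev/null
    for f in "$d/luks.img" "$d/blank.img"; do
        luks_info "$f" || echo "no LUKS header"
    done
    rm -rf "$d"
)

demo
```

On a real system `cryptsetup luksDump $DEVICE` prints the same header fields.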
T o n g
2011-01-27 14:59:07 UTC
> initial setup . . . done :)

Thanks for the informative link and the mini how-to, just the kind of
detailed info that I was looking for.

Perfect. Thanks
--
Tong (remove underscore(s) to reply)
http://xpt.sourceforge.net/techdocs/
http://xpt.sourceforge.net/tools/
T o n g
2011-01-27 14:59:07 UTC
Permalink
initial setup . . . done :)
Thanks for the informative link and the mini how-to, just the kind of
detail info that I was looking for.

Perfect. Thanks
--
Tong (remove underscore(s) to reply)
http://xpt.sourceforge.net/techdocs/
http://xpt.sourceforge.net/tools/
T o n g
2011-01-27 14:59:07 UTC
Permalink
initial setup . . . done :)
Thanks for the informative link and the mini how-to, just the kind of
detail info that I was looking for.

Perfect. Thanks
--
Tong (remove underscore(s) to reply)
http://xpt.sourceforge.net/techdocs/
http://xpt.sourceforge.net/tools/
T o n g
2011-01-25 17:02:53 UTC
Permalink
Hi,

I'm thinking to do the disk partition encryptions now. However

"Hard drive encryption sounds like an intimating concept, mostly because
it is. The thought of taking your precious files, then using a
mathematical formula to convert them into random noise before scattering
them back across your disk is a hard sell. " [1]

1. http://www.maximumpc.com/article/howtos/
how_to_encrypt_your_entire_hard_drive_for_free_using_true_crypt

So I need some demystify of the whole disk/partition encryption thing.
The official "Disk Encryption HOWTO" from tldp.org [2] is only dated as
2004-11-17, so I would assume it is *way* outdated. In terms of security,
I tend to turn to people that I trust for help. Having tldp.org failed on
me, I need your help, people from the grml community, instead of some
random blogs found on the interent.

2. http://www.tldp.org/HOWTO/html_single/Disk-Encryption-HOWTO/

Linux Encryption HOWTO
http://encryptionhowto.sourceforge.net/Encryption-HOWTO.html
v0.2.2, 04 October 2000

Here are my questions,

- First very noob question, I don't want whole disk encryption, just want
to encrypt some selected already partitioned partitions. If someone mount
the encrypted partitions, will it shows up as empty or, there are some
hints that the partition have been encrypted?

- The Ubuntu [3] and CentOS [4] seems to endorse dm-crypt, instead of
cryptsetup-luks that grml-crypt uses. So I need a bit of explanation why
it is better than others.

3. http://www.humboldt.edu/its/security-encryption-linuxubuntu
4. http://beginlinux.com/blog/2009/04/centos-53-encrypted-block-devices/

- In terms of encryption used, TrueCrypt supports the following
encryption algorithms: AES, Serpent, Twofish, AES-Twofish, AES-Twofish-
Serpent, Serpent-AES, Serpent-Twofish-AES, Twofish-Serpent; And these
hash algorithms: RIPEMD-160, SHA-512 & Whirlpool [5]

5. http://www.informit.com/articles/article.aspx?p=1276279

So I need a bit of explanation why the chosen algorithm is better than
others.

- Is your choice as cross-platform as TrueCrypt?

- Since I need to encrypt more than one selected partitions, is there any
alternative to typing in passphrase for each one of them when mounting
them?

- how passphrase are cached? Do I have to repeately typing in passphrase
each time I do the mount? I also heard of passphrase-less disk
encryptions. Hmm... I don't want to go there so maybe I can skip that.

BTW, I just need a mini how-to about disk encryption, it does not need to
be in-depth or comprehensive but rather short and to the point, to allow
anyone with a minimum of linux disk encryption knowledge to create
encrypted memory sticks, USB disks, or partitions in minutes.

Thanks a lot.
--
Tong (remove underscore(s) to reply)
http://xpt.sourceforge.net/techdocs/
http://xpt.sourceforge.net/tools/
William Gardella
2011-01-25 21:08:52 UTC
Permalink
Tong,

For a less intimidating (but still quite effective) HD encryption strategy, check out the grml2hd manpage. &nbsp;It includes straightforward examples of switching to LUKS-managed encrypted /home and swap partitions after installation, as well as examples of mounting directories for temporary files as tmpfs ramdisks. &nbsp;I am using more or less the exact setup described in the man page on my netbook.

You can easily set up passphrases for each encrypted partition if you wish.

Best,
Will


On Jan 25, 2011 12:18 PM, T o n g &lt;mlist4suntong at yahoo.com&gt; wrote:

Hi,



I'm thinking to do the disk partition encryptions now. However



"Hard drive encryption sounds like an intimating concept, mostly because

it is. The thought of taking your precious files, then using a

mathematical formula to convert them into random noise before scattering

them back across your disk is a hard sell. " [1]



1. http://www.maximumpc.com/article/howtos/

how_to_encrypt_your_entire_hard_drive_for_free_using_true_crypt



So I need some demystify of the whole disk/partition encryption thing.

The official "Disk Encryption HOWTO" from tldp.org [2] is only dated as

2004-11-17, so I would assume it is *way* outdated. In terms of security,

I tend to turn to people that I trust for help. Having tldp.org failed on

me, I need your help, people from the grml community, instead of some

random blogs found on the interent.



2. http://www.tldp.org/HOWTO/html_single/Disk-Encryption-HOWTO/



Linux Encryption HOWTO

http://encryptionhowto.sourceforge.net/Encryption-HOWTO.html

v0.2.2, 04 October 2000



Here are my questions,



- First very noob question, I don't want whole disk encryption, just want

to encrypt some selected already partitioned partitions. If someone mount

the encrypted partitions, will it shows up as empty or, there are some

hints that the partition have been encrypted?



- The Ubuntu [3] and CentOS [4] seems to endorse dm-crypt, instead of

cryptsetup-luks that grml-crypt uses. So I need a bit of explanation why

it is better than others.



3. http://www.humboldt.edu/its/security-encryption-linuxubuntu

4. http://beginlinux.com/blog/2009/04/centos-53-encrypted-block-devices/



- In terms of encryption used, TrueCrypt supports the following

encryption algorithms: AES, Serpent, Twofish, AES-Twofish, AES-Twofish-

Serpent, Serpent-AES, Serpent-Twofish-AES, Twofish-Serpent; And these

hash algorithms: RIPEMD-160, SHA-512 &amp; Whirlpool [5]



5. http://www.informit.com/articles/article.aspx?p=1276279



So I need a bit of explanation why the chosen algorithm is better than

others.



- Is your choice as cross-platform as TrueCrypt?



- Since I need to encrypt more than one selected partitions, is there any

alternative to typing in passphrase for each one of them when mounting

them?



- how passphrase are cached? Do I have to repeately typing in passphrase

each time I do the mount? I also heard of passphrase-less disk

encryptions. Hmm... I don't want to go there so maybe I can skip that.



BTW, I just need a mini how-to about disk encryption, it does not need to

be in-depth or comprehensive but rather short and to the point, to allow

anyone with a minimum of linux disk encryption knowledge to create

encrypted memory sticks, USB disks, or partitions in minutes.



Thanks a lot.
--
Tong (remove underscore(s) to reply)

http://xpt.sourceforge.net/techdocs/

http://xpt.sourceforge.net/tools/



_______________________________________________

Grml mailing list - Grml at mur.at

http://lists.mur.at/mailman/listinfo/grml

join #grml on irc.freenode.org

grml-devel-blog: http://grml.supersized.org/


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://ml.grml.org/pipermail/grml/attachments/20110125/11498865/attachment-0002.html>
Thomas Köhler
2011-01-26 09:56:51 UTC
Permalink
Post by T o n g
Hi,
I'm thinking to do the disk partition encryptions now.
[...]
Post by T o n g
- First very noob question, I don't want whole disk encryption, just want
to encrypt some selected already partitioned partitions. If someone mount
the encrypted partitions, will it shows up as empty or, there are some
hints that the partition have been encrypted?
It depends. Mounting will just fail, or the mount command will
ask for the passphrase.
Truecrypt has the feature of hidden containers, so it should't be
possible to see if there is encrypted data in that case, but I've
never tried that myself.
Post by T o n g
- The Ubuntu [3] and CentOS [4] seems to endorse dm-crypt, instead of
cryptsetup-luks that grml-crypt uses. So I need a bit of explanation why
it is better than others.
man cryptsetup says:
cryptsetup - setup cryptographic volumes for dm-crypt
(including LUKS extension).
So cryptsetup is just a wrapper around dm-crypt which means
technically they're the same.
Post by T o n g
- In terms of encryption used, TrueCrypt supports the following
encryption algorithms: AES, Serpent, Twofish, AES-Twofish, AES-Twofish-
Serpent, Serpent-AES, Serpent-Twofish-AES, Twofish-Serpent; And these
hash algorithms: RIPEMD-160, SHA-512 & Whirlpool [5]
5. http://www.informit.com/articles/article.aspx?p=1276279
So I need a bit of explanation why the chosen algorithm is better than
others.
I use the grml-crypt's defaults because I trust they are OK.

It's a hard task to say "that algorithm is better than that other
one" if you're not a specialist in the crypto area. The
mathematics behind the different algorithms is hard, the
implementation details are even harder. :)
A rule of thumb: Use default algorithms (someone with (hopefully)
more knowledge than you trusts in them).
Post by T o n g
- Is your choice as cross-platform as TrueCrypt?
My choice is grml-crypt, because I only use debian-based systems
anyway. In case grml-crypt is not there yet, a simple

git clone git://git.grml.org/grml-crypt.git

will do for me.
Post by T o n g
- Since I need to encrypt more than one selected partitions, is there any
alternative to typing in passphrase for each one of them when mounting
them?
You can setup /etc/crypttab to contain a key file that contains
the passphrase. But then you should make sure that key file
resides on an encrypted partition itself and only root can read
it :-)
Post by T o n g
- how passphrase are cached? Do I have to repeately typing in passphrase
each time I do the mount? I also heard of passphrase-less disk
encryptions. Hmm... I don't want to go there so maybe I can skip that.
See above for /etc/crypttab :)
Passphrase-less disk encryption is useless. Everybody can still
read your data, so it just costs performance. Don't do it.
Post by T o n g
BTW, I just need a mini how-to about disk encryption, it does not need to
be in-depth or comprehensive but rather short and to the point, to allow
anyone with a minimum of linux disk encryption knowledge to create
encrypted memory sticks, USB disks, or partitions in minutes.
Linux disk encryption in 4 commands:
# get grml-crypt :)
git clone git://git.grml.org/grml-crypt.git
# create encrypted partition, format it with ext3
grml-crypt -vvv -text3 format /dev/sdaX
# mount encrypted partition
grml-crypt -vvv -F mount /dev/sdaX /mnt/test
# umount encrypted partition
grml-crypt -vvv stop /mnt/test

You can skip the -vvv part if you don't want to see what happens
in every shining detail.
Post by T o n g
Thanks a lot.
Bye,
Thomas
--
Thomas K?hler Email: jean-luc at picard.franken.de
<>< WWW: http://gott-gehabt.de
IRC: tkoehler
PGP public key available from Homepage!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <http://ml.grml.org/pipermail/grml/attachments/20110126/fde0729b/attachment-0002.pgp>
Ulrich Dangel
2011-01-27 13:16:25 UTC
Permalink
* T o n g wrote [25.01.11 18:02]:
Hi,
Question about disk encryption
There is also a thread on reddit about a similar topic.

http://www.reddit.com/r/linux/comments/f9mtk/recommended_full_disk_encryption/
BTW, I just need a mini how-to about disk encryption, it does not need to
be in-depth or comprehensive but rather short and to the point, to allow
anyone with a minimum of linux disk encryption knowledge to create
encrypted memory sticks, USB disks, or partitions in minutes.
initial setup:
--------------
cryptsetup luksFormat $DEVICE
cryptsetup luksOpen $DEVICE $NAME
mkfs.$WHATEVER /dev/mapper/$NAME
mount /dev/mapper/$NAME /mnt/

closing:
--------
umount /mnt
cryptsetup luksClose $NAME

open:
-----
cryptsetup luksOpen $DEVICE $NAME
mount /dev/mapper/$NAME /mnt

done :)
T o n g
2011-01-25 17:02:53 UTC
Permalink
Hi,

I'm thinking to do the disk partition encryptions now. However

"Hard drive encryption sounds like an intimating concept, mostly because
it is. The thought of taking your precious files, then using a
mathematical formula to convert them into random noise before scattering
them back across your disk is a hard sell. " [1]

1. http://www.maximumpc.com/article/howtos/
how_to_encrypt_your_entire_hard_drive_for_free_using_true_crypt

So I need some demystify of the whole disk/partition encryption thing.
The official "Disk Encryption HOWTO" from tldp.org [2] is only dated as
2004-11-17, so I would assume it is *way* outdated. In terms of security,
I tend to turn to people that I trust for help. Having tldp.org failed on
me, I need your help, people from the grml community, instead of some
random blogs found on the interent.

2. http://www.tldp.org/HOWTO/html_single/Disk-Encryption-HOWTO/

Linux Encryption HOWTO
http://encryptionhowto.sourceforge.net/Encryption-HOWTO.html
v0.2.2, 04 October 2000

Here are my questions,

- First very noob question, I don't want whole disk encryption, just want
to encrypt some selected already partitioned partitions. If someone mount
the encrypted partitions, will it shows up as empty or, there are some
hints that the partition have been encrypted?

- The Ubuntu [3] and CentOS [4] seems to endorse dm-crypt, instead of
cryptsetup-luks that grml-crypt uses. So I need a bit of explanation why
it is better than others.

3. http://www.humboldt.edu/its/security-encryption-linuxubuntu
4. http://beginlinux.com/blog/2009/04/centos-53-encrypted-block-devices/

- In terms of encryption used, TrueCrypt supports the following
encryption algorithms: AES, Serpent, Twofish, AES-Twofish, AES-Twofish-
Serpent, Serpent-AES, Serpent-Twofish-AES, Twofish-Serpent; And these
hash algorithms: RIPEMD-160, SHA-512 & Whirlpool [5]

5. http://www.informit.com/articles/article.aspx?p=1276279

So I need a bit of explanation why the chosen algorithm is better than
others.

- Is your choice as cross-platform as TrueCrypt?

- Since I need to encrypt more than one selected partitions, is there any
alternative to typing in passphrase for each one of them when mounting
them?

- how passphrase are cached? Do I have to repeately typing in passphrase
each time I do the mount? I also heard of passphrase-less disk
encryptions. Hmm... I don't want to go there so maybe I can skip that.

BTW, I just need a mini how-to about disk encryption, it does not need to
be in-depth or comprehensive but rather short and to the point, to allow
anyone with a minimum of linux disk encryption knowledge to create
encrypted memory sticks, USB disks, or partitions in minutes.

Thanks a lot.
--
Tong (remove underscore(s) to reply)
http://xpt.sourceforge.net/techdocs/
http://xpt.sourceforge.net/tools/
William Gardella
2011-01-25 21:08:52 UTC
Permalink
Tong,

For a less intimidating (but still quite effective) HD encryption strategy, check out the grml2hd manpage. &nbsp;It includes straightforward examples of switching to LUKS-managed encrypted /home and swap partitions after installation, as well as examples of mounting directories for temporary files as tmpfs ramdisks. &nbsp;I am using more or less the exact setup described in the man page on my netbook.

You can easily set up passphrases for each encrypted partition if you wish.

Best,
Will


On Jan 25, 2011 12:18 PM, T o n g <mlist4suntong at yahoo.com> wrote:

Hi,

I'm thinking to do the disk partition encryptions now. However

"Hard drive encryption sounds like an intimating concept, mostly because
it is. The thought of taking your precious files, then using a
mathematical formula to convert them into random noise before scattering
them back across your disk is a hard sell. " [1]

1. http://www.maximumpc.com/article/howtos/
how_to_encrypt_your_entire_hard_drive_for_free_using_true_crypt

So I need some demystify of the whole disk/partition encryption thing.
The official "Disk Encryption HOWTO" from tldp.org [2] is only dated as
2004-11-17, so I would assume it is *way* outdated. In terms of security,
I tend to turn to people that I trust for help. Having tldp.org failed on
me, I need your help, people from the grml community, instead of some
random blogs found on the internet.

2. http://www.tldp.org/HOWTO/html_single/Disk-Encryption-HOWTO/

Linux Encryption HOWTO
http://encryptionhowto.sourceforge.net/Encryption-HOWTO.html
v0.2.2, 04 October 2000

Here are my questions,

- First very noob question, I don't want whole disk encryption, just want
to encrypt some selected already partitioned partitions. If someone mount
the encrypted partitions, will it shows up as empty or, there are some
hints that the partition have been encrypted?

- The Ubuntu [3] and CentOS [4] seems to endorse dm-crypt, instead of
cryptsetup-luks that grml-crypt uses. So I need a bit of explanation why
it is better than others.

3. http://www.humboldt.edu/its/security-encryption-linuxubuntu
4. http://beginlinux.com/blog/2009/04/centos-53-encrypted-block-devices/

- In terms of encryption used, TrueCrypt supports the following
encryption algorithms: AES, Serpent, Twofish, AES-Twofish, AES-Twofish-
Serpent, Serpent-AES, Serpent-Twofish-AES, Twofish-Serpent; And these
hash algorithms: RIPEMD-160, SHA-512 & Whirlpool [5]

5. http://www.informit.com/articles/article.aspx?p=1276279

So I need a bit of explanation why the chosen algorithm is better than
others.

- Is your choice as cross-platform as TrueCrypt?

- Since I need to encrypt more than one selected partitions, is there any
alternative to typing in passphrase for each one of them when mounting
them?

- how passphrase are cached? Do I have to repeatedly typing in passphrase
each time I do the mount? I also heard of passphrase-less disk
encryptions. Hmm... I don't want to go there so maybe I can skip that.

BTW, I just need a mini how-to about disk encryption, it does not need to
be in-depth or comprehensive but rather short and to the point, to allow
anyone with a minimum of linux disk encryption knowledge to create
encrypted memory sticks, USB disks, or partitions in minutes.

Thanks a lot.
--
Tong (remove underscore(s) to reply)
http://xpt.sourceforge.net/techdocs/
http://xpt.sourceforge.net/tools/

Thomas Köhler
2011-01-26 09:56:51 UTC
Permalink
Post by T o n g
Hi,
I'm thinking to do the disk partition encryptions now.
[...]

Post by T o n g
- First very noob question, I don't want whole disk encryption, just want
to encrypt some selected already partitioned partitions. If someone mount
the encrypted partitions, will it shows up as empty or, there are some
hints that the partition have been encrypted?

It depends. Mounting will just fail, or the mount command will
ask for the passphrase.
Truecrypt has the feature of hidden containers, so it shouldn't be
possible to see if there is encrypted data in that case, but I've
never tried that myself.

Post by T o n g
- The Ubuntu [3] and CentOS [4] seems to endorse dm-crypt, instead of
cryptsetup-luks that grml-crypt uses. So I need a bit of explanation why
it is better than others.

man cryptsetup says:
cryptsetup - setup cryptographic volumes for dm-crypt
(including LUKS extension).
So cryptsetup is just a wrapper around dm-crypt which means
technically they're the same.

Post by T o n g
- In terms of encryption used, TrueCrypt supports the following
encryption algorithms: AES, Serpent, Twofish, AES-Twofish, AES-Twofish-
Serpent, Serpent-AES, Serpent-Twofish-AES, Twofish-Serpent; And these
hash algorithms: RIPEMD-160, SHA-512 & Whirlpool [5]
5. http://www.informit.com/articles/article.aspx?p=1276279
So I need a bit of explanation why the chosen algorithm is better than
others.

I use the grml-crypt's defaults because I trust they are OK.

It's a hard task to say "that algorithm is better than that other
one" if you're not a specialist in the crypto area. The
mathematics behind the different algorithms is hard, the
implementation details are even harder. :)
A rule of thumb: Use default algorithms (someone with (hopefully)
more knowledge than you trusts in them).

Post by T o n g
- Is your choice as cross-platform as TrueCrypt?

My choice is grml-crypt, because I only use debian-based systems
anyway. In case grml-crypt is not there yet, a simple

git clone git://git.grml.org/grml-crypt.git

will do for me.

Post by T o n g
- Since I need to encrypt more than one selected partitions, is there any
alternative to typing in passphrase for each one of them when mounting
them?

You can setup /etc/crypttab to contain a key file that contains
the passphrase. But then you should make sure that key file
resides on an encrypted partition itself and only root can read
it :-)

Post by T o n g
- how passphrase are cached? Do I have to repeatedly typing in passphrase
each time I do the mount? I also heard of passphrase-less disk
encryptions. Hmm... I don't want to go there so maybe I can skip that.

See above for /etc/crypttab :)
Passphrase-less disk encryption is useless. Everybody can still
read your data, so it just costs performance. Don't do it.

Post by T o n g
BTW, I just need a mini how-to about disk encryption, it does not need to
be in-depth or comprehensive but rather short and to the point, to allow
anyone with a minimum of linux disk encryption knowledge to create
encrypted memory sticks, USB disks, or partitions in minutes.

Linux disk encryption in 4 commands:
# get grml-crypt :)
git clone git://git.grml.org/grml-crypt.git
# create encrypted partition, format it with ext3
grml-crypt -vvv -text3 format /dev/sdaX
# mount encrypted partition
grml-crypt -vvv -F mount /dev/sdaX /mnt/test
# umount encrypted partition
grml-crypt -vvv stop /mnt/test

You can skip the -vvv part if you don't want to see what happens
in every shining detail.

Post by T o n g
Thanks a lot.

Bye,
Thomas
--
Thomas Köhler Email: jean-luc at picard.franken.de
<>< WWW: http://gott-gehabt.de
IRC: tkoehler
PGP public key available from Homepage!
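
The key-file setup suggested in the reply above only holds up if each key file is readable by root alone. The following is an added example, not part of the original posts: it audits the key files named in a crypttab-format file. `audit_crypttab` and `make_demo` are hypothetical names, the sample entries and key contents are constructed, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Debian crypttab fields: <target> <source device> <key file> <options>

# audit_crypttab FILE [UID]: print one finding per entry that uses a key file.
# Returns 1 if a key file is missing, not owned by UID (default 0, root),
# or has any group/other permission bit set.
audit_crypttab() {
    want=${2:-0}
    rc=0
    while read -r target device key options; do
        case $target in ''|'#'*) continue ;; esac   # blank line or comment
        case $key in ''|none|-) continue ;; esac     # passphrase is prompted for
        case $key in /dev/*) continue ;; esac        # e.g. /dev/urandom for swap
        if [ ! -f "$key" ]; then
            echo "MISSING $target $key"; rc=1; continue
        fi
        mode=$(stat -c %a "$key")                    # octal mode, e.g. 400
        uid=$(stat -c %u "$key")                     # numeric owner
        case $mode in
            *00) perm=ok ;;                          # no group/other access
            *)   perm=bad ;;
        esac
        if [ "$perm" = ok ] && [ "$uid" -eq "$want" ]; then
            echo "OK $target $key mode=$mode"
        else
            echo "WEAK $target $key mode=$mode uid=$uid"; rc=1
        fi
    done < "$1"
    return $rc
}

# make_demo DIR: write a constructed crypttab and two constructed key files.
make_demo() {
    printf 'constructed-key-1' > "$1/home.key"; chmod 400 "$1/home.key"
    printf 'constructed-key-2' > "$1/data.key"; chmod 644 "$1/data.key"
    cat > "$1/crypttab" <<EOF
# constructed sample entries
home  /dev/sda5  $1/home.key  luks
data  /dev/sda6  $1/data.key  luks
swap  /dev/sda7  /dev/urandom swap
usb   /dev/sdb1  none         luks
EOF
}

demo=$(mktemp -d)
make_demo "$demo"
# The demo files belong to the current user, so that uid is passed explicitly.
audit_crypttab "$demo/crypttab" "$(id -u)" || true
rm -rf "$demo"
```

On a real system, run `audit_crypttab /etc/crypttab` as root so the default owner check (uid 0) applies.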
Ulrich Dangel
2011-01-27 13:16:25 UTC
Permalink
* T o n g wrote [25.01.11 18:02]:
Hi,
Question about disk encryption

There is also a thread on reddit about a similar topic.

http://www.reddit.com/r/linux/comments/f9mtk/recommended_full_disk_encryption/

BTW, I just need a mini how-to about disk encryption, it does not need to
be in-depth or comprehensive but rather short and to the point, to allow
anyone with a minimum of linux disk encryption knowledge to create
encrypted memory sticks, USB disks, or partitions in minutes.

initial setup:
--------------
cryptsetup luksFormat $DEVICE
cryptsetup luksOpen $DEVICE $NAME
mkfs.$WHATEVER /dev/mapper/$NAME
mount /dev/mapper/$NAME /mnt/

closing:
--------
umount /mnt
cryptsetup luksClose $NAME

open:
-----
cryptsetup luksOpen $DEVICE $NAME
mount /dev/mapper/$NAME /mnt

done :)
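
On the question earlier in the thread of whether an encrypted partition gives any hint of being encrypted: `cryptsetup luksFormat` writes a plaintext header at the start of the device. The following is an added example, not part of the original posts: it reads that header using the LUKS1 on-disk layout. `luks_probe`, `field`, `pad32` and `make_sample` are hypothetical names, and the sample header is constructed and contains no key material.

```shell
#!/bin/sh
# field FILE OFFSET LEN: print a NUL-padded ASCII header field.
field() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | tr -d '\000'
}

# luks_probe FILE: report whether FILE starts with a LUKS header and, for
# version 1, the cipher, mode and hash stored in clear text after the magic.
luks_probe() {
    magic=$(dd if="$1" bs=1 count=6 2>/dev/null | od -An -tx1 | tr -d ' \n')
    if [ "$magic" != "4c554b53babe" ]; then          # "LUKS" 0xBA 0xBE
        echo "no LUKS header"
        return 1
    fi
    # Version: big-endian 16-bit integer at offset 6.
    version=$(dd if="$1" bs=1 skip=6 count=2 2>/dev/null | od -An -tu1 |
        awk '{ print $1 * 256 + $2 }')
    if [ "${version:-0}" -ne 1 ]; then
        echo "LUKS version=${version:-unknown}"
        return 0
    fi
    # LUKS1: cipher name at 8, cipher mode at 40, hash spec at 72 (32 bytes each).
    echo "LUKS version=1 cipher=$(field "$1" 8 32)-$(field "$1" 40 32) hash=$(field "$1" 72 32)"
}

# pad32 STRING: emit STRING followed by NUL bytes up to 32 bytes in total.
pad32() {
    printf '%s' "$1"
    dd if=/dev/zero bs=1 count=$((32 - ${#1})) 2>/dev/null
}

# make_sample FILE: write the first 104 bytes of a constructed LUKS1 header.
make_sample() {
    { printf 'LUKS\272\276\000\001'
      pad32 aes; pad32 cbc-essiv:sha256; pad32 sha1; } > "$1"
}

sample=$(mktemp)
make_sample "$sample"
luks_probe "$sample"
rm -f "$sample"
```

Against a real partition, run `luks_probe /dev/sdaX` as root; `cryptsetup isLuks` and `cryptsetup luksDump` report the same information. A plain dm-crypt mapping without LUKS has no such header.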