[TriLUG] Opinions on whole Disk encryption (for Linux)

Alan Porter porter at trilug.org
Fri Feb 1 14:25:06 EST 2008


> Ok, I wanted to solicit any experience/opinions on whole disk
> encryption.


I would recommend using LUKS.  This is the Linux Unified Key Setup,
a standard on-disk layout for managing encrypted partitions and keys.

It uses a master key to encrypt the partition, and then has 15 slots
that can contain encrypted copies of the master key.  That is, you
can have up to 15 passphrases.  Or you can change your passphrase
without re-encrypting the entire disk (a pain if you use loop-aes).

Take a look at this article to explain it a little better.

   The point of this how-to is to describe the way to migrate to
   a full-encrypted LVM system (rootfs + data) (only the boot
   partition obviously stays unencrypted), either coming from
   an LVM system, either from a simple ext3 system. All you need
   is some kind of external storage.

   URL: http://www.debian-administration.org/articles/577

LUKS is not really a set of tools, but really more of a standardized
layout of a partition.  The 'cryptsetup' tools support the LUKS
standard.  You can manually mount an encrypted partition using "pmount".
Ubuntu 7.10 recognizes LUKS partitions on removable media and it
prompts you for a passphrase as soon as you plug the drive in.
All of these make use of the new dm_crypt, the successor to
cryptoloop that uses the new device-mapper facility (the same
tool that used to make RAID and LVM work).

On Windows, you can view FAT filesystems on a LUKS partition using
FreeOTFE (Free On-The-Fly Encryption).  I use this to access my
encrypted thumb drive on Windows machines.

So LUKS is a fairly well-supported standard for laying out an
encrypted partition and managing the keys.

But closer to your question, the article linked above should set
you straight.  You can choose to put LVM on your LUKS partition,
or you could just put a straight filesystem on it.

Alan
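
The key-slot idea described in the message above, as a simplified Python model. This is an added example, not code from the post or from cryptsetup: the class and method names, the slot count and the iteration count are constructed, and a PBKDF2-derived XOR mask stands in for the block cipher and anti-forensic splitting that real LUKS applies to key-slot material.

```python
import hashlib
import hmac
import os

KEY_BYTES = 32
ITERATIONS = 2000  # constructed value, kept low so the example runs quickly


def _kdf(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS, KEY_BYTES)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ToyHeader:
    """One master key plus passphrase slots that each hold a wrapped copy of it."""

    def __init__(self, passphrase: str, slots: int = 4):  # slot count is constructed
        master = os.urandom(KEY_BYTES)
        self.mk_salt = os.urandom(16)
        self.mk_digest = _kdf(master, self.mk_salt)  # used to verify unlock attempts
        self.slots = [None] * slots
        self._fill(0, passphrase, master)

    def _fill(self, index: int, passphrase: str, master: bytes) -> None:
        salt = os.urandom(16)  # fresh salt per slot: each wrapping key is used once
        self.slots[index] = (salt, _xor(master, _kdf(passphrase.encode(), salt)))

    def _find(self, passphrase: str):
        for index, slot in enumerate(self.slots):
            if slot is None:
                continue
            candidate = _xor(slot[1], _kdf(passphrase.encode(), slot[0]))
            if hmac.compare_digest(_kdf(candidate, self.mk_salt), self.mk_digest):
                return index, candidate
        raise ValueError("no key slot matches this passphrase")

    def unlock(self, passphrase: str) -> bytes:
        return self._find(passphrase)[1]

    def add_key(self, existing: str, new: str) -> int:
        master = self.unlock(existing)
        index = self.slots.index(None)  # raises ValueError when every slot is full
        self._fill(index, new, master)
        return index

    def change_key(self, old: str, new: str) -> None:
        index, master = self._find(old)
        self._fill(index, new, master)  # only this slot is rewritten, not the data
```

Because the data is encrypted under the master key and not under any passphrase, `change_key` touches a few dozen bytes of header and leaves the encrypted payload as it was.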





