Security :: Traces Of Deleted Data On LUKS Filesystem ?
Apr 25, 2010
Recently, I started protecting all user-accessible filesystems on my Sidux desktop machine with LUKS. Before that, I would regularly erase traces of deleted data, and I wonder if this is still necessary.
It would be most valuable to me to be pointed towards a good introductory article on the underlying mechanics of LUKS and cryptsetup, as there are a few more minor questions to be answered. Unfortunately, I lack the necessary mathematic and cryptographic background to understand scientific papers.
I'm about to have a web server at home for the first time. I've always missed having full control and not having to contact my hosting company when I need to do some specific changes - and some changes they won't do for you at all.I've chosen the non-GUI Ubuntu Server with LAMP, and nothing more is installed really except for a couple of command line tools from the repository. The LAMP software has been locked down as good as I can by following some guides on the net and using common sense. Like Apache 2 don't have access to the file system except for the www folder, and setting the headers to Prod. MySQL has skip-networking and I've commented out the listen string to localhost. PHP has a truckload of functions that I've disabled in the php.ini, also by following some guides on the net, among some other security enhancing php.ini editing.
The only thing the server will serve is a well known PHP forum and some html docs, and that's all. Nothing advanced or complicated stuff, and I'm definitely not programming PHP myself or letting anyone do it for me.But I do want to sleep well at night knowing that my server is always on and sitting on the edge of my home network! And can I do that? I've heard that you don't need to be worried about getting your Linux server box hacked, but you should be worried about anyone getting root access to it. But is it really that simple? Ubuntu is shipped without root account and you must have the sudo password, right? What's the odds for anyone to get full access to my system?An issue: I've heard that Apache never must run as root. When I do a ps -ef, I see that there are several www-data processes running apache, but there's one root process running apache too. Is this normal and is it safe?An issue: I've heard that PHP can fail pretty easily. But isn't PHP running under apache 2 and limited by the www-data filesystem access?An issue: MySQL is running as a MySQL user, and I guess that's an unprivileged user right?
I just created a LUKS filesystem following these instructions. Everything seemed okay at first. It mounted with no problem and I moved some files there. I then unmounted it and remounted it to see if I would need to use a special command. It mounted right away and even allowed access to normal users. So, I rebooted to see if anything would change. Before I go on I should say that my partitioning scheme is weird. Not knowing any better I 'upgraded' to 11.04 when my update manager told me a new version was out. This didn't go well and I had to do a fresh install to put 10.10 back on my machine. After this the way it partitions the drive has been weird. What I had was /dev/sda1 which has my installation on it including /home. But, where it gets weird is /dev/sda2 would not manually mount. Looking at the disk in gparted it showed /dev/sda2 THEN under that, as if they were sub partitions or something, I had sda6 and sda7. I had been using 6 and 7 for various things and they mounted fine, so I decided to encrypt 7. After reboot I only have sda1. Everything else shows up as unallocated and ever way I try to mount I get device does not exist.
I only did the procedure for sda7 but 6 has been affected as well. There is no longer a sda2 the way there was before. This always bothered me anyway since I wanted sda2 for my /home but it wanted to call it sda6 and put it under sda2 like I said, I could never fix that, now this.
I am trying to decide whether or not to use LUKS with LVM install for NAS Box, mysql, postfix, ddns, bind, NFS, sshd, Appletalk, maybe samba. I have decided to give LVMs a try but not sure how LUKS will affect access to services. LAN includes Standalone headless web server(not on LVM, no LUKS). Aren't permissions,iptables and firewalls sufficient? Not sure how services are supose to interract if everything is encrypted especially root?
So far what I have read recommends vgOS /, swap, /var, /tmp encription and vgdata /home encryption but no one tells how they did it. The 2 servers I'm working on only have small /home for admin stuff and considering making NAS headless, except i read somewhere that some gui would make it easier to manage mysql which brings me to the question if I don't install X on NAS can I ssh in with my desktop using its gui? I am experimenting with minimal server tagfiles. LUKS and LVMs are new to me. Decided to use LVMs to seperate OS from data, different data types and resizing flexibility. I have read some material on LUKS just wonder if its more complicated than my needs require. Certainly i don't want to leave myself open to someone just distroying my setup for kicks.
1.) I am wondering how to enable the lock to an encrypted partition which has been unlocked, using luks? On boot, I am been asked automatically for the pass phrase to unlock my partitions. After doing a back up, I want lock the encrypted partition again, but I don't know the command?! I umounted the partition but after mounting it again, I was not asked for the pass phrase but had access to my data.
2.) How secure is the default fedora version of luks? Is truecrypt better?
When 10.04 is released I'll encrypt my /home partition using luks. I've read that xts is good for hard drive encryption and aes is good for cipher encryption. I'm looking for something that is fairly secure without sacrificing a lot of speed.
I have a LVM logical volume, that contains a LUKS encrypted volume, on which is an ext4 filesystem. I shrank the partition to the minimum size. Next step is to luksClose the device, and then to resize the LVM logical volume. I suspect that LUKS has overhead. So if the ext4 filesystem was resized from, say 1TB to 500G, I have the idea that resizing the LVM LV to 500G does not take LUKS overhead into account and this might corrupt data on the end of the FS. So, what's the smart move to take? How do I calculate the safe minimum LV size? Or should I just give the 500G disk a few gigabytes extra to be sure?
if encrypt my root partition with Luksformat on my laptop and the battery suddenly goes out without a proper shutdown, I stand a big chance on corrupting the luks header or key slot?
I'm planning a fresh F13 install, with separate partitions for /boot, /home, /tmp, /, and swap. All but /boot will be logical volumes, and I'd like to encrypt all but boot. If I encrypt the underlying partitions, is there any reason to also encrypt the logical volumes themselves?
my system will be: HP dv6-3040us Pavillion laptop AMD Phenon II 4GB DDR3
I run fedora 13 on my laptop (dual boot with Windows 7) and I just created a new partion to hold sensible data, encrypted with LUKS. I followed this tutorial for creating it.Now, everything went well and the new partition works well. But I needed something a little different from what the tutorial suggested, because I don't want the partition to be mounted on the system each time it boots, but I would (unlock and) mount it manually when I need it.
To do so I just didn't follow the Tutorial steps from 7 to 13, thinking that without the changes to crypttab and fstab the partition wouldn't be even touched by the start up process. And that's partially true: the partition isn't mapped nor mounted in the system when I boot, but the problem is that it however keeps asking for the passphrase to unlock it even if it doesn't get mounted or mapped.It just asks for it before the system loads all it's parts (udev, filesystems, etc) and I can't understand why, what it uses it for if it doesn't unlock it.So my question is: why does it ask for the passphrase to unlock luks if I haven't set crypttab and fstab to mount the partition on start up?
I'm just wondering - what is the best way to set up your encrypted volumes with dm_crypt and LUKS?
My understanding was that aes-lrw ws better than aes-cbc - and then I stumble upon [url] which says that LRW has some problems, and XTS is better? I dont know enough about encryption theory to be able to say anything, so i'm hoping some folks more enlightened will be able to say something here.
I was previously using aes-lrw-benbi to set up a volume. If xts is truly better - should i be using '-c aes-xts-benbi' then?
I'm simply interested in a more basic discussion of why one would choose one of these methods over the other. What do they offer that the other does not? I'll start with what I know:
- dm-crypt/LUKS --- included in a lot of install images already; in other words, perhaps easier to implement on a fresh install - TrueCrypt --- multiple encryption algorithms possible
[code]....
For me... I have no need for Windows compatibility, though I do use OS X on a dual booting MacBook. I believe TrueCrypt woks with OS X, so that could be a bonus, though I can simply encrypt my home folder on OS X with it's own FireVault and be fine.My setup (after wiping and starting over) will probably be like so:
- /boot on it's own primary partition - / on it's own primary partition with logical partitions within --- /usr, /var, /etc, /opt, and the like on a logical partition --- /home on a logical partition
/home will surely be encrypted and I'm leaning toward encrypting the rest as well, though perhaps it's not necessary. I'm open to input there as well -- is there anything the leaks from normal application use into /var or /tmp that would make one lean toward just encrypting the whole thing?
I opened up TrueCrypt just to look at it and since I can't encrypt a whole partition without losing data... I pretty much have to encrypt from what? A live CD? This could be a drawback -- I think since TrueCrypt isn't coming on install disks, I'd have to go with an unencrypted (or dm-crypt/LUKS) root partition and then use TrueCrypt to make a container (or partition) for /home only. I can't think of another way to do this since I can't encrypt the whole disk as one entity with my dual booting situation...
I have a perfectly OK 2.5 inch disk drive from a dead laptop (graphics card failed).
The hard drive is fine. I know the passphrase.
I had installed Ubuntu 10.04 with full fisk encryption using dm-crypt/luks using the alternate install cd.
I'm not exactly sure of the configuration I selected. Just that its full disk encryption with a pre-boot passphrase prompt.
Now my issue is, I have put the drive into a usb drive docking station, and I simply want to mount the partition on my new laptop, so I can copy the files over.
I've tried googling for various things like "mount dm-crypt drive linux" and "how to mount a luks encrypted partition linux", but I get no results.
I'd like to know if there's a simple way to create a LUKS encryption drive with different passwords? A real one that leads to one set of data, and another that leads to a whole different set of data. Is this even possible with LUKS?
When I upgraded from FC11 to FC12 of the encrypted raid partitions started to request password on boot (in FC11 not having references to encrypted md1 in fstab and crypttab, was enough for FC11 not to ask for passwords on boot) despite the fact that I removed /etc/crypttab and there is nothing in /etc/fstab relating to encrypted md1 (raid array). I want my machine to boot w/o asking me passwords for encrypted devices, and I will open and mount them myself manually after boot.
Anyone had any experience with unlocking a LUKS encrypted root partition via ssh? It is ok to leave /boot unencrypted.
There are a few pages from google with the debians variants, archived by putting dropbear into initrd.
I like to do that with my fedora/centos remote servers, but struggle to find any resources specific to it. Anyone has any suggestions and thoughts as to what might be a suitable way forward?
I'm trying to have a LUKS encrypted partition mounted at startup and to have GDM ask for my key so it will decrypt. Now I followed [URL] to the letter. Except for now, I have it just mounted into /mnt/cryptohome so I'm not messing with my system. My problem is the one everyone mentions in the comments, ubuntu isn't asking for the LUKS key in the X display, it's asking in the first terminal (Ctrl-Alt-F1). This will not do. I need it to ask to mount my drive before I'm even asked to login, so eventually I can encrypt my /home.
I've encrypted my root partition with LUKS and cannot remember my password. My main question is this: is it possible to extract the hash (or key; not sure on the correct terminology here) from the LUKS header and run it through a cracker? The hash type is SHA1 and I can remember the characters I used for the password, just not in the correct order (lots of special characters). That being said, given such a small charset, it should be crackable within a reasonable time, correct? Especially if I used a GPU accelerated cracker. What I don't know how to do is go about getting the hash from the LUKS header. Is any of this possible, or am I SOL? Of course, I have physical access to the system so I can boot it into any utilities I may need to.
I launched a script using rsync and the option -delete-before, however the destination folder was the wrong one. I noticed it only seconds after but it was still too late. In less than 5 sec rsync deleted over 200gb of data on my external hard drive... It is not in my Trash nor on the HDD trash but it's not possible that the data were ereased in less than 5 sec! (I dont know how rsync handle deletions.) I know I am really stupid but is there a way to get back all my data (mainly HD movies in mkv, mp4 and some avi)
I need a FREE solution that can image an entire Luks system encrypted volume and the rest of the used HDD, the MBR and /boot partition. Note: MBR and /boot are not encrypted. Note 2: I want to be able to restore entire drive from image with only a couple of steps. Note 3: Destination HDD space is a factor. Image file must be compressed and the image file must be around 40 to 50 GB or less. The smaller the image the better.
I have used clonezilla live cd before but not for encrypted volumes. I know you can install it in Linux. But, I don't know how to configure it after installation. I would be very happy if someone could tell me how to configure clonezilla in Fedora. How to guides are also welcome. I have one more question. If I image the encrypted volumes and all the stuff I mentioned above while logged in to Fedora, and I restore the drive from the image, will the recovered drive still be encrypted?
Has anyone tried encrypting the boot partition to prevent the kernel from being modified. Iv tried following this but I'm running into issues when building. [URL] Im using the source from bzr checkout [URL] Last time I tried I screwed grub and it wouldnt boot.
I was trying to delete a logical drive in windows xp and the damn disk management tool in windows not only deleted my other windows partition but also my linux /data ext3 partition. Now I have a unallocated space in place of these partitions. The data is still there but the entries in the partition table have been removed. So how do I recover my partition. I was trying to use the following tutorial. [URK]
I used the sudo parted /dev/sda -- and then rescue START END command and could get back the /data partition. But it gives me the following error while mounting the partition. mount: wrong fs type, bad option, bad superblock on /dev/sda7, missing codepage or helper program or other error. In some cases useful info is found in syslog - try dmesg | tail or so.
What does this mean. How to I fix this? Also when I try to recover my windows partition using parted it scans for a while and then does nothing. It doesnot ask for writing the lost partition in the partition table. What do I do?
I have somehow managed to eradicate all of my films and music...I was going to update my external HDD (typical) and so I highlighted everything and went to drag it. My finger kind of slipped while the cursor was in the the same folder and I got a message saying something like:"Source file is in this destination. Cannot move. Do what?"There's me thinking not much can go wrong at this point so I clicked "Skip all".Everything disappeared
The file system says there's still only 500GB free on my 1.5TB, so the files are there but I just can't see them.how I can get them back?There's nothing in my 'Deleted Items' and I had a play with scalpel and PhotoRec and I either couldn't get them to work or they said they'd take way more time than I have.
Edit: Where did that smiling devil come from? That's really not how I feel right now.
I just made a very stupid mistake, and in result I just deleted almost everything on my windows 7 partition. I followed this guide: [URL].. for how to access my windows partition from ubuntu and it worked, but then I decided to rm -r the whole thing thinking it was a copy. I have no restore disks or any other type of backup. I know this maybe be impossible, but is there any way to recover my data?
Has anybody noticed that delete in Ubuntu 10.10 is only compatible with Ubuntu. E.g. I have a usb stick with 2 movies on it. Delete them using ubuntu's Gui just right clicking files and move to thrash so the drive looks empty. then i physically remove the drive and put it into a windows xp machine and all the files are still on the stick just put into a folder called thrash.
I also reformatted the usb stick Fat32 inside ubuntu and when i put it into the windows machine the file names were still there. (The movies were currupt and unplayable in Windows.)But still its very strange I suppose i'll just have to Blow up my usb if i ever need to destroy the data on it.. Just let me know if this has happened to you guys before. (I had Bootable Backtrack 3 on one of my old usb's that I gave to a work colleague.
I know that deleting and reformatting only deletes the indexing info for the OS but i always thought that deleted files couldn't be accessed by the average computer user.
I deleted an old ubuntu partition, I reinstalled Ubuntu but is there any software for Ubuntu or any other Linux operating systems that can recover my data?
I tried to recover deleted data using testdisk tool and now my partition table have some errors. Even though i have 3 partitions and 1 unallocated disk fdisk -l shows only 1 partition
Code: vishnu@vishnu-laptop:~$ sudo fdisk -l [sudo] password for vishnu:
WARNING: GPT (GUID Partition Table) detected on '/dev/sda'! The util fdisk doesn't support GPT. Use GNU Parted.
I deleted by accident a folder containing a VMware server virtual machine, that contains most critical information. The host OS is CentOS 5.5, which I believe by default uses Ext3.I shut down the PC intermediately after noticing this.Is there any chance of recovering the files? Would they be able to mount to the same or another virtual machine?I need to get this information somehow, there are no backups.
I deleted by accident a folder containing a VMware server virtual machine, that contains most critical information. The host OS is CentOS 5.5, which I believe by default uses Ext3.I shut down the PC intermediately after noticing this.Is there any chance of recovering the files? Would they be able to mount to the same or another virtual machine?I need to get this information somehow, there are no backups.Which software can I use?