I'd like to know if there's a simple way to create a LUKS encryption drive with different passwords? A real one that leads to one set of data, and another that leads to a whole different set of data. Is this even possible with LUKS?
View 1 Replies
1.) I am wondering how to enable the lock to an encrypted partition which has been unlocked, using luks? On boot, I am been asked automatically for the pass phrase to unlock my partitions. After doing a back up, I want lock the encrypted partition again, but I don't know the command?! I umounted the partition but after mounting it again, I was not asked for the pass phrase but had access to my data.
2.) How secure is the default fedora version of luks? Is truecrypt better?
When 10.04 is released I'll encrypt my /home partition using luks. I've read that xts is good for hard drive encryption and aes is good for cipher encryption. I'm looking for something that is fairly secure without sacrificing a lot of speed.
View 2 Replies View RelatedIs LUKS the best data/system encryption? Or is there one that is even better and stronger?
View 1 Replies View RelatedI'm planning a fresh F13 install, with separate partitions for /boot, /home, /tmp, /, and swap. All but /boot will be logical volumes, and I'd like to encrypt all but boot. If I encrypt the underlying partitions, is there any reason to also encrypt the logical volumes themselves?
my system will be:
HP dv6-3040us Pavillion laptop
AMD Phenon II
4GB DDR3
I am not very security minded...I'm aware of it, and always made sure I had up-to-date overall protection in Windows but firewalls, and the blasted passwords are largely a thorn in my side!When I got my iPhone last year I suddenly discovered password managers & "wallets" to keep all that kind of information in and syncable across different devices. My life got so much easier. Of course now I need to figure out encryption keys, and how they work (I'm clueless). I also need to find a program or system that I can move my existing low-tech info (mailnly user name & passwords) that will also accomodate the increased needs of Ubuntu security and still be sync-able. I started a little research weeks ago, but my current "wallet" only exports .csv so I quit since I'm going to have to do a lot of data entry whatever I go with.So here goes:
1) what is the difference (bare bones) between using an encryption key (e.k.) vs. a standard user created password? what situations are better suited for e.k.?
2) I have seahorse (default intall with Ubuntu I guess) but the only thing in it is Login under passwords which leads to a login keyring (?) and a drop-down list of about 6-10 of the gazillon passwords I use daily. The other tabs are for keys which I don't have any concept of.
3) I know FF also "remembers" user id & passwords as you choose to have it do so. Is that information transferable into seahorse or another program?
4)I'm also (today) getting ready to really set up my system for user names & security across my little home network. How can I integrate that into whichever program/app I go with to store my pwds and keys?
5)give me links to fairly current documentation on this stuff?
6) Any program/app recommendations.Pros/cons uses, what they can & can't do or be used for, etc.
Is it possible to have two passwords associated with one account, one that is the actual one, and another one, a duress password, that upon entering gives a similar (desktop) environment with "decoy data"?
The idea is to have the bogus password go to an encrypted home drive that looks as if it were the real deal, but it is wiping particular sensitive (encrypted) data that is visible only with the real password in the background, so that the actual data that need to be protected are not compromised. While the person who unlocked the computer tries to find the information on it between all the rubbish files, the real files are securely wiped. The files are very sensitive in nature, so it's better to have then destroyed than have unauthorized people access them, in the event of that happening.
I happen to know that TrueCrypt has a similar option but that requires an entire decoy operating system (and I think that might be a bit conspicuous), but is there a native linux way to do it?
I would like to be able to store all my important details and passwords in such a way that it is encrypted, easy to get the information out and is cross-platform. Basically, I am thinking that if I kick the bucket that I would like to make it as easy as possible for others to be able to access this information using a pre-arranged password.
Ideally I would like the files to contain the program that is needed to extract the data i.e. importantinfoLinux.sh inportantinfoWin.exe (Just like a self-containing zip). I haven't found anything along those lines.
The things I am currently thinking of is:
1) A password database program that is cross-platform like KeePass. WIth the bundle contining the relevant installers for win, linux and OS X and the database file.
2) An AES encrypted zip of the data with relevant programs to open it e.g. 7-zip on windows, peazip on linux and OS X
Has anyone got any thoughts on this? Any self-containing java encryption apps?
I know how to mount it manually. I've seen a howto on how to mount it automatically by loging in with the user, you type your username and password and it mounts your encrypted partition. But that's not what I want. My idea is to call cryptsetup and mount on boot, AND ask me for passphrase like when its loading the system, then if I don't type the right password it shouldn't mount /home, even though i type the correct USER password later when the system is loaded(and then I'd have an empty /home since my home partition wasn't mounted due to wrong passphrase).
This is what I tried: I added the commands to rc.local and I don't even feel like it was executed, no passphrase was asked. As a test if commands there were being executed, I tried simple commands lile mkdir /test and it worked. So commands there are executed, yet, no passphrase was asked to me, I looked on dmesg for crypt and found nothing, I pressed alt+ctrl+F1 desiring to find a passprhase-ask and again, nothing.
I have a perfectly OK 2.5 inch disk drive from a dead laptop (graphics card failed).
The hard drive is fine. I know the passphrase.
I had installed Ubuntu 10.04 with full fisk encryption using dm-crypt/luks using the alternate install cd.
I'm not exactly sure of the configuration I selected. Just that its full disk encryption with a pre-boot passphrase prompt.
Now my issue is, I have put the drive into a usb drive docking station, and I simply want to mount the partition on my new laptop, so I can copy the files over.
I've tried googling for various things like "mount dm-crypt drive linux" and "how to mount a luks encrypted partition linux", but I get no results.
I am new to Linux. I have a new ntfs usb external drive. I have attached to the Linux server but can't locate it. I would like to
1. mount it.
2. format to Linux file system
3. and then create share folders with passwords using samba.
I'm planning to centralize users and passwords and also create controls for user access to some equipment, for example, Linux Servers, Switches, routers and firewalls. In case of failure of the link between the ACS and AD or equipment to the ACS, this device would use local username and password.
At the moment, my AD structure is a Microsoft, Cisco ACS servers and Linux Standalone. I wish that both linuxs servers and network equipment were authorized by Cisco ACS on the accounts that are in Microsoft AD.
The configuration of the Cisco ACS to use the AD is done and no problems, the network equipment is OK too, but am having difficulties configuring the server for this solution.
first i make one partiton ten format it add mount point and fire luksopen command and create secert file and enter this in crypttab but when i rebbot it showes scert file not found and partion remain unlocked
View 1 Replies View RelatedIs it possible to encrypt the entire drive and not be prompted for the passphrase?
I have a request for a demo of our application and I am looking to create a virtual for VMware's player but need to make sure that the vmdk file cannot be mounted and files pulled from it to protect us from reverse engineering of the application.
I've got some old drives using pre-LUKS loopback encryption, and I'm having problems mounting them on OpenSUSE 11.3. What I expected to work, based on past experiences with other distributions, is something along the lines of:
mount -t ext3 /dev/sdc11 tmp -o loop=/dev/loop1,encryption=AES256. When I try this I'm asked for the password, but then get the message "ioctl: LOOP_SET_STATUS: Invalid argument". Anyone have a clue what could be going wrong, or how I can best access these drives from OpenSUSE?
I would like to configure my Debian Jessie system in this way.
Two partitions:
1) /boot on /dev/sda1
2) everything else on /dev/sda2
I want to encrypt the second partition with LUKS. And then install over it a LVM volume. Inside the LVM volume i will create the / (root), /var, /opt and /home virtual partitions. In this way, i'll get asked only once for the password to decrypt all partitions. Because if i don't use LVM, then i'll get asked for the password for each encrypted partition.
I can follow and understand almost everything of this HOW-TO for Archlinux: [URL] ....
Only two passages are unclear to me:
1) Configuring mkinitcpio
I don't understand what i should do here in order to complete this. What should i do in Debian to configure "mkinitcpio"? what is the equivalent thing to do here?
I thought that the kernel would automatically recompile itself with all installed modules on the Debian system, once cryptosetup/LUKS or LVM2 get installed.
2) Configuring the boot loader
I don't understand what should i write in /etc/default/grub. Will GRUB automatically load the LUKS and LVM2 modules? Also, I don't think that i could boot the system in this way:
cryptdevice=/dev/sda2:LVM root=/dev/mapper/LVM-????
Actually the "root=" volume is the whole volume to mount as LVM. It isn't the final root partition.
I'm moving over to Linux when the new SSD arrives. SSD gives increased performance, so I thought that I could encrypt everything.
But then I came to think about TRIM, and garbage collection on the drive. Will a LUKS encrypted drive affect the garbage collection system? (TRIM).
I have set up a Linux software RAID5 on three hard drives and want to encrypt it with cryptsetup/LUKS. My tests showed that the encryption leads to a massive performance decrease that I cannot explain. The RAID5 is able to write 187 MB/s [1] without encryption. With encryption on top of it, write speed is down to about 40 MB/s.
The RAID has a chunk size of 512K and a write intent bitmap. I used -c aes-xts-plain -s 512 --align-payload=2048 as the parameters for cryptsetup luksFormat, so the payload should be aligned to 2048 blocks of 512 bytes (i.e., 1MB). cryptsetup luksDump shows a payload offset of 4096. So I think the alignment is correct and fits to the RAID chunk size.
The CPU is not the bottleneck, as it has hardware support for AES (aesni_intel). If I write on another drive (an SSD with LVM) that is also encrypted, I do have a write speed of 150 MB/s. top shows that the CPU usage is indeed very low, only the RAID5 xor takes 14%.
I also tried putting a filesystem (ext4) directly on the unencrypted RAID so see if the layering is problem. The filesystem decreases the performance a little bit as expected, but by far not that much (write speed varying, but > 100 MB/s).
Summary:
Disks + RAID5: good
Disks + RAID5 + ext4: good
Disks + RAID5 + encryption: bad
SSD + encryption + LVM + ext4: good
The read performance is not affected by the encryption, it is 207 MB/s without and 205 MB/s with encryption (also showing that CPU power is not the problem). What can I do to improve the write performance of the encrypted RAID?
[1] All speed measurements were done with several runs of dd if=/dev/zero of=DEV bs=100M count=100 (i.e., writing 10G in blocks of 100M).
Edit: If this helps: I'm using Ubuntu 11.04 64bit with Linux 2.6.38. Edit2: The performance stays approximately the same if I pass a block size of 4KB, 1MB or 10MB to dd.
I wonder if it is possible to have two passwords for one user account in 9.10. I have a long login password (5 words about 45 characters with spaces caps). I would like to set a shorter password for Authentication, sudo, etc. While retaining the original for logging in.In short:Have long password to login to computer.Have short password for everything after login.
View 6 Replies View RelatedI'm trying to install a luks enabled grub for full system encryption. What modules are required by grub to load a normal ubuntu linux system and what is the type to use?
View 2 Replies View RelatedI just recently upgraded from 10.10 to 11.04, but using the classic desktop instead of unity, mainly because unity sucks big time, but that's a different story, anyway, when I used 10.10 I had a key setup for access to my remote SSH server, but now when I try to set up a new key using passwords and encryption, I get:- "Couldn't configure secure shell keys on remote computer", followed by:- '** (process:2532):WARNING **:couldn't open fd 27:Bad file desciptor' 3 lines of this with different process numbers then I got ''** (process:2535):WARNING **:couldn't open fd 27:Bad file descriptor: Permission Denied. Please try again'
I have not changed anything on the remote server at all. I can access SSH using PuTTy sucessfuly, but I want to set up a key using the ubuntu passwords and encryption key program, but since ugrading to 11.04 I can not do that for some reason.
I am just wondering what encryption method the shadow file uses, so that I may be able to manually change it. I ask this because I am trying to make a web page that will allow people to change their linux password via a browser.
View 4 Replies View RelatedI'm looking to find out exactly how to go about changing the encryption method of shadow passwords from MD5 to something a bit stronger, like SHA. I've been looking around for a bit now and haven't found out how to do it. I've gathered that I'll most likely need to change the /etc/pam.d/system-auth file. Right now, there is a line that looks like this:
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok.I'm guessing the md5 should be changed to something else, like sha256. What else? I know I'll need to reset all passwords once the change is made, but I thought there was someplace else that controls how the passwd command encrypts passwords.
i am wanting to put a list of common passwords on a usb stick, but i want the file to be password protected. I also need to be able to access it from more than one computer (all linux, maybe a mac too).
View 5 Replies View RelatedI have a lot of passwords and keys for FTP and SSH connections that I need to keep. When using the "Passwords and Encryption Keys" the Export menu is sensitive/disabled.
I need to back them up, amongst other things, as I'll be re-partitioning my hard drive which will most likely result in a fresh install of Ubuntu.
I use ubuntu 10.04 as my OS. Im in the look for a good and simple application in order to password protect a folder or two on my portable hard drive. I really dont need high levels of encryptions but I wouldnt mind if the usage is not so complicated.
View 5 Replies View RelatedI am trying to decide whether or not to use LUKS with LVM install for NAS Box, mysql, postfix, ddns, bind, NFS, sshd, Appletalk, maybe samba. I have decided to give LVMs a try but not sure how LUKS will affect access to services. LAN includes Standalone headless web server(not on LVM, no LUKS). Aren't permissions,iptables and firewalls sufficient? Not sure how services are supose to interract if everything is encrypted especially root?
So far what I have read recommends vgOS /, swap, /var, /tmp encription and vgdata /home encryption but no one tells how they did it. The 2 servers I'm working on only have small /home for admin stuff and considering making NAS headless, except i read somewhere that some gui would make it easier to manage mysql which brings me to the question if I don't install X on NAS can I ssh in with my desktop using its gui? I am experimenting with minimal server tagfiles. LUKS and LVMs are new to me. Decided to use LVMs to seperate OS from data, different data types and resizing flexibility. I have read some material on LUKS just wonder if its more complicated than my needs require. Certainly i don't want to leave myself open to someone just distroying my setup for kicks.
I have a LVM logical volume, that contains a LUKS encrypted volume, on which is an ext4 filesystem. I shrank the partition to the minimum size. Next step is to luksClose the device, and then to resize the LVM logical volume. I suspect that LUKS has overhead. So if the ext4 filesystem was resized from, say 1TB to 500G, I have the idea that resizing the LVM LV to 500G does not take LUKS overhead into account and this might corrupt data on the end of the FS. So, what's the smart move to take? How do I calculate the safe minimum LV size? Or should I just give the 500G disk a few gigabytes extra to be sure?
View 4 Replies View Relatedif encrypt my root partition with Luksformat on my laptop and the battery suddenly goes out without a proper shutdown, I stand a big chance on corrupting the luks header or key slot?
View 1 Replies View RelatedI am building an active directory and using BIND9 as my DNS. To allow for secure dynamic updates from the domain, I am enabling GSS-TSIG as detailed here and here. Unfortunately, some of the commands and configurations used here seem to be depreciated, at least in the newer versions that I'm using. My issue is one of keytab encryption. I generated a keytab using ktpass.exe on the Windows Server 2008 domain controller. I have tried DES/MD5, AES128/SHA1 and AES256/SHA1, each have been turned down by ktutil on the kerberos server (FreeBSD). Each time, it outputs the following error: ktutil: AES256/SHA1*: encryption type AES256/SHA1* not supported *Respective to encryption used.
I cannot find a list of suitable encryption schemes that ktutil will accept. The FreeBSD handbook details a means of producing a keytab file, but I'm not sure how to configure the Domain Controller to use the keytab.
