Ubuntu Security :: Encryption, Luks, "auto"-mount, But Ask For Password?
Feb 14, 2010
I know how to mount it manually. I've seen a howto on how to mount it automatically by logging in with the user, you type your username and password and it mounts your encrypted partition. But that's not what I want. My idea is to call cryptsetup and mount on boot, AND ask me for passphrase like when it's loading the system, then if I don't type the right password it shouldn't mount /home, even though I type the correct USER password later when the system is loaded (and then I'd have an empty /home since my home partition wasn't mounted due to wrong passphrase).
This is what I tried: I added the commands to rc.local and I don't even feel like it was executed, no passphrase was asked. As a test if commands there were being executed, I tried simple commands like mkdir /test and it worked. So commands there are executed, yet, no passphrase was asked to me, I looked on dmesg for crypt and found nothing, I pressed alt+ctrl+F1 desiring to find a passphrase-ask and again, nothing.
When 10.04 is released I'll encrypt my /home partition using luks. I've read that xts is good for hard drive encryption and aes is good for cipher encryption. I'm looking for something that is fairly secure without sacrificing a lot of speed.
1.) I am wondering how to enable the lock to an encrypted partition which has been unlocked, using luks? On boot, I am asked automatically for the pass phrase to unlock my partitions. After doing a back up, I want to lock the encrypted partition again, but I don't know the command?! I unmounted the partition but after mounting it again, I was not asked for the pass phrase but had access to my data.
2.) How secure is the default fedora version of luks? Is truecrypt better?
I'm planning a fresh F13 install, with separate partitions for /boot, /home, /tmp, /, and swap. All but /boot will be logical volumes, and I'd like to encrypt all but boot. If I encrypt the underlying partitions, is there any reason to also encrypt the logical volumes themselves?
My system will be: HP dv6-3040us Pavilion laptop, AMD Phenom II, 4GB DDR3.
I'd like to know if there's a simple way to create a LUKS encryption drive with different passwords? A real one that leads to one set of data, and another that leads to a whole different set of data. Is this even possible with LUKS?
I'm having a problem auto-mounting a new luks partition. I have crypttab and fstab entries. I already have my primary encrypted partition (root) mounting at boot (from the install), but after creating this one manually, it does not open on boot. It auto-mounts when I run the following command manually after boot: sudo luksOpen /dev/disk/by-uuid/<uuid> mycrypt
I know this has probably been asked too many times here but I need to secure my emails. Personal matters of course. But yeah. I use the program "Password and Encryption Keys" to generate a key to sign my emails with but I do not know what to do. To be blunt, I'm stupid when it comes to this. IF not, steps in creating a key? and giving it (my public key) to the significant other? Finding where both keys are? Implementing it into Thunderbird? If it helps any here's some extra information: Ubuntu distro: Ubuntu 10.04 Email client: Thunderbird
I have a perfectly OK 2.5 inch disk drive from a dead laptop (graphics card failed).
The hard drive is fine. I know the passphrase.
I had installed Ubuntu 10.04 with full disk encryption using dm-crypt/luks using the alternate install cd.
I'm not exactly sure of the configuration I selected. Just that it's full disk encryption with a pre-boot passphrase prompt.
Now my issue is, I have put the drive into a USB drive docking station, and I simply want to mount the partition on my new laptop, so I can copy the files over.
I've tried googling for various things like "mount dm-crypt drive linux" and "how to mount a luks encrypted partition linux", but I get no results.
I've encrypted my root partition with LUKS and cannot remember my password. My main question is this: is it possible to extract the hash (or key; not sure on the correct terminology here) from the LUKS header and run it through a cracker? The hash type is SHA1 and I can remember the characters I used for the password, just not in the correct order (lots of special characters). That being said, given such a small charset, it should be crackable within a reasonable time, correct? Especially if I used a GPU accelerated cracker. What I don't know how to do is go about getting the hash from the LUKS header. Is any of this possible, or am I SOL? Of course, I have physical access to the system so I can boot it into any utilities I may need to.
When I upgraded from FC11 to FC12 of the encrypted raid partitions started to request password on boot (in FC11 not having references to encrypted md1 in fstab and crypttab, was enough for FC11 not to ask for passwords on boot) despite the fact that I removed /etc/crypttab and there is nothing in /etc/fstab relating to encrypted md1 (raid array). I want my machine to boot w/o asking me passwords for encrypted devices, and I will open and mount them myself manually after boot.
When I installed Fedora I selected the option to encrypt the hard drive. I want to change the passphrase, is there a way to change the passphrase, or do I have to re-install Fedora?
I am fiddling around using an AES encrypted password which is stored in passwd.txt: cat ../passwd/passwd.txt {AES}yTMWTrdbuPtCxikvv5udVDTQ70anBVVKvP+GPQEH1RY= Yet I like to interpret this password on the command line using svn checkout, so I do not have to type in my password (which is visible on the command line): Exporting the variable SVNPASS reading it from the passwd.txt (export SVNPASS=`cat <../passwd/passwd.txt`) won't work obviously as it interprets it as "text", so my question is, if there is a proper way to interpret this stored AES password so I can read it from the file? The alternative is to type in the password on the command line, but this needs to be invisible either showing #, * or "hidden". The last option is described: http://www.tech-recipes.com/rx/278/h...-shell-script/
I have two cryptsetup volumes with the same password that I want to open in a bash script, and I want to avoid writing the passphrase twice. I was thinking of using read -s. Are there any security problems with this? The other alternative would be to have a password file on a small partition encrypted with a passphrase. Then only give the passphrase and let the script open up all encrypted volumes using the password file. However this seems overly complicated. But is it more secure?
When installing the latest Distro of Mint (I believe this is not much different, if at all, from Ubuntu as far as this goes) I chose to have my Home folder encrypted using the login password. This was a function of the installation. What I was wondering about was how secure this was and if I should maybe use something to do a better encryption or not.
First I make one partition, then format it, add a mount point and fire the luksOpen command and create a secret file and enter this in crypttab, but when I reboot it shows secret file not found and the partition remains unlocked.
I've got some old drives using pre-LUKS loopback encryption, and I'm having problems mounting them on OpenSUSE 11.3. What I expected to work, based on past experiences with other distributions, is something along the lines of:
mount -t ext3 /dev/sdc11 tmp -o loop=/dev/loop1,encryption=AES256. When I try this I'm asked for the password, but then get the message "ioctl: LOOP_SET_STATUS: Invalid argument". Anyone have a clue what could be going wrong, or how I can best access these drives from OpenSUSE?
I recently installed Ubuntu on an old Dell. I have the OS installed on an 80GB HD and I have a 500GB drive in the computer as a storage drive. I can see the drive and read and write to it just fine. But before I can I have to mount it and provide my password. Is there a way to set it so that it's already mounted and ready when I start up the computer? The drive is formatted to FAT32. I'm using Ubuntu 9.10.
I would like to configure my Debian Jessie system in this way.
Two partitions:
1) /boot on /dev/sda1
2) everything else on /dev/sda2
I want to encrypt the second partition with LUKS. And then install over it a LVM volume. Inside the LVM volume I will create the / (root), /var, /opt and /home virtual partitions. In this way, I'll get asked only once for the password to decrypt all partitions. Because if I don't use LVM, then I'll get asked for the password for each encrypted partition.
I can follow and understand almost everything of this HOW-TO for Archlinux: [URL] ....
Only two passages are unclear to me:
1) Configuring mkinitcpio
I don't understand what I should do here in order to complete this. What should I do in Debian to configure "mkinitcpio"? What is the equivalent thing to do here?
I thought that the kernel would automatically recompile itself with all installed modules on the Debian system, once cryptsetup/LUKS or LVM2 get installed.
2) Configuring the boot loader
I don't understand what I should write in /etc/default/grub. Will GRUB automatically load the LUKS and LVM2 modules? Also, I don't think that I could boot the system in this way:
I have set up a Linux software RAID5 on three hard drives and want to encrypt it with cryptsetup/LUKS. My tests showed that the encryption leads to a massive performance decrease that I cannot explain. The RAID5 is able to write 187 MB/s [1] without encryption. With encryption on top of it, write speed is down to about 40 MB/s.
The RAID has a chunk size of 512K and a write intent bitmap. I used -c aes-xts-plain -s 512 --align-payload=2048 as the parameters for cryptsetup luksFormat, so the payload should be aligned to 2048 blocks of 512 bytes (i.e., 1MB). cryptsetup luksDump shows a payload offset of 4096. So I think the alignment is correct and fits to the RAID chunk size.
The CPU is not the bottleneck, as it has hardware support for AES (aesni_intel). If I write on another drive (an SSD with LVM) that is also encrypted, I do have a write speed of 150 MB/s. top shows that the CPU usage is indeed very low, only the RAID5 xor takes 14%.
I also tried putting a filesystem (ext4) directly on the unencrypted RAID to see if the layering is the problem. The filesystem decreases the performance a little bit as expected, but by far not that much (write speed varying, but > 100 MB/s).
Summary:
Disks + RAID5: good
Disks + RAID5 + ext4: good
Disks + RAID5 + encryption: bad
SSD + encryption + LVM + ext4: good
The read performance is not affected by the encryption, it is 207 MB/s without and 205 MB/s with encryption (also showing that CPU power is not the problem). What can I do to improve the write performance of the encrypted RAID?
[1] All speed measurements were done with several runs of dd if=/dev/zero of=DEV bs=100M count=100 (i.e., writing 10G in blocks of 100M).
Edit: If this helps: I'm using Ubuntu 11.04 64bit with Linux 2.6.38. Edit2: The performance stays approximately the same if I pass a block size of 4KB, 1MB or 10MB to dd.
I decided to stop using my password to enter Ubuntu (recently installed) and switch to automatic start up. Hit the relevant key, then restart. Received three notices, closed two, entered pass to get encryption code at third, then nothing but a blank, Ubuntu-colour screen. Unable to open Ubuntu. How the heck do I get myself out of this trap?
I'm trying to install a luks enabled grub for full system encryption. What modules are required by grub to load a normal ubuntu linux system and what is the type to use?
I have a 2nd hard drive that I have encrypted using true crypt. Is it possible to set this up with key files (or some other way) to auto mount when linux boots. I need it in true crypt because there are some work programs I dual boot to use in windows, and need to have access to the drive in XP from time to time, and true crypt can mount there as well. But 90+% of my time is in linux and I would like to have it auto mount through fstab (or whatever way it needs to be). My entire linux setup has been set up with encryption through dm crypt and LUKS (except for /boot). So I would think having a key file stored on the computer and an auto mount fstab would be just as secure as however secure my LUKS setup is. So any way to auto mount a true crypt 2nd drive volume?
I have a triple boot of Windows XP, 7 and Ubuntu 10.10 Netbook Remix. Is it possible to require a password to mount the Windows drives? There is no log on password on the Ubuntu but I don't want people to access the other drives unless they have my password.
I found a way some time ago to mount a truecrypt volume when opening the session by insertion of the login password in the mounting script instead of putting it in clear in the script. I don't remember the command to read/transfer the password.
I have recently installed CentOS 5.4. I went ahead and enabled encryption for the root partition. Everything was fine for the first few days, but today it started refusing my password on boot. The weird thing is after refusing the password several times it accepted it once, then when I rebooted to test refused the password it had accepted moments earlier. I guessed the password file got corrupt or something so I did a clean install. During the install it asked for the password to access the partition and accepted (!) the password. I went ahead and deleted the old partition and reinstalled from scratch just to be sure. And I made extra certain I put in the correct password with no fumble fingers. Sure enough the blasted thing refuses the password I just created during boot. However, if I input the password into the setup it accepts it. What the hell is going on here?