Encryption:Filesystems

From Linux 101, The beginner's guide to all things Linux.

(Redirected from Encryption - Filesystems)
Jump to: navigation, search


It is possible to encrypt data at the filesystem level by using the Linux kernel loopback driver and CryptoAPI. Encryption can additionally be used to provide added security for "scratch" space, such as /tmp or the swap filesystem.

There are various methods for maintaining keys for swap filesystems. One can use a basic password, or use a "keyfile" that contains a large amount of randomly generated data kept on removeable media, such as a USB memory stick. It is generally a good idea to use a hashing algorithm (MD5, SHA, RIPEMD160, etc) on the traditional short "passphrase" type keys in order to more efficiently use the keyspace of the crypto algorithm. (For example, what is the point in using 256-bit AES when your password is only 8 characters? By using RIPEMD160, for example, you'll end up with a key that's 5 times as long. How hashes work is beyond the scope of this node.)

Encrypted filesystems can also be used to protect your "scratch" space by preventing later recovery. It is possible to use a randomly generated password at every boot cycle to generate a new swap filesystem. This has the effect of preventing the recovery of the swap filesystem's contents from previous sessions. (Indeed, as soon as the power is interrupted, the swap filesystem's data will now be hopelessly mangled). The use of randomly generated keys here is more of a convenience issue than a security one, as it eliminates the need to provide a specific key for the swap filesystem -- you could always keep using the same one, but that's a lot of hassle. This same system can be used to generate a new /tmp filesystem for each boot, which will further prevent the recovery of "temporary" data.

There are now methods for dealing with per-user encrypted filesystems that can be mounted by each user on demand. The Gentoo developers have some docs on this. This author has been too lazy to set up such a system.

See also:

  • EncFS project: EncFS makes it simple to setup encrypted filesystems on demand. The software provides simple prompts for information, and has been translated to nearly two dozen languages.
  • OpenBSD: the OpenBSD project has full filesystem encryption support. There is a wonderful guide here

This article is a stub. You can help Linux 101 by expanding it.

Retrieved from "http://learn.clemsonlinux.org/wiki/Encryption:Filesystems"
Personal tools