Preserving privacy by encrypting block devices

Rules of Thumb

The risk of forgetting a passphrase can lead to really bad habits, such as using very simple passphrases or writing them down. With this in mind, I have a couple of rules of thumb.

  1. If you need to encrypt a file or just a few files, use something like 7-Zip, which compresses the files and encrypts the archive as well. The simplicity of this method not only empowers the user to make the decision about what to encrypt but also puts the responsibility for encryption and decryption, and for remembering the passphrase, on the user.
  2. If you need to encrypt directory trees (e.g., if someone is working on a project or data storage is structured), then you have a couple of options. The first, EncFS [9], allows the user to control what they want to encrypt and where it should be mounted. Again, this puts the management of passphrases and encryption in the hands of the user, with all the benefits and disadvantages. The second option, eCryptfs [10], can encrypt a directory structure, but that is under the control of the administrator. Creating an encrypted directory for each user to use to encrypt their data is fairly easy. Although the user has the responsibility of copying the data to this folder to encrypt it, remembering the passphrase again falls to the administrator.

If the situation is such that all, or virtually all, data needs to be encrypted, then using a block device encryption tool such as DMCrypt or TrueCrypt works very well. Alternatively, you could use an SED, but the effects on users and administrators are almost the same for either approach. With software encryption such as DMCrypt or TrueCrypt, you might need an extra command, or a different command, to mount and unmount the block device. With SEDs, the administrator just has to remember the passphrase when the disk is accessed (usually before the system boots). After that, all the admin commands are the same.

I wish you good luck in your encryption mission; if you choose to accept it, I have one last word of advice: hAS(*ja[p18a8@asj.

The Author

Jeff Layton has been in the HPC business for almost 25 years (starting when he was 4 years old). He can be found lounging around at a nearby Frys enjoying the coffee and waiting for sales.
