Mageia forum

[smizzio77]

Hi i'm an happy new mageai user from 2 months, i have a question:There is a way to encrypt my home folder? (for security reason...).
Now i can't reinstall my notebook because i use it for work.
Thanks to all!

[doktor5000]

Yes it is possible to encrypt your home folder, although it's pretty complex if you don't want to reinstall.
You would essentially need to create another partition of the same size, encrypt it, and then in single-user mode copy everything over to the encrypted partition, then replace your /home partition with the new one in /etc/fstab.

It can supposedly also be done in-place, although that is even more difficult and also more risky.
See e.g. :
https://www.johannes-bauer.com/linux/luksipc/
https://superuser.com/questions/216879/ ... preserving
https://svenfila.wordpress.com/2010/11/ ... ing-linux/

That is, if you have a separate partition for your /home ... ?

[wintpe]

perhaps as an alternative you would like to consider the following

http://www.addonics.com/category/cipherchain.php

there are options for sata /sata 3 and usb harddrives

uses hardware keys , so no password protected cypher stored on the harddrive which is only as strong as the password.

nist certified

regards peter

[doktor5000]

I'm curious, as the standard mode for this seems to be passthrough encryption - what would prevent somebody from picking up the cipherchain box together with the connected harddisk and attaching it to his own box ?

[morgano]

That device seem to just cost money and add power consumption and potential hassle, while letting the system encrypt is very well proven.

@smizzio77, could you tell more what you can and cant do with your laptop?

A full backup of /home, then a full reinstall and copying files back in /home may be the most straightforward and safe.

My favourite is to encrypt "everything", as i then do not need to worry about remnants in swap, or clues to system or my network in /; /etc, /var, /tmp...
I also always apply LVM for reasons you will see below:
LUKS encryption + LVM is easily set up in Mageia installer: choose custom partitioning and set up the following:
(this assumes you need no dual/multi-booting, but you can also have MSWindows partition(s) outside all this, only sharing the EFI partition if used)

Only if you boot using (U)EFI: you need a EFI partition, mounted at /boot/EFI, some 300MB FAT32 is OK
You need a /boot partition, ext4, i use to set it 500MB - enough for a few kernels incl Nvidia driver
Then create the rest of disk as a LVM pv (look for Linux Logical Volume Manager (web search that) on the partition type list), and tick the encryption box, invent a key (and note it down!), let it create volume group vg-mga.

Technically this operation creates a disk partition on which it runs LUKS (web search that), that is then used as the only pv (Physical Volume) in your Volume Group "vg-mga";

After a couple seconds an new tab shows up in diskdrake/installer: the volume group in which you create partitions:
In there create / and /home as ext4, and a swap partition.

- Note, you can in LVM easily using diskdrake later extend the partitions - even on running system - so only make them a bit larger then needed, and save free space so you can later extend what then need be extended. You can (using command line) also make snapshots - that then also will be encrypted.
At boot the system will ask for encryption key for that large physical partition, after that everything works like before, transparently, and "everything" is encrypted.

As you have unencrypted data on the drive now, and the new install only overwrites it with encrypted data when it writes files, it is possible for someone getting access to the drive without the key to scan the drive and find old non-overwritten unencrypted data. The best way to prevent that is to overwrite the whole disk with random data after making your backup, and before creating the new partitions. i.e

Code: Select all

 dd if=/dev/random of=/dev/sdx bs=16k status=progress

I guess you can Alt-F2 to a terminal in the installer before the disk partitioning stage to perform it, but i generally use a prepared USB stick with http://www.system-rescue-cd.org/ which is very good for a lot of system maintenance/change/repair work. There are several ways to delete securely: http://www.system-rescue-cd.org/manual/ ... n_of_Data/

Then there is also the possible occasion the drive (mechanical or SSD) have suffered some soft block sector and transparently substituted its adress with another physical block, so some old unencrypted data with slight error is hidden by the drive unless you go in low level however that is done... etc... The disk/SDD vendor may have tools available for full erase.

[wintpe]

Morgano, i guess your ranting again, and im taking that as a criticism of my post to try to help pass on my experience to others.

they can choose to ignore it or not, but they can work that out for themselves.

everything costs money and software encryption is only as strong as the password.

https://github.com/kholia/lukscrackplus/blob/master/FAQ

as for your comment about power this is a tiny very low power device.

as the entire encryption is on the device, a partially corrupt disk , is just that a partially corrupt disk

and as recoverable as a partially corrupt disk

Corrupt the key area on LUKS and your stuffed.

do you have one, have you ever tried it. I have 6 in total , and have used them for a number of years.

as for hassle, its a hardware device , it could not be simpler, you rubbish it and my suggestion without a clue of weather its a good product.



Doktor your question.

with respect to the usb, device you add your key to the usb device and that is the encryption.

if someone bought another they would need your key.

with the sata device it has a small micro usb dongle no bigger than the connector for an iphone/android phone end

that contains the key, with out that the box canot decrypt your data.

as long as the keys are safe so is your data.

with a key not used to encrypt the HD is like the harddrive was not partitioned and is just new.

there is no trace of encrypted data because its the key that usually gives it away.

so could just as easily be a cat of /dev/random.

it can also encrypt your os drive without needing a password to decrypt it, just the presence of the key at power on.

you can remove the key once its up.#

the encryption is done at the sata level or the USB level, not at the filesystem or device level.

the point being you can carry the keys conveniently with you while you are away from your device, and its totally safe.

it also relieves the cpu on the host of the job of encryption, to some thats a big overhead

regards peter

[doktor5000]

Doktor your question.

with respect to the usb, device you add your key to the usb device and that is the encryption.

Dumb question, key as in physical key like a door key, or like some kind of smartcard, or more like a private/public key or something like that? I didn't really get that from glancing over their descriptions ...

[wintpe]

with the usb device, because its small and can be easily carried with you , you code it initially with a password using a utility.
that translates that password to a long cryto string inside the device that it uses to encode/decode the data.

the usb device has two modes, it can work at file system level, and raw level you choose when you set it up.

as for the sata devices the long crypto string is in the usb/firewire plug like key you get two keys with each device.

one for backup and you can now with the latest one and some software reprogram the key.

however if you loose your key you are stuffed, which is kind of good in a way

as far as the company states, there is no recovery for lost keys , no backdoor .

regards peter

[morgano]

Sorry, i did not want to rant, just give a rather thorough instruction how to set it up encryption in Mageia easily, no fiddling with hardware.
- The physical cryptokludge it is out of question for the op as it is a netbook...

If you want key on USB you can configure LUKS/cryptsetup for that too although Mageia have no GUI tool for that.
I have found the encryption use very little CPU here, i believe usually there is at least one a core with no or low priority work that can work.

For security level there are lot to be said for and against both solutions i think, but this hardware device add a new vector: if you grab the device with power on, just keep it powered, and you can pull it and the disk from the computer, or just connect its port to another computer and read out the whole disk decrypted...

[wintpe]

re new vector

yes that possible, but with the usb dongle version the idea is you only use it while its in your control.

same with lukscrypt once the password is entered , only the screensaver lock protects your data.

whose been watching you type that password in........... mini camera mounted on ceiling, security cameras, we have them all over our ceiling at work.

if someone steals your harddisk, and they dont have your dongle they cant decrypt it, not even with brute force.

with the sata one and the sata one for "laptops which replaces the dvd drive" its screwed in , and you only need the key in at power up.

if the laptop is powered down or the reset switch on the device is pressed the device is locked.

also its very impractical to brute force the enova xwall-MX chip.

http://www.enovatech.com/index.php/products/x-wall-mx/

it also achieves an encryption rate of 472 meg a second, how much would that impact your CPU.

it has a small power on/reset delay, self test and the password is longer than your average user password so a reset new key check for valid data
would take far longer that lukscrack

yes they are both valid ways to achieve the same.

regards peter

[wintpe]

heres another approach especially for laptops

https://www.esecurityplanet.com/network ... 939016.htm

https://www.phoronix.com/scan.php?page= ... rypting-V3

maybe you have one of these drives already, check samsung evo 840 for example

[morgano]

Yes to be really safe the computer should be powered off.
And yes a USB key may be safer than keyboard entry, depending on circumstances.
Then there is always the risk of data access over network...

---

Yes the drives with built-in encryption may be a solution.
I have not checked it out although i do have an evo850 in one of my lappys.
If i understands it correctly, it always encrypt the content, you just set the lock.
http://www.tomshardware.co.uk/answers/i ... 0-ssd.html
https://security.stackexchange.com/ques ... nst-thiefs

Maybe this suits the OP *If* it happens the OPs notebook BIOS can handle password to an encrypted drive, and if it physically can take a drive with encryption.

For converting an existing system from nonencrypted drive, if i understand things correctly:
remove the old drive
plug in the new drive of same size (or larger)
get into bios setting and arrange HDD password
boot on a bootable linux USB stick
and then dd the content from the old drive to the new one
if new drive is larger, possibly expand partitions or other methods to utilise it - with all normal caveats.

[morgano]

I also found this old thread mentioning some alternatives: viewtopic.php?f=5&t=8938
Could be a solution for the OP if he only need to hide away some files and cant reinstall.

We have veracrypt and EncFS packaged.

https://en.wikipedia.org/wiki/EncFS EncFS transparently encrypts files, using an arbitrary directory as storage for the encrypted files. I have not tried it, but search forum to find someone who have.

Veracrypt can do lots of things: https://www.veracrypt.fr/en/Home.html

----
I just did a quick test of veracrypt as newbie:
The easiest configuration is let it make a regular file, which then is mounted as a filesystem. Options for keying in password, or using key file.
While configuring it we can select different encryption and test crypto speed here it reported 5GB/s read and write on a i7 8 core 4GHz for AES 512 bit. This CPU have hardware acceleration for AES.

When the file is mounted it shows up as "disk" in dolphin left panel "places". Just to click and use it You need to mount it every login.

It need root privilegies to mount the "disk". Having sudo installed veracrypt can be launched using "sudo veracrypt", and even "sudo veracrypt /path/to/file" and it asks for user passwird, crypto password, and mounts it.
It works to launch it as user if you have sudo installed *and* edit its configuration to not require sudo to be launched from terminal; veracrypt then ask for users password when needed: in /etc/sudoers prepend the line

Code: Select all

Defaults    requiretty

with a #.
(that may be seen as a lower system security though)

[smizzio77]

@Morgano i use my laptop for work at now it's impossible for me to backup all and reinstall.
If i create a new user on my laptop i can encrypt the home of this user?

[morgano]

Not trivially, but check the links about EncFS and Veracrypt. One thing to think about is when during the boot process you should enter the key, and by keyboard, or by attaching an USB stick. I have never tried any of it for this.

An option worth trying may be encrypting in place per links in first reply of doktor5000. Check if fstab or anything else may need some manual edit.

Whatever you try, it is a good idea to make a full disk image before trying any method.

I do not know your skill level, but in your situation *i* would remove and make a new encrypted /home.
Using a USB booted system like http://www.system-rescue-cd.org/ i would backup /home/yourusername to another disk, overwrite /home with random data so old content is not obtainable, and then delete that partition.

Right now you also have the possibility change sizes of partitions if you feel they could be better adapted.

Then using Mageia installer reuse all remaining partitions, (and not format any of them!), create a new encrypted partition for home (note down the password you give it!), create a special user just for the following and maybe further service use;

Then when rebooted and logged in as that new user, check if your old user login still exist in user administration (i think so, but if not create again your old user same username and number, same groups etc). Then when still NOT logged in as the old user copy back /home/yourusername/

Log out your service user and log in as your old user. Everything should look the same - only difference is you are asked for pass key during boot.

Remember to when backing up and restoring, using a method that preserves files ownership, rights, time, etc. Such as "cp- a". But even better you can instead make an *encrypted* and compressed backup using fsarchive, and a good idea is to use the same password.

Remember that even when /home is encrypted, some user content are visible in swap, /temp, /var, and in rest of / they can see what programs are installed. Which is why I routinely set systems up to simply encrypt everything.

But regardless of disk encryption, naturally someone can look over your shoulder, or attack through web browser, or...

[smizzio77]

@morgano
The best way it's to make a full backup and encrypt full disk.
Thansk to your help!