[ale] Filesystem encryption

Michael H. Warfield mhw at WittsEnd.com
Wed Oct 13 23:07:45 EDT 2010


On Wed, 2010-10-13 at 16:32 -0400, Jim Butler wrote: 
> Hi Linux People!
> I have a question and am looking for some experienced suggestions.
> I saw a server recently that had filesystem encryption applied to the 
> entire root filesystem volume.
> Although I am not sure, I do believe that the encryption scheme probably 
> was not loopback (cryptoloop) because the server did not have a key 
> stored on an external device. My understanding of loopback encryption is 
> that the kernel and initrd have to be stored on at least some kind of 
> un-encrypted media in order to boot to at least a small level sufficient 
> to ask for the pass-key to decrypt/mount the filesystem.
> If the encryption scheme wasn't loopback encryption, what could it have 
> been? What ways are popular right now for encrypting an entire root 
> filesystem without using a thumbdrive or other external storage??
> If someone can help me identify what this was, maybe I can read up on it 
> and implement it on one of my own servers.

If it's a Linux system, it's a very high probability that it's LUKS
(Linux Unified Key System).  A number of distros, including Fedora and
Redhat, support LUKS encryption at install time.  Installing a system
and then converting it to an encrypted file system (of ANY TYPE) is a
monumental PITA that I would find it hard to believe that you've run
into it by chance.  Both crypto-loop and aes-loop suffer from this and
from numerous other problems and were not incorporated into the
mainstream sources.  LUKS (based on dm-mapper) was, a LONG time ago.

My boot systems required only an unencrypted boot partition (either on
the drive or on a USB image drive).  If it's prompting you for a
passphrase, I can guarantee it's LUKS.  None of the distros recognize
any of the other crypto systems and flat out wouldn't know what to do
with them.  Mount a LUKS volume and it will recognize it as LUKS (what
ever the underlying file system) and prompt you for a passphrase.
That's the watch word.  If it recognizes it, it's LUKS.  If it
doesn't...  Well.  You pays your nickel and you takes your chance.

> Thanks in advance,
> Jim Butler
> Linux Network Administrator.
> 

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
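The reply's rule of thumb is that a LUKS volume announces itself: the tools recognize the on-disk header and prompt for a passphrase. The following added example (mine, not code from the list post or from the cryptsetup project) shows what that recognition actually looks at, by parsing the fixed LUKS1 header layout (magic, version, cipher, mode, hash, payload offset, key size, UUID, key-slot markers) and detecting the LUKS2 magic/version. The sample header it builds is constructed for illustration; its cipher, UUID and offsets are not from any real disk.

```python
"""Identify a LUKS container from its on-disk header.

Added example, not from the mailing-list post. Parses the LUKS1 header
layout (592-byte big-endian phdr) and recognises the LUKS2 magic/version.
The sample header built below is constructed, not read from a real device.
"""
import struct
import sys
from typing import Optional

LUKS_MAGIC = b"LUKS\xba\xbe"      # primary header magic shared by LUKS1 and LUKS2
LUKS1_HEADER_LEN = 592            # fixed size of the LUKS1 phdr
KEY_SLOTS = 8
LUKS_KEY_ENABLED = 0x00AC71F3     # key slot marker: slot holds a wrapped master key
LUKS_KEY_DISABLED = 0x0000DEAD    # key slot marker: slot unused

# LUKS1 phdr: magic, version, cipher-name, cipher-mode, hash-spec, payload-offset
# (sectors), key-bytes, mk-digest, mk-digest-salt, mk-digest-iter, uuid.
_PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")   # 208 bytes
# Each key slot: active, iterations, salt, key-material offset (sectors), stripes.
_SLOT = struct.Struct(">II32sII")                     # 48 bytes x 8 slots = 384


def _cstr(field: bytes) -> str:
    """Decode a NUL-padded ASCII field."""
    return field.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def is_luks(data: bytes) -> bool:
    """True if the buffer starts with the LUKS primary-header magic."""
    return data[:6] == LUKS_MAGIC


def luks_version(data: bytes) -> Optional[int]:
    """Header version (1 or 2), or None if this is not a LUKS header."""
    if not is_luks(data) or len(data) < 8:
        return None
    return struct.unpack(">H", data[6:8])[0]


def parse_luks1_header(data: bytes) -> dict:
    """Return the security-relevant fields of a LUKS1 header as a dict."""
    if len(data) < LUKS1_HEADER_LEN:
        raise ValueError("need at least 592 bytes for a LUKS1 header")
    if luks_version(data) != 1:
        raise ValueError("not a LUKS1 header")
    (_magic, version, cipher, mode, hashspec, payload_off, key_bytes,
     _mk_digest, _mk_salt, mk_iters, uuid_field) = _PHDR.unpack(data[:_PHDR.size])
    active = []
    for i in range(KEY_SLOTS):
        off = _PHDR.size + i * _SLOT.size
        marker, _iters, _salt, _km_off, _stripes = _SLOT.unpack(data[off:off + _SLOT.size])
        if marker == LUKS_KEY_ENABLED:
            active.append(i)
    return {
        "version": version,
        "cipher": _cstr(cipher), "mode": _cstr(mode), "hash": _cstr(hashspec),
        "payload_offset_sectors": payload_off,
        "key_bits": key_bytes * 8,
        "mk_digest_iterations": mk_iters,
        "uuid": _cstr(uuid_field),
        "active_slots": active,
    }


def build_sample_luks1_header() -> bytes:
    """Constructed sample: one active key slot, illustrative values only."""
    fixed = _PHDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha1",
                       4096, 32, b"\x00" * 20, b"\x11" * 32, 10000,
                       b"12345678-1234-5678-1234-567812345678")
    slots = b""
    for i in range(KEY_SLOTS):
        marker = LUKS_KEY_ENABLED if i == 0 else LUKS_KEY_DISABLED
        slots += _SLOT.pack(marker, 50000 if i == 0 else 0, b"\x22" * 32, 8 + i * 512, 4000)
    return fixed + slots


def describe(data: bytes) -> str:
    """One-line verdict: 'if it recognizes it, it's LUKS'."""
    v = luks_version(data)
    if v is None:
        return "not LUKS (no header magic)"
    if v == 1:
        h = parse_luks1_header(data)
        return (f"LUKS1 {h['cipher']}-{h['mode']} {h['key_bits']}-bit, hash {h['hash']}, "
                f"payload at sector {h['payload_offset_sectors']}, "
                f"active key slots {h['active_slots']}, uuid {h['uuid']}")
    return f"LUKS{v} (JSON metadata header; inspect with cryptsetup luksDump)"


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # e.g. a header dumped with dd
        with open(sys.argv[1], "rb") as f:
            print(describe(f.read(LUKS1_HEADER_LEN)))
    else:
        print(describe(build_sample_luks1_header()))
        print(describe(b"\x00" * 512))
```

On a live system the same check is `cryptsetup isLuks <device>` (exit status 0 when the header is recognized) or `cryptsetup luksDump <device>` for the full field listing; the parser above is only there to show which bytes those tools key on, which is why an unencrypted /boot plus a LUKS root shows up exactly as the reply describes.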

