# Is there any viable encrypted filesystem? (tried a few)

## afabbro

I really need an encrypted filesystem so I can store my external drive off-site for backup/DR (it's connected via USB2).  I have tried:

(*) cryptoloop/cryptoAPI.  Total sludge.  Locks up my 2.6.3 kernel constantly, often with no output, often in the middle of mkfs.  Of course, it's barely documented, but I'm following the kerneli.org docs as best as I can.  I'm pretty sure I'm doing things right and it works in "toy" setups (10M), but try it with a 120GB filesystem and bork bork bork.  It also bothers me that the kerneli guys don't care much about continuity, as 2.4.x-era filesystems are not compatible with 2.6.x, so I assume someday when we get to 2.8.x I'll have to go through some hellish conversion.

(Forgot to mention: losetup only prompts you ONCE for a password!  What the hell is that?  I'm typing in a long passphrase and losetup doesn't ask me to type it again!?  Suppose I typo it and then work with it for a week...when I try to remount it, I don't know the password and I'm out of luck.  Bad programming...)

(*) BestCrypt.  Nice package, well-documented.  Unfortunately, raw block devices are hopelessly borked.  I constantly get strange dmesg errors about "bogus i_modes" and such when it's under load and it has repeatedly broken the filesystem in my experiments.  I guess I'll try setting up a big container next...blech.

(*) Haven't tried loop-AES yet.  Replacing my loop device makes me nervous (who knows, I might need it for something else someday).

This seems to be one area where Linux really is behind the ball compared to other OSes.  *BSD (at least OpenBSD) has excellent encrypted filesystems.  Even Windows has this  :Sad: 

----------

## afabbro

Ah, well, loop-aes didn't pan out...have to manually patch util-linux and I'd rather not do that unless it's the only option.  The util-linux in the portage tree doesn't understand loop-aes.  So be it.

Guess I'm left with the one remaining option: BestCrypt, using a big container (instead of a block device).  And in another 5 hours, when it's done setting up a 100Gb container, I'll see how that works...

----------

## grimshaw

Please post your results.  I am interested in how you fare.

I rebuilt my home Samba box last November and I did some looking for encrypted filesystems.  I wanted to encrypt both swap and my data partitions (the Patriot Act and other anti-privacy legislation scares me).

I read about a number of projects, but there was very little development on most of them and they were not being maintained.  I wound up tabling the idea for a rainy day, but I am interested in reading about your findings.

Cheers.

- John

----------

## lord

There are already a few good posts on full encrypted systems (swap, boot, etc etc)...

Read this article for instance =)

----------

## dogshu

Looks like dm-crypt is going to be the future of encrypted filesystems in Linux 2.6:

http://kerneltrap.org/node/view/2433

It's also very easy to set up too, if you're using the -mm sources.

----------

## afabbro

OK, I'm going off to look at dm-crypt.  Is that the same stuff that's in 2.6.4?  rc1 is out and there's lots of mentions of dmcrypt in the changelog.

BestCrypt with a big container failed - locked up the system while I was mkfsing.

I don't need/want an encrypted root.  99.9% of it is system binaries that are publicly available.  Anything unique to the system is either (a) off on separate storage (/home is linked off, as is /var/www, /usr/local, etc.), or (b) in /etc...login passwords and config files are sensitive from a break-in-over-the-net point of view, but not in a "someone stole your box and you need to keep it secret" scenario.

I can see encrypted swap but haven't got that far yet.

I just want crypto for backups to a removable disk I can take off-site.  Seems like a simple, reasonable need...I'm guessing it's the size of data (120Gb) I'm using but hey, that's what I need  :Wink: 

----------

## afabbro

I finally got something going...you can read my conclusions here:

https://forums.gentoo.org/viewtopic.php?p=912788#912788

----------

