# [SOLVED] Encrypting filesystem - what and how?

## BeteNoire

Better late than never - I've decided to encrypt some partitions on my systems.

The question is - what filesystem and what encrypting utility should I use?

I need to encrypt a 150 GiB multimedia partition with my private data, which 95% of the time is only read. What filesystem should I use? Until now it has been an xfs-formatted partition, as some benchmark told me it is the most stable and efficient for large partitions with big files - from a few MiB to a few GiB. Now I'm in doubt whether xfs will work correctly when encrypted.

I want to encrypt the /home partitions too, which are all reiserfs-formatted. These are mostly small partitions of a few GiB, used to store configs, emails, docs and some other private data in tiny files.

And the basic thing - what encrypting utility should I use? Which one is the most stable and efficient? I am not a tester, so I need a trusty solution.

----------

## d2_racing

I will double check this thread for sure, because I have no idea on how to do that  :Razz: 

----------

## Rexilion

 *d2_racing wrote:*   

> I will double check this thread for sure, because I have no idea on how to do that 

 

???

 *BeteNoire wrote:*   

> Better late than never - I've decided to encrypt some partitions on my systems.
> 
> The question is - what filesystem and what encrypting utility should I use?
> 
> I need to encrypt a 150 GiB multimedia partition with my private data, which 95% of the time is only read. What filesystem should I use? Until now it has been an xfs-formatted partition, as some benchmark told me it is the most stable and efficient for large partitions with big files - from a few MiB to a few GiB. Now I'm in doubt whether xfs will work correctly when encrypted.
> ...

 

I use luks for encryption, why?

- Allows you to use your own filesystem (ext{2,3,4}, xfs etc etc) (seems like an important feature to you)

- Not distro specific (i.e. Ubuntu encrypts home directories with ecryptfs, I have no idea on how to move that to gentoo). Luks however works in every distro without having to remember all sorts of parameters and comparing versions (the format is stable/universal).

- All parameters required for decrypting the partition are stored in the partition header (no need for you to specify any, unlike ecryptfs)

- It's stable

----------

## zyko

Definitely dm_crypt with LUKS. The front end utility you need is sys-fs/cryptsetup. Google for some tutorials, there are a lot.

----------

## pdr

Already supported by baselayout. Check out /etc/conf.d/dmcrypt

For example I encrypt my home directory. File contains:

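```
# /etc/conf.d/dmcrypt
# target: name of the mapping, created as /dev/mapper/home
target=home
# source: the LUKS-formatted partition to open
source=/dev/sda5
```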

When booting, while you are getting the green "OK" at the right, it will stop and prompt for the luks passphrase - then do a luksOpen to create (in my case) /dev/mapper/home and then mount that to /home. I think you can use a key on a thumb drive or something, but I use a passphrase. You can also uncomment a line in there to encrypt your swap (to, for example, make sure a copy of your passphrase doesn't end up in there unencrypted).

Last edited by pdr on Mon Feb 08, 2010 4:16 pm; edited 1 time in total

----------

## NathanZachary

Is TrueCrypt not recommended much anymore?

----------

## d2_racing

Yeah, I don't see it much nowadays.

----------

## pigeon768

 *BeteNoire wrote:*   

> The question is - what filesystem and what encrypting utility should I use?

  I use ext4 on top of dm-crypt+luks (I use cryptsetup as a frontend) and it works great.

I don't see why xfs or any other filesystem wouldn't work. dm_crypt uses the same block interface that lvm or mdraid use. It shouldn't be any different than a normal block device.

----------

## WastingBody

If you don't want to enter an extra password to mount an encrypted volume you can use pam_mount. Pam_mount will mount a specified volume when the user logs in via a login manager or a terminal.

----------

## zyko

 *Quote:*   

> Is TrueCrypt not recommended much anymore?

 

Without going into too much detail: There are several peculiarities about the TrueCrypt project. For example, TrueCrypt doesn't seem to have a public bugtracker or viable changelogs, which is strange for such a security-sensitive piece of software. I'd say TrueCrypt is the worst choice among all open-source solutions due to its lack of transparency.

----------

## d2_racing

Thanks for the info, I understand a little bit more why we don't see that much on the forum.

----------

## bobspencer123

This looks like a great wiki. I read through it and it is pretty intense and thorough.

http://en.gentoo-wiki.com/wiki/DM-Crypt_with_LUKS

----------

## NathanZachary

 *zyko wrote:*   

> *Quote:*
> 
> > Is TrueCrypt not recommended much anymore?
> 
> Without going into too much detail: There are several peculiarities about the TrueCrypt project. For example, TrueCrypt doesn't seem to have a public bugtracker or viable changelogs, which is strange for such a security-sensitive piece of software. I'd say TrueCrypt is the worst choice among all open-source solutions due to its lack of transparency.

 

Thank you very much for the explanation.  I had never even noticed these deficits!  I will look into LUKS+dm_crypt and further information.

----------

## d2_racing

@bobspencer123, thanks, I'm gonna read that wiki for sure  :Razz: 

----------

## NathanZachary

 *d2_racing wrote:*   

> @bobspencer123, thanks, I'm gonna read that wiki for sure 

 

Me too!  :Wink:   Thank you bobspencer123.

----------

## BeteNoire

Thx for all replies, I'll give a chance to dm-crypt and luks, and if fs doesn't matter I'll stay with those chosen before (xfs, rfs).

I have one more doubt: can I mount and access an encrypted partition without giving an additional password on boot?

Some howtos recommend using pam for this and all of my three gentoo boxes are pamless.

----------

