# Best way to encrypt data or partition?

## jlmcp

All,

Been poking around all morning trying to find some concise directions for encrypting data or a whole partition in Gentoo (Linux). Ideally, I would like to:

1. Set up and encrypt a whole partition,

2. Be able to mount this partition with a secondary password maybe,

3. Mount, and drop my sensitive files onto this partition at will,

4. Unmount if desired.

I am coming from the Windows/PGP world of thinking and have used the PGPdisk utility in the past. I have also searched the forums here, and found some scant references to other people doing this, but nothing that explains how to do it and if there is a method that is better than another (performance) etc.

Links? Hints?

Jake

----------

## Roguelazer

An encrypted loopback's your best bet. I use one successfully for a while. Recommended reading:

http://gentoo-wiki.com/SECURITY_dmcrypt

https://forums.gentoo.org/viewtopic-t-349474.html

----------

## neuron

No, not loopback; he's talking about performance and a partition. You can use cryptsetup directly and skip the loopback.

For partitions, using cryptsetup and encrypting directly is probably the best way; for encrypting a directory, fuse+encfs is the best way in my opinion :)

----------

## ruben

I used the following site to make an encrypted partition using dmcrypt (admittedly on debian). The site also contains some benchmarks.

----------

## jlmcp

Thanks all -

I had heard of the "loopback" style encryption but wasn't sure that was the way to go either. Have to look into cryptsetup more. I'll report back what I find.

Jake

----------

## jlmcp

So ... after several more hours of research (some trial and error) this is what I have found:

1. You basically need to decide if you want to (a) encrypt a whole partition, or (b) just create an encrypted file (PGPdisk style) and mount it as a partition.

2. The assumption is, encrypting the whole partition has better performance than using the file method, but the file method is more ... portable, I guess. Your choice.

3. The directions on the Gentoo Wiki: http://gentoo-wiki.com/SECURITY_dmcrypt (thanks Roguelazer) are pretty darn good. I recommend them.

Remaining questions:

1. I am still trying to find a way to 'auto mount' the encrypted partition when I log in. ruben posted a link to a debian site that outlines how to do this, but my testing seemed to indicate that the process on Gentoo must be somewhat different. Anyone know how to modify the directions at http://deb.riseup.net/storage/encryption/dmcrypt/?

2. I don't mind if I have to enter a second passphrase to mount the encrypted disk, I just want to be auto-prompted after a successful login. I suppose I could just script up the mount and unmount process if I knew where to put login and logout scripts. Anyone know?

Almost there.

Jake
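
A minimal open/close helper covering both options weighed in the post above (whole partition or file container), added here as an example and not taken from the thread or the linked wiki. It assumes a current cryptsetup with LUKS; the names `vault`, `/mnt/vault` and `/dev/sdXN` are placeholders.

```shell
#!/bin/sh
# Added example: open/close helper for a LUKS volume via cryptsetup.
# Names (vault, /mnt/vault, /dev/sdXN) are placeholders, not from the thread.
# One-time setup, run as root (DESTROYS data on the target):
#   cryptsetup luksFormat /dev/sdXN        # or a pre-allocated file
#   cryptsetup open /dev/sdXN vault && mkfs.ext4 /dev/mapper/vault
#   cryptsetup close vault

# run CMD...: execute, or just print when DRY_RUN=1 (lets you review first).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# vault_open TARGET NAME MOUNTPOINT
# TARGET may be a block device (whole partition) or a regular file
# (container); cryptsetup attaches a loop device for files itself.
vault_open() {
    target=$1 name=$2 mnt=$3
    if [ ! -b "$target" ] && [ ! -f "$target" ]; then
        echo "vault_open: $target is neither a block device nor a file" >&2
        return 1
    fi
    if [ -e "/dev/mapper/$name" ]; then
        echo "vault_open: mapping $name is already open" >&2
        return 1
    fi
    run cryptsetup open "$target" "$name" || return 1   # prompts for passphrase
    if ! run mount "/dev/mapper/$name" "$mnt"; then
        run cryptsetup close "$name"    # don't leave the plaintext mapping behind
        return 1
    fi
}

# vault_close NAME MOUNTPOINT: unmount first, then drop the key from the kernel.
vault_close() {
    name=$1 mnt=$2
    run umount "$mnt" || return 1       # fails if files are still in use
    run cryptsetup close "$name"
}

case "${1:-}" in
    open)  vault_open "$2" "$3" "$4" ;;
    close) vault_close "$2" "$3" ;;
esac
```

Run it with `DRY_RUN=1` first to see the exact commands; the passphrase prompt comes from `cryptsetup open` itself, so nothing secret is stored in the script.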

----------

## neuron

http://hollowtube.mine.nu/wiki/index.php/PAM/PamEncfs

I wrote that quite a long time ago for auto mounting encfs volumes on login, a very simple and working system (I haven't had to patch it since I made it), pam_run can be used for auto mounting cryptsetup drives, but it's way more advanced and way more error prone.

encfs is a very nice system in my opinion, you'll be able to do rsync backups quite easily (as the files are encrypted separately, don't worry, filenames too ;) ), the only downside is that it's a bit slower than cryptsetup is.

----------

## Sachankara

 *neuron wrote:*   

> http://hollowtube.mine.nu/wiki/index.php/PAM/PamEncfs
> 
> I wrote that quite a long time ago for auto mounting encfs volumes on login, a very simple and working system (I haven't had to patch it since I made it), pam_run can be used for auto mounting cryptsetup drives, but it's way more advanced and way more error prone.
> 
> encfs is a very nice system in my opinion, you'll be able to do rsync backups quite easily (as the files are encrypted separately, don't worry, filenames too), the only downside is that it's a bit slower than cryptsetup is.

 Would it be possible for you to make an ebuild for it and submit it to the bugzilla (or whatever the Gentoo developers prefer)?

----------

## neuron

 *Sachankara wrote:*   

> *neuron wrote:*
>
> > http://hollowtube.mine.nu/wiki/index.php/PAM/PamEncfs
> >
> > I wrote that quite a long time ago for auto mounting encfs volumes on login, a very simple and working system (I haven't had to patch it since I made it), pam_run can be used for auto mounting cryptsetup drives, but it's way more advanced and way more error prone.
> >
> > encfs is a very nice system in my opinion, you'll be able to do rsync backups quite easily (as the files are encrypted separately, don't worry, filenames too), the only downside is that it's a bit slower than cryptsetup is.
>
> Would it be possible for you to make an ebuild for it and submit it to the bugzilla (or whatever the Gentoo developers prefer)?

 

http://hollowtube.mine.nu/releases/snapshots/ebuilds.tar.gz

there's an ebuild there actually, but you should probably grab the snapshot, I made some changes right after release.  If I get around to fixing my svn tree I'll see about making a 0.2 release and submitting an ebuild.

//edit, that ebuild pack is ancient and doesn't contain pam_encfs :p

----------

## neuron

https://bugs.gentoo.org/show_bug.cgi?id=102112

there, also released a new version with some comments "does this work?" and stuff like that :p, everything has worked for more than 4 months now without any problems whatsoever ;)

also added another of my pam modules for the uber paranoid https://bugs.gentoo.org/show_bug.cgi?id=102113 :p

----------

## Sachankara

Nice... :) Hopefully it won't take far too long to reach portage.

Unfortunately I'm not the most experienced "PAM capable" programmer, but I'll take a closer look at the source later.

----------

## jlmcp

Just read the website. This looks pretty cool as well.

Have to weigh my options now. ;)

----------

