# Which encrypted filesystem to use?

## Klavs

Hi guys,

I'm looking for an encryption filesystem for my Gentoo.

I've found the following (but none of them has an ebuild it seems? no Gentoo user uses any of these?):

www.rubberhose.org

Would be the coolest one (because of the feature where you can use several passwords on a filesystem, and depending on which password you use, you'll see different data - on the same file-system - look mom, it's only recipes I have there :) )

If it weren't because it seems abandoned and only works with the 2.2.x kernel :(

http://linux01.gwdg.de/~alatham/ppdd.html

seems fairly good and stable - no plausible deniability feature though.

http://www.mcdonald.org.uk/StegFS/

Much like rubberhose, except that it clearly states - INSTABLE - and I really need my data to be safe.

What experiences do you guys have?

My idea was to put up an lvm partition and use it with the encrypted filesystem, for better performance than what you get with a loop-backed encrypted file?

What about dynamic resizing of an encrypted filesystem/file - which supports this? I'm thinking of using it to hold approx. 60gb of data :)

----------

## mglauche

Look at the cryptoapi stuff in the latest (-r9) gentoo kernel. You can mount encrypted loopback devices with that ;)

It's quite cool, although a bit of a performance drop (but performance is not top priority for encrypted fs anyway ...) You have to provide a password for the cipher in order to mount the crypted loopback device, so it's one pw for all ..

----------

## Xor

I do have a cryptofile... but read that the impact on a crypted fs is rather big... (I use blowfish... but aes might be stronger but not as fast)

I can also imagine that there are some mounting/unmounting issues at boot/shutdown....

----------

## meyerm

@cryptoapi and cryptofs

They are just mounted as loopback-devices with an additional option (as far as I can remember). As long as you don't try to encrypt your "/"... ;)

When I used SuSE I also tried out the crypto-fs for my home-partition. It simply asked for a PW while booting and if it was not entered within a given timespan it just booted without this fs mounted. Then, of course I had to login as root and mount it before I could login as normal user. (If gentoo is not offering such an init-script I could search through the SuSE-partition here and post that script (as long as it is GPL)).

I don't know anything about the speed impact since it was my day-to-day-work home and not my development-computer where I'm heavily playing around with many files. But it seemed to be stable, there was no data corruption or crash in the whole time.

Short: it is already quite usable ;)

----------

## Klavs

So I just emerge cryptoapi - and it will work with my default gentoo-kernel?

or would I have to emerge crypto-sources and compile a new kernel?

Which utilities do I use for making such an encrypted partition/filesystem?

Do you have any experiences with using a separate partition for it vs. using a file (that I would mount via loopback)?

How about the ability to resize it - on the fly? I was thinking of putting it on a lvm partition - would that be possible?

Thank you for all your help so far.

----------

## dingo

When I first made a cryptographic filesystem I decided to do it with a loopback device with the kernel, this meant emerging a kernel that supports it. At that time emerging 'crypto-sources' was the thing to do, but it now looks like 'gentoo-sources' also provides it (or did and I never noticed.) I don't think 'cryptoapi' is needed; they look like maybe pre-made modules. Not sure. Make your own anyway. I used the modules 'serpent', 'cryptoloop', and 'loop'

http://www.ibiblio.org/pub/Linux/docs/HOWTO/Loopback-Encrypted-Filesystem-HOWTO

should explain everything.

> Which utilities do I use for making such an encrypted partition/filesystem?

The sweet thing about encrypted filesystems at the kernel level is that you don't need any utilities other than your average filesystem utilities.

> Do you have any experiences with using a separate partition for it vs. using a file (that I would mount via loopback)?

> How about the ability to resize it - on the fly? I was thinking of putting it on a lvm partition - would that be possible?

I don't think that would be possible with a loopback. For resizing on the fly I think you'll want to get into the cfs package (not in gentoo portage systems, and its web page service is down, can't seem to find it)

----------

## watersb

I have been using crypto-sources, with an encrypted root partition, since this past summer.

I created a tiny Minix ramdisk image, populated it with a BusyBox/uClibc linux, just enough to run the following script:

```
#!/bin/sh
PATH=/sbin:/bin:/usr/bin:/usr/sbin

# Mount /proc so that real-root-dev can be written below
/bin/mount -n -t proc none /proc

echo "Mounting encrypted filesystem..."
# Attach the encrypted partition to loop device 5 (twofish, 256-bit key)
losetup -e twofish -k 256 /dev/loop/5 /dev/ide/host0/bus0/target0/lun0/part4

# Tell the kernel to use loop device 5 (major 7, minor 5) as the real root
echo "0x705" > /proc/sys/kernel/real-root-dev
```

Then I added this entry to my GRUB menu:

```
title=Gentoo 2.4.19
root (hd0,0)
kernel /boot/bzImage
initrd /boot/ramdisks/tiny-linux.gz
```

I have been trying to use pivot_root, as the Gentoo LiveCDs do, but absolutely no success so far. This is cause for slight concern, as the real-root-dev trick will presumably go away with 2.5 and 2.6 kernels.

1) Has anyone else had success in using encrypted root partitions? What script did you use?

2) If folks are interested, my tiny-linux.gz ramdisk image (320K) is at

http://www.aoc.nrao.edu/~bwaters/projects/gentoo/tiny-linux.gz
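
Added example, not part of watersb's post: the `0x705` written to `/proc/sys/kernel/real-root-dev` in the script above is the 16-bit device number of loop device 5 (major 7, minor 5), so it has to change together with the `losetup` target. The helper names are hypothetical, and `stat -c` is assumed to be available (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example, not from the original post. Helper names are hypothetical.
# 2.4-era kernels use a 16-bit device number: high byte = major, low byte = minor.

# real_root_dev_value MAJOR MINOR
# Prints the value to write to /proc/sys/kernel/real-root-dev, e.g. 0x705.
# Returns non-zero if either argument is not a decimal number in 0..255.
real_root_dev_value() {
    for rrd_n in "$1" "$2"; do
        case "$rrd_n" in
            ''|*[!0-9]*|0?*|????*)
                echo "not a plain decimal number in range: '$rrd_n'" >&2
                return 1 ;;
        esac
    done
    if [ "$1" -gt 255 ] || [ "$2" -gt 255 ]; then
        echo "major and minor must each fit in 8 bits" >&2
        return 1
    fi
    printf '0x%x\n' $(( $1 * 256 + $2 ))
}

# real_root_dev_for_node NODE
# Same value, derived from an existing block device node, so the number
# written to real-root-dev cannot drift from the device losetup configured.
real_root_dev_for_node() {
    if [ ! -b "$1" ]; then
        echo "$1 is not a block device" >&2
        return 1
    fi
    # Assumption: stat supports -c; %t and %T print major and minor in hex.
    rrd_hex=$(stat -c '%t %T' "$1") || return 1
    set -- $rrd_hex            # intentionally unquoted: split into major, minor
    real_root_dev_value "$((0x$1))" "$((0x$2))"
}

real_root_dev_value 7 5        # loop device 5; prints 0x705
```
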

----------

## revo

*meyerm wrote:*

> @cryptoapi and cryptofs
> 
> When I used SuSE I also tried out the crypto-fs for my home-partition. It simply asked for a PW while booting and if it was not entered within a given timespan it just booted without this fs mounted. Then, of course I had to login as root and mount it before I could login as normal user. (If gentoo is not offering such an init-script I could search through the SuSE-partition here and post that script (as long as it is GPL)).

hi!

great idea. will you do this?

or, is there anybody developing cfs for gentoo?

i used to use it with debian, where it was provided as a deb, but i couldn't make it compile in gentoo.

revo

----------

## taskara

I have been using ext3 for ages, but recently decided to go reiserfs because it's supposed to be faster.. and it IS :)

reiser rocks

----------

