Comments on: Securing laptops with ecryptfs, cryptsetup, and tmpfs http://www.tolaris.com/2009/11/14/securing-laptops-with-ecryptfs-cryptsetup-and-tmpfs/ Back off, man. I'm a scientist. Wed, 03 Mar 2010 22:54:18 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: tyler http://www.tolaris.com/2009/11/14/securing-laptops-with-ecryptfs-cryptsetup-and-tmpfs/comment-page-1/#comment-129 tyler Fri, 25 Dec 2009 22:15:44 +0000 http://www.tolaris.com/?p=618#comment-129 Chuck, It may be wise to encrypt at least /var/tmp/ or link that into /tmp. However, most of what you'll find there are things like KDE thumbnails and favicons from web pages Konqueror visits. It's not a major security leak, but it is annoying. Worse, the data here is expected to persist, so linking it into /tmp is not the best practice. I wouldn't bother encrypting /var. If you have a server with data there that matters, you might as well encrypt the whole disk. Chuck,

It may be wise to encrypt at least /var/tmp/ or link that into /tmp. However, most of what you’ll find there are things like KDE thumbnails and favicons from web pages Konqueror visits. It’s not a major security leak, but it is annoying. Worse, the data here is expected to persist, so linking it into /tmp is not the best practice.

I wouldn’t bother encrypting /var. If you have a server with data there that matters, you might as well encrypt the whole disk.

]]> By: Chuck http://www.tolaris.com/2009/11/14/securing-laptops-with-ecryptfs-cryptsetup-and-tmpfs/comment-page-1/#comment-128 Chuck Fri, 25 Dec 2009 21:41:37 +0000 http://www.tolaris.com/?p=618#comment-128 Thanks for the nice guide :) For some time I had an encrypted LVM with /home, /var, /tmp and swap -- but dealing with LUKS and cryptsetup was always a bit of a hassle... I wonder if (for professionals) /var needs to be encrypted too -- but I guess for my private use an encrypted var would be overdone ;) Thanks for the nice guide :)
For some time I had an encrypted LVM with /home, /var, /tmp and swap — but dealing with LUKS and cryptsetup was always a bit of a hassle…
I wonder if (for professionals) /var needs to be encrypted too — but I guess for my private use an encrypted var would be overdone ;)

]]> By: tyler http://www.tolaris.com/2009/11/14/securing-laptops-with-ecryptfs-cryptsetup-and-tmpfs/comment-page-1/#comment-122 tyler Mon, 16 Nov 2009 11:04:50 +0000 http://www.tolaris.com/?p=618#comment-122 breakpoint, The advantage of using filesystem-based encryption versus volume-based is that different users can have different keys, all on the same filesystem. Some information leakage occurs this way: the number of files, approximate sizes, and the size and depth of the directory hierarchy, but I'm not losing any sleep over that. This won't protect against access to a running system - it's already mounted and readable to the OS - but it will do a lot for hardware loss. We backup our keys, yes, and demand access to and control over company hardware used by employees. I assure you that my key escrow scheme is more secure than most users' habits. :) breakpoint,

The advantage of using filesystem-based encryption versus volume-based is that different users can have different keys, all on the same filesystem. Some information leakage occurs this way: the number of files, approximate sizes, and the size and depth of the directory hierarchy, but I’m not losing any sleep over that. This won’t protect against access to a running system – it’s already mounted and readable to the OS – but it will do a lot for hardware loss.

We backup our keys, yes, and demand access to and control over company hardware used by employees. I assure you that my key escrow scheme is more secure than most users’ habits. :)

]]> By: breakpoint http://www.tolaris.com/2009/11/14/securing-laptops-with-ecryptfs-cryptsetup-and-tmpfs/comment-page-1/#comment-121 breakpoint Mon, 16 Nov 2009 09:38:18 +0000 http://www.tolaris.com/?p=618#comment-121 Fedora has allowed install-time filesystem encryption for some time. Additionally, it's possible do a manual LVM setup that creates a LUKS encrypted LVM partition which in turn has (secondarily encrypted with another key) LUKS encrypted logical volumes. Whether or not this is actually advantageous vs. just using encryption at only one of those layers depends on your situation-- the only use I've really thought of is allowing somebody to at least get the system to boot using a lower security password but ensure that sensitive systems and data can't be started or accessed-- but it is interesting to note that the performance hit from two layers of crypto was not nearly what I would have expected (admittedly, though, this was running on a stripe set). From a consultant's point of view, the weak point of practically any corporate network is the fact that they're going to want the keys, they're going to want to test them, and they're going to scream bloody murder the first time you try to really lock things down. I've been able to get people to choke down restricted access MUCH easier than password hygiene. I do, however, make people sign things when they reject my advice these days. My contracts almost always include a clause releasing me from liability for any security incident on a system or network not secured to generally accepted standards and practices (i.e., you use strong passwords, sensitive data is encrypted, physical access to machines is restricted to those with a need to service them, etc.). Sounds like your firm has had to react to a few... incidents. Hope none of them were major. Fedora has allowed install-time filesystem encryption for some time. Additionally, it’s possible do a manual LVM setup that creates a LUKS encrypted LVM partition which in turn has (secondarily encrypted with another key) LUKS encrypted logical volumes. Whether or not this is actually advantageous vs. just using encryption at only one of those layers depends on your situation– the only use I’ve really thought of is allowing somebody to at least get the system to boot using a lower security password but ensure that sensitive systems and data can’t be started or accessed– but it is interesting to note that the performance hit from two layers of crypto was not nearly what I would have expected (admittedly, though, this was running on a stripe set).

From a consultant’s point of view, the weak point of practically any corporate network is the fact that they’re going to want the keys, they’re going to want to test them, and they’re going to scream bloody murder the first time you try to really lock things down. I’ve been able to get people to choke down restricted access MUCH easier than password hygiene.

I do, however, make people sign things when they reject my advice these days. My contracts almost always include a clause releasing me from liability for any security incident on a system or network not secured to generally accepted standards and practices (i.e., you use strong passwords, sensitive data is encrypted, physical access to machines is restricted to those with a need to service them, etc.).

Sounds like your firm has had to react to a few… incidents. Hope none of them were major.

]]> By: tyler http://www.tolaris.com/2009/11/14/securing-laptops-with-ecryptfs-cryptsetup-and-tmpfs/comment-page-1/#comment-119 tyler Sun, 15 Nov 2009 15:58:35 +0000 http://www.tolaris.com/?p=618#comment-119 My only experience with FileVault is reading the relevant wikipedia page, so I can only speculate. From what I read the feature is comparable, but ecryptfs can also be used to encrypt only specific directories. For instance, it is common now to have a ~/Private for this purpose, which is what the ecryptfs-setup-private command does if you just stop there. The biggest advantage I can see is that ecryptfs is open source and FileVault is not. Lack of peer review is very bad for cryptographic security. My only experience with FileVault is reading the relevant wikipedia page, so I can only speculate. From what I read the feature is comparable, but ecryptfs can also be used to encrypt only specific directories. For instance, it is common now to have a ~/Private for this purpose, which is what the ecryptfs-setup-private command does if you just stop there.

The biggest advantage I can see is that ecryptfs is open source and FileVault is not. Lack of peer review is very bad for cryptographic security.

]]> By: Daryl http://www.tolaris.com/2009/11/14/securing-laptops-with-ecryptfs-cryptsetup-and-tmpfs/comment-page-1/#comment-118 Daryl Sun, 15 Nov 2009 12:10:34 +0000 http://www.tolaris.com/?p=618#comment-118 Practical advantages of this over using, say FileVault on the Mac ? (still loves the Ubuntu but use it on the servers... though feel bad I use OSX all the time... =] ). Practical advantages of this over using, say FileVault on the Mac ? (still loves the Ubuntu but use it on the servers… though feel bad I use OSX all the time… =] ).

]]>