An encryption 101 request?

[Panther96]

Hey all, so my berserk level has definitely become excruciatingly elevated as I've acquired general information of What Is going around currently in govermental politics, our modern societies, and environment. Since I've become very comfortable as a primarily Manjaro user, I was wondering how to configure encryption successfully in linux? I don't know much about how encryption works, just what it does. I tried downloading truecrypt from the repos but apparently, disregarding the fact that the project is being audited now that it has been mysteriously abandoned by developers, there is no full system encryption for linux. My system is also UFEI but I have manjaro booted as ¨legacy supported¨ (though windows 8.1 partition is obviously UFEI). How does this affect things?

I saw that Ubuntu has easy during-installation full system partition encryption available, though I don't really trust Ubuntu based upon past history and articles posted around here. Are there any solutions that exist for Manjaro that could be achieved by a novice, or a novice with some serious hand-guidance? Thanks

[viking60]

Good to be aware of these things - you are absolutely right about that.
Truecrypt is indeed not developed anymore as of 05/2014. The reason given is the EOL of Windows XP, which is strange (and suspicious).

Manjaro does actually offer full hd encryption during install - I have done it.
When you boot the boot is interupted and asks for your passphrase that you provided during install:

This is technically not a full disk encryption since the boot partition is not encrypted - the rest is fully encrypted by LUKS (Linux Unified Key Setup) + LVM2(Logical Volume Manager). This goes for swap and tmp too. This is called a system encryption as opposed to data encryption, which typically would be the encryption of /home.

If you want /boot encrypted; you need to boot from an USB dongle.

Now this sounds a bit "Greek" but here is a comparison of the methods.

I am testing Manjaro so I did this with the unstable testing version - but it is official now, so it should be part of the installer. Simply check encryption and LVM and answer the prompts.

After the sucessfull encryption you can check it out with:

Code: Select all

lsblk

Code: Select all

[thomas@manjaro ~]$ lsblk
NAME                        MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
fd0                           2:0    1    4K  0 disk 
sda                           8:0    0 23,3G  0 disk 
sda1                        8:1    0  190M  0 part  /boot
sda2                        8:2    0 23,1G  0 part 
cryptManjaro            254:0    0 23,1G  0 crypt
    ManjaroVG-ManjaroRoot 254:1    0  6,4G  0 lvm   /
    ManjaroVG-ManjaroSwap 254:2    0  2,3G  0 lvm   [SWAP]
    ManjaroVG-ManjaroHome 254:3    0 14,5G  0 lvm   /home
sr0                          11:0    1 1024M  0 rom 

As you can see /, SWAP and /home (sda2) are encrypted.

Regarding UEFI and Windows 8.1 your Linux should be OK -but Windows 8.1 can update the Bios! Naturally Intel can update the Bios too, those updates can be anything and may affect Linux negatively - given Microsoft's attitude towards Linux so far.
The attempts of Microsoft to control the HW are also good for excluding alternatives - and MS are quite aware of that.

That is why many prefer to make a DVD out of Windows 8.1 and put in in a Virtualbox under Linux ( I think Jkerr has done it).

If you want to encrypt your files after install encfs (in the community repo) has a GUI and looks to be the easiest to handle. Ecryptfs is the alternative and comes with the kernel; you will find that ecryptfs-utils is already installed on your system.

[Snorkasaurus]

How is it that so few people seem to think that Microsoft Bought TrueCrypt because they were disappointed with the fact that some people are still unwilling to go buy newer versions of Windows? Isn't this a pretty logical assumption?

Either way, I guess I am sticking with TrueCrypt until I hear of any significant hole.

S.

[viking60]

I believe that this is very plausible:

TrueCrypt is compromised: Proponents of this theory feel that government pressure forced the TrueCrypt developers to either do as ordered or shutter the website similar to what happened to Lavabit

And these things are followed by a GAG order so they are not allowed to say why - National security; you see....

Developers need to get out of the US - if they want to avoid being bullied around by the NSA. But then again the US influence is significant in the whole NATO area so maybe that would not help that much.

The US government regard any successful encryption as an personal insult; by the looks of it. I sure hope this is not true, but so far the NSA has been perfectly capable of going farther than my worst imagination...

[Snorkasaurus]

Developers need to get out of the US

Do you happen to know if there are any countries that are specifically preferable for development purposes? Is it Sweden that has a reasonably progressive position on intellectual property, publishing freedom, and freedom of security?

S.

[viking60]

No! Sweden is dancing to the tunes played in Washington. Julian Assange is fighting that bogus rape charge and will not be sent to Sweden.

It is only constructed so that the Swedes can get hold of him and send him to the US.

Sweden does also intercept all data that passes through the country.

So Sweden is really bad. Norway is not good and is praised as a splendid NATO partner by the US. Iceland is good, I will consider Germany OK and France might be acceptable.

[Snorkasaurus]

Man, that sounds pretty crappy.
Here in Canada our mainstream media is heavily saturated with US owned/influenced information... so we get a pretty good dose of US opinion here. I actually gave up on TV, radio, and newspapers a long time ago. Only more recently have I started finding more independent new sources. I am kind of liking democracynow.org but am looking for more sources that are not just fountains of US information.
S.

[viking60]

Yes Canada is one of those "Splendid" NATO partners too , and one of the Five Eyes

[viking60]

Back on topic panther:
encfs works well in Manjaro - I have tested it. I was extremely paranoid so I tested it on a system that already has system encryption with encrypted partitions.

Here I made the encrypted encfs directory and the mount point and it works well, so the NSA will have to crack two layers of encryption now
I'll write it up under "software".

[Panther96]

Back on topic panther:
encfs works well in Manjaro - I have tested it. I was extremely paranoid so I tested it on a system that already has system encryption with encrypted partitions.

Here I made the encrypted encfs directory and the mount point and it works well, so the NSA will have to crack two layers of encryption now
I'll write it up under "software".

Read my mind. I actually posted a reply here earlier today but I guess it just never went through (and I didn't get the time/chance to verify it went through). The above dicussion is interesting though nonetheless.

Could you explain in depth how-to setup encfs on Manjaro in your write-up? I was able to experiment with encfs with Cryptkeeper, but I'm not sure If I did it correctly/how to properly utilitize the encryption, as this page http://www.howtogeek.com/121737/how-to- ... ith-encfs/ explains that I need to create a private folder too, but the cryptkeeper makes no mention of it (and the command line instructions, only replacing dropbox with spideroak hive, doesn't seem to work for me)?

You mentioned earlier that Manjaro does include full disk encryption option in installer, but you were using the testing version? Is it to be assumed then that the tools will be available in the next release, .8.10, or did it exist but somehow I didn't know where to look with the current .8.9 release?

Would you still recommend full disk encryption, or does protection of passwords/documents/other personal files suffice in these encrypted folderyor protecting information that actually matters (versus against entire remote-accesses)? Lastly, do you believe that full disk encryption noticably hinders system performance?

No! Sweden is dancing to the tunes played in Washington. Julian Assange is fighting that bogus rape charge and will not be sent to Sweden.

It is only constructed so that the Swedes can get hold of him and send him to the US.

Sweden does also intercept all data that passes through the country.

So Sweden is really bad. Norway is not good and is praised as a splendid NATO partner by the US. Iceland is good, I will consider Germany OK and France might be acceptable.

So why do the scandinavian countries pride themselves as this sort of safe NSA-free zone? Hell, there are even companies exploiting this image http://www.jottacloud.com/its-your-stuff-guaranteed/

Surprised you wouldn't place Germany in the ¨good¨ catagory..haven't they been all along combating on the global stage against surveillance programs? The Germans after all have every reason too, all across the board (economically for opportunities, politically because the Germans are the ones usually targeted for industrial and still political espionage, and culturally because they know what it means to lose their fundamentally guarenteed rights in the name of ¨security/patriotism¨). I also surprised by the French for they are usually one of the most independently minded NATO member, though with the recent NSA developements affecting their country they have only given relatively lukewarm protestation. Then again, François Hollande doesn't strike me as one with incredible vigor/passion.

[viking60]

Could you explain in depth how-to setup encfs on Manjaro in your write-up?

Sure and do feel free to arrest me if I fail to do so, or if you want more elaboration on any issue - remember there are no stupid questions-only stupid answers (I'll do my best ).

Here is the write up.

I was able to experiment with encfs with Cryptkeeper, but I'm not sure If I did it correctly/how to properly utilitize the encryption, as this page http://www.howtogeek.com/121737/how-to- ... ith-encfs/ explains that I need to create a private folder too, but the cryptkeeper makes no mention of it (and the command line instructions, only replacing dropbox with spideroak hive, doesn't seem to work for me)?

Cryptkeeper is just a mount helper you need to do the setup before you can use it - I used gencfs.

You mentioned earlier that Manjaro does include full disk encryption option in installer, but you were using the testing version? Is it to be assumed then that the tools will be available in the next release, .8.10, or did it exist but somehow I didn't know where to look with the current .8.9 release?

Would you still recommend full disk encryption, or does protection of passwords/documents/other personal files suffice in these encrypted folderyor protecting information that actually matters (versus against entire remote-accesses)? Lastly, do you believe that full disk encryption noticably hinders system performance?

Full disk encryption is already available in 8.9 you will have the option when you get to the partitioning. There you can access a set of check boxes and there you can check "encryption" and "LVM".
You will be guided (prompted) in a user friendly way so it will be easy.
....
In General the full system encryption is the best and therefor recommended. Even if you encrypt your /home; your data will still be available in /tmp and /swap and that is where the bad guys would attack.
And I have no negative system performance effect whatsoever - so I don't think you will have to worry about that.

The problem is of course that when you already have installed a distro, then you will "destroy" your current partitions because they need to be formatted during install.

Encfs is a good alternative but not as good as the system encryption.

So why do the scandinavian countries pride themselves as this sort of safe NSA-free zone? Hell, there are even companies exploiting this image http://www.jottacloud.com/its-your-stuff-guaranteed/

Well the Americans would say that the Scandinavians love to claim the moral high-ground. This cloud service is thoroughly explaining why it is risky to go for American servers or for servers from American companies.

They boast that it all will be Norwegian servers - but what does that mean?
Stupid patriots here will accept that everything Norwegian is good - but let me remind you that the Norwegian secret police has officially demanded the right to use key loggers on every computer in Norway.
That does not put Norway in the privacy friendly category. What will they be demanding from Jotta?
Norway is no big country and they will dance to the tunes played in Washington.. or else.....Still; this will be better than US clouds IMO.

Surprised you wouldn't place Germany in the ¨good¨ catagory..haven't they been all along combating on the global stage against surveillance programs? The Germans after all have every reason too, all across the board (economically for opportunities, politically because the Germans are the ones usually targeted for industrial and still political espionage, and culturally because they know what it means to lose their fundamentally guarenteed rights in the name of ¨security/patriotism¨). I also surprised by the French for they are usually one of the most independently minded NATO member, though with the recent NSA developements affecting their country they have only given relatively lukewarm protestation. Then again, François Hollande doesn't strike me as one with incredible vigor/passion.

Yup I take it back - Germany is in the "Good" category for the reason you give. They are also not to prone to dance to tunes played anywhere else.
They certainly lost the will to dance to American tunes after their head of state had been spied upon for many years.
France had the Hadopi laws - so I think I have got their no. right.

[dedanna1029]

Surprised you wouldn't place Germany in the ¨good¨ catagory..haven't they been all along combating on the global stage against surveillance programs? The Germans after all have every reason too, all across the board (economically for opportunities, politically because the Germans are the ones usually targeted for industrial and still political espionage, and culturally because they know what it means to lose their fundamentally guarenteed rights in the name of ¨security/patriotism¨). I also surprised by the French for they are usually one of the most independently minded NATO member, though with the recent NSA developements affecting their country they have only given relatively lukewarm protestation. Then again, François Hollande doesn't strike me as one with incredible vigor/passion.

Although viking gave you a pretty good response on this about Germany, imagine the surprise when I came across this.