[ale] Filesystem encryption
Michael H. Warfield
mhw at WittsEnd.com
Wed Oct 13 23:07:45 EDT 2010
On Wed, 2010-10-13 at 16:32 -0400, Jim Butler wrote:
> Hi Linux People!
> I have a question and am looking for some experienced suggestions.
> I saw a server recently that had filesystem encryption applied to the
> entire root filesystem volume.
> Although I am not sure, I do believe that the encryption scheme probably
> was not loopback (cryptoloop) because the server did not have a key
> stored on an external device. My understanding of loopback encryption is
> that the kernel and initrd have to be stored on at least some kind of
> un-encrypted media in order to boot to at least a small level sufficient
> to ask for the pass-key to decrypt/mount the filesystem.
> If the encryption scheme wasn't loopback encryption, what could it have
> been? What ways are popular right now for encrypting an entire root
> filesystem without using a thumbdrive or other external storage??
> If someone can help me identify what this was, maybe I can read up on it
> and implement it on one of my own servers.
If it's a Linux system, it's a very high probability that it's LUKS
(Linux Unified Key System). A number of distros, including Fedora and
Redhat, support LUKS encryption at install time. Installing a system
and then converting it to an encrypted file system (of ANY TYPE) is a
monumental PITA that I would find it hard to believe that you've run
into it by chance. Both crypto-loop and aes-loop suffer from this and
from numerous other problems and were not incorporated into the
mainstream sources. LUKS (based on dm-mapper) was, a LONG time ago.
My boot systems required only an unencrypted boot partition (either on
the drive or on a USB image drive). If it's prompting you for a
passphrase, I can guarantee it's LUKS. None of the distros recognize
any of the other crypto systems and flat out wouldn't know what to do
with them. Mount a LUKS volume and it will recognize it as LUKS (whatever
the underlying file system) and prompt you for a passphrase.
That's the watch word. If it recognizes it, it's LUKS. If it
doesn't... Well. You pays your nickel and you takes your chance.
> Thanks in advance,
> Jim Butler
> Linux Network Administrator.
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
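The "if it recognizes it, it's LUKS" test above is just the on-disk LUKS magic: every LUKS header starts with the six bytes `LUKS\xba\xbe`, which is what `blkid` (reporting `TYPE="crypto_LUKS"`) and `cryptsetup isLuks` look for. The script below is an added illustration of that check, written for this page and not taken from the thread or from cryptsetup; it parses the fixed part of a LUKS1 header (cipher, mode, hash, key size, UUID, how many key slots are enabled) and only reports the version for LUKS2, whose header has a different layout. The sample header it builds is constructed for the demonstration, and `probe_device` is a hypothetical helper that reads the header from a device or image file.

```python
import struct
import sys

# On-disk constants from the LUKS1 specification. LUKS2 shares the magic
# but uses a different header layout, so it is only version-identified here.
LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS1_PHDR_LEN = 592                          # fixed part of a LUKS1 header
LUKS1_PHDR_FMT = ">6sH32s32s32sII20s32sI40s"  # 208 bytes before the key slots
KEYSLOT_FMT = ">II32sII"                      # 48 bytes per slot, 8 slots
KEYSLOT_ENABLED = 0x00AC71F3
KEYSLOT_DISABLED = 0x0000DEAD


def cstr(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_luks_header(blob):
    """Identify a LUKS header at the start of blob.

    Returns None when the magic is absent or the header is truncated (not
    recognised as LUKS), a dict holding only the version for LUKS2, or a
    dict describing the LUKS1 header otherwise.
    """
    if len(blob) < 8 or blob[:6] != LUKS_MAGIC:
        return None
    version = struct.unpack(">H", blob[6:8])[0]
    if version != 1:
        return {"version": version}
    if len(blob) < LUKS1_PHDR_LEN:
        return None
    (_magic, _ver, cipher_name, cipher_mode, hash_spec, payload_offset,
     key_bytes, _mk_digest, _mk_salt, mk_iter, uuid_raw) = struct.unpack(
        LUKS1_PHDR_FMT, blob[:208])
    active = 0
    for slot in range(8):
        off = 208 + 48 * slot
        state = struct.unpack(KEYSLOT_FMT, blob[off:off + 48])[0]
        if state == KEYSLOT_ENABLED:
            active += 1
    return {
        "version": 1,
        "cipher": cstr(cipher_name),
        "mode": cstr(cipher_mode),
        "hash": cstr(hash_spec),
        "payload_offset_sectors": payload_offset,
        "key_bytes": key_bytes,
        "mk_digest_iterations": mk_iter,
        "uuid": cstr(uuid_raw),
        "active_keyslots": active,
    }


def probe_device(path, offset=0):
    """Hypothetical helper: read the header region of a device or image file."""
    with open(path, "rb") as f:
        f.seek(offset)
        return parse_luks_header(f.read(LUKS1_PHDR_LEN))


# Constructed sample: a LUKS1 header with aes-xts-plain64, sha256, a 64-byte
# master key and exactly one enabled key slot. Values are made up for the demo.
SAMPLE_UUID = "0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0"


def build_sample_header():
    phdr = struct.pack(LUKS1_PHDR_FMT, LUKS_MAGIC, 1, b"aes", b"xts-plain64",
                       b"sha256", 4096, 64, b"\x11" * 20, b"\x22" * 32, 1000,
                       SAMPLE_UUID.encode("ascii"))
    slots = struct.pack(KEYSLOT_FMT, KEYSLOT_ENABLED, 2000, b"\x33" * 32, 8, 4000)
    for _ in range(7):
        slots += struct.pack(KEYSLOT_FMT, KEYSLOT_DISABLED, 0, b"\x00" * 32, 0, 0)
    return phdr + slots


if __name__ == "__main__":
    # With a path argument, probe that device/image; otherwise parse the sample.
    if len(sys.argv) > 1:
        print(probe_device(sys.argv[1]))
    else:
        print(parse_luks_header(build_sample_header()))
```

On a live system the equivalent check is `cryptsetup isLuks /dev/sdXN` or `blkid /dev/sdXN`; a header that parses but whose passphrase is unknown still tells you the cipher and key size, which is all the identification the original question needed.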