No ecryptfs-util in CentOS 7?

Support for security such as Firewalls and securing linux
owl102
Posts: 354
Joined: 2014/06/10 19:13:41

Re: No ecryptfs-util in CentOS 7?

Post by owl102 » 2014/09/16 20:55:55

XG Dong wrote:BIOS boot password
BTW: Usually a BIOS password can easily be cleared or changed, either by using a master password or by removing the battery for a while. (But this has of course nothing to do with LUKS.)

XG Dong
Posts: 13
Joined: 2014/09/04 19:20:39

Re: No ecryptfs-util in CentOS 7?

Post by XG Dong » 2014/09/17 07:29:55

drk wrote:
XG Dong wrote: Say if someone just plug my hard drive into another computer, will he be able to read my files?
No.
How is this achieved?

XG Dong
Posts: 13
Joined: 2014/09/04 19:20:39

Re: No ecryptfs-util in CentOS 7?

Post by XG Dong » 2014/09/17 07:30:56

owl102 wrote:
XG Dong wrote:BIOS boot password
BTW: Usually a BIOS password can easily be cleared or changed, either by using a master password or by removing the battery for a while. (But this has of course nothing to do with LUKS.)
Yeah...security counter measurement should consider when the bad guys have access to the hardware. That is the point of encrypting files.

drk
Posts: 397
Joined: 2014/01/30 20:38:28

Re: No ecryptfs-util in CentOS 7?

Post by drk » 2014/09/17 16:58:16

XG Dong wrote:
drk wrote:
XG Dong wrote: Say if someone just plug my hard drive into another computer, will he be able to read my files?
No.
How is this achieved?
Here is a link for information on LUKS encryption:
https://access.redhat.com/site/document ... ption.html

This link http://www.eetimes.com/document.asp?doc_id=1279619
suggests that it will take 3.31x10^56 years to brute-force break 256bit AES encryption.

XG Dong
Posts: 13
Joined: 2014/09/04 19:20:39

Re: No ecryptfs-util in CentOS 7?

Post by XG Dong » 2014/09/18 08:41:39

drk wrote:Here is a link for information on LUKS encryption:
https://access.redhat.com/site/document ... ption.html

This link http://www.eetimes.com/document.asp?doc_id=1279619
suggests that it will take 3.31x10^56 years to brute-force break 256bit AES encryption.
Hmm...would it be possible to plug in the hard drive and just sequentially read from it?

XG Dong
Posts: 13
Joined: 2014/09/04 19:20:39

Re: No ecryptfs-util in CentOS 7?

Post by XG Dong » 2014/09/18 09:14:14

Also I am wondering, since I have multiple hard drives in my machine, I was asked for the pass phrase for the SSD partition when I boot the system, but not for the storage partition(which is a RAID 1 of 2 hard drives). Not sure if they are encrypted as well...I did choose "encrypt" when I was installing the system.

My SSD partition is mapped/mounted under /dev/dm-0
My storage partition(s) are mapped under /dev/mapper/luks-blabla(so I guess it is encrypted?) and /dev/dm-2

drk
Posts: 397
Joined: 2014/01/30 20:38:28

Re: No ecryptfs-util in CentOS 7?

Post by drk » 2014/09/18 16:57:07

XG Dong wrote:Hmm...would it be possible to plug in the hard drive and just sequentially read from it?
They can read the drive but the information will essentially be gibberish.

drk
Posts: 397
Joined: 2014/01/30 20:38:28

Re: No ecryptfs-util in CentOS 7?

Post by drk » 2014/09/18 16:58:36

XG Dong wrote:Also I am wondering, since I have multiple hard drives in my machine, I was asked for the pass phrase for the SSD partition when I boot the system, but not for the storage partition(which is a RAID 1 of 2 hard drives). Not sure if they are encrypted as well...I did choose "encrypt" when I was installing the system.

My SSD partition is mapped/mounted under /dev/dm-0
My storage partition(s) are mapped under /dev/mapper/luks-blabla(so I guess it is encrypted?) and /dev/dm-2
Possibly. Post the output of "lsblk"

drk
Posts: 397
Joined: 2014/01/30 20:38:28

Re: No ecryptfs-util in CentOS 7?

Post by drk » 2014/09/18 17:26:20

They can read the drive but the information will essentially be gibberish.
Here is an example of what the LUKS encryption will do using test files instead of actual disks.

Setup a couple of test files to use as block devices and set them up for use as block devices:

Code: Select all

# dd if=/dev/zero of=regular bs=1M count=5
# dd if=/dev/zero of=encrypt bs=1M count=5
# l
total 10240
-rw-r--r--. 1 root root 5242880 Sep 18 10:04 encrypt
-rw-r--r--. 1 root root 5242880 Sep 18 10:04 regular

# losetup -f encrypt
# losetup -f regular
# losetup -a
/dev/loop0: [fd00]:135431 (/tmp/test/encrypt)
/dev/loop1: [fd00]:135405 (/tmp/test/regular)
Put an ext2 filesystem on the "regular" device and mount it:

Code: Select all

# mkfs -text2 /dev/loop1
# mkdir r
# mount /dev/loop1 r
# l r
total 12
drwx------. 2 root root 12288 Sep 18 10:07 lost+found
Encrypt the "encrypted" device, put an ext2 filesystem on and mount it:

Code: Select all

# cryptsetup luksFormat /dev/loop0
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
# cryptsetup luksOpen /dev/loop0 loop0e
Enter passphrase for /dev/loop0:

# mkfs -text2 /dev/mapper/loop0e
# mkdir e
# mount /dev/mapper/loop0e e
# l e
total 12
drwx------. 2 root root 12288 Sep 18 10:13 lost+found
Create a file and copy it to both mounted filesystems:

Code: Select all

# echo klaatu barada necktie > test.txt
# cp test.txt r
# cp test.txt e

# l -R
total 5390
drwxr-xr-x. 3 root root    1024 Sep 18 10:18 e
-rw-r--r--. 1 root root 5242880 Sep 18 10:19 encrypt
drwxr-xr-x. 3 root root    1024 Sep 18 10:18 r
-rw-r--r--. 1 root root 5242880 Sep 18 10:19 regular
-rw-r--r--. 1 root root      22 Sep 18 10:18 test.txt

./e:
total 14
drwx------. 2 root root 12288 Sep 18 10:13 lost+found
-rw-r--r--. 1 root root    22 Sep 18 10:18 test.txt

./r:
total 14
drwx------. 2 root root 12288 Sep 18 10:07 lost+found
-rw-r--r--. 1 root root    22 Sep 18 10:18 test.txt
Now see if you can find the text in the "regular" or "encrypted" files:

Code: Select all

# strings regular
lost+found
test.txt
mselinux
unconfined_u:object_r:file_t:s0
klaatu barada necktie

# strings encrypt
SJ!Jb#
2+DW
 A23
,@/T
k8t=
<more gibberish deleted>

XG Dong
Posts: 13
Joined: 2014/09/04 19:20:39

Re: No ecryptfs-util in CentOS 7?

Post by XG Dong » 2014/09/19 10:18:08

drk wrote:
XG Dong wrote:Also I am wondering, since I have multiple hard drives in my machine, I was asked for the pass phrase for the SSD partition when I boot the system, but not for the storage partition(which is a RAID 1 of 2 hard drives). Not sure if they are encrypted as well...I did choose "encrypt" when I was installing the system.

My SSD partition is mapped/mounted under /dev/dm-0
My storage partition(s) are mapped under /dev/mapper/luks-blabla(so I guess it is encrypted?) and /dev/dm-2
Possibly. Post the output of "lsblk"
Thanks for your testing example, feels much more secured now.

The output of lsblk:
Capture.PNG
output of lsblk
Capture.PNG (16.6 KiB) Viewed 2922 times
Not sure if it is necessary to hide the LUKS ID there, so I just whited it anyway. The file system I am using is BTRFS, the RAID 1 looks quite strange...

Post Reply