Loading
Encrypted File Systems
Here's a good way to protect your files. Mr. Giles explains how to encrypt your entire file system rather than individual files.
The first encryption algorithm learned by most programmers is the lowly xor algorithm. To encrypt the data, we XOR it with the key (modulo the length of the key, if we use multi-byte encryption). To decrypt the data, we XOR it with the key again.
Benefits: fast and exportable
Drawback: trivial to break
Synopsis: stops casual snooper
DES has a controversial past. It was a government-endorsed algorithm for non-classified use, but some people believe that the government deliberately introduced weaknesses. On the other hand, decades of research have revealed only relatively modest weaknesses. It is economically feasible for a large company to build a DES-cracking machine.
Benefits: strong, well-tested, 56-bit keys (The variant known as TRIPLE-DES uses 112-bit keys.)
Drawback: not exportable
Synopsis: a reasonable choice
DES was designed for hardware implementations—and is difficult to implement efficiently in software. IDEA was designed around the low-level operations common on small processors. It is not a U.S. federal standard and wasn't weakened by the dreaded TLAs (three letter acronyms, such as DEC and FBI). On the other hand, while the TLAs have undoubtedly analyzed it, they aren't talking.
Benefits: strong, tested, 64-bit keys (used internally by PGP)
Drawback: not exportable
Synopsis: a reasonable choice
RSA encryption is a relatively ineffective algorithm. Many people feel that the primary weakness with PGP lies in the 1024-bit RSA encryption of the IDEA key, not the IDEA encryption of the actual data.
Benefits: solution to public key encryption problem, 128-bit keys
Drawbacks: requires at least 1024 bits for security comparable to IDEA, very slow
Synopsis: not appropriate
Fools rush in where angels fear to tread. --Alexander Pope
Undoubtedly, some people now feel the urge to run out and write an encrypting file system. The rest of us turn to the Cypherpunks. They have published a set of patches to the 2.0.11 kernel which implement DES and IDEA encryption in “loopback” devices. The primary source for these patches is at: ftp://ftp.csua.berkeley.edu/pub/cypherpunks/filesystems/linux.
There are four patches:
loopfix-2.0.11.patch: modifications to loopback device
export-2.0.11.patch: more patches, mostly to documentation and the makefile
crypto-2.0.11.patch: export-restricted patches: DES and IDEA
mount-2.5k.patch: modification to mount to pass encryption keys.
The U.S. government continues to interpret the International Traffic in Arms Regulation (ITAR) in a manner that prohibits the export of meaningful cryptographic software via electronic means. There are no restrictions on the export of the same material in printed form or its subsequent distribution from sites outside North America.
The source code in crypto-2.0.11.patch implements DES and IDEA encryption and cannot be legally exported, even though this source is readily available worldwide. Violating export restrictions will not aid the effort to promote the free use of strong encryption, since the government could use this as proof of the need for stronger restrictions on domestic distribution.
Building the new kernel is no different than applying any other set of patches. The latest stable kernel release for which this works is 2.0.30. For convenience, I will assume it is stored in /usr/src/linux-2.0.30.tar.gz. Next, build a reference version of the kernel. Then, follow these steps:
Get the latest encrypted file system patches. For convenience, I will assume that they are the 2.0.11 patches and stored in /usr/src/cryptfs.
Apply the patches to the kernel, retaining the reference copy. On my system, this involved making a working directory, and applying the patches and fixing problems. I made the working directory by issuing the following commands:
cd /usr/src rm linux tar xzpf linux-2.0.30.tar.gz mv linux linux-2.0.30.efs ln -s linux-2.0.30.efs linux
I applied the patches using these commands:cd linux patch < ./cryptfs/export-2.0.11.patch patch < ./cryptfs/loopfix-2.0.11.patch patch < ./cryptfs/crypto-2.0.11.patch
I fixed problems using these commands:mv *.h linux/include/linux mv des.c linux/kernel mv idea.c linux/drivers/block mv loopfix.txt linux/Documentation
Configure and build the new kernel. Remember to enable the loopback device and file system encryption.
Get the source for mount and apply the required patch. Build it.
Reboot the system with your new kernel.
At this point everything should be ready to go, but I've encountered problems after builds. I believe my problem was caused by improper application of the patches, perhaps due to order-based instabilities caused by changes between the 2.0.11 and 2.0.30 and above kernels. One recurrent problem occurred with the urandom command:
od -x /dev/urandom | moreGiving this command produced kernel warning messages. If this happens to you, reinstall the kernel source and patches and check your warnings carefully.
______________________
Webcast
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Sponsored by AMD
White Paper
Red Hat White Paper: Using an Open Source Framework to Catch the Bad Guy
Built-in forensics, incident response, and security with Red Hat Enterprise Linux 6
Every security policy provides guidance and requirements for ensuring adequate protection of information and data, as well as high-level technical and administrative security requirements for a system in a given environment. Traditionally, providing security for a system focuses on the confidentiality of the information on it. However, protecting the data integrity and system and data availability is just as important. For example, when processing United States intelligence information, there are three attributes that require protection: confidentiality, integrity, and availability.
Learn more about catching the bad guy in this free white paper.
Sponsored by DLT Solutions
- RSS Feeds
- Dynamic DNS—an Object Lesson in Problem Solving
- Making Linux and Android Get Along (It's Not as Hard as It Sounds)
- Using Salt Stack and Vagrant for Drupal Development
- New Products
- A Topic for Discussion - Open Source Feature-Richness?
- Drupal Is a Framework: Why Everyone Needs to Understand This
- Validate an E-Mail Address with PHP, the Right Way
- What's the tweeting protocol?
- Designing Electronics with Linux
Free Webinar: Hadoop
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Some of key questions to be discussed are:
- What is the “typical” Hadoop cluster and what should be installed on the different machine types?
- Why should you consider the typical workload patterns when making your hardware decisions?
- Are all microservers created equal for Hadoop deployments?
- How do I plan for expansion if I require more compute, memory, storage or networking?
1 hour 52 min ago
6 hours 19 min ago
9 hours 55 min ago
10 hours 27 min ago
12 hours 51 min ago
12 hours 54 min ago
12 hours 55 min ago
17 hours 20 min ago
19 hours 11 min ago
1 day 24 min ago