
"What can I use to encrypt my Linux filesystem?":

– LUKS/LVM supports full-disk encryption (and optionally 2FA)
– ext4 supports folder-based encryption
– eCryptFS/encfs are outdated/unmaintained
– GoCryptFS uses modern crypto but leaks metadata
– CryFS uses modern crypto and hides metadata but is slower than GoCryptFS

Thanks to Mr. Schumacher from Magdeburger Institut für Sicherheitsforschung

@infosechandbook Isn't #LVM orthogonal to #LUKS? #Guix SD, for instance, doesn't support LVM yet, but does support LUKS just fine.

@amiloradovsky

– LVM means Logical Volume Manager, a device mapper to provide logical volume management.
– LUKS means Linux Unified Key Setup, and uses dm-crypt to provide full-disk encryption.
– dm-crypt is a device mapper target for transparent disk encryption.

@infosechandbook Sure. My point was just that LUKS may be used with other partitioning formats (MBR/PBR, GPT, BSD disklabels, raw linear, etc.), or no partitioning at all (filesystem right on top of the mapped device).

@GhostSlide

Just search for 2FA/LUKS using your favorite search engine. We may provide an Arch-based guide in future.

@infosechandbook oh, in the far far future or with (luck :-)) this year?

@infosechandbook I've been planning to use lvm and luks but also needed specific encryption for some folder on top. Didn't know about ext4 support for that. Is it stable and secure? Need to look into it. Thanks

@vascorsd @infosechandbook
For what it's worth, you can use LUKS/LVM on virtual block devices.

I forget the exact steps, but basically you fill a file with random data (dd if=/dev/urandom of=/whatever bs=1M count=1000), set up a loopback device for it, and then set up LUKS/LVM for it like it was a drive.

@manchot @infosechandbook interesting, another option I'll need to take a look at. That way would make it independent of a particular fs I guess, which could be nice.

@vascorsd @infosechandbook
Well it also means it exists as a regular file.

Just put superSecret.bin on your USB drive and do whatever.

@vascorsd

Linux kernels >= 4.1 support ext4 encryption out of the box.

There is a section in the Arch wiki about this:

wiki.archlinux.org/index.php/E

They recommend reading the following blog post:

blog.quarkslab.com/a-glimpse-o
