cryptsetup some folders

Hey all,
I'm planning to customise a RPi with Raspbian already running, and using cryptsetup (LUKS) to have a partition more secure for some reasons... So the goal is to move some existing sensitive folders to this new encrypted partition. Some sym-links will be used for those directories.
About Tor, if I'm not wrong, those directories can be moved to this encrypted partition : /var/lib/tor : so I'm planning to move /var...
So at final, planning to move : /home /var /tmp (why not swap file ?)
Any suggestions and master's thoughts are welcome :)
-- Petrusko EBE23AE5

On 24.10.2016 09:53, Petrusko wrote:
Any suggestions and master's thoughts are welcome :)
:-) Yes, why not use a full disk encryption? You could encrypt the root partition. I know, it's harder to do this on a running system and Raspbian doesn't offer you encryption within setup. The best thing would be an ssh shell on initrd to start the system.
Why not also encrypt the swap partition, if there is one? Raspbian uses a swapfile afaik.
http://resources.infosecinstitute.com/luks-swap-root-boot-partitions/
The passphrase to use the encrypted partitions is stored in RAM. If some of the contents of the RAM are kept in the swapfile, you could easily read this. It should be better to encrypt the swap file, too. Swapfile's previous contents remain transparent over reboots. But anyway, the swapfile in Raspbian is located in /var.
https://wiki.archlinux.org/index.php/Dm-crypt/Swap_encryption#Using_a_swap_f...
You shouldn't encrypt the boot partition unless you know what you are doing.
Having a backup of your partitions' LUKS headers is important. If a LUKS key slot or the header itself becomes damaged and you don't have a good copy to restore to the encrypted partition, the partition becomes unusable.
You can use a key file to automatically decrypt e.g. /home on boot. Store the key files on encrypted partitions.
The performance of the SD card could be very slow:
https://raspberrypi.stackexchange.com/questions/42100/performance-with-an-en...
Regards,
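
Added example, not part of the mail above or of any project named in this thread: a small shell check of a crypttab for two of the points raised there, key files kept on an encrypted volume and swap being encrypted. It assumes the Debian crypttab convention of a `swap` entry keyed from /dev/urandom; the names `audit_crypttab` and `ENC_ROOT` and the sample devices and paths are made up for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Usage: audit_crypttab CRYPTTAB ENC_ROOT
#   ENC_ROOT: directory the caller knows sits on an unlocked encrypted volume (assumption).
audit_crypttab() {
    tab=$1 enc_root=$2 has_swap=0
    while read -r name dev key opts rest; do
        case $name in ''|'#'*) continue ;; esac          # skip blanks and comments
        case ",$opts," in
            *,swap,*)
                has_swap=1
                case $key in
                    /dev/urandom|/dev/random) ;;          # fresh key on every boot
                    *) echo "WARN $name: swap key is not random per boot" ;;
                esac
                continue ;;
        esac
        case $key in ''|none|-) continue ;; esac          # passphrase entered at boot
        case $key in
            "$enc_root"/*) ;;
            *) echo "FAIL $name: key file $key is outside $enc_root" ;;
        esac
        if [ -f "$key" ]; then
            mode=$(stat -c %a "$key")                     # GNU stat, octal mode
            case $mode in
                400|600) ;;
                *) echo "FAIL $name: key file mode is $mode, want 400 or 600" ;;
            esac
        else
            echo "WARN $name: key file $key not found"
        fi
    done < "$tab"
    [ "$has_swap" -eq 1 ] || echo "WARN no encrypted swap entry"
}
# Constructed sample: device names and paths are made up for the demonstration.
demo_audit() {
    d=$(mktemp -d)
    mkdir -p "$d/enc/keys" "$d/boot"
    : > "$d/enc/keys/home.key"; chmod 400 "$d/enc/keys/home.key"
    : > "$d/boot/var.key";      chmod 644 "$d/boot/var.key"
    cat > "$d/crypttab" <<EOF
# name     device           key file              options
cryptroot  /dev/mmcblk0p2   none                  luks
crypthome  /dev/mmcblk0p3   $d/enc/keys/home.key  luks
cryptvar   /dev/mmcblk0p4   $d/boot/var.key       luks
EOF
    audit_crypttab "$d/crypttab" "$d/enc"
    rm -rf "$d"
}
demo_audit
```

On a real system the first argument would be /etc/crypttab and the second a directory mounted from a /dev/mapper device.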

On 10/24/2016 09:53 AM, Petrusko wrote:
Any suggestions and master's thoughts are welcome :)
I played a few weeks ago with folder based encryption at an EXT4FS, but gave up - it won't work reliably here (hardened stable Gentoo Linux). But maybe with kernel 4.8.x that would work ?
-- Toralf PGP: C4EACDDE 0076E94E, OTR: 420E74C8 30246EE7

Many thx for your contribution, thx to you 2 :)
I was thinking too about the full disk encryption. No problem to backup/restore current files.
Sadly Raspbian, and many others OS for the RPi, have not many options like x86 when you set up the system. That's why it can be hard to understand how to proceed with a running system, harder than set up a fresh Debian with the main useful menu with "use full disk encryption" option ;)
I'll read the links in your previous mail, it will be helpful.
Thx for your lights, to all ;)
-- Petrusko EBE23AE5

On 10/24/2016 04:04 PM, Petrusko wrote:
Many thx for your contribution, thx to you 2 :)
I was thinking too about the full disk encryption. No problem to backup/restore current files.
Sadly Raspbian, and many others OS for the RPi, have not many options like x86 when you set up the system. That's why it can be hard to understand how to proceed with a running system, harder than set up a fresh Debian with the main useful menu with "use full disk encryption" option ;)
With Raspbian, you can: 1) install normally; 2) backup with rsync to another device on LAN; 3) wipe root partition; 4) encrypt, and configure LVM2; 5) setup logical volumes, create mount points, and mount them; 6) restore from backup; and 7) fix various broken stuff. Now everything except /boot is encrypted. I have a how-to guide, if you're interested.
I'll read the links in your previous mail, it will be helpful.
Thx for your lights, to all ;)
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

On 10/25/2016 12:49 AM, Petrusko wrote:
Absolutely interested ! with pleasure :) Will it be a link, or a file...? if you prefer sending it directly to this mail address...
Thx in advance ;)
OK, I've emailed you.
Mirimir :
I have a how-to guide, if you're interested.

On 10/25/2016 03:39 AM, Ralph Seichter wrote:
On 25.10.2016 09:58, Mirimir wrote:
OK, I've emailed you.
Any particular reason to let the mailing list know you have useful information but not share it here and make it available for future list archive searches? ;-)
I'm assuming that the list doesn't accept attachments :) Basically, I stopped working on Pi, for several reasons. Mainly the USB NIC. And so my guide is just a first draft. Also, there's nothing novel there about cryptsetup. Raspbian is essentially Debian. But if anyone wants to reuse parts of it, that's cool. Just ask for a copy.
-Ralph

On 26 Oct. 2016, at 10:31, Mirimir <mirimir@riseup.net> wrote:
Any particular reason to let the mailing list know you have useful information but not share it here and make it available for future list archive searches? ;-)
I'm assuming that the list doesn't accept attachments :)
It turns them into links. They work fine.
T
-- Tim Wilson-Brown (teor) teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n xmpp: teor at torproject dot org

On 10/25/2016 05:40 PM, teor wrote:
On 26 Oct. 2016, at 10:31, Mirimir <mirimir@riseup.net> wrote:
Any particular reason to let the mailing list know you have useful information but not share it here and make it available for future list archive searches? ;-)
I'm assuming that the list doesn't accept attachments :)
It turns them into links. They work fine.
Thanks :) So it's attached. As I said, it's a first draft. Please feel free to share, revise, reuse bits, etc, as you like.
T

Your "draft" looks very good. I'm sure that it will help. Thanks a lot
On 26.10.2016 02:01, Mirimir wrote:
On 10/25/2016 05:40 PM, teor wrote:
On 26 Oct. 2016, at 10:31, Mirimir <mirimir@riseup.net> wrote:
Any particular reason to let the mailing list know you have useful information but not share it here and make it available for future list archive searches? ;-)
I'm assuming that the list doesn't accept attachments :)
It turns them into links. They work fine.
Thanks :)
So it's attached. As I said, it's a first draft. Please feel free to share, revise, reuse bits, etc, as you like.
T

I am interested too. It would be nice if you can share it. Thanks a lot
On 25.10.2016 08:49, Petrusko wrote:
Absolutely interested ! with pleasure :) Will it be a link, or a file...? if you prefer sending it directly to this mail address...
Thx in advance ;)
Mirimir :
I have a how-to guide, if you're interested.

Hi folks,
I am not sure it is more secure. What are we trying to protect here? As long as the relay is running, it is unencrypted. Disk encryption only prevents physical access - are you at risk of this? At any rate, the relay shouldn't be storing personal data.
Having it encrypted also makes remote management an absolute pain.
Can someone clarify this?
-- D
On 24 October 2016 08:53:14 BST, Petrusko <petrusko@riseup.net> wrote:
Hey all,
I'm planning to customise a RPi with Raspbian already running, and using cryptsetup (LUKS) to have a partition more secure for some reasons... So the goal is to move some existing sensitive folders to this new encrypted partition. Some sym-links will be used for those directories.
About Tor, if I'm not wrong, those directories can be moved to this encrypted partition : /var/lib/tor : so I'm planning to move /var...
So at final, planning to move : /home /var /tmp (why not swap file ?)
Any suggestions and master's thoughts are welcome :)
-- Petrusko EBE23AE5

On 25 Oct. 2016, at 21:03, Duncan Guthrie <dguthrie@posteo.net> wrote:
Hi folks,
I am not sure it is more secure. What are we trying to protect here? As long as the relay is running, it is unencrypted. Disk encryption only prevents physical access - are you at risk of this? At any rate, the relay shouldn't be storing personal data.
Having it encrypted also makes remote management an absolute pain.
Can someone clarify this?
I am not a lawyer, but I've heard that it helps to prove you have no personal data. This is harder when there is encrypted data on the machine. Tim
-- D
On 24 October 2016 08:53:14 BST, Petrusko <petrusko@riseup.net> wrote:
Hey all,
I'm planning to customise a RPi with Raspbian already running, and using cryptsetup (LUKS) to have a partition more secure for some reasons... So the goal is to move some existing sensitive folders to this new encrypted partition. Some sym-links will be used for those directories.
About Tor, if I'm not wrong, those directories can be moved to this encrypted partition : /var/lib/tor : so I'm planning to move /var...
So at final, planning to move : /home /var /tmp (why not swap file ?)
Any suggestions and master's thoughts are welcome :)
T
-- Tim Wilson-Brown (teor) teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n xmpp: teor at torproject dot org

On 10/25/2016 12:03 PM, Duncan Guthrie wrote:
Having it encrypted also makes remote management an absolute pain.
Depends on - an encrypted ext4fs needs just to be decrypted after boot as I tried in [1].
And the use case is to avoid that the private key of the tor exit relay can be accessed by somebody having physical access to the hard disk.
[1] https://github.com/toralf/torutils/blob/master/unlock_tor.sh
-- Toralf PGP: C4EACDDE 0076E94E, OTR: 420E74C8 30246EE7

On 25 Oct. 2016, at 21:16, Toralf Förster <toralf.foerster@gmx.de> wrote:
On 10/25/2016 12:03 PM, Duncan Guthrie wrote:
Having it encrypted also makes remote management an absolute pain.
Depends on - an encrypted ext4fs needs just to be decrypted after boot as I tried in [1].
And the use case is to avoid that the private key of the tor exit relay can be accessed by somebody having physical access to the hard disk.
... while the machine is unpowered. If the machine is powered, physical access likely gives them physical access to the contents of memory as well. (Not just cold boot-style attacks, but DMA hardware as well.) Tim
[1] https://github.com/toralf/torutils/blob/master/unlock_tor.sh
-- Toralf PGP: C4EACDDE 0076E94E, OTR: 420E74C8 30246EE7
T
-- Tim Wilson-Brown (teor) teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n xmpp: teor at torproject dot org

Right, it's so easy and quick to duplicate a SD card with this hardware, by only unplugging it from the board... If it's not stored under your bed, it can be useful :p
And 2nd, it can be a cool challenge to make it work ? To understand how this security software works and how to config it nicely is really cool. It's always good to make your head think about a new way you don't know ;) And exploring some new things you've never seen working... and sharing information you found with others by trying to make it work.
By this way, if I become more friendly with encrypting data and system with this test, it will be useful for future RPi installs, like mail servers and other stuff to secure by encrypting personal data... hosting some friends' backups for example...
Thx ;)
Duncan Guthrie :
Disk encryption only prevents physical access - are you at risk of this?
-- Petrusko EBE23AE5
participants (7): diffusae, Duncan Guthrie, Mirimir, Petrusko, Ralph Seichter, teor, Toralf Förster