[Centos-docs] Re: Encrypted partition short howto

Thu Sep 7 10:07:16 UTC 2006
Daniel de Kok <danieldk at pobox.com>

(Sorry for top-posting, I have just added myself to the list.)

Hi Paul,

> I've written a short howto on creating and mounting an encrypted 
> filesystem using dm-crypt.

Thanks for the HOWTO. Some (fairly trivial) suggestions for improvement:

- Although cryptsetup is in base, it would be nice to mention what
  packages are involved.
- Using a partition as physical storage is such a common use case,
  that it seems useful to me to describe this explicitly.
- The HOWTO describes writing zeros to the file that will hold the 
  encrypted file system, and how to use this file afterwards
  without any further measures to obscure the virtual device.
  This is bad, because an attacker can easily determine what parts
  of the raw file contain data blocks, and what parts contain no data.
  It is much better to set up the encrypted device first, and write
  zeros to the encrypted device (i.e. /dev/mapper/secretfs). This will
  look like random data in the raw file or partition, making it
  virtually impossible to grab data blocks for further analysis.
- The following line is fairly useless without any further
  parameters: "tune2fs /dev/mapper/secretfs"
- A wishlist item: encrypted CDs. Very handy for having secured
  backup copies.

-- Daniel
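
The point about zero-filled backing storage can be checked on the raw file or partition by counting blocks that are still all zeros. The script below is an added example, not part of the message above or of the HOWTO. The function names and the sample file are constructed here, and /dev/mapper/secretfs is the mapping name used in the post.

```shell
#!/bin/sh
# Added example: measure how much of a raw backing file is still plain zeros.

# Print "<all-zero blocks> <total blocks>" for FILE, scanned in BS-byte blocks.
count_zero_blocks() {
    file=$1; bs=${2:-4096}
    total=$(( $(wc -c < "$file") / bs ))
    zero=0; i=0
    while [ "$i" -lt "$total" ]; do
        # A block is all zeros if nothing remains after deleting NUL bytes.
        left=$(( $(dd if="$file" bs="$bs" skip="$i" count=1 2>/dev/null \
                   | tr -d '\000' | wc -c) ))
        [ "$left" -eq 0 ] && zero=$(( zero + 1 ))
        i=$(( i + 1 ))
    done
    echo "$zero $total"
}

# Constructed sample: 8 zeroed blocks, 3 of them overwritten with random
# bytes, standing in for a zero-filled backing file after encrypted writes.
build_sample() {
    out=$1
    dd if=/dev/zero of="$out" bs=4096 count=8 2>/dev/null
    for blk in 1 4 6; do
        dd if=/dev/urandom of="$out" bs=4096 seek="$blk" count=1 \
           conv=notrunc 2>/dev/null
    done
}

# The remedy from the post: write zeros through the mapping so the raw
# storage receives ciphertext. Needs root and an existing mapping; dd ends
# with "No space left on device" once the device is full, which is expected.
# Not called by this script.
fill_through_mapping() {
    dd if=/dev/zero of="${1:-/dev/mapper/secretfs}" bs=1M || true
}

sample=$(mktemp)
build_sample "$sample"
# Zero blocks mark unused space; the rest are where data blocks sit.
echo "zero/total blocks in sample: $(count_zero_blocks "$sample")"
rm -f "$sample"
```

After filling through the mapping, the same count on the raw file or partition should drop to zero, because every block then holds ciphertext.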