[NBLUG/talk] Crypt Filesystems

Jacob Appelbaum jake at nblug.org
Sun Jul 30 14:31:43 PDT 2006


Lincoln Peters wrote:
> On Jul 30, 2006, at 12:40 AM, Jacob Appelbaum wrote:
>> Hrm. That's a shame. I don't suggest you recompile your kernel for this
>> as it's not needed. Loop-aes is only a patch to the loop module and thus
>> it's not required to recompile anything unless the loop device is
>> compiled in (which it's not by default in debian).
> 
> Why not use dm-crypt?  You'd get the same results while eliminating the
> overhead of a loopback filesystem.  I can't see any advantage to
> loop-aes (or any sort of cryptoloop) unless you're trying to encrypt
> something that can't be written to the same way as a standard block
> device (e.g. a CD or DVD).
> 
> I don't know if a kernel recompile would be needed to support dm-crypt
> on Debian, as I have not used the stock kernels in Debian (i.e. I've
> built my own) for years.  You probably wouldn't, though, as the
> userspace tools for managing dm-crypt are available in the apt
> repository, and I would be surprised if they're available but the
> dm-crypt module itself isn't.
> 

Plainly, I don't trust it.

If you read this article:
http://docs.linux.com/article.pl?sid=04/06/07/2036205&tid=72&tid=14&tid=35

Notice the quote at the top about how it's similar in implementation to
cryptoloop? That's not a good sign in my book. Granted, I haven't done
an audit of the source. Here's why:
http://clemens.endorphin.org/LinuxHDEncSettings

See also:
http://docs.indymedia.org/view/Local/UkCrypto#http_www_saout_de_misc_dm_crypt
http://docs.indymedia.org/pub/Local/UkCrypto/wisa2004.pdf

The nice people at riseup have done a performance comparison for us:
http://deb.riseup.net/storage/encryption/benchmarks/dmcrypt-v-loopaes/

Here's a talk I gave in Berlin about different disk crypto systems:
http://events.ccc.de/congress/2005/fahrplan/events/1112.de.html

Google has a video of it:
http://video.google.com/videoplay?docid=1878757655471507926

Also, I found two useful tutorials that should help anyone setting up
loop-aes:
http://www.debian-administration.org/articles/81 and
http://deb.riseup.net/storage/encryption/loop-aes/

If you still wanted to go the dmcrypt route:
http://deb.riseup.net/storage/encryption/dmcrypt/

Best,
Jacob


