USB booting :: USB Pendrive with encrypted /home



Hi,
It is quite important for me to keep my data encrypted on USB drives because they easily get lost...

So I've made a modification to the linuxrc script from the initrd so one can pass an option to the kernel, "encrypted=<device>", where device is an encrypted filesystem (aes256, ext3). During boot you will be asked for the password. If mounting fails you can retry. Then home & var from the enc. fs are linked to / and voilà.

I've divided my USB into two partitions: vfat with grub and the compressed root filesystem = free space for files, and a 50MB encrypted ext3.
One can create an encrypted partition on a running DSL with:
losetup -e aes256 /dev/loop0 /dev/<device>
mkfs.ext3 /dev/loop0
losetup -d /dev/loop0

Then boot it with other bootflags...
Is somebody interested? Might it go upstream?
Some files:
https://thera.be/my_public/DSL-enc
Inside of linuxrc I've inserted a credit, so you can search for the modifications by "bla"... I generally don't care about the credit itself.

IMAGE-encryption.bz2: there is a compressed image of my whole 512 USB memory... rather useless! But you can try it... Password for encrypted /home on that image is "dummydummydummydummy".

PS. I don't know how to, in an elegant way, stop DSL from overriding /home/.* files!
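
The boot-time flow described in the post above (read "encrypted=<device>" from the kernel command line, attach, mount, retry on failure), as an added sketch that is not the poster's linuxrc. The function names, the /mnt/enc mount point, the retry limit and the overridable *_CMD variables are assumptions; the default losetup call is the one quoted in the post.

```shell
#!/bin/sh
# Added sketch, not the linuxrc from the post. Function names, /mnt/enc and
# the retry limit are assumptions; the losetup default is the post's command.

# Print the device named by encrypted=<device> in a kernel command line.
# Fails if the option is missing or the value is not a plain /dev/ path, so
# a mistyped boot line never reaches losetup.
parse_encrypted_opt() {
    dev=""
    set -f                          # boot parameters must not glob-expand
    for word in $1; do
        case "$word" in
            encrypted=*) dev=${word#encrypted=} ;;
        esac
    done
    set +f
    case "$dev" in
        *..*|*[!A-Za-z0-9/_-]*) return 1 ;;
        /dev/?*) printf '%s\n' "$dev" ;;
        *) return 1 ;;
    esac
}

# Attach and mount, retrying up to $3 times (default 3).
# $1 = device, $2 = mount point. The *_CMD variables let the loop be
# exercised without root or a real device.
mount_encrypted() {
    dev=$1 mnt=$2 tries=${3:-3} n=1
    while [ "$n" -le "$tries" ]; do
        # losetup prompts for the passphrase on the console.
        if ${ATTACH_CMD:-losetup -e aes256 /dev/loop0} "$dev" &&
           ${MOUNT_CMD:-mount -t ext3 /dev/loop0} "$mnt"; then
            return 0
        fi
        # Mount failed (e.g. wrong passphrase): detach before the next try.
        ${DETACH_CMD:-losetup -d /dev/loop0} 2>/dev/null || :
        n=$((n + 1))
    done
    return 1
}

# In an init script (not executed here):
#   dev=$(parse_encrypted_opt "$(cat /proc/cmdline)") &&
#       mount_encrypted "$dev" /mnt/enc
```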

We currently offer the protect boot option for just such purposes. This option encrypts the backup file. I made this setup just for pendrives and the fact that they get easily lost.

With a pendrive, as with other flash devices, you do not want to have a persistent home or other writeable directories on the pendrive, given the limited life in write cycles. Running DSL as designed, with large static extensions separated from any backup, they become write once, read many. Therefore the backup should remain rather small, and home and opt being in ramdisk does not affect the write cycles.
Therefore the only writes occurring to the pendrive are when performing the backup. Using the protect option secures that sensitive/personal file.



Bla -

*WARNING*

Never use single-key loop-aes v.1.x in dsl!

It's old and is *broken* encryption-wise. Your data is vulnerable to attacks.

If the 'protect' tarball encryption is not enough, use multikey v.3.x loop-aes in dsl-n or knoppix. I think you can probably mount your single-key encrypted partition with v.3 loop-aes in dsl-n, make a multikey encrypted partition with loop-aes v.3, mount both, then copy your data across from your unsafe partition to your new safe partition.

Then umount your old partition and *shred* the whole thing many times. Or use wipe -b /dev/hdwhatever

Also, never try to mount your v3 loop-aes partition with the old loop driver in dsl - you might bork your data.

Also - don't use swap, or, if you do, encrypt it.