jump to navigation

encrypted filesystem on Linux February 9, 2007

Posted by TSAI HONG-BIN in Linux.

Here is a benchmarking report done by Justin Korelc and Ed Tittel


I’ve surveyed several crypto filesystems and (whew..) finally made my choice to apply dm-crypt + LUKS. Here I’ll give some quick info about the alternatives. One may ask, which is “more secure” than the other? Since I don’t have sufficient time to do in-depth  security analysis, (Please be aware that “security” encompasses “algorithm” and “implementation”,) I’ll not jump to any conclusion by “feelings”. You may find assertion from others around the internet. If you find any convincing security analysis proved by concrete theoretical deduction or experiment, please let me know.

As for algorithms, generally speaking, the 5 finalists of AES: MARS, Serpent, RC6, Rijndael, Twofish are one way or another more secure than old symmetric ciphers such as DES, blowfish. If you don’t know how it works, just pick something looks like aes-256. No matter what crpto-algorithm you are going to use, you’d better be sure that your kernel supports that algorithm. (go check /lib/modules/(`uname -r`)/kernel/crypto/*) As for some userspace program, such as TrueCrypt, has implemented crypto-algorithm itself. So that users can decrypt data on a host OS without kernel’s support.

One more tips, you should be clear at your needs. Is the encrypted filesystem going to run for a multi-user system? Is the portability a requirement? Is it going to be placed in embedded system? You should first understand what kind of security features you’re going to achieve in your system, what is the constraint, then you pick one that best suits your need.

kernel space ->

dm-crypt + LUKS: included in mainline kernel, block-level encryption, can be formated as any kinds of file system. Easy to setup by a userspace program “cryptsetup,” which is a static binary file. That’s kindda handy because then you don’t have to worry about missing libraries or version-mismatch.

ecryptFS: a stacked filesystem included in mainline kernel, one big problem is its compatibility. ecryptfs currently requires kernel version 2.6.19 or above, and requires you to run ext3 or jfs. As for other filesystem, it’s not done yet.

loop-aes: not included in kernel, That’s one of the big problem. Some people claim that it’s faster, more secure, but no supportive data is given.

user space -> 

EncFS: Need FUSE support. EncFS communicates with data through glibc and libfuse, so you should be aware that if the disk you’re going to encrypt is a portable HDD, the host OS must have these libraries installed. Besides, EncFS leaves metadata of files plaintext. If you really don’t want any information, I mean “ANY,” say, file name, file attributes, file size …etc. to be disclosed. Try another solution.

truecrypt: open source, kinnda handy. But still, if your data is portable, that program should be with you too.



No comments yet — be the first.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: