Results 1 to 7 of 7

Thread: Encrypted filesystems

  1. #1
    Newbie
    Join Date
    Jun 2006
    Posts
    8

    Encrypted filesystems

    Hi everyone.

    I've been thinking about this idea on and off for as long as I've been umm-ing and ahh-ing about a Car PC: to have the in car's disks encrypted. This would mean that if the PC is stolen, any data is protected, and there is also the supreme geekiness of the venture.

    So far my car PC sitting on the floor in the house. I have some of the hardware... I need a pocket PC for the front end, various power stuff, and a case for the whole system. Oh, and a car Mine failed it's MOT, and it's uneconomical to fix. So I'm keeping half an eye on ebay and autotrader, and using my Mother's Honda Jazz in the meantime. It's a nice new car, but it's aimed squarely at the older driver, and it shows with its awful acceleration.

    I don't really have much of an idea how to do an encrypted filesystem with Linux.... I've googled a bit and it looks like you use libcrypt and loop-back devices, and it seems there could be rather a lot of CPU overhead.

    Ideally I'd plug a USB stick into the dash of the car, by the ignition, and this'd power on the laptop. My current machine (Tosh Portege 7020CT) can't boot from USB, so I guess I'd have to have an unencrypted /boot partition on the HDD. The machine'd boot, read the encryption key from the USB stick, decrypt and mount /, and carry on booting.

    Has anyone done anything like this? I should think it'd be quite easy to fashion up a button/switch inside a USB socket, so this could be hacked into the power button on the computer. A script could halt the PC upon device removal.

    I also plan to have automated music sync onto my car PC, by getting it to power on at night using a BIOS feature, connect to the home WLAN, and rsync with a server. With an encrypted filesystem, and the USB stick on my car keys, booting up would be a problem. The initrd would have to contain enough to get the PC onto the WLAN, then the filesystem encryption key could be loaded off the network.

    As I said, I don't have a car of my own at the moment, and my first car PC is very must in development too, so I should think I'd try a fully encrypted system would be at least version 2 of my rig. But food for thought in the meantime

    Nick

  2. #2
    Variable Bitrate rubicon's Avatar
    Join Date
    Feb 2005
    Location
    $240 worth of puddin'
    Posts
    297
    Another Linux user - bravo! Now, where to start ...

    Ok, your ideas get an 'A' for geekiness, but I'm not sure how useful it'd be to have *everything* encrypted: the overhead for keeping a multi-gig music partition encrypted would [probably] be substantial, and you wouldn't gain much. Surely an encrypted boot/root would be fine, with a normally-mounted XFS or JFS music partition; unless the theoretical thief knows anything about Linux, the music would be unavailable - and if they do, your machine is already gone anyway, so who cares? You could always put a software dead-man's switch in: three or more boots without properly authenticating wipes the music partition ...

    Places to start for encryption:
    I use loop-AES to encrypt some sensitive stuff on the back-end, like my SSL CA. It supports GnuPG, as well as plain password-authenticated crypto. Folks have been talking about using dm-crypt instead of the cryptoloop driver; haven't tried it yet myself, since my uses for crypto are infrequent.

    You'll probably want to rethink the idea of using a Pocket PC as a front-end: not sure how useful it'll be when you're traveling at speed or stuck in traffic.

    As for the "plug-in-a-USB-stick-and-go," I like the idea. On a side note, you might want to look at something like this: it won't provide any storage for a private key, but it's got other pluses, and I've been looking into integrating it into my CarPC.

    Have you settled on a distro? I recommend Gentoo, since you can customize it up the wazoo. A lot of folks complain that it's not worth the extra compile time to gain a few percentage points of performance, and I'd agree WRT servers or the desktop. For a CarPC, though, it's my OS of choice, since my board (a VIA Epia M10k) isn't exactly a screamer without some tweaking.

    On another side note, have you been able to get X11 working on the Portege'? I've got one, and haven't been able to thus far.

    Good luck!

  3. #3
    Newbie
    Join Date
    Jun 2006
    Posts
    8
    Quote Originally Posted by rubicon View Post
    Surely an encrypted boot/root would be fine, with a normally-mounted XFS or JFS music partition; unless the theoretical thief knows anything about Linux, the music would be unavailable - and if they do, your machine is already gone anyway, so who cares?
    Oh yes, a car thief is unlikely to know what the software is, but I don't fancy them getting a music collection out of their actions. The ability to encrypt the whole machine is almost fascinating to me, and to be honest I am a privacy geek too, so setting up something like this'd be cool The possibilty of making the car PC essentially a brick to a thief is nice too.

    Encrypted partitions is something I'd do to a car PC in a future version, but I'll probably have a play with VMWare in the meantime. I'll be able to see what the CPU overhead is like, and then decide if I should do it on my real machine.

    Quote Originally Posted by rubicon View Post
    You could always put a software dead-man's switch in: three or more boots without properly authenticating wipes the music partition ...
    Now that I'd trigger myself, no doubt!

    Quote Originally Posted by rubicon View Post
    Places to start for encryption:
    <snip>
    Cheers, I've bookmarked them and will have a look in time. I'd seen similar stuff when googling before, but those links look particularly good.

    Quote Originally Posted by rubicon View Post
    You'll probably want to rethink the idea of using a Pocket PC as a front-end: not sure how useful it'll be when you're traveling at speed or stuck in traffic.
    I skipped over the details with that.... I'm going to use a VNC client on the PDA and connect over an ad-hoc wireless LAN to a Tight VNC server. The X session will possibly run no window manager, and just an MP3 player. Noatun is looking most likely at the moment, with a custom skin suitable for full-screen on the PDA. I can then prod at the PDA mounted on the car's dash with a finger, or other people in the car can queue up music, as the screen is easily portable (and totally wireless). I'm doing music playing only, but the laptop is also going to havs a GPS and kismet on a second wireless adapter, warlogging.

    The PDA might be able to do sat. nav. if Tom Tom or the like can talk to gpsd on the LAN (unlikely), but I really dislike sat nav currently. I can read a map fine, and have a sense of direction, so I can get by without sat nav.

    I might also be able to get a kismet client for the PDA to be able to connect to the kismet server on the laptop, and so see what the laptop can see. But I haven't got a PDA yet, so this is all pie in the sky

    Quote Originally Posted by rubicon View Post
    As for the "plug-in-a-USB-stick-and-go," I like the idea. On a side note, you might want to look at something like this: it won't provide any storage for a private key, but it's got other pluses, and I've been looking into integrating it into my CarPC.
    That does look quite cool. Similar could be done no doubt with a bluetooth adapter and have it look for my phone. A mate can do this on Windows with some piece of software... might be the BT stack software or phone software...

    Quote Originally Posted by rubicon View Post
    Have you settled on a distro? I recommend Gentoo, since you can customize it up the wazoo. A lot of folks complain that it's not worth the extra compile time to gain a few percentage points of performance, and I'd agree WRT servers or the desktop. For a CarPC, though, it's my OS of choice, since my board (a VIA Epia M10k) isn't exactly a screamer without some tweaking.
    I am still essentially a Linux n00b, but I've been using DOS then Windows for years, Commodores before that, so can use a computer. I've used Linux for various things, including trying it on the desktop several times, usually for about a week before going groveling back to Gates. I've been successfully running my mail server on a Slackware box I built for about 4 years now, I've run various firewalls, and VMWares, but this car PC is really making me have to understand stuff.

    My choice for the car PC is Slackware 11, but running a 2.6 kernel rather than the default 2.4. My Linux n00bness shows here, as it was only a week or 2 ago I first changed to 2.6.18 from the /testing directory on the DVD, and I'm still a kernel compile virgin: I've never built my own kernel. Part of what I like about Slackware is that it doesn't have much fluff to get in your way, but on the flipside nearly everything needs fiddling with before it works or works as you want. But to me that's a good thing, because then I know the computer isn't doing something stupid behind my back! Years of MS products has turned me into a bitter cynic, so Slackware's mentality is a refreshing change.

    Quote Originally Posted by rubicon View Post
    On another side note, have you been able to get X11 working on the Portege'? I've got one, and haven't been able to thus far.
    It worked on its own after a fresh Slack install, but that was using the vesa driver I think. To me it seemed analagous to Windows using its VGA driver when it doesn't know what the graphics card is. I mooched around the 'net and found a few howtos for the 7020 (it seems like it is quite a good laptop for Linux), but in the end I used a program/script that came with the distro, but might be part of X.org, xorgconfig. I think I then fiddled with the X config files as per what a howto or 2 said, and it seems to work much better now than to start with. I haven't tried the external VGA on the docking station, but I don't need that working. My Portege won't be in a docking station when in the car.

    These bits of my xorg.conf might help? :
    Code:
    Section "Device"
        Identifier  "** NeoMagic (generic)                 [neomagic]"
        Driver      "neomagic"
    EndSection
    
    Section "Screen"
        Identifier  "Screen 1"
        Device      "** NeoMagic (generic)                 [neomagic]"
        Monitor     "My Monitor"
        DefaultDepth 16
    
        Subsection "Display"
            Depth       8
            Modes       "1024x768" "800x600" "640x480"
            ViewPort    0 0
        EndSubsection
        Subsection "Display"
            Depth       16
            Modes       "1024x768" "800x600" "640x480"
            ViewPort    0 0
        EndSubsection
        Subsection "Display"
            Depth       24
            Modes       "800x600" "640x480"
            ViewPort    0 0
        EndSubsection
    EndSection
    The machine should be capable of 1024x768 at 24bit too, as it has two and a half meg of video RAM I believe, but I was happy enough with just 16bit working so I didn't bother to "fix" my config. I didn't need to get X working on the laptop's display anyway as I'm going to be using Xvnc, so I only made minimal effort to make X load a better driver, but IIRC glxgears went from 20ish to 70ish fps after changing to the neomagic driver.

    Quote Originally Posted by rubicon View Post
    Good luck!
    Thanks.

    This is Linux though, not Windows, so I don't think I need luck, I just need to RTFM!

  4. #4
    Low Bitrate
    Join Date
    Mar 2004
    Posts
    89
    I have never tested it, but I have noticed that during an installation of SUSE you have the option of making a filesystem encrypted. I am not sure what type of encryption is needed of if it uses any special drivers.

  5. #5
    Newbie
    Join Date
    Nov 2006
    Location
    Akron, Ohio
    Posts
    7
    The URL's given rubicon above should be all you need to get it set up, but thought I'd give a few notes on personal experiences.

    Encrypting root will be tricky, especially with how you want to do it, and the benefits are few. The only file in / that's usually of any concern on a basic system like this is /etc/shadow. I'd just use different passwords on my carputer than what I use elsewhere, which would be a good idea regardless of what you do. I would recommend just encrypting /home and/or your music partition if it's separate from /home. This way your startup scripts could have a couple if/then statements to check for a usb thumb drive with the encryption key, then check for a network resource with the encryption key. If neither exist, then it doesn't try to mount that partition. You'd have to set it noauto in fstab and write your own script for it, of course.

    As for overhead, with todays hardware it is incredibly negligible. I had a 300gig encrypted partition on a 550mhz system and the load was minor, so I wouldn't be concerned on that aspect.

    -Link

  6. #6
    Newbie
    Join Date
    Jun 2005
    Location
    Maryland
    Posts
    16
    I am not an encryption professional, and actually know very little about it, but I did come across this program for windows and linux, which can use a password or keyfile (files present on a USB dongle or elsewhere), and it is free of course:

    http://www.truecrypt.org/

    I've been meaning to try it out.

    Also, have you thought about placing the entire linux distro on the USB key? Puppy linux or DSL will fit. Use an initrd to load and mount the usb key from the HD (HD has the kernel and initrd on it), then set the root to the USB key root directory, and exit the initrd. Use an encryption program, mount your repository, and your done. Make the USB key a read-only FS, then damage to the key if turned off or removed would not be a problem. I run my car PC distro as readonly for this reason.

    Puppy Linux loads completely in RAM, and can be modified. Runs a 2.6 kernel, and is fast on slower hardware. Also comes with lots of software and options. Maybe worth looking into:

    http://www.puppylinux.org/user/viewpage.php?page_id=1

    Also check out Puppy Unleashed to create your own distro.

  7. #7
    Variable Bitrate red_parchel's Avatar
    Join Date
    Jul 2006
    Location
    Boston, Ma
    Posts
    276
    That does look quite cool. Similar could be done no doubt with a bluetooth adapter and have it look for my phone. A mate can do this on Windows with some piece of software... might be the BT stack software or phone software...
    here http://gentoo-wiki.com/TIP_Bluetooth_Proximity_Monitor
    this may help
    MobileThree: in car - Zotac Atom/ION - linuxICE 2.0.2

    --worklog--

Similar Threads

  1. Windows EFS (Encrypted File System)
    By roadhog in forum Off Topic
    Replies: 3
    Last Post: 02-26-2006, 06:24 PM
  2. Laptop HD, password encrypted - break it?
    By kiltjim in forum General Hardware Discussion
    Replies: 10
    Last Post: 12-03-2004, 12:39 PM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •