Sunday 3 August 2008

Encrypting data in Hardy...

Think of this post as a more or less of a response to David Thomas' post about how to encrypt data in Ubuntu... However, as a little warning, this has the potential to cause you issues depending on where you are travelling, what is the political climate like where you are going, or if your country has regulations about using encryption. I'm thinking France here, for example, where if I'm not mistaken you are not allowed to use specific encryption algorithms like 3DES or AES? If I'm mistaken, please let me know.

As for me, I'm only using it as a theft protection device, don't want people to have access to sensitive data that could be on my drive if I forgot my laptop somewhere or had it stolen.

Anyway, so you can encrypt your whole disk in Ubuntu. This feature has been available since Gutsy in the installer, where it will permit you to partition your whole disk using LVS and LUKS or some other system. You could also do the partitioning yourself, provided you remember to create the partition for "physical volume for encryption" first, and then use that as a "physical volume for LVS"... You'll also need to have /boot separate, unecrypted. Here's a nice overview of using the installer to encrypt the whole drive: http://learninginlinux.wordpress.com/2008/04/23/installing-ubuntu-804-with-full-disk-encryption/

Also, you can use another very nifty tool called TrueCrypt. Sadly, while some GUI (or so they seem, at first glance) tools exist in the repositories to interface with Truecrypt, the actual software still doesn't appear to be available. You can however get it here, on the official TrueCrypt website.

To setup a truecrypt drive, plug a USB key for example, run truecrypt, select the device and options and follow the directions. I've found that they are all pretty clear. I personally use this to secure my GPG key and lists of contacts... Oh, and my hackergotchi too :)

TrueCrypt happens to have this interesting feature where you can hide an encrypted volume inside another one, and thus benefit from "plausible deniability", since if only the outer volume was decrypted, the data contained (which would effectively be your inner encrypted volume) would not be distinguishable from random data -- still, I probably wouldn't let my life depend on people's lack of curiosity.

Anyway, using these two options, and strong passphrases, you would be able to deter most attempts at reading your personal, sensitive data, and you won't have to worry about the proprietary company information you were carrying to be viewed by your laptop's thief.

For now though, there's still nothing more secure than keeping sensitive data in your head only. Encryption can always, given enough resources thrown at it, be cracked, so this just one more thing to ... keep in mind.

No comments: