Monday, May 6, 2013

Encrypted folders with Linux/MACOSX

One cool feature of Linux/MACOSX is the native support for encryption. A lot of people harp on TrueCrypt, but you have native encryption support in the OS. Here we will look at both MACOSX and Linux native support for encryption.

First, let's craft an encrypted volume and dmg.


When you first build the image, it will ask you for the passphrase for the image, and rate your level of security.





Now when you click on that encrypted dmg file, it will prompt you for the passphrase. With AES, the encryption is very tight, and with a strong passphrase you will have the ultimate in security. AES256 supports strong encryption, and both are military-grade encryption.

You can also mount the disk image from the command line:






Okay, let's move on to the Linux OS.


First you have to install the encryption fs utility pkg. Here I'm using apt-get install:




Now to craft an encrypted folder, we would do the following:


It's guided, and will give you a choice of encryption ciphers. I believe the default of AES is 128-bit key strength, with the option of a 256-bit key.

There you have it, 2 ways to encrypt a folder. Now I know a lot of you are going to argue full disk encryption (FDE) is supported, blah... blah... blah..., but here we can encrypt folders or volumes that we can easily move around or transfer between users or systems.

Try moving around a fully encrypted file system and get back to me on that, LOL


Next, with encrypted folders/volumes, you only place the files of importance within that folder. Not all data imho needs to be encrypted. In my day-2-day practices, I place my tax returns, logins, certs, keys, important word/excel docs into my encrypted folder.

Regardless of whether my computer is lost in transit, let's say while flying, in a break-in, or to somebody within TSA with sticky fingers, my data (important files) is 100% secured, and I can go to sleep & rest assured that my sensitive data is protected. Just like with my earlier post on PGP, don't save the key on the host. A combo lock is of no use if you write the combo on the backside of the lock :)

I will point out some of the pros/cons with TrueCrypt, Linux and MACOSX.


TrueCrypt
  •  supports numerous ciphers
  •  more ciphers with 256-bit key support
  •  supported in most OSes
  •  free source
  •  very well documented & detailed
  •  encrypts volumes, disk partitions and storage devices on-the-fly

Linux enFScrypt

  •   supports numerous ciphers, both with 128/256-bit keys, and supports 128- or 64-bit blocks
  •   very well packaged
  •   free
  •   supports simple encryption

MACOSX (as of Lion)

  •   only supports 2 ciphers (AES128/256)
  •   simple management via the GUI
  •   easy to use for the typical end user
  •   nothing to install, it's part of the OS

In all three, the key is stored in RAM, so if someone has access to the host and can read kernel memory (e.g. /dev/memory), you could be compromised.
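Since the key sits in RAM whenever a folder is unlocked, it is worth checking what is still mounted before the laptop leaves your hands. The script below is an added example, not part of the original post: it assumes the Linux folder is mounted through eCryptfs or EncFS (the post does not name the package), and the mount table it parses is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post): report encrypted folders that are
# currently mounted, i.e. whose keys are held in memory right now.
# Assumption: the folder is mounted through eCryptfs or EncFS on Linux.

# Print "mountpoint fstype cipher key_bits" for each unlocked encrypted mount.
# $1 = file in /proc/mounts format (default: /proc/mounts).
list_unlocked() {
    awk '
    $3 == "ecryptfs" || $3 == "fuse.encfs" {
        cipher = "unknown"; bits = "unknown"   # EncFS does not expose these here
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) {
            if (opt[i] ~ /^ecryptfs_cipher=/)    cipher = substr(opt[i], 17)
            if (opt[i] ~ /^ecryptfs_key_bytes=/) bits = substr(opt[i], 20) * 8
        }
        print $2, $3, cipher, bits
    }' "${1:-/proc/mounts}"
}

# Succeeds only when no encrypted folder is mounted (check before travel/suspend).
all_locked() {
    [ -z "$(list_unlocked "$1")" ]
}

# Constructed sample mount table, not captured from a real system.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/home/user/secure /home/user/secure ecryptfs rw,relatime,ecryptfs_sig=0123456789abcdef,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs 0 0
encfs /home/user/vault fuse.encfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
EOF
}

# Demo run against the constructed table.
tmp=$(mktemp)
sample_mounts > "$tmp"
list_unlocked "$tmp"
all_locked "$tmp" || echo "encrypted folders still mounted; unmount before leaving the host"
rm -f "$tmp"
```

Run `list_unlocked` with no argument to check the live `/proc/mounts` instead of the sample.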


Ken Felix
Freelance Security/Network Engineer
kfelix --at-- hyperfeed --dot--com
