How to hide the entire file system

Simple file encryption has its own benefits, but it is sometimes useful to encrypt the entire file system or encrypt the entire drive. As in the case that you need to protect a large set of files, or sometimes not only to protect, but you also need to hide the entire presence of sensitive data before prying eyes. In such cases, which solution is effective for you? This article will provide some options to help you protect your system more safely.

If you already have a dedicated encrypted partition or drive, what you need now is just a password or decryption key to open all protected files. Some solutions even allow you to encrypt both the root and intermediate partitions. However, there are some disadvantages that are sometimes significantly reduced (and unfortunately, this is one of the security assessment criteria). The truth is, if an attacker finds your decryption key (or if it is accidentally revealed by the owner), you can say goodbye to all your protected files.

Loop loop device and dm-crypt

Currently, the main method used in system file encryption in the Linux kernel is the loop loop device driver and the device mapping system (using dm-crypt target ). If you intend to use a loopback device, loop-AES is the best option. It is one of the most complete hard disk encryption methods for Linux and its smart README tutorial file provides some significant real examples of system file encryption.

Dm-crypt is packaged with a 2.6 kernel series and provides better performance and security than loop loop device drivers. Its composition is also richer.

The most promising project to use dm-cryp seems to be LUKS. The purpose of the project is to provide a standard disk format, making data transfer protected between distributions easier. Besides, it provides multi-key management program (a large extension) and encrypted partitions that can be accessed in Windows via FreeOTFE (even larger extensions).

Methods of using FUSE

The other two applications have a different approach. Both CryptoFS and EncFS are encrypted file systems running on top of FUSE, a package that allows users to create system files in user space and manipulate it without having root privileges with many things. other. With these applications, the file (and their name) is encoded and contained in a normal directory. Users must select another folder as a setpoint for the encrypted file system: encrypted data will be decrypted there, using a decryption key. If there is no resolution key, there is no way to open the directory with decrypted files.

CryptoFS and EncFS achieve a good balance between security and user convenience. System files created with FUSE can be scaled to any size, in contrast to the looping method that requires creating a fixed-size partition. However, with a careful user object, they realize that there is a big disadvantage in using FUSE file system: if you look inside the normal folder, anyone will still see the total number of encrypted files. How much, calculate their actual size and check possible permissions.

A recent study comparing EncFS and CryptoFS with LUKS indicates that LUKS is more hands-on in executing files.

eCryptfs

Another option that tends to reverse the Linux kernel is eCryptfs. You will need to use the kernel module and user space utilities to install and use it. eCryptfs provides a stacked file system, which means it works at the top of another existing file system and its call stack (so some file systems like XFS can be Causes of many problems).

An improvement when using eCryptfs is enough for you to be assured: eCryptfs is a natural file system type in Linux and does not need to be operated through FUSE or RPC calls. That means it is less dependent and easier to develop. Cryptographic metadata of each file is stored in their header, making data transfer and backup easier. Components such as key management have been provided. Some other components, such as file name encoding are being planned in the near future.

Encryption can be denied

In some cases, data not only needs to be protected but also to avoid prying eyes of many others. In some countries there has been a law that states citizens may be imprisoned if they refuse to provide encryption keys for encrypted files to authorities. Therefore, the best protection therapy sometimes is to not have encrypted data up.

Some steganographic tools allow users to hide data discreetly 'after' other files (usually image or audio files). However, when you have multiple files to hide or their sizes are too large to be behind a simple .jpg file, it is best to use a steganographic file system.

A recent interesting proposal is the steganographic MP3 file system. The most used method is simply to create hidden encrypted partitions. But not only that, they also allow users to create layers within the partition, with different passwords for each partition. When forced to provide a password for a hidden partition, the user can give them a password to access the floor containing the fake data. A floor is independent and does not know each other, so it will not be possible to show the existence of another floor. Therefore, you can refuse to provide information wisely and reasonably.

Steganographic system files have some drawbacks. Because hidden data must be distributed randomly across the entire drive or partition, tracking cannot be performed. And they can be overwritten by normal file operations in visible partitions. Data conflicts may also appear. The speed of file execution with this file system type is also unusually poor. But the worst is that almost all projects that I know cannot be deployed, or deployed halfway. Examples are Rubberhose, Phonebook, and StegFS, MagikFS, projects that are promising in theory. Hopefully they don't have the same fate as other projects.

There is a pretty nice tool with good maintainability, using reusable encryption: Truecrypt. In addition to allowing the creation of simple encryption partitions, Truecipt also creates hidden drives, where an 'external partition' is encoded to hide fake data. And therefore, a smaller 'inner partition' cannot be created. Its data is kept in the free space of the external partition.

If you read the accompanying documentation, you'll see Truecrypt finds some way to avoid the problem of data interruption and file execution associated with steganographic system files. Besides, it is easy to install and use, there is also a version for Linux with Windows. (You will need the kernel source to install it on Linux). It is one of the best hard drive encryption solutions for both operating systems.

Security - please prioritize

Someone once said that security is a state of intellect. Because no one else is the one who keeps your system safe and not the software you use. There are always some vulnerabilities on all systems when encrypting files or even encrypting inaccessible drives. Each time you access a file, a copy of it can be created in the swap space or in temporary folders. The history file on your shell will display the most recently used commands. Many applications retain backup copies of the files they create. And the text you just printed or deleted from the hard drive can still be recovered from the printer pipe. Your decryption key should be written on paper or stored in a mobile device (memory card, CD) and stored in a safe place. Placing a difference between the two options is a little more paranoid (preparing for possible incidents) than being careful.

And lastly, if you are using FreeBSD, you can try CryptoFS and EncFS via Fuse4BSD. You should also keep an eye on CGD (NetBSD) and GBDE. For more information on steganography and data hiding, you can refer here. I should also note that you should not simply remove the normal file encryption mechanism after encrypting the file system. Instead, consider a solution that combines both. And, if you have enough resources, think of a hardware encryption solution like the Trusted Platform Module.