You might want to look at cryptsetup to encrypt your Linux root partition. You can make a custom initrd to decrypt it at startup. I am going to post a tutorial one of these days when I get around to testing it. As far as encrypting Windows, the major caveat with whole disk encryption is that the boot loader needs to handle the encryption/decryption routines(Kinda like a marriage between cryptsetup or loop-aes and syslinux), and then kick off the OS specific bootloader(s), and as far as I have seen, there aren't many of those. If someone could figure out how to keep a very small Linux kernel between Windows and the harddisk then cryptsetup might be feasible. For example, your bootloader loads a small vmlinuz and custom initrd with cryptsetup, prompts your for the volume password, and then transfers control to the OS kernel, say ntldr, but the Linux kernel is still sitting between the OS and the disk handling the encryption/decryption, sounds familiar, doesn't it, think VM's and hypervisors. I can envision future disk encryption technologies using vm hypervisors to handle encryption/decryption...
missed
...but (with respect, Elazar) you missed the whole point.
I believe the original question was concerning 'Whole Drive Encryption'.
What you postulate as your vision is already here. These forms can already be done. To achieve a satisfactory schema one needs external booting and key safe.
(Your early link was to quite a good paper).
Lux sit
Point taken. Cryptsetup is not whole drive encryption because it is not OS independent. I mentioned it because it will solve half of his problem and to possibly pique interest in building a kernel that can handle disk encryption regardless of the OS.Originally Posted by blackfoot
That link describes a method that is not OS independent, hence lacking the "whole drive" capability. As I mentioned previously, my theory is to build a Linux kernel with Cryptsetup that can handle drive encryption regardless of the OS, because it sits between the OS and the drive. Keep in mind that whatever boots the drive cannot be encrypted, whether it is on or off the drive. The end result is a method very similar to the way virtual machines function, given that most modern processors have vm optimizations, I envision whole disk encryption using already available vm technology where the OS(s) are encrypted and the unencrypted hypervisor handles the encryption/decryption process.What you postulate as your vision is already here. These forms can already be done. To achieve a satisfactory schema one needs external booting and key safe.
(Your early link was to quite a good paper).
cfs
Cryptographic File System is available.
Linux has export control restrictions if it emanates from the USA.
Since it bootstraps into existence it must use an external drvier to start proceedings. To do otherwise is not possible since the script would be encoded and the interpreter would not be able to decrypt it.
You might note it is not my wish to go into a protracted debate. This is only a marginal issue here. My own option has always been to stay with OpenBSD and CFS. This distribution is not up to that, nor seeks to be.
Lux sit
Agreed. I took a quick look at CFS, its pretty cool. I don't have any experience with OpenBSD, I will have to check it out one of these days...
Whole disk encryption options
Hello,
I'd love to post some links, but since this is a new account, the software won't let me.
Google for "LINUX UNIFIED KEY SETUP dm-crypt" and the first response has lots of links how to do this from various distributions. I've used this with openSUSE 10.3 with success. A note that all the tools are still in progress, although at least with openSUSE 10.3, it is an official function.
- David
Posting Permissions
