mhogomchungu / zuluCrypt

zuluCrypt is a front end to cryptsetup and tcplay and it allows easy management of encrypted block devices
https://mhogomchungu.github.io/zuluCrypt
Other
513 stars 60 forks source link

A few questions #137

Closed git70 closed 4 years ago

git70 commented 5 years ago

I write here because it can be useful to other users.

  1. Create Encrypted Container In A Hard Drive function: Is there a difference between LUKS encrypting only partitions and the entire device? (for example /dev/sda instead of /dev/sda1) Is it safer or fewer other problems?

  2. How does LUKS2+External Header work? a) Immediately saves the header in a different location b) First saves the header on the device / file, then copies it to another location and deletes the original If b) Does it overwrite a randomly released place?

  3. What is the maximum password length? 512 characters?

mhogomchungu commented 5 years ago
  1. What does entire drive mean? If the drive is un partitioned, then encrypting "the entire drive" gives the same result as encrypting a partition and zuluCrypt supports both. If by "entire drive" you mean encrypting everything including the partition table, then zuluCrypt doesnt support this because this will mean first decrypting the drive and then manually reading the partition table with tools like kpartx or recent versions of losetup.

  2. b.

  3. The maximum password length is determined by cryptsetup and last time i checked, it was 8Mb.

git70 commented 5 years ago
  1. I do the following: a) Wipe the entire disk Establishing a gpt partition table Establishing one large sda1 partition Encrypt LUKS sda1 It works or b) Wipe the entire disk Establishing a gpt partition table Encrypt LUKS sda It Works (without creating the sda1 partition) How better do you think?

  2. Does the program make dd zero or random free space after deleting the original header?

mhogomchungu commented 5 years ago

A is better because there are tools out there that may not work well with un-partitioned devices. Partitioning your device guarantees that your drive will work everywhere and with everything.

Partitioning a drive wastes a bit of space because the partition will start somewhere inside the drive but adds an advantage that the start of the partition will be properly aligned based on whatever criteria the partitioning tool think is best.

zuluCrypt-cli can not create a volume with a detached header but it can:

  1. Create a volume with attached header.
  2. Create a volume header backup,
  3. Create a plain dm-crypt encryption mapper with a 64 byte random key.

Somebody requested an ability to create a volume with a detached header and i chose to implemenet it not by adding a switch in zuluCrypt-cli to add the ability, but to combine existing functionality in zuluCrypt-gui to achieve the same result.

What zuluCrypt-gui does when asked to create a LUKS volume with a detached header is:

  1. Ask zuluCrypt-cli to create a LUKS volume with an attached header.
  2. Ask zuluCrypt-cli to make a backup of the LUKS's header.
  3. Ask zuluCrypt-cli to create a plain dm-crypt device using a 64 byte random key.
  4. zuluCrypt-gui then writes zeros to the created plain dm-crypt device the size of the header created to erase the header on the device.
git70 commented 5 years ago
  1. For the purpose of secure, trouble-free and long-term storage of the archive, what will be better? Encrypted partition or encrypted one large file? (1-10TB)

  2. So the de facto original header is first overwritten with random data and then with zeros?

mhogomchungu commented 5 years ago

Partition, a file can accidentally be deleted. You may say a file can easily be transfered to another location and that's a good thing but how easy is it to transfer a 10 terabyte file?

With a partition, keep a backup of the volume header and a backup of a partition table. You never know, a wrong step somewhere and you may accidentally overwrite first couple of sectors of the device.

The size of the header in the original device is overwritten with random data. The random data is obtained through writing zeros to a plan dm-crypt mapper created with a 64 byte key obtained from /dev/urandom.

git70 commented 5 years ago

Ok thx!