Linux en­cryp­tion tools

re­veals why ev­ery­one ben­e­fits from keep­ing data safe from pry­ing eyes

Tech Advisor - - Contents - Alex Camp­bell

En­cryp­tion is an in­ter­est­ing thing. The first time this writer saw en­cryp­tion in ac­tion was on a col­league’s Gen­too Linux laptop that could boot only if the USB key with the boot par­ti­tion and de­cryp­tion key was in­serted. In­ter­est­ing stuff, from a geek point of view.

Fast for­ward, and rev­e­la­tions from Ed­ward Snow­den and on­go­ing con­cerns about gov­ern­ment snoop­ing are slowly bring­ing en­cryp­tion and pri­vacy tools into the main­stream. Even if you’re not wor­ried about a Big Brother or some shady spy-ver­susspy sce­nario, en­cryp­tion can still pro­tect your iden­tity and pri­vacy if your laptop is stolen. Think of all the things we keep on our lap­tops: con­tact in­for­ma­tion, fi­nan­cial de­tails, and client and com­pany data. All of that is wor­thy of pro­tec­tion. Luck­ily, Linux users have ac­cess to sev­eral tools for free.

There are three main meth­ods for pro­tect­ing the data on your laptop, each with its own strengths and weak­nesses.

OpenPGP and email en­cryp­tion


Us­ing Pretty Good Pri­vacy (PGP) en­cryp­tion to pro­tect email isn’t any­thing new. While the orig­i­nal PGP im­ple­men­ta­tion is pro­pri­etary, the OpenPGP spec­i­fi­ca­tion was writ­ten in 1997. OpenPGP uses pub­lickey cryp­tog­ra­phy, which means ev­ery key­pair comes with a pri­vate and pub­lic key. You use a pri­vate key (that you keep se­cret) to un­lock and sign files, while a pub­lic key (that you give to peo­ple) can be used to en­crypt files to you and ver­ify files you’ve signed.

In the con­text of email, your plain­text email is en­crypted with a pub­lic key into ei­ther a file or ASCII cypher­text (which looks ran­dom to peo­ple and ma­chines) that can only be read by some­one with the match­ing pri­vate key. In ba­sic terms, this means that the email is en­crypted be­fore it leaves your PC, so no amount of snoop­ing on the email server you’re us­ing will al­low some­one to see the con­tents of the file. This is known as end-to-end en­cryp­tion. (Me­ta­data, such as the sub­ject line, re­cip­i­ents, and time sent are all left in plain­text, though.)

The most widely used im­ple­men­ta­tion of this stan­dard (as far as Linux users are con­cerned) is GNU Pri­vacy Guard ( Most mod­ern Linux dis­tri­bu­tions come with GnuPG pre­in­stalled. If it isn’t, it can be eas­ily found us­ing your dis­tri­bu­tion’s pack­age man­ager, usu­ally with the name gpg.

While you can use GPG on the com­mand line, it’s of­ten eas­ier to cre­ate and man­age keys us­ing a GUI pro­gram. The GnuPG team pro­vides the GNU Pri­vacy As­sis­tant ( GUI to cre­ate and man­age keys. If you pre­fer a KDE-com­pat­i­ble in­ter­face, you can in­stall Kleopa­tra, while GNOME 3 users might pre­fer GNOME’s Sea­horse. GnuPG is also avail­able for Win­dows us­ing GPG4Win, which pro­vides Win­dows ver­sions of both Kleopa­tra and GPA. Be­fore you can en­crypt files or email with OpenPGP, you’ll need to cre­ate your first key­pair. When you cre­ate your key you’ll need to pro­vide (at least) a name and email ad­dress to help iden­tify the key. You’ll also need to pro­vide a key strength. While a 2048-bit key is con­sid­ered pretty safe, a 4096-bit key will pro­vide more pro­tec­tion, though at the ex­pense of slightly longer times for key cre­ation, en­cryp­tion, and de­cryp­tion. How you set up GnuPG for use with your email will vary de­pend­ing on the client you use. If you use Mozilla’s Thun­der­bird, you’ll need to in­stall the Enig­mail ex­ten­sion ( Both KDE’s KMail and GNOME’s Evo­lu­tion sup­port OpenPGP na­tively. KDE’s on­line doc­u­men­ta­tion pro­vides a man­ual for GPG in­te­gra­tion with KMail (, and Fe­dora has a great how-to for Evo­lu­tion (­zf9rw). There are a few browser plug­ins such as Mail­ve­lope (which of­fers add-ons for both Chromium/Chrome and Fire­fox) that work pretty well for those who pre­fer web­mail ( GnuPG pro­vides a great in-depth on­line man­ual on how OpenPGP works and how to use the GnuPG tools (­tac).

En­crypted con­tain­ers


Not ev­ery­thing you want to keep se­cret or se­cure is a text file or email. To se­cure groups of files, some peo­ple pre­fer to use en­crypted con­tain­ers.

Con­tain­ers are handy be­cause they’re por­ta­ble. In its sim­plest form, a con­tainer is

a lot like a zip file that’s en­crypted. That file can be in your home folder, copied to a USB drive, stored in the cloud, or put any­where else that’s con­ve­nient.

The most ba­sic con­tainer can be a zip or gzipped tar file (.tar.gz) that you en­crypt us­ing OpenPGP. The down­side to such a sim­ple con­tainer is that you have to delete the plain­text (de­crypted) file once you’re fin­ished with it. If you have to mod­ify or add files in the ar­chive, you ba­si­cally have to delete the old file and en­crypt a new one.

A sim­pler and more se­cure way to han­dle con­tain­ers is to use Ver­aCrypt (the suc­ces­sor to TrueCrypt). Ver­aCrypt is ca­pa­ble of cre­at­ing en­crypted con­tain­ers of fixed size, which can help ob­scure the size of the files in the con­tainer. There’s a good tu­to­rial on Ver­aCrypt’s web­site that ex­plains how to cre­ate such a con­tainer (­j3p). The good thing about us­ing a Ver­aCrypt con­tainer is that you can ac­cess its con­tents us­ing Ver­aCrypt on both Win­dows and Linux.

Fi­nally, there’s a tool called Tomb. Tomb is lit­tle more than a script, but it makes cre­at­ing and man­ag­ing con­tain­ers and keys for dm-crypt re­ally easy. The dm-crypt util­ity is stan­dard to Linux and is its built-in disk en­cryp­tion engine (I’ll get to more on that in a bit), but it can also be used to cre­ate con­tain­ers. Tomb’s us­age is quite sim­ple, and the project web­site of­fers use­ful guid­ance (­wgf8).

Whole-disk en­cryp­tion


Some­times, it can be eas­ier to en­crypt ev­ery­thing on your sys­tem. That way, there’s lit­tle need to worry (for the most part) about what files are stored where. Ev­ery­thing is pro­tected, so long as your PC is off.

Win­dows users may re­call that Ver­aCrypt (or TrueCrypt) can en­crypt drive par­ti­tions and en­tire disks. This can be done on Linux as well, but most users will likely pre­fer to use Linux’s built-in disk en­cryp­tion tool, dm-crypt.

By it­self, dm-crypt and its tool crypt­setup are very ba­sic and can be a lit­tle cum­ber­some, since dm-crypt can only use a sin­gle key. Most peo­ple pre­fer to use Linux Uni­fied Key Setup (LUKS) to man­age keys for an en­crypted de­vice, which al­lows up to eight keys to be used with dm-crypt, such that any one key or passphrase sup­plied can un­lock the drive. When us­ing dm-crypt to en­crypt a drive, a passphrase must be en­tered at boot time to un­lock it.

We should also note that LUKS and dm-crypt are the un­der­ly­ing pro­grams that Tomb uses to work its magic.

Set­ting up dm-crypt, LUKS, and op­tion­ally LVM (log­i­cal par­ti­tions) can be a messy task for a new­bie. For users who feel up to the task, the Arch Linux Wiki has a great guide on us­ing LUKS and dm-crypt to en­crypt a sys­tem ( For those less in­clined to get down and dirty with ter­mi­nal com­mands, there’s an op­tion to use LVM and LUKS drive en­cryp­tion when you in­stall Ubuntu or De­bian.

There are a cou­ple pit­falls when us­ing whole-disk en­cryp­tion. First, the boot par­ti­tion (/boot) is usu­ally left un­en­crypted, since the sys­tem has to boot to an ini­tial ramdisk to get it­self go­ing. The sys­tem can’t do that if the ramdisk and boot par­ti­tion are un­read­able. (You ac­tu­ally can en­crypt the boot par­ti­tion, but it takes ex­tra steps and is a bit more tricky.) The con­se­quence of this is that it if some­one got their hands on your PC, they could the­o­ret­i­cally in­stall a mod­i­fied ker­nel that could har­vest your passphrase. It’s an un­likely sce­nario, but tech­ni­cally pos­si­ble. This can be cir­cum­vented by plac­ing your boot par­ti­tion on a USB thumb drive that you keep sep­a­rate from the sys­tem.

The minute you turn on your PC and un­lock the disk, files on the sys­tem can be read as though it weren’t en­crypted at all. If your laptop is stolen and you don’t have a screen lock en­abled, some­one could sim­ply com­pro­mise your sys­tem as long as it has power (which is very sim­i­lar to de­vice en­cryp­tion on an An­droid phone).

Fi­nally, SSDs present special prob­lems be­cause of the way they al­lo­cate and clear (or don’t clear) cells. You can still use an SSD with disk en­cryp­tion, but ex­tra steps should be taken when pre­par­ing the drive.

Even with a few pit­falls, we con­sider us­ing disk en­cryp­tion on lap­tops to be good prac­tice. While en­crypt­ing desk­tops is less com­mon be­cause they are stolen less of­ten, ev­ery­one has seen some­one leave a laptop at a cof­fee shop or on a seat on a train. We rest a lit­tle eas­ier know­ing that if our laptop is ever taken, we’re only los­ing a de­vice, not our pri­vacy along with it. J

To cre­ate a GnuPG key­pair us­ing the com­mand line, use gpg —gen-key

Set­ting up a con­tainer and key us­ing Tomb is re­ally easy, if you’re com­fort­able with the com­mand line

A par­ti­tion tree viewed with ls­blk. Note that the en­crypted par­ti­tion / dev/sda3 is host to the LVM par­ti­tions that are mounted to the root directory (/) and swap, while the boot par­ti­tion (/dev/sda2) is un­en­crypted

Newspapers in English

Newspapers from UK

© PressReader. All rights reserved.