
Thread: Encryption recommendation for external drive with data

  1. #11
    Join Date
    Jun 2018
    Beans
    163

    Re: Encryption recommendation for external drive with data

    I would strongly encourage you to NOT use a passWORD but instead use a passPHRASE! An example of a strong passphrase could be: "in the field there are 2 cows and a sheep". It is easier to remember and it is much harder to crack than something like: "s67bWkp?ns#g2" which you will need to write down somewhere in order to remember it.
    Have a ubuntastic day!

  2. #12
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Encryption recommendation for external drive with data

    Quote Originally Posted by dinkidonk View Post
    I would strongly encourage you to NOT use a passWORD but instead use a passPHRASE! An example of a strong passphrase could be: "in the field there are 2 cows and a sheep". It is easier to remember and it is much harder to crack than something like: "s67bWkp?ns#g2" which you will need to write down somewhere in order to remember it.
    I would say that using "s67bWkp?ns#g2" + {something you never write down} would be better. Random characters are better, always, provided they are long enough. For most people, there is nothing wrong with having a yellow sticky on their monitor at home with 10 random passphrases in the list, provided that is just the 1st half of the total passphrase (or the second half).

    {from your mind} + {random 13+ characters}
    or
    {random 13+ characters} + {from your mind}

    Then you can take the random parts on a small paper in your wallet, keep it like you'd protect a credit card or $500 bill.

    At work, things are different. IT Security would freak out over a yellow sticky with random stuff on it. These days, someone with a cell phone could walk past and snap a photo for attempted cracking later.

    Phrases are great, provided they aren't in any books. I know people who use ISBN numbers for passwords or music album numbers - and so do the crackers. Those have all been added to their crack-list. Remember, they will let their password cracker run for months trying to learn the passwords. Humans are really bad at random. Have the computer create the random half and make certain it is long enough.
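
Added example, not written by anyone in the thread: one way to have the computer create the random half of the `{from your mind} + {random 13+ characters}` scheme described in the post above, and to put a number on "long enough". The function names and the 62-symbol alphanumeric alphabet are assumptions made for this example.

```shell
#!/bin/sh
# Added example: generate the machine-made half of a split passphrase and
# estimate its strength. Names and alphabet are assumptions, not from the thread.

ALPHABET='A-Za-z0-9'   # 62 symbols, easy to copy by hand from a paper note
ALPHABET_SIZE=62
MIN_LEN=13             # the "13+" from the post

# random_half LEN: print LEN characters drawn uniformly from ALPHABET.
# tr -dc discards every byte outside the alphabet, so each kept character
# is equally likely (no modulo bias). The kernel CSPRNG is the source.
random_half() {
    len=${1:-16}
    if [ "$len" -lt "$MIN_LEN" ]; then
        echo "refusing: need at least $MIN_LEN characters" >&2
        return 1
    fi
    LC_ALL=C tr -dc "$ALPHABET" < /dev/urandom | head -c "$len"
}

# entropy_bits LEN: entropy of the random half alone, LEN * log2(alphabet size).
# The memorized half adds to this, but by an amount nobody can measure.
entropy_bits() {
    awk -v n="$1" -v c="$ALPHABET_SIZE" \
        'BEGIN { printf "%.1f\n", n * log(c) / log(2) }'
}

# is_valid_half STRING: succeed only if STRING is long enough and contains
# nothing outside the alphabet (useful when re-typing from the paper copy).
is_valid_half() {
    [ "${#1}" -ge "$MIN_LEN" ] || return 1
    case $1 in
        *[!A-Za-z0-9]*) return 1 ;;
    esac
    return 0
}
```

After sourcing the file, `random_half 16` prints one 16-character half and `entropy_bits 16` reports the bits an attacker who sees only the drive must search for that half.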

  3. #13
    Join Date
    Jan 2014
    Beans
    141

    Re: Encryption recommendation for external drive with data

    As I mentioned before, I am new to encryption and learning a lot these past few days. I am initially trying to get the most usable, convenient and portable encryption I can find (security is second at this time because if it is too difficult to use then I won't use it). I am still evaluating things. I am finding that if I create a container I can't seem to find a quick way to see how much free space is left in the container unless I open it and then click on properties. Other attempts through nautilus (for example) will yield no/erroneous information. Are there shortcuts anywhere that tell me encrypted storage sizes and free space?

  4. #14
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    7,330
    Distro
    Xubuntu 20.04 Focal Fossa

    Re: Encryption recommendation for external drive with data

    Not for an encrypted container. You have to look inside it to see how full it is.
    Encfs does individual file encryption, so you can see how much disk space that uses, although it has other weaknesses so you may not want to use that.
    Being able to see the file sizes does give something away about what kind of material may be encrypted.

  5. #15
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Encryption recommendation for external drive with data

    Forget the GUIs. They lie.

    Be careful using "container" alone. It has many different meanings, mostly nothing to do with storage or encryption. The LUKS container doesn't have free space. The objects held inside do.

    Remember, Linux is about layers.

    HDD --> Partition --> Encryption Container --> LVM-PV --> LVM-VG --> LVM-LV ---> File system

    The file system (say ext4), has free space for files and directories. The file system doesn't need to use the entire LV, but usually it does. The LV shouldn't use all the VG space - really, ever. That would be a terrible LVM design and deployment. Multiple PVs can be merged/connected to 1 VG. This is an extremely powerful idea. LVM may or may not be used with LUKS or any other encryption method. LVM is just a layer, which is optional.

    So ... if you want summaries of these things, this link has some command examples :
    https://ubuntuforums.org/showthread....7#post13883277
    I use a few aliases to make life easier:
    Code:
    alias dft='df -hT -x squashfs -x tmpfs -x devtmpfs'
    alias lsblkt='lsblk -o name,size,type,fstype,mountpoint'
    And for LVM summaries, use:
    Code:
    sudo lvs
    sudo vgs
    sudo pvs
    This only works if the VG has been "activated", which should happen automatically on an LVM setup created by the installer. Manually created LVM stuff most likely doesn't get activated until you run sudo vgchange -ay AFTER the LUKS container has been successfully opened.

    I get that this can seem overwhelming and complex. There are reasons for how this is. Brilliant reasons, but until you have more experience those reasons won't be clear.

  6. #16
    Join Date
    Mar 2011
    Location
    19th Hole
    Beans
    Hidden!
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: Encryption recommendation for external drive with data

    Though I'm known in these parts to be very keen on security/encryption/privacy etc, I feel it may be useful to play devil's advocate here.

    There's always a tradeoff between security and convenience. Always. Don't believe anyone who tells you otherwise. So, at what point does the security become overbearing? If you are trying to keep vacation photos safe from prying eyes, then LUKS+full disk encryption may be overkill. Just maybe. OTOH, if you must protect secret next gen missile plans from other state actors, then it's not remotely sufficient. Point is, there's a continuum. Matching the level of encryption to the significance of the data is an important principle. Otherwise, we run the danger of either overdoing or underdoing. The former makes computing an ordeal; the latter leads to danger, possibly disaster.

    On these forums, we routinely run into new users who go whole hog on full disk encryption, suffer some otherwise minor mishap, forget their encryption key, and turn a small matter into an insoluble one.

    You don't tell us what sort of data you are concerned about and we don't need to know. But you need to do this assessment. As much as protecting one's data is important, the solution must be proportional to the sensitivity of the data.

  7. #17
    Join Date
    Jun 2018
    Beans
    163

    Re: Encryption recommendation for external drive with data

    Quote Originally Posted by TheFu View Post
    I would say that using "s67bWkp?ns#g2" + {something you never write down} would be better. Random characters are better, always, provided they are long enough.
    I disagree. If one would try to access an encrypted volume, the usual approach would be to run through a list of well known passwords. If that does not give access, brute force may be one of the next steps. Brute force basically means to run first through all numeric/binary values from 8-bit and up until access is achieved and that leads to the fact that longer (and maybe easy to remember) phrases are more secure than shorter (hard to remember) ones are. "s67bWkp?ns#g2" = 256^13, "in the field there are 2 cows and a sheep" = 256^42 which is an enormous difference. If SHA256 is used for key generation, 32 bytes is the limit though.

    @jgwphd: If portability is a requirement, use VeraCrypt since this is accessible from all systems (Linux, Mac & Windows). If you want full disk encryption for Linux systems only, you can use LUKS. For backwards compatibility use LUKS1, for better security use LUKS2. Use at least a 256-bit hash for the master key.

    EDIT: Don't use EncFS unless you absolutely have to.
    Last edited by dinkidonk; March 12th, 2021 at 09:24 PM.
    Have a ubuntastic day!

  8. #18
    Join Date
    Jan 2014
    Beans
    141

    Re: Encryption recommendation for external drive with data

    Due to my portability needs I am focusing on VeraCrypt.

    But I find the following statement troubling from developers "There's always a tradeoff between security and convenience." Why? ...Does it have to be this way? ...have we "given up"?

    Frankly, I want it all! Ideally I'd like to have security, sort of built in or added on Ubuntu in such a way that it is "very easy to use". And then install a dial that matches my desire for the level of security that meets my needs and let the system do the rest. For example, point at a drive, a partition, volume etc. and then click on "secure it" and then turn the dial presented for the level of security that meets my needs. Go have a beer and let the system do the rest ...after all that's what computers are for????

  9. #19
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Encryption recommendation for external drive with data

    Quote Originally Posted by jgwphd View Post
    Due to my portability needs I am focusing on VeraCrypt.

    But I find the following statement troubling from developers "There's always a tradeoff between security and convenience." Why? ...Does it have to be this way? ...have we "given up"?

    Frankly, I want it all! Ideally I'd like to have security, sort of built in or added on Ubuntu in such a way that it is "very easy to use". And then install a dial that matches my desire for the level of security that meets my needs and let the system do the rest. For example, point at a drive, a partition, volume etc. and then click on "secure it" and then turn the dial presented for the level of security that meets my needs. Go have a beer and let the system do the rest ...after all that's what computers are for????
    Why? Because higher security is an extra thing added. Not having that means 1 less thing to worry about.
    With encryption of storage, you must
    • Have excellent backups. Disk recovery tools won't help.
    • Performance will be impacted. Good encryption does require some extra processing, and that does slow things down, if only a little. LUKS is about 3% slower than non-LUKS. Other encrypted storage tools have higher processing requirements than LUKS.
    • Key management is a hassle if you've never dealt with it before.
    • It is another password to be remembered, entered, stored. For a few releases, Ubuntu used the login password as the unlock-encryption-code for per-user HOME directory encryption. This was acceptable to many, but it broke my backups and at major release upgrade times, sometimes the upgrade would fail. Remember, Linux is always multi-user, even if you are the only human using a computer.


    I know of only 1 situation where it is both more secure and more convenient. This is with ssh remote connections using ssh-keys. Hopping from system to system to system to system securely is relatively easy, once the keys have been exchanged. That's just 2 commands for the first system, then 1 command for every system after that. Then you'll only be prompted to unlock your ssh-keys periodically. How often is tunable. Never wouldn't be very secure. Every 5 minutes would be too inconvenient. I find somewhere between 4 and 12 hours the right mix for me, but many people would be happy with once an hour, I suppose.

    ssh rocks completely. Most of my work uses ssh. Right now, I have at least 10 ssh remote sessions connected to other systems of all types in multiple locations. People who use ssh with passwords are doing it the hard way and certainly less secure than a 2K RSA ssh-key or 400 byte ed25519 ssh-key.

    Important takeaways:
    • When you use encryption for file storage, be 100% certain you have excellent backups.
    • Security isn't just 1 thing. Encryption isn't just 1 thing. The user can encrypt everything, yet a bonehead choice will completely undo all that effort. No software can fix an ignorant end-user. Every time developers try, dog makes a someone even more less informed.


    And let's not forget that MSFT has an implementation of encrypted storage, which will post your decryption key to their online servers if you use the online microsoft.com account they push. That means THEY have access to the data even if you lose the decryption key. That doesn't sound very secure to me. If we aren't the only person in charge of and retaining the decryption key, that's a huge security failure in my book.
    Last edited by TheFu; March 13th, 2021 at 03:15 AM.

  10. #20
    Join Date
    Mar 2011
    Location
    19th Hole
    Beans
    Hidden!
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: Encryption recommendation for external drive with data

    Quote Originally Posted by jgwphd View Post
    …I find the following statement troubling from developers "There's always a tradeoff between security and convenience." Why? ...Does it have to be this way? ...have we "given up"?

    Frankly, I want it all! Ideally I'd like to have security, sort of built in or added on Ubuntu in such a way that it is "very easy to use". And then install a dial that matches my desire for the level of security that meets my needs and let the system do the rest. For example, point at a drive, a partition, volume etc. and then click on "secure it" and then turn the dial presented for the level of security that meets my needs. Go have a beer and let the system do the rest ...after all that's what computers are for????
    At the risk of offending you, this sounds like the sort of approach that gets Windows users into so much trouble. It's a tired truism by now, but security is not an app (or a dial). Rather, it is many things: a process, a frame of mind, a set of habits, a study of basic knowledge, a commitment to continuing learning, an ascetic and disciplined lifestyle if you will. Most are unwilling to learn or adopt the necessary self‑discipline. Trying to substitute an app for these qualities is just wishful thinking.

    Security will never be a fire‑and‑forget affair because, by its very nature, it cannot be. Using your dial metaphor: what would things look like at the low end of the dial? Does it enable the root account? Does it default to autologin? Does it install telnet? I would answer "No" to all of these. Someone else might answer "Yes". At the high end, does it enforce whole disk encryption? Does it disable all browsers? Does it default to a totally sealed firewall? Again, I would say "No" to any of them. Others might say "Yes".

    We cannot address complex issues with simplistic approaches any more than we can solve complex problems with simplistic answers. Users who disagree tend to avoid Linux altogether precisely because it refuses to beguile with easy "solutions". They stick with Windows or Apple where dozens of companies have made billions by selling them the fantasy that an app will protect them from themselves. I'm not trying to be argumentative, but that's the reality.
