http://westhoffswelt.de/blog/creating_a_transparently_encrypted_root_filesystem.html This article provides all the neccessary explanations to create a fully transparent filesystem encryption for your system root. After you followed the steps of this tutorial all your data will be stored encrypted on your hard drive during your normal days work. This is especially interesting for laptops which might be stolen with important or even secret information on it. en CC by-nc-sa Jakob Westhoff Jakob Westhoff <jakob@westhoffswelt.de> Tue, 24 Jun 2008 14:34:12 +0000 Wed, 04 Feb 2009 22:44:26 +0000 eZ Components Feed dev (http://ezcomponents.org/docs/tutorials/Feed) http://www.rssboard.org/rss-specification http://westhoffswelt.de/blog/creating_a_transparently_encrypted_root_filesystem.html#comment_7 Excellent and thorough guide. Thank you. A couple suggestions: 1) I agree with Chris, you need to create /proc and /mnt/root in the initramfs directory before gzip'ng it up. 2) There is an aes-x86_64 module that needs to be loaded in order for the 64-bit AES cipher to be used. 3) Specify what your initramfs contains. For example, noting that your keymap is different than say US, will save people time by just going ahead and rolling their own. Also, it doesn't look like you included v86d in your initramfs. Overall, your guide is impressive. Thanks to you, I didn't have to read/sort through the gentoo-wiki article that was chock full of suspend2 stuff. nmp0906 Thu, 21 May 2009 06:45:12 +0000 http://westhoffswelt.de/blog/creating_a_transparently_encrypted_root_filesystem.html#comment_6 Great guide, some comments though: - /proc and /mnt/root have to be created manually - I also had to uncomment the / part in fstab in order to boot succesfully With this guide I succesfully created an encrypted gentoo root installation on a raid1 root disk setup. Thank you for writing this nice tutorial! Chris Fri, 08 May 2009 15:51:04 +0000 http://westhoffswelt.de/blog/creating_a_transparently_encrypted_root_filesystem.html#comment_5 good point, sounds logically... rac Tue, 02 Dec 2008 11:06:57 +0000 http://westhoffswelt.de/blog/creating_a_transparently_encrypted_root_filesystem.html#comment_4 That might be true. But as I stated above by writing zeros (0s) to the encryption container, the data written to the disk should be as good as random data in relation to the chances of data reconstruction. greetings Jakob Jakob Fri, 21 Nov 2008 18:30:38 +0000 http://westhoffswelt.de/blog/creating_a_transparently_encrypted_root_filesystem.html#comment_3 Hy A friend that worked in forensics told me once that if you just overwrite it with 0s it is possible to recover the data partially (maybe just in laboratory) but if you use 1s instead it will be harder and if you use random data its going to be very hard to recover and of course if you use multiple cycles with random data it should be nearly impossible... greetz rac rac Fri, 14 Nov 2008 11:55:24 +0000 http://westhoffswelt.de/blog/creating_a_transparently_encrypted_root_filesystem.html#comment_2 Hi, you are partially right concerning step 8. This step was not ment to ensure the overwritten data could not be reconstructed in any way. It was just introduced to render it virtually impossible to distinguish between encrypted data and free space. This may become relevant if you are using an empty disk for encryption or your previous filesystem has got some serious gaps inbetween the datablocks. Nevertheless, it is still not completely clear what kind of overwrite is needed to make sure the data can not be recovered. The wikipedia article about data remanence ( http://en.wikipedia.org/wiki/Data_remanence#Overwriting ) has some details about this. If you are the paranoid type of person you may use a tool which uses the Gutmann method ( http://en.wikipedia.org/wiki/Gutmann_method ) for example to wipe the disk. This method uses a specially designed order of different patterns to destroy the data. Personally I don't think this is really neccessary, because the high density of todays magnetic storage systems in combination with one write cycle of pseudo random data should be enough make it nearly impossible to reconstruct the data using a realistic amount of time and effort. greetings Jakob Jakob Mon, 10 Nov 2008 18:25:02 +0000 http://westhoffswelt.de/blog/creating_a_transparently_encrypted_root_filesystem.html#comment_1 Hy I was just flying trough your post and it looks quite impressive, good work. Question about Step 8: You wrote that filling it with 0 makes no difference. As I see this is the initial overwrite all phase where the data that was there should be overwritten and I thought that it would be recoverable, if it's just set on LOW (0), with special equipment... Of course the Data from the encrypted partition will fill up the disk with random look-a-like data but some old data would be left hiiden behind the LOW bit's for some time. Or what do you think? PS: Hab deinen post in die related links genommen da er sehr informativ die Hintergründe erklärt. Eigentlich hätte ich das ja auch so machen müssen, deswegen wurde es auch nur ein install log ;-) rac Mon, 10 Nov 2008 14:35:26 +0000