Encrypted Install, how strong is it? What kind is it?

arby
Posts: 37
Joined: Sat 30 Aug 2008, 04:16


#1 Post by arby »

Hi all,

I have recently installed Puppy 4.1 onto a jumpdrive using the 'strong'
encrypted option. Everything appears to work as expected, with no
noticeable lag in operation, just no booting without the password.

Now that it's working, some questions have developed:

1- Can I ever change the password again, or is a reinstall required?

2- What kind of encryption is "pup_save_crypta.2fs" using?

3- How strong is it? Any known weaknesses or risks?

4- Where are the keys stored?

5- Where can I learn more about it? Reading materials etc?

Thanks for any info!
Arby

Dromeno
Posts: 534
Joined: Fri 12 Sep 2008, 07:01

Are these questions answered somewhere?

#2 Post by Dromeno »

I am also interested in the answers to these questions!

Main reason is that I would like to know if Puppy's own encryption is comparable to TrueCrypt.

PaulBx1
Posts: 2312
Joined: Sat 17 Jun 2006, 03:11
Location: Wyoming, USA

#3 Post by PaulBx1 »

aes128 via cryptoloop (google for more info). I always say it is good enough to thwart criminals and nosy people and the local constabulary, but probably not NSA.

DO NOT USE SWAP if you are encrypting your pupsave, because swap is not encrypted and your passwords, etc. are thus able to be harvested from it.

Truecrypt is more modern and up-to-snuff than Puppy's encryption (cryptoloop being "deprecated"), however I might bet on Puppy if the Truecrypt was being used on Windows. There are lots of things you have to be aware of when using encryption; see the truecrypt site for general security practices.

I don't understand your question #4. The keys are stored in your head. That's the passphrase, and that's it. This is not public key cryptography. BTW, make sure you choose a strong passphrase.

If you want to change your passphrase, you can use this utility I cooked up a while ago. It generates a new pupsave. After you are sure the new one works, you can delete the old one. And don't forget to wipe the empty space on your disk too.
Attachments
convert-pupsave.tar.gz
(5.24 KiB) Downloaded 1196 times

arby
Posts: 37
Joined: Sat 30 Aug 2008, 04:16

#4 Post by arby »

Thanks for the advice Paul,

Eventually I realized that the "A" in the filename must stand
for AES. Wikipedia provided many of the answers after that.

Regarding point #4, I think you must've misunderstood what
I was asking. I wasn't referring to the passphrase.

Even a symmetric-key algorithm needs an encryption key.
The name aes128 is saying that the key size is 128.
My interest is that the key must be in puppy somewhere,
possibly in an open vulnerable location.

Thanks for the utility!
arby

Perkins
Posts: 62
Joined: Sun 25 Sep 2005, 05:45

#5 Post by Perkins »

General practice for encrypted file systems is to put the heavy key (In this case, the 128 bit AES key) in one of the first sectors of the file system, encrypted with the user's passphrase. I would bet that puppy's AES encryption is roughly as strong as TrueCrypt's AES encryption. TrueCrypt has the advantage though of being able to do cascading cyphers and steganography. Most users probably don't need that level of security though. 128 bit AES should keep out just about anybody short of possibly some government intelligence agency. And they'll most likely get in by either snooping your passphrase, or through rubber-hose cryptanalysis anyway. :wink:
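
Added example (not part of the original thread, and not Puppy's code): a sketch of the header-stored key scheme Perkins describes as general practice, in the style of LUKS key slots, where a random 128-bit volume key is wrapped under a key derived from the passphrase, so a passphrase change rewrites only the header. It assumes PBKDF2-HMAC-SHA256 and uses an HMAC-derived keystream as a stand-in for AES key wrap, because Python's standard library has no AES; all function names are hypothetical, and the thread does not document Puppy's actual on-disk layout.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this sketch


def _kek(passphrase: str, salt: bytes) -> bytes:
    """Derive a 32-byte key-encryption key from the passphrase."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS)


def _pad(kek: bytes) -> bytes:
    """16-byte keystream; stand-in for AES key wrap (stdlib has no AES)."""
    return hmac.new(kek, b"wrap", hashlib.sha256).digest()[:16]


def wrap(volume_key: bytes, passphrase: str) -> dict:
    """Build the header: salt, wrapped volume key, and an integrity tag."""
    salt = os.urandom(16)
    kek = _kek(passphrase, salt)
    wrapped = bytes(a ^ b for a, b in zip(volume_key, _pad(kek)))
    tag = hmac.new(kek, b"tag" + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap(header: dict, passphrase: str) -> bytes:
    """Recover the volume key, or raise ValueError on a wrong passphrase."""
    kek = _kek(passphrase, header["salt"])
    expected = hmac.new(kek, b"tag" + header["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, header["tag"]):
        raise ValueError("wrong passphrase or corrupted header")
    return bytes(a ^ b for a, b in zip(header["wrapped"], _pad(kek)))


def change_passphrase(header: dict, old: str, new: str) -> dict:
    """Re-wrap the same volume key; the encrypted data is never touched."""
    return wrap(unwrap(header, old), new)


if __name__ == "__main__":
    volume_key = os.urandom(16)  # the 128-bit volume key; constructed sample
    hdr = wrap(volume_key, "correct horse battery staple")
    hdr2 = change_passphrase(hdr, "correct horse battery staple", "new phrase")
    print(unwrap(hdr2, "new phrase") == volume_key)
```

In a scheme like this the header is readable by anyone holding the drive, so what protects the volume key is the passphrase strength and the KDF cost, not the header's location.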

Luluc
Posts: 200
Joined: Wed 16 Mar 2011, 07:10

#6 Post by Luluc »

Very informative thread.

However, when choosing to create an encrypted save file, we are forced to use an ext2 file system. Cryptoloop supports ext3. So why can't we use ext3? Or even ext4 maybe?

Encrypting the save file is all fine and good, but how am I supposed to manage my 50GB LUKS partition? I can open it with a combination of cryptsetup + cryptmount (the latter manages /dev/mapper), but these don't work very well in Puppy. I created a brand new cryptmount volume, it works, but then I cannot open/decrypt it. I can open my existing LUKS partition, but only manually, not automatically with fstab+crypttab as expected. And it is not "unmounted" automatically properly at shutdown/reboot.

Dougal
Posts: 2502
Joined: Wed 19 Oct 2005, 13:06
Location: Hell more grotesque than any medieval woodcut

#7 Post by Dougal »

Luluc wrote: However, when choosing to create an encrypted save file, we are forced to use an ext2 file system. Cryptoloop supports ext3. So why can't we use ext3? Or even ext4 maybe?

This could be the result of one of two things:
- Does it let you use an ext3 non-encrypted pupsave on that partition? It only allows ext3 on journalled partitions.
- There might have been problems or some security concerns about ext3+encryption -- try searching Barry's blog or asking Kirk.

Luluc wrote: Encrypting the save file is all fine and good, but how am I supposed to manage my 50GB LUKS partition? I can open it with a combination of cryptsetup + cryptmount (the latter manages /dev/mapper), but these don't work very well in Puppy. I created a brand new cryptmount volume, it works, but then I cannot open/decrypt it. I can open my existing LUKS partition, but only manually, not automatically with fstab+crypttab as expected. And it is not "unmounted" automatically properly at shutdown/reboot.

I don't really know about using LUKS, but the cause of your problems is probably that in Puppy /bin/mount is a script, for transparently handling ntfs(-3g): Puppy puts "ntfs" as the fstype in fstab (rather than "ntfs-3g") and the mount script does everything itself, rather than letting mount.ntfs-3g (=ntfs-3g) be used.
Anyway, that script is very likely (ahem) broken in some subtle ways and it also has no conscious support for fstab mounts, as far as I recall (when I started using fstab I had to add special code to detect an fstab mount and get the params from fstab).

So you might solve your problems by just replacing the script with a link to the binary (mount-FULL). Assuming you don't care about NTFS mounts...

/bin/umount is also a script, so your unmounting problems are probably caused by that, too...
What's the ugliest part of your body?
Some say your nose
Some say your toes
But I think it's your mind

Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

#8 Post by Sylvander »

At first I was scared by the .tar.gz extension...

But then I found a comment that said to use this all you needed to do was download it to a handy folder, unpack the archive, and run the program file.
[Like portable Windows program]

So I downloaded the .tar.gz to my /01 folder->in Xfe I navigated to the folder->right-clicked and chose to extract to the same folder->clicked on the terminal icon above to run the terminal in that folder->typed the name of the program [convert-pupsave] and hit <Enter>, and the program ran.

Great program! :D 8)
It explains things.
Easy to use.
Worked "like it says on the tin".
I changed my Boxpup-431 ext2 pupsave to ext3->[wise or not?], having 1st saved a backup of the old ext2 file.
