My Encryption Basics, on Linux!


     So recently, given the revelations of everyone from the NSA to power plants being hacked, I decided to learn the two most popular encryption tools included with Linux. Even NASA publishes an encryption basics knowledge base article (found HERE) using one of the same tools I mention here. In this article I run over the basics of using the two most popular encryption tools found on Linux, which as it happens are included by default (at least on Fedora). For Windows users, BitLocker can accomplish the same task as LUKS, and gpg4win is the Windows equivalent of gpg on Linux, but it may not provide all of the same features and BitLocker isn't free. As it goes, I am no expert and this is only what I've learned so far.



     It does beg the question, exactly why bother learning basic encryption techniques? Well, simple: everyone is getting hacked, and if you're wired into the net, you're vulnerable. Well, as the Iranians learned, even if you're not wired into the net you are still vulnerable. Consider exactly how much sensitive information you might store on your computer. If one ever really studies what doxxing is, you'd be far more selective of what you say on the net, but as it turns out, that doesn't really matter much. Far more information about people who don't even use social media is released by the (US) Government at the federal, state, and local levels. I've even found people's social security numbers posted on state websites that had documents exposed that probably shouldn't have been (just using Google search). As for the average user however, think about the files you do not elect to put on the internet. How many of those contain passwords, account numbers, etc.? Would you really want someone reading that stuff? No, obviously not. Such techniques as I've included below can help increase your level of safety (and cost you little to nothing). But it remains, the all-consuming facts of the internet. No amount of security will prevent breaches if you don't use any sense, and no system is completely secure -- NONE. But if you are not already aware of basic security in modern computing, you really should look into that before looking into encryption. Not knowing how to write passwords that are less vulnerable to dictionary attacks will only make the following items much less secure.



     The first type of encryption I use is block-level encryption. Fedora's Disk Encryption page provides an overview of what this is (found HERE). The following is a quote from the website. More details can be found there.


Block device encryption encrypts/decrypts the data transparently as it is written/read from block devices, the underlying block device sees only encrypted data. To mount encrypted block devices the sysadmin (or user, depending on context) must provide a passphrase to activate the decryption key. Encryption provides additional security beyond existing OS security mechanisms in that it protects the device's contents even if it has been physically removed from the system.


     On Linux, the most widely used block-level encryption is LUKS via the kernel device mapping subsystem module called dm-crypt. This method protects data at rest. When installing the OS for the first time, the Anaconda installer allows one to utilize LUKS on install, where you will set a passphrase. One note of concern here however is that this option doesn't usually allow one to overwrite existing data that could be dug up from any previous installs. LUKS only encrypts newly written data and therefore doesn't overwrite or encrypt the free space. If this is a new hard drive or the data is unimportant then it is not a problem. There are also other, more detailed, concerns that are well outside of my expertise. As pointed out in the quote, this option is also available to removable drives such as USB sticks (only in Linux file formats however). There are programs that can be found, at the moment, to read Linux file systems and decrypt LUKS drives on Windows, but they're a huge pain to get working as Windows flags these as trojans.

LUKS and BitLocker both require very little interaction outside of the initial setup, therefore I do not provide a write-up on my usage. More details for LUKS were previously mentioned and BitLocker may be found HERE.



      The second type of encryption that I use is GPG, which is short for GNU Privacy Guard. It is a file-level encryption program included with just about every Linux distro. This level of encryption (file-level) is designed to protect data in transit. GPG has two main utilizations, symmetric encryption and asymmetric. For symmetric, the same passphrase is used to encrypt and decrypt whereas in asymmetric, it is not. Symmetric encryption does not require the use of public and private keys, and does not require signatures. Utilizing GPG asymmetrically is meant to transfer files between multiple trusted people, each with their own set of signed keys. The public key you generate is distributed to a trusted partner and they give theirs to you. The public key you give to someone is used by them to encrypt a file for you to receive securely and decrypt, and vice-versa. The private key, which you NEVER distribute, is used to decrypt a file. Therefore, to use GPG to communicate securely, you both must exchange public keys. More detailed (and important) information on exactly how all this works can be found in the documents section at, in particular their GNU Privacy Handbook.

     The files I am encrypting using GPG need not ever be decrypted by someone else and therefore I utilize the symmetric option far more often. In this case, a file is encrypted and decrypted by the same passphrase. The weakness in this option is that someone else knowing that passphrase could decrypt your data and could learn it from someone else you tell. Key exchanging avoids this pitfall -- nobody knows your decrypt key. But the symmetric option is just as strong as long as you do not let others use your passphrase. Such utilization of file-level encryption could allow one to store sensitive information on cloud backups without worrying that it could be compromised. While technically possible to brute-force an encryption in a somewhat more reasonable time frame using factoring technology, it is nearly always cheaper and shorter in time to compromise the system and gain access to the data in some other way, but there is no reason we have to make it easy when free tools are right at our fingertips.

My personal notes on using GPG in the command line symmetrically can be found HERE for Linux only.

Best Practice

     The weakest point of either method above is always the passphrase itself. Picking a good passphrase is essential. Random alphanumeric sequences are best, the longer the better. What should be well established by now is the normal practice of not using names, birthdays, cities, zip codes and other information related to you or people you closely associate with, and it's best to avoid any term that is defined, as they are vulnerable to dictionary attacks that make brute-forcing exponentially easier. These methods also do not protect against tactics like key logging. The reality remains that if someone really wants your data -- they will get it, but such methods as encryption and utilizing VPN services like IPVanish or NordVPN make it far more difficult for someone to compromise your data.

     This also leads to another point of weakness. If you decrypt one of your private files, and simply delete it, the underlying data is still sitting there. While LUKS, if utilized, helps to prevent access, to be even more confident that the private, unencrypted data is destroyed we can utilize file shredding programs to remove the unwanted file and make it very nearly impossible to retrieve with the most sophisticated of hard drive reconstruction techniques. On Linux, as with encryption, there are several programs included by default. I personally use a command line program called shred. Because these files are nearly always tiny, we can run iterations over the file many times greater than the oft-recommended 5 to 10, which is still sufficient. If I were doing this to an entire hard drive, DoD 5220 standards for this method recommend 3 passes (with particular numeric patterns and verification) to be secure, which usually takes some hours. Since we are doing this for a select few files at a time, we might as well do this for say, 50, if we wanted to be obstinate. A parting comment: for a drive to be truly securely erased, if it is to be used no longer we destroy the drives physically or degauss them (Defense Security Service, 06/28/2007).
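The symmetric GPG step and the shred step described above, combined into one script as an added example (it is not the author's own notes). It assumes GnuPG 2.1 or later and GNU coreutils `shred`; the function names and the passphrase-file argument are hypothetical.

```shell
#!/bin/sh
# Added example: encrypt a file symmetrically, prove the ciphertext decrypts
# to the same bytes, and only then shred the plaintext.
# For interactive use, drop --batch, --pinentry-mode and --passphrase-fd
# and gpg will prompt for the passphrase instead.
set -eu

# Encrypt FILE to FILE.gpg with AES-256. The passphrase is read from stdin,
# so it never appears in the process list or in shell history.
gpg_encrypt() {
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-fd 0 \
        --symmetric --cipher-algo AES256 --output "$1.gpg" -- "$1"
}

# Decrypt FILE.gpg to stdout using the passphrase on stdin.
gpg_decrypt() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase-fd 0 \
        --decrypt -- "$1"
}

# Overwrite FILE in place with N random passes (default 3, shred's own
# default), finish with a pass of zeros (-z), then unlink it (-u).
shred_file() {
    shred -n "${2:-3}" -z -u -- "$1"
}

# protect_file FILE PASSFILE
# The plaintext is compared against the decrypted stream through a pipe,
# so no second plaintext copy is written to disk during verification.
protect_file() {
    gpg_encrypt "$1" < "$2"
    if gpg_decrypt "$1.gpg" < "$2" | cmp -s - "$1"; then
        shred_file "$1"
    else
        echo "round trip failed, plaintext kept: $1" >&2
        return 1
    fi
}

# Usage: sh protect.sh FILE PASSFILE
if [ "$#" -eq 2 ]; then
    protect_file "$1" "$2"
fi
```

The shred manual page notes that overwriting in place is not guaranteed to reach the old data on journaled or snapshotting file systems, so block-level encryption underneath still matters.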

     It really should go without saying that you certainly should not make your gpg symmetric and LUKS passphrases even remotely similar! Utilizing a block-level encryption system, along with file-level encryption over point to point encrypted connections will make your data considerably more difficult to compromise. Secure VPN services can be had for just $10/mo or less, although they do have issues with streaming services, but if you're ever on a public connection, don't be without one.

No amount of security in the world will amount to anything however if your actions on the net are frivolous to downright stupid. The Dummies series has a good INTERNET SAFETY CHEATSHEET everyone should read at least once.

© 2016 Zachary G Wolfe -- Remember to turn your brain off for a reboot sometimes...