* truecrypt support in grub ?
@ 2009-04-15 13:28 J. Bakshi
2009-04-15 14:19 ` Chip Panarchy
` (2 more replies)
0 siblings, 3 replies; 14+ messages in thread
From: J. Bakshi @ 2009-04-15 13:28 UTC (permalink / raw)
To: The development of GRUB 2
Hello list,
GRUB2 is a robust boot loader. Is it possible to have truecrypt encryption support directly in GRUB2 ? Then we can have truecrypt encrypted partition with linux installed and GRUB2 just decrypt it and load the kernel.
Thanks
* Re: truecrypt support in grub ?
From: Chip Panarchy @ 2009-04-15 14:19 UTC (permalink / raw)
To: The development of GRUB 2

Hello

If this is possible (and there isn't already an implementation of it) then I would also like this feature! :D

Good suggestion! :P

Panarchy

On Wed, Apr 15, 2009 at 11:28 PM, J. Bakshi <bakshi12@gmail.com> wrote:
> Hello list,
>
> GRUB2 is a robust boot loader. Is it possible to have truecrypt encryption support directly in GRUB2 ? Then we can have truecrypt encrypted partition with linux installed and GRUB2 just decrypt it and load the kernel.
>
> Thanks
* Re: truecrypt support in grub ?
From: phcoder @ 2009-04-15 16:25 UTC (permalink / raw)
To: The development of GRUB 2

Michael Gorven has already implemented LUKS support for grub2. Using truecrypt with linux partitions is a bad idea - this encryption isn't native to it in any way and also truecrypt is under GPL-incompatible licence which means it's unlikely to be incorporated to grub (you need to figure out the on-disk layout of truecrypt and then reimplement it from scratch (but you can reuse ciphers from luks implementation)). If all you want is boot windows installed on truecrypt partition then the best way is to chainload truecrypt booter. I haven't yet looked in it myself but it seems that truecrypt booter uses mbr gap too which conflicts with grub. However it can be workarounded by dumping contents of mbr gap created by truecrypt and replicating the action of tc-mbr (can't be difficult)

J. Bakshi wrote:
> Hello list,
>
> GRUB2 is a robust boot loader. Is it possible to have truecrypt encryption support directly in GRUB2 ? Then we can have truecrypt encrypted partition with linux installed and GRUB2 just decrypt it and load the kernel.
>
> Thanks

-- 
Regards
Vladimir 'phcoder' Serbinenko
* Re: truecrypt support in grub ?
From: J. Bakshi @ 2009-04-16 15:42 UTC (permalink / raw)
To: grub-devel

On Wed, 15 Apr 2009 18:25:27 +0200 phcoder <phcoder@gmail.com> wrote:

> Michael Gorven has already implemented LUKS support for grub2.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

really nice to know. But does it still require /boot partition as un-encrypted ?

> Using
> truecrypt with linux partitions is a bad idea - this encryption isn't
> native to it in any way and also truecrypt is under GPL-incompatible
> licence which means it's unlikely to be incorporated to grub (you
> need to figure out the on-disk layout of truecrypt and then
> reimplement it from scratch (but you can reuse ciphers from luks
> implementation)). If all you want is boot windows installed on
> truecrypt partition then the best way is to chainload truecrypt
> booter. I haven't yet looked in it myself but it seems that truecrypt
> booter uses mbr gap too which conflicts with grub. However it can be
> workarounded by dumping contents of mbr gap created by truecrypt and
> replicating the action of tc-mbr (can't be difficult)

eagerly waiting to see that grub2 supports that

Thanks

> J. Bakshi wrote:
> > Hello list,
> >
> > GRUB2 is a robust boot loader. Is it possible to have truecrypt
> > encryption support directly in GRUB2 ? Then we can have truecrypt
> > encrypted partition with linux installed and GRUB2 just decrypt it
> > and load the kernel.
> >
> > Thanks
* Re: truecrypt support in grub ?
From: phcoder @ 2009-04-16 16:27 UTC (permalink / raw)
To: The development of GRUB 2

J. Bakshi wrote:
> On Wed, 15 Apr 2009 18:25:27 +0200
> phcoder <phcoder@gmail.com> wrote:
>
>> Michael Gorven has already implemented LUKS support for grub2.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> really nice to know. But does it still require /boot partition as un-encrypted ?
>

It's already able to load kernels from encrypted partition. For the moment it's too big to fit to mbr gap but in perspective it could be squeezed enough. Then you don't need unencrypted partitions at all. For now if you want to do this you need to leave some space before the first partition. Be aware that even if such configuration is nice it doesn't increase security in any way. The easiest attack is to replace grub with a recompiled grub which additionally writes password somewhere on the disk

>
>> Using
>> truecrypt with linux partitions is a bad idea - this encryption isn't
>> native to it in any way and also truecrypt is under GPL-incompatible
>> licence which means it's unlikely to be incorporated to grub (you
>> need to figure out the on-disk layout of truecrypt and then
>> reimplement it from scratch (but you can reuse ciphers from luks
>> implementation)). If all you want is boot windows installed on
>> truecrypt partition then the best way is to chainload truecrypt
>> booter. I haven't yet looked in it myself but it seems that truecrypt
>> booter uses mbr gap too which conflicts with grub. However it can be
>> workarounded by dumping contents of mbr gap created by truecrypt and
>> replicating the action of tc-mbr (can't be difficult)
>
> eagerly waiting to see that grub2 supports that
>

Why don't you help us with that? Install truecrypt, dump mbr and mbr gap. Disassemble mbr and send an explanation of what it does in plain english here

> Thanks
>
>> J. Bakshi wrote:
>>> Hello list,
>>>
>>> GRUB2 is a robust boot loader. Is it possible to have truecrypt
>>> encryption support directly in GRUB2 ? Then we can have truecrypt
>>> encrypted partition with linux installed and GRUB2 just decrypt it
>>> and load the kernel.
>>>
>>> Thanks

-- 
Regards
Vladimir 'phcoder' Serbinenko
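
The message above names two regions a modified loader would occupy on a BIOS/MBR disk: the boot code in sector 0 and the MBR gap before the first partition. The Python below is an added example, not part of the thread and not GRUB code; it hashes both regions so they can be compared against a baseline, and its function names and sample disk images are constructed for illustration.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 0..439 of sector 0 hold the boot code
PART_TABLE_OFF = 446     # four 16-byte partition entries start here
GPT_PROTECTIVE = 0xEE    # partition type used by a GPT protective MBR


def first_partition_lba(mbr: bytes) -> int:
    """Return the lowest starting LBA among the used MBR partition entries."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 has no 0x55AA boot signature")
    starts = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        ptype = entry[4]
        start, count = struct.unpack_from("<II", entry, 8)
        if ptype == 0 or count == 0:
            continue  # unused slot
        if ptype == GPT_PROTECTIVE:
            raise ValueError("protective MBR: GPT disk, no MBR gap to measure")
        starts.append(start)
    if not starts:
        raise ValueError("no partitions defined")
    return min(starts)


def measure(image: bytes) -> dict:
    """Hash the boot code and the MBR gap (sectors 1 .. first partition - 1)."""
    first = first_partition_lba(image[:SECTOR])
    gap = image[SECTOR: first * SECTOR]
    if len(gap) != (first - 1) * SECTOR:
        raise ValueError("image is shorter than the MBR gap")
    return {
        "gap_sectors": first - 1,
        "boot_code": hashlib.sha256(image[:BOOT_CODE_LEN]).hexdigest(),
        "mbr_gap": hashlib.sha256(gap).hexdigest(),
    }


def changed_regions(baseline: dict, current: dict) -> list:
    """Names of measured regions whose value differs from the baseline."""
    return [k for k in baseline if baseline[k] != current[k]]


def make_image(first_lba: int, boot: bytes = b"", gap: bytes = b"") -> bytes:
    """Constructed sample: tiny MBR disk with one Linux (0x83) partition."""
    sector0 = bytearray(SECTOR)
    sector0[:len(boot)] = boot
    struct.pack_into("<B3sB3sII", sector0, PART_TABLE_OFF,
                     0x80, b"\0\0\0", 0x83, b"\0\0\0", first_lba, 2048)
    sector0[510:512] = b"\x55\xaa"
    body = bytearray((first_lba - 1) * SECTOR)
    body[:len(gap)] = gap
    return bytes(sector0) + bytes(body)


if __name__ == "__main__":
    # Constructed images: same boot code, different content in the gap.
    good = make_image(63, boot=b"stage1", gap=b"core.img as installed")
    bad = make_image(63, boot=b"stage1", gap=b"core.img replaced")
    print(changed_regions(measure(good), measure(bad)))
```

The comparison is only meaningful when the disk is read from trusted boot media and the baseline is stored off the disk being checked, since a modified loader controls what the installed system sees.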
* Re: truecrypt support in grub ?
From: Michael Gorven @ 2009-04-16 17:19 UTC (permalink / raw)
To: The development of GRUB 2

On Thursday 16 April 2009 18:27:33 phcoder wrote:
> Why don't you help us with that? Install truecrypt, dump mbr and mbr
> gap. Disassemble mbr and send an explanation of what it does in plain
> english here

There seems to be a decent specification[1] of the TrueCrypt format on their website. It would probably need an additional hash (Whirlpool) and cipher modes (XTS and LRW).

Michael

[1] http://www.truecrypt.org/docs/technical-details

-- 
http://michael.gorven.za.net
PGP Key ID 6612FE85
S/MIME Key ID AAF09E0E
* Re: truecrypt support in grub ?
From: phcoder @ 2009-04-16 18:24 UTC (permalink / raw)
To: The development of GRUB 2

Is there any info about the truecrypt booting process too? This is more important than being able to read truecrypted files because I don't think that anyone wants to boot linux from truecrypt when luks is faster, better integrated and provides similar set of features
I don't see it on the link you provided. Whirlpool is based on tweaked rijndael which is already a part of your patch. And LRW and xts are used (and recommended) for luks too.

Michael Gorven wrote:
> On Thursday 16 April 2009 18:27:33 phcoder wrote:
>> Why don't you help us with that? Install truecrypt, dump mbr and mbr
>> gap. Disassemble mbr and send an explanation of what it does in plain
>> english here
>
> There seems to be a decent specification[1] of the TrueCrypt format on their
> website. It would probably need an additional hash (Whirlpool) and cipher
> modes (XTS and LRW).
>
> Michael
>
> [1] http://www.truecrypt.org/docs/technical-details

-- 
Regards
Vladimir 'phcoder' Serbinenko
* Re: truecrypt support in grub ?
From: Alon Bar-Lev @ 2009-04-16 18:42 UTC (permalink / raw)
To: The development of GRUB 2

Correct.
Stronger encryption is offered by loop-aes [1], and it also has a simpler on-disk format.

The main problem an encryption solution should address is where the keys are stored. A password only based encryption is considered weak. Placing the keys on external media, such as USB Mass storage device is better, protecting the key on the USB Mass storage device is even better. Placing keys on cryptographic hardware is almost the best solution... The best solution is to have a cryptographic device with no extractable keys on the SATA/IDE bus...

The main problem is that to support all these sequences and devices in a boot loader is somewhat difficult.

I use decrypted boot partition with loop-aes and cryptographic hardware [2]. When the Linux kexec method will be actually usable, I may consider to kexec a kernel within the encrypted partition. The problem is how to guarantee a clean hand-over.

Alon

[1] http://loop-aes.sourceforge.net/
[2] http://wiki.tuxonice.net/EncryptedSwapAndRoot

On 4/16/09, phcoder <phcoder@gmail.com> wrote:
> Is there any info about the truecrypt booting process too? This is more
> important than being able to read truecrypted files because I don't think
> that anyone wants to boot linux from truecrypt when luks is faster, better
> integrated and provides similar set of features
> I don't see it on the link you provided. Whirlpool is based on tweaked
> rijndael which is already a part of your patch. And LRW and xts are used
> (and recommended) for luks too.
> Michael Gorven wrote:
> > On Thursday 16 April 2009 18:27:33 phcoder wrote:
> > > Why don't you help us with that? Install truecrypt, dump mbr and mbr
> > > gap. Disassemble mbr and send an explanation of what it does in plain
> > > english here
> >
> > There seems to be a decent specification[1] of the TrueCrypt format on
> > their website. It would probably need an additional hash (Whirlpool) and
> > cipher modes (XTS and LRW).
> >
> > Michael
> >
> > [1] http://www.truecrypt.org/docs/technical-details
>
> --
>
> Regards
> Vladimir 'phcoder' Serbinenko
* Re: truecrypt support in grub ?
From: Robert Millan @ 2009-05-02 11:40 UTC (permalink / raw)
To: The development of GRUB 2

On Wed, Apr 15, 2009 at 06:58:54PM +0530, J. Bakshi wrote:
> Hello list,
>
> GRUB2 is a robust boot loader. Is it possible to have truecrypt encryption support directly in GRUB2 ? Then we can have truecrypt encrypted partition with linux installed and GRUB2 just decrypt it and load the kernel.

See http://fedoraproject.org/wiki/ForbiddenItems#TrueCrypt

-- 
Robert Millan

The DRM opt-in fallacy: "Your data belongs to us. We will decide when (and how) you may access your data; but nobody's threatening your freedom: we still allow you to remove your data and not access it at all."
* Re: truecrypt support in grub ?
From: Chip Panarchy @ 2009-05-03 0:47 UTC (permalink / raw)
To: The development of GRUB 2

^Ah.

What would you suggest instead, for a free full-drive encryption?

On Sat, May 2, 2009 at 9:40 PM, Robert Millan <rmh@aybabtu.com> wrote:
> On Wed, Apr 15, 2009 at 06:58:54PM +0530, J. Bakshi wrote:
> > Hello list,
> >
> > GRUB2 is a robust boot loader. Is it possible to have truecrypt
> > encryption support directly in GRUB2 ? Then we can have truecrypt encrypted
> > partition with linux installed and GRUB2 just decrypt it and load the
> > kernel.
>
> See http://fedoraproject.org/wiki/ForbiddenItems#TrueCrypt
>
> --
> Robert Millan
>
> The DRM opt-in fallacy: "Your data belongs to us. We will decide when (and
> how) you may access your data; but nobody's threatening your freedom: we
> still allow you to remove your data and not access it at all."
* Re: truecrypt support in grub ?
From: Robert Millan @ 2009-05-03 16:28 UTC (permalink / raw)
To: The development of GRUB 2

On Sun, May 03, 2009 at 10:47:00AM +1000, Chip Panarchy wrote:
> ^Ah.
>
> What would you suggest instead, for a free full-drive encryption?

LUKS

-- 
Robert Millan

The DRM opt-in fallacy: "Your data belongs to us. We will decide when (and how) you may access your data; but nobody's threatening your freedom: we still allow you to remove your data and not access it at all."
* Re: truecrypt support in grub ?
From: Chip Panarchy @ 2009-05-04 12:27 UTC (permalink / raw)
To: The development of GRUB 2

So I've got to use LUKS & FreeOTFE?

Seems a little hard... seeing as the different file-systems I need to encrypt, including;

Ext3, HFS+, Ext4, NTFS, UFS2 & ZFS

Any other drive encryption tools you'd like to suggest, or should I stick to TrueCrypt (will start using it once all my OSs are working together)

On Mon, May 4, 2009 at 2:28 AM, Robert Millan <rmh@aybabtu.com> wrote:
> On Sun, May 03, 2009 at 10:47:00AM +1000, Chip Panarchy wrote:
>> ^Ah.
>>
>> What would you suggest instead, for a free full-drive encryption?
>
> LUKS
>
> --
> Robert Millan
>
> The DRM opt-in fallacy: "Your data belongs to us. We will decide when (and
> how) you may access your data; but nobody's threatening your freedom: we
> still allow you to remove your data and not access it at all."
* Re: truecrypt support in grub ?
From: Alon Bar-Lev @ 2009-05-04 12:38 UTC (permalink / raw)
To: The development of GRUB 2

loop-aes...

On 5/4/09, Chip Panarchy <forumanarchy@gmail.com> wrote:
> So I've got to use LUKS & FreeOTFE?
>
> Seems a little hard... seeing as the different file-systems I need to
> encrypt, including;
>
> Ext3, HFS+, Ext4, NTFS, UFS2 & ZFS
>
> Any other drive encryption tools you'd like to suggest, or should I
> stick to TrueCrypt (will start using it once all my OSs are working
> together)
>
> On Mon, May 4, 2009 at 2:28 AM, Robert Millan <rmh@aybabtu.com> wrote:
> > On Sun, May 03, 2009 at 10:47:00AM +1000, Chip Panarchy wrote:
> >> ^Ah.
> >>
> >> What would you suggest instead, for a free full-drive encryption?
> >
> > LUKS
> >
> > --
> > Robert Millan
> >
> > The DRM opt-in fallacy: "Your data belongs to us. We will decide when (and
> > how) you may access your data; but nobody's threatening your freedom: we
> > still allow you to remove your data and not access it at all."
* Re: truecrypt support in grub ?
From: Vladimir 'phcoder' Serbinenko @ 2009-05-04 13:42 UTC (permalink / raw)
To: The development of GRUB 2

On Mon, May 4, 2009 at 2:27 PM, Chip Panarchy <forumanarchy@gmail.com> wrote:
> So I've got to use LUKS & FreeOTFE?
>

FreeOTFE has a function which allows reading sectors from a device without authentication. This way the whole application security is blown away (not like there were a big deal of it, it's windows). I informed Sarah Dean that because of this function FreeOTFE is an application which destroys the security instead of enhancing it. However it looks like she doesn't understand the gravity of the problem and assumes only a threat of laptop steal and not much more common threats like viruses or trojans (it is windows, he-he)

>
> Seems a little hard... seeing as the different file-systems I need to
> encrypt, including;
>
> Ext3, HFS+, Ext4, NTFS, UFS2 & ZFS
>

You can encrypt any FS with any full-disk-encryption. The encryption doesn't care what you put on it.

>
> Any other drive encryption tools you'd like to suggest, or should I
> stick to TrueCrypt (will start using it once all my OSs are working
> together)
>

What you say is quite out of sync with reality. I don't know any program able to boot two different OSes encrypted with it. (I don't speak about reading volumes, I speak about booting). Additionally such a setup is less secure than encrypting every OS separately since if one OS is compromised it's somewhat contained (not entirely true actually). AFAIK till date no one was able to boot Darwin or OSX from encrypted volume. But encrypting every OS on a harddrive is really an overkill. Remember that encryption only addresses a small set of threats all of them involving physical access to your hardware. It's not like some marketing employees who make the people believe that pronouncing the word AES three times a day makes your computer secure. I doubt that you use more than one or at most two OSes for regular data work. I suppose the rest is just your experimental OSes. Encrypting experimental OS is just more headache and waste of resources.

The setup I recommend is:
GPT-partitioned disk:
-BIOS or EFI boot partition holding embedded part of grub or grub.efi
 BIOS partition is typically 1 MiB in size. EFI partition is typically 100MiB in size (but 10 MiB should be enough)
-GRUB /boot partition holding grub modules and linux kernels and initrds. Optionally also holding information related to booting of other OSes
-Linux root, swap and home on lvm on luks
-Optionally a FAT partition used to transfer data between OSes
-Experimental OSes

And please next time inform yourself before suggesting any feature requests. Best feature request is the one containing a patch with it. Second best is the one containing detailed info with it

Anyway this discussion goes away from grub so please don't continue it here.

-- 
Regards
Vladimir 'phcoder' Serbinenko