Debian User Forums

[PsySc0rpi0n]

Hello.

I'm looking for a way of storing some sensitive information securely without having to spend money on devices or software and keep a minimum level of safety and also keeping some level of integrity to whatever I come up with.

I want opinions and suggestions of what can I do. Actually, I already have a very basic idea of what I want but if there is a way better solution in all aspects, I'm all ears.

To start, I should say I have pretty limited to none knowledge about security, cryptography and so on, but this is also a way to learn the very basics.

So, the idea I already have in practice is that I created a sparse file, encrypted it with LUKS (using a gpg key file) and now I can mount that volume, send there the files, folders and any other data I want to keep safe and when I'm done, I unmount, close the LUKS volume and finally I encrypt the volume file itself again using GnuPG.

So, this way, I have kind of a small drive, portable, and that I can use as if is a normal folder in my computer. It also has the advantage of being able to only use the necessary space in disk as it is a sparse file, which means, space will grow dynamically as needed up to the apparent size of this volume.

If needed I can share all the commands I used to create and use this volume, because I used some nuances to avoid having any leaks of data from the keys used to encrypt the volume. For instance, the way I created the key used to encrypt the volume, never exposed its unencrypted contents to stdout, files or any other type of non-volatile media, by means of using `dd ..... | gpg2 .... > key.gpg`.

After all this is done, I intend to create a small script that compresses the volume file, and creates a sha256 (or) hash, or some other checksum mechanism, regularly and compares the compressed file with the checksum to let me know if anything goes wrong with the file.

So, what you all think about this approach and of you have other way better suggestions, please let me know.

Thank you

[sgosnell]

I do it two different ways. One is veracrypt. It will create an encrypted container, using a file, a partition, or an entire drive, and optionally hides the container. Any search engine will find the details for you.

I also have a small partition on my internal drive, which is encrypted by LUKS. It shows up in the file manager, but can only be mounted and opened when the password is entered. Unmounting it closes the LUKS volume. There are a number of tutorials for doing this.

The veracrypt volume is easier to set up, but it takes slightly more effort to mount. You unmount it with veracrypt, and it's encrypted. You can use any filename, so it's not obvious that it's an encrypted volume. LUKS takes more effort to set up, but once it's set up you just click on the volume in the file manager and get a password prompt. It's obvious to anyone who opens the file manager that it exists, because it's labeled as 'encrypted volume'. But knowing that it exists won't open it without the password.

I carry a tiny USB drive with my gpg keys and other data that I sometimes need, and I have a veracrypt volume which holds all the sensitive information, with veracrypt binaries for both Linux and Windows on the root of the drive, so that I can access it on almost any computer, but no one can decrypt it without the passphrase, which is long and complex enough that I don't think a supercomputer can break it.

[PsySc0rpi0n]

I do it two different ways. One is veracrypt. It will create an encrypted container, using a file, a partition, or an entire drive, and optionally hides the container. Any search engine will find the details for you.

I also have a small partition on my internal drive, which is encrypted by LUKS. It shows up in the file manager, but can only be mounted and opened when the password is entered. Unmounting it closes the LUKS volume. There are a number of tutorials for doing this.

The veracrypt volume is easier to set up, but it takes slightly more effort to mount. You unmount it with veracrypt, and it's encrypted. You can use any filename, so it's not obvious that it's an encrypted volume. LUKS takes more effort to set up, but once it's set up you just click on the volume in the file manager and get a password prompt. It's obvious to anyone who opens the file manager that it exists, because it's labeled as 'encrypted volume'. But knowing that it exists won't open it without the password.

I carry a tiny USB drive with my gpg keys and other data that I sometimes need, and I have a veracrypt volume which holds all the sensitive information, with veracrypt binaries for both Linux and Windows on the root of the drive, so that I can access it on almost any computer, but no one can decrypt it without the passphrase, which is long and complex enough that I don't think a supercomputer can break it.

I understand. However, in my case, if I browse this file, I can't see it is an encrypted volume. Only if I run `file volume.vol`.
I think there are a few things about what you said that might be not 100% accurate, but I got it. Like, for instance, unmounting the partition/device/whatever doesn't close the Luks volume. There is the `luksClose` command for that purpose. This one closes/encrypts back the volume.

And what you mean by setting ups Luks? I just created the sparse file, encrypted it with Luks, opened the volume and mounted it. I didn't change any configurations of Luks.

[sgosnell]

The volume I created with cryptsetup is automatically re-encrypted when I unmount it. There are multiple ways to encrypt files/directories/drives, and whichever works best for you is fine.

[PsySc0rpi0n]

The volume I created with cryptsetup is automatically re-encrypted when I unmount it. There are multiple ways to encrypt files/directories/drives, and whichever works best for you is fine.

It encrypts at the umount command? I umount and then luksClose. That's when it gets re-encrypted. What you did different to get it re-encrypted at umount time?

[sgosnell]

I don't know what I did differently, because I don't know exactly what you did. I normally don't run umount, I just do it through Thunar file manager.. AFAIK once the volume is unmounted, it is re-encrypted. You can close it via luksClose without unmounting it. If I run luksClose on the volume after unmounting, I get a message that it is not active. Unmounting is sufficient, and accessing it requires the passphrase.

[PsySc0rpi0n]

I don't know what I did differently, because I don't know exactly what you did. I normally don't run umount, I just do it through Thunar file manager.. AFAIK once the volume is unmounted, it is re-encrypted. You can close it via luksClose without unmounting it. If I run luksClose on the volume after unmounting, I get a message that it is not active. Unmounting is sufficient, and accessing it requires the passphrase.

Ah ok. I'm doing it all by the command line. So, I always run the same set of commands to open (decrypt), mount, use, umount and close (re-encrypt).