Encryption in Ubuntu 9.04
Ioannis Vranos
ivranos at freemail.gr
Fri Jul 17 13:16:29 UTC 2009
Blaž Repas wrote:
> Ioannis Vranos wrote:
>> Blaž Repas wrote:
>>> https://help.ubuntu.com/community/EncryptedFilesystemHowto
>>
>> I can't find any definite answer there for my question.
>
> [quote]
>
>
> OK, which encryption engines does the DeviceMapper support?
>
> You can choose all those provided by the crypto-modules of your kernel.
> The Ubuntu-Kernels come with the full set, including *Twofish, AES, DES
> and others.*
>
>
> Which of those engines should I choose?
>
> I recommend AES. It is reasonably fast and believed to be secure. Avoid
> DES, it is considered too weak to offer decent protection nowadays.
>
>
> How many bits should the key used by the algorithm have?
>
> This depends on your needs for security: A longer key is more secure,
> but it takes longer to de-/encrypt data using it.
>
> With a good crypto algorithm an attacker must use brute force: He has to
> generate each key and then has to try to unlock the encrypted data with
> it. So the number of possible keys directly gives the average time
> needed to break the encryption. So let us play a bit with some numbers:
>
> A 256bit key gives about 10^77 (a 1 followed by 77 zeros) different keys
> while a 128bit key has "only" about 10^38 (a 1 followed by 38 zeros). At
> the moment a PC can generate and test about 3*10^5 (3 followed by 5
> zeros) keys per second. So breaking a 128bit key will take about 10^25
> years (1 followed by 25 zeros), which is longer than the universe
> exists. That should be secure enough for most users.
>
> To understand how secure 128 bit keys are, you may read this analogy
> <http://www.interesting-people.org/archives/interesting-people/200607/msg00058.html>
> by Jon Callas:
>
> “Imagine a computer that is the size of a grain of sand that can test
> keys against some encrypted data. Also imagine that it can test a key in
> the amount of time it takes light to cross it. Then consider a cluster
> of these computers, so many that if you covered the earth with them,
> they would cover the whole planet to the height of 1 meter. The cluster
> of computers would crack a 128-bit key on average in 1,000 years.”
>
> Even if you don't believe that the NSA has another planet devoted to key
> cracking, you still may want to use a longer key. If a weakness in your
> chosen crypto-module is found, it may limit the keyspace that needs to
> be tested, and you will then have an effectively shorter key. Using a 256
> bit key will keep your data secure much longer if that should happen.
>
> [/quote]
>
> Hope this helps clearing up your question. And it was in the document,
> by the way ;-) :-D
>
> Have a nice day!
If I am not missing something, when we set up an encrypted Private directory, or an encrypted partition/encrypted
home directory during installation, there are no options for choosing an algorithm.
--
Ioannis A. Vranos
C95 / C++03 Developer
http://www.cpp-software.net
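As an added example (my code, not part of this thread or of the Ubuntu howto it quotes): the brute-force arithmetic from the quoted text, carried through for the key sizes the thread mentions (DES's 56 bits, 128 bits and 256 bits) and for the "effectively shorter key" case where a weakness shrinks the keyspace. The only assumed input is the quoted rate of 3*10^5 keys per second; the function names and the 56-bit figure for DES are mine.

```python
# Added example, not from the mailing-list thread. Works through the
# exhaustive-search estimate quoted in the thread:
#   average time = (keyspace / 2) / (keys tested per second)
# Assumption taken from the quoted text: a PC tests about 3*10^5 keys/second.

import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
KEYS_PER_SECOND_PC = 3e5  # rate quoted in the thread (assumed, 2009-era PC)


def keyspace(bits: int) -> int:
    """Number of distinct keys of the given length."""
    return 2 ** bits


def expected_brute_force_years(bits: int,
                               keys_per_second: float = KEYS_PER_SECOND_PC,
                               effective_bits_lost: int = 0) -> float:
    """Average time to recover a key by exhaustive search, in years.

    An attacker tests half the keyspace on average before hitting the right
    key.  effective_bits_lost models a cryptanalytic weakness that narrows
    the keyspace, i.e. the "effectively shorter key" the quoted text warns
    about: a 128-bit key with 64 bits lost costs no more than a 64-bit key.
    """
    if effective_bits_lost < 0 or effective_bits_lost >= bits:
        raise ValueError("effective_bits_lost must be in [0, bits)")
    effective_bits = bits - effective_bits_lost
    seconds = keyspace(effective_bits) / 2 / keys_per_second
    return seconds / SECONDS_PER_YEAR


def required_rate_for(bits: int, years: float) -> float:
    """Keys per second an attacker would need to average a break in `years`."""
    return keyspace(bits) / 2 / (years * SECONDS_PER_YEAR)


def security_margin_bits(bits: int, keys_per_second: float,
                         target_years: float) -> int:
    """How many bits of keyspace a weakness could remove before the average
    break time drops below target_years at the given rate (0 if already below)."""
    for lost in range(bits):
        if expected_brute_force_years(bits, keys_per_second, lost) < target_years:
            return lost - 1 if lost > 0 else 0
    return bits - 1


if __name__ == "__main__":
    print(f"Assumed rate: {KEYS_PER_SECOND_PC:.0e} keys/second")
    for label, bits in (("DES (56-bit)", 56), ("AES-128", 128), ("AES-256", 256)):
        years = expected_brute_force_years(bits)
        print(f"{label:13s} keyspace 2^{bits:<3d} ~ {keyspace(bits):.2e} keys, "
              f"average break time {years:.2e} years")
    # The thread's "effectively shorter key" scenario: a flaw that discards
    # 64 bits of a 128-bit keyspace versus the same flaw against a 256-bit key.
    for bits in (128, 256):
        years = expected_brute_force_years(bits, effective_bits_lost=64)
        print(f"{bits}-bit key with 64 bits lost to a weakness: {years:.2e} years")
    # Rate that would be needed to break AES-128 in 1000 years on average.
    print(f"Rate needed to break a 128-bit key in 1000 years: "
          f"{required_rate_for(128, 1000):.2e} keys/second")
    print(f"Bits a 256-bit key can lose and still exceed 10^9 years at PC rate: "
          f"{security_margin_bits(256, KEYS_PER_SECOND_PC, 1e9)}")
```

Running it reproduces the quoted ballpark of about 10^25 years for a 128-bit key at the quoted rate, and shows why the quote favours 256 bits as a margin against future cryptanalysis: the same 64-bit loss that brings a 128-bit key down to roughly a million years leaves a 256-bit key at an astronomically large figure.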