Encryption in Ubuntu 9.04

Blaž Repas linux at bss.si
Fri Jul 17 16:21:35 UTC 2009


Ioannis Vranos wrote:
> Blaž Repas wrote:
>
>> Ioannis Vranos wrote:
>>
>>> Blaž Repas wrote:
>>>
>>>> https://help.ubuntu.com/community/EncryptedFilesystemHowto
>>>>
>>> I can't find any definite answer there for my question.
>>>
>> [quote]
>>
>>
>>       OK, which encryption engines does the DeviceMapper support?
>>
>> You can choose all those provided by the crypto-modules of your kernel. 
>> The Ubuntu-Kernels come with the full set, including *Twofish, AES, DES 
>> and others.*
>>
>>
>>       Which of those engines should I choose?
>>
>> I recommend AES. It is reasonably fast and believed to be secure. Avoid 
>> DES, it is considered too weak to offer decent protection nowadays.
>>
>>
>>       How many bits should the key used by the algorithm have?
>>
>> This depends on your needs for security: A longer key is more secure, 
>> but it takes longer to de-/encrypt data using it.
>>
>> With a good crypto algorithm an attacker must use brute force: He has to 
>> generate each key and then has to try to unlock the encrypted data with 
>> it. So the number of possible keys directly gives the average time 
>> needed to break the encryption. So let us play a bit with some numbers:
>>
>> A 256bit key gives about 10^77 (a 1 followed by 77 zeros) different keys 
>> while a 128bit key has "only" about 10^38 (a 1 followed by 38 zeros). At 
>> the moment a PC can generate and test about 3*10^5 (3 followed by 5 
>> zeros) keys per second. So breaking a 128bit key will take about 10^25 
>> years (1 followed by 25 zeros), which is longer than the universe 
>> exists. That should be secure enough for most users.
>>
>> To understand how secure 128 bit keys are, you may read this analogy 
>> <http://www.interesting-people.org/archives/interesting-people/200607/msg00058.html> 
>> by Jon Callas:
>>
>> “Imagine a computer that is the size of a grain of sand that can test 
>> keys against some encrypted data. Also imagine that it can test a key in 
>> the amount of time it takes light to cross it. Then consider a cluster 
>> of these computers, so many that if you covered the earth with them, 
>> they would cover the whole planet to the height of 1 meter. The cluster 
>> of computers would crack a 128-bit key on average in 1,000 years.”
>>
>> Even if you don't believe that the NSA has another planet devoted to key 
>> cracking, you still may want to use a longer key. If a weakness in your 
>> chosen crypto-module is found, it may limit the keyspace that needs to 
>> be tested, and you will then have an effectivly shorter key. Using a 256 
>> bit key will keep your data secure much longer if that should happen.
>>
>> [/quote]
>>
>> Hope this helps clearing up your question. And it was in the document, 
>> by the way ;-) :-D
>>
>> Have a nice day!
>>
>
> If I am not missing something, when we set up an encrypted Private directory, or an encrypted partition/encrypted
> home directory during installation, there are no options for choosing an algorithm.
>
Hmmm.. interesting...

I'll look around and maybe try it. But I guess it's one of the more 
common ones (3des, des, aes).

Have a nice day!
Blaž
