[Haifux] Nested disk encryption

Shachar Raindel shacharr at gmail.com
Thu Sep 16 10:44:07 MSD 2010

I will add a recommendation for TrueCrypt, which is considered secure,
very easy to use, and supports hidden volumes, so that even if you are
forced to give out passwords, you can give out passwords that will be
valid, but not show up the content of your real encrypted drive.

It is also portable, so you can use the same drive image on different
OSes, and it has a nice gui (in addition to command line support).


On Thu, Sep 16, 2010 at 3:57 AM, Orr Dunkelman <orr.dunkelman at gmail.com> wrote:
> If you use modern ciphers (AES-256, or Serpent are two such ciphers),
> there should be no problem.
> The RAID's encryption does not care what you encrypt. The loopback
> device does not care where it is stored. So you get double protection.
> Orr.
> On Thu, Sep 16, 2010 at 2:09 AM, Eli Billauer <eli at billauer.co.il> wrote:
>> Hello,
>> I have a piece of sensitive data, which I'd like to keep locked away when I
>> don't use it. It's reassuring to know, that even if my computer would ever
>> meet a trojan horse, that data will be off limit, unless I would happen to
>> be using it in very bad timing.
>> Having a Fedora 12 (kernel 2.6.32 for now), the immediate solution is to
>> create a large empty file, mount it as a loop device, and create an
>> encrypted disk on it. When I don't use the data, I simply close the
>> encryption, and all is safe and sound.
>> The only thing that worries me, is that the disk itself is a RAID-5 (three
>> disks) with the whole thing encrypted (that is, the whole of /dev/md0, which
>> is why I don't have any unencrypted space left) and then we have LVM over
>> that. So if I pull my stunt, there will be five layers of munching between
>> real data and what is written on the hardware disk. Including encrypting
>> twice.
>> In a theoretical world, one can stack layers without worrying about
>> anything. In a real world, there are sometimes bugs, which show up in exotic
>> situations.
>> I have no problem with some possible slowdown. I only wonder, if I'm not
>> pushing my luck.
>> So what do you say? Would you feel safe to stack one encryption on another?
>> Is it correct to assume that each layer works independently, and therefore
>> it doesn't matter how much I stack up?
>> Thanks in advance,
>>     Eli
>> --
>> Web: http://www.billauer.co.il
>> _______________________________________________
>> Haifux mailing list
>> Haifux at haifux.org
>> http://hamakor.org.il/cgi-bin/mailman/listinfo/haifux
> --
> Orr Dunkelman,
> Orr.Dunkelman at gmail.com
> GPG fingerprint: C2D5 C6D6 9A24 9A95 C5B3  2023 6CAB 4A7C B73F D0AA
> (This key will never sign Emails, only other PGP keys. The key
> corresponds to orrd at vipe.technion.ac.il)
> _______________________________________________
> Haifux mailing list
> Haifux at haifux.org
> http://hamakor.org.il/cgi-bin/mailman/listinfo/haifux

More information about the Haifux mailing list