Linux / Security: Encrypted External Drive Part 1 – Urandom
So I am re-doing my external RAID 1 drive enclosure. I love this little thing. It has two 2.5 inch 160gig SATA drives in it. The enclosure is connected via USB 2.0 but it does have an eSATA interface as well. I will be configuring this to have a 10 gig non-encrypted partition. The remaining ~150 gigs will be an encrypted (LUKS) filesystem to be used on my linux machine.
All of this will not be detailed here but will be split up in 3 blogs. Below just shows the time it takes to use Linux to overwrite the disk device using /dev/urandom. This is done to make it just that much harder for a would be hacker to try and brute force the key on the encrypted partition. If this is not done, the un-used space would just show up as empty, allowing for a more targeted attack against the pseudo random filesystem. Being pseudo-random means that it is not truly random. This being the case, with a lot of time and computing power, an attacker might be able to either brute force or find a pattern in the encryption.
So why not use /dev/random? For me, this would take forever! I do not have any special hardware or scripts pulling information from the environment and adding to the entropy pool. The data on this drive not being national security grade, /dev/random will do the job.
I know that the drive is under /dev/sdb. With that information, it is as simple as using “dd” (built in Linux utility) to overwrite all blocks on the drive with pseudo-random data.
root@tstbox:~# dd if=/dev/urandom of=/dev/sdb dd: writing to `/dev/sdb': No space left on device 312581810+0 records in 312581809+0 records out 160041886208 bytes (160 GB) copied, 40284.5 s, 4.0 MB/s
From above, it tool 40,284.5 seconds to overwrite the drive with urandom data. This equals ~11 hours and 19 minutes. Definitely still a long time, but a lot faster than if /dev/random was used.
This workstation is not an impressive computer. It is a single CPU dual core machine with 2 gigs of ram. Below is the info on one of the cores.
root@tstbox:~# cat /proc/cpuinfo processor : 0 vendor_id : GenuineIntel cpu family : 6 model : 15 model name : Intel(R) Core(TM)2 CPU 6300 @ 1.86GHz stepping : 2 cpu MHz : 1867.000 cache size : 2048 KB physical id : 0 siblings : 2
Notes: I wish I could use /dev/random and probably will eventually when I can sit a drive out for a week. Setting up external drives in this fashion is really geared towards data protection. Not only are the drives in a mirrored RAID (one can fail and everything would still run fine), important data is encrypted using a strong key. So who cares is the external enclosure walks away at a conference? I would be out ~190$ but the data will be safe.
[...] this article: Linux / Security: Encrypted External Drive Part 1 – Urandom Posted in: [...]
Linux / Security: Encrypted External Drive Part 1 – Urandom | Linux Affinity said this on September 10, 2009 at 3:50 pm