
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

8 votes
1 answers
2889 views
GRUB alternative for LUKS2 with Argon2ID support
It seems that even the most recent version of GRUB2 doesn't support LUKS2 with the PBKDF Argon2ID ([source](https://wiki.archlinux.org/index.php/GRUB#Encrypted_/boot)). The Raspberry Pi bootloader for instance fully supports this new hashing function. Is there an actively maintained (and widely enough adopted) desktop Linux bootloader that supports LUKS2 devices with Argon2ID? Would it be possible to achieve an encrypted /boot (other than /) partition with this PBKDF?
Polizi8 (295 rep)
Feb 10, 2021, 02:02 PM • Last activity: Jul 14, 2025, 02:07 AM
1 votes
1 answers
3560 views
USB key not mounting at boot to unlock LUKS system
I am running Debian Jessie. I have 2 hard drives with my various partitions spread across both (not RAID). Both of them are separately LUKS encrypted, and LVMs sit upon both of those. My `/boot` partition is the only partition not included on the two hard drives; instead, it is located on an unencrypted USB stick. On the `/boot` partition is `myKeyfile.key` which should unlock both of the hard drives [but doesn't]. My goal is to have fully inaccessible/useless disks whenever the system boots without the USB stick.

Here is what I have done to accomplish this. I used this answer on StackOverflow as a guide.

----------

/etc/default/cryptdisks -

```
# Mountpoints to mount, before cryptsetup is invoked at initscripts. Takes
# mountpoints which are configured in /etc/fstab/ as arguments. Separate
# mountpoints by space.
# original: CRYPTDISKS_MOUNT=""
CRYPTDISKS_MOUNT=/boot
```

According to the comment, I just have to make sure I have the proper mountpoint name as described in fstab. For completeness, here is the relevant line:

/etc/fstab -

```
# UUID= /boot ext4 defaults 0 2
```

----------

/etc/crypttab -

```
sda1_crypt UUID= /boot/myKeyfile.key luks,keyscript=/bin/passphrase-from-usb
sda2_crypt UUID= /boot/myKeyfile.key luks,keyscript=/bin/passphrase-from-usb
```

I could specify the UUID of the USB drive (instead of `/boot/myKeyfile.key`), but then I'm not sure how I would specify that `myKeyfile.key` is the file I'm interested in.

/etc/initramfs-tools/hooks/passphrase-from-usb -

```sh
#!/bin/sh
PREREQ=""
prereqs() {
    echo "$PREREQ"
}
case "$1" in
    prereqs)
        prereqs
        exit 0
        ;;
esac
. "${CONFDIR}/initramfs.conf"
. /usr/share/initramfs-tools/hook-functions
copy_exec /bin/passphrase-from-usb /bin
```

/bin/passphrase-from-usb -

```sh
#!/bin/sh
set -e
if ! [ -e "$CRYPTTAB_KEY" ]; then
    echo "Waiting for USB stick to be recognized..." >&2
    sleep 5
fi
if [ -e "$CRYPTTAB_KEY" ]; then
    echo "Unlocking the disk $CRYPTTAB_SOURCE ($CRYPTTAB_NAME) from USB key" >&2
    echo "Using $CRYPTTAB_KEY as the key source" >&2
    dd if="$CRYPTTAB_KEY" bs=1 count=256 2>/dev/null
    exit
else
    echo "Can't find $CRYPTTAB_KEY; USB stick not present." >&2
fi
/lib/cryptsetup/askpass "Manually unlock the disk ($CRYPTTAB_NAME)\nEnter passphrase: "
```

----------

This is what I am greeted with upon booting:

```
Loading, please wait...
Volume group "vg-root" not found
Skipping volume group vg-root
Unable to find LVM volume vg-root/lv-root
Volume group "vg-other" not found
Skipping volume group vg-other
Unable to find LVM volume vg-other/lv-swap
Waiting for USB stick to be recognized...
[    3.159979] sd 7:0:0:0: [sdd] No Caching mode page found
[    3.160152] sd 7:0:0:0: [sdd] Assuming drive cache: write through
Can't find /boot/myKeyfile.key; USB stick not present.
Manually unlock the disk (sda1_crypt)
Enter passphrase:
```

After I enter the passphrase, the same exchange happens for the second disk, `sdb1_crypt`.

----------

I'm doing something wrong, but I'm not sure what. Since `CRYPTDISKS_MOUNT` "specifies the mountpoints that are mounted before cryptdisks is invoked", I thought adding `/boot` to it would make `/boot` available before the unlocking procedure began. However, it does not appear to be mounted when `/bin/passphrase-from-usb` runs. I am sure that `myKeyfile.key` is added as a LUKS key to both drives, and I have updated the initramfs via `update-initramfs -u`.
natedogg (11 rep)
Oct 18, 2015, 09:49 PM • Last activity: Jul 12, 2025, 11:02 PM
2 votes
1 answers
2140 views
How to decrypt Cryptcat (twofish) data?
I have some packets that are encrypted with the Cryptcat tool and I want to decrypt them. I have the encryption password. I tried to use netcat with cryptcat, but every time I'm connecting from netcat to cryptcat and try to send something the connection closes. I tried the following:

```
cryptcat -vv -k p@ssword -l -p 1337 > decryptedfile
```

and from another terminal:

```
cat encrypted | nc localhost 1337
```

When I hit enter the connection closes!
Eslam Medhat Ezzat (29 rep)
Nov 24, 2017, 12:39 AM • Last activity: Jul 12, 2025, 02:02 AM
3 votes
1 answers
2090 views
Debian 11 GUI Installer - How to "use the largest continuous free space" AND "set up encrypted LVM"?
The Debian GUI Installer provides multiple automated partitioning options. I've had no issues with "use entire disk and set up encrypted LVM" so far. But today I had to install Debian on a disk that is preoccupied by multiple operating systems. In the beginning of the disk there is a Windows installation, and in the end of the disk there is an Ubuntu installation. There is one continuous space in the middle of the disk. When I chose the "use the largest continuous free space" option it correctly selected the entire space but there was no automated process to encrypt the volume. So I have an unencrypted Debian installation in the middle of my disk. Is it possible to encrypt only the entire Debian portion of the disk after an unencrypted installation in the same way as the guided "use entire disk and set up encrypted LVM"? I chose to put "All files in one partition". If there are no native methods, can third party software such as Veracrypt help? If there is no solution but to reinstall, how should I partition next time to achieve what I want?
orter3838 (31 rep)
Dec 16, 2022, 09:34 AM • Last activity: Jul 10, 2025, 07:09 PM
18 votes
9 answers
23548 views
Encrypt a password the same way mysql does
I've created a user ... but forgotten the password:

```
mysql> create user 'blayo'@'%' identified by 'right';
```

Which Linux command line tool can **encrypt the password the same way mysql 5.5 does?**

```
mysql> select Password,User from mysql.user
------------------------------------------+-------+
*920018161824B14A1067A69626595E68CB8284CB | blayo |
```

...to be sure I use the right one:

```
$ tool right
*920018161824B14A1067A69626595E68CB8284CB
```
Philippe Blayo (2009 rep)
Aug 6, 2012, 08:07 PM • Last activity: Jul 7, 2025, 07:30 PM
1 votes
0 answers
25 views
Extract Chromium passwords stored via Kwallet
So I have Chromium (137) and Kwallet, and they work OK: Chromium saves and offers passwords on sites, and they are correct. But I want to back up my passwords to an external drive (and there are other use cases when I need a plain-text password, like console GitHub login), so I opened the Chromium password manager, and it was empty. No passwords at all. Offering passwords on the login screen still works OK. Do you know how I can extract passwords from the 'Login Data' sqlite file using the Kwallet key (I tried `kwalletcli -f "Chromium Keys" -e "Chromium Safe Storage"` and it returned me something that looks like a key) or just make the Chromium password manager work? Thanks
Дмитрий Батюк (11 rep)
Jul 4, 2025, 08:38 AM
-1 votes
1 answers
78 views
Is the following way of encrypting hard drive using file encryption safe?
Assuming that I want to encrypt/decrypt a hard drive corresponding to `/dev/sdX`, the following is the procedure I have for doing so:

**Encryption:**

1. Write the hard drive's data into a file (e.g. `./tmp`), using the command `dd if=/dev/sdX of=./tmp`
2. Encrypt the `tmp` file using any secure file encryption algorithm
3. Write the encrypted `tmp.enc` into the hard drive (`dd if=./tmp.enc of=/dev/sdX`)

**Decryption:**

1. Write the hard drive's data into a file (e.g. `./tmp`), using the command `dd if=/dev/sdX of=./tmp.enc`
2. Decrypt the `tmp.enc` file
3. Write the decrypted `tmp` into the hard drive (`dd if=./tmp of=/dev/sdX`)

Does the following method necessarily work?
sbh (71 rep)
Jun 28, 2025, 03:00 PM • Last activity: Jun 29, 2025, 02:57 AM
2 votes
1 answers
2079 views
Can't create encrypted partitions during Debian installation
I am using the Debian 7.4 CD. When I set a partition as `/` during manual partitioning, it is fine. However, when I then try to use it as *physical volume for encryption*... everything works fine, it erases and writes random data, BUT THEN the mount point `/` disappears! And when I try to proceed with the installation, it says

> NO root file system is defined. Please correct this from partitioning menu

And when I try to make `/`, I can't modify the partition to be used as `/` because it says

> No modification can be made. In use as physical volume for encrypted volume

I am following [these instructions](http://www.debianuserforums.org/viewtopic.php?f=9&t=460)
Arun (121 rep)
Mar 9, 2014, 07:49 AM • Last activity: Jun 13, 2025, 04:04 AM
0 votes
0 answers
26 views
How to automount eCryptfs volume at boot (without login)?
We have two servers: application server A and NFS file server B. Server B is shared among multiple various applications; it's a generic NFS storage host that we don't have access to and it's corporate shared storage. Application server A processes very sensitive data and then stores them on the NFS shared with everyone. Since it's a far from perfect situation, we need to store data from application server A on NFS in encrypted form so that it can't be read/processed even if one would have full access to NFS server B. We've set this up with gocryptfs but we're suffering from severe performance issues, so this time we decided to give ecryptfs a go. I tried to crawl through ecryptfs and encfs tutorials and docs but all of them seem to be focused on automounting the filesystem at login. For us there will be no login. It's an autonomous machine that is supposed to automatically boot after a power failure and automatically mount the encrypted volume at boot time, without human intervention. We need to provide the passphrase via a file stored on application server A's disk. How can I do that? We tried to use fstab with:

```
/mnt/nfs_encrypted /mnt/nfs ecryptfs nofail,rw,relatime,ecryptfs_sig=5d6b2xxxxxxx35,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs 0 0
```

but it fails to mount at boot time since the keyring is empty after each reboot.
Lapsio (1363 rep)
Jun 9, 2025, 03:23 PM
0 votes
1 answers
1934 views
Encrypting home directory on Raspberry pi with password file on USB
I have been trying to follow this guide: https://www.howtoforge.com/tutorial/how-to-encrypt-directories-and-partitions-with-ecryptfs-on-debian/ to encrypt the home directory on my Pi without a password by saving the password in a file on a USB stick. But the issue is that the Pi boots up to a login screen and prompts for a password. The only differences to the configuration in the guide I have made are that my USB stick is NTFS, the name of the directory that is being encrypted (pi), and the password. I tried it again and afterwards when the Pi booted up it said the root account was locked and I only had command line access to the system. Are there any passwordless encryption alternatives that I can use? The Pi will have a display but no keyboard.
somerandomguy95 (11 rep)
Nov 10, 2017, 01:59 AM • Last activity: May 24, 2025, 10:08 AM
2 votes
1 answers
142 views
What encryption algorithm does GNU recutils use?
> Recutils offers a way to encrypt specified fields in a record, whilst leaving the rest in clear text.
> -- [GNU Recutils Manual](https://www.gnu.org/software/recutils/manual/Editing-Records.html#Editing-Records)

What encryption algorithm does it use by default?
user362658
Aug 17, 2021, 07:46 PM • Last activity: May 7, 2025, 11:13 PM
0 votes
2 answers
2022 views
crypttab: location of luks header file
Hi, my crypttab looks as follows:

```
crypt_device /dev/sda luks,header=/boot/header.img
```

`update-initramfs -u -k all` works with success, but for some reason cryptsetup will not find the header.img which resides on the USB stick (that also contains the boot partition) during boot. It is stored on `/boot/header.img` (using LUKS encryption with a detached header, and a separate boot partition on USB; OS: Lubuntu 18).
user3469811 (111 rep)
Jan 19, 2019, 03:22 PM • Last activity: Apr 27, 2025, 03:06 AM
0 votes
1 answers
84 views
Journal or Diary App that's both secure and customizable
Looking for a private journal app that is customizable in font size and style and similar functions to Libra writer. Why you ask? *I am a Tinkerer, and a Philosopher of sorts, and am looking for that **"just right"** packaged app that meets these primary specs:* Encrypted, Secure, in Ubuntu or Debian, and similarly customizable to Libra Writer as far as fonts and text size and shapes goes, and also contains a simplistic toolbar for object creation with various geometric shapes and sized objects for point & click ease. Also a simple header or title block creator to start each new thought or idea would be fantastic! Also, I am somewhat new to Linux & Unix, and any terminal command line syntax to simplify installation or functionality and ways to encrypt is greatly appreciated! Thank you kindly as well, Rudy
RockinRudy69 (1 rep)
Apr 26, 2025, 09:32 AM • Last activity: Apr 26, 2025, 03:40 PM
2 votes
1 answers
3385 views
CentOS7 full disk encryption
I have one physical server and would like to configure full disk encryption for it. First I was playing around with a virtual machine (CentOS7) and have enabled it during installation:

[screenshot of the installer's encryption option]

On reboot I get the following prompt and can successfully unlock the drive:

[screenshot of the unlock prompt]

```
[root@srv~]# lsblk
NAME                                          MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
sda                                             8:0    0   20G  0 disk
├─sda1                                          8:1    0    1G  0 part  /boot
└─sda2                                          8:2    0   19G  0 part
  └─luks-9ca13c53-317d-42c5-a3ea-c6039274bf38 253:0    0   19G  0 crypt
    ├─centos_otrs-root                        253:1    0   17G  0 lvm   /
    └─centos_otrs-swap                        253:2    0    2G  0 lvm   [SWAP]
sr0                                            11:0    1 1024M  0 rom
```

AFAICS the boot partition is not encrypted. How could I possibly perform a true full disk encryption and still be able to use the crypt-ssh dracut module for remote unlocking of systems with disk encryption via ssh? Thanks!
blabla_trace (385 rep)
Apr 17, 2019, 10:45 AM • Last activity: Apr 23, 2025, 09:03 PM
2 votes
1 answers
2172 views
Yubikey file encryption without using OpenPGP?
Is there a way to encrypt single files with a Yubikey that doesn't use OpenPGP? I use my Yubikey for ssh logins and encrypting individual files (password stores.) The Yubikey is operating in CCID mode only (I don't currently use OTP or U2F.) All operations require the physical presence test. Up until now I've been using my Yubikey as an OpenPGP smart card along with:

- `gpg-agent --enable-ssh-support` for ssh support; and
- the gnupg.vim plugin for encrypting files.

GnuPG is clunky, unreliable, and hard to script. I'd like to stop using the Yubikey in this mode. I have another Yubikey that is configured as a NIST PIV smart card. I use OpenSSH's PKCS11 support and a regular ssh-agent. This is much more reliable than the gpg tools, but it *doesn't provide the individual-file-encryption support*. As I see it, there are a few possible options to using a PIV smart card for individual file encryption:

- some sort of ssh-agent + vim hack?
- maybe there's a seamless PKCS11 based file encryption tool?
- using one of the other slots on the Yubikey for file encryption, maybe with OpenSC or some of the libccid stuff?
- an open source password manager that talks directly to the Yubikey?
batty_assembly (21 rep)
May 25, 2017, 01:16 PM • Last activity: Apr 22, 2025, 10:00 AM
0 votes
1 answers
50 views
When do you have to check the fingerprint of a PGP key in an independent way during initial contact?
For brevity I talk about PGP, but GnuPG or OpenPGP are meant as well, and gpg is the OpenPGP encryption and signing tool for it. When initially establishing an email connection with someone, both parties have to exchange their public keys. If this exchange is done in person, the keys may be used right away. If they are mutually sent to each other by email, users are advised to check the **fingerprints of both public keys** by independent means rather than email. They can do so e.g. by telephone. Email is considered unsafe and a man in the middle (MIM) might intervene and replace the sent public key by another one from a key pair generated for himself on behalf of the original sender's email account. This theoretical threat works as long as MIM is able to intervene in all future encrypted emails sent to the other side using the replaced key. Such manipulation is immediately detected after the fingerprint check. That's why users are encouraged to verify the other side's public key by checking its fingerprint. The fingerprint must not be received by the same communication means.

Can this rule be relaxed, if one of the two got the other side's public key in a safe way, e.g. by

1. downloading it from a (non-compromised) https website, comparing it with the fingerprint displayed there and then using this key to send his own public key in a signed and encrypted message. Signing would prevent unnoticed manipulation of the email and encryption would safeguard MIM from knowing that the email is part of an initial key exchange. This email with attached own public key (by which any receiver could check if it is unaltered) would be encrypted with the other side's https-downloaded public key (let's assume that the other side is the only one that has access to the corresponding private key).
2. receiving the other side's public key in a signed and encrypted email, when the sender uses the receiver's public PGP key which had been verified by the sender before (a situation which might arise when one side generates a new pair of private/public keys for himself and attaches his new public key to such a message. It might also arise for the second part of an initial key exchange when one public key was transferred according to method 1. or after only one side has verified the receiver's public key).

What might be the weak points of such a simplified procedure?
Adalbert Hanßen (303 rep)
Mar 27, 2025, 06:08 PM • Last activity: Mar 28, 2025, 11:10 AM
1 votes
1 answers
2475 views
Transparently encrypting folder
I want to encrypt the folder which contains my org-mode files at rest, separate from OS level encryption. When working on these files, I would like them to be transparently decrypted so that I can use all file-based Linux and emacs tools, git, rsync, etc. For instance, I would like to keep the files in version control in a couple of places (e.g. laptop, backup server), so I can easily push and pull incremental updates. However, because the files are private, the files should be encrypted on the backup server except when synchronizing updates. The folder should also be encrypted at rest on my laptop, so that even if somebody manages to log in to my account after a reboot, they will need an additional passphrase to decrypt my personal folder (note: my personal folder is _not_ my /home/ folder. It could be a folder inside the home folder or on a memory stick). I am OK with mounting the files such that they remain readable until I log out or restart the computer. But the files should be mounted so that they do not actively have to be re-encrypted at shutdown. I.e. if there was a power cut, or the memory stick was just removed, the data would remain encrypted until it is unlocked again.

To sum it up, the requirements are:

1. folder is always encrypted at rest (no need to re-encrypt at shutdown)
2. folder can be mounted decrypted in a transparent fashion to allow use of standard tools (it looks like a normal folder to those tools)
3. the folder can grow so I can modify and add files without having to allocate a huge amount of space upfront
4. the encrypted folder should behave like a file that can be copied around without special tools and stored on any regular file-system

Bonus:

5. using widely available tools only
6. can be distributed as a "package" on a memory stick so I can access my files quickly on a new system (i.e. all tools required to decrypt can be shipped as stand-alone binaries)
7. possible to set up multiple keys including a second master key (that I would keep somewhere in case I forget the password)

What are good options available to fulfill the requirements, and maybe even some of the bonuses?
P.R. (111 rep)
May 8, 2021, 11:19 AM • Last activity: Mar 28, 2025, 03:35 AM
4 votes
1 answers
3873 views
How to know if an AMD CPU's SME feature is enabled?
More recent AMD CPUs have a feature named Secure Memory Encryption (SME) which, if available, can be explicitly enabled by adding this parameter to Linux's command line:

```
mem_encrypt=on
```

(according to https://libvirt.org/kbase/launch_security_sev.html)

I am unsure if my system (with an AMD EPYC CPU) has this feature enabled (i.e. if the feature might be on by default anyway). My question is how to check if the AMD SME feature is enabled? Since https://www.kernel.org/doc/html/latest/arch/x86/amd-memory-encryption.html suggests that:

> If support for SME is present, MSR 0xc00100010 (MSR_K8_SYSCFG) can be
> used to determine if SME is enabled and/or to enable memory
> encryption:

I have run these commands (on a Debian 10):

```
apt-get install msr-tools
rdmsr --raw 0xc0010010 | xxd -b
```

which presented me this output

```
00000000: 00000000 00000000 11110100 00000000 00000000 00000000  ......
00000006: 00000000 00000000
```

where according to the source quoted the 23rd bit indicates if SME is indeed enabled/active (=1) or not (=0). If the above is indeed the correct way to test this, a confirmation may be considered a valid answer, ideally of course providing some background. Otherwise I would be very happy to be able to check the state of SME on a running Linux system.
fraleone (897 rep)
Jan 4, 2021, 11:05 AM • Last activity: Mar 25, 2025, 11:00 AM
1 votes
0 answers
23 views
Updating macsec key on two Linux hosts using 'ip macsec' commands
I'm trying to do a simple task with no luck so far. I have two Linux hosts communicating using macsec interfaces:

Host 1:

```
[Expert@jaguar_macsec-s01-01:0]# ip macsec show
11: Sync: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: 0050569ed33d0001 on SA 0
        0: PN 123787, state on, key 00000000000000000000000000000000
    RXSC: 0050569e00d00001, state on
        0: PN 19308, state on, key 00000000000000000000000000000000
```

Host 2:

```
[Expert@jaguar_macsec-s01-02:0]# ip macsec show
11: Sync: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: 0050569e00d00001 on SA 0
        0: PN 35356, state on, key 00000000000000000000000000000000
    RXSC: 0050569ed33d0001, state on
        0: PN 148262, state on, key 00000000000000000000000000000000
```

In order to change the key, I create a new tx channel and a new rx channel on both ends, then turn off the old ones:

Host 1:

```
ip macsec add Sync tx sa 1 pn 1 key 01 81818181818181818181818181818181
ip macsec add Sync rx sci 0050569e00d00001 sa 1 pn 1 key 01 81818181818181818181818181818181
ip macsec set Sync tx sa 1 on
ip macsec set Sync rx sci 0050569e00d00001 sa 1 on
ip macsec set Sync tx sa 0 off
ip macsec set Sync rx sci 0050569e00d00001 sa 0 off
```

```
[Expert@jaguar_macsec-s01-01:0]# ip macsec show
11: Sync: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: 0050569ed33d0001 on SA 0
        0: PN 155609, state off, key 00000000000000000000000000000000
        1: PN 1, state on, key 01000000000000000000000000000000
    RXSC: 0050569e00d00001, state on
        0: PN 39777, state off, key 00000000000000000000000000000000
        1: PN 1, state on, key 01000000000000000000000000000000
```

Host 2:

```
ip macsec add Sync tx sa 1 pn 1 key 01 81818181818181818181818181818181
ip macsec add Sync rx sci 0050569ed33d0001 sa 1 pn 1 key 01 81818181818181818181818181818181
ip macsec set Sync tx sa 1 on
ip macsec set Sync rx sci 0050569ed33d0001 sa 1 on
ip macsec set Sync tx sa 0 off
ip macsec set Sync rx sci 0050569ed33d0001 sa 0 off
```

```
[Expert@jaguar_macsec-s01-02:0]# ip macsec show
11: Sync: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: 0050569e00d00001 on SA 0
        0: PN 36370, state off, key 00000000000000000000000000000000
        1: PN 1, state on, key 01000000000000000000000000000000
    RXSC: 0050569ed33d0001, state on
        0: PN 149509, state off, key 00000000000000000000000000000000
        1: PN 1, state on, key 01000000000000000000000000000000
```

As can be seen, even though I turned off the old channels, I still can't get the new ones to work: the PN (packet number) stays at 1, meaning no packets have been sent or received using these channels. Deleting the old channels completely didn't help either. I couldn't find any documentation that explains how this procedure can be done correctly. Any advice would be greatly appreciated.
user29990022 (11 rep)
Mar 20, 2025, 10:15 AM
2 votes
1 answers
89 views
Unable to unlock multiple LUKS partitions with one passphrase
I'm using Ubuntu with an LVM over LUKS disk scheme. I have two SSDs, hence two LVM PVs are needed. They are both encrypted with LUKS, and have the same passphrase. Now on boot-up, I need to type the same passphrase twice. I want to tweak init to cache the passphrase (shortly) to unlock both partitions. I tried decrypt_derived, however it doesn't work:

```
device xxx uses the kernel keyring
Nothing to read on input.
```

How can I implement this? Thanks.
AprilGrimoire (157 rep)
Mar 19, 2025, 07:24 AM • Last activity: Mar 19, 2025, 08:28 AM