Full disk encryption

Message
Author
User avatar
anticapitalista
Developer
Posts: 4160
Joined: Sat Jul 15, 2006 10:40 am

Full disk encryption

#1 Post by anticapitalista »

We want to add full disk encryption within the antiX/MX installer, and we need some feedback from users who already use a Linux OS with full disk encryption (fde).

How many times do you have to input the encryption passphrase?
When?
Does the system use LUKS over LVM? Should it?

I ask since I tried 2 different Linux distros that offer fde, and they did it differently.
One prompted for the passphrase before grub menu and also afterwards when 'opening' the root filesystem.
The other only prompted once, IIRC after the grub menu.

Thanks
anticapitalista
Reg. linux user #395339.

Philosophers have interpreted the world in many ways; the point is to change it.

antiX with runit - lean and mean.
https://antixlinux.com

User avatar
Mauser
Posts: 1350
Joined: Mon Jun 27, 2016 7:32 pm

Re: Full disk encryption

#2 Post by Mauser »

This would be great.
I am command line illiterate. :confused: I copy & paste to the terminal. Liars, Wiseguys, Trolls, and those without manners will be added to my ignore list. :mad:

User avatar
Adrian
Developer
Posts: 8248
Joined: Wed Jul 12, 2006 1:42 am

Re: Full disk encryption

#3 Post by Adrian »

How many people around have experience with LVM?

User avatar
fbc
Posts: 2
Joined: Thu May 10, 2018 11:07 am

Re: Full disk encryption

#4 Post by fbc »

How many times do you have to input the encryption passphrase?
Assuming you involve the cryptsetup executable, you have the option --verify-passphrase.
It's arguable how much sense that makes from a frontend, which can verify the input itself, but it's also
arguable whether the frontend should know about the meaning of the corresponding input field. The
repetition could just be made optional, with an additional option to visually reveal the passphrase (like
in the user creation dialog; I think most people wouldn't consider this critical, because the encryption is
only setup once.
Does the system use LUKS over LVM? Should it?
If "the system" refers to MX Linux, honestly, I don't know... both LUKS and LVM, however, are addressed
via the device mapper infrastructure, which generally means, that you can as well have LUKS on LVM as LVM on LUKS.

Omitting (SW/HW) RAID from this thread, most users would create one partition per disk and make
that physical volume (PV), logically dividing that into extents, which can be concluded to logical volumes (LV).

From my POV it's logical to encrypt the partition and create the PV in the encrypted volume, so I have to provide a passphrase only once.

Another approach would be to set up the LVs to be encrypted individually. Apart from the fact, that the
user has to memorize possibly distinct passphrases per LV, this method could leak information about the
distribution of LVs in the PV (how critical that is, remains at the discretion of each user; i. e. I wouldn't
care, but others do).

Encrypting individual LVs has an advantage: assume your girlfriend/brother/daughter/father needs their
data for a presentation tomorrow, but their notebook died yesterday... They have the data on backup
and ask if they can borrow your laptop, and there's no reason against it. Just install their Widows and
Orphace into an LV, which can be passed via Xen to any DomU so that it appears as a physical block
device. And even if that respective person works for Bank A, while you work for Bank B, there's little
chance that they could access the other, individually encrypted LVs on the system, which could hold
delicate data of Bank B.

Since LVM on LUKS is as possible as LUKS on LVM, and both are mediated via the device manager, both
approaches can even be combined.

To abstract the term "logical volume": even encrypting a partition makes a logical volume (in a broader
sense), which can be used as a physical volume in terms of LVM. That PV can be partitioned into so
called extents, which can be concluded into LVM LVs... each of those LVs can in turn be encrypted or
even made further physical volumes for a distinct LVM volume group. Etc. etc...

How much of this setup could/should/would be implemented in an installer, is also debatable to the
max. If it was my task, I'd just say, support LVM so far that LVs are recognized (using lvscan),
but leave the creation of such arbitrarily nested LUKS/LVM setups out of the installation focus.

An option could be to add an alternative choice to gparted, which runs a shell, in which a user can do
this setup if they feel like it, and afterwards, no matter whether they choose gparted or a manual setup
(or maybe the disk to be used has been partitioned/LVMed as desired in the first place), just read in all
possible volumes (even with recursion it's pretty easy), using lvscan and cryptsetup isLuks <device-node>, give the user the chance to unlock volumes, then check again. Finally, when the volumes,
that the user deems important, are visible in the system, let the user choose:

- never touch this (probably for most of already existing file systems, or at least for LVM physical
volumes not scanned for their contents)
- don't mount
- mount as <mountpoint>
- format as <filesystem choice> and mount as <mountpoint>

While the first two options are technically equivalent, they may raise awareness when facing a user who
is not (yet) well experienced...

Anyway, just a set of suggestions...

Have a good time... til then...

User avatar
JCH760310
Posts: 1
Joined: Tue Apr 25, 2017 8:46 am

Re: Full disk encryption

#5 Post by JCH760310 »

FDE would be great addition to already great distro .....

I still have Ubuntu MATE on my laptop because it has FDE (providing passphrase just once), but the desktop was already migrated from W10 to MX, but I'd like to have FDE as an extra security layer on desktop as well.

User avatar
KBD
Posts: 959
Joined: Sun Jul 03, 2011 7:52 pm

Re: Full disk encryption

#6 Post by KBD »

FDE is a good idea. I used it in the past with Debian. I only remember being asked for my password once at bootup. I use just a single partition with everything on it and never had any problems with FDE. I have seen on one of the forums recently, perhaps Mint?, that those using a separate home partition had issues with FDE so might want to test for that.

User avatar
johnf76
Posts: 10
Joined: Tue Jun 19, 2018 11:09 am

Re: Full disk encryption

#7 Post by johnf76 »

Hi!

I use Linux Mint XFCE (18.3) with FDE (LUKS). I actually like having to enter in a password twice...in my case, I can use two different passwords, which I think gives a bit more security as well. I am intrigued with MX, though for work purposes I would need FDE if I'm to use it on my laptop. Great Distro, by the way!

User avatar
c4os
Posts: 29
Joined: Tue Jun 19, 2018 12:28 pm

Re: Full disk encryption

#8 Post by c4os »

Hello MX friends,

I'm new at the forum, especially registered for this thread.

I also missed the full disk encryption, because wifi passwords and /tmp is not secure with home encryption.
With some tests yesterday, I made an manual for full disk encryption.

But first the answer to the questions at the beginning:
How many times do you have to input the encryption passphrase? One time
When? When the system boots
Does the system use LUKS over LVM? Should it? Yes, it's LUKS over LVM

This manual is for an empty disk, but it also works behind a Windows installation, if Windows has only 3 partitions created.
Normally Windows use a boot, a system and a recovery disk, which are primary disks. In this case the fourth should be an extended partition, which include boot and the rest of LVM partitions.
But we speak about an empty disk and this is only for information.
Also the numbers of partitions into the LVM are not limited. You can create as much as you want. In my manual I created only root, home and swap.

Unfortunately you have to type two passwords. One for encryption and one for login.

Should I add it as attachment or as code block? Because it's a little bit longer! ;)
Last edited by c4os on Wed Jun 20, 2018 6:40 am, edited 2 times in total.
Powered on: MX 17 Horizon x86_64
Hardware: Dell Latitude E4300 - CPU: Intel Core 2 Duo P9600 (2) @ 2.535GHz - Memory: 4GB
Style: Resolution: 1280x800 - WM Theme: Balou - Theme: Blackbird [GTK2/3] - Icons: Papirus-Dark [GTK2]

User avatar
c4os
Posts: 29
Joined: Tue Jun 19, 2018 12:28 pm

Re: Full disk encryption

#9 Post by c4os »

Need to correct that:
Does the system use LUKS over LVM? Should it? No, it's LVM over LUKS!
Powered on: MX 17 Horizon x86_64
Hardware: Dell Latitude E4300 - CPU: Intel Core 2 Duo P9600 (2) @ 2.535GHz - Memory: 4GB
Style: Resolution: 1280x800 - WM Theme: Balou - Theme: Blackbird [GTK2/3] - Icons: Papirus-Dark [GTK2]

User avatar
Adrian
Developer
Posts: 8248
Joined: Wed Jul 12, 2006 1:42 am

Re: Full disk encryption

#10 Post by Adrian »

Thanks, add a code block, not sure you can add an attachment as a new user of the forum.

Post Reply

Return to “General”