I am looking for a way to set up a laptop with a single linux OS installed that uses disk encryption to protect the data on the HDD. This is the first time I'm working on a project like this and I'd like to ask for some guidelines. I'm not sure to what degree a disk can be encrypted in linux, but I am talking about at least an encrypted root partition and encrypted swap, both with pre-boot authentication (meaning you need the correct password to decrypt them at boot).
What are the possibilities and suggestions?
Regards, Ol
Many mainstream distros support whole disk encryption out of the box - though you should realise that, unlike other OSs, linux does not write sensitive or user information to any old place on the drive. So it is very common to leave separate boot (and other) partitions unencrypted.
Ubuntu, in particular, supports double encryption - you can install to an encrypted HDD, putting the keys on a removable drive, and also have an encrypted directory off your home directory (called ~/Private) for stuff so sensitive, you don't want people getting to it when you leave your laptop for a bit.
You can also create plausible deniability by dual booting so the unencrypted (dummy) linux boots when a key drive is not plugged in.
There are many articles online on this subject too.
Basically, I am looking for something to encrypt the contents of the operating system (root partition) and the swap. The user has to provide the correct password before the OS partition can be decrypted and the system boots normally (pre-boot authentication).
I am not so paranoid as to put the boot files onto removable media. I'm fine with the idea that the files remain on the hard disk (likely the /boot partition, which will probably have to remain unencrypted) as long as a passphrase is needed at boot-time to decrypt and boot the OS.
The linux image I'm working with doesn't offer any encryption at installation and I'm talking about having to set up the encryption manually. This is where I require some advice as I am not sure what solution to use.
I was thinking about using dm-crypt/cryptsetup/LUKS.
Quote:
I was thinking about using dm-crypt/cryptsetup/LUKS.
That's the standard setup for most linuxes. There are plenty of howtos.
Ubuntu uses LVM to help.
Bear in mind that there is no such thing as "true" whole disk encryption - something has to be available to run the bootstrap, get the keys, decrypt the boot partition ... etc.
Why do you want to encrypt /boot?
Encrypting the entire drive is needed in Windows because temporary files can be written anywhere. But linux does not write to /boot.
Ah, thank you. This last post of yours has a good amount of answers.
Quote:
Originally Posted by Simon Bridge
That's the standard setup for most linuxes. There are plenty of howtos.
Excellent. I assume this is also the proper way of doing it on linux.
Quote:
Originally Posted by Simon Bridge
Ubuntu uses LVM to help.
I'm not quite sure what LVM is, but I'll do some googling and reading.
Quote:
Originally Posted by Simon Bridge
Bear in mind that there is no such thing as "true" whole disk encryption - something has to be available to run the bootstrap, get the keys, decrypt the boot partition ... etc.
That is correct. Most users would suggest putting the needed boot files onto some removable media, but for my setup, I would much rather have all necessary files on the HDD itself. I am aware this approach may require some unencrypted space.
Quote:
Originally Posted by Simon Bridge
Why do you want to encrypt /boot?
Encrypting the entire drive is needed in Windows because temporary files can be written anywhere. But linux does not write to /boot.
I'm not sure if it's even possible to have an encrypted /boot partition and have the system boot without relying on any external files located on some removable media. Perhaps there is a linux boot loader that can decrypt the /boot partition and boot the system normally. I wonder if grub2 supports this feature, I really don't know. In windows I know that TrueCrypt has a boot loader of its own that decrypts the rest of the file system. Anyway, I was thinking about setting up a system that does have an unencrypted boot partition, but if there is a way to encrypt that as well (no external dependencies) then so much the better.
Why encrypt the boot partition, you ask? Ask yourself how secure the other approach really is. An adversary could easily access the /boot partition and replace or modify some files to insert a malicious keylogger that in turn logs the passphrase upon entering it and hides it somewhere within the unencrypted space without my knowledge. All that is left to do is to read it while I'm not paying attention.
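The tampering risk raised in the post above can at least be detected when /boot stays unencrypted. The following is an added example, not something posted in the thread: it records SHA-256 hashes of everything under /boot and compares them on later boots. The function names and file paths are hypothetical, and it assumes the manifest is stored on the encrypted root filesystem.

```shell
#!/bin/sh
# Added example: hash manifest for an unencrypted /boot (function names are hypothetical).
# Assumption: MANIFEST lives on the encrypted root, so it cannot be rewritten
# by someone who only has access to the powered-off disk.

# boot_manifest DIR: print "sha256  ./path" for every regular file, sorted.
boot_manifest() {
    ( cd "$1" || exit 1
      find . -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum )
}

# boot_manifest_save DIR MANIFEST: record the known-good state.
boot_manifest_save() {
    boot_manifest "$1" > "$2" && chmod 600 "$2"
}

# boot_manifest_check DIR MANIFEST
# Returns 0 on a match, 1 after printing each changed, added or removed path,
# 2 if the manifest or directory cannot be read.
boot_manifest_check() {
    [ -r "$2" ] || return 2
    current=$(mktemp) || return 2
    if ! boot_manifest "$1" > "$current"; then
        rm -f "$current"; return 2
    fi
    if cmp -s "$2" "$current"; then
        rm -f "$current"; return 0
    fi
    # Lines present in only one manifest belong to files that differ.
    # The path starts at column 67 (64 hex digits plus two separator characters).
    LC_ALL=C sort "$2" "$current" | uniq -u | cut -c67- | LC_ALL=C sort -u
    rm -f "$current"
    return 1
}

# Typical use (paths are assumptions):
#   boot_manifest_save  /boot /root/boot.sha256    # after each kernel/initramfs update
#   boot_manifest_check /boot /root/boot.sha256    # early in every boot, e.g. from an init script
```

A check run from the unlocked system reports a change only after the passphrase has already been typed, so a mismatch means the passphrase should be treated as exposed and changed from a trusted environment.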
Fedora 10 allows you to check a box ("Encrypt Drive") during drive configuration that will create a single encrypted partition that holds / and swap inside it. /boot is left unencrypted, but should never contain any sensitive data from a general user.
In debian lenny with encrypted root and swap partitions, when booting, one is asked for root and swap passphrases. To avoid the swap passphrase, a working setup is found here: [LINK REMOVED BY MODERATOR]
tkibugu, please stop using LQ posts to promote your site. If you continue this sort of behavior, there will be consequences which may include your temporary or even permanent loss of LQ privileges. TIA.