Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I am considering encryption of some of my drives: USBs, the 'D' drive, etc. seems straightforward.
However, having read briefly that some do not recommend encryption of whole drives or the OS due to slowness or the possibility of errors, I am wondering if it is worth securing the OS or 'C' drive. (I have Linux on a USB and Windows on the 'C' drive.)
Apart from browser history and bookmarks etc., what are the files/folders that would be worth encrypting on the OS or 'C' drive? And would encrypting part of those drives cause any operating problems?
You can download a lot of different distros; why do you want to encrypt it? You only need to save your personal data (and probably some configuration). That's why you can/need to put all the sensitive data onto an encrypted drive.
In my experience, the chief reason for encryption is to protect data in case of loss.
Encrypted thumb drives are available off-the-shelf.
At my last job, all PCs were laptops. When we were issued a new one, the IT folks made sure all our data got moved over and all the software was loaded and configured (these were Windows 7 laptops), and then they started the whole-disk encryption process, which typically took 24-36 hours. We weren't allowed to take the laptops off the premises until that process was complete. There were no obvious issues in performance once the encryption was completed...things were impacted during the encryption process, but that was a one-time thing.
One could be dismissed if caught using a non-encrypted and passworded thumb drive.
Veracrypt will only encrypt the OS on Windows not Linux. But the possibility of using containers/partitions/devices should be enough for most users' needs.
On my laptops (all Debian) all file systems except for /boot are encrypted. It's just a matter of selecting the option at install time. From what I've read the overhead is minimal. If you have a separate /home partition, you may prefer to encrypt only that.
What is your attack scenario - what are you trying to protect against?
Encrypting the O/S is pointless IMHO. I always have a separate /home partition - the encrypted /home offered by Ubuntu derivatives I find too limited, but plenty use it. Simpler to encrypt the entire partition as implied/stated above.
Always consider how you will recover your data - maybe on a system you don't own ...
I have looked at VeraCrypt. I did not know it only encrypted the Windows OS, not Linux. I can see I can still use it for folders/partitions.
One question is about the OS. I know most personal stuff is stored in /home. But are there other folders/files on the OS, such as bookmarks and browser history, that should be encrypted? How would I do that?
As a matter of course I keep larger personal files on my D drive, which can be accessed by my Linux OS, which I have installed on a USB.
I tried to encrypt when installing the OS - but installing under 'something else' seemed to grey out the encryption option.
I will encrypt the /home folder - this is on my USB (all under /root). I know I could have it separate, but for simplicity I installed the whole file system under /root.
Do users of VeraCrypt tend to have problems when opening encrypted folders? I think I read many have to resort to a recovery key on an external USB?
The attack could be physical (i.e. someone taking the USB or laptop) or could be an intrusion via the web. Both theoretical, as I have sole use and I do not use it in public or outside.
I would recover either on my own existing OS or a fresh install on another usb of my own.
Do users of VeraCrypt tend to have problems when opening encrypted folders?
I think I read many have to resort to a recovery key on an external USB?
It's recommended to make a backup of the header in case of any problems, regardless of where the volume is hosted. Volumes hosted on USB devices do not present any more risk than those hosted elsewhere.
Bookmarks and such are stored in hidden directories under /home. If you encrypt that, everything that matters will be taken care of. Well worthwhile for a laptop.
If you use hibernation/suspend, make sure you are set up to always require a password to resume - what if the laptop gets stolen whilst suspended? And encrypting data provides no protection against on-line attacks - when mounted (i.e. when you are logged in) the data are unencrypted. So it is merely part of the solution, not the be-all-and-end-all.
Thanks for the pointer about bookmarks etc and helpful advice on security in general.
It is possible with cryptsetup-reencrypt, but it's an inherently dangerous operation not resistant to hardware or kernel failures during the process (make a backup first), and you need to be able to shrink the filesystem enough to make room for the ~2MB LUKS header at the start of the partition. I believe that recent versions of the cryptsetup package include the cryptsetup-reencrypt tool. (Formerly, you had to download the source for that package and build that tool yourself.)
If you've decided you need to protect your data with encryption, then in my opinion encrypting /home isn't sufficient. You need to also encrypt /var, /tmp (unless it's tmpfs), possibly /etc depending on the contents of your system configuration and how sensitive that is, your swap partition, and anywhere else the software you use could store temporary information or metadata about your data. You also shouldn't leave your machine unattended whilst it's turned on or sleeping.
The overhead incurred by encrypting the entire drive, save /boot, is in my opinion a small sacrifice for the peace of mind that the computer won't write information that I want protected to somewhere not encrypted.
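The post above about cryptsetup-reencrypt says the ~2MB LUKS header sits at the start of the partition and that a header backup is essential. The following is an added example, not code from the thread or from the cryptsetup project: it decodes a LUKS1 header (the fixed 592-byte phdr plus its eight keyslot records) and reports the region a header backup must cover, i.e. everything before the payload offset. The header bytes are constructed inline with struct.pack; no device is read, and the sample cipher, UUID and keyslot values are made up.

```python
"""Parse a LUKS1 header to see what a header backup has to cover.

Added example (not from the thread). The header below is constructed with
struct.pack to the LUKS1 on-disk layout; nothing is read from a real device.
"""
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
KEY_ENABLED, KEY_DISABLED = 0x00AC71F3, 0x0000DEAD   # LUKS1 keyslot state markers
SECTOR = 512
# Volume fields (208 bytes, big-endian) followed by 8 keyslots of 48 bytes each.
PHDR_FMT = ">6sH32s32s32sII20s32sI40s"
SLOT_FMT = ">II32sII"
NUM_SLOTS = 8


def is_luks1(blob):
    """True if the blob is large enough and carries the LUKS magic, version 1."""
    if len(blob) < struct.calcsize(PHDR_FMT) + NUM_SLOTS * struct.calcsize(SLOT_FMT):
        return False
    magic, version = struct.unpack_from(">6sH", blob, 0)
    return magic == LUKS_MAGIC and version == 1


def parse_luks1_header(blob):
    """Decode the fixed-size phdr and its keyslot table into a dict."""
    if not is_luks1(blob):
        raise ValueError("not a LUKS1 header")
    (_magic, _version, cipher, mode, hashspec, payload_off, key_bytes,
     _digest, _salt, _iters, uuid) = struct.unpack_from(PHDR_FMT, blob, 0)
    off = struct.calcsize(PHDR_FMT)
    slots = []
    for idx in range(NUM_SLOTS):
        active, iters, _s, km_off, stripes = struct.unpack_from(SLOT_FMT, blob, off)
        slots.append({"index": idx, "active": active == KEY_ENABLED,
                      "iterations": iters, "key_material_sector": km_off,
                      "stripes": stripes})
        off += struct.calcsize(SLOT_FMT)
    return {
        "cipher": cipher.rstrip(b"\0").decode(),
        "mode": mode.rstrip(b"\0").decode(),
        "hash": hashspec.rstrip(b"\0").decode(),
        "key_bytes": key_bytes,
        "payload_offset_sectors": payload_off,
        "uuid": uuid.rstrip(b"\0").decode(),
        "slots": slots,
    }


def header_region_bytes(info):
    """Bytes from sector 0 up to the encrypted payload: the phdr plus all
    keyslot material. Losing this region makes the volume unrecoverable,
    which is why a header backup matters; it is also the room that must be
    freed at the front of a partition before encrypting it in place."""
    return info["payload_offset_sectors"] * SECTOR


def active_keyslots(info):
    """Indices of keyslots that can still unlock the volume."""
    return [s["index"] for s in info["slots"] if s["active"]]


def build_sample_header(payload_sectors=4096, active=(0,)):
    """Constructed LUKS1 header (sample values, not from any real device).
    4096 sectors x 512 bytes = 2 MiB, the usual LUKS1 header footprint."""
    slots = b""
    for idx in range(NUM_SLOTS):
        on = idx in active
        slots += struct.pack(SLOT_FMT, KEY_ENABLED if on else KEY_DISABLED,
                             100000 if on else 0, bytes([idx]) * 32,
                             8 + idx * 504, 4000)
    return struct.pack(PHDR_FMT, LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                       payload_sectors, 64, b"\x11" * 20, b"\x22" * 32, 2000,
                       b"0f8b9c4e-0000-4000-8000-000000000001") + slots


if __name__ == "__main__":
    hdr = parse_luks1_header(build_sample_header())
    print(f"{hdr['cipher']}-{hdr['mode']} keyslots {active_keyslots(hdr)} "
          f"header region {header_region_bytes(hdr)} bytes")
```

On a real LUKS device the supported way to take the backup is `cryptsetup luksHeaderBackup <device> --header-backup-file <file>`; the parser here only shows what that file contains and why the "~2MB" figure in the post follows from the payload offset. Note that LUKS2 uses a different, larger header layout that this LUKS1 parser does not decode.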
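The last two posts list the places besides /home that can leak plaintext (/var, /tmp unless it is tmpfs, swap) and note that encryption only helps for data at rest. An added example, not from the thread, that turns that list into a check a user can run on their own machine: it walks `lsblk -J -o NAME,TYPE,MOUNTPOINT` JSON to see whether a dm-crypt node sits between each mounted filesystem and its disk, resolves each sensitive path to the mount that actually holds it via /proc/mounts, and treats RAM-backed filesystems as exempt. The lsblk JSON and /proc/mounts text below are constructed samples, not captured from a real system.

```python
"""Audit which sensitive mount points are backed by dm-crypt.

Added example (not from the thread). Inputs are `lsblk -J -o NAME,TYPE,MOUNTPOINT`
JSON and /proc/mounts text; the samples below are constructed, not captured from
a real machine.
"""
import json

# Paths the thread lists as worth protecting; "[SWAP]" is lsblk's swap marker.
SENSITIVE_DEFAULT = ("/", "/home", "/var", "/tmp", "[SWAP]")
# RAM-backed filesystems hold nothing at rest, so there is nothing to encrypt.
EXEMPT_FSTYPES = {"tmpfs", "ramfs"}

# Constructed lsblk tree: / , /home and swap are LVs on top of a crypt device,
# /var is a plain partition, /boot and an external data disk are unencrypted.
SAMPLE_LSBLK = json.loads("""
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot"},
    {"name": "sda2", "type": "part", "mountpoint": null, "children": [
      {"name": "cryptroot", "type": "crypt", "mountpoint": null, "children": [
        {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
        {"name": "vg-home", "type": "lvm", "mountpoint": "/home"},
        {"name": "vg-swap", "type": "lvm", "mountpoint": "[SWAP]"}]}]},
    {"name": "sda3", "type": "part", "mountpoint": "/var"}]},
  {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
    {"name": "sdb1", "type": "part", "mountpoint": "/mnt/data"}]}]}
""")

# Constructed /proc/mounts lines matching the tree above; /tmp is a tmpfs.
SAMPLE_PROC_MOUNTS = """\
/dev/mapper/vg-root / ext4 rw,relatime 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0
/dev/mapper/vg-home /home ext4 rw,relatime 0 0
/dev/sda3 /var ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sdb1 /mnt/data ext4 rw,relatime 0 0
"""


def encrypted_mountpoints(lsblk):
    """Map each mountpoint in the lsblk tree to whether a node of type "crypt"
    lies on the path from the disk down to it (the mounted device included)."""
    found = {}

    def walk(node, under_crypt):
        enc = under_crypt or node.get("type") == "crypt"
        # Older lsblk emits "mountpoint"; newer versions also emit "mountpoints".
        for mp in [node.get("mountpoint")] + list(node.get("mountpoints") or []):
            if mp:
                found[mp] = enc
        for child in node.get("children") or []:
            walk(child, enc)

    for dev in lsblk["blockdevices"]:
        walk(dev, False)
    return found


def parse_proc_mounts(text):
    """Return [(mountpoint, fstype), ...] from /proc/mounts-style lines."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            rows.append((fields[1], fields[2]))
    return rows


def backing_mount(path, mounts):
    """Longest-prefix match: the mount that actually holds `path`, so a
    directory that is not a separate mount inherits its parent's status."""
    best = None
    for mp, fstype in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[0]):
                best = (mp, fstype)
    return best


def audit(lsblk, proc_mounts_text, sensitive=SENSITIVE_DEFAULT):
    """Return {path: (backing mountpoint, status)}; status is "encrypted",
    "unencrypted", "exempt" (RAM-backed), "absent" or "unknown"."""
    enc = encrypted_mountpoints(lsblk)
    mounts = parse_proc_mounts(proc_mounts_text)
    report = {}
    for path in sensitive:
        if path == "[SWAP]":
            if path not in enc:
                report[path] = (path, "absent")      # no block-device swap active
            else:
                report[path] = (path, "encrypted" if enc[path] else "unencrypted")
            continue
        hit = backing_mount(path, mounts)
        if hit is None:
            report[path] = (None, "absent")
            continue
        mp, fstype = hit
        if fstype in EXEMPT_FSTYPES:
            status = "exempt"
        elif mp in enc:
            status = "encrypted" if enc[mp] else "unencrypted"
        else:
            status = "unknown"       # e.g. a network or overlay filesystem
        report[path] = (mp, status)
    return report


def unprotected(report):
    """Only the paths that still land on plaintext storage."""
    return sorted(p for p, (_, s) in report.items() if s == "unencrypted")


if __name__ == "__main__":
    for path, (mp, status) in audit(SAMPLE_LSBLK, SAMPLE_PROC_MOUNTS).items():
        print(f"{path:8} -> {mp!s:10} {status}")
```

To run it against a live system, replace the two samples with `json.loads` of the output of `lsblk -J -o NAME,TYPE,MOUNTPOINT` and the contents of /proc/mounts. A swap file on an encrypted filesystem will show as "absent" here because it is not a block device in lsblk; /boot is deliberately not in the default list, matching the posts that leave it unencrypted. As the thread says, this only covers data at rest: a mounted volume is plaintext to anything running as the logged-in user.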