[SOLVED] Questions on home folder and full drive encryption.
I do not know how ecryptfs works, but even without recovery mode, I can boot your PC from a live distro and steal your key. I repeat, I don't know ecryptfs at all, but a crypt program that stores a clear key must not be used.
BTW, the main unlock method in LUKS is the passphrase, but you can use a keyfile, e.g. stored on a pendrive that you always carry with you (ok, it's a bit too spy-movie).
LUKS is totally "invisible" to the system: once I want to mount an encrypted partition/volume, it asks for a passphrase, then it works normally.
To protect your data, you must encrypt your /home directory/partition (or wherever your data are placed). That doesn't prevent stealing/changing your login password, as it's held in /etc/passwd - /etc/shadow. Then you must encrypt the / partition. That means two (at least) LUKS partitions with two different passphrases. With the swap area we have three different passphrases (it could be the same one, but you must enter it thrice).
LVM comes to help: you create a volume, encrypt it with LUKS and create several partitions inside it. Many partitions, one key.
This link is a guide written by Alien Bob to set up encryption in Slackware; the logic under the hood is the same for every Linux.
I use it on my laptop: about 5 seconds after kernel boot, it asks for the passphrase, then it continues booting. No passphrase, no kernel boot nor partition access. Even if someone takes my HDD, there are 100MB of /boot (just kernels) on top of unreadable data.
Last edited by gengisdave; 07-02-2014 at 02:45 PM.
So I could choose LUKS + LVM on a fresh HDD and then later (after installation) choose these partitions (root, home, swap) and still just use a single passphrase?
Is LUKS safe from crackers even if they use recovery mode or a live CD/USB? It sounds like .ecryptfs is not much better than no encryption.
Would the security in these scenarios be about the same?
(a) LUKS setup with a login password.
(b) LUKS setup with auto login password. (this would be very handy and secure at the same time)
Last edited by linustalman; 07-02-2014 at 02:52 PM.
Yes, every Linux (almost every) can help you with the configuration of LUKS/LVM; otherwise you have to set it up manually (before partitioning). LUKS provides block-level encryption, like TrueCrypt does; there is no way to decode the data without the passphrase.
Once the passphrase is provided, the partitions are "unlocked" and the system works normally. In both of your scenarios, the login happens after you have unlocked the drive (automatically or not), so the security is the same.
Jump to "Combining LUKS and LVM", but read the whole document for completeness.
Fast mode: create a little partition for /boot; create the big partition; encrypt it with LUKS; mount it and create an LVM inside it; create LVM partitions (at least / and swap); install Linux as usual.
I don't know if Mint has an easier way to do this (I've seen it offers to encrypt the home folder but I've never tried it), so I fear you have to do this in a terminal.
ADD: depending on the kernel installed, you have to build an initrd, or you'll get a kernel panic.
Last edited by gengisdave; 07-08-2014 at 05:34 PM.
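A way to verify, after following the "fast mode" layout above, that everything except /boot really sits on the LUKS device: the audit script below (an added example, not code from the thread or from any LUKS/LVM tool) walks the parent links in `lsblk -rno NAME,TYPE,MOUNTPOINT,PKNAME` output and reports whether /, /home and swap are under a `crypt` mapping. The embedded sample output is constructed to match the layout gengisdave describes, and the raw-mode field format (one space between fields, empty field as empty string) is an assumption about util-linux's `-r` output.

```python
import sys

# Constructed sample of `lsblk -rno NAME,TYPE,MOUNTPOINT,PKNAME` (raw mode, one space
# between fields, empty field = empty string) for the layout the thread describes: plain
# /boot, one LUKS partition holding an LVM group with root, home and swap volumes.
SAMPLE_LSBLK = """\
sda disk
sda1 part /boot sda
sda2 part  sda
cryptlvm crypt  sda2
vg-root lvm / cryptlvm
vg-home lvm /home cryptlvm
vg-swap lvm [SWAP] cryptlvm
"""

def parse_lsblk(text):
    """Map device name -> (type, mountpoint, parent name); short lines are padded."""
    devices = {}
    for line in text.splitlines():
        if line.strip():
            fields = (line.split(" ") + ["", "", ""])[:4]
            devices[fields[0]] = tuple(fields[1:])
    return devices

def is_under_crypt(devices, name):
    """True if the device or any ancestor (via PKNAME) is a dm-crypt/LUKS mapping."""
    seen = set()
    while name and name not in seen:
        seen.add(name)
        dtype, _, parent = devices.get(name, ("", "", ""))
        if dtype == "crypt":
            return True
        name = parent
    return False

def audit(text, wanted=("/boot", "/", "/home", "[SWAP]")):
    """For each mount point: True = on encrypted storage, False = plain, None = absent."""
    devices = parse_lsblk(text)
    by_mount = {mnt: dev for dev, (_, mnt, _) in devices.items() if mnt}
    return {mnt: (None if mnt not in by_mount else is_under_crypt(devices, by_mount[mnt]))
            for mnt in wanted}

if __name__ == "__main__":
    # Real run: lsblk -rno NAME,TYPE,MOUNTPOINT,PKNAME | python3 luks_audit.py
    text = SAMPLE_LSBLK if sys.stdin.isatty() else sys.stdin.read()
    for mnt, enc in audit(text).items():
        print(f"{mnt:7} {'absent' if enc is None else 'encrypted' if enc else 'PLAIN'}")
```

A home-only setup (plain / with a separate LUKS /home) shows up as `/ PLAIN`, which is exactly the /etc/shadow exposure discussed earlier in the thread.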