LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 05-22-2022, 06:44 PM   #1
Skaperen
Senior Member
 
Registered: May 2009
Location: center of singularity
Distribution: Xubuntu, Ubuntu, Slackware, Amazon Linux, OpenBSD, LFS (on Sparc_32 and i386)
Posts: 2,678
Blog Entries: 31

Rep: Reputation: 176Reputation: 176
does full disk encryption really need LVM?


i want to do full disk encryption on a disk. here are some details:

1. the disk is /dev/sdc, not /dev/sda.
2. its passphrase will be entered manually.
3. i will be mounting it via the admin user (auto-logged-in, sudo authorized)
4. home directories for most users will be on it (not root or admin).
5. i may, some day, have container and/or virtual machine systems in some form on it.
6. there may be only one partition or there may be more than one.
7. it is intended to secure even the partition table and boot sector.
8. i may want to do other disks and memory sticks this way.
9. i want to use the simplest mechanism for encryption, even if it involves more work.

do i really need to use LVM, as every instruction page i have found online would have me do? to me, LVM is adding more work for the system to do. i am not counting the crypto that is being done as part of that work.

does anyone know of a non-LVM way to deploy full disk encryption that i will not be booting from? i am using Xubuntu 18.04.6 and later on 22.04 LTS (freshly installed onto a non-encrypted disk then upgraded as needed). there is no dual-booting on this system
 
Old 05-22-2022, 09:40 PM   #2
wpeckham
LQ Guru
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS,Manjaro
Posts: 5,512

Rep: Reputation: 2658Reputation: 2658Reputation: 2658Reputation: 2658Reputation: 2658Reputation: 2658Reputation: 2658Reputation: 2658Reputation: 2658Reputation: 2658Reputation: 2658
There are MANY disk/partition/volume encryption tools for Linux. You should look up several, examine their advantages and disadvantages, and select one that fits your risk evaluation, security needs, and work profile.
Some places to start https://www.ubuntupit.com/best-disk-...are-for-linux/ or perhaps https://www.tecmint.com/file-and-dis...ols-for-linux/ and possibly something from https://linuxsecurity.com/features/b...ools-for-linux.
 
Old 05-23-2022, 03:20 AM   #3
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 21,103

Rep: Reputation: 4117Reputation: 4117Reputation: 4117Reputation: 4117Reputation: 4117Reputation: 4117Reputation: 4117Reputation: 4117Reputation: 4117Reputation: 4117Reputation: 4117
It's your foot, and your gun.

The entire exercise should at least be educational. A LUKS (e.g) container is just a block device once its opened; feel free to construct a partition table therein. T'were it me, I would encrypt the entire device (without partitioning).
Good luck with your plans for /home.

tl;dr - use LVM, it has all the plumbing already tested.
 
1 members found this post helpful.
Old 05-24-2022, 05:20 AM   #4
zeebra
Senior Member
 
Registered: Dec 2011
Distribution: Slackware
Posts: 1,824
Blog Entries: 17

Rep: Reputation: 635Reputation: 635Reputation: 635Reputation: 635Reputation: 635Reputation: 635
I dunno what you mean, but personally I only ever used LUKS in recent times.

I partition my disks "normally" and manually create with cryptsetup etc or through some tools do it automatically (like distro installer). I've used this for partitions and full disks internal and external. Never had a problem.
 
Old 05-28-2022, 06:27 PM   #5
Skaperen
Senior Member
 
Registered: May 2009
Location: center of singularity
Distribution: Xubuntu, Ubuntu, Slackware, Amazon Linux, OpenBSD, LFS (on Sparc_32 and i386)
Posts: 2,678

Original Poster
Blog Entries: 31

Rep: Reputation: 176Reputation: 176
Quote:
Originally Posted by syg00 View Post
It's your foot, and your gun.
right! but should i go with revolver or semi-auto?

Quote:
Originally Posted by syg00 View Post
The entire exercise should at least be educational. A LUKS (e.g) container is just a block device once its opened; feel free to construct a partition table therein. T'were it me, I would encrypt the entire device (without partitioning).
Good luck with your plans for /home.

tl;dr - use LVM, it has all the plumbing already tested.
the plan is to do full disk encryption to make a new full disk device appear. then partition that new device. I/O to all sectors would go through encryption or decryption. if the disk is stolen, the thieves would have no knowledge of how it's encrypted. i would enter the passphrase after it is booted up as part of adding the disk to the running system. then file system(s) can be mounted.
 
Old 05-28-2022, 09:53 PM   #6
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: Rocky Linux
Posts: 4,770

Rep: Reputation: 2210Reputation: 2210Reputation: 2210Reputation: 2210Reputation: 2210Reputation: 2210Reputation: 2210Reputation: 2210Reputation: 2210Reputation: 2210Reputation: 2210
If you encrypt the entire device and then partition the encrypted container, you will have to add an extra step, probably a call to kpartx, in the init scripts to scan that container for partitions.

If you use LUKS, the header on the device will proudly proclaim that this is a LUKS container and tell the encryption parameters, other than the key of course. You could hide that identification by using LUKS with a detached header stored elsewhere, or else set up the encryption without LUKS. For the latter, you will have to specify any non-default encryption parameters (cipher specification, hash method, key size, etc.) each time the container is unlocked.
 
Old 05-29-2022, 01:19 AM   #7
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 19,872
Blog Entries: 12

Rep: Reputation: 6053Reputation: 6053Reputation: 6053Reputation: 6053Reputation: 6053Reputation: 6053Reputation: 6053Reputation: 6053Reputation: 6053Reputation: 6053Reputation: 6053
Quote:
Originally Posted by Skaperen View Post
i want to do full disk encryption on a disk. here are some details:

1. the disk is /dev/sdc, not /dev/sda.
2. its passphrase will be entered manually.
3. i will be mounting it via the admin user (auto-logged-in, sudo authorized)
4. home directories for most users will be on it (not root or admin).
5. i may, some day, have container and/or virtual machine systems in some form on it.
6. there may be only one partition or there may be more than one.
7. it is intended to secure even the partition table and boot sector.
8. i may want to do other disks and memory sticks this way.
9. i want to use the simplest mechanism for encryption, even if it involves more work.

do i really need to use LVM, as every instruction page i have found online would have me do? to me, LVM is adding more work for the system to do. i am not counting the crypto that is being done as part of that work.

does anyone know of a non-LVM way to deploy full disk encryption that i will not be booting from? i am using Xubuntu 18.04.6 and later on 22.04 LTS (freshly installed onto a non-encrypted disk then upgraded as needed). there is no dual-booting on this system
This article outlines various scenarios, with - as far as I can see - full instructions.
Take your pick, make your choice.
 
3 members found this post helpful.
Old 05-29-2022, 02:13 AM   #8
zeebra
Senior Member
 
Registered: Dec 2011
Distribution: Slackware
Posts: 1,824
Blog Entries: 17

Rep: Reputation: 635Reputation: 635Reputation: 635Reputation: 635Reputation: 635Reputation: 635
Quote:
Originally Posted by ondoho View Post
This article outlines various scenarios, with - as far as I can see - full instructions.
Take your pick, make your choice.
I second that, it's an excellent article and covers pretty much any scenario or questions anyone might have.
 
Old 05-30-2022, 02:26 PM   #9
Skaperen
Senior Member
 
Registered: May 2009
Location: center of singularity
Distribution: Xubuntu, Ubuntu, Slackware, Amazon Linux, OpenBSD, LFS (on Sparc_32 and i386)
Posts: 2,678

Original Poster
Blog Entries: 31

Rep: Reputation: 176Reputation: 176
Quote:
Originally Posted by ondoho View Post
This article outlines various scenarios, with - as far as I can see - full instructions.
Take your pick, make your choice.
looks like some good reading to do. thanks for the link.
 
Old 05-30-2022, 02:36 PM   #10
Skaperen
Senior Member
 
Registered: May 2009
Location: center of singularity
Distribution: Xubuntu, Ubuntu, Slackware, Amazon Linux, OpenBSD, LFS (on Sparc_32 and i386)
Posts: 2,678

Original Poster
Blog Entries: 31

Rep: Reputation: 176Reputation: 176
Quote:
Originally Posted by rknichols View Post
If you encrypt the entire device and then partition the encrypted container, you will have to add an extra step, probably a call to kpartx, in the init scripts to scan that container for partitions.

If you use LUKS, the header on the device will proudly proclaim that this is a LUKS container and tell the encryption parameters, other than the key of course. You could hide that identification by using LUKS with a detached header stored elsewhere, or else set up the encryption without LUKS. For the latter, you will have to specify any non-default encryption parameters (cipher specification, hash method, key size, etc.) each time the container is unlocked.
for my case, it will be manually done when that encrypted device is needed. it will not be in init scripts. part of the intention is to make it look like an ordinary system booting up. it won't ask for the pass phrase until the script is run. that will happen manually. so kpartx can be in the "setupsdc" script.
 
Old 05-30-2022, 08:58 PM   #11
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: Rocky Linux
Posts: 4,770

Rep: Reputation: 2210Reputation: 2210Reputation: 2210Reputation: 2210Reputation: 2210Reputation: 2210Reputation: 2210Reputation: 2210Reputation: 2210Reputation: 2210Reputation: 2210
As long as you will be manually invoking some script to set up the access, there is almost no limit to how and how deeply you can arrange the various levels of abstraction. Right now I'm looking at
Code:
Physical drive
  +-Partition
    +-LVM Logical Volume
      +-Filesystem
        +-File 1 (rather large)
          +-Partition
            +-LVM Logical Volume
              +-LUKS encrypted container
                +-Filesystem
                  +-File 2
Seem strange? Not at all, when you consider that "File 1" is actually the storage volume for a virtual machine, which then "does its thing" with partitioning, LVM, encryption, etc. I don't normally try to access anything below the level of "File 1" from the host, but I certainly could (given that I know the encryption key, of course).

And, if that virtual machine were hosting VMs of its own, then the nesting would continue on, deeper and deeper.
 
Old 05-31-2022, 06:12 PM   #12
Skaperen
Senior Member
 
Registered: May 2009
Location: center of singularity
Distribution: Xubuntu, Ubuntu, Slackware, Amazon Linux, OpenBSD, LFS (on Sparc_32 and i386)
Posts: 2,678

Original Poster
Blog Entries: 31

Rep: Reputation: 176Reputation: 176
so it understands the filesystem used to distinguish File 1 and File 2? does it go through the kernel to do that? can that filesystem be concurrently mounted by the system level that has access to that image with the filesystem? can it use any filesystem type the kernel supports? can it do a collective RAID (randomly scattered pieces joined into one contiguous image)?

i'd prefer every byte on the entire drive look like total gibberish. maybe it would be better to have locations with actual filesystems be encrypted with a different key since those ready to crack the drive could be thinking "we know what LVM bytes look like. clue #1 to cracking her key."
 
Old 05-31-2022, 09:05 PM   #13
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: Rocky Linux
Posts: 4,770

Rep: Reputation: 2210Reputation: 2210Reputation: 2210Reputation: 2210Reputation: 2210Reputation: 2210Reputation: 2210Reputation: 2210Reputation: 2210Reputation: 2210Reputation: 2210
Quote:
Originally Posted by Skaperen View Post
so it understands the filesystem used to distinguish File 1 and File 2? does it go through the kernel to do that? can that filesystem be concurrently mounted by the system level that has access to that image with the filesystem? can it use any filesystem type the kernel supports? can it do a collective RAID (randomly scattered pieces joined into one contiguous image)?
File 1 and File 2 are on two separate filesystems. I'm not sure what you mean by "concurrently mounted," but no, the VM that uses File 1 as its virtual disk cannot be running if I want to mount that second filesystem from the host. This is just an example of how the layers can be nested. I'm not suggesting it as a solution to your problem.

At boot time, the physical drive is scanned for its partitions, the LVM logical volume is found, and the filesystem is mounted. Those first 4 levels all occur automtically -- it's normal boot behavior. If I want to look inside File 1 to find File 2, here's what I would do on the host:
Code:
# kpartx -av VM1raw.img 
add map loop0p1 (253:8): 0 2097152 linear /dev/loop0 2048
add map loop0p2 (253:9): 0 69580800 linear /dev/loop0 2099200
# vgscan
  Reading all physical volumes.  This may take a while...
  Found volume group "VM1vg" using metadata type lvm2
# vgchange -ay VM1vg
  1 logical volume(s) in volume group "VM1vg" now active
# lvs VM1vg
  LV     VG    Attr       LSize  Pool Origin Data%  Meta%  Move Log Cpy%Sync Convert
  vmroot VM1vg -wi-a----- 33.18g
# cryptsetup luksOpen /dev/VM1vg/vmroot xxx
Enter passphrase for /dev/VM1vg/vmroot: 
# mount /dev/mapper/xxx /mnt/tmp
# cat /mnt/tmp/"File 2"
This is the content of the test file
# umount /mnt/tmp
# cryptsetup luksClose xxx
# vgchange -an VM1vg
  0 logical volume(s) in volume group "VM1vg" now active
# kpartx -dv VM1raw.img
del devmap : loop0p2
del devmap : loop0p1
loop deleted : /dev/loop0
 
Old 06-01-2022, 01:40 AM   #14
Skaperen
Senior Member
 
Registered: May 2009
Location: center of singularity
Distribution: Xubuntu, Ubuntu, Slackware, Amazon Linux, OpenBSD, LFS (on Sparc_32 and i386)
Posts: 2,678

Original Poster
Blog Entries: 31

Rep: Reputation: 176Reputation: 176
/dev/sdc will not be listed in /etc/fstab to be mounted. it is not to be mounted at boot time. a hidden script will mount it with an obscure prompt for the encryption passphrase. so what happens at boot time does not matter much. it will just boot up a simple Xubuntu.
 
Old 06-01-2022, 03:40 PM   #15
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: Rocky Linux
Posts: 4,770

Rep: Reputation: 2210Reputation: 2210Reputation: 2210Reputation: 2210Reputation: 2210Reputation: 2210Reputation: 2210Reputation: 2210Reputation: 2210Reputation: 2210Reputation: 2210
Quote:
Originally Posted by Skaperen View Post
/dev/sdc will not be listed in /etc/fstab to be mounted. it is not to be mounted at boot time. a hidden script will mount it with an obscure prompt for the encryption passphrase. so what happens at boot time does not matter much. it will just boot up a simple Xubuntu.
That's fine. You can arrange the layers any way you wish.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] Volume Encryption or Full Disk Encryption with Veracrypt? lisamint Linux - Security 4 11-07-2019 08:43 AM
How to have luks encryption with keyfile OR passphrase (efi full disk encryption including boot)? byroncollege Linux - Security 2 03-30-2017 07:45 AM
Mint 18 Full disk encryption VS Veracrypt Full Disk encryption: Help a Noob Decide Please ! APeacefulRig Linux - Security 2 11-11-2016 08:10 AM
LXer: The state of manual LVM and full disk encryption configuration in Ubuntu’s Ubiquity LXer Syndicated Linux News 0 09-07-2012 02:20 PM
How secure LUKS/LVM disk encryption really is? <Ol>Origy Linux - Security 14 03-09-2009 12:09 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 05:23 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration