LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 07-30-2019, 12:23 PM   #1
jones5
Member
 
Registered: Mar 2015
Distribution: Peppermint
Posts: 98

Rep: Reputation: 1
Encryption of OS, part of it or none?


Hello,

I am fairly new to Linux.

I am considering encryption of some of my drives: usbs, 'd'drive etc seems straightforward.

However, having read briefly that some do not recommend encryption of whole drives or OS due to slowness or possibility of errors I am wondering if it is worth securing the OS or 'c'drive. (I have linux on a USB and windows on 'c' drive).

Apart from browser history and bookmarks etc what are the files/folders that would be worth encryption on the OS or 'c'drive? and would encrypting part of those drives cause any operating problems?
 
Old 07-30-2019, 01:18 PM   #2
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 13,071

Rep: Reputation: 4133Reputation: 4133Reputation: 4133Reputation: 4133Reputation: 4133Reputation: 4133Reputation: 4133Reputation: 4133Reputation: 4133Reputation: 4133Reputation: 4133
you can download a lot of different distros, why do you want to encrypt it? You only need to save your personal data (and probably some configuration). That's why you can/need to put all the sensitive data onto an encrypted drive.
 
Old 07-30-2019, 04:01 PM   #3
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.6
Posts: 3,778

Rep: Reputation: 1263Reputation: 1263Reputation: 1263Reputation: 1263Reputation: 1263Reputation: 1263Reputation: 1263Reputation: 1263Reputation: 1263
In my experience, the chief reason for encryption is to protect data in case of loss.
Encrypted thumb drives are available off-the-shelf.

At my last job, all PCs were laptops. When we were issued a new one, the IT folks made sure all our data got moved over and all the software was loaded and configured (these were Windows 7 laptops), and then they started the whole-disk encryption process, which typically took 24-36 hours. We weren't allowed to take the laptops off the premises until that process was complete. There were no obvious issues in performance once the encryption was completed...things were impacted during the encryption process, but that was a one-time thing.

One could be dismissed if caught using a non-encrypted and passworded thumb drive.

Is your 'puter a laptop?
 
Old 07-30-2019, 05:00 PM   #4
dugan
LQ Guru
 
Registered: Nov 2003
Location: Canada
Distribution: distro hopper
Posts: 9,147

Rep: Reputation: 3969Reputation: 3969Reputation: 3969Reputation: 3969Reputation: 3969Reputation: 3969Reputation: 3969Reputation: 3969Reputation: 3969Reputation: 3969Reputation: 3969
Have you looked into VeraCrypt?
 
Old 07-30-2019, 07:36 PM   #5
LU344928
LQ Newbie
 
Registered: Jan 2019
Distribution: Fedora, MX Linux, PCLinuxOS
Posts: 24

Rep: Reputation: Disabled
Veracrypt will only encrypt the OS on Windows not Linux. But the possibility of using containers/partitions/devices should be enough for most users' needs.
 
Old 07-30-2019, 08:13 PM   #6
evo2
LQ Guru
 
Registered: Jan 2009
Location: Japan
Distribution: Mostly Debian and CentOS
Posts: 6,002

Rep: Reputation: 1389Reputation: 1389Reputation: 1389Reputation: 1389Reputation: 1389Reputation: 1389Reputation: 1389Reputation: 1389Reputation: 1389Reputation: 1389
Hi,

on my laptops (all Debian) all file systems except for /boot are encrypted. It's just a matter of selecting the option at install time. From what I've read the overhead is minimal. If you have a separate /home partition, you may prefer to encrypt only that.

Evo2.
 
Old 07-30-2019, 08:35 PM   #7
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 18,129

Rep: Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924
What is your attack scenerio - what are you trying to protect against ?.
Encrypting the O/S is pointless IMHO. I always have a separate /home partition - the encrypted /home offered by Ubuntu derivatives I find too limited, but plenty use it. Simpler to encrypt the entire partition as implied/stated above.
Always consider how you will recover your data - maybe on a system you don't own ...
 
1 members found this post helpful.
Old 07-31-2019, 07:43 AM   #8
jones5
Member
 
Registered: Mar 2015
Distribution: Peppermint
Posts: 98

Original Poster
Rep: Reputation: 1
Thanks for the replies.

I am dealing with a Laptop for now.

I have looked at Veracrypt. I did not know it only encrypted Windows OS not Linux. I can see I can still use it for folders/partitions.

One question is about the OS. I know most personal stuff is stored in /home. But are there other on folders/files on the OS such as Bookmarks and Browser History that should be encrypted? How would I do that?

As a matter of course I keep larger personal files on my D drive which can be accessed by my Linux OS which I have installed on a usb.

I tried to encrypt when installing the OS - but installing under 'something else' seemed to grey out the encryption option

I will encrypt the /home folder - this is on my usb (all under /root). I know I could have it separate but for simplicity I installed the whole file system under /root.

Do users of veracrypt tend to have problems when opening encrypted folders. I think I read many have to resort to a recovery key on a external usb?

The attack could be physical (ie someone taking the USB or Laptop) or could be an intrusion via the web. Both theoretical as I have sole use and I do not use in public or outside.

I would recover either on my own existing OS or a fresh install on another usb of my own.
 
Old 07-31-2019, 08:51 AM   #9
LU344928
LQ Newbie
 
Registered: Jan 2019
Distribution: Fedora, MX Linux, PCLinuxOS
Posts: 24

Rep: Reputation: Disabled
Quote:
Originally Posted by jones5 View Post

Do users of veracrypt tend to have problems when opening encrypted folders.

I think I read many have to resort to a recovery key on a external usb?
It's recommended to make a backup of the header in case of any problems regardless of where the volume is hosted. Volumes hosted on usb devices do not present any more risk than those hosted elsewhere.


See here for more info:

https://www.veracrypt.fr/en/FAQ.html

https://www.veracrypt.fr/en/Documentation.html
 
1 members found this post helpful.
Old 07-31-2019, 04:59 PM   #10
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 18,129

Rep: Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924Reputation: 2924
Bookmarks and such are stored in hidden directories under /home. If you encrypt that, everything that matters will be taken care of. Well worthwhile for a laptop.
If you use hibernation/suspend, make sure you are set up to always require a password to resume - what if the laptop gets stolen whilst suspended ?. And encrypting data provides no protection against on-line attacks - when mounted (i.e. when you are logged in) the data are unencrypted. So it is merely part of the solution, not the be-all-and-end-all.
 
1 members found this post helpful.
Old 08-01-2019, 06:08 AM   #11
jones5
Member
 
Registered: Mar 2015
Distribution: Peppermint
Posts: 98

Original Poster
Rep: Reputation: 1
Quote:
Originally Posted by LU344928 View Post
It's recommended to make a backup of the header in case of any problems regardless of where the volume is hosted. Volumes hosted on usb devices do not present any more risk than those hosted elsewhere.


See here for more info:

https://www.veracrypt.fr/en/FAQ.html

https://www.veracrypt.fr/en/Documentation.html
Thanks - Useful info.
 
Old 08-01-2019, 06:10 AM   #12
jones5
Member
 
Registered: Mar 2015
Distribution: Peppermint
Posts: 98

Original Poster
Rep: Reputation: 1
Quote:
Originally Posted by syg00 View Post
Bookmarks and such are stored in hidden directories under /home. If you encrypt that, everything that matters will be taken care of. Well worthwhile for a laptop.
If you use hibernation/suspend, make sure you are set up to always require a password to resume - what if the laptop gets stolen whilst suspended ?. And encrypting data provides no protection against on-line attacks - when mounted (i.e. when you are logged in) the data are unencrypted. So it is merely part of the solution, not the be-all-and-end-all.
Thanks for the pointer about bookmarks etc and helpful advice on security in general.
 
Old 08-10-2019, 06:43 AM   #13
jones5
Member
 
Registered: Mar 2015
Distribution: Peppermint
Posts: 98

Original Poster
Rep: Reputation: 1
Is it possible to encrypt a current /home partition (including existing data inside) using veracrypt or other encryption methods. How is this done?
 
Old 08-10-2019, 11:00 AM   #14
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: CentOS
Posts: 4,298

Rep: Reputation: 1957Reputation: 1957Reputation: 1957Reputation: 1957Reputation: 1957Reputation: 1957Reputation: 1957Reputation: 1957Reputation: 1957Reputation: 1957Reputation: 1957
It is possible with cryptsetup-reencrypt, but it's an inherently dangerous operation not resistant to hardware or kernel failures during the process (make a backup first), and you need to be able to shrink the filesystem enough to make room for the ~2MB LUKS header at the start of the partition. I believe that recent versions of the cryptsetup package include the cryptsetup-reencrypt tool. (Formerly, you had to download the source for that package and build that tool yourself.)
 
Old 08-16-2019, 02:48 AM   #15
phil.d.g
Senior Member
 
Registered: Oct 2004
Posts: 1,255

Rep: Reputation: 130Reputation: 130
If you've decided you need to protect your data with encryption, then in my opinion encrypting /home isn't sufficient. You need to also encrypt /var, /tmp (unless its tmpfs), possibly /etc depending on the contents of your system configuration and how sensitive that is and your swap partition, and anywhere else the software you use could store temporary information or meta data about your data. You also shouldn't leave your machine unattended whilst its turned on or sleeping.

The overhead incurred by encrypting the entire drive save /boot, in my opinion is a small sacrifice for the peace of mind that the computer won't write information that I want protected to somewhere not encrypted.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
What's none means in command mount -t usbfs none /proc/bus/usb ? viktor2000 Linux - Newbie 1 08-30-2012 07:53 AM
redhat 6 gpg2 none gui encryption Xris718 Linux - Security 2 06-15-2012 10:56 AM
How to grep *.info;mail.none;authpriv.none;cron.none; in /etc/syslog.conf sharadchhetri Linux - Server 9 01-06-2012 02:55 PM
Linux password encryption and data encryption Tux-Slack Programming 4 06-20-2007 06:46 AM
Mandrake 9.0 Wireless Works without encryption.. does not with encryption topcat Linux - Wireless Networking 3 05-04-2003 08:47 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 04:24 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration