LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Software (https://www.linuxquestions.org/questions/linux-software-2/)
-   -   Ok to skip Erasing Data section of LUKS Encryption? (https://www.linuxquestions.org/questions/linux-software-2/ok-to-skip-erasing-data-section-of-luks-encryption-4175591653/)

linustalman 10-18-2016 08:41 AM
Ok to skip Erasing Data section of LUKS Encryption?
 
1 Attachment(s)
Hi.

I currently have LUKS encryption (boot and root partitions) on Linux Mint on my Desktop PC (has 2TB HDD). When I installed Debian with LUKS before on my laptop -- the Erasing Data part took hours for a 1TB HDD.
Is it ok to skip the Erasing Data section of LUKS Encryption if I install Debian with LUKS encryption over my current LUKS setup?

Thanks.

custangro 10-18-2016 11:58 AM
Depends how sensitive the data is on the disk. If you don't initialize the device (probably what "Erasing Data" does...that or writing it with random data) then the encryption layer is not as strong as it would normally be by doing this step.

Habitual 10-18-2016 12:32 PM
https://help.ubuntu.com/community/EncryptedFilesystems
Since it has to be formatted to implement LUKS, I suspect without this option selected, you won't have any encryption where you expect it.
And if you use the one that is there, you'd have to format it. Data Loss.

Got backup?

syg00 10-18-2016 06:11 PM
Read this recent thread.
To answer your initial question see post #10. For an interesting take on speeding up the process see post #5.

custangro 10-19-2016 10:51 PM
Quote:
Originally Posted by syg00 (Post 5619786)
Read this recent thread.
To answer your initial question see post #10. For an interesting take on speeding up the process see post #5.
Best sentence is...

Quote:
"if you're not _too_
concerned with the possibility of an FBI agent confiscating your computer,
you can skip this command:"

rknichols 10-20-2016 09:29 AM
Note that for the current case the partition was previously random-filled and LUKS encrypted. Once that old LUKS header is overwritten, that data all becomes undecypherable random garbage. If you are concerned that someone with a copy of the old LUKS header might crack its passphrase and use it to recover data remaining from the old filesystem, then you should fill the partition with random data again. Otherwise, don't bother.

linustalman 10-21-2016 08:54 AM
Quote:
Originally Posted by rknichols (Post 5620555)
Note that for the current case the partition was previously random-filled and LUKS encrypted. Once that old LUKS header is overwritten, that data all becomes undecypherable random garbage. If you are concerned that someone with a copy of the old LUKS header might crack its passphrase and use it to recover data remaining from the old filesystem, then you should fill the partition with random data again. Otherwise, don't bother.
Hi rknichols.

The answer that I wanted. ^_^

Just one thing -- what do you mean by 'a copy of the old LUKS header'? Could you elaborate on that?

Thanks.

rknichols 10-21-2016 09:11 AM
Each LUKS container normally** begins with a 1 to 2 megabyte LUKS header which contains all the encryption parameters and multiple copies of the master key, each copy encrypted by one of the up to 8 possible passphrases. Someone with such a header could, after cracking one of the passphrases, use it to decrypt any leftover information from the filesystem that was previously in that container. https://gitlab.com/cryptsetup/crypts...isk-format.pdf
**It is also possible to use a detached LUKS header that is stored elsewhere.

linustalman 10-21-2016 09:14 AM
@rknichols

I see.

BTW, I will use the same passphrase again for installing Debian + LUKS -- does this mean skipping the 'erase date' Debian installation step is still ok?

rknichols 10-21-2016 10:57 AM
Quote:
Originally Posted by LinusStallman (Post 5620982)
BTW, I will use the same passphrase again for installing Debian + LUKS -- does this mean skipping the 'erase date' Debian installation step is still ok?
The encryption is done with a random master key that is not related to your passphrase or keyfile. That old master key is gone with no possibility of recovery when the original header has been overwritten. The old data cannot be recovered.

John VV 10-21-2016 12:31 PM
also keep in mind WHO!!!! are you trying to stop ?
a normal everyday thief ?
or LEO's that might send it to the state law enforcement
OR the FBI/NSA/CIA/( fill in your clandestine government org. name)

linustalman 10-22-2016 02:01 PM
Quote:
Originally Posted by John VV (Post 5621071)
also keep in mind WHO!!!! are you trying to stop ?
a normal everyday thief ?
or LEO's that might send it to the state law enforcement
OR the FBI/NSA/CIA/( fill in your clandestine government org. name)
Hi John. Nobody in particular.

linustalman 10-22-2016 02:03 PM
It seems Ubuntu does not do the erase data step when installing with LUKS enabled.

I will heed the advice of rknichols.

Thanks all.


All times are GMT -5. The time now is 09:13 PM.