Ok to skip Erasing Data section of LUKS Encryption?
Hi.
I currently have LUKS encryption (boot and root partitions) on Linux Mint on my Desktop PC (has 2TB HDD). When I installed Debian with LUKS before on my laptop -- the Erasing Data part took hours for a 1TB HDD. Is it ok to skip the Erasing Data section of LUKS Encryption if I install Debian with LUKS encryption over my current LUKS setup? Thanks. |
Depends how sensitive the data is on the disk. If you don't initialize the device (probably what "Erasing Data" does...that or writing it with random data) then the encryption layer is not as strong as it would normally be by doing this step.
|
https://help.ubuntu.com/community/EncryptedFilesystems
Since it has to be formatted to implement LUKS, I suspect without this option selected, you won't have any encryption where you expect it. And if you use the one that is there, you'd have to format it. Data Loss. Got backup? |
Read this recent thread.
To answer your initial question see post #10. For an interesting take on speeding up the process see post #5. |
Note that for the current case the partition was previously random-filled and LUKS encrypted. Once that old LUKS header is overwritten, that data all becomes undecipherable random garbage. If you are concerned that someone with a copy of the old LUKS header might crack its passphrase and use it to recover data remaining from the old filesystem, then you should fill the partition with random data again. Otherwise, don't bother.
|
The answer that I wanted. ^_^ Just one thing -- what do you mean by 'a copy of the old LUKS header'? Could you elaborate on that? Thanks. |
Each LUKS container normally** begins with a 1 to 2 megabyte LUKS header which contains all the encryption parameters and multiple copies of the master key, each copy encrypted by one of the up to 8 possible passphrases. Someone with such a header could, after cracking one of the passphrases, use it to decrypt any leftover information from the filesystem that was previously in that container. https://gitlab.com/cryptsetup/crypts...isk-format.pdf
**It is also possible to use a detached LUKS header that is stored elsewhere. |
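The header layout described in the post above can be inspected directly. The following is an added example, not part of the original thread: a small parser for the LUKS1 on-disk header that reports the cipher, the size of the header region, and which of the 8 keyslots are active. It assumes the LUKS1 format; the sample header is constructed for the demonstration and the function names are hypothetical.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD  # LUKS1 keyslot state markers
SECTOR = 512

# LUKS1 header, big-endian: magic, version, cipher name, cipher mode, hash spec,
# payload offset (sectors), key bytes, MK digest, digest salt, digest iterations, UUID.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")  # 208 bytes
SLOT = struct.Struct(">II32sII")  # state, iterations, salt, key-material offset, stripes


def _text(field):
    """Decode a NUL-padded ASCII header field."""
    return field.rstrip(b"\0").decode("ascii")


def parse_luks1_header(buf):
    """Summarise a LUKS1 header: cipher, header-region size, active keyslots."""
    if len(buf) < PHDR.size + 8 * SLOT.size:
        raise ValueError("buffer is shorter than a LUKS1 header (592 bytes)")
    magic, version, name, mode, _hash, payload, key_bytes, *_ = PHDR.unpack_from(buf)
    if magic != LUKS_MAGIC or version != 1:
        raise ValueError("not a LUKS1 header")
    active = []
    for i in range(8):
        state, iters, _salt, km_off, _stripes = SLOT.unpack_from(buf, PHDR.size + i * SLOT.size)
        if state == SLOT_ENABLED:
            active.append({"slot": i, "iterations": iters, "km_offset": km_off * SECTOR})
    return {
        "cipher": _text(name) + "-" + _text(mode),
        "key_bits": key_bytes * 8,
        "header_bytes": payload * SECTOR,  # header + key material end where the payload starts
        "active_slots": active,
    }


def build_sample_header():
    """Constructed sample, not from a real disk: 512-bit key, slots 0 and 1 active."""
    hdr = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256", 4096, 64,
                    bytes(20), bytes(32), 100000, b"00000000-0000-0000-0000-000000000000")
    for i in range(8):
        state = SLOT_ENABLED if i < 2 else SLOT_DISABLED
        hdr += SLOT.pack(state, 200000, bytes(32), 8 + i * 512, 4000)
    return hdr


if __name__ == "__main__":
    print(parse_luks1_header(build_sample_header()))
```

The `header_bytes` value is the region that holds the encrypted master-key copies; for the constructed sample it is 2 MiB. On a live system `cryptsetup luksDump` reports the same fields.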
@rknichols
I see. BTW, I will use the same passphrase again for installing Debian + LUKS -- does this mean skipping the 'erase data' Debian installation step is still ok? |
Also keep in mind WHO!!!! are you trying to stop?
A normal everyday thief? Or LEOs that might send it to the state law enforcement OR the FBI/NSA/CIA/(fill in your clandestine government org. name) |
It seems Ubuntu does not do the erase data step when installing with LUKS enabled.
I will heed the advice of rknichols. Thanks all. |