Old 10-18-2016, 08:41 AM   #1
linustalman
Senior Member
 
Registered: Mar 2010
Location: Ireland
Distribution: Debian 11 (Bullseye) x64
Posts: 4,728

Ok to skip Erasing Data section of LUKS Encryption?


Hi.

I currently have LUKS encryption (boot and root partitions) on Linux Mint on my Desktop PC (has 2TB HDD). When I installed Debian with LUKS before on my laptop -- the Erasing Data part took hours for a 1TB HDD.
Is it ok to skip the Erasing Data section of LUKS Encryption if I install Debian with LUKS encryption over my current LUKS setup?

Thanks.
 
Old 10-18-2016, 11:58 AM   #2
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , RHEL
Posts: 1,978
Blog Entries: 1

Depends how sensitive the data is on the disk. If you don't initialize the device (probably what "Erasing Data" does...that or writing it with random data) then the encryption layer is not as strong as it would normally be by doing this step.
 
Old 10-18-2016, 12:32 PM   #3
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

https://help.ubuntu.com/community/EncryptedFilesystems
Since it has to be formatted to implement LUKS, I suspect without this option selected, you won't have any encryption where you expect it.
And if you use the one that is there, you'd have to format it. Data Loss.

Got backup?

Last edited by Habitual; 10-18-2016 at 12:38 PM.
 
Old 10-18-2016, 06:11 PM   #4
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 19,973

Read this recent thread.
To answer your initial question see post #10. For an interesting take on speeding up the process see post #5.
 
Old 10-19-2016, 10:51 PM   #5
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , RHEL
Posts: 1,978
Blog Entries: 1

Quote:
Originally Posted by syg00 View Post
Read this recent thread.
To answer your initial question see post #10. For an interesting take on speeding up the process see post #5.
Best sentence is...

Quote:
"if you're not _too_
concerned with the possibility of an FBI agent confiscating your computer,
you can skip this command:"
 
Old 10-20-2016, 09:29 AM   #6
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: CentOS
Posts: 4,567

Note that for the current case the partition was previously random-filled and LUKS encrypted. Once that old LUKS header is overwritten, that data all becomes undecipherable random garbage. If you are concerned that someone with a copy of the old LUKS header might crack its passphrase and use it to recover data remaining from the old filesystem, then you should fill the partition with random data again. Otherwise, don't bother.
 
1 members found this post helpful.
Old 10-21-2016, 08:54 AM   #7
linustalman
Senior Member
 
Registered: Mar 2010
Location: Ireland
Distribution: Debian 11 (Bullseye) x64
Posts: 4,728

Original Poster
Quote:
Originally Posted by rknichols View Post
Note that for the current case the partition was previously random-filled and LUKS encrypted. Once that old LUKS header is overwritten, that data all becomes undecipherable random garbage. If you are concerned that someone with a copy of the old LUKS header might crack its passphrase and use it to recover data remaining from the old filesystem, then you should fill the partition with random data again. Otherwise, don't bother.
Hi rknichols.

The answer that I wanted. ^_^

Just one thing -- what do you mean by 'a copy of the old LUKS header'? Could you elaborate on that?

Thanks.
 
Old 10-21-2016, 09:11 AM   #8
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: CentOS
Posts: 4,567

Each LUKS container normally** begins with a 1 to 2 megabyte LUKS header which contains all the encryption parameters and multiple copies of the master key, each copy encrypted by one of the up to 8 possible passphrases. Someone with such a header could, after cracking one of the passphrases, use it to decrypt any leftover information from the filesystem that was previously in that container. https://gitlab.com/cryptsetup/crypts...isk-format.pdf
**It is also possible to use a detached LUKS header that is stored elsewhere.
 
Old 10-21-2016, 09:14 AM   #9
linustalman
Senior Member
 
Registered: Mar 2010
Location: Ireland
Distribution: Debian 11 (Bullseye) x64
Posts: 4,728

Original Poster
@rknichols

I see.

BTW, I will use the same passphrase again for installing Debian + LUKS -- does this mean skipping the 'erase data' Debian installation step is still ok?
 
Old 10-21-2016, 10:57 AM   #10
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: CentOS
Posts: 4,567

Quote:
Originally Posted by LinusStallman View Post
BTW, I will use the same passphrase again for installing Debian + LUKS -- does this mean skipping the 'erase data' Debian installation step is still ok?
The encryption is done with a random master key that is not related to your passphrase or keyfile. That old master key is gone with no possibility of recovery when the original header has been overwritten. The old data cannot be recovered.
 
1 members found this post helpful.
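
An added example, not part of any post in this thread and not cryptsetup code: a simplified Python model of the key handling described in posts #6, #8 and #10, showing that reformatting with the same passphrase yields a different master key, and that old ciphertext is readable only through a surviving copy of the old header. The function names, the single key slot, and the HMAC-based keystream (standing in for the real cipher and for LUKS's anti-forensic splitter) are assumptions made for illustration.

```python
import hashlib, hmac, os

def keystream(key: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for the real cipher (e.g. aes-xts)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def xor(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) with the stand-in keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def luks_format(passphrase: bytes, iters: int = 1000) -> dict:
    """Create a toy header: a fresh random master key wrapped in one key slot."""
    mk = os.urandom(32)  # master key is random, never derived from the passphrase
    slot_salt, digest_salt = os.urandom(32), os.urandom(32)
    slot_key = hashlib.pbkdf2_hmac("sha1", passphrase, slot_salt, iters, 32)
    return {
        "iters": iters,
        "slot_salt": slot_salt,
        "slot_material": xor(slot_key, mk),  # wrapped copy of the master key
        "digest_salt": digest_salt,
        "mk_digest": hashlib.pbkdf2_hmac("sha1", mk, digest_salt, iters, 20),
    }

def luks_open(header: dict, passphrase: bytes):
    """Return the master key if the passphrase unlocks the slot, else None."""
    slot_key = hashlib.pbkdf2_hmac("sha1", passphrase, header["slot_salt"],
                                   header["iters"], 32)
    candidate = xor(slot_key, header["slot_material"])
    digest = hashlib.pbkdf2_hmac("sha1", candidate, header["digest_salt"],
                                 header["iters"], 20)
    return candidate if hmac.compare_digest(digest, header["mk_digest"]) else None

def demo() -> dict:
    passphrase = b"same passphrase both times"   # constructed sample value
    old_header = luks_format(passphrase)
    old_mk = luks_open(old_header, passphrase)
    old_sector = xor(old_mk, b"old filesystem data")  # leftover ciphertext on disk
    new_header = luks_format(passphrase)          # reinstall overwrites the header
    new_mk = luks_open(new_header, passphrase)
    return {
        "keys_differ": old_mk != new_mk,
        "via_new_header": xor(new_mk, old_sector),       # garbage
        "via_old_header_copy": xor(old_mk, old_sector),  # recoverable plaintext
        "wrong_passphrase": luks_open(old_header, b"guess"),
    }

if __name__ == "__main__":
    print(demo())
```
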
Old 10-21-2016, 12:31 PM   #11
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,531

also keep in mind WHO!!!! are you trying to stop ?
a normal everyday thief ?
or LEO's that might send it to the state law enforcement
OR the FBI/NSA/CIA/( fill in your clandestine government org. name)
 
Old 10-22-2016, 02:01 PM   #12
linustalman
Senior Member
 
Registered: Mar 2010
Location: Ireland
Distribution: Debian 11 (Bullseye) x64
Posts: 4,728

Original Poster
Quote:
Originally Posted by John VV View Post
also keep in mind WHO!!!! are you trying to stop ?
a normal everyday thief ?
or LEO's that might send it to the state law enforcement
OR the FBI/NSA/CIA/( fill in your clandestine government org. name)
Hi John. Nobody in particular.
 
Old 10-22-2016, 02:03 PM   #13
linustalman
Senior Member
 
Registered: Mar 2010
Location: Ireland
Distribution: Debian 11 (Bullseye) x64
Posts: 4,728

Original Poster
It seems Ubuntu does not do the erase data step when installing with LUKS enabled.

I will heed the advice of rknichols.

Thanks all.
 
  

