Page 2 of 3 FirstFirst 123 LastLast
Results 11 to 20 of 24

Thread: Full disk encryption--an explanation of exactly how does it work from the user's end?

  1. #11
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 18.04 Bionic Beaver

    Re: Full disk encryption--an explanation of exactly how does it work from the user's

    Quote Originally Posted by StewartM View Post
    And using LUKS I have to what? Re-partition the LVMS to accommodate a new user? Or resize a LVM if one user runs out of space while another user has plenty of space? And how exactly do you give different users different LVMs when everything is supposed to be under /home? I have looked at a good many tutorials and 'how-tos' to do full-disk encryption, and none of them I recall showing this.
    As TheFu mentioned everything is a file on Linux. You can create a 10GB file with dd and then turn it into a LUKS container via cryptsetup. It's not going to be as flexible as LVM but it's still possible.

    After you create the dd file, you can mount the luks container, format it as ext3/ext4 and then mount the file system as /home/$USERNAME.

    It isn't as easy to deal with, but it is still possible. If a user needs more space, you can either resize the image after unmounting it and then resize the file system after remounting it or do some lvm magic.

    There are other ways to accomplish the same thing with different encryption tools, but the only one I've really used is LUKS for block level encryption.

    Have a read through this page if you want more info on what is out there:
    https://wiki.archlinux.org/title/Dat...mparison_table

    I've used ext3 on all my systems for the past 14 years, since migrating to Linux from Windows, and I've never lost data, despite doing file wipes routinely. The only hard drives I've had fail was a new one from Dell that was so new that it couldn't have possibly been to disk wear (it was replaced under warranty a few months after I bought the computer) and a backup external one where the firmware, not the disk itself, failed. Wiping files on ext3 should mostly work, and plus I do it routinely for mostly everything, not just for sensitive files. I believe that no security system is perfect, but I also think that putting all your eggs into one basket (say, full-disk encryption with no ability to wipe individual files) is also a mistake.

    Since I've never lost data to file corruption using ext3, plus I can wipe files, I don't see the advantage of ext4.
    I was using ext3 for years up until I tried out ext4 and stuck with it.

    You can see some of the differences in the link below:
    https://www.thegeekstuff.com/2011/05/ext2-ext3-ext4/

    FWIW, I only really use ext4 for my /boot and root partitons nowadays. Everything else is running off ZFS, but I know that isn't for everyone as it is more complicated to set up and use.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  2. #12
    Join Date
    Aug 2007
    Location
    Kingsport TN
    Beans
    148
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Full disk encryption--an explanation of exactly how does it work from the user's

    TheFu,

    You've not failed. You'd made me aware of the possibilities with LUKS. However, there is no specific tutorial on how to proceed, You've spoken of a great many possibilities, and I don't doubt you at all, but the examples are sparse---Say, I've not seen a /home directory subdivided into multiple user partitions out of the box. What I got from the Linux vendor (which I've not set up yet, hence this post) is probably the generic full-disk encryption installation plus /home on a separate physical drive.

    So, what I'm thinking is the easiest and quickest way to get what and to get the new computer up and running is:

    1) Reformat the LUKS partition on the drive containing /home that they provided from ext4 to ext3. Ext3 is still a journaling system, but only journals the metadata by default, not the file contents, so file wiping is still an option. This should be doable using GParted, so it seems (maybe from a bootable DVD?) so this should be fairly straightforward and I can do this first. If what you say is correct, I don't need to change the filesystem of the physical drive containing home itself from ext4 to ext3, just the LUKS container, which you say is doable on the fly.

    The LUKS partition on the filesystem drive ( / ) can stay ext4 as that is a SSD M2 drive and wiping won't work anyway on an SSD.

    2) Install Encryptfs to produce the encrypted /home directory, save that now /home resides inside the LUKS /home partition. Using Encryptfs inside of/in addition to LUKS on the same system appears to be quite possible:

    https://unix.stackexchange.com/quest...-the-same-time

    This means that each user has separate encrypted folders without having to create additional LUKS partitions within the /home LUKS directory.

    This would also install encryptfs-swap. The documentation says "it detects any swap partitions or swap files" so hopefully that would work. That gives me another thing I want, an encrypted swap with a temporary key that is destroyed on shutdown and regenerated on boot (it will also be encrypted with the LUKS key of that partition but that is less relevant). As encryptfs-swap detects swap files, as well as swap partitions, this (hopefully) means on future installs I can jettison the arbitrary swap partitions created by the default Ubuntu distributions, which are hard to resize, and just create swap files.

    I next want to upgrade this laptop, so maybe I can try out that combo. But first, I have to get the new desktop up and running.

  3. #13
    Join Date
    Sep 2011
    Location
    Pennsylvania, U.S.A.
    Beans
    2,986
    Distro
    Ubuntu Development Release

    Re: Full disk encryption--an explanation of exactly how does it work from the user's

    As encryptfs-swap detects swap files, as well as swap partitions, this (hopefully) means on future installs I can jettison the arbitrary swap partitions created by the default Ubuntu distributions, which are hard to resize, and just create swap files.
    As far as I know, Ubuntu hasn't created swap partitions at install for some time, it creates swap files. I used one of the 'easy to use' encryption methods, I think it was encfs but I'm not certain. I became aware of a REALLY easy to exploit security issue - typing the letter "p" unlocked the encryption so stopped using it. Too bad, it was really easy to use. I don't know why the flaw couldn't be fixed. I'm a basic/casual user so not versed in the ins and outs of advanced topics like partition or disk encryption.

  4. #14
    Join Date
    Aug 2007
    Location
    Kingsport TN
    Beans
    148
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Full disk encryption--an explanation of exactly how does it work from the user's

    I used one of the 'easy to use' encryption methods, I think it was encfs but I'm not certain. I became aware of a REALLY easy to exploit security issue - typing the letter "p" unlocked the encryption so stopped using it.
    I've used ecrypt-swap-setup for years with no problems (and yes, I checked periodically).

    http://manpages.ubuntu.com/manpages/...up-swap.1.html

    https://superuser.com/questions/5760...wap-persistent

    Running ecryptfs-setup-swap makes permanent changes to /etc/fstab and /etc/crypttab that ensure your swap space is encrypted at every boot.

    A random key is generated and used to encrypt swap at each boot.

    The only exception to the above occurs if you add new swap files or swap partitions after you've run ecryptfs-setup-swap, as it only operates on the swap space present at that time.
    On my new desktop I set up over the past weekend, I also was able to run ecryptfs-setup-swap on my LUKS encrypted volume that held an encrypted swap (with a permanent, fixed, key, the same as used for the rest of the volume) and it replaced that with the random key generated at boot and destroyed on shutdown. Ecryptfs-setup-swap to me is clearly the superior solution. Some have reported bugs with ecryptfs-setup-swap, but I've never seen it and I suspect that at least some of these were related to hibernate/suspend usage. To me, for a desktop (or even a laptop) these are not important. I've used encryption long enough and was warned by almost all encryption programs to "disable hibernate/suspend!" so that not having these isn't an expectation nor a big deal.

    I was also able to run ecryptfs inside the LUKS LVM as well for my user accounts, which is also preferable as it provides an easier way to separate the encryption of user accounts from the system-wide encryption provided by the LUKS LVM (i.e., you don't have to block off various parts of the /home directory partition for various users and set up keys for each one; which can be a problem as various users' disk space requirements can vary drastically).

    And, I also found out it's trivial now to use GParted or other partition managers to open up LUKS containers and to change the filesystem type from there. I was able to change it from ext4 to ext3 for /home, as I had wanted. As I stated above, the loss of wiping abilities for ext4 (without the need to wipe the drive freespace periodically, which is time-consuming for large drives) plus the fact that I've never lost data to corruption with ext3 filesystems (and trust me, the power has gone out lots of times here!) doesn't justify ext4. Whatever gain in filesystem robustness with ext4 is minute compared to the loss of the ability to wipe data.
    Last edited by StewartM; July 14th, 2021 at 02:22 PM.

  5. #15
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Full disk encryption--an explanation of exactly how does it work from the user's

    Glad you found a solution which makes you happy enough.

    I've used LUKS on laptops that suspend nightly since 2016. My rule is suspend at home/work when only trusted people have access, but shutdown whenever I leave the building or the laptop is moving outside the building. If I'm walking on campus between buildings, I shutdown. My laptop is still suspended from last night, so I can't show the "uptime" it reports, but it has probably been 2 weeks, perhaps longer. LUKS and suspend are stable, at least on Intel CPUs that I've used.

    For disk space limitations, I'd use quotas.

    I have an automatic free-space weekly wipe job. It file system independent. It runs after daily backups, but before the automatic pm-standby, so I don't have to be involved or inconvenienced.

    How do you backup the encrypted files for users who aren't logged in? I ask because that was the main reason I stopped using directory-level encryption methods. Backups are more important to me than encryption. With LUKS, I can get all the data for all the users in the system backups whether they are logged in or not. I'm probably just displaying my ignorance.

  6. #16
    Join Date
    Aug 2007
    Location
    Kingsport TN
    Beans
    148
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Full disk encryption--an explanation of exactly how does it work from the user's

    I've used LUKS on laptops that suspend nightly since 2016.
    This is for a desktop, so suspends/hibernate isn't really as applicable. The technology may well have improved, I don't doubt that, but as someone who has been doing encryption since the 1990s the boilerplate warning was always "don't trust hibernate/suspend". So I'm just accustomed to disabling those up front.

    For disk space limitations, I'd use quotas.
    Hmm, as in % of the disk? I thought that block encryption by definition required setting up a fixed allocation per device (I know that LUKS containers can be expanded, and even shrunk, but what I've read in the tutorials was that there was always risk in that).

    How do you backup the encrypted files for users who aren't logged in?
    As most of the users who would be using this desktop would be in the category of "infrequent but recurrent" users, I leave the backups to them. I back up my own accounts to encrypted (Veracrypt) external hard drives. The users who would occasionally use my system would be a) not users who would require a lot of storage (for one in particular, the internet is mostly Facebook and Youtube); b) not security-conscious (they would ask for weak passphrases, and if enforced a stronger LUKS passphrase, they'd just write it down). I know I could create different LUKS keys for them, put they'd have weak passphrases for them, else I'd be constantly enabling and disabling LUKS keys for them so it would not be walk-up access. At least given the LUKS encryption system installation I was given.

    I don't doubt that, as you say, that you could get a LUKS system I would be happy with, it's just I've not seen any examples on the web. I had held on to Ubuntu 16.04 for a long time after seeing no options with the encrypted LUKS install of 18.04, thinking "in 20.04 they'll have options" but nope, none yet. You can't even do the simple things, like change the default swap space size nor put /home on a different drive/partition with the installation defaults. From my perspective, encrypted installs should be the default (there's really no reason why not, and especially for laptops--both Microsoft and Apple make encryption the default option) and thus as it is the default option it should have all the options in the GUI that a non-encrypted installation has.


    If you wanted to back up a directly-level Ecryptfs encryption for someone, you could simply copy-and-paste their entire encrypted directly--and their keys are in /home/.ecryptfs--though that would not be a backup that could be opened independently of a running Linux system. (Me, I don't back up my entire directory, just the user data; as if I do a complete install instead of an upgrade sometimes the configuration files in /home/user are incompatible with the new version of Linux and break things, so it's best to start out with new configuration files).

  7. #17
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Full disk encryption--an explanation of exactly how does it work from the user's

    Cough - way to bury the lead!!! 16 posts in and we are finally told this is a temporary purpose setup? Thanks.

    If it were me, I would encrypt and put the LUKS decryption key on the network for automatic boot. https://withblue.ink/2020/01/19/auto...-on-linux.html explains how. I've not done this. Basically, any disk on the correct network could be unlocked automatically, but off that network and it is fully encrypted. I have seen this implemented with RHEL and FreeIPA, but didn't dig into the implementation.

    Per-user quotas don't have anything to do with partition sizes, except setting a quota for a user larger than the partition wouldn't magically create storage.

    Is comparing $420B annual revenue Apple and $140B annual revenue MSFT to $0.120B annual revenue Canonical fair?
    Anyway, you've found a solution. Enjoy.
    Last edited by TheFu; July 17th, 2021 at 01:08 AM.

  8. #18
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 18.04 Bionic Beaver

    Re: Full disk encryption--an explanation of exactly how does it work from the user's

    Quote Originally Posted by StewartM View Post
    I don't doubt that, as you say, that you could get a LUKS system I would be happy with, it's just I've not seen any examples on the web. I had held on to Ubuntu 16.04 for a long time after seeing no options with the encrypted LUKS install of 18.04, thinking "in 20.04 they'll have options" but nope, none yet. You can't even do the simple things, like change the default swap space size nor put /home on a different drive/partition with the installation defaults. From my perspective, encrypted installs should be the default (there's really no reason why not, and especially for laptops--both Microsoft and Apple make encryption the default option) and thus as it is the default option it should have all the options in the GUI that a non-encrypted installation has.
    What are you going on about? You can do an encrypted root from the setup GUI if you really want to.

    If you want to do it automatically, you just need to select the "Advanced features" button under "Erase disk and install Ubuntu" and check the boxes for use LVM and encrypt the new installation for security. That stuffs everything for / on a single partition.

    automatic encrypted root.jpg

    If you want something more complicated, do it manually by selecting "Something else" instead of "Erase disk and install Ubuntu" and set up the efi, /boot and encrypted root partition from there by selecting the option for "physical volume for encryption" listed in the wizard.

    That option will create your LUKS container. You still need to create the ext4 file system and set it up as / and swap or /home or /tmp or however many partitions you want to have.

    create luks partition.PNG

    FWIW, Windows 10 doesn't do encryption by default during install. You have to enable Bitlocker after install and create your recovery key in order to enable it.

    I haven't used a Mac, so I can't comment on how they handle full disk encryption.
    Last edited by CharlesA; July 16th, 2021 at 11:42 PM. Reason: added windows stuff
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  9. #19
    Join Date
    Aug 2007
    Location
    Kingsport TN
    Beans
    148
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Full disk encryption--an explanation of exactly how does it work from the user's

    If you want something more complicated, do it manually by selecting "Something else" instead of "Erase disk and install Ubuntu" and set up the efi, /boot and encrypted root partition from there by selecting the option for "physical volume for encryption" listed in the wizard.

    That option will create your LUKS container. You still need to create the ext4 file system and set it up as / and swap or /home or /tmp or however many partitions you want to have.
    Hmm, I didn't do an Ubuntu install, but I did do a Bodhi install of the LTS release equivalent of 20.04 (which would be a downstream release) for a friend and tried the hard drive encryption and didn't see these options. Moreover, after a lot of searching I never saw any resource that described what you just posted (several things that had long pages of command line stuff, and I'm old school enough to follow the adage (which has been posted on the Ubuntu forums) is that "never copy and paste and execute command line commands you don't understand, due to the potential of executing malicious code"). And even these pages didn't have every option I wanted.

    What I did see while doing this install and searching for solutions (my friend's laptop had only 2 GB of RAM, which was why I was installing Bodhi and not Ubuntu, as it was below the recommended specs) was the people struggling with the default swap partition/file size issue. The default install gave me only 1 GB of swap for a laptop having 2 GB RAM, which seemed to me inadequate for a machine so limited; I would have voted for 4 GB swap, Lots of other people too thought it was inadequate, but from what you showed, it should be trivial to set up. But no one mentioned it or seemed to be aware of it.

    So the GUI options surely aren't advertised.

    Another thing that I find frustrating and backward (and is disappointing) is that the Linux distros I've tried still keep showing the users " ****** "s for their passphrases. All the standalone encryption software I've used of good repute (Scramdisk, TrueCrypt, Veracrypt, etc) now give the "show passphrase" option because they understand that showing the passphrase encourages users to create stronger passphrases while strings of ****'s lead them to use weaker passphrases. Now Windows 10 allows one to peek at what one typed in to encourage stronger passphrases; I don't know about Mac. But Linux still enforces the "*****"s. The reason I mention this is an IT friend of mine (who's a Linux user) says the "****"s are "the industry standard" but that can't be as Windows 10 now allows users to view their passphrases.

    IMHO, the history of ****s dates from terminal/mainframe days, when encryption wasn't used, and people used their girlfriend's or dog's name or whatnot to login, passphrases so weak that someone peeking over their shoulder might spot and use to hack the account. With encryption, passphrases that are generally equal to at least a 128-bit key that would resist a dictionary attack someone could not spot and memorize in a 3-second peak, unlike "Rover", so whatever security one would lose by this option would be more than offset by users generating and using stronger passphrases. I know that someone could set up a hidden camera to capture passphrases but someone with that kind of access would just install a keylogger on the machine to be compromised. So to me, there's no good reason not to allow them.

  10. #20
    Join Date
    Aug 2007
    Location
    Kingsport TN
    Beans
    148
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Full disk encryption--an explanation of exactly how does it work from the user's

    If you want something more complicated, do it manually by selecting "Something else" instead of "Erase disk and install Ubuntu" and set up the efi, /boot and encrypted root partition from there by selecting the option for "physical volume for encryption" listed in the wizard.

    That option will create your LUKS container. You still need to create the ext4 file system and set it up as / and swap or /home or /tmp or however many partitions you want to have.
    Hmm, I didn't do an Ubuntu install, but I did do a Bodhi install of the LTS release equivalent of 20.04 (which would be a downstream release) for a friend and tried the hard drive encryption and didn't see these options. Moreover, after a lot of searching I never saw any resource that described what you just posted (several things that had long pages of command line stuff, and I'm old school enough to follow the adage (which has been posted on the Ubuntu forums) is that "never copy and paste and execute command line commands you don't understand, due to the potential of executing malicious code"). And even these pages didn't have every option I wanted.

    What I did see while doing this install and searching for solutions (my friend's laptop had only 2 GB of RAM, which was why I was installing Bodhi and not Ubuntu, as it was below the recommended specs) was the people struggling with the default swap partition/file size issue. The default install gave me only 1 GB of swap for a laptop having 2 GB RAM, which seemed to me inadequate for a machine so limited; I would have voted for 4 GB swap, Lots of other people too thought it was inadequate, but from what you showed, it should be trivial to set up. But no one mentioned it or seemed to be aware of it.

    So the GUI options surely aren't advertised.

    Another thing that I find frustrating and backward (and is disappointing) is that the Linux distros I've tried still keep showing the users " ****** "s for their passphrases. All the standalone encryption software I've used of good repute (Scramdisk, TrueCrypt, Veracrypt, etc) now give the "show passphrase" option because they understand that showing the passphrase encourages users to create stronger passphrases while strings of ****'s lead them to use weaker passphrases. Now Windows 10 allows one to peek at what one typed in to encourage stronger passphrases; I don't know about Mac. But Linux still enforces the "*****"s. The reason I mention this is an IT friend of mine (who's a Linux user) says the "****"s are "the industry standard" but that can't be as Windows 10 now allows users to view their passphrases.

    IMHO, the history of ****s dates from terminal/mainframe days, when encryption wasn't used, and people used their girlfriend's or dog's name or whatnot to login, passphrases so weak that someone peeking over their shoulder might spot and use to hack the account. With encryption, passphrases that are generally equal to at least a 128-bit key that would resist a dictionary attack someone could not spot and memorize in a 3-second peak, unlike "Rover", so whatever security one would lose by this option would be more than offset by users generating and using stronger passphrases. I know that someone could set up a hidden camera to capture passphrases but someone with that kind of access would just install a keylogger on the machine to be compromised. So to me, there's no good reason not to allow them.

Page 2 of 3 FirstFirst 123 LastLast

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •