Re: What to encrypt and why (was: Using dm-crypt: whole disk encryption

On Mon, 22 Mar 2021 at 21:37, ken <gebser@xxxxxxxxxxxx> wrote:
On March 22, 2021 3:57:13 AM UTC, Arno Wagner <arno@xxxxxxxxxxx> wrote:
>To do that you need to boot from an external medium.
>FAQ Section 9 has some information on how to create an
>initrd for an external boot medium.
>
>Regards,
>Arno
>
>
>On Sun, Mar 21, 2021 at 17:13:16 CET, ken wrote:
>> A new laptop is on the way and I'm considering using dm-crypt to secure the whole SSD. I have some basic questions though.
>>
>> Is it possible to encrypt the entire drive, including all the system files?
>> _______________________________________________
>> dm-crypt mailing list -- dm-crypt@xxxxxxxx
>> To unsubscribe send an email to dm-crypt-leave@xxxxxxxx

Thanks for your reply and for the reference to the FAQ. I should have known that the latter probably existed.

While it probably is a very useful kind of configuration for some for a system to have to boot from an external medium, it doesn't sound like something that I want to do. I guess I've been misled by my previous experience with dm-crypt.

It must have been about 20 years ago that I set up and for a couple years used an encrypted system. That system would boot as systems normally do, and I was prompted for a password somewhere along the boot process prior to having to enter my user password. I didn't need an external medium at all. And very recently I very briefly tried out Fedora 33 and clicked a checkbox for disk encryption during the install process, and the boot process was essentially the same, that is, the system would boot, then it would require a password for disk decryption before I could log in. Again, no external medium was required. Your answer, though, was the right one, given my imprecise question.

This brings up larger, but pre-technical questions: what is appropriate to encrypt and why? Given your reply, it seems safe to assume that it's possible to encrypt the boot partition of a system. It's quite possible that I'm missing some reason to do this, but I can't see it. However, I'm not at all conversant with the newer UEFI boot processes, so perhaps there's something to learn there.

Reasons for encrypting the OS are more apparent, so I'm fairly certain that would be advisable. I can imagine a sound rationale for encrypting just one part of a person's home directory, but for me the entire /home partition is the absolute minimum.

KVM throws another layer of possible confusion into the mix. At the moment I'm considering encrypting the entire (host) OS and /home partition, and with those all the guest systems, because this seems like the simplest way to go. However, I could be convinced against that plan if I find that performance would be too adversely affected, or for some other possible issues I'm not even aware of. Or maybe it wouldn't be simple at all to do what I'm planning. I don't know at this point.

One specific question I have comes out of the FAQ: What is meant by a container? I'm fairly certain that it could be an entire partition. Anything else? Could one container be comprised of two or more partitions? Can two or more virtual machines constitute one container if they are all on the same partition or within the same logical volume?

Sorry for the long post. If you're looking for more fodder for the FAQ, I obviously have plenty of that.  :)



Did you see my detailed reply to your previous post? It explains the exact boot process you want (being asked for a password at boot).

As for whether to use UEFI boot or not: Yes. Use it. It's way more robust than MBR boot methods. Don't be afraid to research what systemd-boot is, if you want to know. Or just enable UEFI in your BIOS (it's most likely on by default on your new laptop) and just install the OS and it'll automatically use UEFI.

As for what to encrypt:

/boot/efi = No. It must be unencrypted to be able to boot. But it only contains your bootloader, kernel and initramfs which is what sets up the decryption environment.

/ (root) = Yes. All of it will be encrypted with your passphrase.

As for having a separate /home partition: Don't bother. It makes no sense at all and just creates hassle when you inevitably run out of space in either / or /home. There are no benefits to a separate home directory. None. People think it makes OS reinstalls or distro hopping easier. Nope it doesn't. If you have a unified partition, you simply have to boot any random liveCD and delete everything except the /home folder, and then install your OS on the same partition without formatting it, and voila you've kept /home without tediously separating it.

If you wanna check out the distro I recommended in the longer answer about full disk encryption, you even have a "Refresh Install" feature in the installer, which deletes everything except /home and reinstalls the OS. That's another fantastically easy option. :-)


-- Johnny