Encrypted disk
#11
(09-27-2019, 02:29 PM)jpakkane Wrote: Has anyone looked into running the pbpro with full disk encryption? It works really nicely on x86, but since the whole boot mechanism is different, there is no guarantee it will work out of the box.

Thanks,

I'm currently using the Bionic images from @ayufan with the brand new fscrypt subsystem.  It's file-based, like eCryptFS, but it is not a stacking filesystem - rather, it relies on native filesystem metadata.  At the moment it's supported on ext4, F2FS, and UBIFS.  The default kernel images from ayufan only have support baked in for F2FS, but that's fine since that's what I wanted to use anyway.

The point that some others have made about file-based encryption solutions being vulnerable to leakage is completely valid - things will occasionally escape into /var and /tmp.  In my case I've decided that the significant added convenience (fscrypt is _very_ easy) is well worth the slightly increased risk (my typical usage behavior leaves the risk of the laptop being stolen or searched extremely low).

All of that said, it does look like ayufan's Bionic images also include baked-in kernel support for dm-crypt, avoiding the need for a custom kernel build there if you want to do full-disk encryption.  In any event, if you do end up going the fscrypt route, in addition to the linked tutorial from Arch above (they always have wonderful online docs, don't they?) make sure you do the Ubuntu-specific pam_keyinit fix as mentioned here.
#12
(11-14-2019, 06:39 AM)ninefathom Wrote:
(09-27-2019, 02:29 PM)jpakkane Wrote: Has anyone looked into running the pbpro with full disk encryption? It works really nicely on x86, but since the whole boot mechanism is different, there is no guarantee it will work out of the box.

Thanks,

I'm currently using the Bionic images from @ayufan with the brand new fscrypt subsystem.  It's file-based, like eCryptFS, but it is not a stacking filesystem - rather, it relies on native filesystem metadata.  At the moment it's supported on ext4, F2FS, and UBIFS.  The default kernel images from ayufan only have support baked in for F2FS, but that's fine since that's what I wanted to use anyway.

The point that some others have made about file-based encryption solutions being vulnerable to leakage is completely valid - things will occasionally escape into /var and /tmp.  In my case I've decided that the significant added convenience (fscrypt is _very_ easy) is well worth the slightly increased risk (my typical usage behavior leaves the risk of the laptop being stolen or searched extremely low).

All of that said, it does look like ayufan's Bionic images also include baked-in kernel support for dm-crypt, avoiding the need for a custom kernel build there if you want to do full-disk encryption.  In any event, if you do end up going the fscrypt route, in addition to the linked tutorial from Arch above (they always have wonderful online docs, don't they?) make sure you do the Ubuntu-specific pam_keyinit fix as mentioned here.

I wish that was enabled by default for ext4...  I'm not going to bother to recompile.   I guess I'll just use cryfs.

Matthew
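
An added example, not part of either post and not taken from ayufan's images: a shell check of which encryption paths a kernel config actually enables, for the situation discussed above (fscrypt built in for F2FS but not ext4, dm-crypt available). The sample config is constructed; the option names are the upstream Kconfig symbols, assuming per-filesystem symbols on pre-5.1 kernels and a single CONFIG_FS_ENCRYPTION on later ones.

```shell
#!/bin/sh
# Constructed sample config, shaped like the kernel described in the thread.
SAMPLE_CONFIG='CONFIG_F2FS_FS=y
CONFIG_F2FS_FS_ENCRYPTION=y
CONFIG_FS_ENCRYPTION=y
CONFIG_EXT4_FS=y
# CONFIG_EXT4_ENCRYPTION is not set
CONFIG_DM_CRYPT=y'

# opt_state CONFIG_TEXT NAME -> y (built in), m (module) or n (absent / not set)
opt_state() {
    v=$(printf '%s\n' "$1" | sed -n "s/^CONFIG_$2=\([ym]\)\$/\1/p" | head -n 1)
    printf '%s\n' "${v:-n}"
}

# fs_enc_state CONFIG_TEXT FS_OPTION LEGACY_OPTION...
# Pre-5.1 kernels gate fscrypt per filesystem (the legacy options). On those,
# CONFIG_FS_ENCRYPTION=y alone proves nothing, because any one filesystem
# selects it. Later kernels use CONFIG_FS_ENCRYPTION for every built filesystem.
fs_enc_state() {
    cfg=$1; fs=$2; shift 2
    for o in "$@"; do
        # A legacy symbol that is mentioned at all (even "is not set") decides.
        if printf '%s\n' "$cfg" | grep -q "CONFIG_$o[= ]"; then
            opt_state "$cfg" "$o"; return
        fi
    done
    if [ "$(opt_state "$cfg" FS_ENCRYPTION)" = y ] &&
       [ "$(opt_state "$cfg" "$fs")" != n ]; then
        echo y
    else
        echo n
    fi
}

report() {
    echo "fscrypt f2fs:  $(fs_enc_state "$1" F2FS_FS F2FS_FS_ENCRYPTION)"
    echo "fscrypt ext4:  $(fs_enc_state "$1" EXT4_FS EXT4_ENCRYPTION EXT4_FS_ENCRYPTION)"
    echo "fscrypt ubifs: $(fs_enc_state "$1" UBIFS_FS UBIFS_FS_ENCRYPTION)"
    echo "dm-crypt:      $(opt_state "$1" DM_CRYPT)"
}

# Pass a config file as $1 (e.g. /boot/config-$(uname -r)); default is the sample.
if [ -r "${1:-}" ]; then CFG=$(cat "$1"); else CFG=$SAMPLE_CONFIG; fi
report "$CFG"
```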

