11-22-2019, 01:57 PM
(11-14-2019, 06:39 AM)ninefathom Wrote:(09-27-2019, 02:29 PM)jpakkane Wrote: Has anyone looked into running the pbpro with full disk encryption? It works really nicely on x86, but since the whole boot mechanism is different, there is no guarantee it will work out of the box.
Thanks,
I'm currently using the Bionic images from @ayufan with the brand new fscrypt subsystem. It's file-based, like eCryptFS, but it is not a stacking filesystem; rather, it relies on native filesystem metadata. At the moment it's supported on ext4, F2FS, and UBIFS. The default kernel images from ayufan only have support baked in for F2FS, but that's fine since that's what I wanted to use anyway.
The point that some others have made about file-based encryption solutions being vulnerable to leakage is completely valid: things will occasionally escape into /var and /tmp. In my case I've decided that the significant added convenience (fscrypt is _very_ easy) is well worth the slightly increased risk (my typical usage behavior leaves the risk of the laptop being stolen or searched extremely low).
All of that said, it does look like ayufan's Bionic images also include baked-in kernel support for dm-crypt, avoiding the need for a custom kernel build there if you want to do full-disk encryption. In any event, if you do end up going the fscrypt route, in addition to the linked tutorial from Arch above (they always have wonderful online docs, don't they?) make sure you do the Ubuntu-specific pam_keyinit fix as mentioned here.
I wish that was enabled by default for ext4... I'm not going to bother to recompile. I guess I'll just use cryfs.
Matthew
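The two prerequisites the thread turns on, kernel support for fscrypt and the per-filesystem `encrypt` feature flag that ext4 needs (the thing Matthew wishes were on by default), can be checked before trying `fscrypt setup`. The following is an added example, not code posted by anyone in the thread or shipped with fscrypt or ayufan's images. It assumes e2fsprogs' `tune2fs` and a kernel config at `/proc/config.gz` or `/boot/config-$(uname -r)`; the `tune2fs -l` outputs embedded in it are constructed samples, and `/dev/mmcblk1p2` is a placeholder device path.

```sh
#!/bin/sh
# Added example: does this system have what fscrypt needs?
#  - kernel: CONFIG_FS_ENCRYPTION=y (older kernels used
#    CONFIG_EXT4_ENCRYPTION / CONFIG_F2FS_FS_ENCRYPTION instead)
#  - ext4 volume: the "encrypt" feature flag (tune2fs -O encrypt <dev>)
# F2FS gets the flag at mkfs time, so only the ext4 check is shown.

# Reads `tune2fs -l` output on stdin; succeeds if the
# "Filesystem features:" line lists the word "encrypt".
ext4_has_encrypt_feature() {
    awk '/^Filesystem features:/ {
             for (i = 3; i <= NF; i++) if ($i == "encrypt") found = 1
         }
         END { exit found ? 0 : 1 }'
}

# Reads kernel config text on stdin; succeeds if any of the
# fscrypt-enabling options is set to y.
kernel_has_fscrypt() {
    grep -q -e '^CONFIG_FS_ENCRYPTION=y' \
            -e '^CONFIG_EXT4_ENCRYPTION=y' \
            -e '^CONFIG_F2FS_FS_ENCRYPTION=y'
}

# Runs both checks against the live system for one block device
# and prints a short report. Needs root for tune2fs on most systems.
check_device() {
    dev=$1
    if [ -r /proc/config.gz ]; then
        cfg=$(zcat /proc/config.gz)
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cfg=$(cat "/boot/config-$(uname -r)")
    else
        cfg=""
    fi
    if printf '%s\n' "$cfg" | kernel_has_fscrypt; then
        echo "kernel: fscrypt support is built in"
    else
        echo "kernel: no fscrypt support found (or config not readable)"
    fi
    if tune2fs -l "$dev" 2>/dev/null | ext4_has_encrypt_feature; then
        echo "$dev: ext4 'encrypt' feature is enabled"
    else
        echo "$dev: ext4 'encrypt' feature missing (tune2fs -O encrypt $dev)"
    fi
}

# Constructed sample outputs (not captured from a real PinebookPro):
# a default ext4 volume, and the same volume after `tune2fs -O encrypt`.
SAMPLE_TUNE2FS_OFF='Filesystem volume name:   <none>
Filesystem features:      has_journal ext_attr dir_index filetype extent 64bit flex_bg sparse_super large_file huge_file dir_nlink extra_isize metadata_csum
Default mount options:    user_xattr acl'

SAMPLE_TUNE2FS_ON='Filesystem volume name:   <none>
Filesystem features:      has_journal ext_attr dir_index filetype extent 64bit flex_bg sparse_super large_file huge_file dir_nlink extra_isize metadata_csum encrypt
Default mount options:    user_xattr acl'

# Usage: sh fscrypt-ready.sh /dev/mmcblk1p2   (placeholder device path)
if [ "$#" -gt 0 ]; then
    check_device "$1"
fi
```

Run with no arguments the script only defines the functions; given a device it prints two lines, one per prerequisite. A missing kernel option cannot be fixed from userspace (that is the recompile Matthew is avoiding), while a missing `encrypt` flag can be added to an unmounted or mounted ext4 volume with `tune2fs -O encrypt` on a kernel that supports it.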