Best way forward for new encrypted laptop install?

If none of the more specific forums is the right place to ask

Best way forward for new encrypted laptop install?

Postby Lysander » 2020-01-16 10:57

I am working out what best to do with my laptop. I take this thing everywhere with me and I will be taking it abroad quite a bit over the next couple of years too.

I did an install of Debian 10 a few days ago and encrypted the whole hard drive. However, I have a few reservations now:

- the password I chose is just too long, it's a pain to type it in and I often get it wrong
- the installer doesn't give you an option for a backup password
- before entering the password on boot I get an error [which is inconsequential] that "volume group <host name>--vg not found, cannot process volume group <host name>--vg". I don't think this is anything to worry about at all since it appears to make no difference to anything but I'd still like it to go.

When doing the install I used the Debian non-free iso since the usual installer told me that non-free firmware was needed.

I have some data I would like to protect but I am thinking it may be better just to have a partition which is encrypted for this rather than the whole drive. If, for some reason, the password fails on boot I will get locked of the machine, would I not? Especially without a backup password.

In this situation what would be the best way forward? Leave the whole thing encrypted, reinstall with just one partition encrypted separate to /home or something else altogether?
User avatar
Lysander
 
Posts: 593
Joined: 2017-02-23 10:07
Location: London

Re: Best way forward for new encrypted laptop install?

Postby Chrisdb » 2020-01-16 12:05

I found the following very enlightening:
Code: Select all
Choosing a setup
Which disk encryption setup is appropriate for you will depend on your goals (please read #Why use encryption? above) and system parameters.

Among other things, you will need to answer the following questions:

What kind of "attacker" do you want to protect against?
Casual computer user snooping around your disk when your system is turned off, stolen, etc.
Professional cryptanalyst who can get repeated read/write access to your system before and after you use it
Anyone in between

What do you want to encrypt?
Only user data
User data and system data
Only confidential data, i.e. a subset of your data

How should swap, /tmp, etc. be taken care of?
Disable or mount as ramdisk
Encrypted swap
Swapfile as part of full disk encryption
Encrypt swap partition separately

How should encrypted parts of the disk be unlocked?
Passphrase
Same as login password
Different to login password
Keyfile (e.g. on a USB stick, that you keep in a safe place or carry around with yourself)
Both

When should encrypted parts of the disk be unlocked?
Before boot
During boot
At login
Manually on demand (after login)

How should multiple users be accommodated?
Not at all
Using a shared passphrase (or keyfile) known to every user
Independently issued and revocable passphrases (or keyfiles) for the same encrypted part of the disk
Separate encrypted parts of the disk for different users

Then you can go on to make the required technical choices (see #Available methods above, and #How the encryption works below), regarding:

stacked filesystem encryption vs. blockdevice encryption
key management
cipher and mode of operation
metadata storage
location of the "lower directory" (in case of stacked filesystem encryption)
Examples
In practice, it could turn out something like:

Example 1
Simple user data encryption (internal hard drive) using a virtual folder called ~/Private in the user's home directory encrypted with EncFS
encrypted versions of the files stored on-disk in ~/.Private
unlocked on demand with dedicated passphrase

Example 2
Partial system encryption with each user's home directory encrypted with ECryptfs
unlocked on respective user login, using login passphrase
swap and /tmp partitions encrypted with Dm-crypt with LUKS, using an automatically generated per-session throwaway key
indexing/caching of contents of /home by slocate (and similar apps) disabled.

Example 3
System encryption - whole hard drive except /boot partition (however, /boot can be encrypted with GRUB) encrypted with Dm-crypt with LUKS
unlocked during boot, using passphrases or USB stick with keyfiles
Maybe different passphrases/keys per user - independently revocable
Maybe encryption spanning multiple drives or partition layout flexibility with LUKS on LVM

Example 4
Hidden/plain system encryption - whole hard drive encrypted with plain dm-crypt
USB-boot, using dedicated passphrase plus USB stick with keyfile
data integrity checked before mounting
/boot partition located on aforementioned USB stick
Many other combinations are of course possible. You should carefully plan what kind of setup will be appropriate for your system.


It's from the arch WIKI: https://wiki.archlinux.org/index.php/Disk_encryption#Preparation
Chrisdb
 
Posts: 253
Joined: 2018-04-10 07:16

Re: Best way forward for new encrypted laptop install?

Postby arzgi » 2020-01-16 12:12

Note there are countries that require you to give the decryption password before letting in.

I'd write any sensitive data to usb-stick or sd-card, you can encrypt those as well, and would transport it separately from laptop (in pocket or smth).

And of course if data is valuable, you have backups, you probably knew this already.

My two cents.
arzgi
 
Posts: 533
Joined: 2008-02-21 17:03
Location: Finland

Re: Best way forward for new encrypted laptop install?

Postby p.H » 2020-01-16 12:25

Lysander wrote:I did an install of Debian 10 a few days ago and encrypted the whole hard drive.

The standard Debian installation with encryption does not encrypt all the drive : /boot is left unencrypted.

Lysander wrote:- the password I chose is just too long, it's a pain to type it in and I often get it wrong
- the installer doesn't give you an option for a backup password

You can change or add a passphrase anytime with cryptsetup.
Lysander wrote:- before entering the password on boot I get an error [which is inconsequential] that "volume group <host name>--vg not found, cannot process volume group <host name>--vg".

This message is normal. The initramfs is generic and tries to activate LVM logical volumes before unlocking encrypted volumes (useful if a logical volume contains an encrypted volume), and tries again after.

Lysander wrote:I have some data I would like to protect

Protect from what ? Loss and theft ? Or tampering ?
p.H
 
Posts: 1260
Joined: 2017-09-17 07:12

Re: Best way forward for new encrypted laptop install?

Postby Lysander » 2020-01-16 12:34

Chrisdb wrote:I found the following very enlightening:


That was very useful and gave me some important pointers to think about. I think I may go for option 1. I think the others just aren't relevant to my use-case. I hadn't heard of EncFS before, and that's something to consider if I don't want to encrypt a whole partition.

arzgi wrote:Note there are countries that require you to give the decryption password before letting in.


I didn't think of that. That may happen. Thanks for the idea.

arzgi wrote:I'd write any sensitive data to usb-stick or sd-card, you can encrypt those as well, and would transport it separately from laptop (in pocket or smth).


Already exists, but thank you. And yes, transporting it separately is a good idea.

p.H wrote:The standard Debian installation with encryption does not encrypt all the drive : /boot is left unencrypted.


p.H wrote:You can change or add a passphrase anytime with cryptsetup.


p.H wrote:This message is normal. The initramfs is generic and tries to activate LVM logical volumes before unlocking encrypted volumes (useful if a logical volume contains an encrypted volume), and tries again after.


Ah OK, I didn't know these things. Thank you.

p.H wrote:Protect from what ? Loss and theft ? Or tampering ?


Specifically the loss or theft of the machine. I also have my sensitive files backed up on a cloud.
User avatar
Lysander
 
Posts: 593
Joined: 2017-02-23 10:07
Location: London

Re: Best way forward for new encrypted laptop install?

Postby p.H » 2020-01-18 09:13

Then you do not need to encrypt the whole system.
p.H
 
Posts: 1260
Joined: 2017-09-17 07:12


Return to General Questions

Who is online

Users browsing this forum: No registered users and 11 guests

fashionable