I’ve recently installed Manjaro KDE on a new laptop of mine (Ideapad 5 14ARE05 with a Ryzen 4600U, 16GB RAM, 512 GB SSD).
As I’m going to use the laptop for occasional traveling, I want to keep my personal data safe in case of theft of loss.
Therefore, I would like to use full disk encryption and thus choose the respective setting during installation of Manjaro through the normal graphical installer from the live system.
What I did notice right at first boot was that the unlock prompt
- is rather, say, spartanic and more importantly
- it’s pretty slow to actually unlock and start the proper boot process.
I’m comparing to Linux Mint, which I had installed on my previous laptop with full disk encryption.
The old laptop had far less capable hardware (old i3 3110M), so I would exclude the possibility that my hardware is too slow.
In comparison, the old laptop would unlock much faster and finish the boot quicker. The unlock prompt was also using a graphical representation instead of a simple text console.
Reading around a little bit, it seems to me that the issue might be with grub2 not supporting some related hardware instruction sets and the way the installer is doing the full-disk encryption, including the /boot directory.
So, my question is - what is the best way to do disk encryption with Manjaro to have a good and reasonable balance between security and comfort?
Is this even doable with the graphical installer, or should I follow e.g. the advice found in this recent thread?
Are there ways to speed up the unlocking process after the installation is done or do I need to start over and do a fresh installation?
I’m not a dissident, investigative journalist, high-level business or government exec and thus probably don’t need to worry too much about obtaining ultimate security or third parties trying to hack my device to listen in to my communications.
Thank you for any suggestions!
Most of the new SSD’s encrypt data by default (self encrypting drives). With my Lenovo for example, setting a HDD password in BIOS is sufficient and will protect the keys used for the SED encryption. You may want to check if that is the case for your model as well… (They have a forum where you should get some answers)
Of course you have to trust your vendor that they implemented this stuff properly. If you do not trust them I would probably go for /home encryption only. Just make sure you store all your sensitive files there then.
In a single boot uefi installation, mount the efi partition to /boot instead of /boot/efi. This results in unencrypted /boot partition, so the kernel will do the decryption instead of grub. This is usually about five times faster than full disk encryption. Fde is mostly overkill anyway for securing personal data. It results in data having to be decrypted twice, and one of those times is done by grub, which sucks at decryption. The downside of this approach is that it is unsuitable for multiboot, because you don’t want to share /boot directory between different distros. I’m pretty sure this approach (unencrypted /boot partition) is what linux mint is doing behind the scenes, at least of you are getting a graphical dialog asking your password for decryption.
If you want fde and still reasonable boot time, manjaro-architect has an option of doing encryption with less secure method. This is theoretically easier to brute force open, but would still be secure for all normal purposes.
If you want to secure your personal data, the only thing that actually needs encryption is your $HOME. I suggest reading this:
Thanks all for the suggestions!
I switched to full disk encryption some time ago (from home folder encryption), since it also looks to be the option giving better performance (see e.g. this article on Phoronix).
So in summary, if I want to keep (almost) full disk encryption, the way forward would probably be to reinstall and mount the efi partition to /boot?
Could this be done without a complete wipe of the system?
I’ll have a look, but I don’t remember any HDD password option, it’s a pretty basic BIOS, unfortunately
Theoretically something like this:
- edit your /etc/fstab so that your /boot/efi gets mounted to /boot instead
- comment out
GRUB_ENABLE_CRYPTODISK=y from /etc/default/grub
- remove the keyfile from files array in /etc/mkinitcpio.conf
- copy the contents of your /boot directory to your /boot/efi
mkinitcpio -P and
update-grub as root
Caveat emptor, this is just written off the top of my head on cell phone and may result in an unbootable system. You might or might not need to also reinstall grub or move some files around in your efi partition. So, if you are doing it, double check that you are doing something that makes sense and have a live USB ready for system rescue.
Thanks, I’ll do some more research and then decide how to proceed.
In the end the system is still relatively fresh, so a quick re-install will probably still be faster than too much fiddling around with an unbootable system.
Make sure this partition is large enough. For a /boot/efi 100 MiB might be enough, for a /boot partition you need at least 500 MiB.