Looking for Advice and opinions regarding Full Disk Encryption

Feel like tinkering with encryption
running manjaro KDE currently not encrypted
trying to decide if I want to re-install and enable drive encryption, or use a 3rd party solution like Veracrypt or some such

Also would be interested in encrypting an external, USB-connected HDD. My emby server serves media stored on said drive; I'm assuming this would not interfere.

Advice and opinions?

I am using full disc encryption with luks on my laptop. I like it. It is easy to use. Basically it is fully transparent for the user except for the password question at the beginning of the boot process. And suspend and hibernation with a swapfile are working fine. So does the trim command for the underlying SSD.

And on my desktop PC I have an encfs encrypted container in my home directory. It is mounted automatically during login with pam_mount.

Ok, so would I need to reinstall to do this?
How would one go about setting up LUKS?

RTFM

LUKS encryption is offered as an option during Manjaro installation. This is how I got it going on my laptop.

I must have missed the "encrypt entire disk and all USB connected external drives" checkbox

Yes, you must have missed that. There is a LUKS encryption option with the graphical Calamares installer as well as with Manjaro Architect:

[image]

External USB drives are not handled by the installer. You need to encrypt them manually after the installation. Start reading here: https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system

I strongly suggest that you start using the search function here in the forum as well as in the internet. And the wiki pages for arch or Manjaro are always a good education source.

1 Like

Please look into Manjaro User Guide, it's a PDF. You will find there what checkbox to check to encrypt a partition.

1 Like

Wow everyone has been so nice and supportive up until now.
Part of the reason I liked Manjaro was because of the supportive community.
If it was a simple thing to link to, why not just link to it instead of mocking me and such?

Would it have been so hard to say "to answer your question directly, yes you'd have to re-install, you can find the relevant info at this link. Also, as for encrypting the external drive, here's an article that can help you with that"

Thank you for your help, I'm sorry for wasting your precious time, I'm sorry my searches were poorly worded and turned up no results
it's all my fault, I blame no one else, But I didn't deserve that, simply for asking for help.

1 Like

Yes, you have to reinstall.
Please understand that sometimes it is so obvious that people forget to say it explicitly. Don't take it personally! At least you got valuable information that in manjaro-architect it is the submenu 4 and in Calamares it is a checkbox and you can find the explanation in the User Guide.
Another valuable piece of information was that you have to encrypt removable devices separately from the installation process.

4 Likes

Thank you, and I am trying to take away from it what I can. I don't know why my searches turned up nothing.
I tried searching the forum, and I tried searching the general web (duckduckgo). I found lots of info about Veracrypt and LUKS, and a few other encryption file systems, but no real tutorial on how to implement them, and when I installed originally the only box I remember seeing was one for encrypting the home directory, not the whole disk.

I am not into encryption, so ignore this post if it is not relevant to what you are looking for.

search engine: duckduckgo
search term: how to encrypt drives in linux
search result: https://duckduckgo.com/?q=how+to+encrypt+drives+in+linux&ia=web

For obvious reasons, I haven't read each and every one of the how-tos that were found. I sincerely hope that you find some method that corresponds to your exigencies.

Nobody was mocking you. I can not see that in any of my replies.

Would it have been so hard to say "to answer your question directly, yes you'd have to re-install, you can find the relevant info at this link.

I thought I did that by saying: "LUKS encryption is offered as an option during Manjaro installation." I neglected to give you a link to the installation guide though.

3 Likes

There's quite a bit to read, and the information you require is spread across several links: (also there may be other ways to encrypt)

https://wiki.archlinux.org/index.php/Dm-crypt

I haven't done full system encryption, but I do have several internal encrypted drives.

This is a rough step by step:

  1. Read above link and the links it contains.
  2. Backup.
  3. Securely wipe, I use dmcrypt and dd from /dev/zero.
  4. Encrypt with luks.
  5. Add keyfile if needed, backup header.
  6. Unlock.
  7. Create filesystem.
  8. Mount.
  9. Copy data over.

securely erasing the drive
/Device encryption

If the drive is to be connected all the time and mounted at boot:
(I haven't tried this with a USB drive)

  1. Edit /etc/crypttab.
  2. Edit /etc/fstab

https://wiki.archlinux.org/index.php/Dm-crypt/System_configuration

If it gets moved about you'll need to unlock and mount it manually, or by clicking on it in a file manager and entering your password.

You should read the rest of it too, including /Specialties, particularly if it's an SSD.

Integrating it with emby is up to you, but it's transparent: once it's unlocked and mounted, it's just a mounted filesystem like any other.

If in doubt ask.

EDIT:
Just to clarify, there would be more steps for full disk encryption, but you've probably already seen that from the link. This is just for the external disk.

1 Like
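Steps 4 to 8 of the external-drive list in the post above, plus the two boot-time entries, as an added example that is not part of the original post. The function names, the `DRY_RUN` switch, ext4, the keyfile and header-backup paths and the mount point are all assumptions; `/dev/sdXY` stays a placeholder as in the thread.

```shell
#!/bin/sh
# Added example: steps 4-8 for ONE external partition, plus crypttab/fstab lines.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 as root executes them.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# /etc/crypttab fields: <name> <device> <keyfile> <options>.
# nofail lets boot continue when the USB drive is not plugged in.
crypttab_line() {   # args: name uuid keyfile
    printf '%s UUID=%s %s luks,nofail\n' "$1" "$2" "$3"
}

# /etc/fstab entry for the unlocked mapping (ext4 is an assumption).
fstab_line() {      # args: name mountpoint
    printf '/dev/mapper/%s %s ext4 defaults,nofail 0 2\n' "$1" "$2"
}

setup_luks_drive() {    # args: device name
    dev="$1"; name="$2"
    key="/etc/cryptsetup-keys.d/$name.key"   # assumed keyfile location
    hdr="/root/$name-luks-header.img"        # assumed path; copy it off this machine
    mnt="/mnt/$name"                         # assumed mount point
    # Refuse to touch a partition that is currently mounted.
    if [ "$DRY_RUN" != 1 ] && findmnt --source "$dev" >/dev/null 2>&1; then
        echo "refusing: $dev is mounted" >&2; return 1
    fi
    run cryptsetup luksFormat "$dev"                  # step 4, asks for a passphrase
    run install -d -m 0700 /etc/cryptsetup-keys.d
    run dd if=/dev/urandom of="$key" bs=512 count=8   # step 5, random keyfile
    run chmod 0400 "$key"
    run cryptsetup luksAddKey "$dev" "$key"
    run cryptsetup luksHeaderBackup "$dev" --header-backup-file "$hdr"
    run cryptsetup open --key-file "$key" "$dev" "$name"   # step 6
    run mkfs.ext4 "/dev/mapper/$name"                 # step 7
    run mkdir -p "$mnt"
    run mount "/dev/mapper/$name" "$mnt"              # step 8
    if [ "$DRY_RUN" = 1 ]; then uuid='<LUKS-UUID>'
    else uuid="$(blkid -s UUID -o value "$dev")"; fi
    echo "# add to /etc/crypttab:"; crypttab_line "$name" "$uuid" "$key"
    echo "# add to /etc/fstab:";    fstab_line "$name" "$mnt"
}

if [ "$#" -ge 2 ]; then
    setup_luks_drive "$1" "$2"
else
    echo "usage: [DRY_RUN=0] $0 /dev/sdXY mapping_name" >&2
fi
```

Referencing the drive by UUID in crypttab avoids unlocking the wrong device when `sdX` letters change between boots.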

Thank you for that, if it's a normal file system once mounted, then Emby should have no problems. In theory.
I've been trying to read the links posted so far, and like you said the info is a little spread out.

I haven't done a secure wipe before, it looks a little complex at first glance, but I'll read up and get it figured out.

You're welcome. :smiley:

Secure wipe isn't that bad, just takes ages if you have a multi TB disk:

1. Find your partition, e.g. sda1, sdb3.
2. Make sure it's the correct one!
3. Do any backup and make sure it's un-mounted.
4. sudo cryptsetup open --type plain -d /dev/urandom /dev/sdXY some_label
5. You should make sure it worked by using lsblk.
6. sudo dd if=/dev/zero of=/dev/mapper/some_label status=progress bs=1M
7. Wait until dd finishes and tells you you've run out of space.
8. sync just in case, wait till it finishes.
9. sudo cryptsetup close some_label

Change XY to the correct letter and number. You can check if it's mounted using lsblk.

1 Like

Ahh thank you again!!!

I forgot to mention, you should have a bootable USB drive (or another working install) just in case, but that should be a given, never know when you might need one.

You're welcome :slight_smile:

1 Like

My own personal opinion is you had better keep very good backups because full disk encryption is just data loss waiting to happen.

If you are not familiar with disk encryption you are just complicating your install process and creating pitfalls for down the road.

Also, grow a little thicker skin. You were in no way being mocked when advised to search thoroughly. @mbod was being very helpful in assisting you, and in no way deserved being taken to task for making a very reasonable comment.

Regardless, good luck with your planned encryption, but beware as this leads to many forum posts from users locked out of their system with resultant data loss. Just sayin, but at least forewarned is forearmed.

Thank you for the advice on keeping good backups, I'll keep that in mind. I'm open to other suggestions on how to encrypt specific folders/files and still keep them accessible to my system/Emby. I was under the impression that full disk encryption would be the most streamlined way to accomplish what I wanted.

Which DE are you using? KDE has vaults built in.
