I have a new laptop for back-up to my main machine & I want an OS with full disk encryption. Reading online, it seems that the Manjaro installation process does provide this option but people have said that the decryption is slow.
Within reason, that doesn’t bother me too much. The main thing I am concerned about is the stability of the system. I have been using an unencrypted Manjaro OS on my main rig for the last 5 years, without problem. The only issue is that the SSD isn’t encrypted, which I don’t like.
What is the state of Full Disk Encryption with Manjaro as of today & is it recommended? I tried out the ArchInstall script last weekend & it works well with full encryption; however, my concern is the greater risk of breakages.
I would appreciate people’s thoughts on the above. Thanks & more power to you all.
Thanks, I guess that’s the challenge. I’m not sure how high the risks of breakage are vs the security risk of not having my system encrypted. I don’t have deep tech skills, so will have to weigh it up. Thanks, R
My attack scenario is mainly someone stealing the machine & getting access to my data. I also keep all my business tabs open & logged into various services. I want to know that if someone steals my machine, it’s as good as useless as far as accessing my systems is concerned.
As far as stability goes, I don’t have an opinion on an encrypted Manjaro system - I just want to ensure I’m not greatly increasing the chances of something going wrong. My Manjaro OS has been rock solid for 5 years but it’s unencrypted.
Use disk encryption. The performance should be negligible, especially if there is hardware support for the encryption. Even without the hardware, a lot of time is spent waiting for i/o which is longer than the time it takes your CPU to decode it. I’ve used disk encryption with Manjaro for probably 5 years. It’s just using LUKS, which you should be able to unlock with any liveUSB should you have any problems.
It is highly stable. This isn’t Manjaro disk encryption, this is the disk encryption that is used by the entirety of the Linux community (LUKS).
This is because the default encryption method encrypts your boot and root. When decrypting your boot, hardware acceleration cannot be used, so it takes easily 10x or more as long as with hardware acceleration. You can choose to manually partition and only encrypt your root partition but not your boot, which will allow you to use hardware acceleration and greatly speed up your boot times.
The downside to this is that your boot partition will not be encrypted. People won’t be able to steal any of your data (unless you are keeping it in your bootloader for some reason), but someone with access to the device could implant malware into your bootloader, which would then activate the next time you booted up your computer.
As long as you don’t encrypt the boot partition it’s not slow in a noticeable way.
As for stability: practice to mount and decrypt your install from a live USB. Because one time in the last 10 years there was an update of the cryptsetup package that made an encrypted install unbootable. You had to decrypt and chroot from a live USB. A challenge for non techy users.
Or just wait for a few days before updating.
Just to add my voice, same here, LUKS is very stable and a good piece of s/w, it’s quite powerful. I’ve used it for years w/o problems (and I experimented a lot with it, it was resilient to anything I could throw at it). As long as you don’t forget your passphrase (you can have more than one if that’s of any use) you should be ok. Performance wise also, on SSD or nvme I didn’t notice any lag. You do need to read about it and know how it works to feel more in control but there are tutorials and it’s not that complex. The header (where keys/slots are) is problematic if corrupted, but LUKS2 has improved its resilience to that, and chances are slim for something like that to happen, and you can destroy anything if you want.
Thanks everyone - I appreciated all your comments & it gave me the confidence to go for it - I know there are no guarantees in this life but the risk/benefits weigh up & you all seem to have good experiences.
I took the plunge & have just finished setting up my new Manjaro machine with full disk encryption. Yea, it takes an extra 15 seconds or so to boot but that doesn’t bother me at all.
The last time I installed Manjaro was 5 years ago on my main box & I’m massively impressed with what the team have done. Thanks to you all - this is a great community.
Hi @varikonniemi. You’re right - I haven’t timed it but it’s probably quite a bit less than that. I’m talking 15 seconds to log-in & that feels pretty quick considering. It feels good knowing it’s full disk encryption. I’m super impressed with Manjaro on my new laptop. Thanks again, Ruziel
Hi again. In your good people’s opinion, what would be the best way for me to secure my applications with encryption? I installed Manjaro on my main machine 5 years ago & didn’t include full disk encryption at the time. Most of my data is in the cloud, so the main thing I want to be able to do is stop anyone from firing up any apps, in the event that my machine is compromised. I stay logged in to a lot of services for convenience. Would encrypting my Home folder be the thing to go for? I’m not sure where the applications like browsers etc are kept. Thanks in advance…
I have just timed my boot & with an SSD & 16Gig RAM on an i7 6th Generation chip, it took 1m18S to get me to the sign-in page. I would like to edit Grub a bit but I don’t want to mess with the decryption process. Arch was significantly faster but then it doesn’t provide full disk encryption in the Installer Script, so for me Manjaro does the better job. Security is much more important to me on my laptop, so it’s no big deal really. Thanks, R
LUKS encryption is configurable and you can set the number of hashing iterations to make the unlock be faster. This is to make it harder to brute force decryption should your hardware come into anyone else’s possession. The default number of iterations used by default has increased over time as hardware has gotten more powerful.
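Added example, not part of the thread: a shell function that reads `cryptsetup luksDump` output and lists the key-derivation cost of each active key slot, which is the iteration setting the post above refers to. The sample dumps are constructed and only modelled on the LUKS1 and LUKS2 dump layouts, and `/dev/sdX2` is a placeholder device name.

```shell
# Added example. Reads `cryptsetup luksDump` text on stdin and prints
# "<slot> <pbkdf> <cost>" for each active key slot.
luks_slot_costs() {
    awk '
        function emit() { if (slot != "") print slot, kdf, cost; slot = kdf = cost = "" }
        # LUKS1 layout: "Key Slot N: ENABLED" followed by "Iterations:" (always PBKDF2)
        /^Key Slot [0-9]+: ENABLED/  { emit(); slot = $3; sub(":", "", slot); kdf = "pbkdf2"; next }
        /^Key Slot [0-9]+: DISABLED/ { emit(); next }
        # LUKS2 layout: slots are listed under "Keyslots:"; "Digests:" also has
        # an "Iterations:" line, so costs are only read while inside a key slot
        /^Keyslots:/                 { in_slots = 1; next }
        /^[A-Za-z]/                  { emit(); in_slots = 0 }
        in_slots && $1 ~ /^[0-9]+:$/ { emit(); slot = $1; sub(":", "", slot); next }
        slot != "" && $1 == "PBKDF:"                { kdf = $2 }
        slot != "" && $1 == "Iterations:"           { cost = "iterations=" $2 }
        slot != "" && $1 == "Time" && $2 == "cost:" { cost = "time_cost=" $3 }
        END { emit() }
    '
}
# Constructed samples modelled on luksDump output; all values are made up.
sample_luks1() {
cat <<'EOF'
MK iterations:  100000
Key Slot 0: ENABLED
    Iterations:     1600000
Key Slot 1: ENABLED
    Iterations:     400000
Key Slot 2: DISABLED
EOF
}
sample_luks2() {
cat <<'EOF'
Keyslots:
  0: luks2
    PBKDF:      argon2id
    Time cost:  4
  1: luks2
    PBKDF:      pbkdf2
    Iterations: 1000000
Digests:
  0: pbkdf2
    Iterations: 129774
EOF
}
sample_luks2 | luks_slot_costs   # demo run on the constructed LUKS2 sample
# On a real system, as root (/dev/sdX2 is a placeholder):
#   cryptsetup luksDump /dev/sdX2 | luks_slot_costs
#   cryptsetup luksChangeKey --iter-time 1000 /dev/sdX2   # re-key a slot, ~1000 ms of PBKDF work
```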