this post was submitted on 02 Sep 2024
75 points (98.7% liked)

Linux

48622 readers
1271 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

My laptop isn't under my supervision most of the time. And I'd hate it if someone were to steal my SSD, or whole laptop even, when I'm not around. Is there a way to encrypt everything, but still keep the device in sleep, and unclock it without much delay. It's a very slow laptop. So decryption on login isn't viable, takes too long. While booting up also takes forever, so it needs to be in a "safe" state when simply logged out. Maybe a way that's decrypt-on-demand?

I'm on Arch with KDE.

top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 38 points 3 months ago (5 children)

The standard route is to decrypt on boot. It happens after GRUB but before your display manager starts. IDK if there even is a setup that has you "decrypt on login". Thats sounds like your display manager (sddm for KDE) is decrypting system which is not possible IMO.

Unless your laptop somehow has multiple drives you'll want to use the "LVM on LUKS" configuration. 1 small partition for /boot. The rest gets LUKS encrypted, and an LVM group is put on the LUKS container. Or you could replace LVM with btrfs.

This will require wiping your system and reinstalling so you have some reading to do.

The arch-install script in the live iso has options for full disk encryption.

If you suspend to RAM your system will stay unencrypted, because your ram is not encrypted. if you suspend to disk (aka hibernate) your system will be encrypted. You go through the boot loader when waking from hibernation but it just drops you off where you left off.

You need a swapfile for hibernation so make sure its inside the LUKS container.

[–] [email protected] 10 points 3 months ago (1 children)

There is a way for just your home folder to be encrypted, Linux Mint has it as an option.

[–] [email protected] 3 points 3 months ago

Looks like they use eCryptFS. Never heard of it before so thats neat. I can see using it on systems where you can't reinstall the system with Dm-crypt but it most cases I suspect Dm-crypt is a better alternative.

Idk if its faster or slower than Dm-crypt.

[–] [email protected] 9 points 3 months ago

+1 for LVM on LUKS

[–] [email protected] 3 points 3 months ago (5 children)

To add to the comments, most distros do not offer FDE by default when installing. You have to jump thru hoops. No idea why this is still the case given how many consumer computers are laptops these days, it seems crazy.

The big exception seems to be PopOS, an Ubuntu derivative which is intended for laptops. FDE by default so it must be pretty easy to get that up and running.

Ubuntu itself has a solid FDE option on install, too. It sets up the LVM configuration as already described, no expertise needed. And IME works very reliably.

[–] [email protected] 2 points 3 months ago (1 children)

openSUSE also has a simple FDE setup. Just check a box and enter a passphrase during install. It's not default, but it's about as easy as possible to set up.

[–] [email protected] 1 points 3 months ago

Useful to know, thanks.

For the record, I once had a bad experience with the Debian installer's version. That is why I will not be trying Debian again. Installation is a moment of vulnerability, when you don't have ready access to your data, or the network, and this is one extra factor. IMO it really is non-negotiable for a distro to provide a bulletproof installation experience.

load more comments (4 replies)
[–] UnRelatedBurner 2 points 3 months ago (2 children)

okay I got my homework, I'll read on these.

[–] [email protected] 6 points 3 months ago* (last edited 3 months ago)

Keep in mind an unencrypted /boot partition still leaves you open to an evil maid attack. I'm not really paranoid (or interesting) enough that I feel the need to take measures to prevent those kinds of attacks, but your situation may differ.

[–] [email protected] 2 points 3 months ago

Dreams of Code on YouTube has a video for a full start to finish arch install specifically including full disk encryption. While my computer is far from “slow” it’s also nothing crazy, and other than adding a second password to my bootup process, the decrypting really doesn’t take long.

[–] [email protected] 2 points 3 months ago

You technically could encrypt just your home but that's not the recommended approach.

[–] [email protected] 20 points 3 months ago (2 children)

How old are we talking? If the CPU is >10 years old and/or some kind of ARM, it may not have hardware encryption acceleration, which means it'll happen in software. I did that once, it was horrible. lscpu |grep -i aes should probably tell you what you need to know.

[–] [email protected] 5 points 3 months ago

If you don't have hardware encryption you can use --cipher xchacha20,aes-adiantum option when running cryptsetup to make it way faster than standard aes cipher in software.

[–] UnRelatedBurner 3 points 3 months ago (4 children)

It does give me a result so I do have "aes". How can I use it?

We're talking an Intel i5-8350U. it has 16GBs of ram and 500GB of SSD.

[–] [email protected] 4 points 3 months ago

You said you're on Arch, you'll want to go through their docs which are solid: https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system

[–] [email protected] 4 points 3 months ago (1 children)

That's not a slow laptop. I've been daily driving worse for years.

To protect the data from random thief just browsing through the files I still use ecryptfs. It only encrypts the home directory, and the keys are derived from my accounts password, so no extra hassle.

The encryption is weak by the current standards, and wouldn't stop a determined attacker, but it's 100% better than nothing, and I've never noticed any performance problems.

load more comments (1 replies)
[–] [email protected] 2 points 3 months ago* (last edited 3 months ago) (2 children)

That's pretty much my ThinkPad's Specs. Fine for almost all stuff I have to do on the go (expect CAD, don't try to run BricsCAD on the thing, it'll make you go crazy.)

I use full disk encryption on it, as on all my other devices, and it's fine, speed-wise. The SSD is NVME, not SATA, but I doubt the performance impact would be noticeable on a SATA SSD if that's what you've got.

load more comments (2 replies)
[–] [email protected] 2 points 3 months ago

That is absolutely not a slow laptop. If it takes a long time to boot there must be something wrong. I have a similar system that takes about ten seconds to boot.

Anyways, like others said, LVM with LUKS is the simplest. It uses your hardware to quickly decrypt the drive on boot. While it is running access to your data is protected by your login manager or lock screen.

[–] [email protected] 8 points 3 months ago (9 children)

That’s a hard thing to do for a bunch of reasons. There’s someone else who went into em so I’m not gonna do that.

Unless something’s seriously wrong, it would probably be better to just make your laptop boot faster.

So, what’s your laptop, what kind of disk does it have and how long does it take to boot/login?

load more comments (9 replies)
[–] [email protected] 8 points 3 months ago

LUKS2 with a strong hash.

It will take a while to decrypt but it will so be worth it. You only have to enter the password once.

[–] [email protected] 5 points 3 months ago
[–] [email protected] 4 points 3 months ago
[–] [email protected] 4 points 3 months ago* (last edited 3 months ago) (1 children)

Maybe systemd-homed is the solution you are looking for. The arch wiki has a page for it. And this can be better for your use case because only your home folder needs decryption and not the whole drive.

There is this to keep in mind since you are using KDE, but can be easily fixed: https://wiki.archlinux.org/title/Systemd-homed#Home_directory_remains_active_after_logging_out_of_Plasma

[–] UnRelatedBurner 2 points 3 months ago (1 children)

Sounds perfect. I'll need more sources to understand what it's doing and how to config it. Thanks!

[–] [email protected] 2 points 3 months ago (2 children)

Systemd has a good guide on how to use it https://systemd.io/HOME_DIRECTORY/

And they also have a guide on migrating a traditional user home to this. Do remember to take backups if going this route https://systemd.io/CONVERTING_TO_HOMED/

I personally used the arch wiki when I set it up https://wiki.archlinux.org/title/Systemd-homed

There is not much config.

I think the command I used for my laptop was:

homectl create <name> --storage=luks --shell=/usr/bin/fish --member-of=wheel

https://wiki.archlinux.org/title/Systemd-homed#Creation

Gnome is working on a gui for this, but it will probably be a while until that is out. I feel like it is pretty safe to use the cli for this one.

[–] UnRelatedBurner 2 points 3 months ago* (last edited 3 months ago)

Hehe, Thank you. But by the time I'm reading this I've already done it. Got stuck on a couple or roadblocks, but figured it out. I got scared when I didn't "enable" the service just "start" it. I'm not safe(-ish enough). :D

edit: well not the plasma fix. wiki said if it's a problem I need to start something, and that something should be on by default. So I didn't do anything, maybe that's a problem

[–] UnRelatedBurner 2 points 3 months ago (1 children)

Okay I just had a bit of freetime to test it: doesn't work.. if I log out or sleep, my home dir is still mounted. Meaning it's as good as nothing. Looked at the plasma fix, didn't work. I have a pretty good lead, that I need the topmost template from some wiki:

[Unit]
PartOf=graphical-session.target

Problem is, where in the world should I write this? I really don't expect you to know, but maybe I'm talking to a genius. The internet didn't help, or I used it wrong.

[–] [email protected] 1 points 3 months ago (1 children)

The template is supposed to be something that you put in your own systemd services. plasma-kwin_x11.service and plasma-kwin_wayland.service both already have it.

If I have to guess, it is probably a bug that will get fixed sometime in the future, meaning this is not a viable solution until then. Sorry for that.

Just as a last bit of troubleshooting, check if cat ~/.config/startkderc shows systemBoot = true. If it does not, run kwriteconfig6 --file startkderc --group General --key systemdBoot true. I doubt this will change much, but still worth trying.

If I get some free time, I will do some testing and let you know here

[–] UnRelatedBurner 2 points 3 months ago (1 children)

cat ~/.config/startkderc returns systemdBoot=true. I'm guessing you made a typo and this is correct. In this case I guess it just doesn't work on KDE, my next idea is LUKS on /home and hibernating instead of sleeping. Or I always wanted to try a tiling window manager... hm

[–] [email protected] 2 points 3 months ago (1 children)

systemdBoot is supposed to be true, not a typo. But yeah, I don't use plasma much so I don't really know how to solve the issue... Sorry for that!

[–] UnRelatedBurner 2 points 3 months ago

No problem, thanks for the help. Also I got news is that I don't have to trust anyone with my laptop, I can keep it by my side after all. Still it's a security mesure, that I didn't solve in time. fun fact: LUKS on /home only breaks KDE. I really don't want to give up kde tho, I put on sway, realised that I needed to memorise console commands to change my fking volumes, so no thank you. I got spoiled by sweet UIs. it's so comfortable that everything is at one place.

[–] [email protected] 4 points 3 months ago

I encrypt my disk with LVM on my Debian laptop. You'll need to reinstall your operating system, as you have to do special partitioning. If your device has a TPM, you can use Clevis to set it to auto-decrypt.

[–] [email protected] 3 points 3 months ago* (last edited 3 months ago) (1 children)

With an encrypted disk, you only need to enter the encryption password when you shutdown or restart. Suspending and ~~sleep~~ lock screen don't need your encryption password.

[–] [email protected] 5 points 3 months ago (1 children)

Suspending to disk usually requires a password on resume.

[–] [email protected] 1 points 3 months ago* (last edited 3 months ago) (1 children)

That's true for hibernation, but not suspending. Hibernation stores everything in RAM onto the disk then shuts off the PC; to resume the system, you need to unlock the disk to access that data. Suspending doesn't turn off the computer, it keeps the CPU and RAM active.

On my Fedora system, I can hit the suspend button and get back into the OS without needing to type my encryption password, only my user password.

[–] [email protected] 5 points 3 months ago* (last edited 3 months ago) (2 children)

Ok so what do you call "sleep"? You've now listed suspending, sleeping, and hibernating as 3 different things.

load more comments (2 replies)
[–] [email protected] 3 points 3 months ago* (last edited 3 months ago)

Most filesystems now how encryption that is better optimized for their specific performance & might be worth choosing over LUKS… ZFS, Bcachefs, F2FS, ext4

[–] [email protected] 2 points 3 months ago

I use ZFS on my workstations with Debian, but yeah full drive is the way to go i think even Linux Mint does full drive anymore, also remember to keep backups.

load more comments
view more: next ›