I have a hard drive with Windows and Linux. Linux has 4 partitions. What's the best way to encrypt my entire Linux system? I don't care about the Windows partition.
Check out the ArchWiki page about LUKS encryption. That is probably the best way, but you'll probably need to reinstall. Also, you'll need an unencrypted /boot partition (which can be stored on some other drive if you really want everything encrypted).
Can't encryption be done without reinstalling?
The day Microsoft makes a product that doesn't suck, is the day they make a vacuum cleaner.
--------------------------------------------------------------------------------------------------------------
But if they tell you that I've lost my mind, maybe it's not gone just a little hard to find...
Already have a separate boot partition. Can't this be done without reinstalling?
If you want to avoid reinstalling you'll need to rotate your root partition while you encrypt your system, i.e. if it's on partition A, clear partition B, encrypt partition B, copy partition A to partition B, update grub and fstab to boot partition B properly, encrypt A if it worked.
You can't encrypt a disk without losing what's on it without storing that somewhere else because encrypting it involves formatting it (once you encrypt it, it's just random data so you need to build the file system).
If you have to wipe everything, I would suggest ditching the 4 partitions and replacing them with a single LVM partition (it's in the wiki). You then have 2 main choices for encryption:
a) LVM over LUKS
Encrypt the single physical partition (that replaces the 4 partitions) with LUKS, then stick LVM on top of that to create your logical partitions (which you can easily resize etc).
b) LUKS over LVM
Create an LVM partition then encrypt the logical volumes that you want to encrypt. Depending on your partition scheme, there may be no need to encrypt all of your partitions (read: logical volumes), e.g. /usr. Just ask yourself "what do I actually want/need to encrypt?". With this, you can also decide what you unlock when the system starts (maybe you have a partition that you only want to access sometimes, or that shouldn't be accessible/mounted during normal operation).
Also, if you have the memory for it (or a fast enough disk), you should consider using tmpfs to encrypt your /tmp partition. As you'll no doubt have an encrypted swap partition that's mounted with a random key each time you boot the computer (so that once you shut down, there's no key saved and the data becomes unrecoverable), you can safely use tmpfs to store /tmp in RAM and on the encrypted swap partition, which also makes all data on /tmp unrecoverable.
Last edited by Xyne (2008-09-14 01:15:59)
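The swap and /tmp arrangement described in the post above, turned into a configuration check (an added example, not part of the original thread). It assumes the crypttab(5) column layout, and the device and volume names in the sample are hypothetical; a swap volume that sits inside a LUKS container, as in the LVM over LUKS layout, is also encrypted but is reported here because it is not re-keyed at boot.

```shell
#!/bin/sh
# Added example (not from the thread): check that /tmp is tmpfs and that every
# swap area is a dm-crypt mapping re-keyed from a random source at each boot.
# Assumes crypttab(5) columns: name  device  keyfile  options.

audit_tmp_swap() {   # usage: audit_tmp_swap FSTAB CRYPTTAB; returns 0 if sound
    fstab=$1 crypttab=$2 rc=0

    # tmpfs pages can be swapped out, so /tmp is only as private as swap is.
    if ! awk '$1 !~ /^#/ && $2 == "/tmp" && $3 == "tmpfs" { ok = 1 }
              END { exit !ok }' "$fstab"; then
        echo "FAIL: /tmp is not mounted as tmpfs"; rc=1
    fi

    swaps=$(awk '$1 !~ /^#/ && $3 == "swap" { print $1 }' "$fstab")
    [ -n "$swaps" ] || echo "NOTE: no swap configured, /tmp stays in RAM"
    for dev in $swaps; do
        name=${dev#/dev/mapper/}
        if [ "$name" = "$dev" ]; then
            echo "FAIL: swap $dev is not a dm-crypt mapping"; rc=1; continue
        fi
        # The mapping must take its key from a random device and carry the
        # "swap" option, which re-runs mkswap on the fresh mapping every boot.
        if ! awk -v n="$name" '$1 !~ /^#/ && $1 == n &&
                ($3 == "/dev/urandom" || $3 == "/dev/random") &&
                ("," $4 ",") ~ /,swap,/ { ok = 1 }
                END { exit !ok }' "$crypttab"; then
            echo "FAIL: $name is not keyed randomly at boot in crypttab"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: /tmp is tmpfs, swap is keyed randomly at boot"
    return "$rc"
}

demo() {   # constructed sample files; device and volume names are hypothetical
    d=$(mktemp -d)
    printf '%s\n' '/dev/mapper/root / ext4 defaults 0 1' \
        '/dev/mapper/swap none swap sw 0 0' \
        'tmpfs /tmp tmpfs nodev,nosuid,size=1G 0 0' > "$d/fstab"
    printf '%s\n' '# name device keyfile options' \
        'swap /dev/vg0/swap /dev/urandom swap,cipher=aes-xts-plain64,size=256' \
        > "$d/crypttab"
    audit_tmp_swap "$d/fstab" "$d/crypttab"; rc=$?
    rm -rf "$d"
    return "$rc"
}
demo
```

On a real system the function takes `/etc/fstab` and `/etc/crypttab` as its two arguments and only reads them.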
1 GB RAM should be good enough for /tmp in RAM. Also, I've never actually looked into LVM. I've been using normal old partitions all along. Thanks for pointing them out. They seem interesting! I guess I'll do LUKS over LVM with /tmp in RAM and encrypted swap. I'll also get another stick of RAM and put it in my laptop.
One caveat: When I first installed Arch I looked into recommendations for partition sizes. I remember reading that if you want to burn DVDs, you (might) need to have enough space in /tmp, so if that applies to your case, consider that when deciding on how much swap space you need.
That said, the beauty of LVM is that you can just resize your swap partition or extend it with another one (only temporarily if you wish).