
Ask HN: What Do You Use for Linux Full Disk Crypto? - otterwww
What do you use to manage Linux full disk encryption centrally (like BitLocker and FileVault let you do)?

I know you can do FDE with LUKS but would prefer a more enterprise solution where I can store a recovery key centrally that a user can’t remove.
======
majewsky
What problem are you trying to prevent?

- A novice user fatfingering `cryptsetup luksRemoveKey`? Sounds extremely
unlikely.

- A determined user trying to deliberately destroy information? A lot of
things are easier, e.g. `dd if=/dev/zero of=/dev/sda` to `shred
important_document.pdf`.

The only thing that would protect against most accidental-destruction
scenarios is not giving the users root access, and then you don't have to
worry about users removing LUKS keys anyway.

------
8fingerlouie
I'm using LUKS, with disks being mounted with crypttab.

The keys for the drives are stored on an encrypted USB key, and the key for
the encrypted USB key is stored on the root SSD.

I wanted something where I could boot unattended, and at the same time I
wanted the possibility to destroy the keys and render the disks useless.

I have an encrypted backup of the keys, stored outside of the encrypted disk
arrays.

------
mrkeen
During installation, I tick the box that says 'full disk encryption'.

~~~
jusssi
Which distro are you using? The last I tried with Ubuntu, it "just didn't
work", i.e. failed with very unhelpful error message.

Bonus points if it's possible to install to a partition in existing FDE
container (saves a /home backup-restore external drive round trip).

~~~
Faaak
Works well for me on Ubuntu 18.04 and 18.10

------
emergie
>what do you use

luks

>what do you use to manage

cryptsetup

>prefer a more enterprise solution...

You have exotic needs, I doubt there is any open source solution that fits,
you have to write your own.

You can start by reading this arch page:
[https://wiki.archlinux.org/index.php/dm-crypt/System_configuration](https://wiki.archlinux.org/index.php/dm-crypt/System_configuration)

------
rb666
(very soon) ZFS! It's happening:
[https://github.com/zfsonlinux/zfs/releases](https://github.com/zfsonlinux/zfs/releases)

The PR started 3 years ago:
[https://github.com/zfsonlinux/zfs/pull/4329](https://github.com/zfsonlinux/zfs/pull/4329)

~~~
Biskit1943
Can you explain to me why I should use zfs instead of ext4?

~~~
atmosx
You can compare ZFS to BTRFS, Ext4FS belongs to the late 90s. Comparing ZFS to
Ext4 is like comparing a Pentium 100 MHz to a Quad Core, asking why would
someone want to use the quad core.

------
Leace
LUKS with TPM2-backed key:
[https://github.com/electrickite/luks-tpm2](https://github.com/electrickite/luks-tpm2)

------
rwmj
LUKS + Clevis and Tang does all that you want.
[http://www.admin-magazine.com/Archive/2018/43/Automatic-data-encryption-and-decryption-with-Clevis-and-Tang](http://www.admin-magazine.com/Archive/2018/43/Automatic-data-encryption-and-decryption-with-Clevis-and-Tang)
There's no way to prevent a determined user with root access
from removing a key, except maybe some kind of locked down trusted boot
scenario which will undoubtedly create more problems than it solves.

~~~
8fingerlouie
FDE doesn't protect in case someone breaks in.

Its purpose is to protect data at rest, and if you keep it available in its
unencrypted form, you're not gaining anything from it.

------
xorcist
LUKS can use a central recovery key.

Regular users can't mess with LUKS settings.

~~~
saint_abroad
+1

> a more enterprise solution where I can store a recovery key centrally that a
> user can’t remove.

The enterprise solution is to not give users administrative privs.

------
girzel
I have a yubikey, and this[0] tutorial has been open in a browser tab for I
swear four months or more. I just haven't summoned the guts to do it -- a
voice in my head keeps whispering "you'll brick your laptop, you'll brick your
laptop..."

[0] [https://github.com/agherzan/yubikey-full-disk-encryption](https://github.com/agherzan/yubikey-full-disk-encryption)

------
rca
You can probably use luksHeaderBackup and luksHeaderRestore to make sure your
recovery key will always work with the volume. Although I've never tried it so
don't take my word for it, it should be pretty easy for you to try out.

Not that it will prevent any dedicated user with root rights from locking you
out of the data if they wish to. It just raises friction from a simple
luksRemoveKey.
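
Added example, not part of rca's comment or the original thread: since several replies note that root can always remove a keyslot, a management host can at least verify that the recovery slot is still enrolled and keep a header backup. The slot number 7, the function names and the sample `luksDump` text are constructed for illustration.

```shell
# Added example (not from the thread): list enrolled LUKS keyslots from luksDump text.
# Assumption: the central recovery key sits in a fixed slot (7 here), enrolled
# with `cryptsetup luksAddKey --key-slot 7 <device>`.
# Print enrolled keyslot numbers (space-separated) from luksDump output on stdin.
enrolled_slots() {
    awk '
        # LUKS1 layout: "Key Slot 3: ENABLED" / "Key Slot 4: DISABLED"
        /^Key Slot [0-9]+: ENABLED/ { sub(":", "", $3); out = out sep $3; sep = " "; next }
        # LUKS2 layout: a top-level "Keyslots:" section with "  <n>: luks2" entries
        /^Keyslots:/  { in_ks = 1; next }
        /^[A-Za-z]/   { in_ks = 0 }   # any other top-level header ends the section
        in_ks && /^  [0-9]+: / { n = $1; sub(":", "", n); out = out sep n; sep = " " }
        END { print out }
    '
}

# Succeed only if slot $1 is enrolled in the luksDump output on stdin.
slot_enrolled() {
    case " $(enrolled_slots) " in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Header backup as suggested in the comment above (needs root and a real device).
backup_header() {   # $1 = LUKS device, $2 = output file
    cryptsetup luksHeaderBackup "$1" --header-backup-file "$2"
}

# Constructed, abbreviated LUKS2 dump: user key in slot 0, recovery key in slot 7.
sample_dump() {
    cat <<'EOF'
LUKS header information
Version:        2
Keyslots area:  16744448 [bytes]
Data segments:
  0: crypt
Keyslots:
  0: luks2
        Key:        512 bits
  7: luks2
Tokens:
Digests:
  0: pbkdf2
        Keyslots:    0,7
EOF
}

sample_dump | slot_enrolled 7 && echo "recovery slot 7 present"
```

On a real machine, feed it `cryptsetup luksDump <device>` instead of `sample_dump`, and store the file written by `backup_header` off the host.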

------
gpetrosyan
This article gives a good overview of the options and potential threats:
[https://www.whonix.org/wiki/Full_Disk_Encryption_and_Encrypted_Images](https://www.whonix.org/wiki/Full_Disk_Encryption_and_Encrypted_Images)

Use whonix itself and read the privacy guides in its wiki if you are concerned
with privacy beyond FDE.

------
jason_slack
Actually, this poses a question. I have disk encryption enabled on my laptop.

Now I want to put in a larger hard drive and clone the current drive on to it.
Without disk encryption I could use clonezilla or other tools. With disk
encryption enabled I can't seem to do anything to clone.

What is a solution?

~~~
zAy0LfpBZLC8mAC
Why would it matter whether the disk is encrypted? No clue what clonezilla is
or does, but dd certainly doesn't care whether a partition you are copying is
encrypted.

~~~
pnutjam
I think clonezilla uses partition specific tools for copying. You could dd to
a new drive, but you would not be able to enlarge the partition. You would
need to create a larger partition manually and copy data.

You might be able to do a fresh install (same version) and then copy over it
with your existing installation. You'd have to mount both partitions.

------
jstanley
In the past I have used LUKS and simply stored a copy of the passphrase
centrally. Not very "enterprise" though.

A user who wants to destroy data can do so regardless. Storing a key centrally
only guards against accidental loss of the key.

------
craftoman
I'm using Debian with full disk encryption using the help of Debian Installer.
Such a great tool, during installation and setup sometimes you might get
confused when messing up with physical and encrypted partitions.

------
Daniel_sk
I wish it was so easy as on MacOS or Windows - where you can essentially turn
it on with one button. I don't think enabling encryption on an existing
installation of Linux can be done without reinstalling or a lot of work.

~~~
throwaway77384
Ackchually, enabling full disk encryption via LUKS is rather easy on Manjaro.
It's literally a button that states "use full disk encryption" as part of the
setup wizard. You then enter a password and that's it.

The tricky bit is if GRUB breaks (hint: GRUB looks for every opportunity to
break. If it can break, it will) and you have to chroot into an encrypted LUKS
partition. That's where your average user will be SOL. Not sure how the
recovery process would work for Bitlocker or FileVault.

~~~
Nux
The parent was referring to doing it after the installation and he is right,
it can't be done without serious hassle.

~~~
majewsky
I can see why that's useful for Windows or MacOS, where most users get the OS
preinstalled when purchasing the machine. But Linux is installed by the user
themselves (or a trusted person) 99% of the time, so it's usually sufficient
to set it up at install time.

~~~
chopin
For me, not so much. I installed Mint and skipped the step (so as not to
introduce more complexity the first time), thinking 'I can do that later'. The
disk is still unencrypted... Is there a way to do this and to restore the
system state (installed software etc.)? DuckDuckGo didn't reveal anything
conclusive.

Could anybody comment on the convenience of Linux encryptions (eg. LUKS)? In
Windows, encryption is totally transparent to users (I need only to type the
account password). I wouldn't mind typing in two passwords, other users on the
systems not so much.

~~~
saint_abroad
> In Windows, encryption is totally transparent to users (I need only to type
> the account password).

With transparent encryption, Windows decrypts the disk at boot using the TPM.
Prior to login the disk is already mounted (decrypted).

It provides an easy way for enterprise to say, "yes- we have FDE".

~~~
chopin
So there is no protection if the entire device is stolen (or put in a backroom
at a border)? You can just boot it up and access the disk without having a
user? The Wikipedia page on Bitlocker does not mention this problem for TPM
mode. Or is only a part decrypted until a user logs in?

Edited to add: The best I could find was this discussion:
[https://www.reddit.com/r/sysadmin/comments/5fllep/whats_the_point_of_bitlocker_with_tpmonly_mode_as/](https://www.reddit.com/r/sysadmin/comments/5fllep/whats_the_point_of_bitlocker_with_tpmonly_mode_as/)

------
convery
Usually just Veracrypt since I can use it on Windows as well..

