Linux Mint Forums

[ASmith]

Add the Installation Option of Full Disk Encryption to All future Linux Mint Releases

Many Linux distributions are fully utilising the Linux Volume Manager (LVM) to install their LiveCD updates AND give their users the option to fully encrypt the entire disk in the process.

Linux Mint teams should give the option of Full Disk Encryption to Linux Mint DVD installers, include LVM and the painless,reliable Full Disk Encryption set-up and installation of Linux Mint in the same process.

Many Linux uses are very security minded, the Ubuntu kernel includes the routines to fully support full disk encryption. Computer,Laptop and Notepads stolen or seized under dubious or illegal warrants are on a rather large rise these days underscoring the value and need for Linux Mint users to have the option of full disk encryption during the Linux Mint installation.

Does disk encryption really protect your data from unauthorised access by gov.agencys or more common thugs and thieves? YES provided the passphrase is strong enough along with a strong multi-encryption algorithm http://www.linuxbsdos.com/2011/12/05/does-disk-encryption-really-protect-your-data-from-unauthorized-access/

References and Articles showing how very popular Full Disk Encryption on Linux based Desktops,Laptops,Notepads Is:

Linux and BDS desktop distributions with support for full disk encryption http://www.linuxbsdos.com/2011/07/26/linux-and-bsd-desktop-distributions-with-support-for-disk-encryption/

How to install Linux Mint Debian Edition on an encrypted LVM file system http://www.linuxbsdos.com/2011/01/01/how-to-install-linux-mint-debian-edition-on-an-encrypted-lvm-file-system/

Full Disk Encryption easy HOWTO-Linux Mint Community http://community.linuxmint.com/tutorial/view/344

Linux Logical Volume Manager (LVM) for Linux distros to configure and manage quick and easy full disk encryption installations http://www.linuxbsdos.com/2008/11/17/linux-logical-volume-manager/#

The Benefits of Using Linux Logical Volume Manager (LVM) http://www.linuxbsdos.com/2008/09/24/the-benefits-of-using-linux-logical-volume-manager/

In closing...

Debian, Fedora, and Sabayon among other Linux Distros now offer Full Disk Encryption with their LVM based installers, why not Linux Mint?

[wan_dorra]

I registered to add my support for this. Previously, I had Debian on my laptop and having the whole drive (minus /boot) encrypted was a great feature. Installing Mint was a step up in terms of out-of-box user experience, however the lack of encryption, aside from just encrypting the home folder felt like a big step down.


+1 for this suggestion!

[prawnstar]

+1

I also just registered to voice my desire to see this as a feature of Linux Mint. It's the only feature preventing me from switching from Ubuntu to Mint. The only.

Encrypted LVM is pretty much par for any modern course these days. I think the lack of encrypted LVM options in the installer makes for a strong argument against your FAQ regarding "Is Linux Mint suitable for companies?"

[ASmith]

Thank you wan_dorra and prawnstar for your support on adding the Mint Option for Full Disk Encryption to all future Linux Mint Releases.

Yes, with the current police state mentality sweeping across USA, UK, Canada and Europe the business option of having a Linux distro which has full disk encryption is a must have feature.

I would also extend the urgent need for Linux Mint releases to also have the option for Token Files to be used for any/all pass phrases or optionally supplement a pass phrase. In a business environment, Root access only via a token file based pass phrase would be ideal and no one outside of the management would even know what that pass phrase is.

A token file is any external device file (CD,DVD,Pendrive) generally of a compressed nature (.gif,jpeg,mp3,avi,tar etc.) which is used to read in the maximum number allowed for the pass phrase by reading from the top or bottom nth. number of bits making the resulting pass phrase very strong and when the token file is nested among hundreds of additionally common files, very secure as well.

A token file also provides the victim of wrongful persecution, plausible deny ability in regards to interrogation over what the pass phrase is to legally or illegally enter into their computer to try and find anything they can to use against that computer user. There is now a legal ruling by a federal court judge that a computer user must disclose their pass phrase even thou there are no charges nor does the warrant indicate specifically what is being sought. The female victim in that court case has told the agents she doesn't know what her pass phrase is and has stuck to that line. With a token file, the computer user does not know what the pass phrase is and without it and with adequate encryption by Twofish, Serpent or both it is entirely unlikely anyone is going to access that safely secured data.

I hate to see people leaving the Linux Mint distribution or not even considering it because it currently doesn't have a full disk encryption option built into it's installer. With multiple Linux distributions offering that feature, it is clear they are listening to the urgent needs of their users and to the police state environment now pressing upon the global business climates.

I can think of no better time to include a Linux Mint full disk encryption installer option and a Token file full/supplemental Root/User pass phrase option to the Mint 12 LTS etc. releases.

[undoIT]

Yes! I agree. Full disk encryption option during install is a must. Including this feature should be a priority for the Linux Mint 13 release. I currently use Fedora 16 on my primary laptop that I keep at home and I have been installing Ubuntu for any laptops I take with me on the road. With Fedora, I must enter a password to unlock the disk encryption during boot and then enter my user password to enter the desktop. Although this is very secure, I really love the way Ubuntu does seamless encryption and doesn't require the additional password during boot.

I just finished installing Linux Mint 12 on my MacBook Air 4,2 and played around with both the standard and Cinnamon desktop. As much as I love Mint, it is not an option for any laptop that has sensitive information such as my email client, work files or financial files because of the lack of full disk encryption. This is absolutely essential for any laptop other than a toy / test box.

[xenopeek]

Vote this idea up (or down) over at the Linux Mint Community website: http://community.linuxmint.com/idea/view/2144 (You need to login or create an account.)

[undoIT]

Thanks. I just voted it up. I was really suprised to find out that there is no full disk encryption last night, because it has long been available as an install option for Ubuntu. I thought I must have missed it or something while installing Linux Mint 12 to test out Cinnamon and the new KDE release.

This issue needs to get more attention so that it is implemented in the next release. Lack of easy full disk encryption is a deal breaker for me and I'd imagine it is the same for many other Linux lovers.

[faolan]

I agree. LVMs and encryption are now deal breakers for me when it comes to choosing a distro, which is one of the reasons I recommend OpenSUSE, Debian, and even Kubuntu over many other distros (the other being good support for KDE). I was looking into installing Mint but was a little bit dismayed that its installer will not work because it can't pick up my encrypted LVM.

I think a great way of handling this would be to allow installation via the Debian installation framework (either the text or graphical tool, but prefebly both) AND using the live installer. I actually would prefer a non-live install disc, but I guess I'm just old school boring like that. It could be added as an option at the boot screen and would essentially provide instant support for LVMs, encryption, etc. And since most of the work is already done, only a few simple adjustments would really be necessary such as creating proper branding on the GUI version and ensuring the proper programs are selected by default.

Really, Mint seems to be the "perfect" distro right now, and I love that it has a development team that listens to its users, implements the best solutions based on its users commentary, and actually does a lot of development work. Cinnamon, MATE, and the Debian Edition as great examples of where the Mint team has went above and beyond to show that they are serious about making things work and innovating beyond the base. After seeing them in a working state, I think asking for good LVM and encryption support should be a snap to implement.

This is one of the few distros around that do any real innovation on a major front and really it is just a community supported project. I do think that Mint should take a next step to supporting LVMs and encryption simply to cross that bridge into enterprise territory. If businesses are to take Mint seriously it needs to provide the same full features as Debian, Ubuntu, Fedora, and SUSE. And really, being based off of Debian / Ubuntu really gives the project a major head start.

[powerhouse]

+1

I don't really care for encryption, but LVM is a must! I use LVM on my disks and this requires installer support. It's a real pain to install LMDE 12 on LVs, and any way I chose created problems in the end.

I voted for it in the "idea" forum.

[sf101]

+1, at the idea too.

Encryption is essential for me, especially on laptops. I tried Mint a few times on a testing machine and it looks very good, but the absence of FDE is a showstopper, so I keep falling back to the original Ubuntu/Xubuntu...

[kijin]

A token file also provides the victim of wrongful persecution, plausible deny ability in regards to interrogation over what the pass phrase is to legally or illegally enter into their computer to try and find anything they can to use against that computer user. There is now a legal ruling by a federal court judge that a computer user must disclose their pass phrase even thou there are no charges nor does the warrant indicate specifically what is being sought. The female victim in that court case has told the agents she doesn't know what her pass phrase is and has stuck to that line. With a token file, the computer user does not know what the pass phrase is and without it and with adequate encryption by Twofish, Serpent or both it is entirely unlikely anyone is going to access that safely secured data.

Just wait until another court ruling says you must disclose your token file.

The only way you can have plausible deniability is by using arbitrarily nested hidden volumes, like Rubberhose. For the rest of us who have no realistic reason to fear being kidnapped by secret agents, plain old LVM with a long passphrase will be good enough.

[ASmith]

Adding the optional provision of a external token file from a USB flash drive has multiple positive's.

1) Employees can be given a operation passphrase however lacking the USB based token file they cannot perform root access nor does the manager have to state what that supplementary passphrase is.

2) Unless the individual has a world class memory capable of accurately 100% memorising a string of 200+ non-related characters, figures and numbers that individual can honestly and ethically tell any goose stepping agent of a police state they do not know what that passphrase is.

3) Normally token supplemental passphrases are not openly displayed, simply read by the password seeking application. The small token file can be any compressed ZIP, TAR, MPEG, MP4, MP3 file and nested among literally hundreds if not thousands of decoys. The floor manager who is safekeeping the token file stored device need not know what the file nor supplemental passphrase is themselves, simply watch after and care take that USB device and supply it if a employe or worker needs it.

4) Token supplemental passphrases allows the end user to quickly and easily create a maximum length, extremely strong passphrase simply by allowing the reading of 1000+bits of a compressed file.

[BluegillFlyFisher]

+1

I love Mint, but not having encrypted LVM as an option in the installer is a real sore spot with me. I wouldn't care as much in desktop systems, maybe, since they aren't stolen nearly as much, but on a laptop, encryption is a must. All it would take is to offer an alternate installer version of Mint; it wouldn't even have to be in the graphical installer (but I think it should be).

[DrHu]

I would say you don't need encryption for applications or OS files, only your own data set, and encryption can prevent access to other partition data, if you do use multiple Linux installations..

I think that encryption or not; whole disk or your own data, should be a user-only choice not a force issue
--for example I notice that LMDE version installs crypt support and lvm already, whether or not I am using lvm or encryption..

[sf101]

I would say you don't need encryption for applications or OS files, only your own data set[...]

There are a few issues there.
The installed applications alone can give away more information than you might think. Furthermore, applications may put sensitive information in log files or temporary files outside the user's home directory, which would then be outside the encrypted region and thus, exposed.

I think that encryption or not; whole disk or your own data, should be a user-only choice not a force issue

Exactly, hence the topic is called

Add Option of Full Disk Encryption to all future Linux Mint

(emphasis by me)

[cb474]

Yes, please add the option for full disk encryption with lvm during install. I've been following the guides out there on how to do this and they don't work (perhaps they worked on older versions of Mint?).

It's especially egregious to have this missing in LMDE, given that it's based on Debian and Debian already has an installer that does this. I don't understand how Linux Mint can be the most popular distro and lack this basic feature.

Thanks to the developers for their consideration of this idea and hard work on Mint in general.

[canam101]

Yes, please add the option for full disk encryption with lvm during install.

I would like to see that too. The lack of full disk encryption is the one big thing that is missing in mint.

[powerhouse]

Yes, please add the option for full disk encryption with lvm during install.

I would like to see that too. The lack of full disk encryption is the one big thing that is missing in mint.

As I mentioned above, I too would like to see that as a feature of the installer. However, I have found a way to install LM13 (not LMDE, though it should work too) onto LVM. Essentially this procedure could be expanded with full disk encryption. There is also a tutorial on the forum that describes how to install LMDE with encryption onto LVM. For those looking for a way to accomplish that, look here:

http://forums.linuxmint.com/viewtopic.php?f=197&t=71159

http://forums.linuxmint.com/viewtopic.php?f=42&t=108442 - this is my tutorial on installing LM 13 Maya onto LVM. You could combine/adopt it with the above tutorial and include the encryption-specific instructions. The tutorial can also be adopted for UEFI boot, but that is a little more challenging because of buggy UEFI implementations in motherboard BIOSes and - my suspicion - a buggy grub2 1.99 UEFI implementation that leaves much to be desired. It seems that grub2 2.x is improving, at least according to reports on the ArchLinux forum.

Linux Mint is a great OS, and I really hope that this feature (together with better Xen support for VGA passthrough) will be supported soon.

[James R]

I agree having multiple layers of encryption would be nice. The first layer could be full disc encryption which will require one to enter a passphrase to decrypt the disc. The second layer of encryption could be optionally applied over directories, and the final layer could be applied over individual files. A fourth layer of security could be added by the system creating a system application which will list all logins by username and logintimes in a sortable/ user accessable manner.

[martensjd]

I just went back to ubuntu 12.04 for my laptop because there is simply no way I'm carrying a laptop around w/o encrypted LVMs. Encrypting the home directory is nice, but that's not the whole disk, and passwords typically have less entropy than passphrases.