LVM + Full Disk Encryption - Priority ONE

kongming

LVM + Full Disk Encryption - Priority ONE

Post by kongming »

This is the HUGEST deal breaker about people deciding to install mint versions. LMDE or Ubuntu based ones...

Even the non polished DEBIAN has full disk encryption in install... Why still not here???
Stop all you are doing and put it now... priority one... All my friends refused mint cause of this.

If you work on it right NOW, in next release you will see a FLOOD of people running to mint.
Please, there are some topics on "how to" every one try to make this, people even install on virtual machines to transpose to the disk later, all complicated stuff... When a master in one afternoon can create a script to automate this process.
Plus, please make it with support to create stronger encryption keys... Like not just the 512 that we see, but 2048, or 4096 available to use in install. This is without doubt the priority number one because it is a deal breaker to install mint to a very large % of people...
bustard

Re: LVM + Full Disk Encryption - Priority ONE

Post by bustard »

kongming wrote:
This is the HUGEST deal breaker about people deciding to install mint versions. LMDE or Ubuntu based ones...

Even the non polished DEBIAN has full disk encryption in install... Why still not here???
Stop all you are doing and put it now... priority one... All my friends refused mint cause of this.

If you work on it right NOW, in next release you will see a FLOOD of people running to mint.
This post is right on target. I reluctantly went back today to ubuntu 12.04, reloading it from a backup using clonezilla, because it has full-disk encryption on it. I am not too technical, but I was able to install it using the alternate dvd.

Running mint with only /home encryption is uncomfortable; it is like locking the front door but leaving a window wide open. Mint would be my choice by a wide margin if only it had full-disk encryption.
dragon-dragon_dragon

Re: LVM + Full Disk Encryption - Priority ONE

Post by dragon-dragon_dragon »

Maybe you should mention your use-cases for this feature. Do you need full-disk encryption because people are taking your hard drive out and putting rootkits on your OS without you knowing about it? That would bug the hell out of me, not being sure whether someone was doing that or not. But isn't it better or just as good to put a password on your HDD so no one can unlock it? I'm going to check if that's the case cause I've been putting this off for way too long.

Edit: Apparently my way overpriced laptop can't drive lock =/ I store all my sensitive/private stuff in my home folder. As for my OS binaries, packages, and public stuff; I store that elsewhere on root and that makes me feel pretty safe.
bustard

Re: LVM + Full Disk Encryption - Priority ONE

Post by bustard »

dragon-dragon_dragon wrote:
Maybe you should mention your use-cases for this feature. Do you need full-disk encryption because people are taking your hard drive out and putting rootkits on your OS without you knowing about it? That would bug the hell out of me, not being sure whether someone was doing that or not. But isn't it better or just as good to put a password on your HDD so no one can unlock it?
Maybe I am missing something, but that is exactly what you get with full-disk encryption (unless HDD means '/home' and not 'Hard Drive Something or Other'): you need to enter a password to boot up the OS and see anything on the hard drive. Then you enter a password to log into your user account - unlock your home drive.

My use case is a desire for privacy and to make sure no one can see what is in / and not just to keep them out of /home. I do not know enough about the OS to know if bits of private stuff are mixed in with system files on /, or how well my activities can be inferred from the state of the files on /, but I don't feel like being in the position of having to wonder.
xenopeek
Level 25
Posts: 29588
Joined: Wed Jul 06, 2011 3:58 am

Re: LVM + Full Disk Encryption - Priority ONE

Post by xenopeek »

As (almost) full disk encryption is required by some companies to allow employees the use of Linux Mint on their workplace laptop, it might be a good idea just for that. Though AFAIK even with full disk encryption, /boot is still unencrypted (as the BIOS doesn't know how to load an encrypted boot). Unless you put /boot on a removable storage device, using it sort of like an ignition key for your computer, and keep that with you always, then you aren't fully secured against tampering (one would simply load a custom kernel with a backdoor or "phone home" agent, which would run as root).
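Added example (not part of xenopeek's post or of the original thread): one way to see which mountpoints actually sit on an encrypted layer, and so confirm that a "full disk" install still leaves /boot in plaintext. It walks the JSON that `lsblk -J -o NAME,TYPE,MOUNTPOINT` prints; the device names and layout in `SAMPLE_LSBLK` are constructed for illustration.

```python
import json

# Constructed sample in the shape of `lsblk -J -o NAME,TYPE,MOUNTPOINT`:
# an encrypted LVM install with a separate, unencrypted /boot partition.
SAMPLE_LSBLK = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "mountpoint": "/boot"},
        {"name": "sda2", "type": "part", "mountpoint": None, "children": [
            {"name": "sda2_crypt", "type": "crypt", "mountpoint": None,
             "children": [
                 {"name": "mint-root", "type": "lvm", "mountpoint": "/"},
                 {"name": "mint-swap", "type": "lvm", "mountpoint": "[SWAP]"},
             ]},
        ]},
    ]},
]})


def encryption_by_mountpoint(lsblk_json):
    """Map each mountpoint to True if a dm-crypt layer sits beneath it."""
    result = {}

    def walk(node, under_crypt):
        # lsblk reports dm-crypt mappings with TYPE "crypt"; everything
        # stacked on top of one (LVM volumes, filesystems) is encrypted.
        under_crypt = under_crypt or node.get("type") == "crypt"
        # Older lsblk emits "mountpoint"; newer ones emit a "mountpoints" list.
        mounts = node.get("mountpoints") or [node.get("mountpoint")]
        for mp in mounts:
            if mp:
                result[mp] = under_crypt
        for child in node.get("children", []):
            walk(child, under_crypt)

    for dev in json.loads(lsblk_json)["blockdevices"]:
        walk(dev, False)
    return result


def plaintext_mounts(lsblk_json):
    """Mountpoints readable (and writable) by anyone holding the disk."""
    by_mp = encryption_by_mountpoint(lsblk_json)
    return sorted(mp for mp, enc in by_mp.items() if not enc)


if __name__ == "__main__":
    for mp, enc in sorted(encryption_by_mountpoint(SAMPLE_LSBLK).items()):
        print(f"{mp:8} {'encrypted' if enc else 'PLAINTEXT'}")
```

File-level home encryption that does not use a dm-crypt block device will not appear as a `crypt` layer here, so this check only covers block-level encryption.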
jrw32982
Level 1
Posts: 45
Joined: Thu Dec 24, 2009 10:35 am

Re: LVM + Full Disk Encryption - Priority ONE

Post by jrw32982 »

Yes, yes, yes! Please add full-disk encryption to Linux Mint. I so want to try it, but this is indeed a deal breaker. And I'm not really in love with using a workaround in order to get it installed with full disk encryption -- I'd like it to be in the actual distribution.
Orbmiser

Re: LVM + Full Disk Encryption - Priority ONE

Post by Orbmiser »

bustard wrote:
My use case is a desire for privacy and to make sure no one can see what is in / and not just to keep them out of /home. I do not know enough about the OS to know if bits of private stuff are mixed in with system files on /, or how well my activities can be inferred from the state of the files on /, but I don't feel like being in the position of having to wonder.
Well there is always the option to add a password in Bios.
Then they wouldn't even be able to boot up. Or Boot up using a usb key or CD.

As to "I do not know enough about the OS to know if bits of private stuff are mixed in with system files on /, or how well my activities can be inferred from the state of the files on /"

I would think it has more to do with the operator's responsibility to learn about the OS they are using. Users' knowledge goes a long way in protecting their data. And helps them make informed decisions of what are the best tools and methods to use to protect themselves.

Tho agree that full Disk encryption is a natural progression that should be included.
hal8000
Level 4
Posts: 436
Joined: Sun May 04, 2008 2:04 pm
Location: UK

Re: LVM + Full Disk Encryption - Priority ONE

Post by hal8000 »

Although I agree encryption should be added to Mint, the choice just needs to be added to the manual partition screen (as on Ubuntu).

This way you choose whether to encrypt /, /home or any other partition.
Again the LVM option should be a choice and not standard. If you want to try LVM you can try Fedora; the disadvantage of LVM is that all partitions are merged into one logical volume group, and I prefer to know where each of my partitions lies.

The disadvantage of encryption is that file access and deletions are slower.

Bear in mind also, that there are 83 linux filesystems, none of which can be read on Windows computers, which offers a modest amount of security.
guimaster

Re: LVM + Full Disk Encryption - Priority ONE

Post by guimaster »

Will Mint 15 have a Full Disk Encryption option? LMDE likely won't anytime soon, sadly. But does 15 have it?
guimaster

Re: LVM + Full Disk Encryption - Priority ONE

Post by guimaster »

Orbmiser wrote:
Well there is always the option to add a password in Bios.
Then they wouldn't even be able to boot up. Or Boot up using a usb key or CD.
A password in the Bios will prevent boot up to the hard drive, but does it prevent boot to CD? (You'd have to be able to disable that boot option, and I don't know if that can be done. F12 is always available). What if someone pulls the hard drive out physically?
hal8000
Level 4
Posts: 436
Joined: Sun May 04, 2008 2:04 pm
Location: UK

Re: LVM + Full Disk Encryption - Priority ONE

Post by hal8000 »

guimaster wrote:
Orbmiser wrote:
Well there is always the option to add a password in Bios.
Then they wouldn't even be able to boot up. Or Boot up using a usb key or CD.
A password in the Bios will prevent boot up to the hard drive, but does it prevent boot to CD? (You'd have to be able to disable that boot option, and I don't know if that can be done. F12 is always available). What if someone pulls the hard drive out physically?
On my HP laptop, I have set a BIOS password. This does disable all booting, including CD/DVD boot.
However there is no password or encryption on the hard drive, so if the hard drive was removed it could be read on another linux system provided someone mounted the drive with the correct file system.
I'm bravely trying the new experimental btrfs and so far it's pretty good, no problems.
guimaster

Re: LVM + Full Disk Encryption - Priority ONE

Post by guimaster »

I installed Mint 15 RC today with Cinnamon. The Full Disk Encryption worked... fairly well. Instead of choosing Ext4 for your file system, you choose to set / as an encrypted partition. Unfortunately from there you can't further partition that encrypted partition, so all you can choose is /. Consequently I have no Swap partition. I doubt I need it anyway as I don't push Linux too hard. If I wasn't dual booting with Windows the default full disk encryption option would have given me a swap partition.
oldnewboy

Re: LVM + Full Disk Encryption - Priority ONE

Post by oldnewboy »

kongming wrote:
This is the HUGEST deal breaker about people deciding to install mint versions. LMDE or Ubuntu based ones...

Even the non polished DEBIAN has full disk encryption in install... Why still not here???
Stop all you are doing and put it now... priority one... All my friends refused mint cause of this.

If you work on it right NOW, in next release you will see a FLOOD of people running to mint.
Please, there are some topics on "how to" every one try to make this, people even install on virtual machines to transpose to the disk later, all complicated stuff... When a master in one afternoon can create a script to automate this process.
Plus, please make it with support to create stronger encryption keys... Like not just the 512 that we see, but 2048, or 4096 available to use in install. This is without doubt the priority number one because it is a deal breaker to install mint to a very large % of people...
I concur, as this is THE ONE and ONLY reason that I'm not using LMDE (or any other version of Linux Mint for that matter). Full disk encryption is simply a requirement for my laptop in case of theft or loss. I simply do not want to risk my personal or business information falling into the wrong hands. This also applies to several friends of mine.
phill1978

Re: LVM + Full Disk Encryption - Priority ONE

Post by phill1978 »

I can also add that this is an important feature. :D :D :D

Why? Well, I would ask the question: Why not?

I can't see any reason other than the user error of forgetting the password after an initial install, but after typing it many times on boot I'm sure that's a very small issue.


I have some points:

. People say that you can still remove the disc. Well yea, but isn't that the point of whole disc encryption :lol:
. Secondly the backdoors people talk of, name one please? If your disc is 2048bit two fish encrypted that's going to be hard isn't it? Simply mounting this disc on another machine won't give you access.. and if it does then well that's just stupid.
. Bios talk about passwords seems moot also because even if you put it in the new machine or the same machine don't you need a password as above ^

I have some recommendations:

. Options for 512,2048,4096 with AES or Two Fish (AES has a possible reverse hack I read)
. Simple (but read nice) password menu system (read robust) to boot the computer
. A message on install that tells people what the relative performance impact would be as a percentage or just some advice. Encryption does not come without a price.

I have some questions:

. With full disc encryption is the disc 'contained' and therefore inside the container (other than the encrypted home folders) is performance running as unencrypted (if that makes sense) so once the drive is mounted and running with the password entered is the disc in an 'open' state and therefore performance is exactly or nigh on exactly the same as when not encrypted?

Sorry if that sounds ^ dumb. The reason is, I would like a disc 'lock' with encryption but like to run steam games (some need to call the SSD / HDD HARD when loading games !!) if the performance goes from 125MBPS to 45-65MBPS (and much more for smaller files) and affects CPU resources then it's off the list for me.

. What's the difference between adding encryption on installation and running Truecrypt whole disc encryption? Seems identical. Is it just a nice convenience for users to have it on the install menu or does truecrypt hit performance more?

. Presumably you don't need a login to your computer with full disc encryption, just encrypted home folders (in case of internal network penetration from the internet / malware / virus / spyware etc..) because the encryption is so hot that once you entered a boot password you're contained within that session (if that makes sense)? Obviously you still need a username but that's just for shares n stuff


Sorry for the long post ^^ but I agree it's a key feature. Just make sure once it's added you never update and break the service otherwise a lot of people are going to be pissed
guimaster

Re: LVM + Full Disk Encryption - Priority ONE

Post by guimaster »

TrueCrypt doesn't support Full Disk Encryption in Linux.
schelehond

Re: LVM + Full Disk Encryption - Priority ONE

Post by schelehond »

Installed LM15 last weekend with FDE. Killed my ASUS factory recovery partition as expected so no harm done.

But one big side note that took me 4 reinstalls before I realized it: selecting the keyboard layout is a choice AFTER selecting the FDE password. 4 times I installed and got a "bad password" error message while typing my password even though I was SO sure it was the correct one.

Not a problem for default Qwerty users. I am not however, so I had to type the password I wanted while imagining I was using a Qwerty keyboard and after that everything worked flawlessly. Not even experiencing any performance drop or loss in battery life. Which doesn't mean it isn't there, but I don't notice it.