SOLVED Feature Request: Custom Full Disk Encryption Option
Hello,
Can Linux Mint users soon expect an official option for a completely customized full disk encryption (FDE)? The only encrypted option presented by this installer is inflexible and thus not suitable for systems requiring that certain types of data be confined to specific volumes.
For example, Mint currently doesn't have an option to create separate /opt, /tmp and /var partitions using its encrypted setup scheme. Other distros, such as Debian, Red Hat and openSUSE do provide this flexibility. I know that Mint uses the Ubiquity installer which is limited in this respect, but would it not be possible to modify Ubiquity to allow for this? There are external scripts that seem to be well-tested and that might even be incorporated if appropriate. Or possibly offer the text-based Debian installer as an option in Mint? Ubuntu used to do the latter but for some reason decided to stop maintaining it. I found it very useful.
Last edited by Hank Drew on Fri Jul 13, 2018 6:26 pm, edited 1 time in total.
- catweazel
- Level 19
- Posts: 9763
- Joined: Fri Oct 12, 2012 9:44 pm
- Location: Australian Antarctic Territory
Re: Feature Request: Custom Full Disk Encryption Option
"There is, ultimately, only one truth -- cogito, ergo sum -- everything else is an assumption." - Me, my swansong.
Re: Feature Request: Custom Full Disk Encryption Option
This is a forum for suggestions, not put-downs. If you don't like a suggestion you are free to keep your opinion to yourself. So, what about everyone else? You imply that you speak for all, so tell me what the world thinks, little one.
- catweazel
Re: Feature Request: Custom Full Disk Encryption Option
First of all, it wasn't a put down, it's a valid question. Second, if your suggestion has no benefit to anyone other than yourself then it has a less than zero probability of being accepted. Third, I write only for myself. Fourth, you are way out of line. Keep your insults out of the forum.
Re: Feature Request: Custom Full Disk Encryption Option
The Linux Mint Project already provides for a level of full disk encryption during the installation,
and that is most likely all that will be provided by the Linux Mint Project itself.
Do keep in mind that the project is simply a subset of both the Debian and the Ubuntu projects,
and as such, most of these sorts of features are supplied from the upstream project(s).
You would be better served by making this suggestion within either of those projects.
Please edit your original post title to include [SOLVED] - when your problem is solved!
and DO LOOK at those Unanswered Topics - - you may be able to answer some!.
Re: Feature Request: Custom Full Disk Encryption Option
That's not how it works. You post on a public forum, you're going to get feedback. It's quite likely that not all of it will be positive; you'll have to learn to live with that.
Don't be rude to others here or your participation on this forum will be short-lived.
If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!
Re: Feature Request: Custom Full Disk Encryption Option
Moem wrote (Fri Jul 13, 2018 9:35 am):
> That's not how it works. You post on a public forum, you're going to get feedback. It's quite likely that not all of it will be positive; you'll have to learn to live with that.
> Don't be rude to others here or your participation on this forum will be short-lived.
But snark is acceptable. I get it. Okay fine.
Re: Feature Request: Custom Full Disk Encryption Option
catweazel wrote (Fri Jul 13, 2018 8:26 am):
> First of all, it wasn't a put down, it's a valid question. Second, if your suggestion has no benefit to anyone other than yourself then it has a less than zero probability of being accepted. Third, I write only for myself. Fourth, you are way out of line. Keep your insults out of the forum.
It's your snarkiness that's the issue. At any rate, Debian thinks it's important enough since they already have it.
Am I not entitled to voice my opinion without the "what about everyone else" garbage? Have a nice day, good sir. Our discourse is concluded.
Re: SOLVED Feature Request: Custom Full Disk Encryption Option
Asking other people what they think is not snark or garbage; neither is expressing that you personally do not support a certain suggestion. I recommend that you have your snarkmeter calibrated.
And if you feel that someone is being rude to you, don't respond in kind but alert the mods (there is a 'Report' button on every post).
See that message at the top about help, knowledge and fellowship? We strive to keep this forum friendly, and everyone can help with that.
Re: Feature Request: Custom Full Disk Encryption Option
I'm sorry if I had misunderstood you. In retrospect, I can see I probably over-reacted.
Trying to answer your question I can only say that, if the Mint devs see merit in the suggestion they might adopt it; if not then they won't. I think you might've taken that personal testimonial as indication of intense self-interest on my part. I can assure you that nothing could be further from the truth; by speaking for myself I was only trying to show that at least one person would like to see this feature in Mint, as it appears in so many other distros.
Anyway, I think this was just a case of seeing the words without actually hearing the weights assigned to them. I hope that all finds you well.
Re: SOLVED Feature Request: Custom Full Disk Encryption Option
Moem wrote (Sat Jul 14, 2018 3:20 am):
> Asking other people what they think is not snark or garbage; neither is expressing that you personally do not support a certain suggestion. I recommend that you have your snarkmeter calibrated.
> And if you feel that someone is being rude to you, don't respond in kind but alert the mods (there is a 'Report' button on every post).
> See that message at the top about help, knowledge and fellowship? We strive to keep this forum friendly, and everyone can help with that.
Yeah, it was a misunderstanding. You're correct in saying that responding to rudeness in kind isn't the appropriate response. I also think it's safe to assume that his intention wasn't to be rude in the first place, as I've already said to catweazel.
Re: SOLVED Feature Request: Custom Full Disk Encryption Option
Hi Hank,
If you do some searching on this forum there have been several discussions RE: encryption. Not just how but its use and value. There are lots of differing opinions and as you can imagine like certain body parts, everyone has one. BTW this applies to lots of areas like security, privacy and so on - bring up Bleachbit if you want to see all the differences of opinions on this forum.
Anyway back to encryption - here is a little story; my older brother is a retired NASA scientist (yep a rocket scientist) and a UNIX/CLI guru. He once shocked me by casually mentioning he forgot his Linux password so had to use a live CD to get back in and change it. Well, that made me decide on the next fresh install I would encrypt my entire HD. I was very proud of myself when I told my brother what I did. He was not impressed - first he told me my system was only encrypted when it was powered off and second the MBR was not encrypted so to really be secure I would have to physically move that to a USB drive that I kept on my person at all times. I got the impression he thought what I had done was silly although he did not actually say that. In the end I use an encrypted container where I keep all my TOP SECRET (as in personal stuff) data. My brother seems to think that's OK . . . . I think, at least he didn't shoot any holes in it. As you can see a pretty wide range of opinion - encrypting on a partition basis I suppose could be useful although I personally prefer the encrypted container approach.
- catweazel
Re: Feature Request: Custom Full Disk Encryption Option
Hank Drew wrote (Sat Jul 14, 2018 9:57 pm):
> I'm sorry if I had misunderstood you. In retrospect, I can see I probably over-reacted.
> Trying to answer your question I can only say that, if the Mint devs see merit in the suggestion they might adopt it; if not then they won't. I think you might've taken that personal testimonial as indication of intense self-interest on my part. I can assure you that nothing could be further from the truth; by speaking for myself I was only trying to show that at least one person would like to see this feature in Mint, as it appears in so many other distros.
> Anyway, I think this was just a case of seeing the words without actually hearing the weights assigned to them. I hope that all finds you well.
It's quite ok. The written word is always harder to interpret and is often subject to our assumptions.
Re: SOLVED Feature Request: Custom Full Disk Encryption Option
majpooper wrote (Sat Jul 14, 2018 10:25 pm):
> Hi Hank,
> If you do some searching on this forum there have been several discussions RE: encryption. Not just how but its use and value. There are lots of differing opinions and as you can imagine like certain body parts, everyone has one. BTW this applies to lots of areas like security, privacy and so on - bring up Bleachbit if you want to see all the differences of opinions on this forum.
> Anyway back to encryption - here is a little story; my older brother is a retired NASA scientist (yep a rocket scientist) and a UNIX/CLI guru. He once shocked me by casually mentioning he forgot his Linux password so had to use a live CD to get back in and change it. Well, that made me decide on the next fresh install I would encrypt my entire HD. I was very proud of myself when I told my brother what I did. He was not impressed - first he told me my system was only encrypted when it was powered off and second the MBR was not encrypted so to really be secure I would have to physically move that to a USB drive that I kept on my person at all times. I got the impression he thought what I had done was silly although he did not actually say that. In the end I use an encrypted container where I keep all my TOP SECRET (as in personal stuff) data. My brother seems to think that's OK . . . . I think, at least he didn't shoot any holes in it. As you can see a pretty wide range of opinion - encrypting on a partition basis I suppose could be useful although I personally prefer the encrypted container approach.
Full disk encryption has always been a bit of a sticking point with me. On the one hand, it's good to know my files are encrypted no matter which folder or volume they reside in; on the other hand, it has some definite weaknesses (even dangers) that limit its value in several situations. As you've pointed out, Linux requires that the MBR (or GPT) and boot partition both remain un-encrypted, leaving the boot code and kernel open to tampering. The false sense of security only makes matters worse. So while my OS and data partitions are encrypted, an attacker who gains access to my machine—even in the off state—can just use a boot CD to inject a keylogger (or whatever else) into the boot process via the un-encrypted partition. I realize there are scripts out there that allow for all partitions, including boot, to be encrypted on new Linux setups, but they're really quite cumbersome and aren't at all official. I can only see full disk encryption as one component in overall system security. And your experience reminds me of how fragile a component it really is. (A whole new can of worms gets opened should things get really borked.)
The best outcome would be a program similar to VeraCrypt or TrueCrypt that can effect true full disk encryption on Linux, as they already can on Windows systems. While it wouldn't solve all the problems you've mentioned, it would go a long way in both system security and ease of use. Maybe VeraCrypt will one day support true FDE on Linux... But I wouldn't hold my breath. At the end of the day your post reminds me of how limited Linux's idea of FDE is. Now I'm actually questioning the benefit-to-cost ratio of full disk encryption on Linux.
Re: SOLVED Feature Request: Custom Full Disk Encryption Option
majpooper wrote (Sat Jul 14, 2018 10:25 pm):
> Anyway back to encryption - here is a little story; my older brother is a retired NASA scientist (yep a rocket scientist) and a UNIX/CLI guru. He once shocked me by casually mentioning he forgot his Linux password so had to use a live CD to get back in and change it. Well, that made me decide on the next fresh install I would encrypt my entire HD. I was very proud of myself when I told my brother what I did. He was not impressed - first he told me my system was only encrypted when it was powered off and second the MBR was not encrypted so to really be secure I would have to physically move that to a USB drive that I kept on my person at all times. I got the impression he thought what I had done was silly although he did not actually say that. In the end I use an encrypted container where I keep all my TOP SECRET (as in personal stuff) data. My brother seems to think that's OK . . . . I think, at least he didn't shoot any holes in it. As you can see a pretty wide range of opinion - encrypting on a partition basis I suppose could be useful although I personally prefer the encrypted container approach.
Maybe your brother did not want to shoot some holes in your setup, or maybe he did not think about it. But when your system is not protected by encryption then it's very easy to boot from a USB stick and put some special software on your system; at the moment you decrypt your container with your TOP SECRET stuff that program can see it also... To protect your computer from intruders is very difficult, because there are so many ways to come into a computer. That's why I always encrypt my whole disk, because then they cannot modify or add files on your computer.
But thanks Officer for pointing me in the direction of the MBR problem!
Re: SOLVED Feature Request: Custom Full Disk Encryption Option
Hank Drew wrote (Sun Jul 15, 2018 1:31 pm):
> Full disk encryption has always been a bit of a sticking point with me. On the one hand, it's good to know my files are encrypted no matter which folder or volume they reside in; on the other hand, it has some definite weaknesses (even dangers) that limit its value in several situations. As you've pointed out, Linux requires that the MBR (or GPT) and boot partition both remain un-encrypted, leaving the boot code and kernel open to tampering. The false sense of security only makes matters worse. So while my OS and data partitions are encrypted, an attacker who gains access to my machine—even in the off state—can just use a boot CD to inject a keylogger (or whatever else) into the boot process via the un-encrypted partition. I realize there are scripts out there that allow for all partitions, including boot, to be encrypted on new Linux setups, but they're really quite cumbersome and aren't at all official. I can only see full disk encryption as one component in overall system security. And your experience reminds me of how fragile a component it really is. (A whole new can of worms gets opened should things get really borked.)
> The best outcome would be a program similar to VeraCrypt or TrueCrypt that can effect true full disk encryption on Linux, as they already can on Windows systems. While it wouldn't solve all the problems you've mentioned, it would go a long way in both system security and ease of use. Maybe VeraCrypt will one day support true FDE on Linux... But I wouldn't hold my breath. At the end of the day your post reminds me of how limited Linux's idea of FDE is. Now I'm actually questioning the benefit-to-cost ratio of full disk encryption on Linux.
Linux does not require that the boot partition remains un-encrypted, but I don't know about the MBR.
And I share your opinion that leaving the boot partition un-encrypted is a false sense of security.
I have used this setup for years and it works very well for me, maybe it's something for you?
viewtopic.php?t=198077
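A way to check the coverage this thread argues about, added here as an example (it is not code from any poster or from the Mint project): it walks `lsblk -J` output and reports, for each directory, which volume holds it and whether a dm-crypt layer sits beneath that volume. The device names and layout in `SAMPLE` are constructed, and the function names are this example's own.

```python
import json

# Constructed sample shaped like `lsblk -J -o NAME,TYPE,MOUNTPOINT` output:
# one LUKS partition holding LVM volumes, with /boot and /boot/efi outside it.
SAMPLE = json.loads("""
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot/efi"},
    {"name": "sda2", "type": "part", "mountpoint": "/boot"},
    {"name": "sda3", "type": "part", "mountpoint": null, "children": [
      {"name": "sda3_crypt", "type": "crypt", "mountpoint": null, "children": [
        {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
        {"name": "vg-var", "type": "lvm", "mountpoint": "/var"},
        {"name": "vg-swap", "type": "lvm", "mountpoint": "[SWAP]"}
      ]}
    ]}
  ]}
]}
""")


def collect_mounts(nodes, under_crypt=False, found=None):
    """Map mountpoint -> (device, True if a dm-crypt layer sits beneath it)."""
    found = {} if found is None else found
    for node in nodes:
        encrypted = under_crypt or node.get("type") == "crypt"
        if node.get("mountpoint"):
            found[node["mountpoint"]] = (node["name"], encrypted)
        collect_mounts(node.get("children") or [], encrypted, found)
    return found


def backing_mount(path, mounts):
    """Mountpoint that holds `path`: the longest mounted prefix, or None."""
    hits = [m for m in mounts if m.startswith("/")
            and (path == m or path.startswith(m.rstrip("/") + "/"))]
    return max(hits, key=len, default=None)


def audit(tree, paths=("/", "/boot", "/boot/efi", "/opt", "/tmp", "/var")):
    """For each path: which volume holds it, and is that volume encrypted?"""
    mounts = collect_mounts(tree["blockdevices"])
    report = {}
    for path in paths:
        mount = backing_mount(path, mounts)
        if mount is None:  # nothing from lsblk covers this path
            continue
        device, encrypted = mounts[mount]
        report[path] = {"mount": mount, "device": device,
                        "own_volume": mount == path, "encrypted": encrypted}
    return report


if __name__ == "__main__":
    # On a real machine, replace SAMPLE with the parsed output of:
    #   lsblk -J -o NAME,TYPE,MOUNTPOINT
    for path, info in audit(SAMPLE).items():
        state = "encrypted" if info["encrypted"] else "CLEARTEXT"
        shared = "" if info["own_volume"] else f" (on {info['mount']})"
        print(f"{path:10} {state:10} {info['device']}{shared}")
```

`lsblk` lists block devices only, so a `/tmp` mounted as tmpfs is reported here under the volume that holds its mountpoint.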