SOLVED Feature Request: Custom Full Disk Encryption Option

Hank Drew

SOLVED Feature Request: Custom Full Disk Encryption Option

Post by Hank Drew »

Hello,
Can Linux Mint users soon expect an official option for a completely customized full disk encryption (FDE)? The only encrypted option presented by this installer is inflexible and thus not suitable for systems requiring that certain types of data be confined to specific volumes.
For example, Mint currently doesn't have an option to create separate /opt, /tmp and /var partitions using its encrypted setup scheme. Other distros, such as Debian, Red Hat and openSUSE do provide this flexibility. I know that Mint uses the Ubiquity installer which is limited in this respect, but would it not be possible to modify Ubiquity to allow for this? There are external scripts that seem to be well-tested and that might even be incorporated if appropriate. Or possibly offer the text-based Debian installer as an option in Mint? Ubuntu used to do the latter but for some reason decided to stop maintaining it. I found it very useful.
Last edited by Hank Drew on Fri Jul 13, 2018 6:26 pm, edited 1 time in total.
catweazel
Level 19
Posts: 9763
Joined: Fri Oct 12, 2012 9:44 pm
Location: Australian Antarctic Territory

Re: Feature Request: Custom Full Disk Encryption Option

Post by catweazel »

Hank Drew wrote: Thu Jul 12, 2018 4:45 pm I found it very useful.
-1

What about everyone else?
"There is, ultimately, only one truth -- cogito, ergo sum -- everything else is an assumption." - Me, my swansong.
Hank Drew

Re: Feature Request: Custom Full Disk Encryption Option

Post by Hank Drew »

catweazel wrote: Fri Jul 13, 2018 2:21 am
Hank Drew wrote: Thu Jul 12, 2018 4:45 pm I found it very useful.
-1

What about everyone else?
This is a forum for suggestions, not put-downs. If you don't like a suggestion you are free to keep your opinion to yourself. So, what about everyone else? You imply that you speak for all, so tell me what the world thinks, little one.
catweazel
Level 19
Posts: 9763
Joined: Fri Oct 12, 2012 9:44 pm
Location: Australian Antarctic Territory

Re: Feature Request: Custom Full Disk Encryption Option

Post by catweazel »

Hank Drew wrote: Fri Jul 13, 2018 8:11 am
catweazel wrote: Fri Jul 13, 2018 2:21 am
Hank Drew wrote: Thu Jul 12, 2018 4:45 pm I found it very useful.
-1

What about everyone else?
This is a forum for suggestions, not put-downs. If you don't like a suggestion you are free to keep your opinion to yourself. So, what about everyone else? You imply that you speak for all, so tell me what the world thinks, little one.
First of all, it wasn't a put down, it's a valid question. Second, if your suggestion has no benefit to anyone other than yourself then it has a less than zero probability of being accepted. Third, I write only for myself. Fourth, you are way out of line. Keep your insults out of the forum.
Pierre
Level 21
Posts: 13192
Joined: Fri Sep 05, 2008 5:33 am
Location: Perth, AU.

Re: Feature Request: Custom Full Disk Encryption Option

Post by Pierre »

The LinuxMint Project already provides for a level of Full Disk Encryption during the installation,
and that is most likely all that will be provided by the LinuxMint Project itself.

Do keep in mind that the project is simply a subset of both the Debian and the Ubuntu Projects,
and as such, most of these sorts of features are supplied from the upstream project(s).

You would be better served by making this suggestion within either of those projects.
Please edit your original post title to include [SOLVED] - when your problem is solved!
and DO LOOK at those Unanswered Topics - - you may be able to answer some!.
Moem
Level 22
Posts: 16226
Joined: Tue Nov 17, 2015 9:14 am
Location: The Netherlands

Re: Feature Request: Custom Full Disk Encryption Option

Post by Moem »

Hank Drew wrote: Fri Jul 13, 2018 8:11 am This is a forum for suggestions, not put-downs. If you don't like a suggestion you are free to keep your opinion to yourself.
That's not how it works. You post on a public forum, you're going to get feedback. It's quite likely that not all of it will be positive; you'll have to learn to live with that.
Don't be rude to others here or your participation on this forum will be short-lived.
If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!
Hank Drew

Re: Feature Request: Custom Full Disk Encryption Option

Post by Hank Drew »

Moem wrote: Fri Jul 13, 2018 9:35 am
Hank Drew wrote: Fri Jul 13, 2018 8:11 am This is a forum for suggestions, not put-downs. If you don't like a suggestion you are free to keep your opinion to yourself.
That's not how it works. You post on a public forum, you're going to get feedback. It's quite likely that not all of it will be positive; you'll have to learn to live with that.
Don't be rude to others here or your participation on this forum will be short-lived.
But snark is acceptable. I get it. Okay fine.
Hank Drew

Re: Feature Request: Custom Full Disk Encryption Option

Post by Hank Drew »

catweazel wrote: Fri Jul 13, 2018 8:26 am
Hank Drew wrote: Fri Jul 13, 2018 8:11 am
catweazel wrote: Fri Jul 13, 2018 2:21 am

-1

What about everyone else?
This is a forum for suggestions, not put-downs. If you don't like a suggestion you are free to keep your opinion to yourself. So, what about everyone else? You imply that you speak for all, so tell me what the world thinks, little one.
First of all, it wasn't a put down, it's a valid question. Second, if your suggestion has no benefit to anyone other than yourself then it has a less than zero probability of being accepted. Third, I write only for myself. Fourth, you are way out of line. Keep your insults out of the forum.
It's your snarkiness that's the issue. At any rate, Debian thinks it's important enough since they already have it.
Am I not entitled to voice my opinion without the "what about everyone else" garbage? Have a nice day, good sir. Our discourse is concluded.
Moem
Level 22
Posts: 16226
Joined: Tue Nov 17, 2015 9:14 am
Location: The Netherlands

Re: SOLVED Feature Request: Custom Full Disk Encryption Option

Post by Moem »

Asking other people what they think is not snark or garbage; neither is expressing that you personally do not support a certain suggestion. I recommend that you have your snarkmeter calibrated.
And if you feel that someone is being rude to you, don't respond in kind but alert the mods (there is a 'Report' button on every post).
See that message at the top about help, knowledge and fellowship? We strive to keep this forum friendly, and everyone can help with that.
Hank Drew

Re: Feature Request: Custom Full Disk Encryption Option

Post by Hank Drew »

catweazel wrote: Fri Jul 13, 2018 2:21 am
Hank Drew wrote: Thu Jul 12, 2018 4:45 pm I found it very useful.
-1

What about everyone else?
I'm sorry if I had misunderstood you. In retrospect, I can see I probably over-reacted.
Trying to answer your question I can only say that, if the Mint devs see merit in the suggestion they might adopt it; if not then they won't. I think you might've taken that personal testimonial as indication of intense self-interest on my part. I can assure you that nothing could be further from the truth; by speaking for myself I was only trying to show that at least one person would like to see this feature in Mint, as it appears in so many other distros.
Anyway, I think this was just a case of seeing the words without actually hearing the weights assigned to them. I hope that all finds you well.
Hank Drew

Re: SOLVED Feature Request: Custom Full Disk Encryption Option

Post by Hank Drew »

Moem wrote: Sat Jul 14, 2018 3:20 am Asking other people what they think is not snark or garbage; neither is expressing that you personally do not support a certain suggestion. I recommend that you have your snarkmeter calibrated.
And if you feel that someone is being rude to you, don't respond in kind but alert the mods (there is a 'Report' button on every post).
See that message at the top about help, knowledge and fellowship? We strive to keep this forum friendly, and everyone can help with that.
Yeah, it was a misunderstanding. You're correct in saying that responding to rudeness in kind isn't the appropriate response. I also think it's safe to assume that his intention wasn't to be rude in the first place, as I've already said to catweazel.
majpooper
Level 8
Posts: 2084
Joined: Thu May 09, 2013 1:56 pm
Location: North Carolina, USA

Re: SOLVED Feature Request: Custom Full Disk Encryption Option

Post by majpooper »

Hi Hank,

If you do some searching on this forum there have been several discussions RE: encryption. Not just how but its use and value. There are lots of differing opinions and as you can imagine like certain body parts, everyone has one. BTW this applies to lots of areas like security, privacy and so on - bring up Bleachbit if you want to see all the differences of opinions on this forum.

Anyway back to encryption - here is a little story; my older brother is a retired NASA scientist (yep a rocket scientist) and a UNIX/CLI guru. He once shocked me by casually mentioning he forgot his linux password so had to use a live CD to get back in and change it. Well, that made me decide on the next fresh install I would encrypt my entire HD. I was very proud of myself when I told my brother what I did. He was not impressed - first he told me my system was only encrypted when it was powered off and second the MBR was not encrypted so to really be secure I would have to physically move that to a USB drive that I kept on my person at all times. I got the impression he thought what I had done was silly although he did not actually say that. In the end I use an encrypted container where I keep all my TOP SECRET (as in personal stuff) data. My brother seems to think that's OK . . . . I think, at least he didn't shoot any holes in it. As you can see a pretty wide range of opinion - encrypting on a partition basis I suppose could be useful although I personally prefer the encrypted container approach.
catweazel
Level 19
Posts: 9763
Joined: Fri Oct 12, 2012 9:44 pm
Location: Australian Antarctic Territory

Re: Feature Request: Custom Full Disk Encryption Option

Post by catweazel »

Hank Drew wrote: Sat Jul 14, 2018 9:57 pm
catweazel wrote: Fri Jul 13, 2018 2:21 am
Hank Drew wrote: Thu Jul 12, 2018 4:45 pm I found it very useful.
-1

What about everyone else?
I'm sorry if I had misunderstood you. In retrospect, I can see I probably over-reacted.
Trying to answer your question I can only say that, if the Mint devs see merit in the suggestion they might adopt it; if not then they won't. I think you might've taken that personal testimonial as indication of intense self-interest on my part. I can assure you that nothing could be further from the truth; by speaking for myself I was only trying to show that at least one person would like to see this feature in Mint, as it appears in so many other distros.
Anyway, I think this was just a case of seeing the words without actually hearing the weights assigned to them. I hope that all finds you well.
It's quite ok. The written word is always harder to interpret and is often subject to our assumptions.
Hank Drew

Re: SOLVED Feature Request: Custom Full Disk Encryption Option

Post by Hank Drew »

majpooper wrote: Sat Jul 14, 2018 10:25 pm Hi Hank,

If you do some searching on this forum there have been several discussions RE: encryption. Not just how but its use and value. There are lots of differing opinions and as you can imagine like certain body parts, everyone has one. BTW this applies to lots of areas like security, privacy and so on - bring up Bleachbit if you want to see all the differences of opinions on this forum.

Anyway back to encryption - here is a little story; my older brother is a retired NASA scientist (yep a rocket scientist) and a UNIX/CLI guru. He once shocked me by casually mentioning he forgot his linux password so had to use a live CD to get back in and change it. Well, that made me decide on the next fresh install I would encrypt my entire HD. I was very proud of myself when I told my brother what I did. He was not impressed - first he told me my system was only encrypted when it was powered off and second the MBR was not encrypted so to really be secure I would have to physically move that to a USB drive that I kept on my person at all times. I got the impression he thought what I had done was silly although he did not actually say that. In the end I use an encrypted container where I keep all my TOP SECRET (as in personal stuff) data. My brother seems to think that's OK . . . . I think, at least he didn't shoot any holes in it. As you can see a pretty wide range of opinion - encrypting on a partition basis I suppose could be useful although I personally prefer the encrypted container approach.
Full disk encryption has always been a bit of a sticking point with me. On the one hand, it's good to know my files are encrypted no matter which folder or volume they reside in; on the other hand, it has some definite weaknesses (even dangers) that limit its value in several situations. As you've pointed out, Linux requires that the MBR (or GPT) and boot partition both remain un-encrypted, leaving the boot code and kernel open to tampering. The false sense of security only makes matters worse. So while my OS and data partitions are encrypted, an attacker who gains access to my machine—even in the off state—can just use a boot CD to inject a keylogger (or whatever else) into the boot process via the un-encrypted partition. I realize there are scripts out there that allow for all partitions, including boot, to be encrypted on new Linux setups, but they're really quite cumbersome and aren't at all official. I can only see full disk encryption as one component in overall system security. And your experience reminds me of how fragile a component it really is. (A whole new can of worms gets opened should things get really borked.)
The best outcome would be a program similar to VeraCrypt or TrueCrypt that can effect true full disk encryption on Linux, as they already can on Windows systems. While it wouldn't solve all the problems you've mentioned, it would go a long way in both system security and ease of use. Maybe VeraCrypt will one day support true FDE on Linux...But I wouldn't hold my breath. At the end of the day your post reminds me of how limited Linux's idea of FDE is. Now I'm actually questioning the benefit-to-cost ratio of full disk encryption on Linux.
RobertoR

Re: SOLVED Feature Request: Custom Full Disk Encryption Option

Post by RobertoR »

majpooper wrote: Sat Jul 14, 2018 10:25 pm
Anyway back to encryption - here is a little story; my older brother is a retired NASA scientist (yep a rocket scientist) and a UNIX/CLI guru. He once shocked me by casually mentioning he forgot his linux password so had to use a live CD to get back in and change it. Well, that made me decide on the next fresh install I would encrypt my entire HD. I was very proud of myself when I told my brother what I did. He was not impressed - first he told me my system was only encrypted when it was powered off and second the MBR was not encrypted so to really be secure I would have to physically move that to a USB drive that I kept on my person at all times. I got the impression he thought what I had done was silly although he did not actually say that. In the end I use an encrypted container where I keep all my TOP SECRET (as in personal stuff) data. My brother seems to think that's OK . . . . I think, at least he didn't shoot any holes in it. As you can see a pretty wide range of opinion - encrypting on a partition basis I suppose could be useful although I personally prefer the encrypted container approach.
Maybe your brother did not want to shoot some holes in your setup, or maybe he did not think about it. But when your system is not protected by encryption then it's very easy to boot from a USB stick and put some special software on your system, at the moment you decrypt your container with your TOP SECRET stuff that program can see it also... To protect your computer from intruders is very difficult, because there are so many ways to come into a computer. That's why I always encrypt my whole disk, because then they cannot modify or add files on your computer.

But thanks Officer for pointing me in the direction of the MBR problem!
RobertoR

Re: SOLVED Feature Request: Custom Full Disk Encryption Option

Post by RobertoR »

Hank Drew wrote: Sun Jul 15, 2018 1:31 pm Full disk encryption has always been a bit of a sticking point with me. On the one hand, it's good to know my files are encrypted no matter which folder or volume they reside in; on the other hand, it has some definite weaknesses (even dangers) that limit its value in several situations. As you've pointed out, Linux requires that the MBR (or GPT) and boot partition both remain un-encrypted, leaving the boot code and kernel open to tampering. The false sense of security only makes matters worse. So while my OS and data partitions are encrypted, an attacker who gains access to my machine—even in the off state—can just use a boot CD to inject a keylogger (or whatever else) into the boot process via the un-encrypted partition. I realize there are scripts out there that allow for all partitions, including boot, to be encrypted on new Linux setups, but they're really quite cumbersome and aren't at all official. I can only see full disk encryption as one component in overall system security. And your experience reminds me of how fragile a component it really is. (A whole new can of worms gets opened should things get really borked.)
The best outcome would be a program similar to VeraCrypt or TrueCrypt that can effect true full disk encryption on Linux, as they already can on Windows systems. While it wouldn't solve all the problems you've mentioned, it would go a long way in both system security and ease of use. Maybe VeraCrypt will one day support true FDE on Linux...But I wouldn't hold my breath. At the end of the day your post reminds me of how limited Linux's idea of FDE is. Now I'm actually questioning the benefit-to-cost ratio of full disk encryption on Linux.
Linux does not require that the boot partition remains un-encrypted, but I don't know about the MBR.
And I share your opinion that leaving the boot partition un-encrypted is a false sense of security.
I have used this setup for years and it works very well for me, maybe it's something for you?
viewtopic.php?t=198077
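
An added example, not part of any post in this thread: a small audit that reads the device tree printed by `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` and reports which mountpoints sit on a dm-crypt mapping and which are cleartext, the gap the posts above argue about for /boot. The embedded sample is constructed; the layout (LVM on LUKS with separate /var, /tmp and /opt volumes, a cleartext /boot and a stray cleartext /srv) and all device names are assumptions.

```python
import json
import subprocess
import sys

# Constructed sample in the shape printed by `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT`.
# Assumed layout: cleartext /boot, one LUKS partition holding LVM volumes, and a
# stray cleartext data partition (/srv) to show what the check catches.
SAMPLE = """
{"blockdevices": [
 {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
  {"name": "sda1", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
  {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
   {"name": "sda2_crypt", "type": "crypt", "fstype": "LVM2_member", "mountpoint": null, "children": [
    {"name": "vg-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"},
    {"name": "vg-var", "type": "lvm", "fstype": "ext4", "mountpoint": "/var"},
    {"name": "vg-tmp", "type": "lvm", "fstype": "ext4", "mountpoint": "/tmp"},
    {"name": "vg-opt", "type": "lvm", "fstype": "ext4", "mountpoint": "/opt"},
    {"name": "vg-swap", "type": "lvm", "fstype": "swap", "mountpoint": "[SWAP]"}
   ]}
  ]},
  {"name": "sda3", "type": "part", "fstype": "ext4", "mountpoint": "/srv"}
 ]}
]}
"""

def load_sample():
    """Parse the constructed sample tree."""
    return json.loads(SAMPLE)

def load_live():
    """Read the real device tree from lsblk on the machine being audited."""
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
                         capture_output=True, text=True, check=True).stdout
    return json.loads(out)

def classify(tree):
    """Return {mountpoint: True if some ancestor device is a dm-crypt mapping}."""
    result = {}
    def walk(node, under_crypt):
        under_crypt = under_crypt or node.get("type") == "crypt"
        mountpoint = node.get("mountpoint")
        if mountpoint:
            result[mountpoint] = under_crypt
        for child in node.get("children") or []:
            walk(child, under_crypt)
    for device in tree["blockdevices"]:
        walk(device, False)
    return result

def cleartext_mounts(tree):
    """Mountpoints whose backing device is not below any crypt mapping."""
    return sorted(mp for mp, enc in classify(tree).items() if not enc)

if __name__ == "__main__":
    tree = load_live() if "--live" in sys.argv else load_sample()
    for mp, enc in sorted(classify(tree).items()):
        print(f"{'encrypted' if enc else 'CLEARTEXT':9}  {mp}")
    print("not covered by encryption:", ", ".join(cleartext_mounts(tree)) or "none")
```

The check only covers mounted filesystems and swap; boot code that lives outside any filesystem, such as the MBR mentioned in the thread, does not appear in this tree.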