
SOLVED Feature Request: Custom Full Disk Encryption Option

Posted: Thu Jul 12, 2018 4:45 pm
by Hank Drew
Hello,
Can Linux Mint users soon expect an official option for a completely customized full disk encryption (FDE)? The only encrypted option presented by this installer is inflexible and thus not suitable for systems requiring that certain types of data be confined to specific volumes.
For example, Mint currently doesn't have an option to create separate /opt, /tmp and /var partitions using its encrypted setup scheme. Other distros, such as Debian, Red Hat and openSUSE do provide this flexibility. I know that Mint uses the Ubiquity installer which is limited in this respect, but would it not be possible to modify Ubiquity to allow for this? There are external scripts that seem to be well-tested and that might even be incorporated if appropriate. Or possibly offer the text-based Debian installer as an option in Mint? Ubuntu used to do the latter but for some reason decided to stop maintaining it. I found it very useful.

Re: Feature Request: Custom Full Disk Encryption Option

Posted: Fri Jul 13, 2018 2:21 am
by catweazel
Hank Drew wrote:
Thu Jul 12, 2018 4:45 pm
I found it very useful.
-1

What about everyone else?

Re: Feature Request: Custom Full Disk Encryption Option

Posted: Fri Jul 13, 2018 8:11 am
by Hank Drew
catweazel wrote:
Fri Jul 13, 2018 2:21 am
Hank Drew wrote:
Thu Jul 12, 2018 4:45 pm
I found it very useful.
-1

What about everyone else?
This is a forum for suggestions, not put-downs. If you don't like a suggestion you are free to keep your opinion to yourself. So, what about everyone else? You imply that you speak for all, so tell me what the world thinks, little one.

Re: Feature Request: Custom Full Disk Encryption Option

Posted: Fri Jul 13, 2018 8:26 am
by catweazel
Hank Drew wrote:
Fri Jul 13, 2018 8:11 am
catweazel wrote:
Fri Jul 13, 2018 2:21 am
Hank Drew wrote:
Thu Jul 12, 2018 4:45 pm
I found it very useful.
-1

What about everyone else?
This is a forum for suggestions, not put-downs. If you don't like a suggestion you are free to keep your opinion to yourself. So, what about everyone else? You imply that you speak for all, so tell me what the world thinks, little one.
First of all, it wasn't a put down, it's a valid question. Second, if your suggestion has no benefit to anyone other than yourself then it has a less than zero probability of being accepted. Third, I write only for myself. Fourth, you are way out of line. Keep your insults out of the forum.

Re: Feature Request: Custom Full Disk Encryption Option

Posted: Fri Jul 13, 2018 8:40 am
by Pierre
The LinuxMint Project already provides for a Level of Full Disk Encryption during the Installation,
and that is most likely all that will be provided by the LinuxMint Project itself.

Do keep in mind that the project is simply a subset of both the Debian and the Ubuntu Projects,
and as such, most of these sort of Features are supplied from the upstream Project(s).

You would be better served by making this suggestion within either of those projects.

Re: Feature Request: Custom Full Disk Encryption Option

Posted: Fri Jul 13, 2018 9:35 am
by Moem
Hank Drew wrote:
Fri Jul 13, 2018 8:11 am
This is a forum for suggestions, not put-downs. If you don't like a suggestion you are free to keep your opinion to yourself.
That's not how it works. You post on a public forum, you're going to get feedback. It's quite likely that not all of it will be positive; you'll have to learn to live with that.
Don't be rude to others here or your participation on this forum will be short-lived.

Re: Feature Request: Custom Full Disk Encryption Option

Posted: Fri Jul 13, 2018 6:21 pm
by Hank Drew
Moem wrote:
Fri Jul 13, 2018 9:35 am
Hank Drew wrote:
Fri Jul 13, 2018 8:11 am
This is a forum for suggestions, not put-downs. If you don't like a suggestion you are free to keep your opinion to yourself.
That's not how it works. You post on a public forum, you're going to get feedback. It's quite likely that not all of it will be positive; you'll have to learn to live with that.
Don't be rude to others here or your participation on this forum will be short-lived.
But snark is acceptable. I get it. Okay fine.

Re: Feature Request: Custom Full Disk Encryption Option

Posted: Fri Jul 13, 2018 6:24 pm
by Hank Drew
catweazel wrote:
Fri Jul 13, 2018 8:26 am
Hank Drew wrote:
Fri Jul 13, 2018 8:11 am
catweazel wrote:
Fri Jul 13, 2018 2:21 am


-1

What about everyone else?
This is a forum for suggestions, not put-downs. If you don't like a suggestion you are free to keep your opinion to yourself. So, what about everyone else? You imply that you speak for all, so tell me what the world thinks, little one.
First of all, it wasn't a put down, it's a valid question. Second, if your suggestion has no benefit to anyone other than yourself then it has a less than zero probability of being accepted. Third, I write only for myself. Fourth, you are way out of line. Keep your insults out of the forum.
It's your snarkiness that's the issue. At any rate, Debian thinks it's important enough since they already have it.
Am I not entitled to voice my opinion without the "what about everyone else" garbage? Have a nice day, good sir. Our discourse is concluded.

Re: SOLVED Feature Request: Custom Full Disk Encryption Option

Posted: Sat Jul 14, 2018 3:20 am
by Moem
Asking other people what they think is not snark or garbage; neither is expressing that you personally do not support a certain suggestion. I recommend that you have your snarkmeter calibrated.
And if you feel that someone is being rude to you, don't respond in kind but alert the mods (there is a 'Report' button on every post).
See that message at the top about help, knowledge and fellowship? We strive to keep this forum friendly, and everyone can help with that.

Re: Feature Request: Custom Full Disk Encryption Option

Posted: Sat Jul 14, 2018 9:57 pm
by Hank Drew
catweazel wrote:
Fri Jul 13, 2018 2:21 am
Hank Drew wrote:
Thu Jul 12, 2018 4:45 pm
I found it very useful.
-1

What about everyone else?
I'm sorry if I had misunderstood you. In retrospect, I can see I probably over-reacted.
Trying to answer your question I can only say that, if the Mint devs see merit in the suggestion they might adopt it; if not then they won't. I think you might've taken that personal testimonial as indication of intense self-interest on my part. I can assure you that nothing could be further from the truth; by speaking for myself I was only trying to show that at least one person would like to see this feature in Mint, as it appears in so many other distros.
Anyway, I think this was just a case of seeing the words without actually hearing the weights assigned to them. I hope that all finds you well.

Re: SOLVED Feature Request: Custom Full Disk Encryption Option

Posted: Sat Jul 14, 2018 10:00 pm
by Hank Drew
Moem wrote:
Sat Jul 14, 2018 3:20 am
Asking other people what they think is not snark or garbage; neither is expressing that you personally do not support a certain suggestion. I recommend that you have your snarkmeter calibrated.
And if you feel that someone is being rude to you, don't respond in kind but alert the mods (there is a 'Report' button on every post).
See that message at the top about help, knowledge and fellowship? We strive to keep this forum friendly, and everyone can help with that.
Yeah, it was a misunderstanding. You're correct in saying that responding to rudeness in kind isn't the appropriate response. I also think it's safe to assume that his intention wasn't to be rude in the first place, as I've already said to catweazel.

Re: SOLVED Feature Request: Custom Full Disk Encryption Option

Posted: Sat Jul 14, 2018 10:25 pm
by majpooper
Hi Hank,

If you do some searching on this forum there have been several discussions RE: encryption. Not just how but its use and value. There are lots of differing opinions and as you can imagine like certain body parts, everyone has one. BTW this applies to lots of areas like security, privacy and so on - bring up Bleachbit if you want to see all the differences of opinions on this forum.

Anyway back to encryption - here is a little story; my older brother is a retired NASA scientist (yep a rocket scientist) and a UNIX/CLI guru. He once shocked me by casually mentioning he forgot his linux password so had to use a live CD to get back in and change it. Well, that made me decide on the next fresh install I would encrypt my entire HD. I was very proud of myself when I told my brother what I did. He was not impressed - first he told me my system was only encrypted when it was powered off and second the MBR was not encrypted so to really be secure I would have to physically move that to a USB drive that I kept on my person at all times. I got the impression he thought what I had done was silly although he did not actually say that. In the end I use an encrypted container where I keep all my TOP SECRET (as in personal stuff) data. My brother seems to think that's OK . . . . I think, at least he didn't shoot any holes in it. As you can see a pretty wide range of opinion - encrypting on a partition basis I suppose could be useful although I personally prefer the encrypted container approach.

Re: Feature Request: Custom Full Disk Encryption Option

Posted: Sun Jul 15, 2018 2:06 am
by catweazel
Hank Drew wrote:
Sat Jul 14, 2018 9:57 pm
catweazel wrote:
Fri Jul 13, 2018 2:21 am
Hank Drew wrote:
Thu Jul 12, 2018 4:45 pm
I found it very useful.
-1

What about everyone else?
I'm sorry if I had misunderstood you. In retrospect, I can see I probably over-reacted.
Trying to answer your question I can only say that, if the Mint devs see merit in the suggestion they might adopt it; if not then they won't. I think you might've taken that personal testimonial as indication of intense self-interest on my part. I can assure you that nothing could be further from the truth; by speaking for myself I was only trying to show that at least one person would like to see this feature in Mint, as it appears in so many other distros.
Anyway, I think this was just a case of seeing the words without actually hearing the weights assigned to them. I hope that all finds you well.
It's quite ok. The written word is always harder to interpret and is often subject to our assumptions.

Re: SOLVED Feature Request: Custom Full Disk Encryption Option

Posted: Sun Jul 15, 2018 1:31 pm
by Hank Drew
majpooper wrote:
Sat Jul 14, 2018 10:25 pm
Hi Hank,

If you do some searching on this forum there have been several discussions RE: encryption. Not just how but its use and value. There are lots of differing opinions and as you can imagine like certain body parts, everyone has one. BTW this applies to lots of areas like security, privacy and so on - bring up Bleachbit if you want to see all the differences of opinions on this forum.

Anyway back to encryption - here is a little story; my older brother is a retired NASA scientist (yep a rocket scientist) and a UNIX/CLI guru. He once shocked me by casually mentioning he forgot his linux password so had to use a live CD to get back in and change it. Well, that made me decide on the next fresh install I would encrypt my entire HD. I was very proud of myself when I told my brother what I did. He was not impressed - first he told me my system was only encrypted when it was powered off and second the MBR was not encrypted so to really be secure I would have to physically move that to a USB drive that I kept on my person at all times. I got the impression he thought what I had done was silly although he did not actually say that. In the end I use an encrypted container where I keep all my TOP SECRET (as in personal stuff) data. My brother seems to think that's OK . . . . I think, at least he didn't shoot any holes in it. As you can see a pretty wide range of opinion - encrypting on a partition basis I suppose could be useful although I personally prefer the encrypted container approach.
Full disk encryption has always been a bit of a sticking point with me. On the one hand, it's good to know my files are encrypted no matter which folder or volume they reside in; on the other hand, it has some definite weaknesses (even dangers) that limit its value in several situations. As you've pointed out, Linux requires that the MBR (or GPT) and boot partition both remain un-encrypted, leaving the boot code and kernel open to tampering. The false sense of security only makes matters worse. So while my OS and data partitions are encrypted, an attacker who gains access to my machine—even in the off state—can just use a boot CD to inject a keylogger (or whatever else) into the boot process via the un-encrypted partition. I realize there are scripts out there that allow for all partitions, including boot, to be encrypted on new Linux setups, but they're really quite cumbersome and aren't at all official. I can only see full disk encryption as one component in overall system security. And your experience reminds me of how fragile a component it really is. (A whole new can of worms gets opened should things get really borked.)
The best outcome would be a program similar to VeraCrypt or TrueCrypt that can effect true full disk encryption on Linux, as they already can on Windows systems. While it wouldn't solve all the problems you've mentioned, it would go a long way in both system security and ease of use. Maybe VeraCrypt will one day support true FDE on Linux...But I wouldn't hold my breath. At the end of the day your post reminds me of how limited Linux's idea of FDE is. Now I'm actually questioning the benefit-to-cost ratio of full disk encryption on Linux.
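
The layout this thread discusses (separate /opt, /tmp and /var volumes inside the encrypted container, with /boot left outside it) can be audited from `lsblk` output. This is an added example, not part of the original posts; the device names and the sample JSON are constructed, and the function names are hypothetical.

```python
import json

# Constructed sample in the shape printed by `lsblk -J -o NAME,TYPE,MOUNTPOINT`
# on a LUKS + LVM install with a separate, unencrypted /boot partition.
SAMPLE_LSBLK = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot"},
    {"name": "sda2", "type": "part", "mountpoint": null, "children": [
      {"name": "sda2_crypt", "type": "crypt", "mountpoint": null, "children": [
        {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
        {"name": "vg-var", "type": "lvm", "mountpoint": "/var"},
        {"name": "vg-opt", "type": "lvm", "mountpoint": "/opt"},
        {"name": "vg-tmp", "type": "lvm", "mountpoint": "/tmp"},
        {"name": "vg-swap", "type": "lvm", "mountpoint": "[SWAP]"}
      ]}
    ]}
  ]}
]}
"""


def audit_mounts(lsblk_json):
    """Map each mount point to True if a dm-crypt layer sits beneath it."""
    result = {}

    def walk(dev, encrypted):
        # lsblk reports an opened LUKS/dm-crypt mapping with TYPE "crypt";
        # everything stacked on top of it inherits that protection at rest.
        encrypted = encrypted or dev.get("type") == "crypt"
        mountpoint = dev.get("mountpoint")
        if mountpoint:
            result[mountpoint] = encrypted
        for child in dev.get("children", []):
            walk(child, encrypted)

    for dev in json.loads(lsblk_json)["blockdevices"]:
        walk(dev, False)
    return result


def unencrypted_mounts(lsblk_json):
    """Return the mount points that are readable and writable from a live CD."""
    return sorted(mp for mp, enc in audit_mounts(lsblk_json).items() if not enc)


if __name__ == "__main__":
    for mp, enc in sorted(audit_mounts(SAMPLE_LSBLK).items()):
        print(f"{mp:8} {'encrypted' if enc else 'NOT encrypted'}")
```

On a real machine, pass the output of `lsblk -J -o NAME,TYPE,MOUNTPOINT` instead of the sample; any path listed by `unencrypted_mounts` is at-rest plaintext and needs a separate integrity control.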

Re: SOLVED Feature Request: Custom Full Disk Encryption Option

Posted: Fri Jul 27, 2018 4:57 pm
by RobertoR
majpooper wrote:
Sat Jul 14, 2018 10:25 pm

Anyway back to encryption - here is a little story; my older brother is a retired NASA scientist (yep a rocket scientist) and a UNIX/CLI guru. He once shocked me by casually mentioning he forgot his linux password so had to use a live CD to get back in and change it. Well, that made me decide on the next fresh install I would encrypt my entire HD. I was very proud of myself when I told my brother what I did. He was not impressed - first he told me my system was only encrypted when it was powered off and second the MBR was not encrypted so to really be secure I would have to physically move that to a USB drive that I kept on my person at all times. I got the impression he thought what I had done was silly although he did not actually say that. In the end I use an encrypted container where I keep all my TOP SECRET (as in personal stuff) data. My brother seems to think that's OK . . . . I think, at least he didn't shoot any holes in it. As you can see a pretty wide range of opinion - encrypting on a partition basis I suppose could be useful although I personally prefer the encrypted container approach.
Maybe your brother did not want to shoot some holes in your setup, or maybe he did not think about it. But when your system is not protected by encryption then it's very easy to boot from a USB stick and put some special software on your system; at the moment you decrypt your container with your TOP SECRET stuff that program can see it also... To protect your computer from intruders is very difficult, because there are so many ways to come into a computer. That's why I always encrypt my whole disk, because then they cannot modify or add files on your computer.

But thanks Officer for pointing me in the direction of the MBR problem!

Re: SOLVED Feature Request: Custom Full Disk Encryption Option

Posted: Fri Jul 27, 2018 5:10 pm
by RobertoR
Hank Drew wrote:
Sun Jul 15, 2018 1:31 pm
Full disk encryption has always been a bit of a sticking point with me. On the one hand, it's good to know my files are encrypted no matter which folder or volume they reside in; on the other hand, it has some definite weaknesses (even dangers) that limit its value in several situations. As you've pointed out, Linux requires that the MBR (or GPT) and boot partition both remain un-encrypted, leaving the boot code and kernel open to tampering. The false sense of security only makes matters worse. So while my OS and data partitions are encrypted, an attacker who gains access to my machine—even in the off state—can just use a boot CD to inject a keylogger (or whatever else) into the boot process via the un-encrypted partition. I realize there are scripts out there that allow for all partitions, including boot, to be encrypted on new Linux setups, but they're really quite cumbersome and aren't at all official. I can only see full disk encryption as one component in overall system security. And your experience reminds me of how fragile a component it really is. (A whole new can of worms gets opened should things get really borked.)
The best outcome would be a program similar to VeraCrypt or TrueCrypt that can effect true full disk encryption on Linux, as they already can on Windows systems. While it wouldn't solve all the problems you've mentioned, it would go a long way in both system security and ease of use. Maybe VeraCrypt will one day support true FDE on Linux...But I wouldn't hold my breath. At the end of the day your post reminds me of how limited Linux's idea of FDE is. Now I'm actually questioning the benefit-to-cost ratio of full disk encryption on Linux.
Linux does not require that the boot partition remains un-encrypted, but I don't know about the MBR.
And I share your opinion that leaving the boot partition un-encrypted is a false sense of security.
I have used this setup for years and it works very well for me, maybe it's something for you?
viewtopic.php?t=198077