Partitions and encryption for a new Mint 20.2 install on 1tb SSD


Post by theratuk »

I have a new laptop with a 1tb ssd. I've been using mint for about eight years but need to install the new 20.2 version on this new laptop (I'm trailing way back at 17/18 or something now! still working solid but needs to change!). Previously I had an encrypted home partition on my last two installs, but I am aware ecryptfs is somehow supposed to be 'outdated', that it isn't the best performance, and that there might be better ways to do this.

I don't want anyone getting access to my home files under any circumstances, I have both personal and work data which I want secure if I lose the laptop / it gets stolen (especially the work stuff). I sync personal data to Tresorit (where in theory no one can see it!) and I sync work data to OneDrive via OneDrive client (it doesn't need to be so secure no one at Microsoft can see it). I don't mind partitioning the drive beforehand to split data up... e.g. x amount for the system e.g. 250gb, x amount e.g. 500gb on drive for personal (could stop relying on tresorit alone and instead start using cryptomator or veracrypt?), and x amount e.g. 250gb for work? (work can just sync to onedrive as normal)

Does anyone have a recommended setup for my new install? I am presuming home directory is no longer the way forward.

1. Just encrypt the whole drive as one 1tb partition (LVM option on install?), and login as normal to my user? (no encrypted home)

2. make partitions as above for the three distinct data sets, and encrypt the drives some other way?

3. something else entirely???

Any advice much appreciated! I am very behind the times with all this!

Also any other comments on data management, like... I can backup when computer turned on to external drive with encrypted containers maybe? What are the data loss / recovery measures I should take?

Whew... so much to consider!

Re: Partitions and encryption for a new Mint 20.2 install on 1tb SSD

Post by t42 »

theratuk wrote: Thu Sep 23, 2021 12:17 pm Just encrypt the whole drive as one 1tb partition LVM option on install
If you have to keep your data safe from random theft, that'd be fine and even recommended in case of portable device.
On the minus side, the setup automation defaults don't allow any user control, dual boot is impossible, and they are using LUKS for AES in XTS_plain64 mode, a 256 bit key with SHA1 hashing runs during 1 second of PBKDF2.

Option two is quite complicated in implementation and makes sense if you need a high security level. Custom full disk encryption is still using Cryptsetup, dm_crypt and LUKS. I don't know of any comprehensive instructions that don't require educated modification. Sometimes it may be far more work than necessary.
Last edited by t42 on Thu Sep 23, 2021 2:55 pm, edited 1 time in total.
-=t42=-
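
Added example, not part of t42's post: one way to read the cipher, key size and hash that t42 lists from the header of your own volume. The sample `cryptsetup luksDump` text is constructed, and the review thresholds (AES-256, a hash other than SHA-1) are assumptions, not a standard.

```bash
#!/usr/bin/env bash
# Added example: summarise a LUKS1 header from `cryptsetup luksDump`
# output and flag parameters worth reviewing.
# Thresholds below are assumptions chosen for illustration.

# Constructed sample of LUKS1 luksDump output (digest/salt lines omitted).
sample_dump() {
cat <<'EOF'
LUKS header information for /dev/sdxy

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha1
Payload offset: 4096
MK bits:        256
EOF
}

# Reads luksDump text on stdin, prints key=value lines plus a verdict.
audit_luks1_dump() {
  awk -F':[ \t]*' '
    { sub(/[ \t\r]+$/, "") }          # drop trailing whitespace
    /^Cipher name:/ { name = $2 }
    /^Cipher mode:/ { mode = $2 }
    /^Hash spec:/   { hash = $2 }
    /^MK bits:/     { mk = $2 + 0 }
    END {
      # XTS splits the master key into two halves, so a 256-bit
      # master key means AES-128 and a 512-bit one means AES-256.
      bits = (mode ~ /^xts/) ? mk / 2 : mk
      verdict = (bits < 256 || hash == "sha1") ? "REVIEW" : "OK"
      printf "cipher=%s-%s\naes_key_bits=%d\nhash=%s\nverdict=%s\n", \
             name, mode, bits, hash, verdict
    }'
}

sample_dump | audit_luks1_dump
```

On a real system the input would come from `sudo cryptsetup luksDump /dev/sdxy | audit_luks1_dump`. LUKS2 headers print a different layout that this parser does not handle.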

Re: Partitions and encryption for a new Mint 20.2 install on 1tb SSD

Post by GELvdH »

Here is one suggestion.
Partition a 200gig home partition for your programs, this does not have to be encrypted.
Partition a large enough partition for your work related files, this would be encrypted.
Leave a free space between it and your next partition in the event you need to expand it later, create another partition which will be encrypted for your personal files, again try to leave free space after it in case of future expansion needs.

Re: Partitions and encryption for a new Mint 20.2 install on 1tb SSD

Post by gittiest personITW »

Another suggestion is to use Veracrypt to make either an encrypted file container (which can be treated like a file - copied/moved/deleted) or to encrypt a partition.
I personally like the encrypted file container. It mounts when needed, dismounts automatically at shutdown or when sent to sleep if no files are open - or is easy to dismount manually.

If you aren't trying to 'hide' system files and configuration files, then this is an easy option - and also, should there be a problem with your system down the line, takes away one layer of complexity in solving the problem.
Look through the forums and a lot of the time where a system has been encrypted using the default encryption (LUKS/LVM) and there is a problem, unfortunately the answers seem to be along the lines of but more diplomatic than 'tough luck as you seem to have an encrypted system'.
Last edited by gittiest personITW on Thu Sep 23, 2021 5:16 pm, edited 1 time in total.

Re: Partitions and encryption for a new Mint 20.2 install on 1tb SSD

Post by jjp2145-oldtimer »

A veracrypt container in your home directory. It contains your files, but not your .files. Keep the password to the veracrypt container on 2 or more usb sticks -- plain text will work fine. Keep one usb stick on your person, the other in your home safe. In the event that the laptop is lost or stolen, dd zeros over the contents of the usb sticks. In the event that one of the usb sticks is lost or stolen, create an entirely new veracrypt container in your home directory, copy the contents of the old container to the new container, and delete the old container.

Remember not to put a copy of the veracrypt container in the cloud. The same container with slightly different content is apparently a cryptographic weakness. It will also require you to encrypt the usb sticks, which would leave a weak password in the chain. And there is no good contingency for the loss of one of the usb sticks. I have always preferred encrypted external drives for this reason.

This is a something else entirely suggestion. It is flexible, but it relies on veracrypt, with its wonky truecrypt license.

[Looks like someone already recommended a veracrypt container while I was typing]
If you need sudo to edit it, back it up first. If I tell you to edit something with sudo and forgot to tell you to back it up, back it up anyway. sudo cp backup or cat > backup.txt.

Re: Partitions and encryption for a new Mint 20.2 install on 1tb SSD

Post by t42 »

jjp2145-oldtimer wrote: Thu Sep 23, 2021 3:54 pm but it relies on veracrypt, with its wonky truecrypt license.
Is it about an opinion of certain Red Hat lawyer (Tom "spot" Callaway) on some possible interpretation of the open source term in the license? If so it never became more than an opinion and was important only to their corporate entity.
VeraCrypt is multi-licensed under the Apache License and the TrueCrypt License (with inclusion of Paul Le Roux's license agreement!):

Edit - just to minimize off-topic in this thread, in reply to the jjp2145-oldtimer's comment below: Thanks! It's a valid concern but highly theoretical. There is more in the indemnification department in the TrueCrypt license:
7. If (in relevant context) any provision of chapter IV of this license is unenforceable, invalid, or prohibited under applicable law in your jurisdiction, you have no rights under this license and you must not use, copy, modify, create derivative works of, nor (re)distribute this product, nor any portion(s) thereof.
And another link from 2008 Callaway: TrueCrypt licensing concern
Last edited by t42 on Fri Sep 24, 2021 1:41 am, edited 1 time in total.
-=t42=-

Re: Partitions and encryption for a new Mint 20.2 install on 1tb SSD

Post by jjp2145-oldtimer »

t42 wrote: Thu Sep 23, 2021 4:39 pm
jjp2145-oldtimer wrote: Thu Sep 23, 2021 3:54 pm but it relies on veracrypt, with its wonky truecrypt license.
Is it about an opinion of certain Red Hat lawyer (Tom "spot" Callaway) on some possible interpretation of the open source term in the license? If so it never became more than an opinion and was important only to their corporate entity.
VeraCrypt is multi-licensed under the Apache License and the TrueCrypt License (with inclusion of Paul Le Roux's license agreement!)
We are getting a little off topic here. I never heard of Callaway, and I don't care about Le Roux. Professor Green is the man worth listening to when it comes to encryption in general. It just offends my sensibilities that veracrypt is forced to carry this junk into perpetuity:
6. IF YOU ARE NOT SURE WHETHER YOU UNDERSTAND ALL PARTS OF THIS LICENSE OR IF YOU ARE NOT SURE WHETHER YOU CAN COMPLY WITH ALL TERMS AND CONDITIONS OF THIS LICENSE, YOU MUST NOT USE, COPY, MODIFY, CREATE DERIVATIVE WORKS OF, NOR (RE)DISTRIBUTE THIS PRODUCT, NOR ANY PORTION(S) OF IT. YOU SHOULD CONSULT WITH A LAWYER.
I am not saying that I think this creates legally enforceable rights, but this is written in a document that is meant to create legally enforceable rights. I called it wonky, and I stick to that assessment.

Edit -- I guess I'll edit in a response. The problem with Section 6 is that it does nothing but encourage litigation. Section 6 purports to create enforceable legal rights based on the subjective state of mind of the licensee. Try to imagine what a lawsuit based on violating that section would look like. Harassment litigation at best -- maybe not even expensive litigation, but litigation nonetheless.

Section 7 is an understandable attempt to avoid liability, but it should scare business off. The derivative works may be banned in some jurisdictions based on that jurisdiction's consumer protection laws. Nobody wants to spend the time and money trying to figure out the implications of Section 7.
Last edited by jjp2145-oldtimer on Fri Sep 24, 2021 11:15 am, edited 1 time in total.

Re: Partitions and encryption for a new Mint 20.2 install on 1tb SSD

Post by theratuk »

These are all excellent ideas and have been really useful to read through. The full encryption sounds like it should be avoided. Also, quite like dual boot and may yet stick with having a windows 10 system on the side (though I haven't booted that on my current machine in over a year at least). So yeah, full disk encryption sounds out. Therefore, need some kind of easy and largely automated way to mount encrypted stuff I think (automated except password requirement on login for user).

Whilst I find the idea of VeraCrypt appealing, because I've used it plenty myself (I backup to containers on an external drive), the issue here is that I do want to sync work files with OneDrive and personal files to Tresorit (I am assuming they can be trusted but who knows!) on the fly / as I work on them.

Also, I want like 250-500gb for each in space... which is a very large container for veracrypt? or it's OK?... what are the performance impacts of having two mounted encrypted partitions/containers at once (I want work and personal open together)?

So, I am torn between @GELvdH's suggestion of having a system partition and two encrypted partitions -versus- just one big clean install and then two massive veracrypt containers that when mounted are also synced to onedrive/tresorit?

Then again, I like leaving stuff lying around on my desktop and my docs... presumably I can just link these to the partitions? Or run my home off one of the encrypted partitions?

p.s. is cryptomator out of the question for any of this?

Re: Partitions and encryption for a new Mint 20.2 install on 1tb SSD

Post by theratuk »

GELvdH wrote: Thu Sep 23, 2021 1:49 pm Here is one suggestion.
Partition a 200gig home partition for your programs, this does not have to be encrypted.
Partition a large enough partition for your work related files, this would be encrypted.
Leave a free space between it and your next partition in the event you need to expand it later, create another partition which will be encrypted for your personal files, Again try to leave free space after it in case of future expansion needs.
Hi - I am still wrestling with the best option for this and have decided that encrypted partitions is the way to go.

BUT... I DO want to encrypt my home directory because it often has personal stuff in it (program settings, my email from thunderbird, etc etc)...

So, is there a way I could have my home directory run off a mounted encrypted drive that is the whole home directory? This could also be where my work files are? Is this possible in any way?

Re: Partitions and encryption for a new Mint 20.2 install on 1tb SSD

Post by t42 »

theratuk wrote: Tue Oct 12, 2021 11:55 am So, is there a way I could have my home directory run off a mounted encrypted drive that is the whole home directory?
Drive is irrelevant, encrypted partition on whatever drive is. It is possible to create an encrypted home partition post installation if you know how (see *).

It'd be simpler if you are using VeraCrypt containers, so you can mount them inside home during boot as I described here:
Mounting Veracrypt container during boot using systemd
Just replace the mount point in fstab for /home/USER_HERE/Documents_2 or so

* something like this:
1 - fill the partition with noise
from root shell:
2 - format cryptsetup luksFormat ... /dev/sdxy
3 - cryptsetup luksOpen /dev/sdxy home
4 - mkfs.ext4 /dev/mapper/home
5 - edit /etc/fstab as appropriate
6 - edit /etc/crypttab as appropriate
7 - mount /dev/mapper/home
8 - mkdir /home/user
9 - chown -R user /home/user
10 - chmod 750 /home/user
-=t42=-
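
Added example, not part of t42's post: a dry run of the steps above that prints the commands together with what the `/etc/crypttab` and `/etc/fstab` entries from steps 5 and 6 can look like. The device, mapper name, user name and UUID are placeholders, and `luksFormat` is shown with default options because the post leaves its options elided.

```bash
#!/usr/bin/env bash
# Added example: dry run of the post-install encrypted /home steps.
# It only prints commands and config lines; nothing is executed.
# DEV, NAME, USER_NAME and the UUID are placeholders (assumptions).
DEV=/dev/sdxy
NAME=home
USER_NAME=user

# /etc/crypttab fields: <mapper name> <source device> <key file> <options>
# "none" as key file means: ask for the passphrase at boot.
crypttab_line() { printf '%s UUID=%s none luks\n' "$1" "$2"; }

# /etc/fstab fields: <device> <mount point> <type> <options> <dump> <pass>
fstab_line() { printf '/dev/mapper/%s %s ext4 defaults 0 2\n' "$1" "$2"; }

# True if device $1 appears in the mounts table $2 (default /proc/mounts).
# luksFormat destroys existing data, so never plan against a mounted device.
is_mounted() {
  awk -v d="$1" '$1 == d { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# Print the procedure; $1 is the LUKS UUID (from: cryptsetup luksUUID $DEV).
plan() {
  local uuid="${1:-<UUID-of-LUKS-container>}"
  cat <<EOF
# (filling the partition with noise beforehand is not shown)
cryptsetup luksFormat $DEV
cryptsetup luksOpen $DEV $NAME
mkfs.ext4 /dev/mapper/$NAME
echo '$(crypttab_line "$NAME" "$uuid")' >> /etc/crypttab
echo '$(fstab_line "$NAME" /home)' >> /etc/fstab
mount /dev/mapper/$NAME
mkdir /home/$USER_NAME
chown -R $USER_NAME /home/$USER_NAME
chmod 750 /home/$USER_NAME
EOF
}

if is_mounted "$DEV"; then
  echo "refusing: $DEV is mounted" >&2
else
  plan
fi
```

Mounting the new filesystem on /home hides the files already there, so existing home data has to be copied onto it before relying on the new mount.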

Re: Partitions and encryption for a new Mint 20.2 install on 1tb SSD

Post by theratuk »

I am hugely grateful for you trying to suggest this and explain, but whilst I think I roughly 'get it', it also feels a bit beyond what I am comfortable setting up right now.

I think what I am going to try is...

1. my usual dual boot as I have now (just to have windows somewhere in case I need it for some perverse reason --- haven't booted it on my current machine in a long, long time... maybe years?)... this is with a 1tb drive I will partition up for windows, swap, boot, Mint, and two drives for work and personal.

2. an encrypted home folder with ecryptfs as per Mint setup offering... I know this is out-dated (though I don't know why) but it strikes me that it does work and is the easiest way for me to secure my program settings etc.

3. two big encrypted partitions of my 1tb drive, for (a) work stuff and (b) personal stuff, that I have some kind of auto mount for when I login to my home... then it mounts them for access

So, may I ask you... does this sound like a bad plan?

I am thinking it's the best route simply because I think it's the route I am comfortable setting up... but if there's big drawbacks maybe it's a big mistake?