Encrypting home partition using Veracrypt [solved]

[linuxheid]

Hi,

I have just installed Linux Mint 19.2 Cinnamon which appeared to go very smoothly. I would like to deploy encryption and I remember people in this forum previously recommending that instead of using the encryption that ships with Linux I would be better to:

* Install Veracrypt
* Use Veracrypt to encrypt only the home partition

I have installed Veracrypt what seems to have been without issue. However I repeatedly get this error message when I try to encrypt the Home partition:

Auto-mount failed due to one or more of the following:
- Incorrect password.
- Incorrect Volume PIM number:
- Incorrect PRF (hash).
- No valid volume found.

I don't believe the password is the issue. I say that sense I initially expected to enter a password specific to Veracrypt. That was immediately rejected. When I then changed to the admin password, I seemed to overcome that particular piece of validation. I say that since instead of the immediate error message I received when trying a unique password, Veracrypt instead rolled forward at this point.

Any help guiding me on this is appreciated.

[majpooper]

I can only give you my experience with VeraCrypt and encryption I emphasize experience as my actual knowledge and understanding of how encryption works on a technical level is pretty limited. I have always be able to encrypt encrypted containers and empty partitions with VeraCrypt with no problem. I think your problem may have something to with the /home partition not being empty although I can not say for certain - someone more knowledgable with linux/encryption may be able to comment on that.

The good news is if you want to encrypt your /home (or your entire hard drive) that is easily done during the install process.

There are lots of opinions about encryption and how useful it really is in terms of encrypting hard drives and partitions. As far as you /home goes encryption only provides "encrypted security" when you are not using it - in essence it is a form of physical security. The same is true even if you encrypt the entire linux partition. So if you are looking for a bit of physical security it will work to a degree. I encrypted my entire hard drive in the past only to be made aware that my computer was still vulnerable because the MBR was not encrypted. So to really do what I was trying to accomplish I would have to encrypt my entire hard drive and put the MBR on a separate USB drive that I kept in my possession.

What I decided was to make a few encrypted containers in which I keep my sensitive records and their back ups (tax stuff mainly) and open them when needed. Anyway that is my take on encryption for what it's worth, but like I said everyone has an opinion and in the end you should do what you feel comfortable with.

[blueocean]

Encrypting the home folder during install and disabling root login afterwards is pretty secure as far as anyone getting your data, plus rarely issues like you have. I use p7zip (included in Mint) to password protect files or folders. I keep my passwords password protected with Libreoffice Writer, because it's so convenient and really quite secure. I think you can still encrypt the Home directory with the correct process. I'm going to try it on a test run and will post my results. I'm sure some of the big guns on here could guide you on that.

[catweazel]

I would like to deploy encryption and I remember people in this forum previously recommending that instead of using the encryption that ships with Linux I would be better to:

* Install Veracrypt
* Use Veracrypt to encrypt only the home partition

Look, to be honest, if you have to ask about encryption then you're potentially headed for disaster. Your best course of action is not to encrypt any partitions, but create veracrypt containers that can be safely backed up and stored away for safe keeping. Once you have more linux experience, especially with finding answers for yourself, and with using the command line, then you can consider full drive encryption.

If you go down the full drive or partition encryption path, you must be prepared for disaster.

[blueocean]

I would like to deploy encryption and I remember people in this forum previously recommending that instead of using the encryption that ships with Linux I would be better to:

* Install Veracrypt
* Use Veracrypt to encrypt only the home partition

Look, to be honest, if you have to ask about encryption then you're potentially headed for disaster. Your best course of action is not to encrypt any partitions, but create veracrypt containers that can be safely backed up and stored away for safe keeping. Once you have more linux experience, especially with finding answers for yourself, and with using the command line, then you can consider full drive encryption.

If you go down the full drive or partition encryption path, you must be prepared for disaster.

Yep, encryption is a definite ingredient for disaster

[blueocean]

Encrypting the home folder during install and disabling root login afterwards is pretty secure as far as anyone getting your data, plus rarely issues like you have. I use p7zip (included in Mint) to password protect files or folders. I keep my passwords password protected with Libreoffice Writer, because it's so convenient and really quite secure. I think you can still encrypt the Home directory with the correct process. I'm going to try it on a test run and will post my results. I'm sure some of the big guns on here could guide you on that.

I aborted after the tutorial failed - why am I not surprised

[Portreve]

Hello linuxheid!

I have installed Veracrypt what seems to have been without issue. However I repeatedly get this error message when I try to encrypt the Home partition:

I'm not going to try and comment on why what you're doing isn't working, since I really don't know whether it is workable to begin with, much less the ins-and-outs of partition encryption.

However, I'd like to echo the sentiment above that you need to be careful about encryption.

While I do not comment, as a matter of policy, on what the specifics of my own personal security arrangements are, I will tell you some general things.

Unless you're setting your computer up as a true multi-user system, it's probably better to not worry about partition encryption, and simply use the distro installer utility to do a whole hard drive encryption, leaving your user folder itself not separately encrypted.

Veracrypt is a very nice utility, and it particularly shines when it's used to create encrypted disk images, or when used to encrypt partitions on a removable storage device like an SD card or flash drive. It's also great because it's fully multi-platform (GNU+Linux, Mac OS X, Windows) and seems to work just as well on all of them.

[linuxheid]

Thanks to everyone who has been kind enough to reply.

Some context if I may on what I am looking to achieve:

* I have an old laptop I have installed linux on to give to a friend who is without a PC
* His tech skills are very basic. Hence I am trying to set this up for him so that it requires minimal additional support (he and I don't live in the same continent)
* I recall a company I worked used to give us laptops that after powering on, the laptop was useless until the user entered the password for the encryption tool to de-encrypt the HDD. That is the level of simplicity I hoped to deploy here
* I started this a while back, then didn't touch it for a while. Encryption is pretty much the only thing still outstanding that I intended to complete
* In previous threads on this forum, I recall being advised to install Veracrypt to encrypt the home partition but not any others so that in case of issue, that increase the ease of troubleshooting
* I suspect asking my friend to use 7 zip will be too much for him. Ive used 7 zip for years on Windows and also have it on my linux partition. I can't even seem to install it though in Cinnamon 19.2 for the laptop I am putting together for my friend. I can find it in software manager but when I click "launch", nothing happens

[catweazel]

* I have an old laptop I have installed linux on to give to a friend who is without a PC

Nothing more need be said. If you implement encryption then you are setting your friend up for failure if his experience with linux is limited.

[majpooper]

* I recall a company I worked used to give us laptops that after powering on, the laptop was useless until the user entered the password for the encryption tool to de-encrypt the HDD. That is the level of simplicity I hoped to deploy here

I get it that this provides a limited level of physical security but the MBR is not encrypted so the laptop is still vulnerable unless the MBR is on an USB drive separate from the laptop. Add the other complexities encryption can bring about it just does not seem like a good idea especially for someone who is not computer savy. Emphasizing using a strong password for the laptop would be a better option IMHO.

[pbear]

I recall being advised to install Veracrypt to encrypt the home partition but not any others

I'm pretty sure you recall incorrectly. Can't say I've seen every single encryption thread, but I've read most of them the past couple years. What has been said often is that Veracrypt is a safer alternative, not that it's a means of encrypting the home folder or partition. And if someone said that, I'm pretty sure they were mistaken. Something of the sort can be done in Windows - have never done it and don't recall details - but not Linux.

What Veracrypt would give your friend is a safe place to stash sensitive files. I use a USB flash drive, backed up to another similarly encrypted flash drive. The container also can be a file on the internal drive (any size, within reason) which is backed up with all the other data files.

[linuxheid]

Thanks folks for replying. I am going to back off with both Veracrypt and encryption. Instead I will ship the laptop without both as recommended in this this thread.

[linuxheid]

Marking as solved