FileSystem encryption during installation

Chat about anything related to Linux Mint
Post Reply
Kambeinux
Level 1
Level 1
Posts: 13
Joined: Thu Jan 25, 2018 4:23 pm
Location: Turin, Italy

FileSystem encryption during installation

Post by Kambeinux » Fri Jan 26, 2018 7:27 am

Hello everyone,

I'm organizing to do my first installation of linux and especially Mint. I have read the installation manual and would like to better understand one aspect of the installation procedure. At some point there is the possibility to encrypt the disk. I would like to know if this disk encryption also implies file system encryption.

Thank you
Kambeinux

User avatar
catweazel
Level 17
Level 17
Posts: 7739
Joined: Fri Oct 12, 2012 9:44 pm
Location: Australian Antarctic Territory

Re: FileSystem encription during installation

Post by catweazel » Fri Jan 26, 2018 8:42 am

Yes, it does. However with you being new to linux I strongly urge you to avoid encryption until you've got more experience.
¡uʍop ǝpısdn sı buıɥʇʎɹǝʌǝ os ɐıןɐɹʇsnɐ ɯoɹɟ ɯ,ı

Kambeinux
Level 1
Level 1
Posts: 13
Joined: Thu Jan 25, 2018 4:23 pm
Location: Turin, Italy

Re: FileSystem encription during installation

Post by Kambeinux » Fri Jan 26, 2018 10:29 am

Thank you so much for your answer.
One doubt: which is the effect of the disk encription in terms of user experience ? I mean: why is it better for an unexperienced Linux user to avoid the disk encription ?

Thanks
Kambeinux

Cosmo.
Level 23
Level 23
Posts: 17829
Joined: Sat Dec 06, 2014 7:34 am

Re: FileSystem encryption during installation

Post by Cosmo. » Fri Jan 26, 2018 8:04 pm

New users have a tendency to do mistakes, which can lead to an unusable system. And far too many users do not do regularly backups on an external drive. The result of both is possible data loss.

User avatar
catweazel
Level 17
Level 17
Posts: 7739
Joined: Fri Oct 12, 2012 9:44 pm
Location: Australian Antarctic Territory

Re: FileSystem encription during installation

Post by catweazel » Fri Jan 26, 2018 8:18 pm

Kambeinux wrote:Thank you so much for your answer.
One doubt: which is the effect of the disk encription in terms of user experience ? I mean: why is it better for an unexperienced Linux user to avoid the disk encription ?
As Cosmo has indicated, mistakes can be made, passphrases forgotten, a corrupt installation could clobber your ability to get at your data; it's another level of complexity, and greater complexity leads to greater risk. The consequences I see on the forums are worse than Cosmo has indicated. You risk a total and irreversible loss of data.

If you need to keep documents private, try Veracrypt. You can create custom sized files and store your data in there.
¡uʍop ǝpısdn sı buıɥʇʎɹǝʌǝ os ɐıןɐɹʇsnɐ ɯoɹɟ ɯ,ı

Kambeinux
Level 1
Level 1
Posts: 13
Joined: Thu Jan 25, 2018 4:23 pm
Location: Turin, Italy

Re: FileSystem encryption during installation

Post by Kambeinux » Sun Jan 28, 2018 5:15 pm

Thank you guys for your clear explanations,

my real need would be the filesystem encryption only and not necessarly the entire drive.
So is the only filesystem encription equally risky ?
Is there a procedure to encrypt the file system only ?

Thanks
Kambeinux

Cosmo.
Level 23
Level 23
Posts: 17829
Joined: Sat Dec 06, 2014 7:34 am

Re: FileSystem encryption during installation

Post by Cosmo. » Sun Jan 28, 2018 6:19 pm

I don't know what you mean with "only file system encryption".

You have at installation 2 choices: Either encrypt the complete drive or only your home. The risks I named above are similar in both cases, especially if you do not make very regularly backups of your home, at least once per day before you shut down or reboot. And of course not to forget: In case you should forget your password (you wouldn't be the first) you can only say goodby to your user data.

Kambeinux
Level 1
Level 1
Posts: 13
Joined: Thu Jan 25, 2018 4:23 pm
Location: Turin, Italy

Re: FileSystem encryption during installation

Post by Kambeinux » Sun Jan 28, 2018 7:50 pm

It's clear to me that both the choices during installation may cause the risks you mentioned.
So my question is: after the installation and Mint works normally is there a procedure to encrypt only the directories where the filesystem is (may be kernel is the correct name, I am not sure) and not the Home directory. I am not interested in the encryption of my user data but in the encryption of the OS (I am not sure if the correct name is filesystem or kernel ). If I have understood correctly for example the new MacOS High Sierra filesystem (APFS) should provide this option. I would understand if and how to do the same in Mint.

Thanks
Kambeinux

Cosmo.
Level 23
Level 23
Posts: 17829
Joined: Sat Dec 06, 2014 7:34 am

Re: FileSystem encryption during installation

Post by Cosmo. » Mon Jan 29, 2018 6:35 am

Kambeinux wrote:but in the encryption of the OS
Not possible. What should be the meaning for this?

User avatar
Moem
Level 17
Level 17
Posts: 7002
Joined: Tue Nov 17, 2015 9:14 am
Location: The Netherlands
Contact:

Re: FileSystem encryption during installation

Post by Moem » Mon Jan 29, 2018 6:42 am

Kambeinux, can you explain what your end goal is?
Image

If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!

Kambeinux
Level 1
Level 1
Posts: 13
Joined: Thu Jan 25, 2018 4:23 pm
Location: Turin, Italy

Re: FileSystem encryption during installation

Post by Kambeinux » Mon Jan 29, 2018 7:37 am

The aim is the best possible PC security. On the basis of what I have read on the net it is suggested to encrypt the filesystem of the OS to avoid that an attacher may run his code on your pc, hack your pc or stole information and so on. I am not a computer expert but curious to learn more about this. All the persons I know said to me that Linux is the most robust OS in terms of security and also in terms of stability. That's way I am interested in, just to replace windows with something quite better under all points of view.

Kambeinux

Cosmo.
Level 23
Level 23
Posts: 17829
Joined: Sat Dec 06, 2014 7:34 am

Re: FileSystem encryption during installation

Post by Cosmo. » Mon Jan 29, 2018 10:13 am

Kambeinux wrote:On the basis of what I have read on the net it is suggested to encrypt the filesystem of the OS to avoid that an attacher may run his code on your pc, hack your pc or stole information and so on.
Encrypting the drive - whether fully or partially - does help against local attackers, in other words, if an attacker gets physically in touch with the device. Encryption does not help against distant attacks, e, g via Internet connection. That has a simple reason: As soon as you use the computer, you have to unlock the drive, or your home (depending from what you have encrypted). After that it makes for an attacker absolutely no difference, whether there is something encrypted, until you shut the computer down again. So encrypting as a measurement against distant attackers is an illusion.

The protection of the system itself - that is all except your home with your user data and settings - gets done by the Linux self protection, which is a part of the privilege differentiation of the users. More practically: Whoever - you or an attacker - wants to do system changes, has to enter a password. You can, because you know it, the attacker cannot not. This mechanism works fully independent from encrypting anything.

Also fully independent from the encryption status of the computer a distant attacker can possibly execute arbitrary code on the system - if there is an open security leak in the system, which allows it. So an important measurement against attacks is to apply security fixes. For all software, which you install via the package management - that is in practical terms mostly the software manager or synaptic - you get noted by the update manager, as soon as an update is available. Also the update manager indicates by a red exclamation mark if an update is a security update.

User avatar
austin.texas
Level 20
Level 20
Posts: 12054
Joined: Tue Nov 17, 2009 3:57 pm
Location: at /home

Re: FileSystem encryption during installation

Post by austin.texas » Mon Jan 29, 2018 11:03 am

As Cosmo said, security updates are your main line of defense against internet attacks. In addition to security updates for programs (such as your web browser) there are occasional updates for your linux kernel - available in the Update Manager > View menu > Linux kernels
catweazel wrote:If you need to keep documents private, try Veracrypt. You can create custom sized files and store your data in there.
TUTORIAL: Install Veracrypt 1.19 on Mint 18 Cinnamon x64
Mint 18.2 Cinnamon, Quad core AMD A8-3870 with Radeon HD Graphics 6550D, 8GB DDR3, Ralink RT2561/RT61 802.11g PCI
Linux Linx 2018

Kambeinux
Level 1
Level 1
Posts: 13
Joined: Thu Jan 25, 2018 4:23 pm
Location: Turin, Italy

Re: FileSystem encryption during installation

Post by Kambeinux » Tue Jan 30, 2018 12:29 pm

Thank you so much guys for your explanations and suggestions.
Now I have more clear ideas.
So I will use a user that has no root privileges, so that's the security.
I will also take care of the updates installation.

Thanks
Kambeinux

Cosmo.
Level 23
Level 23
Posts: 17829
Joined: Sat Dec 06, 2014 7:34 am

Re: FileSystem encryption during installation

Post by Cosmo. » Tue Jan 30, 2018 4:30 pm

Kambeinux wrote:So I will use a user that has no root privileges, so that's the security.
You can do this and of course it does nor decrease security. But it also does not increase it. It only makes life a little bit more circumstantial.There is a big difference between Windows (where an admin account is actually admin) and Linux, where the admin type account can get root privileges, but only by entering the password. In Linux also the admin type account does never get the owner of system files, but only the virtual account root is the owner.

The main idea behind a second, non-admin type account is to give another physical person a platform for using the computer without the possibility to do system changes.

User avatar
Lucap
Level 5
Level 5
Posts: 913
Joined: Tue May 24, 2016 1:40 am

Re: FileSystem encryption during installation

Post by Lucap » Wed Jan 31, 2018 2:27 am

When Mint 19 is released in a few months you can install FSprotect 1.7 if you like as it will turn your drive into read only setup so nothing gets written to disk.

If you want to install anything like software updates or applications you simply put the drive back to normal by removing the FSprotect command during the boot up screen and once you have finished making changes to the drive you just reboot to go back too read only.

Kambeinux
Level 1
Level 1
Posts: 13
Joined: Thu Jan 25, 2018 4:23 pm
Location: Turin, Italy

Re: FileSystem encryption during installation

Post by Kambeinux » Wed Jan 31, 2018 5:31 am

Cosmo. wrote:
Kambeinux wrote:So I will use a user that has no root privileges, so that's the security.
You can do this and of course it does nor decrease security. But it also does not increase it. It only makes life a little bit more circumstantial.There is a big difference between Windows (where an admin account is actually admin) and Linux, where the admin type account can get root privileges, but only by entering the password. In Linux also the admin type account does never get the owner of system files, but only the virtual account root is the owner.

The main idea behind a second, non-admin type account is to give another physical person a platform for using the computer without the possibility to do system changes.

Thank you Cosmo,
Clear explanation.

Kambeinux

Kambeinux
Level 1
Level 1
Posts: 13
Joined: Thu Jan 25, 2018 4:23 pm
Location: Turin, Italy

Re: FileSystem encryption during installation

Post by Kambeinux » Wed Jan 31, 2018 5:34 am

Lucap wrote:When Mint 19 is released in a few months you can install FSprotect 1.7 if you like as it will turn your drive into read only setup so nothing gets written to disk.

If you want to install anything like software updates or applications you simply put the drive back to normal by removing the FSprotect command during the boot up screen and once you have finished making changes to the drive you just reboot to go back too read only.

Thanks Lucap,
I will try it.

Kambeinux

Post Reply

Return to “Chat about Linux Mint”