FileSystem encryption during installation
Forum rules
Do not post support questions here. Before you post read the forum rules. Topics in this forum are automatically closed 6 months after creation.
Do not post support questions here. Before you post read the forum rules. Topics in this forum are automatically closed 6 months after creation.
FileSystem encryption during installation
Hello everyone,
I'm organizing to do my first installation of linux and especially Mint. I have read the installation manual and would like to better understand one aspect of the installation procedure. At some point there is the possibility to encrypt the disk. I would like to know if this disk encryption also implies file system encryption.
Thank you
Kambeinux
I'm organizing to do my first installation of linux and especially Mint. I have read the installation manual and would like to better understand one aspect of the installation procedure. At some point there is the possibility to encrypt the disk. I would like to know if this disk encryption also implies file system encryption.
Thank you
Kambeinux
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
- catweazel
- Level 19
- Posts: 9763
- Joined: Fri Oct 12, 2012 9:44 pm
- Location: Australian Antarctic Territory
Re: FileSystem encription during installation
Yes, it does. However with you being new to linux I strongly urge you to avoid encryption until you've got more experience.
"There is, ultimately, only one truth -- cogito, ergo sum -- everything else is an assumption." - Me, my swansong.
Re: FileSystem encription during installation
Thank you so much for your answer.
One doubt: which is the effect of the disk encription in terms of user experience ? I mean: why is it better for an unexperienced Linux user to avoid the disk encription ?
Thanks
Kambeinux
One doubt: which is the effect of the disk encription in terms of user experience ? I mean: why is it better for an unexperienced Linux user to avoid the disk encription ?
Thanks
Kambeinux
Re: FileSystem encryption during installation
New users have a tendency to do mistakes, which can lead to an unusable system. And far too many users do not do regularly backups on an external drive. The result of both is possible data loss.
- catweazel
- Level 19
- Posts: 9763
- Joined: Fri Oct 12, 2012 9:44 pm
- Location: Australian Antarctic Territory
Re: FileSystem encription during installation
As Cosmo has indicated, mistakes can be made, passphrases forgotten, a corrupt installation could clobber your ability to get at your data; it's another level of complexity, and greater complexity leads to greater risk. The consequences I see on the forums are worse than Cosmo has indicated. You risk a total and irreversible loss of data.Kambeinux wrote:Thank you so much for your answer.
One doubt: which is the effect of the disk encription in terms of user experience ? I mean: why is it better for an unexperienced Linux user to avoid the disk encription ?
If you need to keep documents private, try Veracrypt. You can create custom sized files and store your data in there.
"There is, ultimately, only one truth -- cogito, ergo sum -- everything else is an assumption." - Me, my swansong.
Re: FileSystem encryption during installation
Thank you guys for your clear explanations,
my real need would be the filesystem encryption only and not necessarly the entire drive.
So is the only filesystem encription equally risky ?
Is there a procedure to encrypt the file system only ?
Thanks
Kambeinux
my real need would be the filesystem encryption only and not necessarly the entire drive.
So is the only filesystem encription equally risky ?
Is there a procedure to encrypt the file system only ?
Thanks
Kambeinux
Re: FileSystem encryption during installation
I don't know what you mean with "only file system encryption".
You have at installation 2 choices: Either encrypt the complete drive or only your home. The risks I named above are similar in both cases, especially if you do not make very regularly backups of your home, at least once per day before you shut down or reboot. And of course not to forget: In case you should forget your password (you wouldn't be the first) you can only say goodby to your user data.
You have at installation 2 choices: Either encrypt the complete drive or only your home. The risks I named above are similar in both cases, especially if you do not make very regularly backups of your home, at least once per day before you shut down or reboot. And of course not to forget: In case you should forget your password (you wouldn't be the first) you can only say goodby to your user data.
Re: FileSystem encryption during installation
It's clear to me that both the choices during installation may cause the risks you mentioned.
So my question is: after the installation and Mint works normally is there a procedure to encrypt only the directories where the filesystem is (may be kernel is the correct name, I am not sure) and not the Home directory. I am not interested in the encryption of my user data but in the encryption of the OS (I am not sure if the correct name is filesystem or kernel ). If I have understood correctly for example the new MacOS High Sierra filesystem (APFS) should provide this option. I would understand if and how to do the same in Mint.
Thanks
Kambeinux
So my question is: after the installation and Mint works normally is there a procedure to encrypt only the directories where the filesystem is (may be kernel is the correct name, I am not sure) and not the Home directory. I am not interested in the encryption of my user data but in the encryption of the OS (I am not sure if the correct name is filesystem or kernel ). If I have understood correctly for example the new MacOS High Sierra filesystem (APFS) should provide this option. I would understand if and how to do the same in Mint.
Thanks
Kambeinux
Re: FileSystem encryption during installation
Not possible. What should be the meaning for this?Kambeinux wrote:but in the encryption of the OS
Re: FileSystem encryption during installation
Kambeinux, can you explain what your end goal is?
If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!
Re: FileSystem encryption during installation
The aim is the best possible PC security. On the basis of what I have read on the net it is suggested to encrypt the filesystem of the OS to avoid that an attacher may run his code on your pc, hack your pc or stole information and so on. I am not a computer expert but curious to learn more about this. All the persons I know said to me that Linux is the most robust OS in terms of security and also in terms of stability. That's way I am interested in, just to replace windows with something quite better under all points of view.
Kambeinux
Kambeinux
Re: FileSystem encryption during installation
Encrypting the drive - whether fully or partially - does help against local attackers, in other words, if an attacker gets physically in touch with the device. Encryption does not help against distant attacks, e, g via Internet connection. That has a simple reason: As soon as you use the computer, you have to unlock the drive, or your home (depending from what you have encrypted). After that it makes for an attacker absolutely no difference, whether there is something encrypted, until you shut the computer down again. So encrypting as a measurement against distant attackers is an illusion.Kambeinux wrote:On the basis of what I have read on the net it is suggested to encrypt the filesystem of the OS to avoid that an attacher may run his code on your pc, hack your pc or stole information and so on.
The protection of the system itself - that is all except your home with your user data and settings - gets done by the Linux self protection, which is a part of the privilege differentiation of the users. More practically: Whoever - you or an attacker - wants to do system changes, has to enter a password. You can, because you know it, the attacker cannot not. This mechanism works fully independent from encrypting anything.
Also fully independent from the encryption status of the computer a distant attacker can possibly execute arbitrary code on the system - if there is an open security leak in the system, which allows it. So an important measurement against attacks is to apply security fixes. For all software, which you install via the package management - that is in practical terms mostly the software manager or synaptic - you get noted by the update manager, as soon as an update is available. Also the update manager indicates by a red exclamation mark if an update is a security update.
- austin.texas
- Level 20
- Posts: 12003
- Joined: Tue Nov 17, 2009 3:57 pm
- Location: at /home
Re: FileSystem encryption during installation
As Cosmo said, security updates are your main line of defense against internet attacks. In addition to security updates for programs (such as your web browser) there are occasional updates for your linux kernel - available in the Update Manager > View menu > Linux kernels
TUTORIAL: Install Veracrypt 1.19 on Mint 18 Cinnamon x64catweazel wrote:If you need to keep documents private, try Veracrypt. You can create custom sized files and store your data in there.
Mint 18.2 Cinnamon, Quad core AMD A8-3870 with Radeon HD Graphics 6550D, 8GB DDR3, Ralink RT2561/RT61 802.11g PCI
Linux Linx 2018
Linux Linx 2018
Re: FileSystem encryption during installation
Thank you so much guys for your explanations and suggestions.
Now I have more clear ideas.
So I will use a user that has no root privileges, so that's the security.
I will also take care of the updates installation.
Thanks
Kambeinux
Now I have more clear ideas.
So I will use a user that has no root privileges, so that's the security.
I will also take care of the updates installation.
Thanks
Kambeinux
Re: FileSystem encryption during installation
You can do this and of course it does nor decrease security. But it also does not increase it. It only makes life a little bit more circumstantial.There is a big difference between Windows (where an admin account is actually admin) and Linux, where the admin type account can get root privileges, but only by entering the password. In Linux also the admin type account does never get the owner of system files, but only the virtual account root is the owner.Kambeinux wrote:So I will use a user that has no root privileges, so that's the security.
The main idea behind a second, non-admin type account is to give another physical person a platform for using the computer without the possibility to do system changes.
Re: FileSystem encryption during installation
When Mint 19 is released in a few months you can install FSprotect 1.7 if you like as it will turn your drive into read only setup so nothing gets written to disk.
If you want to install anything like software updates or applications you simply put the drive back to normal by removing the FSprotect command during the boot up screen and once you have finished making changes to the drive you just reboot to go back too read only.
If you want to install anything like software updates or applications you simply put the drive back to normal by removing the FSprotect command during the boot up screen and once you have finished making changes to the drive you just reboot to go back too read only.
Re: FileSystem encryption during installation
Cosmo. wrote:You can do this and of course it does nor decrease security. But it also does not increase it. It only makes life a little bit more circumstantial.There is a big difference between Windows (where an admin account is actually admin) and Linux, where the admin type account can get root privileges, but only by entering the password. In Linux also the admin type account does never get the owner of system files, but only the virtual account root is the owner.Kambeinux wrote:So I will use a user that has no root privileges, so that's the security.
The main idea behind a second, non-admin type account is to give another physical person a platform for using the computer without the possibility to do system changes.
Thank you Cosmo,
Clear explanation.
Kambeinux
Re: FileSystem encryption during installation
Lucap wrote:When Mint 19 is released in a few months you can install FSprotect 1.7 if you like as it will turn your drive into read only setup so nothing gets written to disk.
If you want to install anything like software updates or applications you simply put the drive back to normal by removing the FSprotect command during the boot up screen and once you have finished making changes to the drive you just reboot to go back too read only.
Thanks Lucap,
I will try it.
Kambeinux