FileSystem encryption during installation

[Kambeinux]

Hello everyone,

I'm organizing to do my first installation of linux and especially Mint. I have read the installation manual and would like to better understand one aspect of the installation procedure. At some point there is the possibility to encrypt the disk. I would like to know if this disk encryption also implies file system encryption.

Thank you
Kambeinux

[catweazel]

Yes, it does. However with you being new to linux I strongly urge you to avoid encryption until you've got more experience.

[Kambeinux]

Thank you so much for your answer.
One doubt: which is the effect of the disk encription in terms of user experience ? I mean: why is it better for an unexperienced Linux user to avoid the disk encription ?

Thanks
Kambeinux

[Cosmo.]

New users have a tendency to do mistakes, which can lead to an unusable system. And far too many users do not do regularly backups on an external drive. The result of both is possible data loss.

[catweazel]

Thank you so much for your answer.
One doubt: which is the effect of the disk encription in terms of user experience ? I mean: why is it better for an unexperienced Linux user to avoid the disk encription ?

As Cosmo has indicated, mistakes can be made, passphrases forgotten, a corrupt installation could clobber your ability to get at your data; it's another level of complexity, and greater complexity leads to greater risk. The consequences I see on the forums are worse than Cosmo has indicated. You risk a total and irreversible loss of data.

If you need to keep documents private, try Veracrypt. You can create custom sized files and store your data in there.

[Kambeinux]

Thank you guys for your clear explanations,

my real need would be the filesystem encryption only and not necessarly the entire drive.
So is the only filesystem encription equally risky ?
Is there a procedure to encrypt the file system only ?

Thanks
Kambeinux

[Cosmo.]

I don't know what you mean with "only file system encryption".

You have at installation 2 choices: Either encrypt the complete drive or only your home. The risks I named above are similar in both cases, especially if you do not make very regularly backups of your home, at least once per day before you shut down or reboot. And of course not to forget: In case you should forget your password (you wouldn't be the first) you can only say goodby to your user data.

[Kambeinux]

It's clear to me that both the choices during installation may cause the risks you mentioned.
So my question is: after the installation and Mint works normally is there a procedure to encrypt only the directories where the filesystem is (may be kernel is the correct name, I am not sure) and not the Home directory. I am not interested in the encryption of my user data but in the encryption of the OS (I am not sure if the correct name is filesystem or kernel ). If I have understood correctly for example the new MacOS High Sierra filesystem (APFS) should provide this option. I would understand if and how to do the same in Mint.

Thanks
Kambeinux

[Cosmo.]

but in the encryption of the OS

Not possible. What should be the meaning for this?

[Moem]

Kambeinux, can you explain what your end goal is?

[Kambeinux]

The aim is the best possible PC security. On the basis of what I have read on the net it is suggested to encrypt the filesystem of the OS to avoid that an attacher may run his code on your pc, hack your pc or stole information and so on. I am not a computer expert but curious to learn more about this. All the persons I know said to me that Linux is the most robust OS in terms of security and also in terms of stability. That's way I am interested in, just to replace windows with something quite better under all points of view.

Kambeinux

[Cosmo.]

On the basis of what I have read on the net it is suggested to encrypt the filesystem of the OS to avoid that an attacher may run his code on your pc, hack your pc or stole information and so on.

Encrypting the drive - whether fully or partially - does help against local attackers, in other words, if an attacker gets physically in touch with the device. Encryption does not help against distant attacks, e, g via Internet connection. That has a simple reason: As soon as you use the computer, you have to unlock the drive, or your home (depending from what you have encrypted). After that it makes for an attacker absolutely no difference, whether there is something encrypted, until you shut the computer down again. So encrypting as a measurement against distant attackers is an illusion.

The protection of the system itself - that is all except your home with your user data and settings - gets done by the Linux self protection, which is a part of the privilege differentiation of the users. More practically: Whoever - you or an attacker - wants to do system changes, has to enter a password. You can, because you know it, the attacker cannot not. This mechanism works fully independent from encrypting anything.

Also fully independent from the encryption status of the computer a distant attacker can possibly execute arbitrary code on the system - if there is an open security leak in the system, which allows it. So an important measurement against attacks is to apply security fixes. For all software, which you install via the package management - that is in practical terms mostly the software manager or synaptic - you get noted by the update manager, as soon as an update is available. Also the update manager indicates by a red exclamation mark if an update is a security update.

[austin.texas]

As Cosmo said, security updates are your main line of defense against internet attacks. In addition to security updates for programs (such as your web browser) there are occasional updates for your linux kernel - available in the Update Manager > View menu > Linux kernels

If you need to keep documents private, try Veracrypt. You can create custom sized files and store your data in there.

TUTORIAL: Install Veracrypt 1.19 on Mint 18 Cinnamon x64

[Kambeinux]

Thank you so much guys for your explanations and suggestions.
Now I have more clear ideas.
So I will use a user that has no root privileges, so that's the security.
I will also take care of the updates installation.

Thanks
Kambeinux

[Cosmo.]

So I will use a user that has no root privileges, so that's the security.

You can do this and of course it does nor decrease security. But it also does not increase it. It only makes life a little bit more circumstantial.There is a big difference between Windows (where an admin account is actually admin) and Linux, where the admin type account can get root privileges, but only by entering the password. In Linux also the admin type account does never get the owner of system files, but only the virtual account root is the owner.

The main idea behind a second, non-admin type account is to give another physical person a platform for using the computer without the possibility to do system changes.

[Lucap]

When Mint 19 is released in a few months you can install FSprotect 1.7 if you like as it will turn your drive into read only setup so nothing gets written to disk.

If you want to install anything like software updates or applications you simply put the drive back to normal by removing the FSprotect command during the boot up screen and once you have finished making changes to the drive you just reboot to go back too read only.

[Kambeinux]

So I will use a user that has no root privileges, so that's the security.

You can do this and of course it does nor decrease security. But it also does not increase it. It only makes life a little bit more circumstantial.There is a big difference between Windows (where an admin account is actually admin) and Linux, where the admin type account can get root privileges, but only by entering the password. In Linux also the admin type account does never get the owner of system files, but only the virtual account root is the owner.

The main idea behind a second, non-admin type account is to give another physical person a platform for using the computer without the possibility to do system changes.

Thank you Cosmo,
Clear explanation.

Kambeinux

[Kambeinux]

When Mint 19 is released in a few months you can install FSprotect 1.7 if you like as it will turn your drive into read only setup so nothing gets written to disk.

If you want to install anything like software updates or applications you simply put the drive back to normal by removing the FSprotect command during the boot up screen and once you have finished making changes to the drive you just reboot to go back too read only.

Thanks Lucap,
I will try it.

Kambeinux