My laptop isn’t under my supervision most of the time. And I’d hate it if someone were to steal my SSD, or whole laptop even, when I’m not around. Is there a way to encrypt everything, but still keep the device in sleep, and unclock it without much delay. It’s a very slow laptop. So decryption on login isn’t viable, takes too long. While booting up also takes forever, so it needs to be in a “safe” state when simply logged out. Maybe a way that’s decrypt-on-demand?
I’m on Arch with KDE.
The standard route is to decrypt on boot. It happens after GRUB but before your display manager starts. IDK if there even is a setup that has you “decrypt on login”. Thats sounds like your display manager (sddm for KDE) is decrypting system which is not possible IMO.
Unless your laptop somehow has multiple drives you’ll want to use the “LVM on LUKS” configuration. 1 small partition for
/boot. The rest gets LUKS encrypted, and an LVM group is put on the LUKS container. Or you could replace LVM with btrfs.This will require wiping your system and reinstalling so you have some reading to do.
- https://wiki.archlinux.org/title/Dm-crypt (aka LUKS)
- https://wiki.archlinux.org/title/Dm-crypt/System_configuration
- https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system
- https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS
The
arch-installscript in the live iso has options for full disk encryption.If you suspend to RAM your system will stay unencrypted, because your ram is not encrypted. if you suspend to disk (aka hibernate) your system will be encrypted. You go through the boot loader when waking from hibernation but it just drops you off where you left off.
You need a swapfile for hibernation so make sure its inside the LUKS container.
There is a way for just your home folder to be encrypted, Linux Mint has it as an option.
Looks like they use eCryptFS. Never heard of it before so thats neat. I can see using it on systems where you can’t reinstall the system with Dm-crypt but it most cases I suspect Dm-crypt is a better alternative.
Idk if its faster or slower than Dm-crypt.
+1 for LVM on LUKS
To add to the comments, most distros do not offer FDE by default when installing. You have to jump thru hoops. No idea why this is still the case given how many consumer computers are laptops these days, it seems crazy.
The big exception seems to be PopOS, an Ubuntu derivative which is intended for laptops. FDE by default so it must be pretty easy to get that up and running.
Ubuntu itself has a solid FDE option on install, too. It sets up the LVM configuration as already described, no expertise needed. And IME works very reliably.
openSUSE also has a simple FDE setup. Just check a box and enter a passphrase during install. It’s not default, but it’s about as easy as possible to set up.
I’m pretty sure all the major distros have FDE as an option in the installer its just never on by default. Fedora does the same but with BTRFS on LUKS. I’m sure Debian does. Someone else says OpenSuse does. Maybe some derivative distros don’t but I suspect the ones with an graphical installer do.
its just never on by default
Except PopOS, as I understand it. IMO that is a major point in its favor and against its competitors, given the dominance of laptops today. I see no reason why this is still opt-in, rather than opt-out as on mobile OSs.
I think PopOS can safely assume that its being installed on a laptop with only one drive. If there’s multiple drives involved then the setup gets far more complicated as you then must go to something like an LUKS on LVM setup. Basically, for a desktop there’s no safe defaults for FDE.
You technically could encrypt just your home but that’s not the recommended approach.
okay I got my homework, I’ll read on these.
Keep in mind an unencrypted /boot partition still leaves you open to an evil maid attack. I’m not really paranoid (or interesting) enough that I feel the need to take measures to prevent those kinds of attacks, but your situation may differ.
How old are we talking? If the CPU is >10 years old and/or some kind of ARM, it may not have hardware encryption acceleration, which means it’ll happen in software. I did that once, it was horrible.
lscpu |grep -i aesshould probably tell you what you need to know.If you don’t have hardware encryption you can use
--cipher xchacha20,aes-adiantumoption when runningcryptsetupto make it way faster than standard aes cipher in software.It does give me a result so I do have “aes”. How can I use it?
We’re talking an Intel i5-8350U. it has 16GBs of ram and 500GB of SSD.
That’s not a slow laptop. I’ve been daily driving worse for years.
To protect the data from random thief just browsing through the files I still use ecryptfs. It only encrypts the home directory, and the keys are derived from my accounts password, so no extra hassle.
The encryption is weak by the current standards, and wouldn’t stop a determined attacker, but it’s 100% better than nothing, and I’ve never noticed any performance problems.
I’m not planning on putting information on my laptop that I don’t have to. Speed for a bit of security sounds good. I’ll look into
ecryptfs. And also into boot time, lots of you are screaming at me that it’s a fast laptop. what how
You said you’re on Arch, you’ll want to go through their docs which are solid: https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system
That is absolutely not a slow laptop. If it takes a long time to boot there must be something wrong. I have a similar system that takes about ten seconds to boot.
Anyways, like others said, LVM with LUKS is the simplest. It uses your hardware to quickly decrypt the drive on boot. While it is running access to your data is protected by your login manager or lock screen.
That’s a hard thing to do for a bunch of reasons. There’s someone else who went into em so I’m not gonna do that.
Unless something’s seriously wrong, it would probably be better to just make your laptop boot faster.
So, what’s your laptop, what kind of disk does it have and how long does it take to boot/login?
Is your idea to do the easier decrypt on boot, and optimize the boot times?
I could probably do that, but someone else said that there is a decrypt on hibernate, seems better.
Yeah im thinking do “normal” decrypt on boot. It’ll be easier to troubleshoot and recover from if something goes wrong and there’s fewer pitfalls to deal with.
I also suspect that theres a problem with your computer because boot times have been pretty fast for many years now.
E: I just now saw that you’re using an eighth generation intel processor, plenty of ram and an ssd.
I have the same situation but a much older processor and my boot times from button press to desktop are ~10 seconds.
Unless your expectations for boot times are way out of line, you ought to have no problem using decrypt on boot.
One possibility is that your ssd has aged and is having to read those old system file blocks hundreds of times to get it right. Badblocks -n or spinrite level 2 or 3 scan fixes this problem.
I bought it used, so I’m interested in your last point. I’ve reinstalled it - first thing I did. Do SSDs slow down overtime? And there is a linux command to fix that? Sound crazy, can you elaborate?
Yeah badblocks -n /dev/your_target_device launched from a different boot device.
You can’t run it from your install because it’s gonna read every block into memory and then write some crap to it and read it back to make sure the block works then write what was originally there back to it.
It’s really important that you check yourself before you wreck yourself with the badblocks command because you can destroy data if you use the wrong flags.
Another program that fixes that problem is spinrite. It costs money but it’s very useful and has a lot of good documentation.
Each cell in the ssd isn’t a digital “1” or “0” but a charge coupled device that stores a voltage. Over time that potential changes in a way that’s directly proportional to the number of read cycles and age of the data from first write. When it changes enough, the controller has to try to read it many times to get a sane result it can send down the bus.
That results in your ssd seeming slow.
How long does it take to boot though, and what do you expect?
I encrypt my disk with LVM on my Debian laptop. You’ll need to reinstall your operating system, as you have to do special partitioning. If your device has a TPM, you can use Clevis to set it to auto-decrypt.
LUKS2
Maybe systemd-homed is the solution you are looking for. The arch wiki has a page for it. And this can be better for your use case because only your home folder needs decryption and not the whole drive.
There is this to keep in mind since you are using KDE, but can be easily fixed: https://wiki.archlinux.org/title/Systemd-homed#Home_directory_remains_active_after_logging_out_of_Plasma
Sounds perfect. I’ll need more sources to understand what it’s doing and how to config it. Thanks!
Most filesystems now how encryption that is better optimized for their specific performance & might be worth choosing over LUKS… ZFS, Bcachefs, F2FS, ext4
With an encrypted disk, you only need to enter the encryption password when you shutdown or restart. Suspending and
sleeplock screen don’t need your encryption password.Suspending to disk usually requires a password on resume.
That’s true for hibernation, but not suspending. Hibernation stores everything in RAM onto the disk then shuts off the PC; to resume the system, you need to unlock the disk to access that data. Suspending doesn’t turn off the computer, it keeps the CPU and RAM active.
On my Fedora system, I can hit the suspend button and get back into the OS without needing to type my encryption password, only my user password.
Ok so what do you call “sleep”? You’ve now listed suspending, sleeping, and hibernating as 3 different things.
I can sleep “sleep”. All system components are still powered on at this stage, so it uses the most power. But at the same time it’s the quickest to get back into your system. All that’s really happening with sleep is that the screen turns off.
Then you have suspend. Laptops often first go to sleep but then suspend after a long period of inactivity to save battery.
Then you have hibernation. I don’t think this is used that often nowadays.
I have never met anyone refer to “screen off” as “sleep”.
https://en.wikipedia.org/wiki/Sleep_mode
The terms everybody else are using are: “sleep” = “suspend to RAM” = “S3” and “hibernation” = “suspend to disk”.
LUKS2 with a strong hash.
It will take a while to decrypt but it will so be worth it. You only have to enter the password once.
I use ZFS on my workstations with Debian, but yeah full drive is the way to go i think even Linux Mint does full drive anymore, also remember to keep backups.
Encrypting and decrypting are complex operations that requires a lot from the hardware. The resources needed to encrypt and decrypt is proportionally correlated with the amount of files you’re encrypting and decrypting.
That said, there are some alternatives
- Encrypt the whole filesystem
- Encrypt only your home folder
- Encrypt only the files you wanna
There is an app, Vaults, that allows you to create vaults to easily encrypt and decrypt folders. Take a look on this app
ChatGPT, is that you?
Well, looks like now we cannot be helpful and polite that people call you ChatGPT
Sorry :(
(But seriously that formatting and phrasing was very very AI looking.)
lets not forget AI was trained on human data. some people will “sound like AI” because they likely make up a big portion of its demographic training data.
fr
Detectors say that you are human, you use multiple languages, and you are a moderator, but it feels like a 101 AI response. It’s horrible that we’re living in an era where you need to be careful about this. You were probably trying to format it nice, but I’ve only read this phrasing from AI.
But thanks for the answer, the home folder would probably be best. I don’t want to think about it after setting it up. All my downloads and docs are there. I also feel like the whole filesystem would take forever for me to unlock/boot.
Are the detectors part for real or were you just kidding? 😲
You were probably trying to format it nice, but I’ve only read this phrasing from AI.
Yes, I was, because I like to put my text well formated… I feel pain when I have to read bad formated texts, so I try to be as clean as possible
But thanks for the answer, the home folder would probably be best. I don’t want to think about it after setting it up. All my downloads and docs are there. I also feel like the whole filesystem would take forever for me to unlock/boot.
For home folder I think there is a better alternative, like systemd-homed or something like that
Are the detectors part for real or were you just kidding? 😲
they got your back, why are you suprised?
Others also said systemd-homed. And it looks promising, I’ll try it, but honestly I have no idea how to test it? From another user? From a liveboot usb?
Because I don’t even knew that this kind of tool exists. And it was precise AF. I just got surprised/scared haha
About systemd-homed, I guess that liveusb will not work… I suggest you to try in a VM and everything going ok, you may try on another user on your pc
Oh, I think I’ll wipe my laptop, and do it live. What I wanted to ask was how do I know if it’s working?
