Encrypting File System
Hello,
I collected very little documentation regarding file-system encryption on Linux.
I understand that it must be done at format stage and not after the FS has been sized and installed, in order to prevent data loss.
I would BTW like to ask here, in case I decide to encrypt just my /home dir (separate partition) with the existing data it contains, which risks I'm going to face.
Many thanks for your feedback.
Regards,
--
Marco Calistri
Build: openSUSE Tumbleweed 20211111
Kernel: 5.14.14-2-default
Desktop: XFCE (4.16.0)
On 14/11/2021 17.27, Marco Calistri wrote:
> Hello,
> I collected very little documentation regarding file-system encryption on Linux.
> I understand that it must be done at format stage and not after the FS has been sized and installed, in order to prevent data loss.
> I would BTW like to ask here, in case I decide to encrypt just my /home dir (separate partition) with the existing data it contains, which risks I'm going to face.
Can not be done.
It is not that it is a risk, it is that the procedure erases the partition.
Ok, it is not always erased. But say you could "read" the non-erased data: what was an 'A' in the first byte could now be a 'W', and what was an 'A' in the second position now decodes as a 'P'. So the partition is formatted, i.e., all sectors marked empty.
And one of the procedures does erase the partition by filling it first with random data.
So, if you want to encrypt your /home, first make a complete backup of it.
--
Cheers / Saludos,
Carlos E. R.
(from oS Leap 15.2 x86_64 (Minas Tirith))
On 14.11.2021 21:32, Carlos E. R. wrote:
> On 14/11/2021 17.27, Marco Calistri wrote:
>> Hello,
>> I collected very little documentation regarding file-system encryption on Linux.
>> I understand that it must be done at format stage and not after the FS has been sized and installed, in order to prevent data loss.
>> I would BTW like to ask here, in case I decide to encrypt just my /home dir (separate partition) with the existing data it contains, which risks I'm going to face.
> Can not be done.
Actually it can. LUKS2 even supports in-place encryption natively (cryptsetup reencrypt); for LUKS1 there were external tools. Of course, using them without a full backup is strongly not recommended.
> It is not that it is a risk, it is that the procedure erases the partition.
> Ok, it is not always erased. But say you could "read" the non-erased data: what was an 'A' in the first byte could now be a 'W', and what was an 'A' in the second position now decodes as a 'P'. So the partition is formatted, i.e., all sectors marked empty.
> And one of the procedures does erase the partition by filling it first with random data.
> So, if you want to encrypt your /home, first make a complete backup of it.
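
Added example, not part of any message in this thread: a sketch of the offline in-place conversion with `cryptsetup reencrypt` mentioned in the reply above. It assumes an ext4 filesystem, a hypothetical partition `/dev/sdX3` with mapper name `home_crypt`, and a verified full backup; by default it is a dry run that only prints the commands.

```bash
#!/usr/bin/env bash
# Added example: offline, in-place LUKS2 encryption of an existing ext4 partition.
# Assumptions (not from the thread): ext4 filesystem, unmounted, full backup taken.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 executes them as root.

RESERVE_MIB=32   # space freed at the end of the partition for the LUKS2 header

run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# Size (KiB) the filesystem must shrink to so RESERVE_MIB is free on the device.
fs_target_kib() {   # $1 = device size in bytes
    local dev_kib=$(( $1 / 1024 ))
    local reserve_kib=$(( RESERVE_MIB * 1024 ))
    [ "$dev_kib" -gt "$reserve_kib" ] || { echo "device too small" >&2; return 1; }
    echo $(( dev_kib - reserve_kib ))
}

encrypt_inplace() {   # $1 = partition, $2 = mapper name, $3 = device size in bytes
    local dev=$1 name=$2 bytes=$3 target
    target=$(fs_target_kib "$bytes") || return 1
    # Refuse to touch a mounted filesystem when running for real.
    if [ "${DRY_RUN:-1}" != "1" ] && findmnt -n --source "$dev" >/dev/null; then
        echo "$dev is mounted; unmount it first" >&2; return 1
    fi
    run e2fsck -f "$dev" || return 1              # stop if fsck reports anything
    run resize2fs "$dev" "${target}K" || return 1  # shrink before the header is added
    run cryptsetup reencrypt --encrypt --type luks2 \
        --reduce-device-size "${RESERVE_MIB}M" "$dev" || return 1
    run cryptsetup open "$dev" "$name" || return 1
    run resize2fs "/dev/mapper/$name"              # grow back to fill the mapping
}

# Constructed sample: a hypothetical 1 GiB partition /dev/sdX3. For a real run,
# pass "$(blockdev --getsize64 /dev/sdX3)" as the third argument.
DRY_RUN=1 encrypt_inplace /dev/sdX3 home_crypt $(( 1024 * 1024 * 1024 ))
```

After a real run, /etc/crypttab and /etc/fstab still have to be pointed at the new mapping before /home will mount at boot.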
On 14/11/2021 20.06, Andrei Borzenkov wrote:
> On 14.11.2021 21:32, Carlos E. R. wrote:
>> On 14/11/2021 17.27, Marco Calistri wrote:
>>> Hello,
>>> I collected very little documentation regarding file-system encryption on Linux.
>>> I understand that it must be done at format stage and not after the FS has been sized and installed, in order to prevent data loss.
>>> I would BTW like to ask here, in case I decide to encrypt just my /home dir (separate partition) with the existing data it contains, which risks I'm going to face.
>> Can not be done.
> Actually it can. LUKS2 even supports in-place encryption natively (cryptsetup reencrypt); for LUKS1 there were external tools. Of course, using them without a full backup is strongly not recommended.
:-o
--
Cheers / Saludos,
Carlos E. R.
(from oS Leap 15.2 x86_64 (Minas Tirith))
On Sunday, 14 November 2021 17:27:37 CET, Marco Calistri wrote:
> Hello,
> I collected very little documentation regarding file-system encryption on Linux.
> I understand that it must be done at format stage and not after the FS has been sized and installed, in order to prevent data loss.
> I would BTW like to ask here, in case I decide to encrypt just my /home dir (separate partition) with the existing data it contains, which risks I'm going to face.
Various (meta)data can leak via unencrypted locations, like /tmp, logs, cache, etc. Also, these parts might be changed (e.g. modified binaries, well, might be too paranoid :-), so whole disk encryption gives you much higher security. Theoretically, it can be done on already existing partitions, but you are at risk of data loss, and the encryption won't be so good due to the need to keep existing data, so it's not recommended in any case.
--
Vojtěch Zeisek
https://trapa.cz/
Community of the openSUSE GNU/Linux
https://www.opensuse.org/
On 14/11/21 13:27, Marco Calistri wrote:
> Hello,
> I collected very little documentation regarding file-system encryption on Linux.
> I understand that it must be done at format stage and not after the FS has been sized and installed, in order to prevent data loss.
> I would BTW like to ask here, in case I decide to encrypt just my /home dir (separate partition) with the existing data it contains, which risks I'm going to face.
> Many thanks for your feedback.
> Regards,
> --
> Marco Calistri
> Build: openSUSE Tumbleweed 20211111
> Kernel: 5.14.14-2-default
> Desktop: XFCE (4.16.0)
Hello,
I will not thank everyone one by one, also to avoid loading the list. But at least I would like to give one "big thank-you" to all the people who provided me their feedback regarding this matter.
Best regards!
--
Marco Calistri
Build: openSUSE Tumbleweed 20211111
Kernel: 5.14.14-2-default
Desktop: XFCE (4.16.0)
participants (4)
- Andrei Borzenkov
- Carlos E. R.
- Marco Calistri
- Vojtěch Zeisek