An advice regarding disk encryption

Hi guys,

I wanted your advice regarding disk encryption.

Well, I think I do not need full disk encryption. I am most preoccupied with my personal data, like photos, videos, annotations, documents, etc, in a case where I need to send the laptop to some external technician (these days I do mostly simple and/or quick maintenance, like SSD replacement, etc).

So, I thought in to protect with encryption only these kind of data. I have 2 1 TB SSD on this machine, one of them a NVME.

I thought in to create a separate partition just for that, transferring all personal and critical data from my /home to it. So, I would encrypt just this separate new partition.

I also use this laptop for gaming, so I do not wanted to handle encryption on /home and/or any possible slowdowns or problems.

So, I needed your advice about what would be the easiest and quick way to encrypt this new data partition, if possible.

Also, I do daily backups using rsync (to external SSDs) and cloud (Mega, through Mega’s desktop app). So I also need to be able to do these backups in a non-encrypted way, if possible.

Thanks in advance for your help.

There is no appreciable slowdown or increased risk with full-disk encryption. (unless you forget your password)

Furthermore, with the scheme you propose, there are all kinds of ways data can leak to unencrypted parts of your disk (cache, thumbnails, …). Eg: Open a photo from /…/your_vault? Or even browse them with preview on? You immediately get a smaller unencrypted version of it created in /home/you/.cache/thumbnails/ (in the case of KDE; different programs use different locations).

Use FDE.

Well, I have not thought that.

What tools do you recommend for FDE? And is there some good tutorial for that in a running system, like mine?

Some partition manager tools, such as the kde partition manager and gnome-disks, will enable you to create an encrypted partition. BUT…

…While I’m sure it’s possible to encrypt a running system (well, already installed, not running as in actually powered on) I would strongly advise against trying.

It’s in the best case scenario a fairly risky operation, both in terms of “oops wrong command” and in terms of being a long operation that will eat all your data if anything happens to interrupt it.

Better to 1° backup (eg. rsync -a or whatever) your home on another disk, 2° reinstall EOS or whatever distribution you want, activating FDE when given the option (be careful if your keyboard is not QWERTY, non-us layouts are not necessarily loaded at boot time; depends on exact boot config), 3° restore your /home from backup

1 Like

Just to make sure we’re on the same page:

FDE does not prevent you from backing up to an unencrypted location.

It just means that the source disk must be unlocked before use. That can be done by you providing the password at boot, from a live CD / dual boot or whatever. Once and so long as the disk is unlocked, the encryption is completely transparent; it’s just a regular disk with data on it. En/decryption are done on the fly, in memory.

1 Like

Thank you very much.

I understood. I’ll do as you suggested and reinstall EOS.

Humm interesting read, I have taught about encryption my self.

One issue i can see is if you have to reinstall your system for whatever reason or even change distro?(yeah right as if I would get rid of EndeavourOS!) can you access and remove encryption of your files somehow?.

The optimal procedure to reinstall (assuming not losing data is priority 1) is the same as always: [unlock if encrypted,] backup /home to other disk, reinstall, restore.

You can technically remove the encryption in place, if that’s what you mean, but that’s a terrible idea, with high risk of data loss, for the same reasons as the reverse operation discussed above.

Okey thanks for info.
I’m going to look into Maby do a full encryption on next reinstall.

You’re welcome.

For laptops in particular, encryption is an absolute must. You don’t want everyone with unsupervised physical access to the laptop (e.g. thieves, or just any malicious co-worker or host) to also have easy access to all your data (accounts, etc). It takes <5 minutes and a USB key to get it otherwise, and leaves no traces.

While FDE is not strictly necessary against all probable threats – a thief is unlikely to extract leaked data from /var, cache, or swap files if only /home is encrypted – it’s both much stronger than and at least as easy to setup and live with as partial (e.g. /home) encryption. Go FDE!

Okay, that’s enough FDE cheerleading from me for today. Bye.

1 Like