germawhich.blogg.se

Irdeto encryption system













Securing a root filesystem is where dm-crypt excels, feature and performance-wise. Unlike selectively encrypting non-root filesystems, an encrypted root filesystem can conceal information such as which programs are installed, the usernames of all user accounts, and common data-leakage vectors such as mlocate and /var/log/. Furthermore, an encrypted root filesystem makes tampering with the system far more difficult, as everything except the boot loader and (usually) the kernel is encrypted.

All scenarios illustrated in the following share these advantages; other pros and cons differentiating them are summarized below:

Shows a basic and straightforward set-up for a fully LUKS encrypted root.

  Advantages:
  • On a GPT partitioned disk, systemd can auto-mount the root partition.

  Disadvantages:
  • Inflexible; disk-space to be encrypted has to be pre-allocated.

Achieves partitioning flexibility by using LVM inside a single LUKS encrypted partition.

  Advantages:
  • Simple partitioning with knowledge of LVM.
  • Only one key required to unlock all volumes (e.g.
  • Volume layout not transparent when locked.
  • Easiest method to allow suspension to disk.

  Disadvantages:
  • LVM adds an additional mapping layer and hook.
  • Less useful, if a singular volume should receive a separate key.

Uses dm-crypt only after the LVM is set up.

  Advantages:
  • LVM can be used to have encrypted volumes span multiple disks.
  • Easy mix of un-/encrypted volume groups.

  Disadvantages:
  • Complex; changing volumes requires changing encryption mappers too.
  • Slower boot time; each encrypted LV must be unlocked separately.

without a LUKS header and its options for multiple keys. This scenario also employs USB devices for /boot and key storage, which may be applied to the other scenarios.

  Advantages:
  • Data resilience for cases where a LUKS header may be damaged.

  Disadvantages:
  • High care to all encryption parameters is required.
  • Single encryption key and no option to change it.

Shows how to encrypt the boot partition using the GRUB bootloader. This scenario also employs an EFI system partition, which may be applied to the other scenarios.

  Advantages:
  • Same advantages as the scenario the installation is based on (LVM on LUKS for this particular example).
  • the boot loader and the EFI system partition, if present

  Disadvantages:
  • Same disadvantages as the scenario the installation is based on (LVM on LUKS for this particular example).

Shows how to encrypt a Btrfs system, including the /boot directory, also adding a partition for swap, on UEFI hardware.

  Advantages:
  • Similar advantages as #Encrypted boot partition (GRUB).

  Disadvantages:
  • Similar disadvantages as #Encrypted boot partition (GRUB).

While all above scenarios provide much greater protection from outside threats than encrypted secondary filesystems, they also share a common disadvantage: any user in possession of the encryption key is able to decrypt the entire drive, and therefore can access other users' data. If that is of concern, it is possible to use a combination of blockdevice and stacked filesystem encryption and reap the advantages of both. See Data-at-rest encryption to plan ahead.

See dm-crypt/Drive preparation#Partitioning for a general overview of the partitioning strategies used in the scenarios. Another area to consider is whether to set up an encrypted swap partition and what kind. See dm-crypt/Swap encryption for alternatives.

If you want to protect the system's data not only against physical theft but also need precautions against logical tampering, see dm-crypt/Specialties#Securing the unencrypted boot partition for further possibilities after following one of the scenarios. For solid state drives you might want to consider enabling TRIM support, but be warned, there are potential security implications.













