Disk encryption.

Discussion of software apps
Post Reply
wove
Posts: 1188
Joined: Mon May 04, 2020 4:47 pm

Disk encryption.

Post by wove »

If I expect to be using a system a good deal I like to setup disk encryption. On Linux when disk encryption is setup you typically enter the pass phrase for the encryption before the system even starts to boot. It appears that all that is loaded is Grub. The same is true for my Android Phone and my Mac install. Nothing starts to happen until the encryption pass phrase is entered.

I have bit locker setup on Windows, but it never asks for a pass phrase until it gets to the user login. And the pass phrase appears to be the same as the user log on. Yet is you try and mount an encrypted device in Windows, you will have to enter a very long key that is much much longer than a typical password. I do not I understand how an encrypted system can boot without decrypting the drive. Does it mean that the only portion of the hard drive that is encrypted is the user folder, acting much like vaults work on KDE. Does Windows safe the decryption password somewhere on the system?
User avatar
tlmiller
Posts: 4848
Joined: Tue Jan 16, 2018 12:29 pm
Location: AZ, USA

Re: Disk encryption.

Post by tlmiller »

Bitlocker doesn't use passphrase, it uses the TPM keys. So if you have a physical/virtual TPM device on your machine, Bitlocker will use those keys to encrypt the device. So if the device is booted without said TPM, it won't decrypt. It's basically what I'm waiting for to become "1-click" on Linux so that I can move to encrypted devices. SEtting it up manually takes too much work IMO.
wove
Posts: 1188
Joined: Mon May 04, 2020 4:47 pm

Re: Disk encryption.

Post by wove »

Thanks for the explanation. I would think that TPM access would be open source enough (at least have some usable API that Linux could make use of.) It would be very nice if security could be made easier to use. Some devices seem close. With the X230 using Windows, you can swipe the finger print reader and it will turn the device on and take you into your account. I picked up a Yubi key thinking you could set something up like that. I think you can, but you need a fancier Yubi key than the one I bought. Mine only does 2fa.

With Pop OS and the X230 you can set up the finger print reader to turn on the computer. Then you have to enter a decryption password, then the finger print reader will log you into your account, where you once again need to enter your password to unlock the keychain. And that entire process is done with one finger print swipe in Windows.

Apple hardware takes this one step further. The finger print swipe will decrypt boot and take you into your account, while leaving any accounts for other users still encrypted. (Apple hardware does still require you to press the power button to start the machine, no finger print power on).
User avatar
tlmiller
Posts: 4848
Joined: Tue Jan 16, 2018 12:29 pm
Location: AZ, USA

Re: Disk encryption.

Post by tlmiller »

You could probably get Linux set up with a single fingerprint swipe, it's just that it would require setting up each part and linking them together manually. Which is a lot of work. And I'm lazy. So I wait until someone else figures it out and they deliver it in a shiny "check this box while installing to enable this" feature. :D
wove
Posts: 1188
Joined: Mon May 04, 2020 4:47 pm

Re: Disk encryption.

Post by wove »

tlmiller wrote: "check this box while installing to enable this" feature.
I am a big fan. :D
User avatar
crosscourt
Posts: 11100
Joined: Sun Jan 14, 2018 5:38 pm
Location: Wash DC
Contact:

Re: Disk encryption.

Post by crosscourt »

Id avoid Bitlocker in Windows as there have been too many issues in both Win10/11 mostly caused by updates. If youre experienced thats one thing otherwise, keep your sensitive data off your pc in a safe place.
Im also a fan of the check the box methodology.
Site Moderator
User avatar
crosscourt
Posts: 11100
Joined: Sun Jan 14, 2018 5:38 pm
Location: Wash DC
Contact:

Re: Disk encryption.

Post by crosscourt »

I wanted to add that Bitlocker has already been hacked so its definitely not a guarantee. I use external drives for saving important data and keep them disconnected from my system until I need them.
Site Moderator
Post Reply