Question about the order of FDE steps with LUKS and LVM
I'm setting up FDE and wonder which one is better: "LVM over LUKS" or "LUKS over LVM"? Or something else? Is one definitely better than the other? What is your preference?
It depends on where you want your encryption. If you want all of your LVM volumes to be encrypted at once, then you want LVM over LUKS. If you want volumes with different encryption, or no encryption, then you want LUKS over LVM. You can also do LUKS over LVM over LUKS if you must, but that's kinda dumb.
LVM over LUKS is more common as generally people want to encrypt everything.
I use ZFS native encryption, so I guess that's closer to LUKS over LVM for personal preference.
From the info I've gathered, it seems that LUKS over LVM is the "proper" way, as ideally you'd only want to encrypt swap, /tmp and /var. (/tmp and /var are places for temporary files, i.e. opening a .zip archive. Swap is just RAM on your hard drive, so a place where your passwords could be stored.) Encrypting the root (equivalent of "program files" in Windows) won't make your system more secure, just slower. (If you live in a place where you need to keep the list of your installed apps private, you'd probably be fricced by using encryption anyways.) The home directory should obviously be encrypted ~~but for the best performance you should use file level encryption instead of block level.~~ edit: Do your own research on the performance, a reply claims otherwise, though leaving the root partition unencrypted obviously increases R/W speed.
The thing is that setting it up this way is pretty hard, so distros generally use 2 easier methods to set up encryption. Either encrypt the whole disk (LVM over LUKS) or encrypt only the home directory. I wonder whether the latter is secure enough though. Mint for example does not explicitly state that swap, /var and /tmp are encrypted when you select "encrypt home directory", but on Cinnamon there is no hibernation option, so there is a chance that swap is encrypted, just with a one-time password, which gets generated on boot and deleted after shutdown. <--- citation needed... edit: I've just tried hibernating in Mint without FDE and it didn't work, you just get a new session after resuming, so that's good.
I thought FDE is to thwart physical access to exfiltrate and/or recover data. Making the root partition unencrypted surely will boost performance, but I feel like this opens up an additional avenue for an attacker to exploit and defeats the purpose of doing FDE? It isn't just making "installed apps private" but literally replacing some binaries with a backdoored version, which then enables access to decrypted data.
If you're not careful /etc can also contain passwords and other sensitive files. My WiFi password is there for example because it needs to be in the wpa_supplicant config file. On servers that's TLS certificates and keys.
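As an added illustration of the two layerings discussed above (not code from any poster here): this audits the block-device stack under each mountpoint, names the ordering (LVM over LUKS vs LUKS over LVM) and flags sensitive mounts with no dm-crypt layer beneath them, which is the "unencrypted root" case raised in the replies. The two `lsblk -J` trees are constructed samples, not captured from a real machine.

```python
import json

# Constructed `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` output (not from a real
# machine) for "LVM over LUKS": one LUKS container holds the PV and every LV.
LVM_OVER_LUKS = json.loads("""{"blockdevices": [
 {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
  {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
  {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
   {"name": "cryptroot", "type": "crypt", "fstype": "LVM2_member", "mountpoint": null, "children": [
    {"name": "vg-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"},
    {"name": "vg-home", "type": "lvm", "fstype": "ext4", "mountpoint": "/home"},
    {"name": "vg-swap", "type": "lvm", "fstype": "swap", "mountpoint": "[SWAP]"}]}]}]}]}""")

# Constructed "LUKS over LVM" layout with root left in the clear, as the
# "only encrypt swap, /tmp, /var and /home" scheme in the thread would give.
LUKS_OVER_LVM = json.loads("""{"blockdevices": [
 {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null, "children": [
  {"name": "sdb1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
  {"name": "sdb2", "type": "part", "fstype": "LVM2_member", "mountpoint": null, "children": [
   {"name": "vg-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"},
   {"name": "vg-home", "type": "lvm", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
    {"name": "crypthome", "type": "crypt", "fstype": "ext4", "mountpoint": "/home"}]},
   {"name": "vg-swap", "type": "lvm", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
    {"name": "cryptswap", "type": "crypt", "fstype": "swap", "mountpoint": "[SWAP]"}]}]}]}]}""")

def mount_stacks(tree: dict) -> dict:
    """Map each mountpoint to the chain of device types beneath it, disk first."""
    stacks = {}
    def walk(dev, path):
        here = path + [dev["type"]]
        if dev.get("mountpoint"):
            stacks[dev["mountpoint"]] = here
        for child in dev.get("children", []):
            walk(child, here)
    for dev in tree["blockdevices"]:
        walk(dev, [])
    return stacks

def layering(stack: list) -> str:
    """Name the LUKS/LVM ordering of one device chain."""
    if "crypt" in stack and "lvm" in stack:
        return "LVM over LUKS" if stack.index("crypt") < stack.index("lvm") else "LUKS over LVM"
    return "plain LUKS" if "crypt" in stack else "unencrypted"

def cleartext_mounts(tree: dict, sensitive=("/", "/home", "/var", "/tmp", "[SWAP]")) -> list:
    """Sensitive mountpoints with no dm-crypt layer anywhere beneath them.
    A /var or /tmp that is not its own mount lives on "/" and is covered by it."""
    stacks = mount_stacks(tree)
    return sorted(mp for mp in sensitive if mp in stacks and "crypt" not in stacks[mp])
```

To audit a live host, feed `json.loads(subprocess.check_output(["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"]))` to the same functions.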
In my experience block level is faster, and less of a hassle, and can support hibernation properly. Also much easier if you want just one big partition so as not to waste space on separate root, home and var.
I prefer just luck, i.e. good luck using my crappy credit for anything if you steal my machine 😹.
For real though, I had a family member pass away and getting their crypto keys was problematic despite good planning on their part. Does anyone else have a plan for passing on access to encrypted data?