"Full" disk encryption install?

Questions about SolydX and SolydK installation.
User_1
Posts: 9
Joined: 17 Mar 2017 04:14

"Full" disk encryption install?

Postby User_1 » 17 Mar 2017 05:15

I am pleased to find the SolydXK distro and appreciate the nice work that you folks are doing, especially, the thoughtful implementation of KDE Plasma for Debian. I want to try the SolydK EE but would like to install with "full" disk encryption (all but boot). Is there a simple solution to create a condition where root, home and swap are all encrypted under a single password during install? I have read various prior discussions concerning full disk encryption in this Forum, but have yet to find any indication whether it can be created with a simple, straight forward approach.

Thanks in advance for any insight you can share.

User avatar
ilu
Posts: 2539
Joined: 09 Oct 2013 12:45

Re: "Full" disk encryption install?

Postby ilu » 18 Mar 2017 14:04

Have a look at this topic, it should work: https://forums.solydxk.com/viewtopic.php?f=72&t=5979

I'm not sure how the password is handled, because I have never done it myself. You'll have to try yourself.

User_1
Posts: 9
Joined: 17 Mar 2017 04:14

Re: "Full" disk encryption install?

Postby User_1 » 23 Mar 2017 19:13

I don't think your suggested post really addresses the question ... perhaps I am missing something? That post shows a shot of the Antergos installer, not the Solyd installer. Despite the additional reference to disk encryption being now available in a nightlies, I don't actually see it!

Having run the EE installer through a couple of times, what I see is a slightly broken interface that permits encryption of certain, individual partitions. I say 'broken' in that the installer on my verified live DVD presents no check box for partition encryption options, as is shown in the install screen shots on this website. Activating the partition encryption seems to happen almost accidentally when one clicks on the partition, and even then, inconsistenly activated. I found it impossible to activate encryption on the /swap partition, watering down further any concept of 'full-disk' encryption. Furthermore, encrypting multiple partitions seems to result in multiple passphrase login requirements, which is the thing in my post that I was looking to avoid.

Having worked through installs of both Debian 8 and 9, I note that full-disk encryption is available as an install option, but also not without issues. The solution there, is an encrypted LVM volume group that seems to produce a documented failure of the LVMETAD. I don't know if this failure is a security concern, but any bugs around the encryption solution raise concerns, for lockout if not vulnerability.

I don't mean to diss this nice distro, but I would like to know if I've missed some undocumented feature of SolydK, or even why full-disk encryption is not a higher priority in the Debian family?

User avatar
ilu
Posts: 2539
Joined: 09 Oct 2013 12:45

Re: "Full" disk encryption install?

Postby ilu » 23 Mar 2017 21:54

Of course I wasn't talking about Antergos. Later on in the posting I cited is this screenshot: https://forums.solydxk.com/viewtopic.ph ... 979#p57979. That's how it works on SolydX Jessie. Maybe I don't understand correctly what you want? Do you want to also encrypt the partition table? I don't think that's possible at the moment with SolydXK. But it might be something to discuss. Everybody is welcome to help improve the code at http://github.com/solydxk.

Since you mentioned the EE Installer: Note that EE is software in development. If something doesn't work the way it should (as you are saying), please report a bug. We are glad about anyone who reports his/her testing experiences. Which exact ISO did you use? KDE gave everybody a hard time to get things right. Try the latest ISO from http://downloads.solydxk.com/ce/testing/ although that still has problems.

Edit: Right, that was a bug that should be fixed in the ISOs in /ce/testing.

Regarding Passwords: I haven't tried, so I don't know but if something can be improved now might not be the best time because the focus atm is to get everything working for stretch.

Regarding swap: Don't use it. Most modern systems run well without, in fact some people here claim that swap actually slows them down. If your system is below about 4GB RAM, there's still the possibility to use a swap file which would be on the encrypted partition. I must admitt that I haven't tried that.

User_1
Posts: 9
Joined: 17 Mar 2017 04:14

Re: "Full" disk encryption install?

Postby User_1 » 26 Mar 2017 20:58

Thanks for these insights and the link to the "latest" EE; I was on the release from the regular CE download page and would have otherwise missed the nightlies/weeklies. Indeed, I see the encryption feature bug has now been corrected. I would like to see an "option" such as that available in Fedora's Anaconda installer. In that system it is simply a single box-check to encrypt the entire disk (except /boot); you have a single LUKS passphrase entry. And that's it! I understand that Solyd has mulled over this and has wanted to maintain the option for un-encrypted install, which is fine. HE, for anyone that wants maximum encryption (increasingly popular these days), there is great peace of mind with the simplicity and completeness of the Anaconda approach.

As for swap, I am interested to have your thoughts and may take that approach. I have ample RAM installed and wondered about the necessity of a separate partition. And yet, all the major distros still recommend a "/swap" as part of their recommended partitioning setup. Perhaps there is a need/opportunity for a linux-wide dialogue on this point. Again, thanks for the suggestion, which I will try. Installing on a single /root would indeed make full-disk encryption easy to do.

Cheers!

User avatar
ilu
Posts: 2539
Joined: 09 Oct 2013 12:45

Re: "Full" disk encryption install?

Postby ilu » 26 Mar 2017 21:30

I don't think anyone is really against that kind of disk encryption (as long as it is optional), It's just a question of (lack of) developer time. You are very welcome to contribute on http://www.github.com/solydxk :D

I don't have enough insight to contribute to the swap issue myself. Here's a thread discussing swap: https://forums.solydxk.com/viewtopic.ph ... 61&p=63238

User avatar
Arjen Balfoort
Site Admin
Posts: 9330
Joined: 26 Jan 2013 19:36
Location: Netherlands
Contact:

Re: "Full" disk encryption install?

Postby Arjen Balfoort » 27 Mar 2017 08:14

Here's an experimental version of the live installer: viewtopic.php?f=78&t=6843


SolydXK needs you!
Development | Testing | Translations

User avatar
Arjen Balfoort
Site Admin
Posts: 9330
Joined: 26 Jan 2013 19:36
Location: Netherlands
Contact:

Re: "Full" disk encryption install?

Postby Arjen Balfoort » 04 Apr 2017 15:37

The new live installer is now in production. Closing this topic.


SolydXK needs you!
Development | Testing | Translations


Return to “Installation”

Who is online

Users browsing this forum: No registered users and 2 guests