Microwave_Ab's Blog

Where I always sometimes document what I've been doing

Encrypting all my disks for no particular reason

Does this title really need a description?

Update 20.12.2021

So the other day I had a flash of inspiration: I must encrypt all my disks this instant. Let's not dwell on what lead me to this thought but instead focus on how the encryption is actually done, since this is a tech blog after all.

My systems (especially laptop) were completely vulnerable to physical attacks. Login screens aren't a bother when an attacker can just read the disk directly from another OS. The natural solution is to encrypt your disks so when somebody reads them, they cannot find out what is stored on them.

There are two main ways of implementing encryption: Filesystem encryption and full disk encryption. In filesystem encryption the attacker can see that there are indeed files on the disk, but cannot read their contents or even names. Nevertheless, the attacker still knows that there are something stored and can make estimates and deductions from the file sizes, which is why I chose full disk encryption. In full disk encryption the whole disk is gibberish and the attacker really cannot deduce anything other than the overall space used and in some cases not even that.

However, it turned out that full disk encryption is pretty cumbersome method after all. What if you need to have an unencrypted boot partition on the same disk? Most BIOSes do not support encrypted bootloaders. The solution is to take encryption one layer upwards, namely encrypting partitions instead of disks. That is what I ended up doing.

Microwave_Ab's Premium Solution to Data at Rest Protection

A way to encrypt partitions on linux.
  1. Encrypt non-root partitions

  2. Add keyfiles

  3. Add entries to crypttab and fstab

  4. Configuring initramfs to account for encryption

  5. Encypting root partition

  6. Configuring bootloader

  7. Profit?

"Wait what's this? This is just a checklist, not a detailed instruction?"

Yes. This is so well documented on the arch wiki that I cannot bother copy-pasting it here. Just thought I would give a little update to my blog that's all. But if you happen to have problems with implementing this yourself don't hesitate to leave a comment.

Thank you for reading