Full disk encryption with Ubuntu

Jared Norris jrnorris at gmail.com
Sun Feb 5 09:07:15 UTC 2023 

On Mon, 30 Jan 2023 at 12:07, Jeffrey Walton <noloader at gmail.com> wrote:

> On Sun, Jan 29, 2023 at 5:34 PM Hans via ubuntu-users
> <ubuntu-users at lists.ubuntu.com> wrote:
> > From: "Jared Norris" <jrnorris at gmail.com>
> > [...]
> > I'm trying to decide on the best approach, from what I can see the main
> options include
> > 1 - hardware based SED -
> https://www.crucial.com/support/articles-faq-ssd/overview-hardware-encryption
> > 2 - Ubuntu installer based LVM/LUKS - encryption option offered during
> installation
> > 3 - Ubuntu software based full disk encryption -
> https://help.ubuntu.com/community/Full_Disk_Encryption_Howto_2019
> >
> > [...]
> > What is the point of having all and everything encrypted?
> > /home: ofcource, and perhaps /var, and /etc.
> > But why all regular binaries?
>
> If all binaries are encrypted using a FDE scheme, then it makes it
> difficult for an attacker to replace a binary during an evil maid
> attack.
>
> A common attack vector when you have physical access to a machine is
> to replace a binary like ls. The new ls will spawn a root console, and
> then call the real ls command. The attacker then attaches to the new
> terminal with root access.
>
> That's why Microsoft's BitLocker uses FDE with a large block diffuser.
> The diffuser is called the Elephant Diffuser, and it makes it more
> difficult to replace a binary. Essentially, it turns CBC mode into a
> wide block mode.
> https://www.google.com/search?q=Niels+Ferguson+elephant+diffuser
>
> Jeff
>
> --
> ubuntu-users mailing list
> ubuntu-users at lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
>


Hi all,

Thanks everyone for your help. For reference, I ended up going down the
path of option 2 (using LVM+LUKS in the standard installer) as it seemed
the simplest for me to manage and avoided the proprietary SED issues.

For anyone looking into this I found a pretty coherent article here that
helped me understand the options better -
https://blog.cloudflare.com/speeding-up-linux-disk-encryption/

I realise adding LVM creates some additional complexity but I think it's
still easier than the 50+ steps required for option 3.

Regards,

Jared Norris
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/ubuntu-users/attachments/20230205/42c9df5b/attachment.html>

More information about the ubuntu-users mailing list