install for full (as possible) disk encryption options

21 replies
ruddy
Offline
Joined: 08/27/2021

Hi

The manual directed me to install via "Install Trisquel in textmode" for disk encryption.

I tried to do this but it wouldn't allow me to complete the install without an internet connection (setting mirrors).
I didn't want to connect to the internet until after I install.
So I tried the auto install method. There was an option in it anyway to encrypt the disk. This seems to be working ok; it is functional at least, with the limited time I've had in it.

So my question is: is there a different result between the two install methods?

Is there a way to install via the suggested "text mode" method without being online at time?

Thanks

ruddy
Offline
Joined: 08/27/2021

I mean is there a difference in achieved disk encryption between the two install options. Thanks

nadebula.1984
Offline
Joined: 05/01/2018

The text mode installer is something like Debian Network Installer, therefore an Internet connection is mandatory. However, it is still possible to install a minimal operating system (without any desktop environment) without an Internet connection, although I haven't verified it. If you managed to install a minimal system, you can then connect to the Internet and install a desktop environment if you need it.

Using Trisquel's graphical interfaced installer is not recommended. It's obsolete and buggy, and offers much fewer customization options compared with Debian Installer.

ruddy
Offline
Joined: 08/27/2021

Thanks that explains why the text mode installer required an internet connection

Avron
Offline
Joined: 08/18/2020

> The manual directed me to install via "Install Trisquel in textmode" for disk encryption.

Sorry, which manual are you referring to?

When I used the graphical installer, I always immediately set up the internet connection but I am not sure it was really used (even though I said I want to download updated packages) because at the first apt update/upgrade, there were always more than 300 packages to upgrade. There was an unencrypted /boot partition but the rest was encrypted.

Are you using a computer with Libreboot?

When I installed Trisquel on a computer with Libreboot, I followed https://notabug.org/libreboot/lbwww/src/8844c201ef0d1ab856fed2aa5148b89100fffe0d/site/docs/gnulinux/encrypted_trisquel.md which recommends the text mode installer.

This results in everything, including /boot, being encrypted. But I don't know how much benefit this has over the option with everything encrypted except /boot.

ruddy
Offline
Joined: 08/27/2021

Hi, I was referring to the install manual in our documentation here. It recommends using the text version over the GUI version. I installed via the GUI anyway out of need. I'm sure it also said encryption was added during the process.

If anyone's familiar with this method I used, can you please say what level of encryption I've likely achieved?
As you can tell it's quite new to me and all I want is to have as much of the disk encrypted as I can.

I have added a pic showing the partitions in 'Disks'. If someone can tell me what it means as far as encryption achieved.

Yes, I have Libreboot installed.
Thanks

[attachment: trisquelpartitions.jpg]
nadebula.1984
Offline
Joined: 05/01/2018

Yes you have done FDE correctly. I agree with the documentation that recommends that the text mode installer should be preferred. Debian Installer is highly customizable. I could even put two FDE'd hard disks that came from different computers in one computer without re-installing anything, thanks to Debian Installer's rescue mode, which allowed me to rebuild initrd with minimal effort.

Theoretically you can encrypt /boot (and /boot/efi, if you used UEFI mode) as well. However, this renders the booting procedure very tricky. In practice, encrypting everything except /boot and /boot/efi already minimizes the attack surface.

ruddy
Offline
Joined: 08/27/2021

Hi, can you please explain to me what the pic I posted (2 inc. below) of the partitions shows? A literal translation would be so helpful. Because I did it auto I really didn't see what happened, so I would just like to understand the terms there and all that.

Interesting to learn your point about the added potential to encrypt further in UEFI mode. Maybe later down the line; I have much to learn first by the looks.

I'm quite new and only just familiar with terms like boot, swap, home, /. Thanks a bunch

nadebula.1984
Offline
Joined: 05/01/2018

You should begin with LVM (logical volume management). Simply search something like "logical volume management linux", and you should have many tutorials.

ruddy
Offline
Joined: 08/27/2021

lsblk result

[attachment: install table.jpg]
Avron
Offline
Joined: 08/18/2020

You have a partition for /boot which is not encrypted, and then you have an encrypted partition using LVM (Logical Volume Manager) that includes a root partition, a home partition and a partition for swap.

Swap is only used:
- when you use the "hibernate" feature, all the memory is saved there, so you can restart from exactly the same situation
- if you run out of memory due to too many programmes running, the system will decide to save the memory of some running programmes to the swap and, when a programme whose memory is on the disk is to run again, it will save the memory of other programmes to the disk and fetch from the disk the memory of the programme to be run. This takes quite some time so if that happens, you will notice a delay of several seconds, perhaps even minutes.

/boot only contains a few files for the system to start (linux executable and a few other things); there is no personal data and extremely limited configuration information.

/home contains user data.

/ (called "root") contains all the rest (system configuration, programmes).

Personally, I don't have a home partition, so /home is inside the root partition. When you use your system, you just see home as a directory inside /, it makes no difference whether there is a separate home partition or not. I am not sure what the benefit of having separate home partition is.

If you use the text installer and follow the instructions that I linked, which were removed from the Libreboot site due to being obsolete (but I followed these instructions about 4 months ago and it worked fine), you could have a setup where /boot is also encrypted.

What is the benefit of having /boot also encrypted? I don't know, perhaps someone else can say.

EDIT: I corrected as I previously missed that you had a separate home partition.

ruddy
Offline
Joined: 08/27/2021

I hear one of the main benefits of a separate Home partition is to easily re-install the OS without affecting the Home files. Agreed, not an issue if correct back-ups are done; small advantage only in that case.

I had to install via auto as I didn't want to go online until it was installed.

-Do you see what the sda2 is doing? No titles are there.

-And I have 8GB RAM, so is 2.9GB swap enough?

I will now research LVM as suggested for my understanding, thanks nadebula.1984.

I only seek to check all this as it was done auto so could be improved; I want to be sure it's a good set-up.

Thanks

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

> And I have 8GB RAM, so is 2.9GB swap enough?

Not if you plan to hibernate a system taking advantage of your 8 GB of RAM. Your swap partition should then be at least 8 GB large, and you certainly do not want it larger than that.

If you do not plan to ever hibernate, 2.9 GB for swap is probably enough (we are talking about a desktop system, right?). If the system swaps (which should be exceptional, a malfunctioning program leaking memory for instance), 2.9 GB of swap probably leaves you enough time to notice the system lags a lot, to save your work, to identify the faulty program and to end/kill it. With too little swap, you may not have time to do all that before the whole swap is filled as well and the kernel kills a program to free memory. Nevertheless, it may be the wrong one, maybe the one you have been working with for hours without saving.

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

> I am not sure what the benefit of having separate home partition is.

A benefit is that you can install another GNU/Linux system (or a new version of the existing one) onto the previous one, specifying that the existing partition is to be reused (but not formatted!), mounted at /home. For instance, Trisquel's "Something else" type of installation allows that. In this way, you do not have to restore all the user data from backup after the installation.

Another benefit is that you can specify different types of filesystem, which may be better suited for the data the partition holds. By default, Trisquel chooses ext4 for / and XFS for /home. XFS is said to perform faster with large files, such as typically those in /home.

ruddy
Offline
Joined: 08/27/2021

-Re. swap partition: then I will make it 9GB to have enough to hibernate but not excess in case the swappiness thing becomes involved (not sure it will, but to be safe). May as well have the option to hibernate since it's on a laptop; battery life benefit.

Re home partition: nicely explained, thanks. Then I will leave the home separate; it makes a benefit. I don't save data to my mobile machines, only temporarily, for the security benefits, now made far less anyway as I'm finally FDE! Happy to have it!
Interesting about the XFS benefit for /home.

-The table used was MBR. This is a Lenovo X200 with Libreboot, full libre hardware. Do you think it's the right table?

-Do you see what the sda2 is doing? No titles are there.
Thanks a bunch

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

> The table used was MBR. This is a Lenovo X200 with Libreboot, full libre hardware. Do you think it's the right table?

It is OK, unless the size of your disk exceeds 2 TiB.

> Do you see what the sda2 is doing?

Certainly nothing: it is 1 kB large.

ruddy
Offline
Joined: 08/27/2021

So an MBR type table is not significantly worse off, say for RAM utilisation? Perhaps there was a reason the auto installer chose it. I'll leave it as is if no clear answer presents itself to me; I'm really not sure, just I noticed it's not that common anymore.

So the tiny sda2 partition that looks like it does nothing is better removed or left anyway?

Thanks so much, a lot to learn. This install has been a big lesson, but it's such a nice OS, I'm very pleased so far.

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

> So MBR type table not significantly worse off say for RAM utilisation?

No. It is just data. A few bytes specifying where every partition physically starts on the disk, its type, its size, whether it is "active" (i.e., whether it actually exists; there are always four primary partition table entries in the MBR partition table scheme).

> i noticed its not that common anymore

That is because disks exceeding 2 TiB have existed for many years now.

> So the tiny sda2 partition that looks like it does nothing is better removed or left anyway?

Delete it if you wish. Nevertheless, it does not hurt and you will not miss the kB it occupies.
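To make the "it is just data" description concrete, here is an added example (not code from the thread or from Trisquel) that builds a constructed 512-byte MBR sector mirroring the layout under discussion (a small /boot entry, an extended container as the second entry, two unused entries) and parses the four 16-byte table entries back out. The partition start/size values and the 160 GB disk size are assumptions for the sample; the field layout, the 0x80 boot indicator in the status byte, the extended type codes and the 32-bit LBA fields that cap an MBR disk at 2 TiB are the standard DOS MBR format.

```python
"""Build and parse a classic MBR partition table (added example, not from the thread)."""
import struct

SECTOR = 512                      # bytes per logical sector on the disks discussed here
TABLE_OFFSET = 446                # the four 16-byte entries start here in the first sector
ENTRY_FMT = "<B3sB3sII"           # status, CHS start, type, CHS end, LBA start, sector count
EXTENDED_TYPES = {0x05, 0x0F, 0x85}
TYPE_NAMES = {0x00: "empty", 0x05: "extended", 0x0F: "extended (LBA)",
              0x82: "Linux swap", 0x83: "Linux", 0x85: "Linux extended"}
DISK_SECTORS = 312581808          # constructed sample: a 160 GB disk in 512-byte sectors


def pack_entry(bootable, ptype, lba_start, sectors):
    """Build one 16-byte entry. CHS fields get the usual 0xFE/0xFF/0xFF 'use LBA' filler."""
    status = 0x80 if bootable else 0x00     # 0x80 is the 'active' (boot indicator) flag
    return struct.pack(ENTRY_FMT, status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff",
                       lba_start, sectors)


def build_sample_mbr():
    """Constructed sector: entry 1 is a small /boot partition, entry 2 is the extended
    container that holds the logical partitions, entries 3 and 4 are unused."""
    boot_start, boot_sectors = 2048, 1_000_000          # assumed values for the sample
    ext_start = boot_start + boot_sectors
    ext_sectors = DISK_SECTORS - ext_start
    table = (pack_entry(True, 0x83, boot_start, boot_sectors)
             + pack_entry(False, 0x05, ext_start, ext_sectors)
             + pack_entry(False, 0x00, 0, 0)
             + pack_entry(False, 0x00, 0, 0))
    return b"\x00" * TABLE_OFFSET + table + b"\x55\xaa"   # boot code area, table, signature


def parse_mbr(sector):
    """Return the four primary entries as dicts; raises if the 0x55AA signature is missing."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        entries.append({
            "index": i + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, hex(ptype)),
            "extended": ptype in EXTENDED_TYPES,
            "lba_start": lba,
            "sectors": count,
            "bytes": count * SECTOR,
        })
    return entries


def mbr_addressable_bytes():
    """LBA start and sector count are 32-bit fields, so an MBR table can describe at most
    2**32 sectors of 512 bytes: exactly 2 TiB."""
    return 2 ** 32 * SECTOR


def fits_in_mbr(disk_bytes):
    """True if a disk of this size can be fully described by an MBR partition table."""
    return disk_bytes <= mbr_addressable_bytes()


if __name__ == "__main__":
    for entry in parse_mbr(build_sample_mbr()):
        print(entry)
    print("MBR limit in bytes:", mbr_addressable_bytes())
    print("3 TB disk fits in MBR:", fits_in_mbr(3 * 10 ** 12))
```

The second entry is the extended container: it is a real table entry with a type code (0x05), which is why it shows up as a 1 kB device in lsblk even though no filesystem lives on it directly. Run the script as-is to see the parsed entries and the 2 TiB limit that makes GPT the default on larger disks.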

nadebula.1984
Offline
Joined: 05/01/2018

> Delete it if you wish.

So laughable. /dev/sda2 is the extended partition which holds logical partitions, starting with /dev/sda5.

If you try to forcibly delete it, the entire LUKS will be wiped out (the LUKS header will be firstly erased). I made a similar mistake recently.

ruddy
Offline
Joined: 08/27/2021

Thanks everyone. I concluded it's best to leave it there anyway then, but appreciate the different angles.

How then would I identify it as an extended partition? Because in the lsblk output I posted it just looks like a main partition?

Complex things these tables, much still to learn, more practice needed :-)

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

Oops. So it should definitely be kept! I would have thought lsblk would not print it or would show /dev/sda5 as its child.
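lsblk does not nest logical partitions under their extended container, which is why /dev/sda2 looked like an ordinary partition in the posted table; the PARTTYPE column (0x5 or 0xf on an MBR disk) is what gives it away. The following added example (not code from the thread or from Trisquel) parses the key="value" output of `lsblk -P` and answers the two questions raised above: which partition is the extended container, and which mountpoints actually sit on an encrypted device (found by walking each device's PKNAME parent chain until a TYPE="crypt" layer appears). The sample output is constructed to resemble the layout described in the thread: sda1, sda2 and sda5 are the names from the posts, while sda5_crypt, the trisquel--vg volume names and all sizes except the 2.9G swap are assumptions.

```python
"""Report extended partitions and at-rest encryption per mountpoint from lsblk output.
Added example, not from the thread. Parses `lsblk -P -o <COLUMNS>` key="value" lines."""
import re
import subprocess

COLUMNS = "NAME,PKNAME,TYPE,FSTYPE,PARTTYPE,SIZE,MOUNTPOINT"
EXTENDED_TYPES = {0x05, 0x0F, 0x85}          # MBR type codes for an extended container
PAIR = re.compile(r'(\w+)="([^"]*)"')        # one KEY="value" token of the -P format

# Constructed sample resembling the thread's layout (unencrypted /boot, extended
# container sda2, LUKS on sda5 holding LVM volumes). Device and VG names are assumed.
SAMPLE_LSBLK = '''\
NAME="sda" PKNAME="" TYPE="disk" FSTYPE="" PARTTYPE="" SIZE="149.1G" MOUNTPOINT=""
NAME="sda1" PKNAME="sda" TYPE="part" FSTYPE="ext2" PARTTYPE="0x83" SIZE="487M" MOUNTPOINT="/boot"
NAME="sda2" PKNAME="sda" TYPE="part" FSTYPE="" PARTTYPE="0x5" SIZE="1K" MOUNTPOINT=""
NAME="sda5" PKNAME="sda" TYPE="part" FSTYPE="crypto_LUKS" PARTTYPE="0x83" SIZE="148.6G" MOUNTPOINT=""
NAME="sda5_crypt" PKNAME="sda5" TYPE="crypt" FSTYPE="LVM2_member" PARTTYPE="" SIZE="148.6G" MOUNTPOINT=""
NAME="trisquel--vg-root" PKNAME="sda5_crypt" TYPE="lvm" FSTYPE="ext4" PARTTYPE="" SIZE="40G" MOUNTPOINT="/"
NAME="trisquel--vg-swap_1" PKNAME="sda5_crypt" TYPE="lvm" FSTYPE="swap" PARTTYPE="" SIZE="2.9G" MOUNTPOINT="[SWAP]"
NAME="trisquel--vg-home" PKNAME="sda5_crypt" TYPE="lvm" FSTYPE="xfs" PARTTYPE="" SIZE="105.7G" MOUNTPOINT="/home"
'''


def parse_lsblk_pairs(text):
    """Turn -P output into {NAME: {column: value}}."""
    devices = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        row = dict(PAIR.findall(line))
        devices[row["NAME"]] = row
    return devices


def is_encrypted(devices, name):
    """True if the device or any ancestor in its PKNAME chain is a dm-crypt (LUKS) layer."""
    seen = set()
    while name and name in devices and name not in seen:
        seen.add(name)
        dev = devices[name]
        if dev["TYPE"] == "crypt":
            return True
        name = dev["PKNAME"]
    return False


def extended_partitions(devices):
    """Names of partitions whose MBR type code marks them as an extended container.
    GPT disks print a GUID in PARTTYPE, which is skipped by the 0x prefix check."""
    found = []
    for name, dev in devices.items():
        code = dev["PARTTYPE"]
        if dev["TYPE"] == "part" and code.startswith("0x") and int(code, 16) in EXTENDED_TYPES:
            found.append(name)
    return sorted(found)


def encryption_report(devices):
    """Map every mountpoint (and [SWAP]) to whether its data is encrypted at rest."""
    return {dev["MOUNTPOINT"]: is_encrypted(devices, name)
            for name, dev in devices.items() if dev["MOUNTPOINT"]}


def live_devices():
    """Run lsblk on the current machine and parse it (needs util-linux lsblk)."""
    out = subprocess.run(["lsblk", "-P", "-o", COLUMNS],
                         check=True, capture_output=True, text=True).stdout
    return parse_lsblk_pairs(out)


if __name__ == "__main__":
    devs = parse_lsblk_pairs(SAMPLE_LSBLK)
    print("extended containers:", extended_partitions(devs))
    for mountpoint, encrypted in encryption_report(devs).items():
        print(f"{mountpoint:8} encrypted={encrypted}")
```

Run as-is it reports the sample; swap `parse_lsblk_pairs(SAMPLE_LSBLK)` for `live_devices()` to inspect a real machine. On the layout in the thread the report shows /boot unencrypted and /, /home and swap encrypted, which is the "everything except /boot" setup described earlier. Since a mistaken deletion of the extended entry can take the LUKS header with it, keeping a copy made with `cryptsetup luksHeaderBackup` on separate media is the usual precaution before editing any partition table that holds a LUKS volume.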

ruddy
Offline
Joined: 08/27/2021

Magic Banana, I'm not sure if nadebula.1984 saw the other table I posted; that's a possibility. To me also it looks like a normal drive in that table. No obvious distinctions, so I see why it did to you also. I can't be sure unless I get a way to identify it; other than that I'll just leave it there anyway. Thanks