Encryption

Hi, I just wonder if you
a) need or b) can encrypt your whole hard drive.

Under Windows I used TrueCrypt, but I now read that under Linux you can
only encrypt a partition but not in general the whole hard drive.
I looked a little through the how-tos but the answers weren’t
sufficient for me.

Windows, supports nearly all software, hardware, and viruses.
Linux Counter: 548299 https://linuxcounter.net/

On 2012-02-05 18:45, JoergJaeger wrote:
> Hi, I just wonder if you
> a) need or b) can encrypt your whole hard drive.

a) depends on your needs.
b) yes…

With software encryption you need at least /boot outside encryption. The
hard disk firmware can also encrypt, but the support of this in Linux is
unknown. You need the BIOS to put the password prompt. I have never seen
this working. There is a bit of info in the smartctl manual. No, in hdparm(8).

> Under Windows I used TrueCrypt, but I now read that under Linux you can
> only encrypt a partition but not in general the whole hard drive.

You need at least a minimal boot system to load the driver outside the
encrypted part. If all is encrypted you can not even read the boot code.
There is always a bit outside, or BIOS support, or another disk.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

On 05.02.2012 11:13, Carlos E. R. wrote:
> On 2012-02-05 18:45, JoergJaeger wrote:
>> Hi, I just wonder if you
>> a) need or b) can encrypt your whole hard drive.
>
> a) depends on your needs.
> b) yes…
>
> With software encryption you need at least /boot outside encryption. The
> hard disk firmware can also encrypt, but the support of this in Linux is
> unknown. You need the BIOS to put the password prompt. I have never seen
> this working. There is a bit of info in the smartctl manual. No, in hdparm(8).
>
>
>> Under Windows I used TrueCrypt, but I now read that under Linux you can
>> only encrypt a partition but not in general the whole hard drive.
>
> You need at least a minimal boot system to load the driver outside the
> encrypted part. If all is encrypted you can not even read the boot code.
> There is always a bit outside, or BIOS support, or another disk.
>

I am in luck then. I have a /boot partition :)
Well, let me read into the hdparm. It sounds like not a lot of
people are doing this. Is there any harm if I do this?

The only reason I would like to do this is in case the computer gets
stolen. Right now, if you know the password you're in. Maybe even that is
not needed if you boot from a CD.

Windows, supports nearly all software, hardware, and viruses.
Linux Counter: 548299 https://linuxcounter.net/

On 2012-02-05 20:23, JoergJaeger wrote:

>
> I am in luck then. I have a /boot partition :)
> Well, let me read into the hdparm. It sounds like not a lot of people
> are doing this. Is there any harm if I do this?

You haven’t yet read the manual, it says “yes” in big letters >:-)

I’m waiting for somebody to test it and tell me ;)

> The only reason I would like to do this is in case the computer gets
> stolen. Right now, if you know the password you're in. Maybe even that is not
> needed if you boot from a CD.

Absolutely.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

On 05.02.2012 12:13, Carlos E. R. wrote:
> On 2012-02-05 20:23, JoergJaeger wrote:
>
>>
>> I am in luck then. I have a /boot partition :)
>> Well, let me read into the hdparm. It sounds like not a lot of people
>> are doing this. Is there any harm if I do this?
>
> You haven’t yet read the manual, it says “yes” in big letters >:-)
>
> I’m waiting for somebody to test it and tell me ;)

I am not that fast. :) I will…

>
>> The only reason I would like to do this is in case the computer gets
>> stolen. Right now, if you know the password you're in. Maybe even that is not
>> needed if you boot from a CD.
>
> Absolutely.
>

Aha. So then we should have that just to be safe.

Windows, supports nearly all software, hardware, and viruses.
Linux Counter: 548299 https://linuxcounter.net/

Yes, I am using encryption.

I have a small “/boot” partition. And then I have an encrypted LVM for everything else that is openSUSE. The installer handles this correctly, providing you are willing to accept the partitioner defaults. The initial encryption/decryption is managed in the “initrd” so that it is set up fairly early in the boot cycle.

Yes, that and safe end-of-life disposal of the disk are the main reasons for encryption.

It works rather well. The cost of the crypto overhead seems surprisingly small in my experience.