For my main desktop machines, all data is on a separate physical drive from the OS. I would like that disk to be encrypted in case the machine was stolen. Is LUKS the best way to achieve that?
Note - it is imperative that the partition can be accessed if the OS needs to be re-installed. I know that can be done using Veracrypt, but LUKS seems more integrated to the OS. Is it a better solution?
For laptops, it is a separate /partition/ rather than /physical drive/ on which the data needs to be encrypted. Does that make any difference?
Finally, am I right that “data encryption” is a totally separate issue from “secure boot”?
Much appreciate any advice, thank you.
I don’t really know whether it is the best. I am using LUKS on my systems. And it is supported in the linux kernel, which seems like a good thing. I have not actually tried Veracrypt, because LUKS seems better supported.
From any linux system that includes the “cryptsetup” command, you can simply use:
cryptsetup luksOpen /dev/whatever SOMENAME
and you will be prompted for the encryption key. After that, you access the unencrypted mapping of the device as “/dev/mapper/SOMENAME”. So it is easy enough to access if you need to reinstall.
Whether you use a separate partition or a separate disk doesn’t really matter for this. And yes, data encryption is separate from secure-boot.
You might want to also encrypt swap (if you are using swap). It is always possible that unencrypted data could be written to swap.
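A check that goes with the advice above: before you touch a data disk on a freshly reinstalled system, and when you want to confirm that swap is not sitting there in plaintext, it helps to look at what is actually on the device. The script below is an added example (not code from the thread or from cryptsetup); it reads the first 8 KiB of a device or image and reports whether it carries a LUKS1 or LUKS2 header (and for LUKS1, the cipher, key size and number of active key slots), a plaintext swap signature, or an ext2/3/4 superblock. The offsets follow the published LUKS1 and LUKS2 on-disk header layouts; the two sample images it builds are constructed in memory and contain no real key material.

```python
"""Classify the start of a block device: LUKS (encrypted), plaintext swap,
ext filesystem, or unknown.  Added example, not part of the original thread.
Run as: python3 luksinspect.py /dev/sdX  (reads 8 KiB, needs read access)."""
import struct
import sys

LUKS_MAGIC = b"LUKS\xba\xbe"          # shared by LUKS1 and LUKS2 primary headers
LUKS1_KEY_ACTIVE = 0x00AC71F3         # key-slot "active" marker in LUKS1
LUKS1_KEY_DISABLED = 0x0000DEAD
LUKS1_SLOT_OFFSET = 208               # first of 8 key-slot records, 48 bytes each
LUKS1_SLOT_SIZE = 48
LUKS1_SLOTS = 8
EXT_SUPERBLOCK = 1024                 # ext superblock starts at 1 KiB; magic at +56
SWAP_PAGE = 4096                      # swap signature sits in the last 10 bytes of page 0
READ_BYTES = 2 * SWAP_PAGE


def _cstr(buf: bytes) -> str:
    """Decode a NUL-padded ASCII field."""
    return buf.split(b"\0", 1)[0].decode("ascii", "replace")


def inspect_header(data: bytes) -> dict:
    """Return a small dict describing what `data` (>= 8 KiB) looks like."""
    if data[:6] == LUKS_MAGIC:
        version = struct.unpack(">H", data[6:8])[0]
        if version == 1:
            cipher = _cstr(data[8:40])
            mode = _cstr(data[40:72])
            hash_spec = _cstr(data[72:104])
            payload_offset, key_bytes = struct.unpack(">II", data[104:112])
            uuid = _cstr(data[168:208])
            active = 0
            for i in range(LUKS1_SLOTS):
                off = LUKS1_SLOT_OFFSET + i * LUKS1_SLOT_SIZE
                (state,) = struct.unpack(">I", data[off:off + 4])
                if state == LUKS1_KEY_ACTIVE:
                    active += 1
            return {"type": "luks1", "cipher": f"{cipher}-{mode}",
                    "hash": hash_spec, "key_bits": key_bytes * 8,
                    "payload_offset_sectors": payload_offset, "uuid": uuid,
                    "active_keyslots": active, "encrypted": True}
        if version == 2:
            # LUKS2 binary header: hdr_size u64 at 8, label[48] at 24, uuid[40] at 168
            hdr_size = struct.unpack(">Q", data[8:16])[0]
            return {"type": "luks2", "header_bytes": hdr_size,
                    "label": _cstr(data[24:72]), "uuid": _cstr(data[168:208]),
                    "encrypted": True}
        return {"type": f"luks-unknown-v{version}", "encrypted": True}
    if data[SWAP_PAGE - 10:SWAP_PAGE] in (b"SWAPSPACE2", b"SWAP-SPACE"):
        return {"type": "swap", "encrypted": False}   # plaintext swap area
    if data[EXT_SUPERBLOCK + 56:EXT_SUPERBLOCK + 58] == b"\x53\xef":
        return {"type": "ext2/3/4", "encrypted": False}
    return {"type": "unknown", "encrypted": False}


def inspect_device(path: str) -> dict:
    """Read the first 8 KiB of a device or image file and classify it."""
    with open(path, "rb") as f:
        return inspect_header(f.read(READ_BYTES))


def make_luks1_sample() -> bytes:
    """Constructed LUKS1 header for testing: aes-xts-plain64, 512-bit key,
    two active key slots, dummy UUID.  Not a usable container."""
    def field(s: str, n: int) -> bytes:
        return s.encode().ljust(n, b"\0")
    hdr = bytearray(READ_BYTES)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 1)
    hdr[8:40] = field("aes", 32)
    hdr[40:72] = field("xts-plain64", 32)
    hdr[72:104] = field("sha256", 32)
    struct.pack_into(">II", hdr, 104, 4096, 64)          # payload offset, key bytes
    hdr[168:208] = field("11111111-2222-3333-4444-555555555555", 40)
    for i in range(LUKS1_SLOTS):
        state = LUKS1_KEY_ACTIVE if i < 2 else LUKS1_KEY_DISABLED
        struct.pack_into(">I", hdr, LUKS1_SLOT_OFFSET + i * LUKS1_SLOT_SIZE, state)
    return bytes(hdr)


def make_swap_sample() -> bytes:
    """Constructed plaintext swap signature (what an unencrypted swap looks like)."""
    img = bytearray(READ_BYTES)
    img[SWAP_PAGE - 10:SWAP_PAGE] = b"SWAPSPACE2"
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for dev in sys.argv[1:]:
            print(dev, inspect_device(dev))
    else:  # no arguments: show the constructed samples
        print("luks1 sample:", inspect_header(make_luks1_sample()))
        print("swap sample: ", inspect_header(make_swap_sample()))
```

Run it against the data disk and the swap partition: a result of `luks1`/`luks2` confirms the header is intact and the container can be opened with `cryptsetup luksOpen` as described; a result of `swap` on a partition means that swap is plaintext and is the case the reply warns about. Reading a block device needs root or membership of the `disk` group, and the check only reads the header, so it is safe to run on a mounted or open device.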