I installed Tumbleweed yesterday with full disk encryption. However, I noticed that the whole process took less than 1 hour. That was strange to me, because when I do a Debian installation with full disk encryption it takes more than 2 hours, due to the fact that it rewrites the entire large partition with random data. This is so computer forensics folks cannot determine where encryption starts and stops, making it harder to find a way to circumvent the encryption and stuff.
So my question is this: is the openSUSE installer different in this respect?
Is the partition written with random data or not?
I tried search engines, openSUSE documentation and forums regarding this specific question and I was not able to find anything that describes the process that the openSUSE installer follows when it comes to encryption. So if you have any link, idea and/or document on this I will be thankful for it.
I don’t know the answer to your question, but perhaps the best way to evaluate the result is to mount your disk in another OS (can be a LiveCD) and see if the disk can be read.
As for how long it might take to encrypt/re-write, that can be entirely attributed to the algorithm used to encrypt. Some things that can affect the time…
How many bytes are read, encrypted and re-written at a time. Larger processed “chunks” can be processed much more quickly than smaller “chunks.” In most cases, there shouldn’t be any compromise processing larger chunks but the algorithm might need to be slightly more sophisticated to process the entire disk.
All encryption is affected by how much contiguous “same data” exists, and this in particular applies to empty disk space. Is that empty disk space really empty or does it contain ghost data, meta data, recoverable data? If the contiguous disk space is truly null, then it’s processed instantly. If not, then it can take considerable time.
The type of encryption. Algorithm? Single pass? Double pass? More?
Remember that you are only protecting against “data at rest.” If the data is actively accessed, the data is potentially vulnerable. And, nowadays depending on the resources of the decryptor, some (including myself) believe that “typical” strongest encryption is crackable by individuals and organizations with relatively modest resources within days, and only encryption that exceeds “typical recommended” is strong enough to require nation-state resources.
Thanks for replying. I think you are right, it is probably something related to the algorithm used. I tried to access both hard drives using a live CD and the data can’t be accessed. But I tried with “typical tools”, therefore I was not successful breaking in.
Now about your comment, what do you consider more than “typical encryption” (the one that will require nation-state resources)?
Main parameter is the strength of encryption.
Today, most applications recommend 1024 bit, and very recent ones have been recommending 2048 bit.
Some articles are starting to say (Summer 2015) that this is already not enough. Go to the next level (4096 bit) if you <really> want something very difficult to decrypt and even then who knows how long that will last.
But again, who are you really trying to protect against? And how valuable are your secrets?
At least for today the typical neighborhood thief won’t have any idea what tools to even use to crack almost any level of encryption.
More serious might be if a competitor breaks in and steals your disks and you contain business and trade secrets (more than ordinary personal information). Then you might consider the higher levels of encryption.
Remember, disk encryption has relatively limited value today. It only protects against physical theft. Nowadays data is stolen using other methods. You can get the same amount of protection (and possibly superior with less chance of accidental data loss) by simply storing your machine in a locked room or a safe.
I don’t think so. Yes, the Debian installer does that, though I think I remember turning that off when I did a Debian install to encrypted LVM. I’m pretty sure that the openSUSE installer doesn’t do that – but you could do that manually before starting the install if it is important enough.
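
A read-only way to answer the question asked at the top of this thread (added example, not posted by any participant): sample blocks across the encrypted partition and count how many are all-zero versus random-like. Zero blocks mean that region was never overwritten; random-like blocks are either ciphertext or a random pre-fill, which look the same. The function names, the placeholder device path and the 7.5 bits/byte threshold are choices made for this example.

```python
import math
import os
import sys
from collections import Counter

BLOCK = 4096  # bytes read per sample


def shannon_entropy(block: bytes) -> float:
    """Bits per byte: 0.0 for constant data, close to 8.0 for random data."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def classify(block: bytes, threshold: float = 7.5) -> str:
    """Label one block; the 7.5 bits/byte cut-off is a choice made here."""
    if block.count(0) == len(block):
        return "zero"  # never written (or discarded by TRIM)
    return "random-like" if shannon_entropy(block) >= threshold else "structured"


def survey(path: str, samples: int = 256, start: int = 0) -> Counter:
    """Classify evenly spaced blocks of a device or image, read-only."""
    result = Counter()
    with open(path, "rb") as dev:
        size = dev.seek(0, os.SEEK_END)  # also works for block devices
        first, last = start // BLOCK, (size - BLOCK) // BLOCK
        n = min(samples, last - first + 1)
        for i in range(n):
            idx = first + i * (last - first) // max(n - 1, 1)
            dev.seek(idx * BLOCK)
            result[classify(dev.read(BLOCK))] += 1
    return result


if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python3 survey.py /dev/sdXN   (placeholder device name)
    for label, count in survey(sys.argv[1]).most_common():
        print(f"{label:12s} {count}")
```

Run it as root from a live system against the locked (unopened) partition. A result that is almost entirely "random-like" is consistent with a random pre-fill, while a large "zero" share shows the free space was left untouched.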