1

Two Questions on Full Disk Encryption

asked 2012-10-08 17:32:15 -0500

Greg1101

I'm completely new to Linux, coming from a long history in Windows, and liking it so far, though I have a couple of questions on the encryption. I know already nothing is foolproof whatsoever and know all about faults and weaknesses.

When I set up and installed Fedora on my laptop's hard drive I set it up to use the entire hard drive, encrypt the drive and use LVM. So here are my questions.

  1. Did it encrypt the entire physical hard drive or just the Boot? When using PGP in Windows and Mac their whole Disk Encryption took hours to secure the disk. This seemed to take minutes or maybe even seconds. I want to ensure the entire physical drive is encrypted, from boot to operating system to my files and even free space. I also wanted to make sure this wasn't just a login password where nothing was actually encrypted behind it.
  2. My next question is how do I change that passphrase that prompts on booting if or when I decide to?

Thanks much! Greg


1 Answer

4

answered 2012-10-08 20:36:19 -0500

sten

1) Everything except /boot is encrypted. What you did was create an encrypted device, which then was given to the Linux logical volume manager. This took no noticeable amount of time because you weren't actually encrypting data at the time, you were just telling the device to do writes through the encryption layer. The logical volume was empty, and then you filled it with lovely Fedora stuff by completing the install. If you're not shy of the command line, run "sudo pvdisplay" - it will show you the name of your encrypted device as /dev/mapper/luks-<some hexadecimal gibberish>. LUKS stands for Linux Unified Key Setup.

2) You can't actually change the password. What you can do is create a new one, and destroy the old one. As root:

cryptsetup luksAddKey /dev/mapper/luks-<hex stuff>
cryptsetup luksDelKey /dev/mapper/luks-<hex stuff> 0

This assumes the old key was at slot 0. Take a look at the manpage for cryptsetup for more.


Comments

@sten How do I find what device I use in the commands to change the passphrase/password that I type at every boot? My drive is encrypted, but I don't know what the device for it is.

somethingSomething ( 2014-04-11 02:41:29 -0500 )

I'll add that some disk encryption software takes a while to encrypt the disk because it is also scrubbing the disk with random bits in an effort to further hide your data. Fedora's implementation during anaconda doesn't do this (which is okay unless you need very high security, at which point I'd ask why you are trusting anaconda to choose the correct settings for LUKS for you). Instructions for performing full disk encryption outside of anaconda can be found in the Security Guide located at https://docs.fedoraproject.org.

sparks ( 2014-04-11 09:07:42 -0500 )
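
For the question in the comments about finding the device: the following is an added example, not part of the original answer or comments. It looks up which block device backs a /dev/mapper/luks-... mapping by reading crypttab-format lines; cryptsetup's key-slot commands act on that backing device, where the LUKS header lives. The function names are hypothetical, and the UUID and sample file contents are constructed.

```shell
#!/bin/sh
# Added example: find the block device that holds the LUKS header for a
# /dev/mapper/luks-<uuid> mapping, from crypttab-format lines
# (fields: mapping-name  source-device  keyfile  options).

# Constructed sample of what an installer-written /etc/crypttab looks like.
sample_crypttab() {
    cat <<'EOF'
# constructed sample, not from a real system
luks-11111111-2222-3333-4444-555555555555 UUID=11111111-2222-3333-4444-555555555555 none
swapcrypt /dev/sda3 /dev/urandom swap
EOF
}

# luks_source NAME [FILE]: print the source field for mapping NAME.
# Accepts either "luks-<uuid>" or "/dev/mapper/luks-<uuid>".
# Returns non-zero when the mapping is not listed.
luks_source() {
    name=${1#/dev/mapper/}
    file=${2:-/etc/crypttab}
    awk -v n="$name" '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        $1 == n { print $2; found = 1; exit }
        END { if (!found) exit 1 }
    ' "$file"
}

# resolve_source SPEC: turn "UUID=<uuid>" into its udev symlink path;
# plain device paths are passed through unchanged.
resolve_source() {
    case $1 in
        UUID=*) printf '/dev/disk/by-uuid/%s\n' "${1#UUID=}" ;;
        *)      printf '%s\n' "$1" ;;
    esac
}

# Typical use as root, with the mapping name that pvdisplay reports:
#   dev=$(resolve_source "$(luks_source /dev/mapper/luks-<uuid>)")
#   cryptsetup luksDump "$dev"        # show which key slots are in use
#   cryptsetup luksChangeKey "$dev"   # swap an existing passphrase for a new one
#   cryptsetup luksKillSlot "$dev" 0  # or: remove slot 0 after luksAddKey
```

Run luksDump before removing any slot so that the slot number being deleted is confirmed to be the old passphrase and not the only remaining one.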

Stats

Asked: 2012-10-08 17:32:15 -0500

Seen: 2,367 times

Last updated: Oct 08 '12