this post was submitted on 18 Oct 2024
How to Encrypt Drives? (self.linux4noobs)
submitted 1 month ago* (last edited 1 month ago) by gpstarman to c/linux4noobs@lemmy.world
 

This is my disk layout:

500 GB Linux - BTRFS

100 GB Windows - NTFS

400 GB Storage - NTFS (shared between Linux and Windows)

I want to encrypt everything. For Linux I can use LUKS2, but what am I supposed to do for Windows? (No BitLocker, please.)

Will VeraCrypt replace the rEFInd boot manager?

Note: I am talking about the one that asks for a password before boot (full encryption).

top 7 comments
[–] kugmo@sh.itjust.works 3 points 1 month ago (1 children)

For FDE including /boot you'll need to use GRUB2. From what I remember it only supports LUKS1 in mainline, so you'll need a GRUB fork that supports LUKS2. The Arch Wiki will have all of that information. For Windows encryption I have no idea if you can use VeraCrypt on your C: partition, but using it on the shared data portion will work. I also remember reading that VeraCrypt slows down the reading and writing of that partition a lot. Again, the Arch Wiki will have that info.

[–] gpstarman 2 points 1 month ago
[–] Maiq@lemy.lol 1 points 1 month ago (1 children)

I don't know if there is disk encryption for Windows, or anything about it.

If GRUB is installed, GRUB should load instead of the Windows bootloader, forcing you to decrypt before your boot selection. This will give the appearance that Windows is encrypted by LUKS.

[–] ArcaneSlime@lemmy.dbzer0.com 3 points 1 month ago (1 children)

But if Secure Boot is off (or is turned off because you didn't set a pass), and someone boots any live distro*, the Linux disk will still require a pass but the Windows disk still won't, right?

I know when I boot into a live distro on a Win10 PC I have without FDE, I can mount the HDD and bypass my Windows passkey. What I don't know is if dual booting Linux off the same drive would behave the same, where you could still then mount the Windows partition. I figure separate drives would function the way I expect.

*Any distro except Tails which blocks you from mounting the actual hdd for security reasons of course.

[–] Maiq@lemy.lol 3 points 1 month ago (2 children)

My explanation above just gives the illusion of entire computer encryption.

Say you have a separate HD for each OS, each with bootloaders on their drives. To bypass GRUB running luksopen you can boot directly into Windows in the BIOS; in this instance the Windows bootloader will be used to load Windows. However, if your BIOS is set to boot your Linux HD and GRUB has successfully found your Windows drive and created a boot entry for it, it should be selectable after LUKS decryption. This can give the illusion that Windows is encrypted while not really being so to an advanced user. There is nothing preventing you from mounting Windows, as it's not really encrypted; it's just the way GRUB loads LUKS before OS selection. If I remember correctly, systemd-boot loads OS selection before luksopen, giving no appearance of encryption till after your OS selection, so you should be able to boot Windows without the false sense of drive decryption.
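
An added example, not part of the thread: a way to check the point made in the comment above, that a LUKS prompt in GRUB says nothing about whether the Windows or shared NTFS partition is encrypted. It classifies a partition by the signature at its start; the function names and the sample headers are constructed for illustration, and `classify_device` assumes read access to the device node or image file.

```python
import struct

# On-disk signatures checked against the first bytes of a partition.
LUKS_MAGIC = b"LUKS\xba\xbe"   # LUKS1/LUKS2 header at offset 0
NTFS_OEM = b"NTFS    "         # plaintext NTFS boot sector, OEM ID at offset 3
BITLOCKER_OEM = b"-FVE-FS-"    # BitLocker volume, OEM ID at offset 3
BTRFS_MAGIC = b"_BHRfS_M"      # btrfs superblock (64 KiB) + 0x40
BTRFS_OFFSET = 0x10040
READ_LEN = BTRFS_OFFSET + len(BTRFS_MAGIC)


def classify(head: bytes) -> str:
    """Classify the leading bytes of a partition by its signature."""
    if head[:6] == LUKS_MAGIC and len(head) >= 8:
        # The LUKS version is a big-endian uint16 right after the magic.
        version = struct.unpack(">H", head[6:8])[0]
        return f"encrypted (LUKS{version})"
    if head[3:11] == BITLOCKER_OEM:
        return "encrypted (BitLocker)"
    if head[3:11] == NTFS_OEM:
        return "PLAINTEXT (NTFS)"
    if head[BTRFS_OFFSET:BTRFS_OFFSET + 8] == BTRFS_MAGIC:
        return "PLAINTEXT (btrfs)"
    return "unknown (no known signature)"


def classify_device(path: str) -> str:
    """Read the start of a block device or image file and classify it."""
    with open(path, "rb") as dev:
        return classify(dev.read(READ_LEN))


def sample_layout() -> dict:
    """Constructed headers mimicking the post's layout (not real disk data)."""
    luks2 = LUKS_MAGIC + struct.pack(">H", 2) + bytes(504)
    ntfs = b"\xeb\x52\x90" + NTFS_OEM + bytes(501)
    btrfs = bytes(BTRFS_OFFSET) + BTRFS_MAGIC
    return {"linux": luks2, "windows": ntfs, "storage": ntfs, "bare-btrfs": btrfs}


if __name__ == "__main__":
    for name, head in sample_layout().items():
        print(f"{name:12} {classify(head)}")
```

A VeraCrypt volume carries no plaintext signature, so it is reported as unknown rather than as NTFS.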

[–] ArcaneSlime@lemmy.dbzer0.com 2 points 1 month ago

Ah ok, gotcha thanks!

[–] gpstarman 2 points 1 month ago

So, it's not possible on rEFInd too, right? Similar to systemd-boot?

I like rEFInd's appearance, but it seems that GRUB2 has lots of tech support and also theming (still will prefer rEFInd for looks).