My laptop isn’t under my supervision most of the time. And I’d hate it if someone were to steal my SSD, or whole laptop even, when I’m not around. Is there a way to encrypt everything, but still keep the device in sleep, and unclock it without much delay. It’s a very slow laptop. So decryption on login isn’t viable, takes too long. While booting up also takes forever, so it needs to be in a “safe” state when simply logged out. Maybe a way that’s decrypt-on-demand?

I’m on Arch with KDE.

  • sudo
    link
    fedilink
    arrow-up
    41
    arrow-down
    2
    ·
    3 months ago

    The standard route is to decrypt on boot. It happens after GRUB but before your display manager starts. IDK if there even is a setup that has you “decrypt on login”. Thats sounds like your display manager (sddm for KDE) is decrypting system which is not possible IMO.

    Unless your laptop somehow has multiple drives you’ll want to use the “LVM on LUKS” configuration. 1 small partition for /boot. The rest gets LUKS encrypted, and an LVM group is put on the LUKS container. Or you could replace LVM with btrfs.

    This will require wiping your system and reinstalling so you have some reading to do.

    The arch-install script in the live iso has options for full disk encryption.

    If you suspend to RAM your system will stay unencrypted, because your ram is not encrypted. if you suspend to disk (aka hibernate) your system will be encrypted. You go through the boot loader when waking from hibernation but it just drops you off where you left off.

    You need a swapfile for hibernation so make sure its inside the LUKS container.

    • Leaflet@lemmy.world
      link
      fedilink
      English
      arrow-up
      10
      ·
      3 months ago

      There is a way for just your home folder to be encrypted, Linux Mint has it as an option.

      • sudo
        link
        fedilink
        arrow-up
        6
        arrow-down
        3
        ·
        3 months ago

        Looks like they use eCryptFS. Never heard of it before so thats neat. I can see using it on systems where you can’t reinstall the system with Dm-crypt but it most cases I suspect Dm-crypt is a better alternative.

        Idk if its faster or slower than Dm-crypt.

    • JubilantJaguar@lemmy.world
      link
      fedilink
      arrow-up
      3
      ·
      3 months ago

      To add to the comments, most distros do not offer FDE by default when installing. You have to jump thru hoops. No idea why this is still the case given how many consumer computers are laptops these days, it seems crazy.

      The big exception seems to be PopOS, an Ubuntu derivative which is intended for laptops. FDE by default so it must be pretty easy to get that up and running.

      Ubuntu itself has a solid FDE option on install, too. It sets up the LVM configuration as already described, no expertise needed. And IME works very reliably.

      • cspiegel@lemmy.world
        link
        fedilink
        arrow-up
        2
        ·
        3 months ago

        openSUSE also has a simple FDE setup. Just check a box and enter a passphrase during install. It’s not default, but it’s about as easy as possible to set up.

        • JubilantJaguar@lemmy.world
          link
          fedilink
          arrow-up
          1
          ·
          3 months ago

          Useful to know, thanks.

          For the record, I once had a bad experience with the Debian installer’s version. That is why I will not be trying Debian again. Installation is a moment of vulnerability, when you don’t have ready access to your data, or the network, and this is one extra factor. IMO it really is non-negotiable for a distro to provide a bulletproof installation experience.

      • sudo
        link
        fedilink
        arrow-up
        1
        arrow-down
        1
        ·
        3 months ago

        I’m pretty sure all the major distros have FDE as an option in the installer its just never on by default. Fedora does the same but with BTRFS on LUKS. I’m sure Debian does. Someone else says OpenSuse does. Maybe some derivative distros don’t but I suspect the ones with an graphical installer do.

        • JubilantJaguar@lemmy.world
          link
          fedilink
          arrow-up
          1
          ·
          3 months ago

          its just never on by default

          Except PopOS, as I understand it. IMO that is a major point in its favor and against its competitors, given the dominance of laptops today. I see no reason why this is still opt-in, rather than opt-out as on mobile OSs.

          • sudo
            link
            fedilink
            arrow-up
            2
            arrow-down
            1
            ·
            3 months ago

            I think PopOS can safely assume that its being installed on a laptop with only one drive. If there’s multiple drives involved then the setup gets far more complicated as you then must go to something like an LUKS on LVM setup. Basically, for a desktop there’s no safe defaults for FDE.

            • JubilantJaguar@lemmy.world
              link
              fedilink
              arrow-up
              1
              ·
              3 months ago

              Sure, but in that case the default encryption could easily be switched off for multiple-drive setups. Basically, the default setting is what’s important.

      • jwt
        link
        fedilink
        arrow-up
        6
        ·
        edit-2
        3 months ago

        Keep in mind an unencrypted /boot partition still leaves you open to an evil maid attack. I’m not really paranoid (or interesting) enough that I feel the need to take measures to prevent those kinds of attacks, but your situation may differ.

      • Ark-5@lemmy.blahaj.zone
        link
        fedilink
        arrow-up
        2
        ·
        3 months ago

        Dreams of Code on YouTube has a video for a full start to finish arch install specifically including full disk encryption. While my computer is far from “slow” it’s also nothing crazy, and other than adding a second password to my bootup process, the decrypting really doesn’t take long.