Full disk encryption, partition encryption, encryption of individual directories and files
Probably everyone has come across encrypted files that require a password to view. These could be archives or office files. With VeraCrypt you can encrypt folders and files very securely.
Of course, all of this is available on Linux as well. You can create encrypted archives, install VeraCrypt or another program to encrypt files and folders.
In addition to this approach to encryption, Linux installers offer full disk encryption. The bottom line is that all data on the disk is encrypted. When the computer starts up, the bootloader prompts you to enter a password to decrypt the disk. If the password is correct, then the disk is decrypted and the computer continues booting and working. With this approach, you do not need to think about encrypting individual files – everything is encrypted, so there is no danger that something can be copied from a turned off computer.
The downside of this approach is that encryption slows down the system a little, since data processing (encryption/decryption) is required when reading and writing data to disk.
Another danger is that if a disk (file system) fails, there is a possibility of losing data, or you will need to boot from a Live OS to perform disk recovery operations.
Partition encryption is an intermediate option. For example, why encrypt the root filesystem and binaries that are the same for all users? However, many users would like to encrypt their folder in the /home directory. The result is a good compromise: on the one hand, the really important data is encrypted, but the system does not slow down, since its files are mostly not encrypted.
How disks and partitions are encrypted in Linux
Of course, disk and partition encryption in Linux can be used without understanding the technical details. For example, you can see in the screenshot the option “Guided - use entire disk and set up encrypted LVM”.
If you select it, then most of the encryption setup for the disk (or partition) on which the OS is installed is done automatically; the only difference from a standard installation is that you need to come up with and remember a password to encrypt the disk.
But if problems arise, such as a file system error due to a disk failure, then you cannot simply run fsck and fix the disk errors. Likewise, if you want something other than the default partitioning configuration, it will be difficult to do this without understanding LVM.
Therefore, a few words about programs for full-disk encryption.
Cryptsetup and LUKS are used for encryption.
The Kali Linux installer (and the installers of other Debian-based distributions) offers LVM for creating and managing volumes, and if you choose to encrypt disks or partitions, they will be created using LVM. The LVM technology itself (Logical Volume Manager) primarily provides powerful and flexible tools for organizing disk space: for example, you can create one partition from several disks or resize partitions without rebooting the system. The Kali Linux installer uses LVM for disk partitioning and the familiar Cryptsetup and LUKS for encryption. You need to know this at least because, when a disk failure occurs, depending on the stage at which the failure occurred, before using fsck you may need to decrypt the disk using “cryptsetup open --type luks” and/or activate the volumes using lvchange/vgchange.
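The recovery sequence just described (open the LUKS container, activate the volume group, then run fsck) as a small script intended to be run from a Live OS. This is an added example, not a script from the article or from Kali; the device, mapper and volume names passed to it are hypothetical placeholders. With DRY_RUN=1 the commands are only recorded, which is useful for checking the plan before touching a damaged disk.

```shell
#!/bin/sh
# Added example (not from the original article): recover an LVM-on-LUKS
# filesystem from a Live OS. Device, mapper and VG/LV names are placeholders.
# With DRY_RUN=1 the commands are recorded in $RECORDED instead of executed.

DRY_RUN="${DRY_RUN:-0}"
RECORDED=""

# run: execute a command, or only record it when DRY_RUN=1
run() {
    RECORDED="${RECORDED}${RECORDED:+; }$*"
    [ "$DRY_RUN" = "1" ] && return 0
    "$@"
}

# recover_encrypted_lv DEVICE MAPPER_NAME VG LV
#   DEVICE       the LUKS partition, e.g. /dev/nvme0n1p3
#   MAPPER_NAME  name the decrypted container gets under /dev/mapper
#   VG / LV      volume group and logical volume that hold the filesystem
recover_encrypted_lv() {
    dev="$1"; name="$2"; vg="$3"; lv="$4"
    RECORDED=""
    # 1. decrypt: asks for the passphrase and creates /dev/mapper/$name
    run cryptsetup open --type luks "$dev" "$name" || return 1
    # 2. activate every logical volume in the group found inside the container
    run vgchange -ay "$vg" || return 1
    # 3. check and repair the filesystem; -f forces a full check even when the
    #    journal claims the filesystem is clean. /dev/VG/LV is used rather than
    #    /dev/mapper/VG-LV because the mapper name doubles hyphens in the VG name.
    run fsck -f "/dev/$vg/$lv"
    st=$?
    # fsck exit 0 = clean, 1 = errors were corrected; anything higher is a failure
    [ "$st" -le 1 ] || return "$st"
    # 4. deactivate and close again so the disk is left in a consistent state
    run vgchange -an "$vg" || return 1
    run cryptsetup close "$name"
}

# Typical call on a real system (interactive passphrase prompt):
#   recover_encrypted_lv /dev/nvme0n1p3 nvme0n1p3_crypt kali-vg root
```

Run it with DRY_RUN=1 first and read $RECORDED; only then run it for real against the disk. The fsck exit-code handling matters: treating "errors corrected" (exit 1) as a failure would abort the script before the volume group is deactivated and the container closed.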
Disk encryption password and user account password
At first glance, it might seem that the user's login password (the same password is used for executing commands with sudo and for unlocking the screen, as well as logging in via SSH) and the password for decrypting the disk are very similar. They are both designed to keep your computer safe and secure from unauthorized access.
But in fact, from a practical point of view, these are quite different things. An account password can be easily changed or reset. Any user's password can be changed by any other user who can execute commands with sudo. Even if you do not have administrator rights but you have physical access to the computer, you can reset the password for any user, including root; see the article “How to reset a forgotten login password in Linux” for details.
As for the disk decryption password, everything is different with it: if you forget this password, you will not be able to reset it. In theory, the password can be recovered using brute force, but this takes time and computational resources.
Full disk encryption protects user data more securely than a login password.
That is, the user password can be forgotten, but the disk decryption password must not be forgotten!
How to install Kali Linux with full disk encryption
This is the easiest option to set up and use – the entire drive will be encrypted. For encryption during the Kali Linux installation, as well as for use, you do not need to delve into how it works.
Write the image to a USB flash drive using the cross-platform program Etcher.
Select “Graphical install”.
Select the system language – the installer will be in the same language.
Choose a location – the time zone depends on it.
Select your keyboard layout.
Come up with a name for your system.
Leave this field blank.
Enter the user's full name – whatever.
Computer username – consists only of lowercase Latin letters and digits. The first character must be a letter.
Password for your user.
This choice affects the time zone.
To encrypt the entire disk where Kali Linux will be installed, select “Guided - use entire disk and set up encrypted LVM”.
Select the drive for encryption and OS installation.
Select “All files in one partition (recommended for new users)”.
At this stage, the installer will write the new partitioning to the disk, make sure you select the correct disk, as all data will be deleted from it. If everything is correct, then select “Yes”.
The partition to be encrypted is filled with random data – this process takes time.
Enter the password twice that will encrypt the partition – if you forget this password, it will be impossible to recover it and access to the disk will be impossible!
Specify how much disk space you want to allocate for an encrypted partition with an installed OS.
Here you can check the layout of the partitions – you can leave everything as it is.
Select “Yes”.
Select your desktop environment and set of tools.
Installation is complete, restart your computer.
When starting Kali Linux, you need to enter a password to decrypt the partition.
You will also need to enter your username and password to login.
Content of /etc/fstab file:
List of block devices:
How to install Kali Linux with encrypted user's home folder
Encrypted user folder and unencrypted system files are a good option if you want to keep your files safe but don't want to be faced with a loss in system performance.
This example will completely encrypt the /home folder. The OS partition and the encrypted partition will fit on the same disk, although you can place them on different disks.
How to install Kali Linux with encrypted user's home folder (auto-partitioning)
The installer has a template for encrypting the user's home folder and it is perfect for novice users – the default settings are quite acceptable, the setup is very simple.
The partitioning template has the following parameters:
EFI partition – 500 MB
/boot partition – 500 MB
/ (root) partition – 30 GB
swap (swap partition) – 1 GB
/home partition – all remaining space
Let's dwell directly on the disk layout, since the rest of the installation steps are identical.
When you come to the partitioning of the disks, then select “Guided - use entire disk and set up encrypted LVM”.
Select the drive where the system will be installed.
Select “Separate /home partition”.
We are warned that in order to start creating an encrypted volume, the current partition scheme must be written to the disk – these changes cannot be reversed. Select “Yes”.
The partition to be encrypted is filled with random data – this process takes time.
Enter the password twice that will encrypt the partition.
For automatic partitioning, you can use all or part of the volume group size. If you have little idea about the possibilities of LVM, then just use the entire available size.
An overview of the configured partitions. In this example, the root partition is 30 GB and the /home directory is 224.6 GB.
Click “Finish partitioning and write changes to disk” → “Continue”.
Agree to write data to disk by selecting “Yes”.
How to install Kali Linux with encrypted user's home folder (manual partitioning)
If the above automatic disk layout template with encryption of the home folder does not suit you, then you can configure disk layout manually, below is shown how to do it.
With manual partitioning, remember that for a normal installation you need at least two partitions:
EFI – 200 Megabytes is enough
/ (root of the filesystem) – this is where the OS is installed. If there are no other partitions, then user files will be stored here.
In this example, in addition to the two necessary ones, we will create another partition and encrypt it, this partition will be mounted on the /home path.
Let's dwell directly on the disk layout, since the rest of the installation steps are identical.
When you come to the disk partitioning, then select “Manual”.
Select the drive where the system will be installed.
There is no partition table on the media, we agree to create it, that is, select “Yes”.
We select an unoccupied area (“FREE SPACE”).
Select “Create a new partition”.
The first partition will be EFI, 100-200 Megabytes are enough for it, allocate 200 Megabytes with a margin.
Choose “Beginning”.
In the “Use as” field, select “EFI System Partition”. Then click “Done setting up the partition”.
Select “FREE SPACE” again.
Choose “Create a new partition”.
Select the size of the partition. This partition will be the root one, OS files will be installed on it and programs will be installed here. It is not recommended to make this partition less than 20 Gigabytes.
We choose “Beginning”.
In the “Use as” field, select “Ext4 journaling file system”. Select “/” for “Mount point”. Then click “Done setting up the partition”.
Now let's move on to creating an encrypted partition. Select “Configure Encrypted Volumes”.
We are warned that in order to start creating an encrypted volume, the current partition scheme (the two partitions that we have just created) must be written to the disk – these changes cannot be reversed. Select “Yes”.
Choose “Create encrypted volume”.
We choose where exactly this partition will be placed. Be especially careful if you have multiple drives. In the screenshot, the free space of the only disk is selected. But if you do not want to use all the free space, then first create a partition of the desired size and select it here. For this partition, in the “Use as” field, select “do not use”.
We select “Done setting up the partition”.
Again, you need to save the current partitioning scheme to disk. Select “Yes”.
I only need one partition, so I choose “Finish”.
We are warned that the selected partition will be overwritten with random data and information from it will be lost. If everything is alright, then select “Yes”.
Enter the password to decrypt the partition.
So far we have only created an encrypted partition that has no volumes or mount points. This is all configurable in LVM.
Go to “Configure the Logical Volume Manager”.
Again, you need to write down the current partition scheme, again “Yes”.
A little theory:
LVM manages three concepts:
Volume groups
Physical volumes
Logical volumes
A volume group is a named collection of physical and logical volumes. Typical systems only need one volume group to contain all the physical and logical volumes on the system, and I like to name my group after the machine. Physical volumes correspond to disks; they are block devices that provide storage space for logical volumes. Logical volumes correspond to partitions: they contain the file system. However, unlike partitions, logical volumes are named rather than numbered, they can span multiple disks, and they do not have to be physically contiguous.
In this step we are creating a volume group, select “Create volume group”.
Come up with a name – you can use the name of your system, but I named it in accordance with the purpose.
Select the device for the new volume group. This device is the encrypted partition created in the previous step.
You need to write down the current partition scheme (“Yes”).
Now choose “Create logical volume”.
Choose a group – it is one.
Name the volume – the name can be arbitrary, but it is in your best interest to use a meaningful name.
Specify the size of the volume.
One volume is enough for me, so I choose “Finish”.
Now you can observe the created volume, but it is not used in any way and no file system is selected for it. Click on the volume record.
In the “Use as” field, select “Ext4 journaling file system”.
Select “/home” for “Mount point”. Then click “Done setting up the partition”.
Finish partitioning the disk, select “Finish partitioning and write changes to disk” → “Continue”.
I am warned that I have not created a swap partition – I have 32 GB of RAM, I do not need a swap partition, so I choose “No”.
We are once again warned that the data will be written to the disk and the information on it will be lost, select “Yes”.
Further installation steps are identical to the first example.
If everything is done correctly, you will be prompted for a password when you turn on the computer.
You can make sure that the list of block devices is exactly as we intended it.
Commands to manage LVM encrypted disks
List block devices:
lsblk
Search for all volume groups:
sudo vgscan
Auto-activation of volume groups:
sudo vgchange -ay
Listing all logical volumes in all volume groups:
sudo lvscan
Auto-activate the specified logical volume:
sudo lvchange -ay /dev/xubuntu-vg/root
The following command decrypts and opens, that is, maps the /dev/nvme0n1p3 partition with the name nvme0n1p3_crypt.
sudo cryptsetup open --type luks /dev/nvme0n1p3 nvme0n1p3_crypt
In fact, the previous command creates a new block device at /dev/mapper/NAME with the decrypted contents; in this case it will be /dev/mapper/nvme0n1p3_crypt. This device can be mounted using the mount command.
Mounting an encrypted partition (after it has been opened with cryptsetup):
sudo mount /dev/mapper/HackWare--Kali--vg-home /home
Configuration file for encrypted block devices:
cat /etc/crypttab
Mount point information is contained in the /etc/fstab file:
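Since /etc/crypttab decides how each encrypted device is located and unlocked at boot, it is worth reading it with a critical eye. Below is an added example (not part of the article and not a Kali tool) that parses crypttab text in its standard “name, source device, key file, options” layout and reports, per entry, whether the source is referenced by a stable UUID or by a bare device path, whether a passphrase or an on-disk key file unlocks it, and whether TRIM (discard) is passed through. The sample file is constructed and its UUID is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original article: a small audit of /etc/crypttab.
# Format per line: <mapper name> <source device> <key file> <options>
# The sample below is constructed; the UUID is a placeholder.

SAMPLE_CRYPTTAB='# <target name> <source device> <key file> <options>
nvme0n1p3_crypt UUID=11111111-2222-3333-4444-555555555555 none luks,discard
sdb1_crypt /dev/sdb1 /root/backup.key luks
'

# audit_crypttab: read crypttab text from stdin and print one report line
# per entry:  NAME device=<stable|path> key=<passphrase|file:PATH> trim=<on|off>
audit_crypttab() {
    while read -r name dev key opts; do
        # skip blank lines and comments
        case "$name" in ''|'#'*) continue ;; esac
        # UUID=/PARTUUID= survives disk renumbering; a bare /dev path can end
        # up pointing at a different disk after hardware changes
        case "$dev" in UUID=*|PARTUUID=*) devkind=stable ;; *) devkind=path ;; esac
        # "none" means the passphrase is asked for at boot; anything else is a
        # key file that must be readable at boot, so its location matters
        if [ "$key" = "none" ] || [ -z "$key" ]; then
            keykind=passphrase
        else
            keykind="file:$key"
        fi
        # discard passes TRIM through to the SSD, which reveals which sectors
        # of the encrypted partition are unused
        case ",$opts," in *,discard,*) trim=on ;; *) trim=off ;; esac
        printf '%s device=%s key=%s trim=%s\n' "$name" "$devkind" "$keykind" "$trim"
    done
}

# count_crypttab_findings: number of entries that use a bare device path or a
# key file; these are the lines an administrator should look at first
count_crypttab_findings() {
    audit_crypttab | grep -c -e 'device=path' -e 'key=file:'
}

# On a real system: audit_crypttab < /etc/crypttab
printf '%s' "$SAMPLE_CRYPTTAB" | audit_crypttab
```

Run it against the real file with `audit_crypttab < /etc/crypttab`. The “path” and “file:” findings are the ones to review: a device path can silently change when a disk is added, and a key file is only as protected as the filesystem it sits on.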