this post was submitted on 02 Sep 2024
76 points (98.7% liked)
Linux
47283 readers
751 users here now
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Rules
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
- No misinformation
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
The standard route is to decrypt on boot. It happens after GRUB but before your display manager starts. IDK if there even is a setup that has you "decrypt on login". Thats sounds like your display manager (sddm for KDE) is decrypting system which is not possible IMO.
Unless your laptop somehow has multiple drives you'll want to use the "LVM on LUKS" configuration. 1 small partition for
/boot. The rest gets LUKS encrypted, and an LVM group is put on the LUKS container. Or you could replace LVM with btrfs.This will require wiping your system and reinstalling so you have some reading to do.
The
arch-installscript in the live iso has options for full disk encryption.If you suspend to RAM your system will stay unencrypted, because your ram is not encrypted. if you suspend to disk (aka hibernate) your system will be encrypted. You go through the boot loader when waking from hibernation but it just drops you off where you left off.
You need a swapfile for hibernation so make sure its inside the LUKS container.
To add to the comments, most distros do not offer FDE by default when installing. You have to jump thru hoops. No idea why this is still the case given how many consumer computers are laptops these days, it seems crazy.
The big exception seems to be PopOS, an Ubuntu derivative which is intended for laptops. FDE by default so it must be pretty easy to get that up and running.
Ubuntu itself has a solid FDE option on install, too. It sets up the LVM configuration as already described, no expertise needed. And IME works very reliably.
I'm pretty sure all the major distros have FDE as an option in the installer its just never on by default. Fedora does the same but with BTRFS on LUKS. I'm sure Debian does. Someone else says OpenSuse does. Maybe some derivative distros don't but I suspect the ones with an graphical installer do.
Except PopOS, as I understand it. IMO that is a major point in its favor and against its competitors, given the dominance of laptops today. I see no reason why this is still opt-in, rather than opt-out as on mobile OSs.
I think PopOS can safely assume that its being installed on a laptop with only one drive. If there's multiple drives involved then the setup gets far more complicated as you then must go to something like an LUKS on LVM setup. Basically, for a desktop there's no safe defaults for FDE.
Sure, but in that case the default encryption could easily be switched off for multiple-drive setups. Basically, the default setting is what's important.