Solved Really struggling with encrypted drive to mount properly

Solved issue
Just did sudo fstrim -v /mnt. Have been doing /mnt/folder after changing mount point. Pointing to the folder didn't work but /mnt alone did. So I do think trim works fine now. My mistake, I guess.

Thank you all very much for taking time out of your day. You all helped solve each problem! :)
 


Apparently just doing /mnt trims root drive. So in other words, other drive still not getting trimmed. I do think maybe somehow the discard option isn't affecting system properly. Since I can't trim /mnt/folder. I am really confused at this point, like everything should work right, crypttab/fstab should be correct.

Did some reading and someone claimed that you should not trim encrypted drives, I'll look into this. If that truly is how it is then I'll not use trim.
 
Figured it out, even figured out auto decrypt together with main drives which is a blessing. I think the only thing it seemed that was missing was having initramfs in crypttab options.

Current crypttab
luks-flower UUID=flower /crypto_keyfile.bin luks,discard,initramfs,keyscript=/bin/cat
Should work fine with none and without keyscript=/bin/cat; I just changed that for the auto decrypt.

Current fstab
/dev/mapper/luks-flower /mnt/folder ext4 defaults 0 2

Further steps for auto decrypt
sudo cryptsetup luksAddKey /dev/nvme1n1p1 /crypto_keyfile.bin
sudo update-initramfs -u -k all

Works like a charm, trim even works now.
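
A read-only check for the setup in the post above, as an added example that is not part of the original thread: it reports which crypttab entries carry the `discard` and `initramfs` options and whether an opened mapping actually passes discards. It assumes the Debian-style crypttab layout shown in the post; the second crypttab entry and the `dmsetup table` line are constructed sample input.

```shell
#!/bin/sh
# Added example (not from the thread). Parses text only; changes nothing.

# crypttab_audit FILE
# Prints one line per crypttab entry: mapping name, whether the `discard`
# and `initramfs` options are present, and whether a key file is used.
crypttab_audit() {
    while read -r name _dev key opts _rest; do
        case "$name" in ''|'#'*) continue ;; esac   # skip blanks/comments
        discard=no; initramfs=no
        old_ifs=$IFS; IFS=,
        for o in $opts; do
            case "$o" in
                discard)   discard=yes ;;
                initramfs) initramfs=yes ;;
            esac
        done
        IFS=$old_ifs
        case "$key" in
            ''|none|-) keysrc=passphrase ;;
            *)         keysrc=keyfile ;;
        esac
        printf '%s discard=%s initramfs=%s key=%s\n' \
            "$name" "$discard" "$initramfs" "$keysrc"
    done < "$1"
}

# dm_allows_discards: reads `dmsetup table <name>` output on stdin and
# succeeds only if the crypt target was opened with allow_discards.
dm_allows_discards() {
    grep -Eq ' crypt .* allow_discards( |$)'
}

# Constructed sample input: the crypttab line from the post plus a
# passphrase-only entry, and a constructed dmsetup table line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# <name> <device> <keyfile> <options>
luks-flower UUID=flower /crypto_keyfile.bin luks,discard,initramfs,keyscript=/bin/cat
luks-other UUID=other none luks
EOF
crypttab_audit "$sample"
rm -f "$sample"

echo '0 1000000 crypt aes-xts-plain64 :64:logon:cryptsetup:sample-d0 0 259:5 32768 1 allow_discards' \
    | dm_allows_discards && echo 'mapping passes discards'
```

On a live system, run `crypttab_audit /etc/crypttab` and pipe `sudo dmsetup table luks-flower` into `dm_allows_discards`; a mapping without `allow_discards` is one that fstrim cannot trim through.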
 
Did some reading and someone claimed that you should not trim encrypted drives, I'll look into this.
There's two reasons. The first is trimming zeros data blocks and thereby gives away which sectors are occupied. This enables specific attacks against the encryption and is the reason trim never made it to default with cryptsetup. I would not overstress this (an attacker must be able to observe changes to the drive, i.e. have full access to it), but that was what you were reading.

The second is there is indeed quite a number of hardware where trim functionality is (half-) defective in the firmware, yet vendors don't update it. So, defaulting to a trim (also non-encrypted) can actually damage data on such (mostly older) drives, when the firmware hits a bug. The Linux kernel utilities actually maintain a blacklist of such faulty drive models (and big vendors are in there!). With that it got safer to trim, but keep in mind it is a manually maintained list.
 
There's two reasons. The first is trimming zeros data blocks and thereby gives away which sectors are occupied. This enables specific attacks against the encryption and is the reason trim never made it to default with cryptsetup. I would not overstress this (an attacker must be able to observe changes to the drive, i.e. have full access to it), but that was what you were reading.

The second is there is indeed quite a number of hardware where trim functionality is (half-) defective in the firmware, yet vendors don't update it. So, defaulting to a trim (also non-encrypted) can actually damage data on such (mostly older) drives, when the firmware hits a bug. The Linux kernel utilities actually maintain a blacklist of such faulty drive models (and big vendors are in there!). With that it got safer to trim, but keep in mind it is a manually maintained list.
Good to know thanks!

Thanks again to everyone who has taken their time.
 
Perhaps I'm daft. But this is EXACTLY why I never bother with encryption. The supposed security benefits are FAR outweighed - to my mind - by the never-ending hassles generated by the use of it....

Then again, with Puppy's built-in security model, it's pure overkill for us anyway.

Each to their own! :D


Mike. ;)
 
Hi @MikeWalsh, I don't bother with encrypting my drive either, as we both know no OS is totally safe no matter what you do, I have my firewall set high, my browser and mail filter high, if anyone gets through that they are welcome to the picture of me in my skiddies.
 
@Brickwizard :-

I can perhaps see the sense in it for enterprise. After all, they have to protect a lot of personal data that doesn't belong to them.

But for the average home user.......nnghh. I think you're just creating a rod for your own back, further down the line. You ever forget your password, you are STUFFED.

It's not for me. If others wish to use it, well.....that is of course THEIR choice. The choice IS there. It's up to the individual...

Just don't come crying to ME when things go t*ts-up, that's all.....'cos you'll get no sympathy. Sorry an' all that.


Mike. o_O
 
The supposed security benefits are FAR outweighed - to my mind - by the never-ending hassle generated by the setup....
as we both know no OS is totally safe no matter what you do, I have my firewall set high
You 2 are biased based on such opinions from random people that are floating on various places online.

The only security benefit of storage encryption is if your computer or disk gets stolen or physically accessed then nobody can read your data from disk.

It does not protect the data when you're using your computer (or when computer is booted or online) since for that the drive needs to be decrypted.

Many people don't know how to properly handle and treat encryption resulting in data loss, however this is no argument against it, this problem should be resolved with education rather than denial led by such opinions.

And these opinions also include how TPM is not needed as well, which is a popular opinion among Linux users.
Why?
First because it was MS who insisted that their OS require TPM but since this doesn't apply to Linux the Linux world (especially influences on YT from what I've watched) deemed TPM "useless and totally not needed for Linux".

Second reason is that it can in the same way result in data loss due to lack of education, but again what an argument is that?
Lack of education is not an encryption problem.

I can perhaps see the sense in it for enterprise. After all, they have to protect a lot of personal data that doesn't belong to them.

But for the average home user.......nnghh. I think you're just creating a rod for your own back
You never know whether some person needs encryption or not, on the other side of the board there can be a journalist trying to protect something for instance and seeking help how to do it.

But even if it's just a regular user who has nothing to hide using encryption is still useful for education on how to do it.
Even just feeling of having an extra layer of security is good reason why to care about encryption.

--

I have encryption set up on LVM which is slightly harder to set up than regular disk, yet never had any issues with it, and it's not a hassle to set up at all, the whole process takes only about 3-5 minutes during OS installation and you're done until you want to reinstall OS, so I'm not sure why this should be a hassle as there is nothing hard or special to do.
 
@CaffeineAddict :-

Oh, I'll agree with you. In my case, I perhaps AM biased; Puppy, as she comes, OOTB, has such an awkward-to-crack, secure operating 'model' anyway that, for us, encryption honestly IS a step too far......and somewhat pointless. And that can't really be appreciated unless you use Puppy yourself.

Although Linux, in general, is far more secure than Whinedoze, I read no end of posts from people on various fora that are still coming to grief through the use of encryption, and that does make me wonder.......is encryption truly the best solution for this individual?

I will concur that it DOES engender an additional "sense of security" IF and WHEN it's done properly......but so many people are attempting this stuff when they don't HAVE anything that truly needs that degree of protection. It's provided as an option, they think "That sounds good", and then jump on it without really thinking it through, OR having the knowledge to implement it properly. And then they wonder why they come to grief.

Puppy offers the option. But I can't remember the last time anybody actually bothered with it....

Yup; I admit I'm a very atypical Linux user! Horses for courses; we all have different use-cases & requirements.


Mike. ;)
 
Puppy, as she comes, OOTB, has such an awkward-to-crack, secure operating 'model' anyway that, for us, encryption honestly IS a step too far
Out of curiosity I've read about how puppy works here
On shutdown, any changes in the RAM layer are saved to a designated save file or save folder on the boot medium.

This persistence directory on a USB from where puppy saves stuff is apparently not encrypted, so I'm not convinced that puppy doesn't need encryption, in fact this design relating to data encryption could be worse because I'm not really sure how would you go about encrypting persistence storage? is that possible to do with puppy?

I don't think one doesn't need it because puppy uses RAM to load its state because USB is not much different than disk, it can be stolen and it can go into wrong hands so it suffers from same problem as regular OS installation.
 
Many people don't know how to properly handle and treat encryption resulting in data loss, however this is no argument against it, this problem should be resolved with education rather than denial led by such opinions.

Indeed. When it comes to encryption, 'it depends.' Not everything needs to be encrypted, and folks should know how to manage encrypted data properly. For example, people should already be backing up their data, but one piece that's often forgotten is to back up their recovery information.
 
For example, people should already be backing up their data, but one piece that's often forgotten is to back up their recovery information.
Backup is must do yes, BUT, if you backup data that's on encrypted drive to a medium that's not then aren't you defeating the encryption?

The backup should be encrypted as well to maintain confidentiality, but this again means possibility of data loss if one is not careful.
There is no method to keep data encrypted and to also skip personal responsibility.
 
BUT, if you backup data that's on encrypted drive to a medium that's not then aren't you defeating the encryption?

No? You can encrypt at the file level. Heck, you can compress and encrypt it all at the same time.

It will require knowing at least one password. If you can't remember one password, encryption probably isn't for you.

It's also possible to do security by obscurity. You can hide your key/password on paper elsewhere, say in the jacket of a book.

There are many ways to at least obscure it well enough to stop all but the most dedicated person. If it's a government agency, they're just going to beat you with a pipe until you give them the password.
 
The Net is full of people who have encrypted their Drive and now asking for help too...unless the OP is a Secret Agent, there's no reason to do it.
 
You can encrypt at the file level. Heck, you can compress and encrypt it all at the same time.
This is what I'm doing for some files because I forgot to set up encryption on my external HDD used for backup and I'm not in mood to copy everything again, however I'm not sure it's as good as full disk encryption.

If it's a government agency, they're just going to beat you with a pipe until you give them the password.
Yeah, this is sadly true, I've heard about it and is real, although you have to hide something very important to them to become their victim.
 
This is what I'm doing for some files because I forgot to set up encryption on my external HDD used for backup and I'm not in mood to copy everything again, however I'm not sure it's as good as full disk encryption.

I only encrypt data that should be encrypted, especially when it is data in motion. I do not encrypt full drives as I am not in a position that requires that. I have dealt with encrypted drives in the past, but I have no need to do so at this stage in my life.
 
Using encryption, it could be for security, privacy or both combined.

One could say I don't really need encryption and haven't used it since I started using computers until now. I don't really have anything to hide per se, but I do at times have sensitive enough files floating around on the drives that I do want them encrypted. Entire drive encryption would be the most convenient solution, others could benefit from not doing full disk.

For me it all started with encrypting main drive as I am auto logged in there on many applications. Even if I don't have anything to hide I still highly value privacy.

I do think a lot of people might get a good use out of encryption even in general sense. Example like @CaffeineAddict mentioned, theft. It would give peace of mind that they won't have the pleasure of accessing your data.

After getting more and more into computer security and more so with privacy I don't think any of my drives in the future will not be encrypted. There has been no downsides for me other than finding the simple hiding issue (initramfs option), not noticed any performance loss yet, drives have plenty of speed and even if there was performance hit I wouldn't notice it until it is quite huge during normal operation and how drives are being used.
 