Linux filesystem hacks

Various bits of setup for a research machine

Various things I need to know to minimise fuss in reading, writing and moving data.

TRIM for SSDs

There is this whole long story about SSDs and their care and feeding. One needs to enable TRIM for optimal SSD usage; as that link explains there might be security downsides. This friendlier guide soothingly omits any security downsides but is easier to follow.

ExFAT

ExFAT is what big USB drives are formatted as.

I needed to install it on my Ubuntu:

sudo apt install exfat-fuse exfat-utils # interoperability for external drives

NTFS

a.k.a. Talking to Windows filesystems What fancy windows machines are formatted as, and some USB drives too.

Actually worth doing from Linux and I really should write down how I did it but deadlines etc.

Short version: NTFS can be whipped into providing a POSIX-compatible FS, with OK performance and is a good interchange system on a dual-boot Windows/Linux machine. (Although I don’t know how to make it encrypt in a way Windows can understand. Possibly Veracrypt?) ExFAT is also OK and a little bit faster, but does not have flexible case sensitivity FAT32 is a metadata nightmare and causes all sorts of nasty issues. NTFS can be made to not cause these issues, but you need to set it up right.

LVM

Logical Volume manager has been current for a decade, which means that it is one decade newer than what I’m used to. It’s confusing and has a lot of moving parts and its own terminology.

Key terms: physical volume which is the base storage layers (which need not be remotely physical, e.g. it can be anything that emulates a block device AFAICT) volume group which is some aggregation of physical devices I think (but for me the aggregate only ever has one disk in it) and logical volume which is a user-usable virtual partition on top of a volume group on top of a physical volume. AFAICS there is nothing stopping you from nesting LVMs inside LVMs, but it is presumably pointless. More pertinantly, putting LVM inside Encrypted volumes is the modern accepted way to do whole disk encryption for Ubuntu.

Encryption

See encrypting file systems for a run-down on why and general theory etc. There are lots of ways you can do this and lots of levels at whcih to do it.

In Ubuntu, from 19.04 LUKS/dm-crypt whole disk encryption is the default option. For per-user encryption fscrypt seems not too much trouble. It works OK on the desktop.

Downside: you need to type 2 passwords to log in, the hard drive decrypt key, plus the user key. fscrypt doesn’t have this problem; I can log in and use my keychain to decrypt specific user data. But then if my whole disk is not encrypted I am vulnerable to people sniffing the encryption keys from my swap file, so this method is convenient for my attackers as well as me.

Encrypting the whole disk is probably better in the sense that if it is stolen it will be hard to crack it. Both methods are vulnerable to evil maid attacks where someone installs a key-logger on your computer while you are out to lunch.

I probably want to go with LUKS because there is less for me to mess up in that the automatic installer configures it for me, and just deal with the horrible double-password situation.

NB the ubuntu encrypted FS docs are outdated on this issue at time of writing, but are being replaced by an updated Full Disk Encryption howto.

Filesystem stacked encryption

Ideally you want magical transparent encrypted disks which decrypt when they log in. There are lots of user-space encryption methods you could use.

Normal files full of garbled encrypted stuff that magically turn into real data if you enter the passphrase.

Is it worth trying FUSE alternatives, gocryptfs or encfs or will they simply be too slow? Perhaps not. encfs was considered insecure in a famous security audit. It is still considered insecure by Ubuntu in 2019; I’m unclear if the later versions of encfs fix that. fscrypt has also been recommended; I’m not sure where it fits in this hierarchy.

Note that file sync app rclone can encrypt files in local mode and mount the encrypted FS, albeit with some restrictions. That might be a convenient way of doing things, since everyone should always have rclone installed just in case, although it might not be well optimized for this use case.

It’s probably easier to use a friendly GUI; Cryptomator is one cuddly friendly option. zulucrypt seems popular on ubuntu.

All these options are free and simple.

If you do this you probably want to also have your swap memory encrypted in case your computer gets taken by the star chamber, but this requires, AFAICT, kernel-level disk encryption of the swap (see below) which, with things as they currently are, means you still need to have a fancy passphrase to decrypt the machine and thus have an extra password to forget.

Encrypted disk

luks, a.k.a. cryptsetup seems to be a popular whole-partition encryption solution for Linux, working on top of dm-crypt. Possible still messy for the boot partition but otherwise fine if you like full disk encryption. This is the default for Ubuntu now, and it works smoothly except that you need to type in a password every time your boot the machine, and that password must be long and difficult.

See also Veracrypt, which will do this plus bonus extra-crazy tinfoil hat stuff, and has the advantage of working on windows and macOS.

dmcrypt + LVM

If you are using LVM with encryption there are a couple of layers to deal with at once and I get the various steps int he intricate dance confused.

The best how-to guides for fiddly I found were the following.

NB if you are partitioning your entire disk the installer will probably take care of it. It does for Ubuntu. The HOWTOs are only in case of dual-booting Windows.