Various things I need to know to minimise fuss in reading, writing and moving data.
TRIM for SSDs
There is this whole long story about SSDs and their care and feeding. One needs to enable TRIM for optimal SSD usage; as that link explains there might be security downsides. This friendlier guide soothingly omits any security downsides but is easier to follow.
ExFAT is what big USB drives are formatted as.
I needed to install it on my Ubuntu for interoperability with external drives
sudo apt install exfat-fuse exfat-utils
NTFS is what modern Windows machines are formatted as, and some USB drives too.
Short version: NTFS can be whipped into providing a POSIX-compatible FS with OK performance, and is a good interchange system on a dual-boot Windows/Linux machine. (Although I don’t know how to make it encrypt in a way Windows can understand. I can do full POSIX compliance, i.e. be a real Linux drive. Possibly VeraCrypt?) ExFAT is also OK but does not have as many features, lacking e.g. user ownership and flexible case sensitivity. FAT32 is a metadata nightmare and causes all sorts of nasty issues. NTFS can be made to not cause these issues, but you need to set it up right.
Logical Volume Management has been current for a decade, which means that it is one decade newer than what I’m used to. It’s confusing and has a lot of moving parts and its own terminology.
- physical volume, which is the base storage layer (which need not be remotely physical, e.g. it can be anything that emulates a block device AFAICT),
- volume group, which is some aggregation of physical devices I think (but for me the aggregate only ever has one disk in it, so it is some kind of pointless indirection layer over the not-necessarily-physical-volume), and
- logical volume, which is a user-usable virtual partition on top of a volume group on top of a physical volume.
AFAICS there is nothing stopping you from nesting LVMs inside LVMs, but it is presumably silly.
The exception here might be that putting LVM inside encrypted volumes is the modern accepted way to do whole disk encryption for Ubuntu.
More on that shortly.
See encrypting file systems for a run-down on why and general theory etc. There are lots of ways you can do this and lots of levels at which to do it.
Downside: you need to type 2 passwords to log in, the hard drive decrypt key, plus the user key. fscrypt doesn’t have this problem; I can log in and use my keychain to decrypt specific user data. But on the other hand if my whole disk is not encrypted I am vulnerable to people sniffing the encryption keys from my swap file, so this method is convenient for my attackers as well as me. On the third hand, the default 2-password setup does not re-lock the laptop on sleep, so I am still somewhat vulnerable to someone just leaving the damned thing turned on and trying monkey business while the machine has the decryption keys in memory. Also, even trying to set it up in paranoid mode, typing 2 passwords to wake from sleep seems tiresome.
Encrypting the whole disk is probably better in the sense that if it is stolen it will be hard to crack it. Both methods are vulnerable to evil maid attacks where someone installs a key-logger on your computer while you are out to lunch.
I probably want to go with LUKS because there is less for me to mess up in that the automatic installer configures it for me, and just deal with the horrible double-password situation.
Filesystem stacked encryption
Ideally you want magical transparent encrypted disks which decrypt when you log in. There are lots of user-space encryption methods you could use.
Normal files full of garbled encrypted stuff that magically turn into real data if you enter the passphrase.
Is it worth trying FUSE alternatives,
or will they simply be too slow?
encfs was considered insecure in a
famous security audit.
It is still considered insecure by Ubuntu in 2019; I’m unclear if the
later versions of encfs fix that.
fscrypt has also been
I’m not sure where it fits in this hierarchy.
Note that file sync app rclone
can encrypt files in
local mode and
mount the encrypted FS,
albeit with some restrictions.
That might be a convenient way of doing things, since everyone should always
have rclone installed just in case, although it might not be well optimized
for this use case.
All these options are free and simple.
If you do this you probably want to also have your swap memory encrypted in case your computer gets taken by the star chamber, but this requires, AFAICT, kernel-level disk encryption of the swap (see below) which, with things as they currently are, means you still need to have a fancy passphrase to decrypt the machine and thus have an extra password to forget.
LUKS seems to be a popular whole-partition encryption solution for Linux, working on top of
dm-crypt. Possibly still
messy for the boot partition
but otherwise fine if you like full disk encryption.
This is the default for Ubuntu now, and it works smoothly except that you need
to type in a password every time you boot the machine, and that password
must be long and difficult.
See also VeraCrypt, which will do this plus bonus extra-crazy tinfoil hat stuff, and has the advantage of working on Windows and macOS.
If you are using LVM with encryption there are a couple of layers to deal with at once and I get the various steps in the intricate dance confused.
The best how-to guides I found for the fiddly parts were the following.
- Debian encrypted LVM.
- Ubuntu Updated Full Disk Encryption howto, which also discusses how to handle some shortcomings in the installer.
- Ubuntu guide to resizing encrypted partitions
NB if you are partitioning your entire disk the installer will probably take care of it. It does for Ubuntu. The HOWTOs are only in case of dual-booting Windows.
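To keep the layers straight, and to check the swap concern raised earlier, here is an added example (not part of the original notes) that walks the device tree reported by `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT` and flags any swap area or mounted filesystem with no dm-crypt layer beneath it. The device names and the sample tree are constructed for illustration.

```python
import json

# Constructed sample of `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT` output:
# one disk with the LVM-inside-LUKS layout, plus a second disk with plain swap.
SAMPLE_LSBLK = json.loads("""
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "nvme0n1p1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
    {"name": "nvme0n1p2", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
    {"name": "nvme0n1p3", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
      {"name": "nvme0n1p3_crypt", "type": "crypt", "fstype": "LVM2_member", "mountpoint": null, "children": [
        {"name": "vgubuntu-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"},
        {"name": "vgubuntu-swap_1", "type": "lvm", "fstype": "swap", "mountpoint": "[SWAP]"}
      ]}
    ]}
  ]},
  {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "fstype": "swap", "mountpoint": "[SWAP]"}
  ]}
]}
""")

def audit(tree):
    """Return (name, fstype, use, layers, encrypted) per swap area or mounted filesystem."""
    findings = []

    def walk(dev, layers):
        layers = layers + [dev["type"]]          # e.g. disk/part/crypt/lvm
        use = dev.get("mountpoint")
        if dev.get("fstype") == "swap":
            use = use or "swap (inactive)"       # swap that is not currently enabled
        if use:
            encrypted = "crypt" in layers        # a dm-crypt mapping sits underneath
            findings.append((dev["name"], dev.get("fstype"), use, "/".join(layers), encrypted))
        for child in dev.get("children", []):
            walk(child, layers)

    for top in tree["blockdevices"]:
        walk(top, [])
    return findings

def plaintext_swap(tree):
    """Names of swap areas with no dm-crypt layer underneath."""
    return [name for name, fstype, _, _, enc in audit(tree) if fstype == "swap" and not enc]

if __name__ == "__main__":
    for name, fstype, use, layers, enc in audit(SAMPLE_LSBLK):
        print(f"{name:18} {use:10} {layers:22} {'encrypted' if enc else 'PLAINTEXT'}")
    print("plaintext swap:", plaintext_swap(SAMPLE_LSBLK))
```

A swap file, as opposed to a swap partition, does not appear as its own device; it is only as protected as the filesystem that holds it, so check that mount's row instead.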