Encryption in Linux?

Hi, we have a brand new Centos 6.8 build, and after some discussion it seems that there is some interest in securing the entire system using whole disk encryption.

What is/are the best option/s, and is this something that can be done after Centos is installed (like for example PGP WDE in Windows allows you to do the encrypting once the OS is installed), or does it require formatting/starting over from scratch?

Should probably also ask, is there a significant advantage to encrypting the whole disk, rather than just the partition/s containing their sensitive data (which is really what they are concerned with losing)? This is a pretty big physical server so it's not a mobile device/laptop, and these are internal drives, but they're trying to be super cautious with this project.

---------- Post updated 02-07-17 at 06:49 AM ---------- Previous update was 02-06-17 at 06:40 PM ----------

I found what I was looking for, it looks like there is a way to do LUKS in-place conversion but it's not without risks.

Since this is a new system, I'm going to try to talk them into just encrypting partitions where the data will actually be stored, if not I'll just reinstall I guess.

Keep in mind that installing whole-disk-encryption, done right, means having to type in a password to boot (or provide some sort of key via flash drive or other means). Otherwise it just amounts to security by obscurity.

1 Like

I have a personal laptop running Ubuntu 16.04 that has an encrypted volume. In addition to that you can change the ssh port to something other than 22. I use a number well over 1,000. You can try port knocking, I haven't tried this yet, I just know it's possible. You can also turn off passwords and require public/private key based cert logins. Not to mention close ports and turn off daemons that you are not going to use.

I think disk based encryption is great for laptops. But if this is a server and your server room is secure, you should not need this. What happens when there is an unplanned outage and the person/people with the encryption password are not available? Are you going to write the password on a sticky note on the server??? :wink:

1 Like
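Added example, not code from any poster in this thread: a small parser for the plaintext LUKS1 header that sits at the start of a LUKS partition (the format the original poster settled on). Reading it shows which cipher and hash a data partition actually uses and how many of the eight key slots are enabled, which speaks to the last reply's concern about the one person holding the password: a second slot can hold a recovery passphrase. The layout is the standard LUKS1 header; the sample header built here is constructed for offline testing, with zeroed salts and digests.

```python
import struct
import uuid

# LUKS1 header (phdr): 208-byte fixed part, then 8 key slots of 48 bytes each.
# Integers are big-endian, strings NUL-padded. The header itself is stored in the clear.
LUKS1_MAGIC = b"LUKS\xba\xbe"
PHDR_FMT = ">6sH32s32s32sII20s32sI40s"  # magic, version, cipher, mode, hash, payload offset (sectors), key bytes, MK digest, MK salt, MK iterations, UUID
SLOT_FMT = ">II32sII"                   # state, iterations, salt, key-material offset (sectors), AF stripes
KEYSLOT_ENABLED, KEYSLOT_DISABLED = 0x00AC71F3, 0x0000DEAD
HEADER_LEN = struct.calcsize(PHDR_FMT) + 8 * struct.calcsize(SLOT_FMT)  # 592 bytes

def _cstr(b):
    return b.split(b"\0", 1)[0].decode("ascii")

def looks_like_luks1(blob):
    """Cheap check: LUKS magic followed by version 1."""
    return len(blob) >= 8 and blob[:6] == LUKS1_MAGIC and struct.unpack_from(">H", blob, 6)[0] == 1

def parse_luks1_header(blob):
    """Return cipher, hash, master key size and active key slots from a header buffer."""
    if not looks_like_luks1(blob) or len(blob) < HEADER_LEN:
        raise ValueError("not a complete LUKS1 header")
    (_, _, cipher, mode, hashspec, payload_off, key_bytes,
     _digest, _salt, _iters, uid) = struct.unpack_from(PHDR_FMT, blob, 0)
    active, base = [], struct.calcsize(PHDR_FMT)
    for i in range(8):
        state = struct.unpack_from(SLOT_FMT, blob, base + i * struct.calcsize(SLOT_FMT))[0]
        if state == KEYSLOT_ENABLED:
            active.append(i)
        elif state != KEYSLOT_DISABLED:
            raise ValueError("key slot %d has an invalid state word" % i)
    return {
        "cipher": "%s-%s" % (_cstr(cipher), _cstr(mode)),
        "hash": _cstr(hashspec),
        "key_bytes": key_bytes,
        "payload_offset_bytes": payload_off * 512,
        "uuid": _cstr(uid),
        "active_slots": active,
    }

def build_sample_header(active_slots=(0,)):
    """Constructed LUKS1 header for offline testing (zero salts/digests, not from a real disk)."""
    hdr = struct.pack(PHDR_FMT, LUKS1_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                      4096, 64, b"\0" * 20, b"\0" * 32, 1000, str(uuid.uuid4()).encode())
    for i in range(8):
        on = i in active_slots
        hdr += struct.pack(SLOT_FMT, KEYSLOT_ENABLED if on else KEYSLOT_DISABLED,
                           100000 if on else 0, b"\0" * 32, 8 + i * 256, 4000)
    return hdr
```

On a real system the same parser runs over the first 592 bytes read from the partition device (root needed), e.g. `parse_luks1_header(open("/dev/sdb1", "rb").read(HEADER_LEN))`; an active slot count of one means a single lost passphrase locks the data out for good.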