MX Linux Forum

This is an alternative to full disk encryption. Frankly, I don't worry about someone tampering with the operating system. What I care about are data files. Meanwhile, repairing an encrypted system can be difficult. I encrypt a data partition rather than home because (a) it's easier to manage backups; (b) it's easier to share an encrypted data partition on a multi-boot system; and (c) any advantage at reinstall of recycling /home other than data (e.g., config files) can be captured easily by ordinary copy-and-paste. Main drawback of the strategy is that it isn't supported by the MX installer. Can be done manually, though, by anyone moderately comfortable with command line and editing config files.

There are six steps:

1. Partition setup
2. Installation
3. Encrypt data partition
4. Create crypttab file; Edit fstab; Update initramfs
5. Create mount point and symlinks
6. Reboot to test

Partition setup. I do this with GParted in the live session, before running the installer. Main reason is that Step 3 is easier if the partition already exists. For illustration, I'm using a virtual machine (VirtualBox), BIOS boot, with two partitions: 30 GB each for System and Data partition. A real system might have an EFI parition, a larger system partition, a much larger data partition, and/or other partitions besides those three. The system and data partitions do not need to be on the same drive; for example, the system can be on an SSD and the data partiton on a separate HDD.

Installation. Same as usual, except need to use manual method (Customize the disk layout) to preserve the partition table. No home partition; will be a mere directory on the system partition. No need for a swap partition, though it's supported; if none, will get a swap file. I prefer to enable autologin on the user account screen, on the theory the data partition's LUKS password becomes, in effect, the login password.

Encrypt data partition. Shut down live session, then boot into installed system. Can do usual other steps first (e.g., update, setup, Timeshift) or wait until after have set up data partition. For the latter, open Terminal and run three commands in this form: Note: Modify /dev/sda2 if (as is likely) the data partition is located elsewhere. Another label may be used if preferred, e.g., Data-Files, but avoid spaces.

Create crypttab; Edit fstab; Update initramfs. Note: The UUID to copy for crypttab is the LUKS container, in this case sda2, not the decrypted file system. A text editor could be used to create crypttab and edit fstab; tee just seems to me easier. The discard parameter for crypttab is only useful for an SSD (enables trim), but harmless for an HDD; can be omitted for the latter if you prefer things tidy. If using a different mount point (see next), modify the fstab command to match.

Create mount point and symlinks. Note: These commands move the Big Five folders in Home to the data partition, then symlink them back. The upshot is that the folders are visible in Home, but actually located on the data partition. Mounting at /data is non-standard under the Filesystem Hierarchy Standard; /media and /mnt don't really fit either, though, so might as well use something clear and simple. If you prefer to mount in /media or /mnt, that works also; of course, modify the commands to match.

Reboot to test. Main thing we are testing is whether the LUKS password for the data partition (a) is required and (b) sufficient to reach the desktop. Also, open File Manager to make sure the Big Five folders show as symlinks.

Recap. I think it helps understand the process to see how things turn out in the end.
Note: During installation (MX-23), I modified /swap/swap to /swapfile, because that's the standard configuration and works fine with ext4. The change has no relevance to this tutorial; the installer's default would have worked just as well. Likewise, I've set the 'dump' parameter in fstab to zero, because that's what I'm used to; the MX default of '1' is harmless AFAIK.

Other Notes:

If something bad happens to encrypted data, no form of data recovery can help. Don't be the person who says, "Yeah, yeah, I know I should have ... " The backup can be encrypted or not as appropriate under the circumstances.

Other folders in home can be moved to the data partition if you want them to be encrypted. Two likely candidates are .mozilla (for Firefox) and .thunderbird (especially if you like to archive emails). As with the regular Big Five, symlink the folders from the data partition back into home at their usual location.

VirtualBox access. Be aware, VBox's shared folder function cannot access files through symlinks. (This is true whether or not encryption is in play.) If you want guests to have access to the host's data partition, you must specify the mount point (or one-or-more of its sub-folders) as the shared folder. I don't know how other virtualization apps handle symlinks.

Backup LUKS header. The header is the Achilles heel of an encrypted volume. If it gets corrupted, the volume cannot be opened. To backup, sudo cryptsetup luksHeaderBackup /dev/sda2 --header-backup-file luksheader-data. Move from current directory (usually $HOME) to a location where it will be backed up as a matter of course. The header isn't sensitive (can't be read by a hacker), so doesn't need to be saved in an encrypted location. To restore, copy back to current directory and run sudo cryptsetup luksHeaderRestore /dev/sda2 --header-backup-file luksheader-data.

Encrypted system. The procedure described above works fine with system encryption (i.e., encrypting both partitions) if you don't mind entering two passwords (or the same password twice). You can boot with a single password, though, if you mount the data partition with a keyfile saved inside the encrypted system partition. After encrypting the data partition per Step 3, create the keyfile and add as an additional key: In Step 4, replace the crypttab command with echo "Data UUID=<copy-from-lsblk> /root/.keyfile luks,discard" | sudo tee -a /etc/crypttab. crypttab ends up with two lines, one for each partition.

cryptsetup. If not familiar, start with the man page. Then, like most thing Linux, do some research on the internet.

Very good write-up . Two remarks:

1. Another viable data encryption method is VeraCrypt. The main advantage of this is that the encrypted partition can be opened from a Windows system as well (so this is mostly of interest to people who are dual booting). I've done this sharing of a VeraCrypted volume (NTFS-formatted) between Linux and Windows for a number of years but as the number of programs I use in bare-metal Windows (as opposed to Windows in a VM) has dwindled to 2, I very rarely these days boot even into Windows so I now have reformatted the VeraCrypt partition as ext4 (not least because the system runs faster that way).

I would supply everything that's needed to use VeraCrypt instead of LUKS but I am working from a frugal install so I can't really give the level of precise detail that's required for an installed system.

2.

pbear wrote: Fri Jul 21, 2023 11:57 pmVirtualBox access. Be aware, VBox's shared folder function cannot access files through symlinks. (This is true whether or not encryption is in play.) If you want guests to have access to the host's data partition, you must specify the mount point (or one-or-more of its sub-folders) as the shared folder. I don't know how other virtualization apps handle symlinks.

Hm... I may well totally misunderstand what you're talking about but here VBox (both the 6.x and 7.x versions) does support symlinks as shared folders. In fact, my three shared folders are all symlinks and they work perfectly well in the Windows VM. Could you please clarify?

thomasl wrote: Sat Jul 22, 2023 7:54 am VBox (both the 6.x and 7.x versions) does support symlinks as shared folders. ...

depends on how the module is loaded ... regards

l0dr3

Thanks, @l0dr3, for that.

Didn't know this (or if I did, have long forgotten ). Not sure what the OOTB state is but in my case VBox has always accepted symlinks... but then again, my original install is many years old so I may well have fiddled with this.

thomasl wrote: Sat Jul 22, 2023 7:54 am Two remarks:

Thanks for the kind words.

VeraCrypt. Good point. I used to use the app (for sharing between Linux and Window) and it's very good. Also, I've noticed in my reading that it's supported by cryptsetup, so I assume can be set up to automount the same as a LUKS-encrypted data partition. Have never had occasion to work out details, though. If anyone knows and wants to post, please feel free to post in this thread.

VirtualBox. A bit off-topic, actually. I slipped that in at the last moment because I was brain-storming 'What can go wrong?' Maybe there's a way to get symlinks to work in a VBox guest, but my uniform experience, confirmed last night with MX-23 and VBox 7.0.8, is that a shared folder can't access files through a symlink. Again, if anyone knows a workaround, please feel free to post in this thread.

pbear wrote: Sat Jul 22, 2023 11:58 am Thanks for the kind words.

VeraCrypt. Good point. I used to use the app (for sharing between Linux and Window) and it's very good. Also, I've noticed in my reading that it's supported by cryptsetup, so I assume can be set up to automount the same as a LUKS-encrypted data partition. Have never had occasion to work out details, though. If anyone knows and wants to post, please feel free to post in this thread.

VirtualBox. A bit off-topic, actually. I slipped that in at the last moment because I was brain-storming 'What can go wrong?' Maybe there's a way to get symlinks to work in a VBox guest, but my uniform experience, confirmed last night with MX-23 and VBox 7.0.8, is that a shared folder can't access files through a symlink. Again, if anyone knows a workaround, please feel free to post in this thread.

Very nice post! I am also a veracrypt fan and prefer to use that for real encrypted areas. My main reasons... its portable and also I can mount it when and if I need too.

And I agree with the VB symlink issue, I have never been able to get them to work.

CharlesV wrote: Sat Jul 22, 2023 12:50 pm And I agree with the VB symlink issue, I have never been able to get them to work.

I can say (just checked), definitely, symlink-resolving works with VBox v6.1.38 on Windows-HOST with Windows-GUESTs.

Probably they won't work in

a.)Windows-Linux
b.)VBox V7.x.x

scenarios

???

l0dr3

For me:
__ Linux host & guest
__ Shared VB directory
__ In that shared directory a symlink to a another directory.

all works on the host. In the guest, there is a file with the symlink arrow and an X . When clicked, thunar asks how to open it - nothing works.

Well, as I wrote in post #2, both my Linux hosts (VBox 6.1 on MX19 and VBox 7.0 on MX23) support symlinks as shared folders for a Windows7 and a Windows10 VM (and did so for a long time). I have to the best of my knowledge not changed any settings in VBox to get there... though I could have done so and clean forgot about it.

I agree with @pbear that a VeraCrypt version would be great... perhaps someone with the know-how can provide that.

CharlesV wrote: Sat Jul 22, 2023 1:14 pm For me:
__ Linux host & guest
__ Shared VB directory
__ In that shared directory a symlink to a another directory.

all works on the host. In the guest, there is a file with the symlink arrow and an X . When clicked, thunar asks how to open it - nothing works.

confirm that - just tested: MX23-HOST vs. MX23-Guest: broken symlink

Not my 'trouble spot' ATM, but here are the links that helped me to make it run in WIN-WIN scenario

https://www.speich.net/articles/en/2018 ... -guest-os/
https://superuser.com/questions/124679/ ... ser#125981

regards

l0dr3

with

on-guest: /etc/modprobe.d/vboxsf.conf

options vboxsf follow_symlinks=1

on-host:

VBoxManage setextradata "Libretto-x64-RC1" VBoxInternal2/SharedFoldersEnableSymlinksCreate/~shares 1

SUCCESS!

regards

l0dr3

l0dr3 wrote: Sat Jul 22, 2023 1:59 pm SUCCESS!

Excellent, thank you. So, there are two ways to do shared folders on a Linux host with a data partition + symlinks. Users may employ whichever they think is easier and/or more intuitive.