
Configure Data Encryption for Linux Devices

Linux devices can be encrypted in one of two ways: 

  • Full-disk encryption: Encrypting the block device before it is mounted on the system.
  • File-based encryption: Encrypting only a folder or file using native filesystem features. 

Full-disk encryption is preferred, because the system is inaccessible until the encryption passphrase is entered. Additionally, fscrypt doesn't encrypt filesystem metadata other than filenames, whereas full-disk encryption ensures everything written to the disk is encrypted. After reviewing this content, you should know how to encrypt the entire disk, as well as how to encrypt only the home directories on your system.

探花大神 Admins can create and apply a Linux Check Disk Encryption Policy to one device or a group of devices, helping secure their data and sensitive information across their fleet of JC-managed Linux systems. Without this policy, an admin would need to manually track which devices require encryption and verify whether they are encrypted to ensure proper data security and compliance. With 探花大神's Linux Check Disk Encryption Policy, admins can specify which devices to encrypt and, more specifically, whether the devices require only managed home directories or full disk encryption (FDE). Once the policy is applied, the administrator will be notified if any of the targeted devices don't meet the encryption requirements.

Considerations:

  • The Linux Check Disk Encryption Policy can be applied to any JC-supported Linux distribution.
  • Due to the nature of Linux FDE and the need to enforce FDE during initial system configuration, disk encryption still needs to be manually enabled on the device. However, 探花大神 provides recommended disk encryption methodologies and guided instructions for encrypting your Linux systems.
  • While the Linux Check Disk Encryption Policy doesn't encrypt the data on the targeted device(s), it will notify the administrator if any of the targeted devices don't comply with the configured policy.
  • This policy supports Linux Unified Key Setup (LUKS) and fscrypt.

Full Disk (Block Device) Encryption (FDE)

FDE protects the data on a block device by encrypting it. To access the device's decrypted contents, a user must provide a passphrase or key as authentication. This provides additional security beyond existing operating system security mechanisms, as it protects the device's contents even if the disk is physically removed from the system. FDE is implemented using LVM (Logical Volume Management) for disk management and LUKS (Linux Unified Key Setup) encryption in all modern distro installer wizards.

Introduction to LUKS

As a system administrator, you can encrypt your device's storage devices using LUKS, which is a specification for block device encryption. It establishes an on-disk format for the data, as well as a passphrase/key management policy.

LUKS uses the kernel device mapper subsystem with the dm-crypt module. This arrangement provides a low-level mapping that handles encryption and decryption of the device data. You can use the cryptsetup utility to perform user-level operations such as creating and accessing encrypted devices.
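The policy described earlier reports whether a device meets its encryption requirement; the dm-crypt mapping described here is what such a check looks for. The following script is an added example, not 探花大神's agent code: it walks the block-device stack that `lsblk` reports (using the `PKNAME` parent column) from the root filesystem downward and reports whether any layer is a dm-crypt mapping. The device names and sample `lsblk -P` output are constructed.

```shell
#!/bin/sh
# Added example: decide whether "/" is backed by a LUKS/dm-crypt layer by
# walking lsblk's parent chain. Sample data below is constructed (assumed
# names), modelled on a typical LVM-on-LUKS installer layout.
SAMPLE_ENCRYPTED='NAME="nvme0n1" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi" PKNAME="nvme0n1"
NAME="nvme0n1p2" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/boot" PKNAME="nvme0n1"
NAME="nvme0n1p3" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="nvme0n1"
NAME="dm_crypt-0" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT="" PKNAME="nvme0n1p3"
NAME="vg-root" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="dm_crypt-0"'

# Same shape with no crypt layer: plain LVM on an unencrypted partition.
SAMPLE_PLAIN='NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" FSTYPE="LVM2_member" MOUNTPOINT="" PKNAME="sda"
NAME="vg-root" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="sda2"'

# root_is_luks_encrypted "<lsblk -Pno NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME output>"
# Exit 0 if some ancestor of the "/" device has TYPE="crypt", 1 if not,
# 2 if no row is mounted at "/".
root_is_luks_encrypted() {
    printf '%s\n' "$1" | awk '
        {
            name = ""; kind = ""; mnt = ""; parent = ""
            for (i = 1; i <= NF; i++) {          # KEY="value" pairs
                split($i, kv, "=")
                v = kv[2]; gsub(/"/, "", v)
                if (kv[1] == "NAME") name = v
                else if (kv[1] == "TYPE") kind = v
                else if (kv[1] == "MOUNTPOINT") mnt = v
                else if (kv[1] == "PKNAME") parent = v
            }
            kinds[name] = name ? kind : kind
            parents[name] = parent
            if (mnt == "/") root = name
        }
        END {
            if (root == "") exit 2
            # Follow PKNAME links: lvm -> crypt -> part -> disk.
            for (n = root; n != ""; n = parents[n])
                if (kinds[n] == "crypt") exit 0
            exit 1
        }'
}

# On a live host, replace the sample with:
#   root_is_luks_encrypted "$(lsblk -Pno NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME)"
if root_is_luks_encrypted "$SAMPLE_ENCRYPTED"; then echo "sample 1: root on LUKS"; fi
if root_is_luks_encrypted "$SAMPLE_PLAIN"; then :; else echo "sample 2: root NOT encrypted"; fi
```

Only the root filesystem is checked; a policy that also requires encrypted home directories would additionally need to inspect the device or fscrypt status for /home.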

What LUKS Does

  • Encrypts entire block devices, making it well-suited for protecting the contents of mobile devices, such as removable storage media or laptop disk drives.
  • Can encrypt swap devices, since the contents stored on an encrypted block device are arbitrary. This is also convenient for certain databases that use specially formatted block devices for data storage.
  • Uses the existing device mapper kernel subsystem.
  • Provides passphrase strengthening, which protects against dictionary attacks.
  • Allows devices to contain multiple key slots, permitting users to add backup keys or passphrases.

Note: LUKS is not well suited for file-level encryption, or for applications that require more than eight users to hold distinct access keys to the same device.

How to Enable LUKS Encryption

In general, you can enable LUKS encryption using LVM partition management during the initial installation of your distribution of choice.

Ubuntu

Note:

For a more fully encrypted disk, you can follow this in-depth wiki article: . However, the standard Ubuntu installer option is sufficient for most users, and the tradeoff for usability is acceptable.

Ubuntu 16.04, 18.04 LTS releases:

Installer UI for Ubuntu 16.04, 18.04 LTS

Ubuntu 20.04 LTS:

Installer UI for Ubuntu 20.04 LTS

Ubuntu 20.10 (currently unsupported by JC) and newer versions:

Installer UI for Ubuntu 20.10 and newer versions

Note:

Ubuntu supports native ZFS encryption in 20.10 and up, which is not yet supported by 探花大神.

Fedora

Note:

For a more fully encrypted disk, you can follow this in-depth wiki article: . However, the standard installer option is sufficient for most users, and the tradeoff for usability is acceptable.

Installation UI for Fedora 34

Red Hat Enterprise Linux (RHEL)

Installation UI for RHEL 8.4

Rocky

Note: Rocky Linux uses the same installer as Fedora and CentOS.