This stage relates to testing full-disk encryption using VeraCrypt.
Environment & required functionality
Full-disk encryption needs to run on the following machines:
- The Linux Mint Xfce 18.3 laptop "Gandalf";
- The Windows 10 laptop "Legolas".
The objective is to protect user data if the machine itself is physically
stolen, as an additional line of defence against disclosure of the data on it.
(It is no defence against data loss; backups cover that.)
This is probably more important for Windows than for Linux
Mint. Even so, in both cases the operating system is likely to log activity
which can reveal personal data and user (meta)data, and those logs live outside
the user's home directory, which is why whole-disk rather than per-file or
per-user encryption is the target here.
Full-disk encryption does not mitigate Microsoft’s sinister telemetry
functionality: the disk is encrypted only at rest, and the running operating
system reads it freely and can send whatever it likes. The main solutions seem to be:
- Either to use tools whose developers are constantly on the prowl, hunting for the latest ways in which Microsoft seeks to breach users’ privacy;
- Or to use Linux Mint instead of Microsoft Windows.
Alternatives
For Windows, there is no viable free alternative to VeraCrypt. The next available alternative was to run BitLocker,
for which Windows 10 Home would need an upgrade to Windows 10 Professional at a cost
of GBP 110. (Windows 10 Home does have a cut-down "Device encryption" feature, but only
on hardware that meets Microsoft's requirements, such as a TPM and Modern Standby support,
so it cannot be relied on for an arbitrary laptop.)
For Linux Mint, the user’s file space $HOME can be encrypted
using eCryptfs as part of Mint’s normal operation. In the graphical installer this
option is only offered when creating the user’s account; an existing account can be
converted from the command line with ecryptfs-migrate-home (from the ecryptfs-utils
package), run as root while that user is logged out. Because eCryptfs mounts the home
directory automatically at login through PAM, the user needs no root privileges for it.
In addition, Mint 17 offered a route using LVM and cryptsetup (LUKS, the kernel’s dm-crypt)
by which the whole installation could be encrypted. Note that this is genuine full-disk
encryption of the Linux system, which VeraCrypt cannot provide: VeraCrypt supports
system (boot) partition encryption only on Windows, and on Linux it offers only encrypted
file containers and non-system partitions.
A longer list of encryption tools for Linux appears on https://www.tecmint.com/file-and-disk-encryption-tools-for-linux/,
of which VeraCrypt is one suggestion.
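The cryptsetup route mentioned above, shown as an added example that is not part of the original post: instead of encrypting a whole installation as Mint's installer does, this script builds a LUKS (dm-crypt) encrypted file container, which is the closest Linux equivalent of a VeraCrypt container and uses the same kernel layers (loop device, device-mapper, mount) that VeraCrypt needs root for. The file name, mapper name, mount point and size are assumptions and can be overridden through the environment; creating, opening and closing the vault require root and the cryptsetup and mkfs.ext4 binaries, while the header check runs unprivileged.

```bash
#!/bin/sh
# Added example, not from the original post: a LUKS/dm-crypt file container
# driven by cryptsetup. Assumes cryptsetup and mkfs.ext4 are installed and that
# create/open/close run as root. IMAGE, MAPPER, MOUNTPOINT and SIZE_MB are
# assumed defaults; override them via the environment.
set -eu

IMAGE="${IMAGE:-$HOME/vault.img}"
MAPPER="${MAPPER:-vault}"
MOUNTPOINT="${MOUNTPOINT:-/mnt/vault}"
SIZE_MB="${SIZE_MB:-256}"

# Does the file start with the LUKS header magic ("LUKS" followed by 0xBA 0xBE)?
# Reads only the first four bytes and needs no privileges, so it is a cheap
# sanity check before handing a file to cryptsetup.
is_luks_image() {
    [ "$(dd if="$1" bs=4 count=1 2>/dev/null)" = "LUKS" ]
}

# Fail early with a clear message rather than half-way through a format.
preflight() {
    command -v cryptsetup >/dev/null 2>&1 || { echo "cryptsetup is not installed" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "root needed: loop, dm-crypt and mount are root operations" >&2; return 1; }
}

vault_create() {
    preflight
    [ ! -e "$IMAGE" ] || { echo "$IMAGE exists, refusing to overwrite it" >&2; return 1; }
    # Sparse file of SIZE_MB megabytes; blocks are allocated as the filesystem uses them.
    truncate -s "${SIZE_MB}M" "$IMAGE"
    chmod 600 "$IMAGE"
    # Writes the LUKS header and prompts for the passphrase; -q skips the YES confirmation.
    cryptsetup -q luksFormat "$IMAGE"
    is_luks_image "$IMAGE" || { echo "no LUKS header found after luksFormat" >&2; return 1; }
    # Unlock (prompts again), put a filesystem on the plaintext mapping, lock again.
    cryptsetup open "$IMAGE" "$MAPPER"
    mkfs.ext4 -q "/dev/mapper/$MAPPER"
    cryptsetup close "$MAPPER"
}

vault_open() {
    preflight
    is_luks_image "$IMAGE" || { echo "$IMAGE is not a LUKS image" >&2; return 1; }
    cryptsetup open "$IMAGE" "$MAPPER"
    mkdir -p "$MOUNTPOINT"
    # nosuid,nodev: a setuid binary or device node inside the container must not
    # become a privilege-escalation path on the host.
    mount -o nosuid,nodev "/dev/mapper/$MAPPER" "$MOUNTPOINT"
}

vault_close() {
    preflight
    umount "$MOUNTPOINT"
    # Closing the mapping drops the key from the kernel; the data is at rest again.
    cryptsetup close "$MAPPER"
}

case "${1:-}" in
    create) vault_create ;;
    open)   vault_open ;;
    close)  vault_close ;;
    *)      : ;;   # no argument: only define the functions (usage: create|open|close)
esac
```

While the vault is open, anyone with root on the running machine can read the plaintext through the mapper device; the protection is only for the container at rest, which is exactly the physical-theft case the requirement above describes.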
Software selection
For this experiment, VeraCrypt was the sole selection,
because it works on both Windows and Linux.
Installation experience
On Legolas/Windows, VeraCrypt worked exactly as instructed
by the HowToGeek guide. Legolas is an
HP machine, and Windows Update repeatedly replaces the VeraCrypt bootloader with Microsoft’s own "Windows knows best" boot entry. VeraCrypt’s developer published a utility, VcFixBoot,
that restores the VeraCrypt bootloader so the machine boots again. It is a bit freaky to see a laptop declare
that it is going to repair Windows: this is what happens when Windows Update
has overwritten the bootloader and then tries to boot Windows from an encrypted
partition that it cannot decrypt. Keep VcFixBoot and the VeraCrypt Rescue Disk to hand
before applying any feature update.
On Gandalf/Linux, VeraCrypt installed normally, but it demands
root privileges to mount an encrypted container as a volume, because it drives the kernel’s loop
and device-mapper layers and calls mount, all of which are root operations. This isn’t acceptable for a non-admin
user. Mounting without root is clearly possible in principle, because
google-drive-ocamlfuse lets a non-admin user mount a virtual filesystem through FUSE. So VeraCrypt’s design looks flawed: it lets the best be the enemy of the good. The requirement is that the local admin has the exclusive right to install software but must not have universal access to all data on the machine. (Strictly, that can only hold for data at rest: once a volume is mounted, root on the running machine can read it whatever tool mounted it, which is a further argument for the per-user eCryptfs home encryption noted under Alternatives.) There is one
workaround, which amounts to granting the non-admin user root privileges, typically a sudoers rule that lets that user run the veracrypt binary as root without a password. Even scoped to a single binary this is root-equivalent, since veracrypt running as root will mount an attacker-controlled image wherever the user chooses. This is a bad workaround.
Conclusion
VeraCrypt failed to meet the requirement on Gandalf/Linux: it cannot encrypt the Linux system partition, and a non-admin user cannot mount a container without root.
VeraCrypt worked as described on Legolas/Windows, subject to re-running VcFixBoot after Windows updates clobber the bootloader.
End of post.