
An attempt at full-disk encryption: VeraCrypt

This stage relates to testing full-disk encryption using VeraCrypt.

Environment & required functionality

Full-disk encryption needs to run on the following machines:
  • The Linux Mint Xfce 18.3 laptop "Gandalf";
  • The Windows 10 laptop "Legolas".

The objective requirement is to protect user data against physical theft of the machine, providing an additional line of defence against data loss.

This is probably more important for Windows than for Linux Mint.  Even so, in both cases, the operating system is likely to log activity which can reveal personal data and user (meta)data.

Full-disk encryption does not mitigate against Microsoft’s sinister telemetry functionality, for which the main solutions seem to be:
  • Either to use tools whose developers are constantly on the prowl, hunting for the latest ways in which Microsoft seeks to breach users’ privacy;
  • Or to use Linux Mint instead of Microsoft Windows.

Alternatives

For Windows, there is no viable free alternative to VeraCrypt.  The next available alternative was to run BitLocker, for which Windows 10 would need an upgrade to Windows 10 Professional at a cost of GBP 110.

For Linux Mint, the user’s file space $HOME can be encrypted using eCryptfs as part of Mint’s normal operation.  The only time this is possible in the graphical user interface appears to be when creating the user’s account, although there must be some way of changing the encryption status from the command line.  In addition, Mint 17 had a process using LVM and cryptsetup, by which a single partition on a hard disk could be encrypted, resulting in the same outcome as using VeraCrypt for full-disk encryption.

A longer list of encryption tools for Linux appears on https://www.tecmint.com/file-and-disk-encryption-tools-for-linux/, of which VeraCrypt is one suggestion.

Software selection

For this experiment, VeraCrypt was the sole selection, because it works on both Windows and Linux.

Installation experience

On Legolas/Windows, VeraCrypt worked exactly as instructed by the How-To Geek guide.  Legolas is an HP machine, so Windows Update always overwrites the bootloader with an incorrect "Windows knows best" one.  VeraCrypt’s developer published a utility, VcFixBoot, that restores the bootloader VeraCrypt needs.  It is a bit freaky to see a laptop declare that it is going to repair Windows: this is what happens when Windows Update overwrites the bootloader, then tries to boot Windows from an encrypted partition that it cannot decrypt.

On Gandalf/Linux, VeraCrypt installed normally, but demands root privileges to mount the encrypted container file as a volume.  This isn’t permissible for a non-admin user.  But it is clearly possible to do without root, because google-drive-ocamlfuse permits a non-admin user to mount a virtual device.  So it looks like VeraCrypt’s design is flawed, in that its demands let the best be the enemy of the good.  In reality, the local admin must have the exclusive right to install software, but must not have universal access rights to all data on the machine.  There is one workaround, which grants all non-admin users on the machine root privileges.  This is a bad workaround.
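A narrower alternative to that blanket workaround, as an added example that is not from the original post or from the VeraCrypt project: a small wrapper that a sudoers rule lets one named user run as root, and which only ever mounts a container from that user’s home directory onto a mount point under /media/<user>, so the rule cannot be turned into "mount anything, anywhere, as root". The sudoers line, the wrapper path /usr/local/sbin/vc-mount, the user name alice and the install path /usr/bin/veracrypt are assumptions.

```shell
#!/bin/sh
# vc-mount: privileged wrapper around the VeraCrypt command line (added example,
# not part of the original post or of VeraCrypt itself).  It is the only command
# the non-admin user may run as root, via an assumed sudoers rule such as:
#   alice ALL=(root) NOPASSWD: /usr/local/sbin/vc-mount
# sudo sets SUDO_USER to the caller, so the wrapper can pin every path to that
# user's own home directory and media directory.
set -eu

CONTAINER_ROOT=/home            # containers live in /home/<user>/ (assumed)
MOUNT_ROOT=/media               # volumes appear under /media/<user>/ (assumed)
VERACRYPT=/usr/bin/veracrypt    # assumed install path of the VeraCrypt binary

# Accept only a plain path segment: not empty, no "/", no "..", no leading "-" or ".".
safe_name() {
    case "$1" in
        ''|*/*|*..*|-*|.*) return 1 ;;
    esac
    return 0
}

# resolve_paths USER FILE NAME -> prints "<container> <mountpoint>" or fails.
# Only *.hc files are accepted, so the rule cannot be pointed at other files.
resolve_paths() {
    user=$1 file=$2 name=$3
    safe_name "$user" && safe_name "$file" && safe_name "$name" || return 1
    case "$file" in *.hc) ;; *) return 1 ;; esac
    printf '%s/%s/%s %s/%s/%s\n' "$CONTAINER_ROOT" "$user" "$file" "$MOUNT_ROOT" "$user" "$name"
}

main() {
    action=$1; file=${2:-}; name=${3:-}
    user=${SUDO_USER:?must be invoked through sudo}
    paths=$(resolve_paths "$user" "$file" "$name") || { echo "refused: bad path" >&2; exit 2; }
    container=${paths% *}; mountpoint=${paths#* }
    case "$action" in
        mount)
            mkdir -p "$mountpoint"
            # --text keeps VeraCrypt on the terminal; it still prompts the user
            # for the volume password, which the wrapper never sees or stores.
            exec "$VERACRYPT" --text --mount "$container" "$mountpoint" ;;
        dismount)
            exec "$VERACRYPT" --text --dismount "$mountpoint" ;;
        *)
            echo "usage: vc-mount mount|dismount <container.hc> <mountname>" >&2; exit 64 ;;
    esac
}

# Only act when given arguments; with none, the helpers are merely defined.
[ $# -eq 0 ] || main "$@"
```

The user then runs `sudo vc-mount mount work.hc work` and `sudo vc-mount dismount work.hc work`; the rule grants the right to perform that one mount, not access to the data, because the volume password is still required.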

Conclusion

VeraCrypt failed to work on Gandalf/Linux.

VeraCrypt worked as described on Legolas/Windows.

End of post.
