What do you use to manage Linux full disk encryption centrally (like BitLocker and FileVault let you do)?

I know you can do FDE with LUKS but would prefer a more enterprise solution where I can store a recovery key centrally that a user can't remove.
What problem are you trying to prevent?

- A novice user fat-fingering `cryptsetup luksRemoveKey`? Sounds extremely unlikely.

- A determined user trying to deliberately destroy information? A lot of things are easier, e.g. `dd if=/dev/zero of=/dev/sda` or `shred important_document.pdf`.

The only thing that would protect against most accidental-destruction scenarios is not giving the users root access, and then you don't have to worry about users removing LUKS keys anyway.
I'm using LUKS, with disks being mounted with crypttab.

The keys for the drives are stored on an encrypted USB key, and the key for the encrypted USB key is stored on the root SSD.

I wanted something where I could boot unattended, and at the same time I wanted the possibility to destroy the keys and render the disks useless.

I have an encrypted backup of the keys, stored outside of the encrypted disk arrays.
> what do you use

luks

> what do you use to manage

cryptsetup

> prefer a more enterprise solution...

You have exotic needs; I doubt there is any open source solution that fits, you have to write your own.

You can start by reading this Arch wiki page: https://wiki.archlinux.org/index.php/dm-crypt/System_configuration
LUKS + Clevis and Tang does all that you want. http://www.admin-magazine.com/Archive/2018/43/Automatic-data-encryption-and-decryption-with-Clevis-and-Tang

There's no way to prevent a determined user with root access from removing a key, except maybe some kind of locked down trusted boot scenario which will undoubtedly create more problems than it solves.
I have a YubiKey, and this[0] tutorial has been open in a browser tab for I swear four months or more. I just haven't summoned the guts to do it; a voice in my head keeps whispering "you'll brick your laptop, you'll brick your laptop..."

[0] https://github.com/agherzan/yubikey-full-disk-encryption
You can probably use `luksHeaderBackup` and `luksHeaderRestore` to make sure your recovery key will always work with the volume. Although I've never tried it, so don't take my word for it, it should be pretty easy for you to try out.

Not that it will prevent any dedicated user with root rights from locking you out of the data if they wish to. It just raises the friction from a simple `luksRemoveKey`.
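The header backup/restore idea in the comment above, and the "store a copy of the key centrally" approach mentioned elsewhere in the thread, can be tried out safely on a throwaway image file instead of a real disk. The script below is an added example written for this page, not code from any commenter: it formats a LUKS2 container in a temporary file, adds a second "recovery" passphrase, backs up the header, has the root user remove the recovery key, and then restores the header so the recovery key works again. All paths, passphrases and the PBKDF settings are made up for the demo; header-only operations on a regular file need cryptsetup 2.x but not root or device-mapper.

```shell
#!/bin/sh
# Added example (not from the thread): exercise cryptsetup luksHeaderBackup /
# luksHeaderRestore on a throwaway LUKS2 image. Everything here is a regular
# file, so no block device is touched. Assumes cryptsetup 2.x is installed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
IMG="$WORK/luks.img"               # throwaway container (made up)
HDR="$WORK/header.bak"             # header backup = the central recovery copy
USER_KEY="$WORK/user.key"          # passphrase the user knows (made up)
RECOVERY_KEY="$WORK/recovery.key"  # passphrase kept centrally (made up)

printf 'user-passphrase-example' > "$USER_KEY"
printf 'recovery-passphrase-example' > "$RECOVERY_KEY"

# Does the key file in $2 still unlock the container $1? Prints yes or no.
# --test-passphrase only checks the keyslot; it never activates a mapping.
key_unlocks() {
    if cryptsetup open --test-passphrase --key-file "$2" "$1" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# Runs the whole scenario and prints "<before> <after-remove> <after-restore>".
luks_header_backup_demo() {
    truncate -s 64M "$IMG"   # a LUKS2 header alone is 16 MiB by default
    # Deliberately cheap PBKDF so the demo runs in seconds; never use these
    # settings on a real volume.
    cryptsetup luksFormat --batch-mode --type luks2 \
        --pbkdf pbkdf2 --pbkdf-force-iterations 1000 \
        --key-file "$USER_KEY" "$IMG"
    # Second keyslot: the recovery passphrase, authorised by the user's key.
    cryptsetup luksAddKey --pbkdf pbkdf2 --pbkdf-force-iterations 1000 \
        --key-file "$USER_KEY" "$IMG" "$RECOVERY_KEY"
    # Central copy of the header taken while both keyslots are valid.
    cryptsetup luksHeaderBackup "$IMG" --header-backup-file "$HDR"
    before="$(key_unlocks "$IMG" "$RECOVERY_KEY")"

    # The user with root removes the recovery keyslot from the live header...
    cryptsetup luksRemoveKey "$IMG" "$RECOVERY_KEY"
    after_remove="$(key_unlocks "$IMG" "$RECOVERY_KEY")"

    # ...and the admin writes the backed-up header back over the live one.
    cryptsetup luksHeaderRestore --batch-mode "$IMG" --header-backup-file "$HDR"
    after_restore="$(key_unlocks "$IMG" "$RECOVERY_KEY")"

    echo "$before $after_remove $after_restore"   # expected: yes no yes
}
```

Two caveats worth keeping in mind if this is turned into a process. The backed-up header holds the volume's master key wrapped under every passphrase that was valid when the backup was taken, so a central store of headers is as sensitive as a central store of all those passphrases. And restoring a header reverts the keyslots to that point in time: any passphrase the user changed or added after the backup is undone, and a root user can still overwrite or `luksErase` the header outright, which is exactly the "raises friction, doesn't prevent" point made above.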
This article gives a good overview of the options and potential threats: https://www.whonix.org/wiki/Full_Disk_Encryption_and_Encrypted_Images

Use Whonix itself and read the privacy guides in its wiki if you are concerned with privacy beyond FDE.
Actually, this poses a question. I have disk encryption enabled on my laptop.

Now I want to put in a larger hard drive and clone the current drive on to it. Without disk encryption I could use Clonezilla or other tools. With disk encryption enabled I can't seem to do anything to clone.

What is a solution?
In the past I have used LUKS and simply stored a copy of the passphrase centrally. Not very "enterprise" though.

A user who wants to destroy data can do so regardless. Storing a key centrally only guards against accidental loss of the key.
I'm using Debian with full disk encryption, set up with the help of the Debian Installer. Such a great tool, although during installation and setup you might sometimes get confused when messing around with physical and encrypted partitions.
I wish it were as easy as on macOS or Windows, where you can essentially turn it on with one button. I don't think enabling encryption on an existing installation of Linux can be done without reinstalling or a lot of work.