{"id":65711,"date":"2022-07-13T13:00:00","date_gmt":"2022-07-13T17:00:00","guid":{"rendered":"https:\/\/jumpcloud.com\/?p=65711"},"modified":"2022-12-13T14:49:59","modified_gmt":"2022-12-13T19:49:59","slug":"linux-full-disk-encryption-with-jumpcloud","status":"publish","type":"post","link":"https:\/\/jumpcloud.com\/blog\/linux-full-disk-encryption-with-jumpcloud","title":{"rendered":"Easily Add Full-Disk Encryption to Linux with JumpCloud"},"content":{"rendered":"\n

Full-disk encryption (FDE)<\/a> is recognized as a mandatory security control, but applying it to Linux devices can be cumbersome and complex because there\u2019s no default option for it. JumpCloud provides step-by-step guidance on how to configure FDE<\/a> as well as Linux Check Disk Encryption Policy<\/a> to help IT teams establish security requirements for device groups.<\/p>\n\n\n\n

What Is FDE and Why Is It Important?<\/h2>\n\n\n\n

Theft happens, but there could be civil, legal, or reputational consequences if IT teams fail to safeguard against it. Theft in a corporate, governmental, or non-profit setting can run afoul of compliance requirements and lead to data exfiltration that compromises confidential or private information. Full-disk encryption protects your data at rest: when your computer is off, the data remains secure even if the device is stolen. It\u2019s a low-cost security control that\u2019s simple to implement.<\/p>\n\n\n\n

Distributed workforces have increased the importance of protecting your data, wherever it may reside. There are abundant media reports of thieves becoming more brazen, because there are more attractive targets in cafes and other public areas. Linux devices are no less vulnerable to theft, and it\u2019s a best practice not to make exemptions for operating systems (OSs) that don\u2019t integrate FDE.<\/p>\n\n\n\n

The Challenges of FDE with Linux<\/h2>\n\n\n\n

\u201cSimple\u201d can be a relative term, because there\u2019s no FDE built into Linux distributions by default, which necessitates some manual configuration work. Keeping track of which systems are encrypted can also pose a challenge, because there\u2019s little visibility into whether it\u2019s in place without a policy purpose-built for auditing your FDE requirements.<\/p>\n\n\n\n

There are also technical constraints. Linux doesn\u2019t have a switch to enable FDE after the first install, but it is possible to encrypt single directories, including user home directories, or to implement file-level encryption (should you choose to). It\u2019s easiest to implement FDE during the initial OS installation<\/a>, using LUKS (Linux Unified Key Setup on-disk format). LUKS is the de facto \u201cstandard\u201d for FDE on desktop Linux. It offers reasonable protection by deploying the Advanced Encryption Standard (AES) cipher, which is widely accepted by cybersecurity professionals as the minimum-strength encryption standard.<\/p>\n\n\n\n

LUKS is very flexible and can be configured to use either a keystore or a passphrase, with backup key options. It protects against simple \u201cbrute force\u201d dictionary attacks and leverages Linux\u2019s device mapper kernel subsystem for ease of installation. It works well for all storage media, including removable disks. Please note that other options are more suitable for application servers that scale to more than eight users. LUKS can be widely deployed throughout your fleet and accommodates auditing.<\/p>\n\n\n\n

JumpCloud Provides Compliance Policies<\/h2>\n\n\n\n

FDE should be added to your checklists for when you\u2019re provisioning devices during the onboarding process. It must be set up before or during the OS installation. JumpCloud offers a policy to check if the system has encryption enabled<\/a>, and whether it covers the full disk or only user home directories. JumpCloud\u2019s open directory platform will notify IT admins if any of the targeted devices do not comply with the configured policy, and System Insights will provide a full report on any non-conformities.<\/p>\n\n\n\n

The policy doesn\u2019t automatically encrypt devices, however. Rather, JumpCloud provides documentation on encryption methodologies and guided instructions to help small to mid-size enterprises (SMEs) manually encrypt devices, because of how Linux full-disk encryption is deployed.<\/p>\n\n\n\n

\"JumpCloud<\/figure>\n\n\n\n

FDE Best Practices<\/h2>\n\n\n\n

The notion of having to set up clean installs and migrate data may trigger a flinch reaction, but there are several methods to make FDE more approachable. Those options include:<\/p>\n\n\n\n