Full-disk encryption is preferred, as it ensures that the system is inaccessible without entering an encryption passphrase. Additionally, fscrypt doesn\u2019t encrypt filesystem metadata except for filenames, whereas full-disk encryption ensures everything written to the disk is encrypted. After reviewing this content, you should know how to encrypt the entire disk, as well as how to encrypt only home directories on your system.<\/p>\n\n\n\n
JumpCloud Admins can create and apply a Linux Check Disk Encryption Policy to one device or group of devices, helping secure their data and sensitive information across their fleet of JC-managed Linux systems. Without this policy, an admin would need to manually track which devices require encryption and verify if they are encrypted to ensure proper data security and compliance. With JumpCloud\u2019s Linux Check Disk Encryption Policy, admins can specify which devices to encrypt and, more specifically, if the devices require only managed home directories or full disk encryption (FDE). Once the policy is applied, the administrator will be notified if any of the targeted devices don\u2019t meet the encryption requirements.<\/p>\n\n\n\n
Considerations<\/strong>:<\/p>\n\n\n\n FDE protects the data on a block device by encrypting it. To access the device\u2019s decrypted contents, a user must provide a passphrase or key as authentication. This provides additional security beyond existing operating system security mechanisms, as it protects the device\u2019s contents even if it was physically removed from the system. FDE is implemented using LVM (Logical Volume Management) for disk management and LUKS (Linux Unified Key Setup) encryption in all modern distro installer wizards.<\/p>\n\n\n\n As a system administrator, you can encrypt your device’s storage devices using LUKS, which is a specification for block device encryption. It establishes an on-disk format for the data, as well as a passphrase\/key management policy.<\/p>\n\n\n\n LUKS uses the kernel device mapper subsystem with the dm-crypt module. This arrangement provides a low-level mapping that handles encryption and decryption of the device data. You can use the cryptsetup utility to perform user-level operations such as creating and accessing encrypted devices.<\/p>\n\n\n\n Note:<\/strong> LUKS is not well-suited for applications requiring more than eight users to have distinct access keys to the same device or file-level encryption.<\/p><\/div><\/div><\/div>\n\n\n\n In general, you can enable LUKS encryption using LVM partition management during the initial installation of your distribution of choice.<\/p>\n\n\n\n For a slightly more encrypted disk, you can follow this in-depth wiki article: https:\/\/help.ubuntu.com\/community\/Full_Disk_Encryption_Howto_2019<\/a>. However, the standard Ubuntu installer option is sufficient for most, and the tradeoff for usability is acceptable. <\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n Ubuntu 16.04, 18.04 LTS releases:<\/p>\n\n\n\n Ubuntu 20.04 LTS:<\/p>\n\n\n\n Ubuntu 20.10 (currently unsupported by JC) and newer versions):<\/p>\n\n\n\n Ubuntu supports native ZFS encryption in 20.10 and up, which is not yet supported by JumpCloud.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n For a slightly more encrypted disk, you can follow this in-depth wiki article: https:\/\/docs.fedoraproject.org\/en-US\/quick-docs\/encrypting-drives-using-LUKS\/<\/a>. However, the standard installer option is sufficient for most, and the tradeoff for usability is acceptable.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n Note:<\/strong> Rocky Linux uses the same installer as Fedora, CentOS, and RHEL, providing the same options.<\/p><\/div><\/div><\/div>\n\n\n\n Note:<\/strong> Rocky Linux uses the same installer as Fedora, CentOS, and RHEL, providing the same options.<\/p><\/div><\/div><\/div>\n\n\n\n CentOS 8<\/strong>:<\/p>\n\n\n\n CentOS 9 Stream<\/strong>:<\/p>\n\n\n\n Debian offers an installer option, as well as additional manual instructions located at https:\/\/wiki.debian.org\/Cryptsetup<\/a>.<\/p>\n\n\n\n Installer option:<\/p>\n\n\n\n For a slightly more encrypted disk, you can follow this in-depth community tutorial: https:\/\/community.linuxmint.com\/tutorial\/view\/2265<\/a>. However, the standard installer option is sufficient for most, and the tradeoff for usability is acceptable.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n Amazon Linux doesn\u2019t offer an install option because it\u2019s configured via cloud-init and options within the AWS Console. However, you can use encrypted Elastic Block Store (EBS) block devices to back your EC2 instances by following the instructions at the following sites:<\/p>\n\n\n\n The JumpCloud console doesn\u2019t currently recognize encrypted EBS volumes, as they appear as regular block devices from within the instance where the agent runs.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n If you don\u2019t want to completely wipe your machine, but just encrypt your home directory (folders), you can use fscrypt. This is another built-in feature of the Linux kernel and the ext4, F2FS, and UBIFS file systems.<\/p>\n\n\n\n The absolute minimum required Linux kernel version to use fscrypt is 4.15, however, it is highly recommended<\/strong> for the kernel version to be 5.4 or later, as this allows the use of v2 encryption policies. There are several security<\/a> and usability<\/a> issues with v1 encryption policies, meaning you may not be able to use fscrypt for home directories on older versions. The latest releases of most distributions include a recent enough kernel, starting with the following versions:<\/p>\n\n\n\n Additionally, older distribution versions may not have a new enough version of fscrypt to take advantage of the kernel features. It is recommended that you start with an up to date version of the distribution you intend to use, and that the version of the fscrypt userspace tool (described later) is at least 0.2.4.<\/p>\n\n\n\n Fscrypt is available on ext4, which is the most widely used file system for Linux. It\u2019s also available on F2FS and UBIFS, which are less frequently used file systems. These are used on Android and Chrome operating systems.<\/p>\n\n\n\n For ext4<\/a>, the file system on which encryption should be used must have the encrypt feature flag enabled. To enable it, run: Once the encrypt feature is enabled, Linux versions older than 4.1 will be unable to mount the file system. Also, Linux versions older than 5.5 will be unable to mount the file system if its block size ( This Never delete the .fscrypt<\/strong> directory. Otherwise, ALL access to encrypted files will be lost.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n The fscrypt PAM<\/a> integrates encrypted folders with the Linux Pluggable Authentication Module (PAM) system.<\/p>\n\n\n\n Adjust the system PAM configuration to enable pam_fscrypt<\/strong>, unlocking login passphrase-protected directories automatically at login and keeping login passphrase-protected directories in sync with changes to the login passphrase.<\/p>\n\n\n\n Installing libpam-fscrypt <\/strong>on Ubuntu and other Debian-like systems handles the necessary file modifications in:<\/p>\n\n\n\n To automatically apply these defaults<\/strong>:<\/p>\n\n\n\n To make the modifications manually for Red Hat-based systems, follow the instructions at https:\/\/github.com\/google\/fscrypt#setting-up-for-login-protectors<\/a>, summarized below:<\/p>\n\n\n\n auth optional pam_fscrypt.so<\/p>\n<\/div><\/div>\n\n\n\n session [success=1 default=ignore] pam_succeed_if.so service = systemd-user quiet The first line, taken from https:\/\/github.com\/google\/fscrypt\/issues\/95<\/a>, is a bypass for the password optional pam_fscrypt.so<\/p>\n<\/div><\/div>\n\n\n\n To encrypt a user’s home directory<\/strong>:<\/p>\n\n\n\n\n
Full Disk (Block Device) Encryption (FDE)<\/h2>\n\n\n\n
Introduction to LUKS<\/h3>\n\n\n\n
What LUKS Does<\/h3>\n\n\n\n
\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\"){kind=icon}
<\/p><\/div>How to Enable LUKS Encryption<\/h3>\n\n\n\n
Ubuntu<\/h4>\n\n\n\n
<\/p><\/div>![\"Installer](\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/04\/encrypt-1604.jpeg\")
<\/figure>\n\n\n\n![\"Installer](\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/04\/encrypt-2004.jpeg\")
<\/figure>\n\n\n\n![\"Installer](\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/04\/encrypt-2010.jpeg\")
<\/figure>\n\n\n\n<\/p><\/div>Fedora<\/h4>\n\n\n\n
<\/p><\/div>![\"Installation](\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/04\/fedora-34-install.jpeg\")
<\/figure>\n\n\n\nRed Hat Enterprise Linux (RHEL)<\/h4>\n\n\n\n
![\"Installation](\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/04\/rhel-84-install.jpeg\")
<\/figure>\n\n\n\nRocky<\/h4>\n\n\n\n
<\/p><\/div>![\"Installation](\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/04\/rocky-8-install.jpeg\")
<\/figure>\n\n\n\nCentOS<\/h4>\n\n\n\n
<\/p><\/div>![\"Installation](\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/04\/install-centos-8.jpeg\")
<\/figure>\n\n\n\n![\"Installation](\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/04\/install-centos-9.jpeg\")
<\/figure>\n\n\n\nDebian<\/strong><\/h4>\n\n\n\n
![\"Installation](\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/04\/install-debian-11.jpeg\")
<\/figure>\n\n\n\nMint<\/h4>\n\n\n\n
<\/p><\/div>![\"Installation](\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/04\/install-mint.jpeg\")
<\/figure>\n\n\n\nAmazon Linux<\/h4>\n\n\n\n
\n
<\/p><\/div>File-Based Encryption<\/h2>\n\n\n\n
Requirements & Process for fscrypt File-Based Encryption<\/h3>\n\n\n\n
Kernel<\/h4>\n\n\n\n
\n
File Systems<\/h4>\n\n\n\n
Fourth Extended File System (ext4)<\/h5>\n\n\n\n
# tune2fs -O encrypt \/dev\/device<\/code>.<\/p>\n\n\n\n![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/warning-icon.png\"){kind=icon}
<\/p><\/div>tune2fs -l \/dev\/device | grep ‘Block size’<\/code>) differs from the system page size (getconf PAGE_SIZE<\/code>). Normally, both are 4096, which shouldn\u2019t be a problem.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/tip-icon.png\"){kind=icon}
<\/p><\/div>\n
debugfs -w -R “feature -encrypt” \/dev\/device<\/code>. Run fsck<\/a> before and after to ensure the integrity of the file system.<\/li>\n\n\n\nmkfs.ext4 -O encrypt<\/code>.<\/li>\n<\/ul>\n <\/div><\/div><\/div><\/div>\n\n\n\nUserspace Tool<\/h5>\n\n\n\n
fscrypt<\/code> tool is used to interact with encrypted folders on the system as a user using the following steps:<\/p>\n\n\n\n\n
\n
sudo apt install fscrypt libpam-fscrypt<\/code><\/li>\n\n\n\n# fscrypt setup<\/code>.<\/em> This creates the file \/etc\/fscrypt.conf <\/strong>and the directory \/.fscrypt<\/strong>.<\/li>\n\n\n\n# fscrypt setup mountpoint<\/code>, where mountpoint<\/code> is where the file system is mounted (e.g., \/home<\/code>). This creates the directory mountpoint\/.fscrypt<\/strong> to store fscrypt policies and protectors.<\/li>\n<\/ol>\n\n\n\n<\/p><\/div>PAM Module<\/h5>\n\n\n\n
<\/p><\/div>\n
\n
sudo pam-auth-update<\/code>.<\/em><\/li>\n\n\n\n\n
\n
session include system-auth<\/code> in the session<\/strong> section of \/etc\/pam.d\/login<\/strong>:<\/li>\n<\/ol>\n\n\n\n
session optional pam_fscrypt.so drop_caches lock_policies<\/p>\n<\/div><\/div>\n\n\n\n<\/p><\/div>systemd –user<\/code> session, which doesn’t properly close its PAM session<\/a> and would otherwise block the locking on logout.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n\n
Encrypting a Home Directory<\/h3>\n\n\n\n
<\/p><\/div>\n