- \n
- The Linux Check Disk Encryption Policy can be applied to any JC-supported Linux distribution.<\/li>\n\n\n\n
- Due to the nature of Linux FDE and the need to enforce FDE during initial system configuration, disk encryption still needs to be manually enabled on the device. However, JumpCloud provides recommended disk encryption methodologies and guided instructions for encrypting your Linux systems.<\/li>\n\n\n\n
- While the Linux Check Disk Encryption Policy doesn\u2019t encrypt the data on the targeted device(s), it will notify the administrator if any of the targeted devices don\u2019t comply with the configured policy. <\/li>\n\n\n\n
- This policy supports Linux Unified Key Setups (LUKs) and fscrypt.<\/li>\n<\/ul>\n\n\n\n
Linux devices can be encrypted in one of two ways: <\/p>\n\n\n\n
- \n
- Full disk<\/strong> encryption<\/strong> – Encrypting the block device before it is mounted on the system.<\/li>\n\n\n\n
- File-based encryption<\/strong> – Encrypting only a folder or file using native filesystem features. <\/li>\n<\/ul>\n\n\n\n
Full disk encryption is preferred, as it ensures that the system is inaccessible without entering an encryption passphrase. Additionally, fscrypt doesn\u2019t encrypt filesystem metadata except for filenames, whereas full disk encryption ensures everything written to the disk is encrypted. After reviewing this article, you should know how to encrypt the entire disk, as well as how to encrypt only home directories on your system.
This KB article covers:<\/strong><\/p>\n\n\n\n- \n
- Full Disk (Block Device) Encryption (FDE)<\/a>\n
- \n
- Introduction to LUKS<\/a><\/li>\n\n\n\n
- What LUKS Does<\/a><\/li>\n\n\n\n
- How to Enable LUKS Encryption<\/a><\/li>\n<\/ul>\n<\/li>\n\n\n\n
- File-based Encryption<\/a>\n
- \n
- Requirements & Process for fscrypt File-Based Encryption<\/a><\/li>\n\n\n\n
- Encrypting a Home Directory<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
Full Disk (Block Device) Encryption (FDE)<\/strong><\/h2>\n\n\n\n
FDE protects the data on a block device by encrypting it. To access the device\u2019s decrypted contents, a user must provide a passphrase or key as authentication. This provides additional security beyond existing operating system security mechanisms, as it protects the device\u2019s contents even if it was physically removed from the system. FDE is implemented using LVM (Logical Volume Management) for disk management and LUKS (Linux Unified Key Setup) encryption in all modern distro installer wizards.<\/p>\n\n\n\n
<\/a>Introduction to LUKS<\/strong><\/h3>\n\n\n\n
As a system administrator, you can encrypt your device’s storage devices using LUKS, which is a specification for block device encryption. It establishes an on-disk format for the data, as well as a passphrase\/key management policy.<\/p>\n\n\n\n
LUKS uses the kernel device mapper subsystem with the dm-crypt module. This arrangement provides a low-level mapping that handles encryption and decryption of the device data. You can use the cryptsetup utility to perform user-level operations such as creating and accessing encrypted devices.
<\/a>What LUKS Does<\/strong>
<\/p>\n\n\n\n- \n
- Encrypts entire block devices, making it well-suited for protecting the contents of mobile devices, such as removable storage media or laptop disk drives.<\/li>\n\n\n\n
- Encrypts swap devices due to underlying contents of the encrypted block device being arbitrary. This is also convenient with certain databases that use specially formatted block devices for data storage.<\/li>\n\n\n\n
- Uses the existing device mapper kernel subsystem.<\/li>\n\n\n\n
- Provides passphrase strengthening, which protects against dictionary attacks.<\/li>\n\n\n\n
- Allows devices to contain multiple key slots, permitting users to add backup keys or passphrases.<\/li>\n<\/ul>\n\n\n\n
Note<\/strong>: LUKS is not well-suited for applications requiring more than eight users to have distinct access keys to the same device or file-level encryption.
<\/p>\n\n\n\n<\/a>How to Enable LUKS Encryption<\/strong><\/p>\n\n\n\n
In general, you can enable LUKS encryption using LVM partition management during the initial installation of your distribution of choice.<\/p>\n\n\n\n
Ubuntu<\/strong><\/p>\n\n\n\nNote<\/strong>: For a slightly more encrypted disk, you can follow this in-depth wiki article: https:\/\/help.ubuntu.com\/community\/Full_Disk_Encryption_Howto_2019<\/a>. However, the standard Ubuntu installer option is sufficient for most, and the tradeoff for usability is acceptable. <\/p>\n\n\n\n
Ubuntu 16.04, 18.04 LTS releases:
Ubuntu 20.04 LTS:
Ubuntu 20.10 (currently unsupported by JC) and newer versions):
Note<\/strong>: Ubuntu supports native ZFS encryption in 20.10 and up, which is not yet supported by JC.<\/p>\n\n\n\n
Fedora<\/strong><\/p>\n\n\n\nNote<\/strong>: For a slightly more encrypted disk, you can follow this in-depth wiki article: https:\/\/docs.fedoraproject.org\/en-US\/quick-docs\/encrypting-drives-using-LUKS\/<\/a>. However, the standard installer option is sufficient for most, and the tradeoff for usability is acceptable.
<\/p>\n\n\n\n
Red Hat Enterprise Linux (RHEL)<\/strong><\/p>\n\n\n\n<\/figure>\n\n\n\n
Rocky<\/strong><\/p>\n\n\n\nNote<\/strong>: Rocky Linux uses the same installer as Fedora, CentOS, and RHEL, providing the same options.
CentOS<\/strong><\/p>\n\n\n\n(See note for Rocky)
CentOS 8:
CentOS 9 Stream:<\/p>\n\n\n\n(See note for Rocky)
<\/p>\n\n\n\n
Debian<\/strong><\/p>\n\n\n\nDebian offers an installer option, as well as additional manual instructions located at: https:\/\/wiki.debian.org\/Cryptsetup<\/a>.
Installer option:<\/p>\n\n\n\n
Mint<\/strong><\/p>\n\n\n\nNote<\/strong>: For a slightly more encrypted disk, you can follow this in-depth community tutorial: https:\/\/community.linuxmint.com\/tutorial\/view\/2265<\/a>. However, the standard installer option is sufficient for most, and the tradeoff for usability is acceptable.
<\/p>\n\n\n\n
Amazon Linux<\/strong><\/p>\n\n\n\nAmazon Linux doesn\u2019t offer an install option, because it\u2019s configured via cloud-init and options within the AWS Console. However, you can use encrypted Elastic Block Store (EBS) block devices to back your EC2 instances by following the instructions at the following sites:
https:\/\/docs.aws.amazon.com\/AWSEC2\/latest\/UserGuide\/EBSEncryption.html<\/a>
https:\/\/aws.amazon.com\/blogs\/security\/how-to-protect-data-at-rest-with-amazon-ec2-instance-store-encryption\/<\/a><\/p>\n\n\n\nNote<\/strong>: the JumpCloud console doesn\u2019t currently recognize encrypted EBS volumes, as they appear as regular block devices from within the instance where the agent runs.<\/p>\n\n\n\n
<\/a>File-based Encryption<\/strong><\/p>\n\n\n\n
If you don\u2019t want to completely wipe your machine, but just encrypt your home directory (folders), you can use fscrypt. This is another built-in feature of the Linux kernel and the ext4, F2FS, and UBIFS file systems.
<\/p>\n\n\n\n<\/a>Requirements & Process for fscrypt File-Based Encryption<\/strong><\/p>\n\n\n\n
Kernel<\/strong><\/p>\n\n\n\nThe absolute minimum required Linux kernel version to use fscrypt is 4.15, however, it is highly recommended<\/strong> for the kernel version to be 5.4 or later, as this allows the use of v2 encryption policies. There are several security<\/a> and usability<\/a> issues with v1 encryption policies, meaning you may not be able to use fscrypt for home directories on older versions. The latest releases of most distributions include a recent enough kernel, starting with the following versions:<\/p>\n\n\n\n
- \n
- CentOS 9<\/li>\n\n\n\n
- Debian 11<\/li>\n\n\n\n
- Fedora 32<\/li>\n\n\n\n
- Linux Mint 20.2<\/li>\n\n\n\n
- Red Hat Enterprise Linux 9.0<\/li>\n\n\n\n
- Ubuntu 20.04 LTS<\/li>\n<\/ul>\n\n\n\n
Additionally, older distribution versions may not have a new enough version of fscrypt to take advantage of the kernel features. It is recommended that you start with an up to date version of the distribution you intend to use, and that the version of the fscrypt userspace tool (described later) is at least 0.2.4.<\/p>\n\n\n\n
File Systems<\/strong>
<\/p>\n\n\n\nFscrypt is available on ext4, which is the most widely used file system for Linux. It\u2019s also available on F2FS and UBIFS, which are less frequently used file systems. These are used on Android and Chrome operating systems.<\/p>\n\n\n\n
Fourth Extended File System (ext4)<\/p>\n\n\n\n
For ext4<\/a>, the file system on which encryption should be used must have the encrypt feature flag enabled. To enable it, run: # tune2fs -O encrypt \/dev\/device.Warning<\/strong>: Once the encrypt feature is enabled, Linux versions older than 4.1 will be unable to mount the file system. Also, Linux versions older than 5.5 will be unable to mount the file system if its block size (tune2fs -l \/dev\/device | grep ‘Block size’) differs from the system page size (getconf PAGE_SIZE). Normally, both are 4096, which shouldn\u2019t be a problem.<\/p>\n\n\n\n
Tips<\/strong>:<\/p>\n\n\n\n
- \n
- The operation can be undone with debugfs -w -R “feature -encrypt” \/dev\/device. Run fsck<\/a> before and after to ensure the integrity of the file system.<\/li>\n\n\n\n
- When creating a new file system, one can enable the encrypt feature immediately with mkfs.ext4 -O encrypt.<\/li>\n<\/ul>\n\n\n\n
Userspace Tool
<\/p>\n\n\n\nThis fscrypt tool is used to interact with encrypted folders on the system as a user using the following steps:<\/p>\n\n\n\n
- \n
- Install the fscrypt<\/strong> package and the pam module. Ensure that the version installed is 0.2.4 or greater. If not, you will be able to encrypt files and folders with fscrypt, but will have problems if you attempt to encrypt home directories. If you’re not able to update your base system to at least the versions specified above in the Kernel section, proceed to follow the manual build in step 1.b. below.\n
- \n
- For Ubuntu and other Debian-based distributions, install the official packages:<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n\n\n\n
sudo apt install fscrypt libpam-fscrypt<\/p>\n\n\n\n
- \n
- For Fedora and other Red Hat-based distributions (e.g., CentOS), follow the manual build and installation steps here: https:\/\/github.com\/google\/fscrypt#building-and-installing<\/a>.<\/li>\n<\/ol>\n\n\n\n
- \n
- Then run: # fscrypt setup.<\/em> This creates the file \/etc\/fscrypt.conf and the directory \/.fscrypt.<\/li>\n\n\n\n
- If the file system on which encryption is to be used is not the root file system, run: # fscrypt setup mountpoint<\/li>\n<\/ol>\n\n\n\n
(Where mountpoint<\/em> is where the file system is mounted (e.g., \/home)).<\/p>\n\n\n\n
This creates the directory mountpoint<\/em>\/.fscrypt to store fscrypt policies and protectors.<\/p>\n\n\n\n
Warning<\/strong>: Never delete the .fscrypt directory. Otherwise, ALL access to encrypted files will be lost.<\/p>\n\n\n\n
PAM Module
<\/p>\n\n\n\nThe fscrypt PAM<\/a> integrates encrypted folders with the Linux Pluggable Authentication module system.<\/p>\n\n\n\n
Adjust the system PAM configuration to enable pam_fscrypt, unlocking login passphrase-protected directories automatically at login and keeping login passphrase-protected directories in sync with changes to the login passphrase.<\/p>\n\n\n\n
Note<\/strong>: Installing libpam-fscrypt on Ubuntu and other Debian-like systems handles the necessary file modifications in:<\/p>\n\n\n\n
- \n
- \/etc\/pam.d\/common-auth<\/li>\n\n\n\n
- Common-session<\/li>\n\n\n\n
- Common-password <\/li>\n<\/ul>\n\n\n\n
To automatically apply these defaults:<\/p>\n\n\n\n
- \n
- Run sudo pam-auth-update.<\/em><\/li>\n\n\n\n
- Follow the on-screen instructions.<\/li>\n<\/ol>\n\n\n\n
To make the modifications manually for Red Hat-based systems, follow the instructions here: https:\/\/github.com\/google\/fscrypt#setting-up-for-login-protectors<\/a>, and summarized below:<\/p>\n\n\n\n
- \n
- Append<\/a> the following line to the auth<\/em> section in \/etc\/pam.d\/login:
auth optional pam_fscrypt.so<\/li>\n\n\n\n- Append<\/a> the following lines before<\/strong> session include system-auth in the session<\/em> section of \/etc\/pam.d\/login:<\/li>\n<\/ol>\n\n\n\n
session [success=1 default=ignore] pam_succeed_if.so service = systemd-user quiet <\/p>\n\n\n\n
session optional pam_fscrypt.so drop_caches lock_policies<\/p>\n\n\n\n
Note:<\/strong> The first line, taken from https:\/\/github.com\/google\/fscrypt\/issues\/95<\/a>, is a bypass for the systemd –user session, which doesn’t properly close its PAM session<\/a> and would otherwise block the locking on logout.<\/p>\n\n\n\n
- \n
- Append<\/a> the following line to \/etc\/pam.d\/passwd:<\/li>\n<\/ol>\n\n\n\n
password optional pam_fscrypt.so
<\/p>\n\n\n\n<\/a>Encrypting a Home Directory<\/strong><\/p>\n\n\n\n
Warnings:<\/strong><\/p>\n\n\n\n- \n
- Login protectors are only as secure as the system’s passphrase hashing in \/etc\/shadow. Before using a login protector, follow these security recommendations<\/a>.<\/li>\n\n\n\n
- If a user’s home directory is encrypted, SSH<\/a> for that user may not work until their home directory has been unlocked. To mitigate this, you must ensure that the PasswordAuthentication setting is enabled in SSH config.<\/li>\n<\/ul>\n\n\n\n
Complete the following steps to encrypt a user’s home directory:<\/p>\n\n\n\n
- \n
- Ensure that all preparations<\/a> have been completed, including enabling pam_fscrypt.<\/li>\n\n\n\n
- As the root user, create a new encrypted directory for the user using the following set of commands:<\/li>\n<\/ol>\n\n\n\n
# mkdir \/home\/newhome<\/p>\n\n\n\n
# chown USERNAME<\/em>:USERGROUP<\/em> \/home\/newhome <\/p>\n\n\n\n
# fscrypt encrypt \/home\/newhome –user=USERNAME<\/em><\/p>\n\n\n\n
Should we create a new protector? [y\/N] y<\/em><\/p>\n\n\n\n
Your data can be protected with one of the following sources:<\/em><\/p>\n\n\n\n
1 – Your login passphrase (pam_passphrase)<\/em><\/p>\n\n\n\n
2 – A custom passphrase (custom_passphrase)<\/em><\/p>\n\n\n\n
3 – A raw 256-bit key (raw_key)<\/em><\/p>\n\n\n\n
Enter the source number for the new protector [2 – custom_passphrase]: 1<\/em><\/p>\n\n\n\n
Enter login passphrase for USERNAME: <\/em><\/p>\n\n\n\n
“\/home\/newhome” is now encrypted, unlocked, and ready for use.<\/em><\/p>\n\n\n\n
- \n
- Select the option to create a new protector and to protect the directory with the user’s login passphrase.<\/li>\n\n\n\n
- Copy the contents of the user’s old home directory into the encrypted directory:<\/li>\n<\/ol>\n\n\n\n
# cp -a -T \/home\/user<\/em> \/home\/newhome<\/p>\n\n\n\n
Tip<\/strong>: If there is not enough disk space for a second copy of the home directory, consider using mv -T \/home\/user \/home\/newhome instead. However, it\u2019s strongly recommended that you make a backup<\/a> first.<\/p>\n\n\n\n
- \n
- If the cp method was used, check whether the directory is being automatically unlocked on login before using it. The simplest way to do this is to:\n
- \n
- Reboot and log in as that user. <\/li>\n\n\n\n
- Run: $ fscrypt status \/home\/newhome<\/em><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n\n\n\n
Note<\/strong>: The following are the outputs of the command: <\/p>\n\n\n\n
“\/home\/newhome” is encrypted with fscrypt\u201d.<\/p>\n\n\n\n
Policy: 6920ad98103e52a1805d20a342044abf<\/p>\n\n\n\n
Options: padding:32 contents:AES_256_XTS filenames:AES_256_CTS policy_version:2<\/p>\n\n\n\n
Unlocked: Yes<\/p>\n\n\n\n
Protected with 1 protector:<\/p>\n\n\n\n
PROTECTOR LINKED DESCRIPTION<\/p>\n\n\n\n
ef25588cbd49f90a No login protector for testuser<\/p>\n\n\n\n
- If the cp method was used, check whether the directory is being automatically unlocked on login before using it. The simplest way to do this is to:\n
- As the root user, create a new encrypted directory for the user using the following set of commands:<\/li>\n<\/ol>\n\n\n\n
- If a user’s home directory is encrypted, SSH<\/a> for that user may not work until their home directory has been unlocked. To mitigate this, you must ensure that the PasswordAuthentication setting is enabled in SSH config.<\/li>\n<\/ul>\n\n\n\n
- Login protectors are only as secure as the system’s passphrase hashing in \/etc\/shadow. Before using a login protector, follow these security recommendations<\/a>.<\/li>\n\n\n\n
- Append<\/a> the following lines before<\/strong> session include system-auth in the session<\/em> section of \/etc\/pam.d\/login:<\/li>\n<\/ol>\n\n\n\n
- Follow the on-screen instructions.<\/li>\n<\/ol>\n\n\n\n
- Run sudo pam-auth-update.<\/em><\/li>\n\n\n\n
- If the file system on which encryption is to be used is not the root file system, run: # fscrypt setup mountpoint<\/li>\n<\/ol>\n\n\n\n
- Then run: # fscrypt setup.<\/em> This creates the file \/etc\/fscrypt.conf and the directory \/.fscrypt.<\/li>\n\n\n\n
- For Fedora and other Red Hat-based distributions (e.g., CentOS), follow the manual build and installation steps here: https:\/\/github.com\/google\/fscrypt#building-and-installing<\/a>.<\/li>\n<\/ol>\n\n\n\n
- For Ubuntu and other Debian-based distributions, install the official packages:<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n\n\n\n
- When creating a new file system, one can enable the encrypt feature immediately with mkfs.ext4 -O encrypt.<\/li>\n<\/ul>\n\n\n\n
- The operation can be undone with debugfs -w -R “feature -encrypt” \/dev\/device. Run fsck<\/a> before and after to ensure the integrity of the file system.<\/li>\n\n\n\n
- Encrypting a Home Directory<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
- What LUKS Does<\/a><\/li>\n\n\n\n
- Introduction to LUKS<\/a><\/li>\n\n\n\n
- File-based encryption<\/strong> – Encrypting only a folder or file using native filesystem features. <\/li>\n<\/ul>\n\n\n\n
- Full disk<\/strong> encryption<\/strong> – Encrypting the block device before it is mounted on the system.<\/li>\n\n\n\n