System76 Eyeing Disk Encryption By Default


  • #11
    Originally posted by molecule-eye
    This should have been made default long ago, if you ask me.

    This isn't exactly relevant, but what is up with the price of their systems? The hardware is far from inspiring for what you can get for the same price in the Windows world, and Linux is free, so there's no OS cost, and yet their mediocre Galago Pro base system costs $959! I just picked up a Lenovo 710 15.6" for $650 with nice hardware (Core i5, 256GB SSD, 8GB RAM, IPS convertible display) and slapped my preferred distro on it in less than 15 minutes. So who buys these mediocre, overpriced Linux laptops? I can think of way better ways of supporting Linux.
    You don't seem to understand how markets work. System76 is a small company that is just starting out in this area (check out the About Us page). They aren't a massive OEM like Lenovo or Dell, both of which are manufacturing their own laptops in high volumes to bring costs down. System76 has, however, just recently purchased their own 22.4K sq. foot manufacturing facility in Denver, so they will be selling their own laptops soon. The current models are Clevo units with Intel ME disabled, and preloaded with Pop!_OS / Ubuntu 16.04.

    So if you want Linux to succeed on the desktop, then you should invest into System76, even if the hardware is slightly more expensive than you get from a Windows OEM. That money will directly go into hiring more software & hardware engineers to work exclusively on the Linux desktop, and Linux-based desktop hardware solutions. Canonical is not manufacturing Linux-based laptops, and neither is Red Hat. They are more concerned with the Linux server & IoT spaces. The 'Year of the Linux Desktop' will only happen once a company like System76 steps up to start selling hardware to the masses in the same manner that Chromebooks, HP, Dell, Lenovo, etc. systems are being marketed and sold on TV and in stores.

    PS: I'm one of their latest hires. We're writing the installer backend in Rust, while the Elementary team is working on the UI frontend which interfaces with distinst. Encryption is a thing that we are working on, as well as replacing GRUB with systemd-boot. There are a lot of issues that Canonical has not addressed, and we are going to pick up the slack to cater to the Linux desktop. Canonical's apparently only interested in server and IoT.

    Comment


    • #12
      Originally posted by treba
      I'd prefer native filesystem encryption, something close to the mac filevault, ios encryption and the new android encryption. Something that allows for multiple keys (for multi-user devices) and that can delete the keys from ram when locked. Full disk encryption as used today is so limited in these regards.
      Ext4 encryption is also being pondered, but creating an encrypted LVM partition is generally going to be easier to support than handling filesystem-specific encryption options, and whether or not they support it.

      Comment


      • #13
        Originally posted by davidbepo
        I think this shouldn't be the default, but having an option is nice
        The default OEM install will not be encrypted (it would be pointless, for obvious reasons -- encryption has to be set up when it is in the user's hands, not the OEM's). There will be an option to choose to reinstall the system with FDE though. That will boot into the recovery partition to start the re-installation process. Otherwise, if the user chooses not to have encryption, they will simply go on to system/user setup.

        Comment


        • #14
          Originally posted by nll_a
          Last time I checked (which admittedly was a really long time ago), disk encryption had a very significant impact on OS performance, which is why I never got around to adopting it. But it's really been a while since I saw benchmarks for it. Do you think that's worthy of an article, Michael?
          Full disk encryption has a non-negligible impact, but I think it is absolutely worth it. Michael frequently posts articles featuring this; a simple Google search will give you several. Here is one from 2017: https://www.phoronix.com/scan.php?pa...-encrypt&num=1

          Note that I said "non-negligible", which doesn't necessarily mean "large"; it depends on what you are doing. Impact on gaming is close to 0, for instance.

          Comment


          • #15
            Originally posted by caligula
            So now the governments know which Linux users are true criminals
            What is this in reference to?

            Comment


            • #16
              Originally posted by mmstick
              as well as replacing GRUB with systemd-boot.
              This is something interesting. What size will the ESP partition have by default?

              Comment


              • #17
                Originally posted by mmstick

                You don't seem to understand how markets work. System76 is a small company that is just starting out in this area (check out the About Us page). They aren't a massive OEM like Lenovo or Dell, both of which are manufacturing their own laptops in high volumes to bring costs down. System76 has, however, just recently purchased their own 22.4K sq. foot manufacturing facility in Denver, so they will be selling their own laptops soon. The current models are Clevo units with Intel ME disabled, and preloaded with Pop!_OS / Ubuntu 16.04.

                So if you want Linux to succeed on the desktop, then you should invest into System76, even if the hardware is slightly more expensive than you get from a Windows OEM. That money will directly go into hiring more software & hardware engineers to work exclusively on the Linux desktop, and Linux-based desktop hardware solutions. Canonical is not manufacturing Linux-based laptops, and neither is Red Hat. They are more concerned with the Linux server & IoT spaces. The 'Year of the Linux Desktop' will only happen once a company like System76 steps up to start selling hardware to the masses in the same manner that Chromebooks, HP, Dell, Lenovo, etc. systems are being marketed and sold on TV and in stores.

                PS: I'm one of their latest hires. We're writing the installer backend in Rust, while the Elementary team is working on the UI frontend which interfaces with distinst. Encryption is a thing that we are working on, as well as replacing GRUB with systemd-boot. There are a lot of issues that Canonical has not addressed, and we are going to pick up the slack to cater to the Linux desktop. Canonical's apparently only interested in server and IoT.
                Very well said.

                Additionally, as was alluded to earlier with examples like Lenovo, I trust System76 more to provide continued support for their products even after the warranty period, as they have a more focused vision and user base that value OpenSource and are more security-aware. It's also worth reiterating the selection of hardware by System76 that is known to work with Linux; not only does that benefit the end-user that purchases from System76 directly, but it also creates a bigger incentive for hardware vendors and manufacturers to provide support for Linux if they want to be included in the systems that are offered.

                Lastly, after the ongoing problems with Meltdown and Spectre, which are further exacerbated due to limited hardware vendors & providers, it should be obvious that choices in Hardware vendors and Open Hardware are becoming increasingly important. Therefore, I would say that, while it's possible to "support Linux" in other ways, there are disproportionately more "supporters" on the software side than with anything related to Open Hardware.

                Comment


                • #18
                  Originally posted by nll_a
                  Last time I checked (which admittedly was a really long time ago), disk encryption had a very significant impact on OS performance, which is why I never got around to adopting it. But it's really been a while since I saw benchmarks for it. Do you think that's worthy of an article, Michael?
                  "cryptsetup" (the binary that configures LUKS on disk for you) has a built in benchmark that runs a single-threaded test. Test it on your own machine to see how it performs.

                  Here's my system. AES-XTS 512 gives me around 1GB/s read/write on my 5 year old Core i7 Dell Vostro 3560. That's quite a deal better than my SSD hard disk can do, and with 8 cores I'm not too fussed at the performance hit for the extra security (and business compliance) it provides.

                  $ grep ^'model name' /proc/cpuinfo | head -1
                  model name : Intel(R) Core(TM) i7-3632QM CPU @ 2.20GHz

                  $ cryptsetup benchmark
                  # Tests are approximate using memory only (no storage IO).
                  PBKDF2-sha1       970903 iterations per second
                  PBKDF2-sha256     604715 iterations per second
                  PBKDF2-sha512     439838 iterations per second
                  PBKDF2-ripemd160  608222 iterations per second
                  PBKDF2-whirlpool  207392 iterations per second
                  #  Algorithm |  Key |  Encryption |  Decryption
                       aes-cbc   128b   538.1 MiB/s  1885.2 MiB/s
                   serpent-cbc   128b    77.4 MiB/s   254.6 MiB/s
                   twofish-cbc   128b   166.5 MiB/s   315.1 MiB/s
                       aes-cbc   256b   384.9 MiB/s  1386.3 MiB/s
                   serpent-cbc   256b    74.6 MiB/s   258.6 MiB/s
                   twofish-cbc   256b   161.6 MiB/s   301.1 MiB/s
                       aes-xts   256b  1559.8 MiB/s  1507.7 MiB/s
                   serpent-xts   256b   263.6 MiB/s   252.9 MiB/s
                   twofish-xts   256b   293.1 MiB/s   296.6 MiB/s
                       aes-xts   512b  1198.4 MiB/s  1223.0 MiB/s
                   serpent-xts   512b   266.8 MiB/s   260.4 MiB/s
                   twofish-xts   512b   297.0 MiB/s   309.6 MiB/s

                  Comment
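Added example, not part of post #18 or of cryptsetup: a small parser for the `cryptsetup benchmark` table quoted above that reports which ciphers would be slower than the disk they protect. The 500 MiB/s disk rate and the helper names (`parse_benchmark`, `crypto_bound`, `fastest`) are assumptions made for illustration; the sample rows are copied from the post.

```python
import re
from typing import NamedTuple

# Rows copied (abridged) from the `cryptsetup benchmark` output in post #18.
SAMPLE = """\
# Tests are approximate using memory only (no storage IO).
PBKDF2-sha256 604715 iterations per second
# Algorithm | Key | Encryption | Decryption
aes-cbc 128b 538.1 MiB/s 1885.2 MiB/s
serpent-cbc 256b 74.6 MiB/s 258.6 MiB/s
aes-xts 256b 1559.8 MiB/s 1507.7 MiB/s
aes-xts 512b 1198.4 MiB/s 1223.0 MiB/s
serpent-xts 512b 266.8 MiB/s 260.4 MiB/s
twofish-xts 512b 297.0 MiB/s 309.6 MiB/s
"""

# One cipher row: name, key size, encryption and decryption rate in MiB/s.
ROW = re.compile(r"^\s*([a-z0-9]+-[a-z0-9]+)\s+(\d+)b\s+([\d.]+)\s+MiB/s\s+([\d.]+)\s+MiB/s\s*$")

class Cipher(NamedTuple):
    name: str
    key_bits: int   # XTS splits the key in two, so aes-xts 512b means AES-256
    enc: float
    dec: float

    @property
    def floor(self) -> float:
        """Slower of the two directions; the rate to compare with the disk."""
        return min(self.enc, self.dec)

def parse_benchmark(text: str) -> list:
    """Return cipher rows; comment, PBKDF and N/A lines do not match ROW."""
    return [Cipher(m[1], int(m[2]), float(m[3]), float(m[4]))
            for m in map(ROW.match, text.splitlines()) if m]

def crypto_bound(rows, disk_mib_s: float) -> list:
    """Ciphers that would cap throughput below the disk's sequential rate."""
    return [f"{r.name}-{r.key_bits}" for r in rows if r.floor < disk_mib_s]

def fastest(rows, mode: str = "xts"):
    """Fastest cipher of the given mode, judged by its slower direction."""
    cands = [r for r in rows if r.name.endswith("-" + mode)]
    return max(cands, key=lambda r: r.floor) if cands else None

if __name__ == "__main__":
    rows = parse_benchmark(SAMPLE)
    disk = 500.0  # assumed sequential rate of a SATA SSD in MiB/s, not measured
    print("fastest XTS:", fastest(rows))
    print(f"slower than a {disk:.0f} MiB/s disk:", crypto_bound(rows, disk))
```

The benchmark figures are single-threaded and memory-only, so they bound what one core can encrypt rather than predict real dm-crypt throughput on a given disk.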


                  • #19
                    Originally posted by molecule-eye
                    This isn't exactly relevant, but what is up with the price of their systems? The hardware is far from inspiring for what you can get for the same price in the Windows world, and Linux is free, so there's no OS cost, and yet their mediocre Galago Pro base system costs $959! I just picked up a Lenovo 710 15.6" for $650 with nice hardware (Core i5, 256GB SSD, 8GB RAM, IPS convertible display) and slapped my preferred distro on it in less than 15 minutes. So who buys these mediocre, overpriced Linux laptops? I can think of way better ways of supporting Linux.
                    Show me a Lenovo laptop that comes with full Lenovo vendor support for Linux. Or any other OEM where all of the laptop's features and functions "just work" out of the box. Laptops are notoriously fickle when it comes to drivers, and the big OEMs are Windows vendors when it comes to consumer products. They support Linux only on their high end professional workstation models, and typically only corporate distros like RHEL and SLES. And find me one big OEM that is disabling ME by default. The fact is, you get a lot for your money when you buy from System76. If you want to be a self-support penny pincher, that's your prerogative, but it's poor form to badmouth a leading Linux hardware vendor, and even more so when you haven't even used their product.
                    Last edited by torsionbar28; 01-28-2018, 09:10 PM.

                    Comment


                    • #20
                      Originally posted by M1kkko
                      Well, at least on my Lenovo laptop, full disk encryption is supported on hardware level, I don't need any of that OS level nonsense and also there is no performance penalty for enabling encryption.

                      Basically when you power on the laptop, the first thing you see is a password prompt, and without entering the password there is no way to even find out what operating systems I have installed.

                      https://support.lenovo.com/en/solutions/migr-69621
                      I would never trust encryption provided by a hardware vendor not to contain backdoors for law enforcement such as a keylogger to cache a copy of the passphrase, perhaps encrypted with a key provided only to the NSA and the FBI. This goes double for Lenovo, with their history of spyware such as Superfish and malicious UEFI code to do things like reinstall Windows bloatware or string check boot executables to ensure only Windows 8 or RHEL could boot.

                      Use Lenovo's HW encryption only as an additional barrier, and then use your strong passphrase with LUKS instead and on top of that.

                      Comment
