System76 Eyeing Disk Encryption By Default


  • phoronix
    started a topic System76 Eyeing Disk Encryption By Default

    Phoronix: System76 Eyeing Disk Encryption By Default

    Ubuntu-focused Linux PC vendor System76 who has also been working on their own Pop!_OS distribution is looking at enabling disk encryption by default...

    http://www.phoronix.com/scan.php?pag...yption-Default

  • elvis
    replied
    Originally posted by Flaburgan
    Where does that come from? On the exact same screen where you can pick home directory encryption, you can choose to encrypt the whole hard drive as easily. I see nothing new here. Did I miss something?
    Ubuntu offers two different types of encryption:

    1) Full disk encryption, via dm-crypt, cryptsetup and LUKS. This requires device manager to encrypt at the block level, with the file system on top. You choose this at disk setup/partitioning time (using the "encrypted LVM" option). This is only in the advanced/TUI/server installer, not in the GUI installer:
    https://en.wikipedia.org/wiki/Dm-crypt

    2) Home directory encryption, via ecryptfs, which allows a virtual encrypted container to live on top of the file system, and be mounted per-user as required. This is an option you choose after disk partitioning, but before install, and is available in the TUI and GUI installers.
    http://ecryptfs.org/



  • Flaburgan
    replied
    Ubuntu offers home directory encryption via their GUI installer, but doing full-disk encryption is less straightforward on their platform
    Where does that come from? On the exact same screen where you can pick home directory encryption, you can choose to encrypt the whole hard drive as easily. I see nothing new here. Did I miss something?



  • franglais125
    replied
    Originally posted by M1kkko
    Well, at least on my Lenovo laptop, full disk encryption is supported on hardware level, I don't need any of that OS level nonsense and also there is no performance penalty for enabling encryption.

    Basically when you power on the laptop, the first thing you see is a password prompt, and without entering the password there is no way to even find out what operating systems I have installed.

    https://support.lenovo.com/en/solutions/migr-69621
    I already replied to you, but this was just too much. Please don't trust Lenovo with encryption nor security.

    https://arstechnica.com/information-...print-manager/



  • molecule-eye
    replied
    Originally posted by torsionbar28

    Show me a Lenovo laptop that comes with full Lenovo vendor support for Linux. Or any other OEM where all of the laptop's features and functions "just work" out of the box. Laptops are notoriously fickle when it comes to drivers, and the big OEM's are Windows vendors when it comes to consumer products. They support Linux only on their high end professional workstation models, and typically only corporate distros like RHEL and SLES. And find me one big OEM that is disabling ME by default. The fact is, you get a lot for your money when you buy from System76. If you want to be a self-support penny pincher, that's your prerogative, but it's poor form to badmouth a leading Linux hardware vendor, and even more so when you haven't even used their product.
    Actually my Lenovo worked out of the box with KDE Neon, including media keys, etc. All limitations of the hardware (e.g. auto screen rotation and touch gestures) are limitations of the DE or display server, not the hardware's failing to be compatible with linux. It's pretty easy to check the specs of potential hardware purchases to check linux compatibility.

    Also, it's pretty comical to call one a "self-support penny pincher" because they question why they would purchase inferior hardware at a significant price markup just for linux support. I'm not "badmouthing" system76--I'm just wondering why it costs so much to brand a Clevo unit and put (and support) linux on it. Does the cost come mainly from the support?



  • franglais125
    replied
    Originally posted by elvis

    "cryptsetup" (the binary that configures LUKS on disk for you) has a built in benchmark that runs a single-threaded test. Test it on your own machine to see how it performs.

    $ grep ^'model name' /proc/cpuinfo | head -1
    model name : Intel(R) Core(TM) i7-3632QM CPU @ 2.20GHz

    $ cryptsetup benchmark

    I didn't know this! Nice, and thanks. I have a v131 Vostro



  • Luke
    replied
    Originally posted by M1kkko
    Well, at least on my Lenovo laptop, full disk encryption is supported on hardware level, I don't need any of that OS level nonsense and also there is no performance penalty for enabling encryption.

    Basically when you power on the laptop, the first thing you see is a password prompt, and without entering the password there is no way to even find out what operating systems I have installed.

    https://support.lenovo.com/en/solutions/migr-69621
    I would never trust encryption provided by a hardware vendor not to contain backdoors for law enforcement such as a keylogger to cache a copy of the passphrase, perhaps encrypted with a key provided only to the NSA and the FBI. This goes double for Lenovo, with their history of spyware such as Superfish and malicious UEFI code to do things like reinstall Windows bloatware or string check boot executables to ensure only Windows 8 or RHEL could boot.

    Use Lenovo's HW encryption only as an additional barrier, and then use your strong passphrase with LUKS instead and on top of that.



  • torsionbar28
    replied
    Originally posted by molecule-eye
    This isn't exactly relevant, but what is up with the price of their systems? The hardware is far from inspiring for what you can get for the same price in the windows world, and linux is free, so there's no OS cost, and yet their mediocre Galago Pro base system costs $959! I just picked up a Lenovo 710 15.6" for $650 with nice hardware (core i5, 256GB SSD, 8GB RAM, IPS convertible display) and slapped my preferred distro on it in less than 15 minutes. So who buys these mediocre, overpriced linux laptops? I can think of way better ways of supporting linux.
    Show me a Lenovo laptop that comes with full Lenovo vendor support for Linux. Or any other OEM where all of the laptop's features and functions "just work" out of the box. Laptops are notoriously fickle when it comes to drivers, and the big OEM's are Windows vendors when it comes to consumer products. They support Linux only on their high end professional workstation models, and typically only corporate distros like RHEL and SLES. And find me one big OEM that is disabling ME by default. The fact is, you get a lot for your money when you buy from System76. If you want to be a self-support penny pincher, that's your prerogative, but it's poor form to badmouth a leading Linux hardware vendor, and even more so when you haven't even used their product.
    Last edited by torsionbar28; 01-28-2018, 09:10 PM.



  • elvis
    replied
    Originally posted by nll_a
    Last time I checked (which admittedly was a really long time ago), disk encryption had a very significant impact on OS performance, which is why I never got around to adopting it. But it's really been a while since I saw benchmarks for it. Do you think that's worthy of an article, Michael?
    "cryptsetup" (the binary that configures LUKS on disk for you) has a built in benchmark that runs a single-threaded test. Test it on your own machine to see how it performs.

    Here's my system. AES-XTS 512 gives me around 1GB/s read/write on my 5 year old Core i7 Dell Vostro 3560. That's quite a deal better than my SSD hard disk can do, and with 8 cores I'm not too fussed at the performance hit for the extra security (and business compliance) it provides.

    $ grep ^'model name' /proc/cpuinfo | head -1
    model name : Intel(R) Core(TM) i7-3632QM CPU @ 2.20GHz

    $ cryptsetup benchmark
    # Tests are approximate using memory only (no storage IO).
    PBKDF2-sha1         970903 iterations per second
    PBKDF2-sha256       604715 iterations per second
    PBKDF2-sha512       439838 iterations per second
    PBKDF2-ripemd160    608222 iterations per second
    PBKDF2-whirlpool    207392 iterations per second
    #  Algorithm | Key  |  Encryption  |  Decryption
         aes-cbc   128b    538.1 MiB/s   1885.2 MiB/s
     serpent-cbc   128b     77.4 MiB/s    254.6 MiB/s
     twofish-cbc   128b    166.5 MiB/s    315.1 MiB/s
         aes-cbc   256b    384.9 MiB/s   1386.3 MiB/s
     serpent-cbc   256b     74.6 MiB/s    258.6 MiB/s
     twofish-cbc   256b    161.6 MiB/s    301.1 MiB/s
         aes-xts   256b   1559.8 MiB/s   1507.7 MiB/s
     serpent-xts   256b    263.6 MiB/s    252.9 MiB/s
     twofish-xts   256b    293.1 MiB/s    296.6 MiB/s
         aes-xts   512b   1198.4 MiB/s   1223.0 MiB/s
     serpent-xts   512b    266.8 MiB/s    260.4 MiB/s
     twofish-xts   512b    297.0 MiB/s    309.6 MiB/s

    Leave a comment:
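The benchmark reading in elvis's post above, turned into a repeatable check (an added example, not part of any post in the thread): it parses `cryptsetup benchmark` output and reports whether a cipher's slower direction still outruns a given disk. The function names and the 500 MiB/s disk figure are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: parse `cryptsetup benchmark` text on stdin.
# Note: for XTS the key is split in two, so "aes-xts 512b" is AES-256 in XTS mode.

# Rows copied from the benchmark output quoted in the post above (i7-3632QM).
sample_benchmark() {
cat <<'EOF'
# Tests are approximate using memory only (no storage IO).
PBKDF2-sha256 604715 iterations per second
# Algorithm | Key | Encryption | Decryption
aes-cbc 128b 538.1 MiB/s 1885.2 MiB/s
aes-xts 256b 1559.8 MiB/s 1507.7 MiB/s
serpent-xts 256b 263.6 MiB/s 252.9 MiB/s
aes-xts 512b 1198.4 MiB/s 1223.0 MiB/s
twofish-xts 512b 297.0 MiB/s 309.6 MiB/s
EOF
}

# bottleneck_mibs CIPHER KEYBITS -> slower of encrypt/decrypt, in MiB/s.
# Exit status 1 if that cipher/key pair is not in the output.
bottleneck_mibs() {
    awk -v c="$1" -v k="${2}b" '
        /^[ \t]*#/ || NF != 6 { next }      # skip comments and PBKDF2 lines
        $1 == c && $2 == k { print ($3 < $5 ? $3 : $5); found = 1; exit }
        END { exit !found }'
}

# fastest -> "cipher keysize" with the highest bottleneck throughput.
fastest() {
    awk '/^[ \t]*#/ || NF != 6 { next }
         { m = ($3 < $5 ? $3 : $5) + 0
           if (m > best) { best = m; name = $1 " " $2 } }
         END { if (name == "") exit 1; print name }'
}

# keeps_up CIPHER KEYBITS DISK_MIBS -> 0 if the cipher is at least as fast as
# the disk, 1 if encryption would be the bottleneck, 2 if cipher not found.
keeps_up() {
    rate=$(bottleneck_mibs "$1" "$2") || return 2
    awk -v r="$rate" -v d="$3" 'BEGIN { exit !(r + 0 >= d + 0) }'
}

# 500 MiB/s is a constructed disk figure; measure your own drive separately.
for spec in "aes-xts 512" "twofish-xts 512"; do
    set -- $spec
    if sample_benchmark | keeps_up "$1" "$2" 500; then verdict="disk-bound"
    else verdict="cipher-bound"; fi
    echo "$1 $2: $verdict at 500 MiB/s"
done
```

On a real machine, replace `sample_benchmark` with `cryptsetup benchmark`; the figures are single-threaded and memory-only, as the tool's own header line says.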


  • azdaha
    replied
    Originally posted by mmstick

    You don't seem to understand how markets work. System76 is a small company that is just starting out in this area (check out the About Us page). They aren't a massive OEM like Lenovo or Dell, both of which are manufacturing their own laptops in high volumes to bring costs down. System76 has, however, just recently purchased their own 22.4K sq. foot manufacturing facility in Denver, so they will be selling their own laptops soon. The current models are Clevo units with Intel ME disabled, and preloaded with Pop!_OS / Ubuntu 16.04.

    So if you want Linux to succeed on the desktop, then you should invest into System76, even if the hardware is slightly more expensive than you get from a Windows OEM. That money will directly go into hiring more software & hardware engineers to work exclusively on the Linux desktop, and Linux-based desktop hardware solutions. Canonical is not manufacturing Linux-based laptops, and neither is Red Hat. They are more concerned with the Linux server & IoT spaces. The 'Year of the Linux Desktop' will only happen once a company like System76 steps up to start selling hardware to the masses in the same manner that Chromebooks, HP, Dell, Lenovo, etc. systems are being marketed and sold on TV and in stores.

    PS: I'm one of their latest hires. We're writing the installer backend in Rust, while the Elementary team is working on the UI frontend which interfaces with distinst. Encryption is a thing that we are working on, as well as replacing GRUB with systemd-boot. There are a lot of issues that Canonical has not addressed, and we are going to pick up the slack to cater to the Linux desktop. Canonical's apparently only interested in server and IoT.
    Very well said.

    Additionally, as was alluded to earlier with examples like Lenovo, I trust System76 more to provide continued support for their products even after the warranty period, as they have a more focused vision and user base that value OpenSource and are more security-aware. It's also worth reiterating the selection of hardware by System76 that is known to work with Linux; not only does that benefit the end-user that purchases from System76 directly, but it also creates a bigger incentive for hardware vendors and manufacturers to provide support for Linux if they want to be included in the systems that are offered.

    Lastly, after the ongoing problems with Meltdown and Spectre, which are further exacerbated due to limited hardware vendors & providers, it should be obvious that choices in Hardware vendors and Open Hardware are becoming increasingly important. Therefore, I would say that, while it's possible to "support Linux" in other ways, there are disproportionately more "supporters" on the software side than with anything related to Open Hardware.

