My laptop isn’t under my supervision most of the time. And I’d hate it if someone were to steal my SSD, or whole laptop even, when I’m not around. Is there a way to encrypt everything, but still keep the device in sleep, and unclock it without much delay. It’s a very slow laptop. So decryption on login isn’t viable, takes too long. While booting up also takes forever, so it needs to be in a “safe” state when simply logged out. Maybe a way that’s decrypt-on-demand?

I’m on Arch with KDE.

  • bruhbeans@lemmy.ml
    link
    fedilink
    arrow-up
    7
    ·
    3 months ago

    How old are we talking? If the CPU is >10 years old and/or some kind of ARM, it may not have hardware encryption acceleration, which means it’ll happen in software. I did that once, it was horrible. lscpu |grep -i aes should probably tell you what you need to know.

    • UnRelatedBurner@sh.itjust.worksOP
      link
      fedilink
      arrow-up
      2
      ·
      3 months ago

      It does give me a result so I do have “aes”. How can I use it?

      We’re talking an Intel i5-8350U. it has 16GBs of ram and 500GB of SSD.

      • deafboy@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        3 months ago

        That’s not a slow laptop. I’ve been daily driving worse for years.

        To protect the data from random thief just browsing through the files I still use ecryptfs. It only encrypts the home directory, and the keys are derived from my accounts password, so no extra hassle.

        The encryption is weak by the current standards, and wouldn’t stop a determined attacker, but it’s 100% better than nothing, and I’ve never noticed any performance problems.

        • UnRelatedBurner@sh.itjust.worksOP
          link
          fedilink
          arrow-up
          1
          ·
          3 months ago

          I’m not planning on putting information on my laptop that I don’t have to. Speed for a bit of security sounds good. I’ll look into ecryptfs. And also into boot time, lots of you are screaming at me that it’s a fast laptop. what how

      • thepiguy@lemmy.ml
        link
        fedilink
        arrow-up
        2
        ·
        3 months ago

        Systemd has a good guide on how to use it https://systemd.io/HOME_DIRECTORY/

        And they also have a guide on migrating a traditional user home to this. Do remember to take backups if going this route https://systemd.io/CONVERTING_TO_HOMED/

        I personally used the arch wiki when I set it up https://wiki.archlinux.org/title/Systemd-homed

        There is not much config.

        I think the command I used for my laptop was:

        homectl create <name> --storage=luks --shell=/usr/bin/fish --member-of=wheel
        

        https://wiki.archlinux.org/title/Systemd-homed#Creation

        Gnome is working on a gui for this, but it will probably be a while until that is out. I feel like it is pretty safe to use the cli for this one.

        • UnRelatedBurner@sh.itjust.worksOP
          link
          fedilink
          arrow-up
          2
          ·
          3 months ago

          Okay I just had a bit of freetime to test it: doesn’t work… if I log out or sleep, my home dir is still mounted. Meaning it’s as good as nothing. Looked at the plasma fix, didn’t work. I have a pretty good lead, that I need the topmost template from some wiki:

          [Unit]
          PartOf=graphical-session.target
          

          Problem is, where in the world should I write this? I really don’t expect you to know, but maybe I’m talking to a genius. The internet didn’t help, or I used it wrong.

          • thepiguy@lemmy.ml
            link
            fedilink
            arrow-up
            1
            ·
            3 months ago

            The template is supposed to be something that you put in your own systemd services. plasma-kwin_x11.service and plasma-kwin_wayland.service both already have it.

            If I have to guess, it is probably a bug that will get fixed sometime in the future, meaning this is not a viable solution until then. Sorry for that.

            Just as a last bit of troubleshooting, check if cat ~/.config/startkderc shows systemBoot = true. If it does not, run kwriteconfig6 --file startkderc --group General --key systemdBoot true. I doubt this will change much, but still worth trying.

            If I get some free time, I will do some testing and let you know here

            • UnRelatedBurner@sh.itjust.worksOP
              link
              fedilink
              arrow-up
              2
              ·
              3 months ago

              cat ~/.config/startkderc returns systemdBoot=true. I’m guessing you made a typo and this is correct. In this case I guess it just doesn’t work on KDE, my next idea is LUKS on /home and hibernating instead of sleeping. Or I always wanted to try a tiling window manager… hm

              • thepiguy@lemmy.ml
                link
                fedilink
                arrow-up
                2
                ·
                3 months ago

                systemdBoot is supposed to be true, not a typo. But yeah, I don’t use plasma much so I don’t really know how to solve the issue… Sorry for that!

                • UnRelatedBurner@sh.itjust.worksOP
                  link
                  fedilink
                  arrow-up
                  2
                  ·
                  3 months ago

                  No problem, thanks for the help. Also I got news is that I don’t have to trust anyone with my laptop, I can keep it by my side after all. Still it’s a security mesure, that I didn’t solve in time. fun fact: LUKS on /home only breaks KDE. I really don’t want to give up kde tho, I put on sway, realised that I needed to memorise console commands to change my fking volumes, so no thank you. I got spoiled by sweet UIs. it’s so comfortable that everything is at one place.

        • UnRelatedBurner@sh.itjust.worksOP
          link
          fedilink
          arrow-up
          2
          ·
          edit-2
          3 months ago

          Hehe, Thank you. But by the time I’m reading this I’ve already done it. Got stuck on a couple or roadblocks, but figured it out. I got scared when I didn’t “enable” the service just “start” it. I’m not safe(-ish enough). :D

          edit: well not the plasma fix. wiki said if it’s a problem I need to start something, and that something should be on by default. So I didn’t do anything, maybe that’s a problem

  • toastal@lemmy.ml
    link
    fedilink
    arrow-up
    2
    ·
    edit-2
    3 months ago

    Most filesystems now how encryption that is better optimized for their specific performance & might be worth choosing over LUKS… ZFS, Bcachefs, F2FS, ext4

  • bloodfart@lemmy.ml
    link
    fedilink
    arrow-up
    2
    ·
    3 months ago

    That’s a hard thing to do for a bunch of reasons. There’s someone else who went into em so I’m not gonna do that.

    Unless something’s seriously wrong, it would probably be better to just make your laptop boot faster.

    So, what’s your laptop, what kind of disk does it have and how long does it take to boot/login?

    • UnRelatedBurner@sh.itjust.worksOP
      link
      fedilink
      arrow-up
      1
      ·
      3 months ago

      Is your idea to do the easier decrypt on boot, and optimize the boot times?

      I could probably do that, but someone else said that there is a decrypt on hibernate, seems better.

      • bloodfart@lemmy.ml
        link
        fedilink
        arrow-up
        2
        ·
        edit-2
        3 months ago

        Yeah im thinking do “normal” decrypt on boot. It’ll be easier to troubleshoot and recover from if something goes wrong and there’s fewer pitfalls to deal with.

        I also suspect that theres a problem with your computer because boot times have been pretty fast for many years now.

        E: I just now saw that you’re using an eighth generation intel processor, plenty of ram and an ssd.

        I have the same situation but a much older processor and my boot times from button press to desktop are ~10 seconds.

        Unless your expectations for boot times are way out of line, you ought to have no problem using decrypt on boot.

        One possibility is that your ssd has aged and is having to read those old system file blocks hundreds of times to get it right. Badblocks -n or spinrite level 2 or 3 scan fixes this problem.

        • UnRelatedBurner@sh.itjust.worksOP
          link
          fedilink
          arrow-up
          1
          ·
          3 months ago

          I bought it used, so I’m interested in your last point. I’ve reinstalled it - first thing I did. Do SSDs slow down overtime? And there is a linux command to fix that? Sound crazy, can you elaborate?

          • bloodfart@lemmy.ml
            link
            fedilink
            arrow-up
            1
            ·
            3 months ago

            Yeah badblocks -n /dev/your_target_device launched from a different boot device.

            You can’t run it from your install because it’s gonna read every block into memory and then write some crap to it and read it back to make sure the block works then write what was originally there back to it.

            It’s really important that you check yourself before you wreck yourself with the badblocks command because you can destroy data if you use the wrong flags.

            Another program that fixes that problem is spinrite. It costs money but it’s very useful and has a lot of good documentation.

            Each cell in the ssd isn’t a digital “1” or “0” but a charge coupled device that stores a voltage. Over time that potential changes in a way that’s directly proportional to the number of read cycles and age of the data from first write. When it changes enough, the controller has to try to read it many times to get a sane result it can send down the bus.

            That results in your ssd seeming slow.

            How long does it take to boot though, and what do you expect?

            • UnRelatedBurner@sh.itjust.worksOP
              link
              fedilink
              arrow-up
              1
              ·
              3 months ago

              didn’t run a timer, it was still fast enough, but for turning it off and on every 5 minutes (or more realisticly hour)… I’d like the fastest possible. I’ll have fun with this badblocks, sounds OP af. However I don’t think it’s a good sign if this returns anything right? I could make it so the filesystem avoids that block, that is good and all, but doesn’t that means my SSD started “turning bad”. So either way I should get a new one? If one cell fails other will soon follow, and my data is lost, no?

              • bloodfart@lemmy.ml
                link
                fedilink
                arrow-up
                2
                ·
                3 months ago

                Always have a backup.

                Badblocks shouldn’t output anything when run on an ssd. It’s not really useful for its intended purpose there because ssds have hundreds to thousands of bad blocks to start with (depending on how you define “blocks”) and reprovision messed up sections all the time to cover up the fact that they’re screwing up constantly from the bus.

                It’s also true of rotational hard drives nowadays, not that they’re fundamentally based on using a medium that’s incredibly prone to “failure” but that they don’t expose the actual addresses on the medium to the controller.

                The old way, what the bad blocks tool is intended to address, is like if there were a big warehouse and when you wanted something you asked for the thing in rack 6F, shelf D8. The disk goes and gets it for you and if it’s the right thing then you’re golden and if it’s wrong you got a problem.

                Badblocks -n grabs the thing on 6F,D8, sets it aside and asks the disk to put something else in there, then asks for it back. If it succeeds then wonderful! “Block” 6FD8 is good and it puts the thing that was originally there back and moves on to the next one ad infinitum.

                Of course, new rotational disks and all available ssds don’t actually work like that. You hand the disk an object and say “put this in 6FD8” and the device says “you got it” and then promptly opens the package you handed over and puts its contents wherever it wants.

                When you ask for 6FD8 back the device grabs all the stuff that’s supposed to be there, puts it all back together and hands it to you. The disk itself might have all kinds of messed up things going on internally and you only see it when the data you put in doesn’t come out the same.

                Part of what makes the secure erase functionality work on ssds is that very insane obfuscation. When there’s no actual physical structure to the way data is stored, no “raw” read of the ccd chips can make heads or tails of it. The disk can be easily and quickly “wiped” just by asking the disk itself to kindly forget its own key used to locate information requested and viola! Secure erase!

                Of course, none of that matters because we’re not using badblocks to figure out if there are bad blocks, we’re using it to force the ssd to rewrite its ccds so they respond to requests faster.

                The behavior we care about is writing something to the “block” then erasing it and rewriting the original data into it. Badblocks -n should do that.

                There are times when it might not though, the ssd may hand you porno.mov out of “6FD8”, write random data to somewhere in the ccd chip that it writes down is supposed to be 6FD8, read it back to badblocks, then when badblocks says “alright, that one passed, lets put porno.mov back there” the ssd says “wait a second, I have a string of bits that matches this!” And just update its internal ledger that 6FD8 is now what it was before that silly random data kerfuffle, never actually rewriting anything.

                It saved a write cycle on those cells after all! It did you a favor!

                So sometimes badblocks -n doesn’t work in this application. Spinrite is the “correct” tool, but for some applications it doesn’t work either (non x86 systems) so I use dd in that case to just slam the disk full of something so it can’t reprovision and save any write cycles and writes every possible cell with something. That destroys data, of course.

                • UnRelatedBurner@sh.itjust.worksOP
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  3 months ago

                  What I’m getting from this is badblocks isn’t a magical tool that makes all storage devices faster and better anymore. correct? The fact that modern storage devices do that is a bit scary. I’m guessing it’s firmware, no way to turn it off. And why would you, it helps you, just takes control away from you.

                  I wasn’t really trying to wipe my storage device, but to make it faster. However you said a bunch of interesting stuff, and I thank you for that.

  • Unyieldingly@lemmy.world
    link
    fedilink
    arrow-up
    1
    ·
    3 months ago

    I use ZFS on my workstations with Debian, but yeah full drive is the way to go i think even Linux Mint does full drive anymore, also remember to keep backups.

  • Leaflet@lemmy.world
    link
    fedilink
    English
    arrow-up
    3
    arrow-down
    3
    ·
    edit-2
    3 months ago

    With an encrypted disk, you only need to enter the encryption password when you shutdown or restart. Suspending and sleep lock screen don’t need your encryption password.

      • Leaflet@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        1
        ·
        edit-2
        3 months ago

        That’s true for hibernation, but not suspending. Hibernation stores everything in RAM onto the disk then shuts off the PC; to resume the system, you need to unlock the disk to access that data. Suspending doesn’t turn off the computer, it keeps the CPU and RAM active.

        On my Fedora system, I can hit the suspend button and get back into the OS without needing to type my encryption password, only my user password.

        • remram@lemmy.ml
          link
          fedilink
          arrow-up
          4
          ·
          edit-2
          3 months ago

          Ok so what do you call “sleep”? You’ve now listed suspending, sleeping, and hibernating as 3 different things.

          • Leaflet@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            arrow-down
            3
            ·
            3 months ago

            I can sleep “sleep”. All system components are still powered on at this stage, so it uses the most power. But at the same time it’s the quickest to get back into your system. All that’s really happening with sleep is that the screen turns off.

            Then you have suspend. Laptops often first go to sleep but then suspend after a long period of inactivity to save battery.

            Then you have hibernation. I don’t think this is used that often nowadays.