Context
Hello. I’m new to Fedora and Silverblue, but not new to Linux. In the past, I’ve used LUKS for block level encryption.
However, today’s project is different. I’m setting up a laptop for my parents, who have a very low threat model. The laptop never leaves home and normally it’s stored away somewhere out of sight. At most they use their laptop once per month.
I created 3 separate user accounts, me and both of my parents. They do have some files stored locally, but nothing critical. I’d like to keep the 3 account setup.
They’re coming from macOS which only requires users to enter their password in once. I’d like to keep this property in order to not make using the computer more difficult or annoying.
At first, I was going to not use any encryption at all, since this would make it the most easy for them to operate the laptop. However, I thought maybe I could do a little better. Starting from here, I’d like to increase security as much as possible—without them noticing or making it more annoying to use the laptop.
Questions
One thing I thought I could do is use eCryptfs to encrypt their home directories. Is this possible in Silverblue? I didn’t see this option in the installer. I’ve never used eCryptfs before.
Can I or should I enable Secure Boot on the laptop? Currently, it’s off and I haven’t used a Linux distro where I could turn it on before. But I thought I saw somewhere that Silverblue might work with Secure Boot? I tried turning it on, but then the OS didn’t boot.
What about TPM auto-unlocking a LUKS encrypted drive? Is this supported in Silverblue? I thought I read it kinda works, but it’s not very secure? But, I would take a 1% increase in security over nothing. (Again, my case doesn’t require high security.) Or is it not supported at all? Would an update break the auto-unlocking, preventing the laptop from booting? Could I combine this with eCryptfs home directory encryption?
A final option I thought about was to use 3 keyslots in LUKS, with each user account’s password. Then somehow configure GDM so that it displays a list of the 3 users and my parents would just click on their name—but not have to enter their password to log into their account. (Doesn’t matter if my mom enters my dad’s account after LUKS is unlocked.)
Update:
Wait, is eCryptfs deprecated?