Full Disk Encryption of Workstation

I’m using Whonix on KVM with a Linux host OS to securely develop applications. I’d like to full disk encrypt the Workstation VM so a password has to be entered to unlock the data on the VM, so if it’s not running nobody can view the data. I do have my home folder in the host OS ecryptfs home encrypted, but that doesn’t protect me if I leave the computer running. With FDE on the VM I’ll be protected as long as the VM isn’t running with the VM disk decrypted.

I used the instructions from the KVM Wiki and have the two 100 GB .qcow2 files. I get GRUB at start but have no option to log in or full disk encrypt, not even when I first set it up and I changed the passwords. How would I enable full disk encryption? Can I do it still without having to lose all my data or do I need a fresh install?

Your options are running something like Zulucrypt and moving the disk image into the mounted container and running it from there, or using libvirt’s encrypted volume feature.

Note that you may need to take additional precautions to stop data leaking outside the container during VM operation that could be written to the swap file and other places. This chapter is very relevant (Debian hosts): Live Mode for Kicksecure

If you leave your machine unattended it could be compromised and then the VM encryption pw exfiltrated whenever you enter it.

I wouldn’t bother with all the hoops above when you can run LUKS FDE on the host and be done with it. You can’t trust a machine out of your sight anyhow and encrypting just the VM won’t really help there.

1 Like
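To check which of the options discussed above is actually in effect for an image file, the following added example (not part of any post in this thread) reads the file header and reports whether it is a LUKS container or a qcow2 image with its encryption method. The function names and the sample header are constructed for illustration; the header offsets follow the qcow2 and LUKS on-disk formats.

```python
import struct
import sys

QCOW2_MAGIC = b"QFI\xfb"        # qcow2 image magic
LUKS_MAGIC = b"LUKS\xba\xbe"    # LUKS1/LUKS2 on-disk header magic
# qcow2 header field crypt_method (big-endian uint32 at byte offset 32)
QCOW2_CRYPT = {0: "none", 1: "aes (legacy qcow scheme)", 2: "luks"}


def make_qcow2_header(crypt_method: int) -> bytes:
    """Constructed sample: first 36 bytes of a v3 qcow2 header, 100 GiB virtual size."""
    return struct.pack(">4sIQIIQI", QCOW2_MAGIC, 3, 0, 0, 16, 100 * 2**30, crypt_method)


def classify_header(header: bytes) -> str:
    """Describe the at-rest protection visible in an image file's first bytes."""
    if header[:6] == LUKS_MAGIC and len(header) >= 8:
        (version,) = struct.unpack(">H", header[6:8])
        return f"luks{version} container"
    if header[:4] == QCOW2_MAGIC:
        if len(header) < 36:
            return "qcow2, truncated header"
        (version,) = struct.unpack(">I", header[4:8])
        (crypt,) = struct.unpack(">I", header[32:36])
        label = QCOW2_CRYPT.get(crypt, f"unknown method {crypt}")
        return f"qcow2 v{version}, encryption: {label}"
    # Headerless formats (plain dm-crypt, TrueCrypt/VeraCrypt) also end up here,
    # so this result means "cannot tell", not "unencrypted".
    return "unrecognised"


def is_encrypted(header: bytes) -> bool:
    """True only when the header positively identifies an encrypted format."""
    kind = classify_header(header)
    return kind.startswith("luks") or kind.endswith((": luks", "(legacy qcow scheme)"))


def classify_file(path: str) -> str:
    with open(path, "rb") as fh:
        return classify_header(fh.read(36))


if __name__ == "__main__":
    for image in sys.argv[1:]:   # paths to the image or container files to check
        print(f"{image}: {classify_file(image)}")
```

A qcow2 kept inside a mounted LUKS container will itself report `encryption: none`; in that setup it is the container file on the host that should classify as LUKS.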

The computer is shared with multiple users so the FDE password would be known by everybody. Also was planning on hosting a hidden service the same way (dedicated Linux server with Whonix VMs) and want to have some kind of security, so if the VM shuts down actors wouldn’t have easy access to files in the VM.

This is my first time using VMs, do you have any guides to using encrypted containers? When I see LUKS I’m assuming that the filesystem has to start as LUKS at install because that was the only time I was given the option in other versions of Linux. I have files on the Workstation I don’t want to have to retransfer, can I put it in the encrypted container after already installing the OS? By encrypted container you don’t mean GPG encrypt the .qcow2s, do you?

My advice is to modify the partitions to allow installing multiple distros on the same hard drive with your own instance with FDE enabled. Or buy your own machine because sharing a computer that needs to do anything important is a big mistake. They aren’t that expensive and have decent horsepower for most use cases.

The idea that separate file level encryption can help when FDE fails you is unrealistic because a situation where one fails is enough to fail you in both uses.

I’ve written about how to use Zulucrypt briefly in the page I linked to. There are plenty of guides on the web and a detailed manual from the author.

It’s the easier way, but you can modify a non-encrypted install to be one in-situ with some legwork.

GPG is great for encrypting data at rest you plan on sending across the web, but it is not designed for modifying and saving them on the fly while remaining encrypted. So no, it is not a substitute for Truecrypt or Zulucrypt in this case.

1 Like

I thought FDE also encrypts the partitions? So you’re saying if I bought a computer with Windows preinstalled and then wanted to install Ubuntu with FDE I can do that without messing with the Windows partition? I always have dual boot computers but assumed you could only FDE if the Linux OS was the only OS on the system. I have GRUB boot loader and it shows all the OSs on all the partitions.

It is possible. Linux can share a hard drive on its own partition. It can boot from volume boot record (VBR) rather than master boot record (MBR).

Bootloader only could be on an external disk.

Could BIOS boot from secondary (external) boot drive.

Endless flexibility. Usability is lacking. Nontrivial.

some tips here:

Not Whonix specific.

Can be sorted as per Free Support for Whonix

Staying away from Windows is good for another reason: security. A compromised Windows might infect the boot loader / BIOS / hardware and spread to even an FDE’d Linux.

1 Like