Disk encryption?

I am wondering how to think about security and privacy with Freedombox in relation to the question of disk encryption. I know this topic has been broached elsewhere in this forum already, but it seems the conversation was started then dropped.

I am not at all an expert in these matters by any means, but here are my thoughts as best as I can express them. Freedombox gives you control of your own data through self-hosting. The apps and hardware are open source, and you are given control of where your data is stored. It is stored in your Freedombox and the devices that sync to it rather than ‘in the cloud’ (i.e. someone else’s computer). Freedombox is your NAS (among other things). But what if someone gets a hold of this NAS–as in physically gets a hold of it? This wouldn’t be any different to someone getting a hold of your unencrypted hard drive with all of your backups.

So what are the options for disk encryption? Am I missing something?

Disk encryption is done below the FreedomBox application in the OS today. There may be a way to do this in Cockpit, but I’m not sure if the system volume would be supported. I have done this on my laptop at install time using the Debian installation dialogs. It took me a few tries to figure it out. My basic steps go something like this:

  1. Partition your disk with:
     • boot partition
     • swap partition (mine is not encrypted, but you could encrypt this for higher level paranoia)
     • rest of disk in the third partition
  2. Do LUKS encryption on the big 3rd partition (this will take ages to finish)
  3. Make an LVM (volume manager) volume group out of encrypted partition 3
  4. Make one or more LVM logical volumes out of the volume group
     • I only made one for /
     • you can make multiple if you want to mount several partitions but I don’t recommend this with FreedomBox because you’ll have personal stuff in /home, and downloads and shared files in /var. Then you have to guess how much to allocate to /, /home, /var and it’s a pain when you get it wrong unless you want to become an expert in logical volume and filesystem resizing.
  5. Format your logical volume(s) with the filesystem of your choice, suggesting one btrfs at / for FreedomBox integration
  6. Finally you’ll get to where you can select your filesystems:
     • /boot
     • swap
     • / for encrypted /dev/mapper/vg0-lv0 btrfs volume
  7. Continue installing as normal

It took me a few tries to get it right. Give yourself plenty of time if you want to go on this adventure.

Encrypted swap layout would be:

  • /boot
  • rest of disk as luks partition

Volume group: one volume group
Logical volumes: one for swap and a second for / using the rest of the partition
Filesystems: /boot on /dev/sda1, swap on /dev/mapper/vg0-lv0, / on /dev/mapper/vg0-lv1
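
Added example, not part of the thread above: a shell check that tells you, after installing with either layout described in the answer, which mount points actually sit on a LUKS mapping. It parses the output of `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT`; the two sample listings and their device names (`sda`, `dm-0`, ...) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a mount point is backed
# by a dm-crypt (LUKS) mapping. Reads `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT`
# output on stdin and prints encrypted, plaintext, or absent.
on_crypt() {
    awk -v want="$1" '
    function field(key,    m) {          # pull KEY="value" out of the line
        if (!match($0, "(^| )" key "=\"[^\"]*\"")) return ""
        m = substr($0, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", m); sub(/"$/, "", m)
        return m
    }
    {
        k = field("KNAME")
        parent[k] = field("PKNAME")      # single-parent chains only (no RAID)
        type[k] = field("TYPE")
        if (field("MOUNTPOINT") == want) start = k
    }
    END {
        if (start == "") { print "absent"; exit }
        # Walk from the mounted device up to the disk, looking for a crypt layer.
        for (k = start; k != ""; k = parent[k])
            if (type[k] == "crypt") { print "encrypted"; exit }
        print "plaintext"
    }'
}

# Constructed sample: first layout (separate, unencrypted swap partition).
layout_plain_swap() { cat <<'EOF'
KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT="[SWAP]"
KNAME="sda3" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda3" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
EOF
}

# Constructed sample: encrypted swap layout (swap and / as LVs inside LUKS).
layout_crypt_swap() { cat <<'EOF'
KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda2" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="[SWAP]"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
EOF
}
```

On an installed system, pipe the real listing in, for example `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT | on_crypt '[SWAP]'`. In both layouts `/boot` reports plaintext, since it lives outside the LUKS partition.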