1

When I try to install the latest Debian on my PC, the wizard asks me to input a password to do FDE (full disk encryption).

My questions are:

  1. What algorithm does Debian use? (Truecrypt = AES)
  2. Can I change a password after install?
  3. Is this really safe? I mean, FBI failed to crack Truecrypt. Can the FBI crack Debian or not?
  4. Does Debian really encrypt ALL of the DISK? (Truecrypt can do it)

I would like to read a proof, but unfortunately I can't find one. Answers with details (source) will be appreciated.

RoraΖ
July
  • Truecrypt is out of date and cannot be considered safe. http://truecrypt.sourceforge.net/ "WARNING: Using TrueCrypt is not secure" – mgjk Nov 12 '14 at 15:30
  • Truecrypt is fine, use the last real version https://www.grc.com/misc/truecrypt/truecrypt.htm – CoderGuy123 Aug 19 '19 at 06:08

2 Answers

2

Ubuntu is Debian based so this post might be relevant. Also, I believe the default program for Debian is LUKS.

  1. I believe you have an option of which algorithms to use. I believe RC4/AES with SHA256 is standard.
  2. How to re-encrypt disk with different password (standard Debian)
  3. How secure is LUKS? | A look at LUKS disk encryption
  4. Yes, the entire drive is encrypted. This is done by setting up the FDE upon installation of the operating system. The bootloader will see the encrypted disk and ask for a password to load the operating system.

Most Debian distributions will provide an "alternate" installation, which usually entails a USB or CD installation. This method allows for the installation of a Debian distro from an outside source, and should give an option to set up FDE.

HowTo: Setup LUKS (after OS installation)

Benoit Esnard
RoraΖ
1

The full disk encryption software that Debian uses is dm-crypt with LUKS; by default it uses AES and provides you with an option to change your key size, but by default it's 256 bit.

It is very secure and is the trusted encryption software that is offered upon installation of several Linux distros. No, you don't have the ability to change the LUKS full disk encryption password, and yes, this is a safe method for encrypting your entire disk. While there are several attacks that can circumvent your full disk encryption, they for the most part require physical access to your device and some mistake being made on your part, and are not something that just anyone would know how to perform. If you choose to encrypt your entire disk, then the only thing that won't be encrypted is the Boot Loader (which needs to remain unencrypted).

The fact that Truecrypt is no longer supported and has been deemed vulnerable by the developers themselves would most certainly deter me from considering using it or relying on it to encrypt anything anymore. Instead of just wondering if one encryption software is superior to another, start looking at the specifics of the software: what algorithms and hashes does it use, is it open source, is there an active community of developers who tirelessly work to improve and maintain the software, etc.

All of those factors go into whether or not the encryption software is truly reliable or not. The appropriate software for you is the one that best fits your threat model and increases your OpSec.

CPagan