Encryption setup

Bonjour, hello,
For now I’m using a Qubes without security while tweaking and learning.
But once these details will be solved, and I will be ready to go for a full install (for a long time) I’m wondering about encryption.
Lucks, lucks2, Argon, … 256, 512, even more ?
What do you say ?

Most of my sensitive data is on an USB appricon keypad SSD, and I understand my laptop will never be as secure, but still, since I’m to make a clean full install, I’d like to start with the best/better option

1 Like

I would say in Qubes words:

LUKS
reasonably secure encryption algorithm :wink:

As you probably already know (Installation Guide) Qubes OS uses AES Full Disk Encryption (FDE)

Concerning the cipher parameters I found this:

For customization I found this:

Some thoughts

  • As important as the OS disk encryption itself is the backup encryption: Qubes Backup, Restoration, and Migration. Luckily, Qubes OS also uses LUKS encryption here. Depending on your security vs. comfort level you can add additional encryption layers on top to cascade your backup i.e. using VeraCrypt or hardware encrypted disks. Just keep in mind that you do not automatically add more security by adding more encryption tools.
  • If you want to have more trust to your hardware you can browse through here: Why Purism? – Purism or here https://www.nitrokey.com/ … open-source is a fundamental thing when it comes to security / trust questions.
  • At least as important as the encryption algorithm / method is the password (key, token).
    I like this one: How to make good passwords
  • My advice for password management: Qubes OS > valut VM > KeePassXC (master password + token file or Yubikey). With that you need to remember only two strong passwords.

Last remark do not overdo with encryption since at the end you still want a system which is usable and maintainable.

Have fun !

3 Likes

Thanks a lot, You are You,
I’ve contacted Puri.sm about a month ago, and am waiting for them to update the Lorem 14 with a Risc-V . I will check nitrokey later.
I guess my question is not specific enough.
I want to do a full clean install on my laptop that will last for long, so I want to make sure I’m using the latest and greatest of encryption system.
For what I understand, if I have to change encryption system in 2 years from now, I will have to do a complete reinstall of my system, which I wish to avoid.
While re-reading posts on reddit and https://crypto.stackexchange.com, I recon that I might have mixed terms and functions between LUKS, LUCKS2, Argon2, and the others.
So LUCKS2 is the greatest and latest ?

edit