Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-04-21 21:47:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 117
fleet/articles/linux-disk-encryption-end-user.md
Josh Roskos 86b07e20f0
Update linux-disk-encryption-end-user.md (#31249) 
- Noted that Fleet generates a new encryption key and the original one
does still remain under step #3 after a customer noted inconsistencies
in our docs.
- The statement was taken from our enforce-disk-encryption article.
2025-07-29 15:13:44 -04:00

3.4 KiB
Raw Blame History

Encrypt your Fleet-managed Linux device

This guide is intended for new device setup. If the operating system has already been installed without enabling disk encryption, you will need to re-install in order to turn on full disk encryption.

LUKS (Linux Unified Key Setup) is a standard tool for encrypting Linux disks. It uses a "volume key" to encrypt your data, and this key is protected by passphrases. LUKS supports multiple passphrases, allowing you to securely share access or recover encrypted data. Fleet uses LUKS to ensure that only authorized users can access the data on your work computer. Fleet supports Linux Unified Key Setup version 2 (LUKS2).

Fleet securely stores a passphrase to ensure that the data on your work computer is always recoverable. To get your computer set up for key escrow, you will first need to enable disk encryption on your end, then provide your encryption passphrase to Fleet.

Follow the steps below to get set up.

1. Enable encryption during installation

Ubuntu Linux

  • When installing Ubuntu, choose the option to "Use LVM with encryption."
  • Set a strong passphrase when prompted. This passphrase will be used to encrypt your disk and is separate from your login password.

Linux MDM Ubuntu setup "How do you want to install Ubuntu?" screen

Linux MDM Ubuntu setup: Advanced features > Use LVM and encryption

Fedora Linux

  • During Fedora installation, under Installation destination > Encryption select the "Encrypt my data" checkbox.
  • Enter a secure passphrase when prompted.

Linux MDM Fedora setup "Installation summary" screen Linux MDM Fedora setup: Installation destination > Encryption > Encrypt my data

2. Verify encryption

  • Once installation is complete, verify that your disk is encrypted by running: 
      lsblk -o NAME,MOUNTPOINT,TYPE,SIZE,FSUSED,FSTYPE,ENCRYPTED
  • Ubuntu Linux: Look for the root (/) partition, and confirm it is marked as encrypted.
  • Fedora Linux: Ensure the / (root) and /home partitions are encrypted.

3. Escrow your key with Fleet

LUKS allows multiple passphrases for decrypting the volume. The original passphrase remains active along with the escrowed passphrase created by Fleet.

  • Open Fleet Desktop. If your device is encrypted, you'll see a banner prompting you to escrow the key.
  • Click Create key. Enter your existing encryption passphrase when prompted.
  • Fleet will generate and securely store a new passphrase for recovery. This may take several minutes. A popup will appear when Fleet is done.

Now, your encryption status will update to "verified" in Fleet Desktop, meaning that your recovery key has been successfully stored.