fleet/articles/linux-disk-encryption-end-user.md
Josh Roskos 86b07e20f0
Update linux-disk-encryption-end-user.md (#31249)
- Noted that Fleet generates a new encryption key and the original one
does still remain under step #3 after a customer noted inconsistencies
in our docs.
- The statement was taken from our enforce-disk-encryption article.
2025-07-29 15:13:44 -04:00


# Encrypt your Fleet-managed Linux device
> This guide is intended for new device setup. If the operating system has already been installed without enabling disk encryption, you will need to re-install in order to turn on full disk encryption.

LUKS (Linux Unified Key Setup) is a standard tool for encrypting Linux disks. It uses a "volume key" to encrypt your data, and this key is protected by passphrases. LUKS supports multiple passphrases, allowing you to securely share access or recover encrypted data. Fleet uses LUKS to ensure that only authorized users can access the data on your work computer. Fleet supports Linux Unified Key Setup version 2 (LUKS2).

Fleet securely stores a passphrase to ensure that the data on your work computer is always recoverable. To get your computer set up for key escrow, you will first need to enable disk encryption on your end, then provide your encryption passphrase to Fleet.

Follow the steps below to get set up.

## 1. Enable encryption during installation
#### Ubuntu Linux
- When installing Ubuntu, choose the option to "Use LVM with encryption."
- Set a strong passphrase when prompted. This passphrase will be used to encrypt your disk and is separate from your login password.
![Linux MDM Ubuntu setup "How do you want to install Ubuntu?" screen](../website/assets/images/articles/ubuntu-1-1200x675@2x.png)
![Linux MDM Ubuntu setup: Advanced features > Use LVM and encryption](../website/assets/images/articles/ubuntu-2-1200x675@2x.png)
#### Fedora Linux
- During Fedora installation, under **Installation destination** > **Encryption** select the "Encrypt my data" checkbox.
- Enter a secure passphrase when prompted.
![Linux MDM Fedora setup "Installation summary" screen](../website/assets/images/articles/fedora-1-1200x675@2x.png)
![Linux MDM Fedora setup: Installation destination > Encryption > Encrypt my data ](../website/assets/images/articles/fedora-2-1200x675@2x.png)
## 2. Verify encryption
- Once installation is complete, verify that your disk is encrypted by running:
```bash
lsblk -o NAME,MOUNTPOINT,TYPE,SIZE,FSUSED,FSTYPE,ENCRYPTED
```
- **Ubuntu Linux**: Look for the root (`/`) partition, and confirm it is marked as encrypted.
- **Fedora Linux**: Ensure the `/` (root) and `/home` partitions are encrypted.
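
The same check can be scripted. The following is an added example, not part of the Fleet documentation: it walks from a mount point up through its parent devices in `lsblk -P` output and reports whether one of them is a dm-crypt mapping (`TYPE="crypt"`), which is how an unlocked LUKS volume appears. The function name `mount_is_encrypted` and both sample device layouts are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Fleet code. Expected input on stdin:
#   lsblk -P -o KNAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT
# mount_is_encrypted (hypothetical name) prints "encrypted" or "not-encrypted"
# for the given mount point and returns 0 only when it is encrypted.
mount_is_encrypted() {
  awk -v target="$1" '
    {
      split("", f)                      # clear fields from the previous line
      line = $0
      # Split KEY="value" pairs by pattern; values are never passed to eval.
      while (match(line, /[A-Z_]+="[^"]*"/)) {
        pair = substr(line, RSTART, RLENGTH)
        eq = index(pair, "=")
        f[substr(pair, 1, eq - 1)] = substr(pair, eq + 2, length(pair) - eq - 2)
        line = substr(line, RSTART + RLENGTH)
      }
      k = f["KNAME"]
      parent[k] = f["PKNAME"]
      type[k] = f["TYPE"]
      if (f["MOUNTPOINT"] == target) start = k
    }
    END {
      # Walk from the mounted device up towards the physical disk.
      for (k = start; k != ""; k = parent[k])
        if (type[k] == "crypt") { print "encrypted"; exit 0 }
      print "not-encrypted"
      exit 1
    }'
}

# Constructed sample (not from a real host): Ubuntu-style LVM on LUKS.
SAMPLE_ENCRYPTED='KNAME="sda" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
KNAME="sda2" PKNAME="sda" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/boot"
KNAME="sda3" PKNAME="sda" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda3" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/"'

# Constructed sample: installation without disk encryption.
SAMPLE_PLAIN='KNAME="sda" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
KNAME="sda2" PKNAME="sda" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/"'

printf '%s\n' "$SAMPLE_ENCRYPTED" | mount_is_encrypted /              # encrypted
printf '%s\n' "$SAMPLE_ENCRYPTED" | mount_is_encrypted /boot || true  # not-encrypted
printf '%s\n' "$SAMPLE_PLAIN" | mount_is_encrypted / || true          # not-encrypted
```

On a real device, pipe the live output instead: `lsblk -P -o KNAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT | mount_is_encrypted /`. A filesystem mounted at several paths is listed under only one of them in the `MOUNTPOINT` column, so pass the path that `lsblk` actually reports.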
## 3. Escrow your key with Fleet
> LUKS allows multiple passphrases for decrypting the volume. The original passphrase remains active along with the escrowed passphrase created by Fleet.
- Open Fleet Desktop. If your device is encrypted, you'll see a banner prompting you to escrow the key.
- Click **Create key**. Enter your existing encryption passphrase when prompted.
- Fleet will generate and securely store a new passphrase for recovery. This may take several minutes. A popup will appear when Fleet is done.

Now, your encryption status will update to "verified" in Fleet Desktop, meaning that your recovery key has been successfully stored.

<meta name="articleTitle" value="Encrypt your Fleet-managed Linux device">
<meta name="authorFullName" value="Rachael Shaw">
<meta name="authorGitHubUsername" value="rachaelshaw">
<meta name="category" value="guides">
<meta name="publishedOn" value="2024-11-25">
<meta name="description" value="Instructions for end users to encrypt Linux devices enrolled in Fleet.">
<meta name="keywords" value="Linux MDM, Linux device management, open source MDM, Linux management, Linux disk encryption, Linux key escrow" />