I just received my Purism Mini. I didn’t realize it was going to have luks disk encryption set up by default. I do not want that on this machine and would like to remove it. I wanted to doublecheck that the answer given here is correct, that there is no way to remove encryption from the current install, the only way is to reinstall PureOS or install a different OS. In either case, does encryption need to be disabled in the BIOS or something like that?
Thank you.
I think so.
You would hope so - as the answer comes from the Purism Support Manager!
Out of curiosity why don’t you want LUKS disk encryption?
Don’t think so. The /boot partition is, I believe, not encrypted, which means that full disk encryption is a misnomer and in any case means that BIOS does not need to know about encryption.
maybe the OP doesn’t want the extra overhead that a disk encryption entails … maybe he wants to do local encryption and that is it … the OP didn’t specify that though …
Yeah I won’t have anything important on this box and I just see it as an extra password to have to type in on every boot. I went into Gnome Disks and put the password in Encryption Options for the LUKS partition, thinking that might be a way to have the partition automatically decrypt for me, but it doesn’t save it; instead it gives me “Error updating /etc/crypttab entry. Didn’t find entry to remove (udisks-error-quark, 0)”.
So I guess I understand that the bios is not involved in the luks encryption, but I’m just curious is there no kind of BIOS settings/config accessible from a function key? The only thing it ever mentions is to press escape for boot menu. Is coreboot/seabios just a really simple setup with no options to configure?
I’ve read that you can use the TPM to automatically decrypt the disk on boot. This would provide some protection in the instance of the disk being removed from the system if that is in your threat model at all that may be worth considering in place of no encryption at all.
This is assuming the mini has a TPM which I actually haven’t checked as I’m not currently in the market for the mini.