Fleet logo
Menu An icon indicating that interacting with this button will open the navigation menu.
Fleet logo An 'X' icon indicating that this can be interacted with to close the navigation menu.
Device management + MDM Orchestration + monitoring Software management + CVEs, usage, app library Integrations
Get started Built-in checks Raw data App library Tutorials & guides API SUPPORT Chat Contribute Release notes "Why is Fleet on my computer?" Get your license
Stories
What people are saying News Ask around Take a tour COMPANY Origins   (Fleet & osquery) The handbook Logos/artwork Why open source?
Pricing Try it yourself
{{thisPage.meta.articleTitle}}
search

Encrypt your Fleet-managed Linux device

{{articleSubtitle}}

| The author's GitHub profile picture

Rachael Shaw

Share this article on Hacker News Share this article on LinkedIn Share this article on Twitter
Docs Docs REST API REST API Guides Guides Talk to an engineer Talk to an engineer

Encrypt your Fleet-managed Linux device

{{articleSubtitle}}

| The author's GitHub profile picture

Rachael Shaw

Encrypt your Fleet-managed Linux device

An icon indicating that this section has important information

This guide is intended for new device setup. If the operating system has already been installed without enabling disk encryption, you will need to re-install in order to turn on full disk encryption.

LUKS (Linux Unified Key Setup) is a standard tool for encrypting Linux disks. It uses a "volume key" to encrypt your data, and this key is protected by passphrases. LUKS supports multiple passphrases, allowing you to securely share access or recover encrypted data. Fleet uses LUKS to ensure that only authorized users can access the data on your work computer.

Fleet securely stores a passphrase to ensure that the data on your work computer is always recoverable. To get your computer set up for key escrow, you will first need to enable disk encryption on your end, then provide your encryption passphrase to Fleet.

Follow the steps below to get set up.

1. Enable encryption during installation

Ubuntu Linux

  • When installing Ubuntu, choose the option to "Use LVM with encryption."
  • Set a strong passphrase when prompted. This passphrase will be used to encrypt your disk and is separate from your login password.

Ubuntu setup "How do you want to install Ubuntu?" screen

Ubuntu setup: Advanced features > Use LVM and encryption

Fedora Linux

  • During Fedora installation, under Installation destination > Encryption select the "Encrypt my data" checkbox.
  • Enter a secure passphrase when prompted.

Fedora setup "Installation summary" screen Fedora setup: Installation destination > Encryption > Encrypt my data

2. Verify encryption

  • Once installation is complete, verify that your disk is encrypted by running:
      lsblk -o NAME,MOUNTPOINT,TYPE,SIZE,FSUSED,FSTYPE,ENCRYPTED
  • Ubuntu Linux: Look for the root (/) partition, and confirm it is marked as encrypted.
  • Fedora Linux: Ensure the / (root) and /home partitions are encrypted.

3. Escrow your key with Fleet

  • Open Fleet Desktop. If your device is encrypted, you'll see a banner prompting you to escrow the key.
  • Click Create key. Enter your existing encryption passphrase when prompted.
  • Fleet will generate and securely store a new passphrase for recovery. This may take several minutes. A popup will appear when Fleet is done.

Now, your encryption status will update to "verified" in Fleet Desktop, meaning that your recovery key has been successfully stored.