Fleet logo
Menu An icon indicating that interacting with this button will open the navigation menu.
Fleet logo An 'X' icon indicating that this can be interacted with to close the navigation menu.
Solutions A small chevron
Device management

Device management

Remotely manage, and protect laptops and mobile devices.

Orchestration

Orchestration

Automate tasks across devices, from app installs to scripts.

Software management

Software management

Inventory, patch, and manage installed software.

Extend Fleet

Extend Fleet

Integrate your favorite tools with Fleet.

Customers A small chevron
Stripe + Fleet

Stripe + Fleet

Stripe consolidates multiple tools with Fleet.

Foursquare + Fleet

Foursquare + Fleet

Foursquare quickly migrates to Fleet for device management.

What people are saying

What people are saying

Stories from the Fleet community.

Pricing
More A small chevron
Try it yourself Get a demo
{{thisPage.meta.articleTitle}}
search

Encrypt your Fleet-managed Linux device

{{articleSubtitle}}

| The author's GitHub profile picture

Rachael Shaw

Share

Share this article on Hacker News Share this article on LinkedIn Share this article on Twitter
Docs Docs REST API REST API Guides Guides Get a demoGet a demo

Encrypt your Fleet-managed Linux device

{{articleSubtitle}}

| The author's GitHub profile picture

Rachael Shaw

Encrypt your Fleet-managed Linux device

An icon indicating that this section has important information

This guide is intended for new device setup. If the operating system has already been installed without enabling disk encryption, you will need to re-install in order to turn on full disk encryption.

LUKS (Linux Unified Key Setup) is a standard tool for encrypting Linux disks. It uses a "volume key" to encrypt your data, and this key is protected by passphrases. LUKS supports multiple passphrases, allowing you to securely share access or recover encrypted data. Fleet uses LUKS to ensure that only authorized users can access the data on your work computer. Fleet supports Linux Unified Key Setup version 2 (LUKS2).

Fleet securely stores a passphrase to ensure that the data on your work computer is always recoverable. To get your computer set up for key escrow, you will first need to enable disk encryption on your end, then provide your encryption passphrase to Fleet.

Follow the steps below to get set up.

1. Enable encryption during installation

Ubuntu Linux

  • When installing Ubuntu, choose the option to "Use LVM with encryption."
  • Set a strong passphrase when prompted. This passphrase will be used to encrypt your disk and is separate from your login password.

Linux MDM Ubuntu setup "How do you want to install Ubuntu?" screen

Linux MDM Ubuntu setup: Advanced features > Use LVM and encryption

Fedora Linux

  • During Fedora installation, under Installation destination > Encryption select the "Encrypt my data" checkbox.
  • Enter a secure passphrase when prompted.

Linux MDM Fedora setup "Installation summary" screen Linux MDM Fedora setup: Installation destination > Encryption > Encrypt my data

2. Verify encryption

  • Once installation is complete, verify that your disk is encrypted by running:
      lsblk -o NAME,MOUNTPOINT,TYPE,SIZE,FSUSED,FSTYPE,ENCRYPTED
  • Ubuntu Linux: Look for the root (/) partition, and confirm it is marked as encrypted.
  • Fedora Linux: Ensure the / (root) and /home partitions are encrypted.

3. Escrow your key with Fleet

An icon indicating that this section has important information

LUKS allows multiple passphrases for decrypting the volume. The original passphrase remains active along with the escrowed passphrase created by Fleet.

  • Open Fleet Desktop. If your device is encrypted, you'll see a banner prompting you to escrow the key.
  • Click Create key. Enter your existing encryption passphrase when prompted.
  • Fleet will generate and securely store a new passphrase for recovery. This may take several minutes. A popup will appear when Fleet is done.

Now, your encryption status will update to "verified" in Fleet Desktop, meaning that your recovery key has been successfully stored.