Linux – How to encrypt the whole Linux filesystem with Veracrypt

Tags: encryption, hard drive, linux, truecrypt, veracrypt

I'm running Kali Dojo 2.0 and I'd like to encrypt the entire drive.

I've encrypted my Windows 7 Home Premium drive with Veracrypt, and it was a simple setup and I'd like to do something similar on this drive.

On that drive, everything was encrypted, aside from boot files, and that's what I would like to do with this drive as well. It doesn't have to be Veracrypt; that is just a preference.

Unless it is my only option, I do not want to make a container to put certain files in.

Best Answer

Linux has supported boot/system volume encryption like Veracrypt for a long time using its own separate integrated system called LUKS, which is not compatible with Truecrypt/Veracrypt.

Veracrypt (if it's like Truecrypt) is implemented on Linux via FUSE. FUSE is a way to implement filesystems without writing a kernel driver; the cost of this is speed. LUKS is part of the kernel and is faster than Veracrypt would be, so this is why LUKS is preferred if you are using Linux.

LUKS is well supported by Debian and other distribution installers; it's fairly simple to encrypt your full system, or full Linux partition, except for a small boot partition containing the kernel and initial RAM disk. This is equivalent to everything being encrypted on Truecrypt/Veracrypt except the bootloader, which has to be unencrypted so the BIOS/UEFI can read it.

I have never used Kali, but if it uses the standard Debian installer, you do this to encrypt the full partition (reference):

To create an encrypted partition, you must first assign an available partition for this purpose.

To do so, select a partition and indicate that it is to be used as a “physical volume for encryption”. After partitioning the disk containing the physical volume to be made, choose “Configure encrypted volumes”.

The software will then propose to initialize the physical volume with random data (making the localization of the real data more difficult), and will ask you to enter an “encryption passphrase”, which you will have to enter every time you boot your computer in order to access the content of the encrypted partition.

Once this step has been completed, and you have returned to the partitioning tool menu, a new partition will be available in an “encrypted volume”, which you can then configure just like any other partition.

In most cases, this partition is used as a physical volume for LVM so as to protect several partitions (LVM logical volumes) with the same encryption key, including the swap partition (see sidebar SECURITY Encrypted swap partition).

One thing to note is that I don't believe there is a tool that will encrypt/decrypt a currently running system like Truecrypt/Veracrypt does.

It's technically possible to mount the root filesystem via FUSE - meaning I believe it's possible to boot Linux off of a Veracrypt-encrypted partition if you really wanted to, but since it provides inferior speed to LUKS under Linux, it's not surprising if no one has developed this method.
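As an added example (not from the answer above or from the Debian handbook it quotes), here is a small Python parser for the on-disk LUKS header, the structure the installer writes when you choose "physical volume for encryption". Reading the first 592 bytes of a partition (or an image of it) with it lets you confirm after installation that the device really carries a LUKS header, which cipher and hash it uses, and which key slots are enabled. Field offsets follow the LUKS1 on-disk format and the LUKS2 binary header; the sample header, its UUID and its iteration counts are constructed for the test.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"            # shared by LUKS1 and the LUKS2 primary header
LUKS1_HEADER_LEN = 592                   # fixed-size LUKS1 phdr; key material follows it
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD

def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded ASCII header field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")

def parse_luks_header(blob: bytes) -> dict:
    """Parse the LUKS header at the start of a device: full detail for LUKS1, a short
    summary for LUKS2 (whose slot/cipher metadata lives in a JSON area after the binary header)."""
    if len(blob) < 8 or blob[:6] != LUKS_MAGIC:
        raise ValueError("no LUKS magic: not a LUKS device, or the header is damaged")
    version = struct.unpack(">H", blob[6:8])[0]
    if version == 2:
        hdr_size, seqid = struct.unpack(">QQ", blob[8:24])
        return {"version": 2, "hdr_size": hdr_size, "seqid": seqid,
                "label": _cstr(blob[24:72]), "checksum_alg": _cstr(blob[72:104]),
                "uuid": _cstr(blob[168:208])}
    if version != 1 or len(blob) < LUKS1_HEADER_LEN:
        raise ValueError(f"unsupported or truncated LUKS header (version {version})")
    payload_offset, key_bytes = struct.unpack(">II", blob[104:112])
    slots = []
    for i in range(8):                   # 8 key slots of 48 bytes each, starting at offset 208
        off = 208 + 48 * i
        active, iterations = struct.unpack(">II", blob[off:off + 8])
        if active == SLOT_ENABLED:
            slots.append({"slot": i, "iterations": iterations})
        elif active != SLOT_DISABLED:
            raise ValueError(f"key slot {i} has invalid state 0x{active:08x}")
    return {"version": 1, "cipher": _cstr(blob[8:40]), "mode": _cstr(blob[40:72]),
            "hash": _cstr(blob[72:104]), "key_bits": key_bytes * 8,
            "payload_offset_sectors": payload_offset, "uuid": _cstr(blob[168:208]),
            "enabled_slots": slots}       # empty list means no passphrase can unlock it

def sample_luks1_header() -> bytes:
    """Constructed LUKS1 header for offline testing; not a dump from a real device."""
    hdr = bytearray(LUKS1_HEADER_LEN)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H32s32s32sII", hdr, 6, 1, b"aes", b"xts-plain64", b"sha256", 4096, 64)
    hdr[168:204] = b"0b1f9c2e-0000-4000-8000-c0ffee000001"   # placeholder UUID
    for i in range(8):                   # slots 0 and 3 enabled, the rest disabled
        state = SLOT_ENABLED if i in (0, 3) else SLOT_DISABLED
        struct.pack_into(">II", hdr, 208 + 48 * i, state, 500000 if state == SLOT_ENABLED else 0)
    return bytes(hdr)

if __name__ == "__main__":              # usage: python luks_hdr.py /dev/sdXN (needs read access)
    import sys
    with open(sys.argv[1], "rb") as f:
        print(parse_luks_header(f.read(LUKS1_HEADER_LEN)))
```

On a live system `cryptsetup luksDump` reports the same fields; the parser is useful where you only have a disk image or want to check headers from a script.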
