As title says, does the FDE option in the 18.04 installer (which is the only encryption option as the home
only encryption has been dropped) encrypt the other partitions too? Will it break an existing Windows partition?
Ubuntu – Does the full disk encryption in the Ubuntu 18.04 installer encrypt all partitions
18.04encryption
Related Solutions
Canonical implemented this feature (full disk encryption) in Ubuntu installer edition from 12.10 because Alternate CDs are dropped. From QQ Alternate CD are no longer available.
"Encrypting full disk" stands for creating encrypted volumes (luks) and it uses full disk, not only /home folder. Encrypting full disk is more secure and with that option you can uncheck "Encrypt my home folder". There is no need to use two kinds of encryption. If you want just to encrypting your home folder (without encrypted / and swap partition) use only the second option.
Okay, before I answer your questions, I need to first explain the difference between "Quick format" and "Full format" (to borrow Windows terminology), and the difference between a logical volume and a physical volume:
Quick format: Writes the file system structure onto the drive (on top of existing data).
Full format: Erases the drive (typically by writing 0's) before writing the file system structure.
All file systems in use today (ext2, ext3, ext4, btrfs, zfs, xfs) perform a "quick format" by default. This means that previous data that resided on the disk, while not directly visible through the file system, is still available if you were to scan the disk using data recovery software.
As an example: you have a 100GB hard drive which used to store photos. You decide to format this hard drive and install Ubuntu. Let's pretend the Ubuntu installation will take ~4GB. After installing Ubuntu approximately 4GB of the 100GB of data would be overwritten with your Ubuntu installation. The remaining 96GB of photo data is still physically present on the hard drive. If you used data recovery software, you should be able to retrieve most of these photos, despite the fact that the drive was "formatted" during the Ubuntu installation.
Logical volume: Any region of a storage medium, up to and including the entire physical space. e.g. if you create a partition of 100MB on a disk of 100GB, the 100MB partition is considered a logical volume
Physical volume: The entire physical capacity of the hardware^. In our example with a 100GB hard drive, the physical volume is the entire device (100GB) without any smaller volumes allocated inside.
^ The hardware itself will have additional capacity (over provisioning) to handle degradation of the physical medium. This additional capacity is managed by the device itself and is not visible to the operating system except through the S.M.A.R.T. interface, which you can access by installing smartmontools
.
Now on to your questions...
But if that would be true, then the "Encrypt the new Ubuntu installation for security" option in the installer is not full disk encryption at all.
This is a difference of definition/perspective. You are interpreting "full disk encryption" as meaning the entire contents of the physical volume is encrypted, while Ubuntu is using "full disk encryption" to mean the contents of the logical volume where Ubuntu is installed is encrypted.
Therefore if you installed Ubuntu and filled up the hard drive completely with data, the encrypted logical volume would fill the entire physical volume.
However there are cases where someone installs Ubuntu along side Windows on their disk. In this case, the Windows installation may be unencrypted but the Ubuntu installation is encrypted.
In this scenario, Ubuntu is still providing "full disk encryption" because all data on Ubuntu's logical volume is encrypted. Ubuntu doesn't care about the data on other logical volumes which are present on the physical volume.
If he is correct, then it does not encrypt the entire disk then. It only encrypts used disk space. The empty space is not encrypted then.
Yes because encrypting empty space would make the system much slower, and there is no security benefit to doing so.
Now, the question is: If that option is checked, does it just overwrite the empty disk space? Or does it also encrypt it?
I have not verified myself, but it is most likely overwriting the unused disk space with random data. It is certainly not encrypting the empty space. Properly encrypted data is indecipherable from random data, so filling the disk with random data before installing Ubuntu would make it impossible to tell which portions of the disk are "empty" and which are encrypted
I was assuming that it only overwrites it with zeros before encrypting it. I was assuming that the entire disk would be encrypted anyway using the "Encrypt the new Ubuntu installation for security" option
Again, "full disk encryption" in this context refers to the encryption of all logical data on disk, not encrypting the entire physical device.
There is no security benefit whatsoever to encrypting empty space. If you are concerned about free space not being encrypted, then select the "For more security: Overwrite empty disk space (The installation might take much longer.)" option during installation to overwrite the entire physical disk.
Now, it is possible to purchase a self-encrypting drive (SED). For SSDs the relevant feature is called OPAL. If your computer has an SED installed, the encryption is handled by specialized encryption hardware within the device. All data written to the physical medium (magnetic platters for a hard drive, or silicon for an SSD) is encrypted by the device before being written. This means if someone were to remove the platters or silicon chips, they cannot read the data. However, it does depend on you trusting the SED's encryption implementation. As the device firmware is closed source and rarely audited, you're placing trust in the vendor to have implemented it properly and without any backdoors. You decrypt the SED at boot by providing a password.
Related Question
- Ubuntu – New encryption feature in Ubuntu 12.10: home encryption or full disk encryption? or both
- Ubuntu – Why does Ubuntu’s full disk encryption require no time
- Ubuntu – How to Encrypt /home on Ubuntu 18.04
- Ubuntu – Encrypt the whole disk after installing 18.04
- Ubuntu – How to Make BIOS/UEFI Flash Drive with Full Disk Encryption
Best Answer
"Full" Disk encryption
I was eager to give 18.04's Full Disk Encryption a try.
With previous versions of Ubuntu, Full Disk Encryption did not work with flash drives.
After making an encrypted install to USB I examined the results with both Disks and GParted.
The encrypted extended partition was fully encrypted. Swap is a file within this partition, (and not a partition on it's own), and thus is also encrypted.
The Boot partition is not encrypted. The disk must first be booted before it can be decrypted.