I would like to set up disk encryption on Ubuntu 13.10 such that I have
- plain `/`
- encrypted `/home` partition
- encrypted swap partition
- working hibernation and resume

As these requirements suggest, this is to protect me from a potential laptop thief reading my personal data. With `/` being unencrypted, it does not protect from somebody taking the laptop, installing a keylogger, and giving it back to me.

I have read EnableHibernateWithEncryptedSwap but it's written for Ubuntu 12.04, and I'm not confident that it still works or that it's the recommended way.

What would be an up-to-date setup?
Best Answer

I managed to set up an encrypted home and encrypted swap with working hibernate.

I use `uswsusp` and largely followed this article - still works for Ubuntu 13.10. After `apt-get install uswsusp`, Ubuntu automatically switched `pm-hibernate` to use uswsusp, so all GUI tools use it as well.

Some parts of my setup:

Creating the encrypted partitions

I use `aes-xts-plain` because it is the fastest in `cryptsetup benchmark` (only works with cryptsetup >= 1.6). Many guides use `aes-cbc-essiv`, but from what I've read so far, `xts` protects against watermarking just as well as `cbc-essiv`. If you use partitions >= 2TB, you should use `aes-xts-plain64` instead of `-plain`. More info about these options and choices can be found here.

After creating these partitions, you of course have to create the according filesystems on them, e.g. with `mkswap /dev/mapper/cryptoswap` and `mkfs.ext4 /dev/mapper/cryptohome`.

`/etc/crypttab`

`/etc/fstab`

The `discard` option in both `crypttab` and `fstab` enables TRIM for the SSD I'm using.

`/etc/initramfs-tools/conf.d/resume`

Pointed away from the old swap UUID to the new `/dev/mapper/cryptoswap` to get rid of a warning at `update-initramfs -u -k all`.

This is still very similar to EnableHibernateWithEncryptedSwap, but it looks like I didn't have to edit `/usr/share/initramfs-tools/scripts/local-top/cryptroot` or `/etc/acpi/hibernate.sh` (if you have a hint why it was needed, please leave a comment - maybe the difference is that this setup uses `uswsusp`?).
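An added example, not part of the answer above and not the author's own configuration: a POSIX shell script that renders the three pieces the answer lists for this layout (`/etc/crypttab`, `/etc/fstab` and `/etc/initramfs-tools/conf.d/resume`) and then checks that they agree, i.e. that `RESUME=` names a `/dev/mapper` device, that this mapper name has a crypttab entry so the initramfs can unlock it before resuming, and that fstab mounts the same device as swap. The device paths `/dev/sda3` and `/dev/sda4`, the mapper names `cryptoswap` and `cryptohome`, and the mount options are constructed assumptions. One caveat before copying the `discard` option: passing TRIM through a LUKS mapping lets anyone holding the raw disk see which blocks are unused, so the filesystem's allocation pattern is no longer hidden; that is a deliberate trade of some confidentiality for SSD performance.

```shell
#!/bin/sh
# Added example, not from the original answer: render crypttab / fstab /
# initramfs resume entries for an encrypted /home + encrypted swap layout
# and check that the three files agree before running update-initramfs.
# Device paths, mapper names and options below are constructed assumptions.

# render_crypttab NAME SOURCE KEY OPTIONS -> one /etc/crypttab line
render_crypttab() {
    printf '%s %s %s %s\n' "$1" "$2" "$3" "$4"
}

# render_fstab NAME MOUNTPOINT FSTYPE OPTIONS PASS -> one /etc/fstab line
# (dump field is always 0; both swap and ext4 live under /dev/mapper)
render_fstab() {
    printf '/dev/mapper/%s %s %s %s 0 %s\n' "$1" "$2" "$3" "$4" "$5"
}

# render_resume NAME -> contents of /etc/initramfs-tools/conf.d/resume
render_resume() {
    printf 'RESUME=/dev/mapper/%s\n' "$1"
}

# check_resume_config CRYPTTAB FSTAB RESUMEFILE
# Succeeds only if RESUME= points at a /dev/mapper device, that mapper name
# has a crypttab entry (so the initramfs can unlock it before resume), and
# fstab mounts the same device as swap. Prints the first problem found.
check_resume_config() {
    crypttab=$1; fstab=$2; resumefile=$3
    target=$(sed -n 's/^RESUME=//p' "$resumefile" | head -n 1)
    case "$target" in
        /dev/mapper/?*) mapper=${target#/dev/mapper/} ;;
        *) echo "resume target '$target' is not a /dev/mapper device"; return 1 ;;
    esac
    if ! awk -v m="$mapper" '$1 == m { found = 1 } END { exit !found }' "$crypttab"; then
        echo "no crypttab entry for $mapper"; return 1
    fi
    if ! awk -v d="$target" '$1 == d && $3 == "swap" { found = 1 } END { exit !found }' "$fstab"; then
        echo "fstab does not mount $target as swap"; return 1
    fi
    echo "ok: $target is an encrypted swap that the initramfs can resume from"
    return 0
}

# Build a constructed set of files in a temp dir and run the check on them.
demo() {
    dir=$(mktemp -d) || return 1
    {
        render_crypttab cryptoswap /dev/sda3 none luks,discard
        render_crypttab cryptohome /dev/sda4 none luks,discard
    } > "$dir/crypttab"
    {
        render_fstab cryptoswap none swap sw,discard 0
        render_fstab cryptohome /home ext4 defaults,discard 2
    } > "$dir/fstab"
    render_resume cryptoswap > "$dir/resume"
    check_resume_config "$dir/crypttab" "$dir/fstab" "$dir/resume"
    status=$?
    # A resume file still carrying the pre-encryption swap UUID must be rejected.
    printf 'RESUME=UUID=00000000-0000-0000-0000-000000000000\n' > "$dir/resume.old"
    if ! check_resume_config "$dir/crypttab" "$dir/fstab" "$dir/resume.old"; then
        echo "(rejected as expected)"
    fi
    rm -rf "$dir"
    return $status
}

demo
```

The check is the one worth running after editing the three real files by hand, e.g. `check_resume_config /etc/crypttab /etc/fstab /etc/initramfs-tools/conf.d/resume`, before `update-initramfs -u -k all`. The second call inside `demo` shows the failure case the answer mentions: a resume file that still names the old, unencrypted swap by UUID is rejected, because the initramfs would then try to resume from a device that no longer carries the hibernation image.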