There are no currently known vulnerabilities in encryption in Ubuntu 11.10. There have been some. Generally the ecryptfs vulnerabilities involved an attacker already logged into your system who could cause denial of service. There was a LUKS problem in which users were surprised that a simple configuration option in a partitioning tool could fully and permanently destroy a partition.
In about 5 * 10^9 years, we expect this planet will be engulfed by the expanding Sun. AES-256 encryption can quite possibly resist attack for that long. However, as you seem to be aware, there are many other potential weaknesses and they bear repeating.
Will you know that you encrypted the disk effectively? It's complicated. Thoughtful people disagree about which installation options are sufficiently effective. Did you know that you're supposed to install full-disk encryption from Ubuntu's alternate install CD using LUKS, not ecryptfs? Did you know that LUKS has stored the passphrase in RAM in plain text, or that once a file is unlocked by any user via ecryptfs, then ecryptfs does not protect it from any other user? Was your disk ever connected to a system that permitted attaching unencrypted storage, rather than setting an explicit SELinux policy to prohibit that? Where did you keep your backups of your encrypted disk? You made backups because you knew that encrypted disks are much more sensitive to normal errors, right?
Are you sure your passphrase is not among the top billions (more like trillions, or whatever it is now) of possibilities that might be guessed? Is the person attempting to decrypt your disk really a random, poorly motivated and funded, unresourceful stranger? Are you sure your passphrase could not have been obtained by software tampering ("evil maid" attack), observing the running system ("shoulder surfing", "black bag" or "cold boot" attacks), etc.? How well have you avoided attacks that everyone gets: email and download viruses, malicious JavaScript, phishing?
How deeply are you committed to keeping your passphrase secret? What jurisdictions will you be in? Would you be content to go to prison? Are there other people who know the secrets that are protected by your disk encryption? Do you want to pay the price for your secrets even if those people reveal them?
Partitioning and file copy - while running
I did this by starting with the running system. I plugged the new SSD into a USB SATA adapter and partitioned it, set up LVM and copied the files across.
# confirm disk size is as expected for sdc
sudo fdisk -l /dev/sdc
# now partition - 500 MB partition as boot, the rest as a single (logical) partition
sudo cfdisk /dev/sdc
Your disk should now look like:
sudo fdisk -l /dev/sdc
Disk /dev/sdc: 120.0 GB, 120034123776 bytes
255 heads, 63 sectors/track, 14593 cylinders, total 234441648 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000
   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1   *          63      979964      489951   83  Linux
/dev/sdc2          979965   234441647   116730841+   5  Extended
/dev/sdc5          980028   234441647   116730810   82  Linux swap / Solaris
The next step is to put encryption on the partition and LVM on top of the encryption.
sudo cryptsetup -y luksFormat /dev/sdc5
sudo cryptsetup luksOpen /dev/sdc5 crypt
sudo vgcreate crypt-lvm /dev/mapper/crypt
sudo lvcreate -L4G -nswap crypt-lvm
sudo lvcreate -l100%FREE -nroot crypt-lvm
Now make the filesystems and mount them and copy your system across.
sudo mkfs.ext2 /dev/sdc1
# LVM names the devices <vg>-<lv> and doubles any "-" in the names, so volume group
# crypt-lvm gives crypt--lvm-root; run ls /dev/mapper to check if yours differs
sudo mkfs.ext4 /dev/mapper/crypt--lvm-root
sudo mkswap /dev/mapper/crypt--lvm-swap
sudo mkdir /mnt/boot
sudo mkdir /mnt/root
sudo mount -t ext2 /dev/sdc1 /mnt/boot
sudo mount -t ext4 /dev/mapper/crypt--lvm-root /mnt/root
# rsync files
sudo rsync -a /boot/* /mnt/boot/
sudo rsync -aHAX --devices --specials --delete --one-file-system --exclude proc --exclude run --exclude boot --exclude sys --exclude tmp /* /mnt/root/
Up to this point you can keep the system running and use it. Now you need to shut down and boot into a live CD/USB so you can copy the system while it is in a shut-down state.
Partitioning and file copy - live CD/USB
Once you have booted, open a terminal and:
sudo apt-get install lvm2
# mount old hard drive
sudo cryptsetup luksOpen /dev/sda5 sda5_crypt
sudo mkdir /mnt/sdaroot
# activate the volume groups inside the opened containers, then check the names
# with ls /dev/mapper if yours differ (the old disk's group was named by the installer)
sudo vgchange -ay
sudo mount -t ext4 /dev/mapper/sda5_crypt--root /mnt/sdaroot
# mount new hard drive (over USB)
sudo cryptsetup luksOpen /dev/sdc5 sdc5_crypt
sudo mkdir /mnt/sdcroot
sudo vgchange -ay
sudo mount -t ext4 /dev/mapper/crypt--lvm-root /mnt/sdcroot
# final rsync
sudo rsync -aHAX --devices --specials --delete --one-file-system --exclude proc --exclude run --exclude boot --exclude sys --exclude tmp /mnt/sdaroot/* /mnt/sdcroot/
chroot
# prepare chroot
cd /mnt/sdcroot
# recreate the mount points that the rsync excluded
sudo mkdir -p boot proc run sys tmp
sudo chmod 1777 tmp
# these directories are set up by the system and we need them inside the chroot
sudo mount -t proc proc /mnt/sdcroot/proc
sudo mount -t sysfs sys /mnt/sdcroot/sys
sudo mount -o bind /dev /mnt/sdcroot/dev
# now enter the chroot
sudo chroot /mnt/sdcroot
Changing UUIDs
Now we are root inside the chroot and run the following commands:
# inside chroot, as root
mount -t ext2 /dev/sdc1 /boot
blkid
Now you will see the UUIDs for all the disks in the system. You will need to edit the UUIDs in /etc/fstab and /etc/crypttab to match the values for the /dev/sdc partitions.
In /etc/fstab you need to use the UUID for the boot partition, /dev/sdc1, if your disks have the same letter as me.
In /etc/crypttab you need to use the UUID for the other (big) partition, /dev/sdc5, if your disks have the same letter as me.
initramfs and grub
# now update initramfs for all installed kernels
update-initramfs -u -k all
# install grub and ensure it is up to date
grub-install /dev/sdc # NOTE sdc NOT sdc1
update-grub
# hit Ctrl-D to exit the chroot, then unmount in reverse order and close the volumes
sudo umount /mnt/sdcroot/boot
sudo umount /mnt/sdcroot/dev /mnt/sdcroot/sys /mnt/sdcroot/proc
sudo umount /mnt/sdcroot
sudo vgchange -an crypt-lvm
sudo cryptsetup luksClose sdc5_crypt
Now shut down, put the SSD inside your laptop, cross your fingers and boot up.
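The UUID edit is the step that most often leaves the system unbootable (a stale UUID from the old disk in crypttab, or a typo in fstab). The script below is an added example, not part of the original answer: it cross-checks every UUID= referenced in fstab and crypttab against what blkid reports, so you can run it inside the chroot before the reboot. The file paths and the `--live` flag are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original answer): verify that every UUID= referenced
# in the new root's /etc/fstab and /etc/crypttab is one that blkid actually reports.
# Usage: check_uuids <blkid-output-file> <fstab-file> <crypttab-file>
# From outside the chroot point the paths at /mnt/sdcroot/etc/fstab and crypttab.

# Print the UUIDs blkid reported, one per line (PARTUUID= values are not matched).
blkid_uuids() {
    sed -n 's/.* UUID="\([0-9A-Fa-f-]*\)".*/\1/p' "$1"
}

# Print every UUID referenced as UUID=... in a config file, skipping comment lines.
referenced_uuids() {
    grep -v '^[[:space:]]*#' "$1" | sed -n 's/.*UUID=\([0-9A-Fa-f-]*\).*/\1/p'
}

# Return 0 when every referenced UUID exists on the system, 1 otherwise; each
# missing UUID is reported on stderr so it can be fixed before rebooting.
check_uuids() {
    blkid_out=$1
    fstab=$2
    crypttab=$3
    status=0
    for ref in $(referenced_uuids "$fstab") $(referenced_uuids "$crypttab"); do
        if ! blkid_uuids "$blkid_out" | grep -qix "$ref"; then
            echo "MISSING: $ref is referenced in config but blkid does not report it" >&2
            status=1
        fi
    done
    return $status
}

# Live use inside the chroot (assumed invocation): sh check_uuids.sh --live
if [ "${1:-}" = "--live" ]; then
    blkid > /tmp/blkid.out
    check_uuids /tmp/blkid.out /etc/fstab /etc/crypttab && echo "all UUIDs resolve"
fi
```

A root filesystem referenced by its /dev/mapper path rather than UUID is simply skipped by the check, since only UUID= references are compared.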
Useful links
Good guide for the cryptsetup stuff at http://www.debian-administration.org/articles/577
For installing grub on an external partition: https://stackoverflow.com/questions/247030/how-to-set-up-grub-in-a-cloned-hard-disk
https://help.ubuntu.com/community/UsingUUID