I'm using Ubuntu in a corporate environment, and our security policy states that we have to use full disk encryption.
I've also got a laptop with a 32GB mSATA SSD and 750GB of spinning rust. My current installation uses bcache to leverage this, installed using this procedure. This provides a very welcome performance boost without me having to worry about filling up the SSD.
This will be a bountied question. The bounty will be awarded for:
- A clear, reliable method of performing a fresh install of Ubuntu
  - Any release is acceptable but 15.04 (Vivid) will be fine
- The entire filesystem will be encrypted
  - The preference here is to use the relevant checkbox in the default Ubiquity installer program (dm-crypt encryption)
- The filesystem will be cached on an SSD
  - For preference, the kernel dm-cache / lvmcache method; see here for a method to do this with Debian Jessie
- The cache must also be secured (i.e. encrypted)
  - There must be a clear explanation as to why the cache is also encrypted
Have already tried the method for Debian Jessie above, but it refuses to boot for me. Have not so far tried the method described in the comments here.
The posted solutions will be tested on a VirtualBox VM with two blank virtual disks and a release copy of 15.04 desktop (amd64 release). Bounty goes to the first solution that I adopt to reinstall my actual hardware.
Please write your solution as if it were going into the community wiki.
I've awarded the bounty – I think there is still potential for a "LUKS-on-LVM" solution that combines the ease of the approved answer in only having one password, with only using device-mapper components.
Best Answer
LVM on LUKS on bcache
Here the Russian doll game is a little deeper with 3 stacks/layers...
My initial idea about this question was to use a default Ubuntu install with LVM on LUKS and convert it into a bcache backing device with blocks but it did not work for me on my test with LVM.
Moreover, the Ubuntu installer (ubiquity) is too limited to install inside a bcache device prepared in advance (at least with LUKS on LVM), so we fall back to a method of doing things manually.
Boot into the live CD/USB and choose "Try Ubuntu" and open up a terminal
Pre-install
Installation
Keep the terminal opened and now run the installation. Choose "Something else" when partitioning and specify
- /dev/sda2
- /dev/mapper/vg-root
- /dev/mapper/vg-swap
and check the checkbox to format your partitions
At the end of the installation, don't reboot but just click "Continue trying ubuntu"
Post-install
In our opened terminal
There is a known Ubuntu 15.04 reboot bug from Live CD/USB so you might have to force reboot/shutdown
Check
Once booted, you can check that /dev/bcache0 is in fact a LUKS partition with
This is because it is the cache of your LUKS partition, and you now access your data via the device /dev/bcache0 and never from the original backing device (/dev/sda3 here)
References
http://bcache.evilpiepirate.org/
https://wiki.archlinux.org/index.php/Bcache
https://wiki.archlinux.org/index.php/Dm-crypt
bcache-status is not officially merged into bcache-tools yet. You can get it here: https://gist.github.com/djwong/6343451
[1] There might be better ways to do this wiping
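
The check described in the answer depends on the stacking order: the LUKS header sits inside /dev/bcache0, so every block bcache writes to the SSD is already ciphertext. The script below is an added example, not part of the original answer; it reads the on-disk LUKS magic directly, and the function names and sample image files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original answer. Run as root against real devices:
#   sh check_stack.sh /dev/bcache0 /dev/sda3
# With no arguments it runs on constructed image files instead.

# Print the LUKS version (1 or 2) found at offset 0 of $1, or return 1.
# Header layout: 6-byte magic "LUKS" 0xba 0xbe, then a big-endian uint16 version.
luks_version() {
    hex=$(dd if="$1" bs=8 count=1 2>/dev/null | od -An -v -tx1 | tr -d ' \n')
    case "$hex" in
        4c554b53babe0001) echo 1 ;;
        4c554b53babe0002) echo 2 ;;
        *) return 1 ;;
    esac
}

# check_stack CACHED_DEV BACKING_DEV
#   0: LUKS header inside the cached device, so bcache only ever sees ciphertext
#   1: LUKS header on the raw backing partition, so a cache stacked above
#      dm-crypt is not covered by that LUKS volume
#   2: no LUKS header on either device
check_stack() {
    if v=$(luks_version "$2"); then
        echo "WARN: LUKS$v on $2 (encryption sits below the cache)"; return 1
    fi
    if v=$(luks_version "$1"); then
        echo "OK: LUKS$v on $1 (cached blocks are ciphertext)"; return 0
    fi
    echo "FAIL: no LUKS header on $1 or $2"; return 2
}

# Constructed sample images: only the first 8 bytes matter to the check.
make_samples() {
    d=$(mktemp -d)
    printf 'LUKS\272\276\000\002' > "$d/luks2.img"   # LUKS2 header start
    printf 'LUKS\272\276\000\001' > "$d/luks1.img"   # LUKS1 header start
    printf '\000\000\000\000\000\000\000\000' > "$d/raw.img"  # no LUKS at offset 0
    echo "$d"
}

if [ "$#" -eq 2 ]; then
    check_stack "$1" "$2"
else
    d=$(make_samples)
    check_stack "$d/luks2.img" "$d/raw.img" || true   # layout from the answer
    check_stack "$d/raw.img" "$d/luks1.img" || true   # reversed stacking
    rm -rf "$d"
fi
```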