LVM on LUKS on bcache
Here the Russian doll game is a little deeper, with 3 stacks/layers...
My initial idea about this question was to use a default Ubuntu install with LVM on LUKS and convert it into a bcache backing device with blocks, but it did not work for me in my test with LVM.
Moreover, the Ubuntu installer (ubiquity) is too limited to install inside a bcache device prepared in advance (at least with LUKS on LVM), so we fall back to doing things manually.
Boot into the live CD/USB, choose "Try Ubuntu" and open up a terminal.
Pre-install
sudo -i
# Define some variables to avoid confusion and errors
luks_part=/dev/sda3
boot=/dev/sda2 # boot partition
caching_bcache=/dev/sdb # SSD or partition in SSD
# Do a secure erase of the encrypted backing and caching device (see Notes [1]).
# Each dd runs until it hits the end of the device and then exits non-zero,
# so the two are joined with ';' (with '||' the second one would only run
# if the first one failed).
dd if=/dev/urandom of=$luks_part bs=1M; dd if=/dev/urandom of=$caching_bcache bs=1M
# Go and grab some coffee, this will take a while...
apt-get install bcache-tools
# Setup bcache caching and backing devices
make-bcache -C $caching_bcache -B $luks_part
# (Optional) Tweak bcache
echo writeback > /sys/block/bcache0/bcache/cache_mode
# Below we now create manually what ubiquity should have done for us
# Setup LUKS device on bcache device
cryptsetup --key-size 512 luksFormat /dev/bcache0
cryptsetup luksOpen /dev/bcache0 crypted
# Setup LVM on LUKS
# You can skip this part if you don't want to use swap
# or multiple partitions. Use /dev/mapper/crypted
# as your root later on
pvcreate /dev/mapper/crypted
vgcreate vg /dev/mapper/crypted
lvcreate -L 1G vg -n swap
lvcreate -l 100%FREE vg -n root
Installation
Keep the terminal open and now run the installation.
Choose "Something else" when partitioning and specify
- your boot partition (/dev/sda2)
- your root partition (/dev/mapper/vg-root)
- your swap (/dev/mapper/vg-swap)
and check the checkbox to format your partitions.
At the end of the installation, don't reboot but just click "Continue trying ubuntu".
Post-install
In our open terminal:
# Install bcache-tools to add bcache module to initramfs
mount /dev/mapper/vg-root /mnt
mount $boot /mnt/boot
mount -o bind /sys /mnt/sys
mount -o bind /proc /mnt/proc
mount -o bind /dev /mnt/dev
chroot /mnt
# To get apt-get running in the chroot
echo 'nameserver 8.8.8.8' > /run/resolvconf/resolv.conf
apt-get install bcache-tools
# Create /etc/crypttab to add the crypted bcached partition.
# Ask blkid for the UUID tag only; "-o value" alone prints every tag value
# (UUID, TYPE, ...) and "head -1" then relies on UUID coming first.
echo "crypted UUID=$(blkid -s UUID -o value /dev/bcache0) none luks" > /etc/crypttab
exit
sync
umount /mnt/sys
umount /mnt/proc
umount /mnt/dev
umount /mnt/boot
umount /mnt
# Deactivate the volume group (vgchange takes the VG name, not the PV path)
vgchange -an vg
cryptsetup luksClose crypted
sync
# Reboot & enjoy
There is a known Ubuntu 15.04 reboot bug from Live CD/USB so you might have to force reboot/shutdown
Check
Once booted, you can check that /dev/bcache0 is in fact a LUKS partition with
if sudo cryptsetup isLuks /dev/bcache0; then echo "crypted"; else echo "unencrypted"; fi
This is because it is the cache of your LUKS partition, and you now access your data via the device /dev/bcache0 and never from the original backing device (/dev/sda3 here).
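As an added example (not part of the answer above), the shell helpers below cover two of the steps just described: building the /etc/crypttab entry from the UUID tag alone rather than from `blkid -o value | head -1`, and checking from lsblk output that the root LV really sits on LVM -> LUKS -> bcache -> backing partition, so that the raw /dev/sda3 is never read or written directly. The device names (bcache0, crypted, vg-root, sda3) follow the answer; the lsblk sample text is constructed for this example, and the calls that need the real devices (blkid, lsblk) appear only in the usage comments at the end.

```shell
#!/bin/sh
# Added example, not part of the original answer. Helpers for the
# post-install crypttab step and the post-boot layering check.
# Names (bcache0, crypted, vg-root, sda3) follow the answer; the lsblk
# samples are constructed.

# 0 if $1 is a canonical 8-4-4-4-12 hex UUID as printed by blkid.
is_uuid() {
    printf '%s' "$1" |
        grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Query only the UUID tag of a device (empty output if it has none).
device_uuid() {
    blkid -s UUID -o value "$1"
}

# Print "<name> UUID=<uuid> none luks"; refuse a malformed UUID so that an
# empty or multi-value blkid result can never produce an unbootable crypttab.
crypttab_line() {
    is_uuid "$2" || { printf 'crypttab_line: bad UUID "%s"\n' "$2" >&2; return 1; }
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

# Follow the parent chain of device $2 through lsblk text $1 (one
# "NAME TYPE PKNAME" triple per line, as `lsblk -rno NAME,TYPE,PKNAME`
# prints) and print it bottom-up, e.g. "vg-root crypted bcache0 sda3 sda".
device_chain() {
    tree=$1; cur=$2; chain=$2
    while :; do
        parent=$(printf '%s\n' "$tree" |
            awk -v n="$cur" '$1 == n { print $3; exit }')
        [ -n "$parent" ] || break
        chain="$chain $parent"
        cur=$parent
    done
    printf '%s\n' "$chain"
}

# 0 when root LV $2 is stacked as $2 -> crypted -> bcache0 -> $3 (backing
# partition) and the LVM and LUKS layers carry the expected lsblk TYPEs.
stack_ok() {
    case "$(device_chain "$1" "$2") " in
        "$2 crypted bcache0 $3 "*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$1" | awk -v r="$2" '
        $1 == r && $2 == "lvm"           { ok++ }
        $1 == "crypted" && $2 == "crypt" { ok++ }
        END { if (ok == 2) exit 0; exit 1 }'
}

# Constructed lsblk output for the layout in the answer (bcache0 is listed
# under both its backing partition sda3 and its cache device sdb).
SAMPLE_LSBLK='sda disk
sda2 part sda
sda3 part sda
sdb disk
bcache0 disk sda3
bcache0 disk sdb
crypted crypt bcache0
vg-root lvm crypted
vg-swap lvm crypted'

# Constructed output of a machine where root ended up on the raw partition.
SAMPLE_UNENCRYPTED='sda disk
sda3 part sda
vg-root lvm sda3'

# Real use on the installed system (root required):
#   crypttab_line crypted "$(device_uuid /dev/bcache0)" > /etc/crypttab
#   stack_ok "$(lsblk -rno NAME,TYPE,PKNAME)" vg-root sda3 && echo "stack OK"
```

`stack_ok` only accepts the exact chain the answer builds; a root LV sitting on `crypted` without `bcache0` underneath, or on `sda3` directly, is rejected, which is the case you want to catch before trusting the box with data.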
References
http://bcache.evilpiepirate.org/
https://wiki.archlinux.org/index.php/Bcache
https://wiki.archlinux.org/index.php/Dm-crypt
bcache-status is not officially merged into bcache-tools, yet. You can have it here: https://gist.github.com/djwong/6343451
[1] There might be better ways to do this wiping
If installing Ubuntu in UEFI boot mode to a second drive, either internal or external, as a full install, you need to have the drive seen as sda gpt partitioned with an ESP (EFI system partition), FAT32 formatted with the boot flag, 100 to 500MB. You also want an ESP on the drive you install Ubuntu to, but it may not be used during install. Best to copy the ESP boot files back to the install drive in case the sda drive ever fails/is removed or has other issues.
Grub seems to only want to install its UEFI boot files to an ESP on the drive seen as sda. It may even say during install that it is installing to sdb, but will error out if there is no ESP on sda. This can be a bigger issue on a few systems where the install flash drive is seen as sda.
Once you start using UEFI, it is best that all drives be gpt and every drive with an install has an ESP partition near the beginning of the drive. Since I also suggest an install on every drive, every drive should have an ESP, even if just for future use.
Update for removable drives:
Two drives, or any second, external or other drive than sda.
Note that a full install to any drive other than sda in UEFI mode has some issues. Grub only installs to the ESP (EFI system partition) on sda, and you then have to copy files to your install.
And Ubuntu's UEFI grub only installs to the ESP on sda, not to the external drive and not to /EFI/Boot/bootx64.efi. For my PC UEFI full install to a flash drive, I manually copied /EFI/ubuntu from sda's ESP to the flash drive's ESP. Then I copied it again to /EFI/Boot and renamed shimx64.efi to bootx64.efi. I then updated fstab to have the correct UUID for the ESP on the external drive.
The version of grub in a full install is hard-coded to find the rest of grub in /EFI/ubuntu, so both copies are required. There are ways to directly install grub as bootx64.efi, but then you have to manually maintain grub.cfg.
And if you do not want UEFI entries on the internal drive, after copying the entries to the external one:
How do I remove "Ubuntu" in the bios boot menu? (UEFI)
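As an added example (not the answer author's own script), the function below performs the manual copy the answer describes: /EFI/ubuntu from the sda ESP is replicated to the second drive's ESP, and a second copy is placed in /EFI/Boot with shimx64.efi renamed to bootx64.efi. It assumes both ESPs are already mounted at the paths passed as arguments and that the source ESP holds /EFI/ubuntu with shimx64.efi; the mount points in the usage comment are placeholders, and the fstab update the answer mentions is left to you.

```shell
#!/bin/sh
# Added example, not from the answer above. Replicates the Ubuntu UEFI boot
# files from the ESP on sda to the ESP of a second drive. Assumes both ESPs
# are mounted at the given paths; mount points in the usage note below are
# placeholders.

# Copy <src_esp>/EFI/ubuntu to <dst_esp>/EFI/ubuntu (grub is hard-coded to
# look there) and to <dst_esp>/EFI/Boot with shimx64.efi renamed to
# bootx64.efi, the removable-media fallback path firmware looks for.
copy_esp_boot_files() {
    src=$1/EFI/ubuntu; dst=$2/EFI
    [ -f "$src/shimx64.efi" ] || { echo "no shimx64.efi in $src" >&2; return 1; }
    mkdir -p "$dst/ubuntu" "$dst/Boot"
    cp -R "$src/." "$dst/ubuntu/"
    cp -R "$src/." "$dst/Boot/"
    mv "$dst/Boot/shimx64.efi" "$dst/Boot/bootx64.efi"
}

# 0 when the destination ESP carries both copies with the expected names.
esp_copy_ok() {
    [ -f "$1/EFI/ubuntu/shimx64.efi" ] && [ -f "$1/EFI/ubuntu/grubx64.efi" ] &&
    [ -f "$1/EFI/Boot/bootx64.efi" ] && [ -f "$1/EFI/Boot/grubx64.efi" ]
}

# Real use, with the two ESPs mounted at placeholder paths (root required):
#   copy_esp_boot_files /boot/efi /mnt/external-esp && esp_copy_ok /mnt/external-esp
```

`esp_copy_ok` is the check to run before unplugging the external drive: if either copy is missing, the drive will boot only while sda is present, which is exactly the situation the answer warns about.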
Best Answer
There's no special considerations at all for SSD versus spinning HDD.
And if you're comfortable using the Ubuntu Alternate Installer, it's fairly straightforward to set up full disk encryption.