18.04encryptionnvmeopal-2.0thinkpad
I have a fresh install of Ubuntu 18.04.1 on a Lenovo ThinkPad L480 with an Opal 2.0 compatible NVMe SSD inside. As far as I understand, the drive is always encrypted, but I need to set a password so that the encrytion key itself is also protected.
Questions:
First of all, if I remember correctly you have to check a box to install Ubuntu with an encrypted home directory, but I could be wrong. It certainly looks like it's encrypted.
Secondly, the bad news: if you encrypted the home directory at boot, it doesn't use your account password, but a separate pass phrase. After you first booted a pop up comes up with the question if you want to backup your encryption pass phrase for the home directory, recommending you get save it somewhere safe. There is a way to get the password at a later stage, but only if you can access it, so before anything goes wrong with your system. If you don't have the pass phrase, the only possible way to get it back is by brute forcing it, which, at the moment, is practically impossible.
Now that I think of it, after writing the previous text, if you made regular backups, you should be able get the key back. Did you make backups?
Edit:
Just test this answer and it works to get the pass phrase on a still working system, but you should save it somewhere safe, of course. :D
Edit2:
So I just looked further into it and if:
you have a backup of your old home files AND;
it included the ~/.ecryptfs folder with the wrapped-passphrase file
you can unlock it with the command:
ecryptfs-unwrap-passphrase /path/to/wrapped-passphrase
It will ask for a password. This is the account password you said you remember correctly. It should give you a output of seemingly random characters: this is the pass phrase to unlock the home partition.
I hope you still have that file backed up. Let me know if you run into any problems.
Okay, before I answer your questions, I need to first explain the difference between "Quick format" and "Full format" (to borrow Windows terminology), and the difference between a logical volume and a physical volume:
Quick format: Writes the file system structure onto the drive (on top of existing data).
Full format: Erases the drive (typically by writing 0's) before writing the file system structure.
All file systems in use today (ext2, ext3, ext4, btrfs, zfs, xfs) perform a "quick format" by default. This means that previous data that resided on the disk, while not directly visible through the file system, is still available if you were to scan the disk using data recovery software.
As an example: you have a 100GB hard drive which used to store photos. You decide to format this hard drive and install Ubuntu. Let's pretend the Ubuntu installation will take ~4GB. After installing Ubuntu approximately 4GB of the 100GB of data would be overwritten with your Ubuntu installation. The remaining 96GB of photo data is still physically present on the hard drive. If you used data recovery software, you should be able to retrieve most of these photos, despite the fact that the drive was "formatted" during the Ubuntu installation.
Logical volume: Any region of a storage medium, up to and including the entire physical space. e.g. if you create a partition of 100MB on a disk of 100GB, the 100MB partition is considered a logical volume
Physical volume: The entire physical capacity of the hardware^. In our example with a 100GB hard drive, the physical volume is the entire device (100GB) without any smaller volumes allocated inside.
^ The hardware itself will have additional capacity (over provisioning) to handle degradation of the physical medium. This additional capacity is managed by the device itself and is not visible to the operating system except through the S.M.A.R.T. interface, which you can access by installing smartmontools.
Now on to your questions...
But if that would be true, then the "Encrypt the new Ubuntu installation for security" option in the installer is not full disk encryption at all.
This is a difference of definition/perspective. You are interpreting "full disk encryption" as meaning the entire contents of the physical volume is encrypted, while Ubuntu is using "full disk encryption" to mean the contents of the logical volume where Ubuntu is installed is encrypted.
Therefore if you installed Ubuntu and filled up the hard drive completely with data, the encrypted logical volume would fill the entire physical volume.
However there are cases where someone installs Ubuntu along side Windows on their disk. In this case, the Windows installation may be unencrypted but the Ubuntu installation is encrypted.
In this scenario, Ubuntu is still providing "full disk encryption" because all data on Ubuntu's logical volume is encrypted. Ubuntu doesn't care about the data on other logical volumes which are present on the physical volume.
If he is correct, then it does not encrypt the entire disk then. It only encrypts used disk space. The empty space is not encrypted then.
Yes because encrypting empty space would make the system much slower, and there is no security benefit to doing so.
Now, the question is: If that option is checked, does it just overwrite the empty disk space? Or does it also encrypt it?
I have not verified myself, but it is most likely overwriting the unused disk space with random data. It is certainly not encrypting the empty space. Properly encrypted data is indecipherable from random data, so filling the disk with random data before installing Ubuntu would make it impossible to tell which portions of the disk are "empty" and which are encrypted
I was assuming that it only overwrites it with zeros before encrypting it. I was assuming that the entire disk would be encrypted anyway using the "Encrypt the new Ubuntu installation for security" option
Again, "full disk encryption" in this context refers to the encryption of all logical data on disk, not encrypting the entire physical device.
There is no security benefit whatsoever to encrypting empty space. If you are concerned about free space not being encrypted, then select the "For more security: Overwrite empty disk space (The installation might take much longer.)" option during installation to overwrite the entire physical disk.
Now, it is possible to purchase a self-encrypting drive (SED). For SSDs the relevant feature is called OPAL. If your computer has an SED installed, the encryption is handled by specialized encryption hardware within the device. All data written to the physical medium (magnetic platters for a hard drive, or silicon for an SSD) is encrypted by the device before being written. This means if someone were to remove the platters or silicon chips, they cannot read the data. However, it does depend on you trusting the SED's encryption implementation. As the device firmware is closed source and rarely audited, you're placing trust in the vendor to have implemented it properly and without any backdoors. You decrypt the SED at boot by providing a password.
Best Answer
The Lenovo ThinkPad L480 with an Opal supported SSD uses a Samsung "MZ-V6E500BW SSD 960 EVO NVMe M.2 500GB", 256GB, or an Intel "180GB Solid State Drive SATA3.2" OPAL2.0 M.2 drive depending on chosen options. Apparently the Intel SSDs have some management capabilities related to vPro that the non-Intel drives don't, such as remote wiping and the ability to enable/disable certain encryption modes.
It also seems that sometimes other drives, such as the Seagate 1200 Pro SSD, are used; so it's important when using Windows to know which drive is being used so you can visit the manufacturer's website.
Once you install a custom operating system you need to use the tools available for that OS. The two main ones for Linux are hdparm and sedutil, see my answer on UNIX and Linux Stack Exchange.
Additional information:
Samsung SSDs have software available to setup their operation, this only works for certain SSDs and operating systems, otherwise the default is no password and encryption is enabled.
For "Ubuntu 12.04 LTS and later" (source: user manual, DC Toolkit .PDF, page 10) the Samsung SSD DC Toolkit is designed to work with Samsung SSD products including PM863, PM863a, SM863, SM863a, PM963 non-customized, 860 DCT, 883 DCT, 983 DCT, 983 DCT M.2, and 983 ZET.
This software is not compatible with other manufacturers' SSDs, nor is it certain to work with other Samsung SSDs. It also has limited support for Windows Server 2012 R2, Widows Server 2016 RS1 (Version 10.0.14393), RHEL 5.7 up to 6.4 (6.4 and later has full support), and CentOS.
For Windows and Samsung SSDs the software used is called: "Samsung SSD Magician DC 2.0". Using a bootable USB drive with Windows and Samsung's Windows software is another, albeit inconvenient, option for setting up your SSD for use with another operating system.
The user manual for the Enterprise edition of the Magician software claims to only support Samsung SSD SM863 and PM863. The consumer version claims the Magician SSD management utility is designed to work with all Samsung SSD products including 470 Series, 750 Series, 830 Series, 840 Series, 850 Series, 860 Series, 950 Series, 960 Series and 970 Series.
In your circumstances you are probably best off using hdparm or getting sedutil setup.
Don't forget to set your screensaver to a short time and hibernation should also be brief if you want the encrypted drive to remain secure, see my other answer linked to above, a powered on encrypted drive is unlocked once it's successfully booted
A helpful article for Arch Linux explains ATA BIOS Passwords and sedutil with drives supporting Opal under Linux, it explains the need to set
libata.allow_tpm. See also the Stack Overflow Q&A: "ATA Trusted commands - How to set libata allow_tpm" and especially Dell's article: "Encrypting Your Ubuntu Operating System Using a SED Hard Drive" where they explain a lengthy procedure (last modified: 01/02/2019 01:05 PM).