I know this question is old, but comes up when searching for the small boot partition problem and using disk encryption.
The Ubuntu installer ubiquity uses partman for partitioning. When the "Use the entire disk" option is selected, the partition configurations come from partman recipe files in /lib/partman/recipes-[arch]/* and /lib/partman/recipes/* on the live CD. Find the recipe used by the installer, and modify the maximum size for the /boot partition. On my system, the default recipe used is /lib/partman/recipes/30atomic. Open the Terminal:
ubuntu@ubuntu:~$ sudo nano /lib/partman/recipes/30atomic
Go to the section for the boot partition and change the third number (256 below) to the size you want (I'd recommend at least 512):
    128 512 256 ext2
        $defaultignore{ }
        method{ format }
        format{ }
        use_filesystem{ }
        filesystem{ ext2 }
        mountpoint{ /boot }
This section says the size is going to be between 128M and 256M with a priority of 512, which determines how important the size of this partition is relative to the others.
Save it with Ctrl+O, Enter. Then start the installer, install as usual.
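The edit described above can be scripted instead of done in nano, which also lets you check the result before rebooting into the installer. The following is an added example, not code from the answer above or from the partman project: the recipe it operates on is a constructed sample in the layout of 30atomic (three stanzas, each opened by a "min priority max fs" header line), and the function names are the example's own.

```shell
#!/bin/sh
# Added example: change the max size of the /boot stanza in a partman recipe.
# The recipe below is a constructed sample in the layout of 30atomic, not a
# copy of the file shipped on the live CD.
sample_recipe() {
cat <<'EOF'
partman-auto/text/atomic_scheme ::

128 512 256 ext2
	$defaultignore{ }
	method{ format }
	format{ }
	use_filesystem{ }
	filesystem{ ext2 }
	mountpoint{ /boot } .

500 10000 1000000000 $default_filesystem
	$lvmok{ }
	method{ format }
	format{ }
	use_filesystem{ }
	$default_filesystem{ }
	mountpoint{ / } .

96 512 300% linux-swap
	$lvmok{ }
	method{ swap }
	format{ } .
EOF
}

# Line number of the "min priority max fs" header that opens the stanza
# mounted at $2 in recipe file $1 (prints nothing if no such stanza exists).
recipe_header_line() {
  awk -v mp="$2" '
    /^[0-9]+[[:space:]]+[0-9]+[[:space:]]+[0-9%]+[[:space:]]/ { hdr = NR }
    index($0, "mountpoint{ " mp " }") { print hdr; exit }
  ' "$1"
}

# The header line itself, for display and for checking an edit.
recipe_header_for() {
  n=$(recipe_header_line "$1" "$2")
  [ -n "$n" ] && sed -n "${n}p" "$1"
}

# Rewrite the max size (third field, in MB) of the stanza mounted at $2 to $3.
# Refuses a max below the stanza's own minimum, which would make the recipe
# unusable for partman.
set_recipe_max() {
  n=$(recipe_header_line "$1" "$2")
  [ -n "$n" ] || { echo "no stanza mounted at $2 in $1" >&2; return 1; }
  min=$(sed -n "${n}p" "$1" | awk '{ print $1 }')
  [ "$3" -ge "$min" ] || { echo "max $3 is below min $min" >&2; return 1; }
  awk -v n="$n" -v newmax="$3" 'NR == n { $3 = newmax } { print }' "$1" > "$1.tmp" \
    && mv "$1.tmp" "$1"
}

# Usage on the live CD (as root), keeping a backup of the original recipe:
#   cp /lib/partman/recipes/30atomic /tmp/30atomic.bak
#   set_recipe_max /lib/partman/recipes/30atomic /boot 1024
#   recipe_header_for /lib/partman/recipes/30atomic /boot
```

The header regex only matches lines that start with a digit, so the indented specifiers inside a stanza are never mistaken for a header, and the lookup keys on the exact "mountpoint{ /boot }" string so that "/" does not match the "/boot" stanza.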
full disk encrypted my laptop [...] swap partition [...]
It's totally up to you where you put swap partitions. Some typical set ups:

1. dm-crypt on raw partition and /boot as small plain partition, then on top of the large crypto 'device' as LVM Physical Volume:
   -> LVM Volume Group (one PV as member) crypto
   -> LVM Logical Volumes:
      - crypto-rootfs as /
      - crypto-homes as /home (optional)
      - crypto-swap as swap (optional)
      - leave some room in the volume group to be able to use LVM's features
   Don't try to set it up the other way around - crypto on top of individual LVs is not going to be of any advantage, but only giving you headaches.
2. dm-crypt on raw partition as / with separate /boot and separate non-encrypted swap.
   - less flexible, yet more portable without LVM (e.g. FreeOTFE)
   - if more crypto partitions are needed this means multiple times unlocking at boot using passphrases
   - swap could be set up to use a random key crypto on every boot - disables hibernation
3. The above without any swap. Might be a good idea if you have plenty of RAM anyway.
The 'alternate' installer for 12.04 will allow you to do this in a semi-GUI way. See for example: "How to install Ubuntu 11.04 on an encrypted LVM file system" (while a bit old, still relevant for 12.04).
will the thief be able to extract my files from the swap partition?
Not directly. Swap contains bare memory pages. It would be a hell of a puzzle to reassemble this, but even single memory pages might contain too much secret data already. It is considered unsafe to have swap unencrypted. As long as you put your swap on top of a crypto device (no matter using LVM, RAID, or whatever), you're fine.
I am assuming s/he will not be able to extract anything from the main partition without doing some form of bruteforce code breaking attack?
No, it's fairly safe, as that's the whole point of good encryption! To see more about the technical details like the cryptography used, please refer to What is used in the 12.10 full disk encryption? (which also covers 12.04 in my answer).
Security concerns are elsewhere. You'll need a separate unencrypted /boot, no matter how you set it up. It contains kernel and initramfs. If someone can fiddle with the unlocking scripts or even put a backdoor in the kernel, they can steal your secret data. Practical advice: never leave your laptop unattended.
Workarounds for this (advanced set up!):
- Use a smartcard+reader rather than a password and carry it on your body if your laptop is not in use.
- Put the dm-crypt encrypted key on a separate flash drive, rather than on the disk itself. Make copies of this encrypted key in case your flash drive dies and put them in a safe where nobody can reach it.
- Always use a trusted set of kernel and initramfs, for example by using the same USB flash drive as /boot - and always carry this with you.
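Once a machine is installed with one of the layouts above, the rule that matters is the one stated in the answer: swap (and the root filesystem) must sit on top of a dm-crypt device, while /boot is expected to be plain. The following added check, which is not part of the answer and not a tool of the Ubuntu project, verifies that from the parent/child listing that "lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME" prints. The listing it runs on is a constructed sample of the recommended LVM-on-dm-crypt layout plus a second disk carrying a plaintext swap partition, so that one finding is shown; the function names are the example's own.

```shell
#!/bin/sh
# Added example: report whether swap and / are stacked on a dm-crypt mapping,
# based on the KEY="value" lines that lsblk -P prints. The sample below is a
# constructed listing, not captured from a real machine.
sample_lsblk() {
cat <<'EOF'
NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="sda2_crypt" TYPE="crypt" MOUNTPOINT="" PKNAME="sda2"
NAME="vg-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="sda2_crypt"
NAME="vg-swap" TYPE="lvm" MOUNTPOINT="[SWAP]" PKNAME="sda2_crypt"
NAME="sdb" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sdb1" TYPE="part" MOUNTPOINT="[SWAP]" PKNAME="sdb"
EOF
}

# For every device mounted as [SWAP] or /, walk up the PKNAME chain and look
# for a device of TYPE "crypt". Prints one line per device; exit status 1 if
# any of them has no dm-crypt layer underneath.
audit_crypto_stack() {
  awk '
    # Extract KEY="value" from one lsblk -P line. The line is prefixed with a
    # space so that the key NAME cannot match inside PKNAME.
    function field(line, key,    re) {
      re = " " key "=\"[^\"]*\""
      if (match(line, re))
        return substr(line, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
      return ""
    }
    {
      line = " " $0
      name = field(line, "NAME")
      parent[name] = field(line, "PKNAME")
      type[name] = field(line, "TYPE")
      mp = field(line, "MOUNTPOINT")
      if (mp == "[SWAP]" || mp == "/") { dev[++n] = name; mount[n] = mp }
    }
    END {
      bad = 0
      for (i = 1; i <= n; i++) {
        enc = 0
        for (p = parent[dev[i]]; p != ""; p = parent[p])
          if (type[p] == "crypt") enc = 1
        if (enc)
          print dev[i] " (" mount[i] "): on dm-crypt, ok"
        else {
          print dev[i] " (" mount[i] "): PLAINTEXT, readable from the raw disk"
          bad = 1
        }
      }
      exit bad
    }
  ' "${1:-/dev/stdin}"
}

# Live usage on the installed system:
#   lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME | audit_crypto_stack
```

Because the walk follows PKNAME all the way to the disk, it does not matter whether the crypt device is directly under the swap partition (layout 2 above) or under the LVM physical volume that holds a crypto-swap logical volume (layout 1); both are reported as ok, and only swap with no crypt ancestor at all is flagged.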
Best Answer
It's extremely useful to have an "on-the-go" Ubuntu running on USB with full disk encryption. Imagine you can boot up on almost every computer with your USB, and work in your own personalized environment anywhere, without carrying a notebook. I managed to install Ubuntu 16.04 in a USB HDD this way:
1. Download the latest Ubuntu installer.
2. Make a bootable pendrive. I use LiLi on Windows and the dd command on Linux. You can google it.
3. Boot up from the Ubuntu pendrive. The Ubuntu installer detects the internal HDD and offers to install Ubuntu and keep the other OS, or make a clean install, optionally with encryption. However, this window only shows the internal HDD. If you want to install to USB, you have to select the "Other" option. But it is really hard to set up an encrypted install manually.
4. I did the following: take out my internal HDD from my notebook, and boot up the Ubuntu installer again. If the USB drive is connected, but the internal HDD is taken out, the installer will display the USB drive as primary drive and offers to make a clear install with encryption. You can also choose to overwrite your disk before install if you want.
5. Start the installation with your preferred options. Same as usual from now on.
I tested my USB Ubuntu on 5 different computers from old to "new" and it works like a charm. No problem with drivers, not a single error or question window when I boot up on a different PC.