Ubuntu – way to do full disk encryption after the install?

encryption

Is there a way to do full disk encryption after the install?

I have Ubuntu 11.10 installed with /home encrypted but really need the whole drive encrypted. I would really like to do that with out a re-install. Is there anyway to do that?

Best Answer

LUKS in-place encryption exists. But you need to set up your environment a little as per the pictures:

(Also see this question)

Related Solutions

Ubuntu – Are there any known vulnerabilities to Ubuntu’s full disk encryption feature

There are no currently known vulnerabilities in encryption in Ubuntu 11.10. There have been some. Generally the ecryptfs vulnerabilities involved an attacker already logged into your system who could cause denial of service. There was a LUKS problem in which users were surprised that a simple configuration option in a partitioning tool could fully and permanently destroy a partition.

In about 5 * 10^9 years, we expect this planet will be engulfed by the expanding Sun. AES-256 encryption can quite possibly resist attack for that long. However, as you seem to be aware, there are many other potential weaknesses and they bear repeating.

Will you know that you encrypted the disk effectively? It's complicated. Thoughtful people disagree about which installation options are sufficiently effective. Did you know that you're supposed to install full-disk encryption from Ubuntu's alternate install CD using LUKS, not ecryptfs? Did you know that LUKS has stored the passphrase in RAM in plain text, or that once a file is unlocked by any user via ecryptfs, then ecryptfs does not protect it from any other user? Was your disk ever connected to a system that permitted attaching unencrypted storage, rather than setting an explicit SELinux policy to prohibit that? Where did you keep your backups of your encrypted disk? You made backups because you knew that encrypted disks are much more sensitive to normal errors, right?

Are you sure your passphrase is not among the top billions (more like trillions, or whatever it is now) of possibilities that might be guessed? Is the person attempting to decrypt your disk really a random, poorly motivated and funded, unresourceful stranger? Are you sure your passphrase could not have been obtained by software tampering ("evil maid" attack), observing the running system ("shoulder surfing", "black bag" or "cold boot" attacks), etc.? How well have you avoided attacks that everyone gets: email and download viruses, malicious JavaScript, phishing?

How deeply are you committed to keeping your passphrase secret? What jurisdictions will you be in? Would you be content to go to prison? Are there other people who know the secrets that are protected by your disk encryption? Do you want to pay the price for your secrets even if those people reveal them?

Ubuntu – How to install Ubuntu with full disk encryption without having to “erase everything”

Yes! You can use the Ubiquity installer to manually install Ubuntu inside an encrypted LVM volume. And you can do it on the same drive as a Windows 10 installation.

Disclaimer: There is a heightened risk of data loss when installing Operating Systems or making changes to partition tables. It is easy to make mistakes, so you should have sufficient backups before doing any of this.

Prepare for Installation

First, boot up your Ubuntu installation media as LiveUSB ("Try Ubuntu").

Open the Disks application and navigate to the disk that contains Windows, where you would also like to install Ubuntu. You can also see the partition with your Windows install, as well as an EFI partition and Windows system and recovery partitions. Leave these alone. Take a note of the /dev/sdx# identifiers. In this example, /dev/sda is the disk we are going to work on.

Verify that you have un-partitioned "Free Space" available. Ubuntu cannot shrink a partition with a Windows install leaving it intact. If you can't free up space here by deleting non-essential partitions, you will need to consult with Windows' documentation on how to shrink your Windows partition before going any further.

Begin the Installer

Click "Install Ubuntu" on the desktop, or reboot back to the USB and select "Install Ubuntu".

Proceed through the installation prompts until you get to Installation type.

Here you will click "Something Else" and Continue.

Set up Encryption and boot partitions

Here you will see another representation of the partitions of your drives.

1) Set the Device for boot loader installation as the same physical disk as your Windows install. In our example it is /dev/sda.

2) Create the /boot partition: Select your free space partition that we verified/created earlier, and click the + button. Set the mount point as /boot and set the size. In our example we have set 500MB. (If you like to keep lots of old kernels you might want to increase this amount) Click OK.

3) Create your encrypted root partition: In the remaining free space, again click the + button. Change Use as: to "physical volume for encryption" and set up your password. This will be the password that you need to enter after selecting Ubuntu in GRUB. You will not be able to decrypt your OS without it so don't forget this password.

4) Set / mount point: Double click on the newly created volume. In this example, it is the ext4 partition labeled dev/mapper/sda6_crypt. Change the "Mount point" to / and click OK.

5) Verify EFI partition: Just to be sure, let's also double-click on the EFI partition with Windows Boot Manager. Make sure Use As is set to EFI System Partition and click OK.

Final Check & Install

Make sure your /boot and / and EFI partitions are where they are supposed to be, and double check that the device for bootloader installation is correct. If everything is in order, you are ready to Install Now.

This concludes the setup of your encryption/LVM and partitions. Once the installation is complete, your system should boot to GRUB with Ubuntu and Windows as options. When you select Ubuntu, you will be required to enter a password to unlock sdx#_crypt to continue booting.