As far as I understand, the "Encrypt the new Ubuntu installation for security" option in the Ubuntu installer is meant to provide full disk encryption.
However, when using that option, it seems like as if the encryption would finish instantly, it literally does not seem to take any time at all.
When using BitLocker on Windows to encrypt the entire disk, it can take hours to fully encrypt the disk, even on SSDs. With BitLocker and other encryption tools like DiskCryptor or TrueCrypt for example, there's also a progress indicator, which shows how much of the disk is encrypted already.
Why is that not the case with the "Encrypt the new Ubuntu installation for security" option in the Ubuntu installer?
Even on my 1 TB SSD the encryption seems to be set up instantly and there's no progress indicator whatsoever.
How's that possible?
Someone on the forum said:
http://ubuntuforums.org/showthread.php?t=2330425&p=13516293#post13516293
Data doesn't become encrypted until written
But if that would be true, then the "Encrypt the new Ubuntu installation for security" option in the installer is not full disk encryption at all.
If he is correct, then it does not encrypt the entire disk then. It only encrypts used disk space. The empty space is not encrypted then.
At least with BitLocker you have the option to choose between encrypting used disk space only or encrypting the entire disk, see following screenshot for example:
https://i-technet.sec.s-msft.com/en-us/windows/jj983729.bitlocker-screen(en-us,MSDN.10).jpg
.jpg){kind=link}
On the same forum thread it was also mentioned that:
If you want to randomly initialize the storage areas PRIOR to writing anything,
that will take some. I seem to recall it being an optional checkbox for the installation.
And, indeed, there is a "For more security: Overwrite empty disk space (The installation might take much longer.)" option on the next screen after the screen which has the "Encrypt the new Ubuntu installation for security" option.
Now, the question is: If that option is checked, does it just overwrite the empty disk space? Or does it also encrypt it?
I was assuming that it only overwrites it with zeros before encrypting it. I was assuming that the entire disk would be encrypted anyway using the "Encrypt the new Ubuntu installation for security" option, regardless of the "For more security: Overwrite empty disk space (The installation might take much longer.)" option.
Regards
Best Answer
Okay, before I answer your questions, I need to first explain the difference between "Quick format" and "Full format" (to borrow Windows terminology), and the difference between a logical volume and a physical volume:
Quick format: Writes the file system structure onto the drive (on top of existing data).
Full format: Erases the drive (typically by writing 0's) before writing the file system structure.
All file systems in use today (ext2, ext3, ext4, btrfs, zfs, xfs) perform a "quick format" by default. This means that previous data that resided on the disk, while not directly visible through the file system, is still available if you were to scan the disk using data recovery software.
As an example: you have a 100GB hard drive which used to store photos. You decide to format this hard drive and install Ubuntu. Let's pretend the Ubuntu installation will take ~4GB. After installing Ubuntu approximately 4GB of the 100GB of data would be overwritten with your Ubuntu installation. The remaining 96GB of photo data is still physically present on the hard drive. If you used data recovery software, you should be able to retrieve most of these photos, despite the fact that the drive was "formatted" during the Ubuntu installation.
Logical volume: Any region of a storage medium, up to and including the entire physical space. e.g. if you create a partition of 100MB on a disk of 100GB, the 100MB partition is considered a logical volume
Physical volume: The entire physical capacity of the hardware^. In our example with a 100GB hard drive, the physical volume is the entire device (100GB) without any smaller volumes allocated inside.
^ The hardware itself will have additional capacity (over provisioning) to handle degradation of the physical medium. This additional capacity is managed by the device itself and is not visible to the operating system except through the S.M.A.R.T. interface, which you can access by installing
smartmontools.Now on to your questions...
This is a difference of definition/perspective. You are interpreting "full disk encryption" as meaning the entire contents of the physical volume is encrypted, while Ubuntu is using "full disk encryption" to mean the contents of the logical volume where Ubuntu is installed is encrypted.
Therefore if you installed Ubuntu and filled up the hard drive completely with data, the encrypted logical volume would fill the entire physical volume.
However there are cases where someone installs Ubuntu along side Windows on their disk. In this case, the Windows installation may be unencrypted but the Ubuntu installation is encrypted.
In this scenario, Ubuntu is still providing "full disk encryption" because all data on Ubuntu's logical volume is encrypted. Ubuntu doesn't care about the data on other logical volumes which are present on the physical volume.
Yes because encrypting empty space would make the system much slower, and there is no security benefit to doing so.
I have not verified myself, but it is most likely overwriting the unused disk space with random data. It is certainly not encrypting the empty space. Properly encrypted data is indecipherable from random data, so filling the disk with random data before installing Ubuntu would make it impossible to tell which portions of the disk are "empty" and which are encrypted
Again, "full disk encryption" in this context refers to the encryption of all logical data on disk, not encrypting the entire physical device.
There is no security benefit whatsoever to encrypting empty space. If you are concerned about free space not being encrypted, then select the "For more security: Overwrite empty disk space (The installation might take much longer.)" option during installation to overwrite the entire physical disk.
Now, it is possible to purchase a self-encrypting drive (SED). For SSDs the relevant feature is called OPAL. If your computer has an SED installed, the encryption is handled by specialized encryption hardware within the device. All data written to the physical medium (magnetic platters for a hard drive, or silicon for an SSD) is encrypted by the device before being written. This means if someone were to remove the platters or silicon chips, they cannot read the data. However, it does depend on you trusting the SED's encryption implementation. As the device firmware is closed source and rarely audited, you're placing trust in the vendor to have implemented it properly and without any backdoors. You decrypt the SED at boot by providing a password.