Encrypt1

Disk encryption is one of several security features built into the Linux kernel that you may use to enhance the physical security rating and posture of a Linux installation. Disk encryption used to be widely recommended for notebook computers, and the reason is such mobile computers are more likely to be stolen than a desktop or server in a home or business. But that has changed. The general recommendation is this: Encrypt every disk. Whether it is in your notebook, desktop, or server. To paraphrase the late Johnny Cochran, If you have a disk, you must encrypt.

The primary purpose of disk encryption is to deny unauthorized (physical) access to your data. And the most effective method of enforcing that is to deny unauthorized persons from being able to boot your computer completely. In essence, deny such persons access to your login screen. When your computer boots, you want the person sitting in front of the keyboard to see something similar to this:
Passphrase before booting

No passphrase, no access. Keep in mind that the most effective encryption scheme entails encrypting everything but the boot partition. Which means that Swap must also be encrypted. If Swap is not encrypted, sensitive data written out to disk can be recovered by anybody with access to the disk. Such data might even be the encryption key or passphrase.

Related Post:  Linux Mint 6 Installation with Custom Disk Partitioning

The problem on the Linux front is few distributions support disk encryption during installation. If you use Ubuntu, you are in luck because it supports it. You must know, however, that the Live CD version and the Alternate Installation version support different types of encryption. The former supports encryption of the home directory. As shown in the image below, you can enable encryption of your home directory during the user account setup step. That, however, does not very little to boost the physical security posture of the computer. And the reason is simple: Once you log in, your home directory is decrypted.

And that is the main reason why automatic login (“Log in automatically”) should not be enabled. It is a very convenient feature, but it comes with a hefty price tag. The gist here is if you want full disk encryption, do not install Ubuntu from a Live CD ISO image.
Encrypt

You should instead use an Alternate Installer ISO image. Aside from full disk encryption, it also supports LVM, the Linux Logical Volume Manager, and if you chose the option shown in the image below, the installer will set up two partitions. The first partition, used for /boot, will not be encrypted. The system needs an unencrypted boot partition to complete some preliminary boot steps. The second partition, which will be initialized for use by LVM, will be encrypted, and under it, the system sets up two logical volumes – one for the root directory, and the other for Swap. That is how full disk encryption should be configured. That, by the way, is how it is configured on Debian, Fedora, and Sabayon.
Encrypt1

Related Post:  Searching for a software development company? Here's what you need to know

If you do not want to use LVM, you can set up a non-LVM disk partitioning scheme and enable encryption for the partitions manually. However, because of the benefits of LVM, it is highly recommended that you use it. There is no downside. Or none that you will notice. An article, to be published by end of day tomorrow, will provide a step-by-step guide on how to install Ubuntu 11.04 on an encrypted LVM partitioning scheme. To have it delivered automatically to your Feed Reader or Inbox, subscribe via RSS or email.

Share:

Share on facebook
Facebook
Share on twitter
Twitter
Share on pinterest
Pinterest
Share on linkedin
LinkedIn

Hola! Did you notice that LinuxBSDos.com no longer runs network ads?  Yep, no more ads from the usual suspects that track you across the Internet.  But since  I still need to pay to keep the site running, feel free to make a small donation by PayPal.

Subscribe for updates. Trust me, no spam!

Mailchimp Signup Form

Sponsored links

1. Attend Algorithm Conference, a top AI and ML event for 2020.
2. Reasons to use control panel for your server.
3. DHgate Computers Electronics, Cell Phones & more.

53 Responses

  1. Thanks for this article. Novice user like me will get benefited by this step by guidance. I have installed ubantu 18.04 successfully on my laptop.

  2. Thanks for walking us through it. I’m installing on a hard drive where I’ve got a partition I want to keep plus some free space.

    5-star tutorial!

  3. Thank you for the awesome article. I am installing Ubuntu 13.04 on my Mac mini, and this tutorial helped me a lot.

    The only one thing that differs from your tutorial is that the system asked me to create an EFI boot partition (not the same as /boot), when I clicked on the Install Now Button.

    I made it a logical partition. Should I have made it primary, or there is no much difference?

    Anyway, my first Linux is going to be installed in a few minutes. Thanks again!

      1. Thank you for a quick answer!

        I guess it is better to have just an EFI boot partition on a Mac. I made a second installation without a /boot partition and it works fine. In fact, when I had 2 boot partitions (/boot set as a primary and EFI boot as logical) I wasn’t able to install Ubuntu from USB drive (my Mac just didn’t show it as a bootable device), so I had to insert Mac OS X DVD, get to the Disk Utility, format/erase my HD, and force restart my Mac. This way Mac just loads the Ubuntu installation from USB drive. But, as I said, on a second installation I went just with EFI boot partition set to Primary (Macs don’t have BIOS), and if you hold Option/Alt on power up, it gives you an EFI boot option. This way you don’t need to insert Mac OSX DVD in order to install/reinstall Ubuntu, and it’s a good way to have just one OS installed.

        I hope this will help some new Mac/Ubuntu users, since I’ve seen a lot of problems booting from USB drive on a Mac on forums that people encounter.

  4. Can I install /boot as a logical sda5? Do I need a logical /usr and /usr/local also? I have a 500 GB hdd. Computer is for home and office use and some games via MAME Arcade emulator.

    1. Yes, /boot can be a logical partition.

      Unless you have a special need for them, you don’t need /usr or /usr/local. Those are typically for server usage. If you want, you can create a separate partition mounted at /opt for your 3rd party games. It’s not necessary, but the option is there and it won’t break anything.

  5. I wanted Ubuntu to see my second hard drive so I used this paritioning method (auto-partitioning doesn’t allow me to use both HDD’s).
    After installing I got an error while booting (no such device: . grub rescue

  6. Thank you so much. My first Ubuntu installation is one the way. Still cant understand why Linux needs so many file systems but i guess its OK…

Leave a Reply to Suraj Cancel reply

Your email address will not be published. Required fields are marked *

Get the latest

On social media
Via my newsletter
Mailchimp Signup Form

Partner links

1. Attend Algorithm Conference, a top AI and ML event for 2021.
2. Reasons to use control panel for your server.
3. DHgate Computers Electronics, Cell Phones & more.
Hacking, pentesting distributions

Linux Distributions for Hacking

Experts use these Linux distributions for hacking, digital forensics, and pentesting.

Categories
Archives

The authors of these books are confirmed to speak during

Algorithm Conference

T-minus AI

Author was the first chairperson of AI for the U.S. Air Force.

The case for killer robots

Author is the Director of the Center for Natural and Artificial Intelligence.

Why greatness cannot be planned

Author works on AI safety as a Senior Research Scientist at Uber AI Labs.

Anastasia Marchenkova

An invitation from Anastasia Marchenkova

Hya, after stints as a quantum researcher at Georgia Tech Quantum Optics & Quantum Telecom Lab, and the University of Maryland Joint Quantum Institute, I’m now working on superconducting qubit quantum processors at Bleximo. I’ll be speaking during Algorithm Conference in Austin, Texas, July 16 – 18, 2020. Meet me there and let’s chat about progress and hype in quantum computing.