Disk encryption is one of several security features built into the Linux kernel that you can use to improve the physical security posture of a Linux installation. Disk encryption used to be recommended mainly for notebook computers, because such mobile computers are more likely to be stolen than a desktop or server in a home or business. That has changed. The general recommendation now is this: encrypt every disk, whether it is in your notebook, desktop, or server. To paraphrase the late Johnnie Cochran: if you have a disk, you must encrypt.

The primary purpose of disk encryption is to deny unauthorized (physical) access to your data, and the most effective way to enforce that is to prevent unauthorized persons from booting your computer at all. In essence, deny them access to your login screen. When your computer boots, you want the person sitting in front of the keyboard to see something similar to this:
[Image: passphrase prompt shown before booting]

No passphrase, no access. Keep in mind that the most effective encryption scheme encrypts everything except the boot partition, which means that swap must also be encrypted. If swap is not encrypted, sensitive data paged out to disk can be recovered by anybody with access to the disk. Such data might even include the encryption key or passphrase.


The problem on the Linux front is that few distributions support disk encryption during installation. If you use Ubuntu, you are in luck, because it does. You must know, however, that the Live CD version and the Alternate Installation version support different types of encryption. The former supports only encryption of the home directory: as shown in the image below, you can enable encryption of your home directory during the user account setup step. That, however, does very little to boost the physical security posture of the computer, and the reason is simple: once you log in, your home directory is decrypted.

That is also the main reason why automatic login (“Log in automatically”) should not be enabled. It is a very convenient feature, but it comes with a hefty price tag. The gist is this: if you want full disk encryption, do not install Ubuntu from a Live CD ISO image.

You should instead use an Alternate Installer ISO image. Aside from full disk encryption, it also supports LVM, the Linux Logical Volume Manager, and if you choose the option shown in the image below, the installer will set up two partitions. The first partition, used for /boot, will not be encrypted; the system needs an unencrypted boot partition to complete some preliminary boot steps. The second partition, which will be initialized for use by LVM, will be encrypted, and under it the system sets up two logical volumes: one for the root directory and the other for swap. That is how full disk encryption should be configured. That, by the way, is also how it is configured on Debian, Fedora, and Sabayon.
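As an added example (not code from the original article), here is a small Python audit that checks whether a running system actually has the layout just described: it reads the JSON device tree from lsblk and confirms that root and swap sit beneath a dm-crypt device while /boot does not. The two sample trees are constructed, and the device and volume names in them are assumptions.

```python
import json
import subprocess

# Constructed sample of `lsblk -J -o NAME,TYPE,MOUNTPOINT` for the recommended layout:
# plain /boot partition, LUKS container (type "crypt") holding an LVM root and swap.
SAMPLE_ENCRYPTED = json.loads("""
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot"},
    {"name": "sda5", "type": "part", "mountpoint": null, "children": [
      {"name": "sda5_crypt", "type": "crypt", "mountpoint": null, "children": [
        {"name": "ubuntu-root", "type": "lvm", "mountpoint": "/"},
        {"name": "ubuntu-swap_1", "type": "lvm", "mountpoint": "[SWAP]"}]}]}]}]}
""")

# Constructed counter-example (Live CD style install): root and swap on plain partitions.
SAMPLE_PLAIN_SWAP = json.loads("""
{"blockdevices": [{"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/"},
    {"name": "sda5", "type": "part", "mountpoint": "[SWAP]"}]}]}
""")

def mount_protection(tree):
    """Map each mountpoint to True if some ancestor device is a dm-crypt layer."""
    result = {}
    def walk(dev, under_crypt):
        under_crypt = under_crypt or dev.get("type") == "crypt"
        if dev.get("mountpoint"):
            result[dev["mountpoint"]] = under_crypt
        for child in dev.get("children", []):
            walk(child, under_crypt)
    for dev in tree["blockdevices"]:
        walk(dev, False)
    return result

def audit(tree):
    """Return findings for the two volumes that must be encrypted: root and swap."""
    prot = mount_protection(tree)
    findings = []
    for mnt in ("/", "[SWAP]"):
        if mnt not in prot:
            findings.append(f"{mnt}: not present in device tree")
        elif not prot[mnt]:
            findings.append(f"{mnt}: not backed by a dm-crypt device")
    return findings

if __name__ == "__main__":
    live = json.loads(subprocess.check_output(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"]))
    print("\n".join(audit(live)) or "root and swap are encrypted")
```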


If you do not want to use LVM, you can set up a non-LVM partitioning scheme and enable encryption for the partitions manually. However, because of the benefits of LVM, it is highly recommended that you use it. There is no downside, or none that you will notice. An article, to be published by end of day tomorrow, will provide a step-by-step guide on how to install Ubuntu 11.04 on an encrypted LVM partitioning scheme. To have it delivered automatically to your feed reader or inbox, subscribe via RSS or email.



25 Responses

  1. I installed Linux Mint 18.1 Cinnamon to an external hard drive this way. First I took the hdd out of its enclosure. Next I installed it in the desktop and disconnected the windows hdd. I installed Linux Mint. I then removed the external hdd and returned the windows hdd. I then installed the external hdd in the case attached it to the desktop with the USB and set BIOS to boot from the external. Everything is working fine. I would like a boot loader that allows me to select the operation system at start up. Sometimes I just gotta use windows.

    1. Well, with that setup, you only need to run sudo update-grub while logged into the Linux distro on the external drive. That will add any OS it detects, including Windows, to the GRUB menu.

  2. Hello, I followed your tutorial and it worked fine… But I changed the default boot settings in the boot launcher of OS X. Since then, the system does not recognize the external hard drive, as if GRUB is not the default boot manager anymore. Is there a way to fix that without reinstalling Ubuntu? I did that because I was not able to boot into Windows and Mac anymore. Thanks for this tutorial!

    1. That all depends on where the boot loader was installed. If it was installed on the internal hard drive, then Ubuntu will only boot as long as the external hard drive is connected to that computer. GRUB should be installed in the MBR or EFI Boot Partition of the external hard drive, otherwise you risk problems booting the OS on the internal hard drive if the external drive is not connected.

      Do you know exactly where GRUB was installed?

  3. I followed the tutorial exactly and still messed up my internal HDD.
    Booting to a black screen with a
    terminal where I can write commands.

    I did that on macbook pro 2011 that had just ubuntu on the internal drive before that.
    The whole partition was encrypted when installing it.

    I installed the second ubuntu on a USB stick and it works just fine there.

    I will have to reinstall now I guess?

      1. I have this problem too having exactly followed the instructions in this article with particular care to ensure “sda” was not selected for the bootloader.

        When I type exit at the “grub>” prompt a big message box, in the ugly PC/BIOS font, appears saying “no bootable device found.”. When I hit enter I get a boot menu from BIOS from which I can select Windows boot manager. However this is a PITA. How can this be fixed so when the external HDD is not plugged in the PC simply boots to Windows?

        BIOS shows the following boot order: 1. “ubuntu”, 2. “Windows boot manager”, 3. “USB HDD” (which changes to include the disk name when the USB disk is connected). If I swap 1 and 2 it always boots into Windows. If I change the order to 3, 2, 1, it won’t boot linux when the external HDD is plugged in.

  4. Seeing as how there’s been no response, allow me to add some specifics. I want to install ONLY Ubuntu Linux onto my external HDD (no other OS, so Swap Space really would not be necessary). I have been able to do this with a USB flash drive, but for some reason with my external hard drive I receive an error on (re)booting into the external drive stating: “error: attempt to read or write outside of disk ‘hd0’.
    Entering rescue mode.”

    Thus far, nothing online has provided a viable solution. The only two conclusions I can come to is that either some jack*** who made the drive thinks it’s funny; or a 300 GB external hard drive is less capable than an 8 GB flash drive to perform this…making the company that made the hard drive a bunch of overpaid morons.

    Once again, if someone can provide a workable solution, it’d be appreciated.

    1. Did you really install it to a USB stick or you just transferred it to the USB stick? Big difference, there.

      From my experience, the main problem with installing a Linux distro to an external drive connected to a recent PC, that is, one with UEFI firmware, is that you stand a good chance of messing up both the internal HDD and the external one. And it comes from how the boot loaders are handled and/or the failure of the installer to install the bootloader in the proper place.

      Try this: Access the computer’s boot menu (I think F11 or F12 will get you there). You should see a list of attached HDDs and also a list of boot managers for all the OSs that have been installed on that system. You should see one for Ubuntu. Select that and see if it will boot.

      The reason why this is a trial and error thing, is that each PC vendor implements UEFI in a different way. So on some PCs, you can boot an OS by selecting the entry for the HDD on which the OS is installed on, but not on others. This is why moving a Linux external HDD from one PC to another has become a major pain. As far as I’m concerned, UEFI is a curse, for Linux, that is.

      All this is assuming that your PC has UEFI firmware.

      Keep me posted.

      1. I don’t misspeak. I’m very literal. I have a 16GB flash drive which has the Ubuntu Linux OS installed on it and runs just fine. For some reason, the external hard drive I have is just (expletive) stupid and will not install the same way. It comes up “No filesystem found” no matter how it is installed.

        With the flash drive, accessing the boot menu (F9 on an HP Probook) is how I boot into Linux on the flash drive. The 300GB external HDD doesn’t seem to want to do the job though. It’s how I’ve always done it, though. Install just to an external drive (I’ve done Ubuntu and Fedora on flash drives) and after install, use the boot menu options to boot into Linux. (If I don’t go to the boot menu options Linux isn’t even listed. That’s how I set it up in the first place, and how I want it.) To see more clearly what I mean, you can view my video on how to install it to a flash drive at https://www.youtube.com/watch?v=rYWlUNSMJrY&list=UUqlWSPlnC9XmWrrXY_TfdhQ

      2. On a sidenote, I did mention that it’s listed, but it provides the error: “error: attempt to read or write outside of disk ‘hd0’.
        Entering rescue mode.”

        Though, comparatively, the error should read, “The people who made the hard drive are a bunch of overpaid idiots…but we keep them on staff because…’merica.” The external HDD is made by Maxtor/Western Digital/or Seagate…what ever you choose to call those ****-ups.

          1. Can’t….as I said (and my linked video shows), it works just fine if installed onto a flash drive. For some reason, the Maxtor OneTouch does not feel it should function as well as an 8 or 16 GB flash drive though. If it were the PC’s implementation of UEFI, it wouldn’t work via flash drive neither…but it does.

          2. Hi Xander!

            I had a very similar experience, and guess what, my flash card worked and still works like a charm! Whereas the hard drive (500Gb) all of a sudden would not boot and entered grub rescue mode….. So to make a long story short, you better make sure that the USB cable is very short and of good quality!! That solved the problem for me.


        1. Honestly, if my cable were any shorter, it’d be an internal drive. For some reason, as I mentioned on a YouTube video about this, the solution seems to be the definition of insanity…doing the same thing repeatedly expecting a different result.

          1. The problem, me thinks, is the installer not installing GRUB on the correct HDD. I should try this using Ubuntu 15.04 and see if it works as expected.

    2. Hey, I was having the same problem. In BIOS I changed my boot to CSM from UEFI. The stupid hard drive wanted to be stupid the first time I tried. So to make sure that it was not my external being dumb, I removed my internal HDD and booted. To my surprise it started up with Ubuntu. I am curious to know how it will react when I put the internal HDD back in.

  5. Nope…didn’t work. When trying to boot the external drive, it goes right to rescue mode. Any insight? Working insight, that is. No just guessing.

  6. My Vaio came with 6 partitions from factory, I don’t even get the “install alongside” option and I’m really scared about installing Ubuntu (I have done it many times) because I’m suspecting I’m about to destroy my installation and I don’t want to spend days repairing my laptop. Do you know if there’s a problem with Ubuntu with multiple partitions (the partitions are from Sony and Windows)?

    For my computer I believe the Device for boot loader should be the hard drive (not a partition), and then I should just use both / and swap normally but again, the gazzilion partitions (recovery, and who knows what) are making me nervous

    Sorry this is slightly off-topic.

    1. I’m guessing that the Vaio uses UEFI firmware and that those 6 partitions are GPT partitions. Is that right?

      When you boot the PC from the Ubuntu install CD, list the device names of the partitions you see from Ubuntu’s advanced partition tool.

  7. Thank you for the great article. I followed your instructions and it (mostly) worked, but
    I have a question I cannot find an answer for in the message boards. I installed Ubuntu 13.10 from a Live USB flash stick to another USB flash stick (128GB). Since I am new to Linux, I did not want to mess with the Windows 8.1 on my computer by trying to create a dual boot. So as a training facility I thought I could install Ubuntu on a USB drive first.
    I followed exactly the same path as described. Well, first I disabled secure boot in my UEFI BIOS, set the external drive to be the prime bootable source, then let the install create /, /home and SWAP area, and made sure the boot loader installation was on /dev/sdc (the USB where I was installing). Everything went well – with the USB plugged in, when I reboot GRUB offers me Ubuntu or Windows and both load up and seem to work. But when I shut down and reboot with no USB plugged in, instead of going directly to Windows I get a black screen and a grub> prompt. Did I somehow damage my internal HDD boot, or is this some setting in GRUB that I have to change? Any lead is greatly appreciated!

    1. When installing a Linux distribution to an external HDD connected to a PC with UEFI firmware, it’s always a good idea to disconnect the SATA cord from the internal HDD.

      But we are past that point in this case, so here’s what you can try, before you hit the mild-panic button: As the PC boots, press the appropriate F-key that will take you to the boot menu. If your computer is anything like my testing unit, you should see an entry for a Windows Boot Manager and Ubuntu on there. Select the former and see if it will boot Windows.

      1. Thank you finid! I did this installation to a USB as a precursor to installing 13.10 to the internal HDD (creating a dual boot), so it did not occur to me to isolate it that much. Later I found the suggestion here and there.
        But I have been reading and people say the fact that grub> shows up, means grub starts, but can not find the correct continuation.
        Actually I managed manually to start Windows by following the commands from grub.cfg that is on the USB. I just do not know where to recreate it on the boot partition on the HDD (if it is possible of course).
