Home directory and full disk encryption in Ubuntu 11.04

Encrypt1

Disk encryption is one of several security features built into the Linux kernel that you may use to enhance the physical security rating and posture of a Linux installation. Disk encryption used to be widely recommended for notebook computers, and the reason is such mobile computers are more likely to be stolen than a desktop or server in a home or business. But that has changed. The general recommendation is this: Encrypt every disk. Whether it is in your notebook, desktop, or server. To paraphrase the late Johnny Cochran, If you have a disk, you must encrypt.

The primary purpose of disk encryption is to deny unauthorized (physical) access to your data. And the most effective method of enforcing that is to deny unauthorized persons from being able to boot your computer completely. In essence, deny such persons access to your login screen. When your computer boots, you want the person sitting in front of the keyboard to see something similar to this:
Passphrase before booting

No passphrase, no access. Keep in mind that the most effective encryption scheme entails encrypting everything but the boot partition. Which means that Swap must also be encrypted. If Swap is not encrypted, sensitive data written out to disk can be recovered by anybody with access to the disk. Such data might even be the encryption key or passphrase.

Related Post:  How to custmize KDE's window titlebar buttons

The problem on the Linux front is few distributions support disk encryption during installation. If you use Ubuntu, you are in luck because it supports it. You must know, however, that the Live CD version and the Alternate Installation version support different types of encryption. The former supports encryption of the home directory. As shown in the image below, you can enable encryption of your home directory during the user account setup step. That, however, does not very little to boost the physical security posture of the computer. And the reason is simple: Once you log in, your home directory is decrypted.

And that is the main reason why automatic login (“Log in automatically”) should not be enabled. It is a very convenient feature, but it comes with a hefty price tag. The gist here is if you want full disk encryption, do not install Ubuntu from a Live CD ISO image.
Encrypt

You should instead use an Alternate Installer ISO image. Aside from full disk encryption, it also supports LVM, the Linux Logical Volume Manager, and if you chose the option shown in the image below, the installer will set up two partitions. The first partition, used for /boot, will not be encrypted. The system needs an unencrypted boot partition to complete some preliminary boot steps. The second partition, which will be initialized for use by LVM, will be encrypted, and under it, the system sets up two logical volumes – one for the root directory, and the other for Swap. That is how full disk encryption should be configured. That, by the way, is how it is configured on Debian, Fedora, and Sabayon.
Encrypt1

Related Post:  How to configure caching in Nginx

If you do not want to use LVM, you can set up a non-LVM disk partitioning scheme and enable encryption for the partitions manually. However, because of the benefits of LVM, it is highly recommended that you use it. There is no downside. Or none that you will notice. An article, to be published by end of day tomorrow, will provide a step-by-step guide on how to install Ubuntu 11.04 on an encrypted LVM partitioning scheme. To have it delivered automatically to your Feed Reader or Inbox, subscribe via RSS or email.

Share:

Share on facebook
Facebook
Share on twitter
Twitter
Share on pinterest
Pinterest
Share on linkedin
LinkedIn

Hola! Did you notice that LinuxBSDos.com no longer run network ads?  Yep, no more ads from the usual suspects that track and annoy you across the Internet. But since I still need to pay to keep the site running, feel free to make a small donation by PayPal or your favorite cryptocurrency.

  • Bitcoin
  • Ethereum
  • Xrp
  • Bitcoin cash
  • Bitcoin sv
  • Litecoin
  • Binance coin
  • Cardano
  • Ethereum classic
Scan to Donate Bitcoin to bc1qzvlte2m224zkayhdc7fdfjkp2rsgt0l5a496ua

Donate Bitcoin to this address

Scan the QR code or copy the address below into your wallet to send some Bitcoin

Scan to Donate Ethereum to 0x0F4362DFF77F3Ba0Dc637F5f3Eba35D09a2fA60C

Donate Ethereum to this address

Scan the QR code or copy the address below into your wallet to send some Ethereum

Scan to Donate Xrp to r4ggjvL36njsMCYTkJ3S7cTHscPsMsSGQv

Donate Xrp to this address

Scan the QR code or copy the address below into your wallet to send some Xrp

Scan to Donate Bitcoin cash to qrs0dedzp9t55af3nfwypydghp29r0xguy9s20fz2k

Donate Bitcoin cash to this address

Scan the QR code or copy the address below into your wallet to send some Bitcoin cash

Scan to Donate Bitcoin sv to 15K9TLyVDBtLuG9cYvXCX9SSkq9C9oUKHK

Donate Bitcoin sv to this address

Scan the QR code or copy the address below into your wallet to send some Bitcoin sv

Scan to Donate Litecoin to LetJ9QQMb7u2LMZ9Tu6rtHwcBcQFW98fbG

Donate Litecoin to this address

Scan the QR code or copy the address below into your wallet to send some Litecoin

Scan to Donate Binance coin to bnb1ga8trq08ssqepd90v6225nzfgy448pu5pw8gxp

Donate Binance coin to this address

Scan the QR code or copy the address below into your wallet to send some Binance coin

Scan to Donate Cardano to addr1qx2354yw49etstfljpdhwja3ajjlt487lg95vu9ngy2q6vu4rf2ga2tjhqknlyzmwa9mrm997h20a7stgectxsg5p5esq5l7d9

Donate Cardano to this address

Scan the QR code or copy the address below into your wallet to send some Cardano

Scan to Donate Ethereum classic to 0xcD6CC972a2297FcafACDcfE042C55C69516a9264

Donate Ethereum classic to this address

Scan the QR code or copy the address below into your wallet to send some Ethereum classic

Subscribe for updates. Trust me, no spam!

Sponsored links

1. Attend Algorithm Conference, a top AI and ML event.
2. Reasons to use control panel for your server.
3. DHgate Computers Electronics, Cell Phones & more.

Upcoming events

14 Responses

  1. Ubuntu now has the option to encrypt the whole disk or the home folder from the installation process on the live CD as of 12.10. If you have already setup and want some tools to encrypt partitions or other folders you can do so from gnome-disk-utility which is a handy GUI frontend for formatting disks, this allows you to encrypt partitions in ext4 during format. If you prefer folders then install encfs and cryptkeeper, or gnome-encfs-manager, which will allow you to encrypt hidden folders and mount them when decrypted. Encfs and cryptkeeper work very well with dropbox and Ubuntu one.

  2. I have installed 12.04 on my laptop and marked the option to encrypt my home folder. After reading you post, the immediate question in my mind is: when I’m logged in using my computer, if somebody gains access to it via network and decide to download my files, are they going to be encrypted or decrypted?

    1. Logging in decrypts your home folder, otherwise, you’d be required to authenticate before opening your files. So, yes, if you using the system, anybody with network access can read and write to the machine. For example, anyone with legal or illegal permission can ssh to your computer, while you are logged in, and do anything they want. Encryption does not stop that type of activity.

      Encryption prevents unauthorized access before the system boots. On a multi-user PC, encrypting your home folder prevents other users from accessing it while they are using the machine from their own account.

  3. I have already setup my laptop with ubuntu 11.10.

    Can I now encrypt the whole hard disk , so the next time I reboot , it should ask me for a password ,akin to the screen shot you have above. ?

  4. Hi, if i already have a windows partition on my hard drive.
    How should i set up ubuntu on another partition with encryption so i can dualboot.

Leave a Reply to Rodolpho Cancel reply

Your email address will not be published. Required fields are marked *

Get the latest

On social media
Via my newsletter

Partner links

1. Attend Algorithm Conference, a top AI and ML event for 2021.
2. Reasons to use control panel for your server.
3. DHgate Computers Electronics, Cell Phones & more.
Hacking, pentesting distributions

Linux Distributions for Hacking

Experts use these Linux distributions for hacking, digital forensics, and pentesting.

Categories
Archives

The authors of these books are confirmed to speak during

Algorithm Conference

T-minus AI

Author was the first chairperson of AI for the U.S. Air Force.

The case for killer robots

Author is the Director of the Center for Natural and Artificial Intelligence.

Why greatness cannot be planned

Author works on AI safety as a Senior Research Scientist at Uber AI Labs.