It’s no secret that strong encryption is virtually uncrackable and there’s no denying its growing popularity. Creating encrypted volumes with TrueCrypt or Gnome Disk Utility is great for securing portable USB drives and sensitive material within a file system. But that doesn’t solve a major security problem. On most consumer computers, the majority of personal information about their users’ lives and habits is stored completely in the clear. Even with a login and password, when unencrypted computers or hard drives are stolen, presumably all of the data stored on them is very easily accessible through any number of means. Laptops are sweet targets for burglars. Hard drives are espionage gold to dumpster divers. Beyond that, computer systems are very frequently targeted during police and military raids of all sorts.
The purpose of full disk encryption (FDE) is to lock down the everyday files, including documents, pictures, stored communications (email), memory and application caches, and so on. When a system is properly encrypted, a passphrase is required (preboot authentication) before any booting may occur and, without that passphrase, the files cannot be read. TrueCrypt can create a fully encrypted Windows installation and the most recent version of Apple OS X (10.7) comes packaged with its own FDE. There are a few security vulnerabilities to be aware of, but in this writer’s opinion every computer system should use FDE as standard practice.
When it comes to Linux, a distribution (or “distro”) is an operating system package that usually includes a graphical desktop environment and any number and variety of additional applications. If you’re new to Linux, test drive different distros and desktop environments, as they can vary greatly and it’s ultimately up to user preference. Most Linux distros can be booted from a live CD, DVD, or USB. UNetbootin makes it easy to create portable live USB devices with any Linux distro. UNetbootin even offers a comprehensive list of distros available for direct download. It’s very smooth and simple.
Back up everything before proceeding. Installing either Ubuntu or Fedora using the method laid out in this article starts with deleting everything on the installation disk(s). Once the disk partitioning begins there is no going back. Having access to another computer with Internet access is always a good thing when installing an operating system, just in case something goes wrong with the installation media and you delete your only operating system. Doh!
Immediately following the installation of any operating system, run system updates to ensure that everything is up to speed with the latest stable software and drivers.
Ubuntu 11.10 Alternate Installer Download
Ubuntu 11.10 offers home folder encryption with the standard installation, which is a great feature, but full disk encryption is only available with the alternate installer. Because of potential problems with USB disks during the installation process, I recommend using a CD or DVD. After booting to the disc the process isn’t visually stunning, but it is straightforward. A network connection isn’t needed; selecting “continue” through most of the network screens will bypass that setup until after the installation. The encryption magic happens in the partitioner, at the prompt asking for “Guided” or “Manual” disk configuration. For maximum control, always choose “Manual.”
At the partitioner:
- Delete the partition table for the devices that will be used. This will delete everything on the selected device, so make sure that you have everything backed up on external media.
- Create a new partition for the boot files.
  - The boot partition must be unencrypted for the system to boot.
  - No more than 256MB is needed for this partition and it can be kept on a USB drive for extra security.
  - Set the file system to Ext4 and the mount point to “/boot”.
  - Since this is the boot partition, “Bootable flag” should be “on.”
- Create another partition to be an encrypted volume for the swap space.
  - The size of this partition varies depending on the computer. Personally, I make it around 2xRAM.
  - Set “Use as” to “Physical for Encryption.”
- Create a third partition for the root file system that should be around 6GB.
  - Select “Physical for Encryption” on this partition, also.
- The last space that needs to be defined is the home partition, which will be encrypted by Ubuntu and decrypted at user login. This is where documents, pictures, music, desktop files and downloads are stored.
  - Make this partition any size that you’d like.
  - Personally, I use separate physical disks for my home folder and system files.
  - Choose “Ext4” at the “Use as” prompt.
  - Set “Mount point: /home”.
With the partitions created, the swap and root volumes need to be configured:
- Select “Configure encrypted volumes.”
- Then “Create encrypted volumes.”
- Highlight and select the volumes that are listed as “crypto” by pressing spacebar, then continue.
- Enter a strong passphrase for each encrypted volume. This is the passphrase that will be required before the system will mount the volumes and boot.
- Finish and write changes.
Each encrypted volume will now have space available inside of it. To configure these volumes, select the space listed under each encrypted volume.
- Set up the first encrypted volume as swap space (choose this option under “Use as”).
- The second encrypted volume, which was previously reserved for root system files, should be set to Ext4 with the mount point “/”.
The final configuration should contain:
- Encrypted volume > Swap space
- Encrypted volume > Ext4, Root (“/”) volume
- Unencrypted Ext4 Boot partition
- Unencrypted Ext4 Home partition
With everything set up, select “Finish partitioning and write changes to disk” and continue through the remaining installation prompts.
- Create a username and password (different than the encrypted disk passphrase).
- When asked to “Encrypt your home directory”, select “Yes”.
  - This actually encrypts the user folder inside of the home directory but not the home partition itself.
  - The first time that the first user logs in to Ubuntu, a strong key is generated and can be recorded at that time. This is different than the passphrase(s) used for the root and swap partitions.
- At the prompt regarding the GRUB boot loader, select “yes” to install it on the master boot record. Changing this could result in your system not booting.
After rebooting, Ubuntu will prompt for the preboot authentication passphrase that’s needed to unlock the encrypted system disks. With this method there will be one prompt for the swap disk and one for the system disk, even if the passphrases are identical. In my experience, there will be an error on boot that says: “No video mode active”; this is caused by missing font files and is nothing to worry about.
Logical Volume Management
Alternatively, or in combination with this method, the disks can be configured using Logical Volume Management (LVM) within a single encrypted volume that will only require one passphrase to unlock. With Ubuntu’s alternate installer partition manager, the process of LVM setup is slightly more complicated and there are various reasons to use either method. It ultimately depends on the desired system configuration and user preference.
Fedora 16 Download
Full disk encryption comes standard with the Fedora 16 live CD installer and there are also many variations, called spins, to suit every system configuration and user lifestyle. The installation is much more user-friendly with Fedora, versus Ubuntu, and it comes wrapped up in a nice GUI, as well. To install Fedora with FDE, boot from CD, DVD, or USB to the live desktop and locate the installer application. From there, it’s really just a matter of creating the disk partitions and checking the “encrypt” checkbox where applicable.
One of the first screens in the installer will ask what type of devices will be involved with the installation. “Basic Storage Devices” will work for most users, although installing with “Specialized Storage Devices” is pretty straightforward, too. Don’t be scared.
- Sort through the standard installation prompts, pick a language and create a root password (not encryption related).
- When the installer asks “What type of installation would you like?”, to maintain control, select “Create Custom Layout” and continue to the disk partitioning configuration.
- In the next window, choose the target devices to use by placing them on the right side and select the device on which to store the boot loader.
  - This should be the disk where the boot partition is located.
  - For added security, this could be a USB device.
Encrypted partitions for the target devices will be built and configured on the next screen.
- Start by selecting each device that will be used and click “delete”. This deletes the partitions that already exist on the device, guaranteeing a clean slate to build upon.
- With clean disks, select the desired boot disk, create a 1MB partition and set its file system to “BIOS Boot”.
- Then create a second, standard partition on the boot device for the “/boot” files (about 250MB).
  - File System Type: ext4
  - The boot partition must remain unencrypted to ensure accessibility to boot the system.
- Create a standard partition for the swap space.
  - Select “swap space” as the file system type.
  - Set the size however you’d like (2xRAM is usually good).
  - Check the “Encrypt” checkbox.
- Create another standard partition with mount point: “/”
  - Check the “encrypt” checkbox.
  - If it’s only for system files, then 6GB should be okay.
- Finally, create a partition with mount point “/home” and check the encrypt checkbox there, too.
- Any number of encrypted partitions can be created here. They will all use the same passphrase and you’ll only be prompted once for preboot authentication.
- Once the partitions are set up to your liking, click “Next”, write the changes to the disk and continue the Fedora installation.
When prompted about where to install the boot loader, go with the default setting (changing this could result in non-booting). At this point, there’s an option to add a password to lock the boot loader. This doesn’t encrypt the boot loader and also doesn’t actually work, in my experience.
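Once either installation has booted, the layouts described in the Ubuntu and Fedora sections can be checked from a terminal. The script below is an added example, not part of the original article: it reads fstab and crypttab and reports which mount points sit on a dm-crypt mapping. It assumes fstab names encrypted volumes as /dev/mapper/<name>; the device names in the sample files are constructed.

```shell
#!/bin/sh
# Added example: report which fstab entries sit on a dm-crypt mapping.
# Limitation: an fstab line that names the inner filesystem by UUID= or
# LABEL= instead of /dev/mapper/<name> is reported as "plain".

# audit_fde FSTAB CRYPTTAB -> prints "<mountpoint|swap> <encrypted|plain>"
audit_fde() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }        # skip blank lines and comments
        FILENAME == ARGV[1] {                # crypttab: remember mapping names
            mapped["/dev/mapper/" $1] = 1; next
        }
        {                                    # fstab: classify each entry
            mp = ($3 == "swap") ? "swap" : $2
            print mp, (($1 in mapped) ? "encrypted" : "plain")
        }
    ' "$2" "$1"
}

# require_encrypted FSTAB CRYPTTAB NAME... -> 1 if any NAME is absent or plain
require_encrypted() {
    report=$(audit_fde "$1" "$2"); shift 2
    rc=0
    for mp in "$@"; do
        printf '%s\n' "$report" | grep -qxF "$mp encrypted" && continue
        echo "FAIL: $mp is not on an encrypted volume" >&2
        rc=1
    done
    return $rc
}

# Constructed sample files mirroring the Ubuntu layout (names are invented).
write_sample() {
    cat > "$1/crypttab" <<'EOF'
# <name>     <source device>  <key file>  <options>
sda2_crypt   /dev/sda2        none        luks
sda3_crypt   /dev/sda3        none        luks
EOF
    cat > "$1/fstab" <<'EOF'
/dev/mapper/sda3_crypt  /      ext4  errors=remount-ro  0 1
/dev/sda1               /boot  ext4  defaults           0 2
/dev/mapper/sda2_crypt  none   swap  sw                 0 0
/dev/sdb1               /home  ext4  defaults           0 2
EOF
}

demo=$(mktemp -d)
write_sample "$demo"
audit_fde "$demo/fstab" "$demo/crypttab"
require_encrypted "$demo/fstab" "$demo/crypttab" / swap && echo "root and swap: OK"
rm -rf "$demo"
```

On an installed system, run `audit_fde /etc/fstab /etc/crypttab`; for the Fedora layout, where `/home` is also encrypted, add `/home` to the names passed to `require_encrypted`.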
Having a fully encrypted hard disk feels a little superhero-like. With the boot volume on an external USB disk, you could take it a step further and install a “dummy,” unencrypted Linux desktop on your internal hard disk, which will boot when the USB boot key is not present. It’s important to recognize that Linux distros often come with quirks of their own. Adding full disk encryption to the installation process does add another variable to consider if things go awry, but will usually not cause any additional problems.
The latest versions of both Ubuntu and Fedora are excellent, stable, and easy enough to use that there shouldn’t be any major problems with the installation process. However, it does ultimately depend on each individual system configuration. Internet searches for errors and symptoms usually yield great results for troubleshooting all things Linux.
Known issue: With Ubuntu and Fedora, I have run into a booting problem, which I believe to be connected to nVidia video drivers. Following an error about “nouveau” the system seems to lock but pressing any key on the keyboard reveals the preboot authentication prompt. The error is present with non-encrypted installations on the same system, the difference being that the password prompt causes booting to halt, waiting for input, while the non-encrypted system is allowed to move forward automatically. With Ubuntu, installing the most recent nVidia drivers resolves the problem completely. This appears to be somewhat rare, as I cannot find a solution.