Full Disk Encryption For Ubuntu And Fedora

February 20th, 2012   Submitted by Ryan Taylor

It’s no secret that strong encryption is virtually uncrackable and there’s no denying its growing popularity. Creating encrypted volumes with TrueCrypt or Gnome Disk Utility is great for securing portable USB drives and sensitive material within a file system, but that doesn’t solve a major security problem: on most consumer computers the majority of personal information about the users’ lives and habits is stored completely in the clear. Even with a login and password, when an unencrypted computer or hard drive is stolen, presumably all of the data stored on it is very easily accessible through any number of means. Laptops are sweet targets for burglars. Hard drives are espionage gold to dumpster divers. Beyond that, computer systems are very frequently targeted during police and military raids of all sorts.

The purpose of full disk encryption (FDE) is to lock down the everyday files, including documents, pictures, stored communications (email), memory and application caches, and so on. When a system is properly encrypted, a passphrase is required (preboot authentication) before any booting may occur, and without that passphrase the files cannot be read. TrueCrypt can create a fully encrypted Windows installation, and the most recent version of Apple OS X (10.7) comes packaged with its own FDE. There are a few security vulnerabilities to be aware of, but in this writer’s opinion every computer system should use FDE as standard practice.

Linux Distributions

When it comes to Linux, a distribution (or “distro”) is an operating system package that usually includes a graphical desktop environment and any number and variety of additional applications. If you’re new to Linux, test drive different distros and desktop environments, as they can vary greatly and it’s ultimately up to user preference. Most Linux distros can be booted from a live CD, DVD, or USB. UNetbootin makes it easy to create portable live USB devices with any Linux distro, and it even offers a comprehensive list of distros available for direct download. It’s very smooth and simple.

Backup everything before proceeding. Installing either Ubuntu or Fedora using the method laid out in this article starts with deleting everything on the installation disk(s). Once the disk partitioning begins there is no going back. Having access to another computer with Internet access is always a good thing when installing an operating system just in case something goes wrong with the installation media and you delete your only operating system. Doh!

Immediately following the installation of any operating system, run system updates to ensure that everything is up to speed with the latest stable software and drivers.

Ubuntu 11.10 Alternate Installer Download

Ubuntu 11.10 offers home folder encryption with the standard installation, which is a great feature, but full disk encryption is only available with the alternate installer. Because of potential problems with USB disks during the installation process, I recommend using a CD or DVD. After booting from the disc the process isn’t visually stunning, but it is straightforward. A network connection isn’t needed; selecting “continue” through most of the network screens will bypass that setup until after the installation. The partitioner is specifically where the encryption magic happens, at the prompt asking for “Guided” or “Manual” disk configuration. For maximum control, always choose “Manual.”

At the partitioner:

  1. Delete the partition table for the devices that will be used. This will delete everything on the selected device, so make sure that you have everything backed up on external media.
  2. Create a new partition for the boot files.
    • The boot partition must be unencrypted for the system to boot.
    • No more than 256MB is needed for this partition, and it can be kept on a USB drive for extra security.
    • Set the file system to Ext4 and the mount point to “/boot”.
    • Since this is the boot partition, “Bootable flag” should be “on.”
  3. Create another partition to be an encrypted volume for the swap space.
    • The size of this partition varies depending on the computer. Personally, I make it around 2xRAM.
    • Set “Use as” to “Physical volume for encryption.”
  4. Create a third partition for the root file system; around 6GB should do.
    • Select “Physical volume for encryption” on this partition, too.
  5. The last space that needs to be defined is the home partition, which will be encrypted by Ubuntu and decrypted at user log in. This is where documents, pictures, music, desktop files and downloads are stored.
    • Make this partition any size that you’d like.
    • Personally, I use separate physical disks for my home folder and system files.
    • Choose “Ext4” at the “Use as” prompt.
    • Set “Mount point: /home”.

With the partitions created, the swap and root volumes need to be configured:

  1. Select “Configure encrypted volumes.”
  2. Then “Create encrypted volumes.”
  3. Highlight and select the volumes that are listed as “crypto” by pressing spacebar, then continue.
  4. Enter a strong passphrase for each encrypted volume. This is the passphrase that you will be required to enter before the system will mount the volumes and boot.
  5. Finish and write the changes.

Each encrypted volume will now have space available inside of it. To configure these volumes, select the space listed under each encrypted volume.

  • Set up the first encrypted volume as swap space (choose this option under “Use as”).
  • The second encrypted volume, which was previously reserved for the root file system, should be set to Ext4 with the mount point set to “/”.

The final configuration should contain:

  • Encrypted volume > Swap space
  • Encrypted volume > Ext4, Root (“/”) volume
  • Unencrypted Ext4 Boot partition
  • Unencrypted Ext4 Home partition.

With everything set up, select “Finish partitioning and write changes to disk” and continue through the remaining installation prompts.

  1. Create a username and password (different from the encrypted disk passphrase).
  2. When asked to “Encrypt your home directory”, select “Yes”.
    • This actually encrypts the user’s folder inside of the home directory, not the home partition itself.
    • The first time that the first user logs in to Ubuntu, a strong key is generated and can be recorded at that time. This is different from the passphrase(s) used for the root and swap partitions.
  3. At the prompt regarding the GRUB boot loader, select “yes” to install it on the master boot record; changing this could result in your system not booting.

After rebooting, Ubuntu will prompt for the preboot authentication passphrase needed to unlock the encrypted system disks. With this method there will be one prompt for the swap disk and one for the system disk, even if the passphrases are identical. In my experience, there will be an error on boot that says “No video mode active”; this is caused by missing font files and is nothing to worry about.

Logical Volume Management

Alternatively, or in combination with this method, the disks can be configured using Logical Volume Management (LVM) within a single encrypted volume that will only require one passphrase to unlock. With Ubuntu’s alternate installer partition manager, the process of LVM setup is slightly more complicated and there are various reasons to use either method. It ultimately depends on the desired system configuration and user preference.

Fedora 16 Download

Full disk encryption comes standard with the Fedora 16 live CD installer, and there are also many variations, called spins, to suit every system configuration and user lifestyle. The installation is much more user-friendly with Fedora than with Ubuntu, and it comes wrapped up in a nice GUI as well. To install Fedora with FDE, boot from CD, DVD, or USB to the live desktop and locate the installer application. From there, it’s really just a matter of creating the disk partitions and checking the “Encrypt” checkbox where applicable.

One of the first screens in the installer will ask what type of devices will be involved in the installation. “Basic Storage Devices” will work for most users, although installing with “Specialized Storage Devices” is pretty straightforward, too. Don’t be scared.

  1. Sort through the standard installation prompts, pick a language and create a root password (not encryption related).
  2. When the installer asks “What type of installation would you like?”, select “Create Custom Layout” to maintain control, and continue to the disk partitioning configuration.
  3. In the next window, choose the target devices to use by placing them on the right side, and select the device on which to store the boot loader.
    • This should be the disk where the boot partition is located.
    • For added security, this could be a USB device.

Encrypted partitions for the target devices will be built and configured on the next screen.

  1. Start by selecting each device that will be used and click “Delete”. This deletes the partitions that already exist on the device, guaranteeing a clean slate to build upon.
  2. With clean disks, select the desired boot disk and create a 1MB partition with the file system set to “BIOS Boot”.
  3. Then create a second, standard partition on the boot device for the “/boot” files (about 250MB).
    • File System Type: ext4
    • The boot partition must remain unencrypted so that the system can be booted.
  4. Create a standard partition for the swap space.
    • Select “swap space” as the file system type.
    • Set the size however you’d like (2xRAM is usually good).
    • Check the “Encrypt” checkbox.
  5. Create another standard partition with mount point “/”.
    • Check the “Encrypt” checkbox.
    • If it’s only for system files, then 6GB should be okay.
  6. Finally, create a partition with mount point “/home” and check the “Encrypt” checkbox there, too.
  7. Any number of encrypted partitions can be created here; they will all use the same passphrase and you’ll only be prompted once for preboot authentication.
  8. Once the partitions are set up to your liking, click “Next”, write the changes to the disk and continue the Fedora installation.

When prompted about where to install the boot loader, go with the default setting (changing this could leave you with a system that won’t boot). At this point, there’s an option to add a password to lock the boot loader. This doesn’t encrypt the boot loader and also doesn’t actually work, in my experience.
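Once either installation has rebooted, it is worth confirming that the layout really came out the way the steps above intend. The script below is an added example (not part of the article or either installer): it takes the output of `lsblk -rno NAME,TYPE,MOUNTPOINT` and checks that each mountpoint you expect to be encrypted is served by a dm-crypt device, and that /boot is a plain partition. The embedded lsblk text is constructed to match the Ubuntu layout (swap and root in LUKS, /home plain), so the Fedora-style expectation, which also wants /home encrypted, fails against it on purpose.

```shell
#!/bin/sh
# Post-install FDE layout check. Added example; the sample lsblk text is
# constructed and the --live flag is an assumption of this script.

# Constructed output of `lsblk -rno NAME,TYPE,MOUNTPOINT` for the Ubuntu
# layout in the article: plain /boot, LUKS-backed swap and /, plain /home.
SAMPLE_LSBLK='sda disk
sda1 part /boot
sda2 part
sda2_crypt crypt [SWAP]
sda3 part
sda3_crypt crypt /
sdb disk
sdb1 part /home'

# check_fde_layout LSBLK_TEXT MOUNTPOINT... -> 0 if every mountpoint is on a
# "crypt" (dm-crypt) device, 1 otherwise. One finding is printed per line.
check_fde_layout() {
    table=$1
    shift
    rc=0
    for mp in "$@"; do
        # Column 2 is TYPE, column 3 is MOUNTPOINT ("[SWAP]" for swap).
        dtype=$(printf '%s\n' "$table" | awk -v m="$mp" '$3 == m { print $2; exit }')
        case $dtype in
            crypt) echo "ok:   $mp is on a dm-crypt device" ;;
            "")    echo "FAIL: $mp is not mounted"; rc=1 ;;
            *)     echo "FAIL: $mp is on a plain '$dtype' device, not encrypted"; rc=1 ;;
        esac
    done
    return $rc
}

# check_boot_plain LSBLK_TEXT -> 0 if /boot sits directly on a partition,
# which this setup requires so that GRUB can load the kernel.
check_boot_plain() {
    dtype=$(printf '%s\n' "$1" | awk '$3 == "/boot" { print $2; exit }')
    [ "$dtype" = part ]
}

if [ "${1-}" = --live ]; then
    # Inspect the real machine (assumes util-linux lsblk is installed).
    LSBLK=$(lsblk -rno NAME,TYPE,MOUNTPOINT)
else
    LSBLK=$SAMPLE_LSBLK
fi

echo "== Ubuntu-style expectation: swap and / encrypted =="
check_fde_layout "$LSBLK" / '[SWAP]' || echo "layout check FAILED"
echo "== Fedora-style expectation: swap, / and /home encrypted =="
check_fde_layout "$LSBLK" / '[SWAP]' /home || echo "layout check FAILED"
check_boot_plain "$LSBLK" && echo "ok:   /boot is a plain partition (required)"
```

Run it with `--live` on the installed system to check the real block devices instead of the sample.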

Final Notes

Having a fully encrypted hard disk feels a little superhero-like. With the boot volume on an external USB disk, you could take it a step further and install a “dummy,” unencrypted Linux desktop on your internal hard disk, which will boot when the USB boot key is not present. It’s important to recognize that Linux distros often come with quirks of their own. Adding full disk encryption to the installation process does add another variable to consider if things go awry, but it will usually not cause any additional problems.

The latest versions of both Ubuntu and Fedora are excellent, stable, and easy enough to use that there shouldn’t be any major problems with the installation process. However, it does ultimately depend on each individual system configuration. Internet searches for errors and symptoms usually yield great results for troubleshooting all things Linux.

Known issue: With Ubuntu and Fedora, I have run into a booting problem, which I believe to be connected to nVidia video drivers. Following an error about “nouveau” the system seems to lock but pressing any key on the keyboard reveals the preboot authentication prompt. The error is present with non-encrypted installations on the same system, the difference being that the password prompt causes booting to halt, waiting for input, while the non-encrypted system is allowed to move forward automatically. With Ubuntu, installing the most recent nVidia drivers resolves the problem completely. This appears to be somewhat rare, as I cannot find a solution.

32 Responses to “Full Disk Encryption For Ubuntu And Fedora”

  1. You could run your linux distro in a VM, encrypt that, keep it on a network drive, fully encrypt the drive as an auxilliary drive to a host encrypted os, and then you’d really have some bad-ass security.

    • Ryan Taylor says:

      Very true. There are tons of different ways to do FDE in all sorts of configurations. Ultimately it depends on the individual user’s goal, skills and amount of desired secrecy.

  2. Bradley says:

    Yes, amen to the previous comment.

    This is an excellent guide which covers this: http://anoncentral.tumblr.com/Security

    If there is any group that should know how to remain anonymous/secure it’s anonymous!! I mean just look at their name, that’s an absolute guarantee ;).

    The guide even goes as far as to use a hidden volume, so that you can reveal a decoy password if coerced/extorted.

    I installed ubuntu some weeks ago because I wanted to use it only when doing sensitive stuff, I trust it more than windows. But dualbooting was tedious and time consuming. However now with running ubuntu/dsl virtualized from within windows it will be a much easier and more convenient transition.

    • Ryan Taylor says:

      That is a great guide from Anonymous that covers many aspects of security and anonymity from start to finish. Their process is different than the one I’ve described, as is their purpose. For starters, their guide is written for Windows and intended for people who want a dual-booting or virtual machine system. Since I have no interest in running Windows on my PC, the process of setting up a linux OS with FDE is entirely different.
      It’s interesting to me that Anonymous doesn’t go into installing Windows with FDE prior to installing the VM with Ubuntu.

      • Bradley says:

        How come you find it’s interesting if I may ask?

        Would you recommend FDE on windows as a complement if one was to follow that setup? Or would that be overkill since everything sensitive is contained within the guest OS anyway? That is as long as one is careful with not doing anything sensitive on windows.

        I will personally go with FDE in windows as well, I’m a happy pirate as everyone else and all that media/cracked software I still use in windows, albeit the risk with govt. going after one for that stuff alone is slim to none.

        /TOR and VPN tunnel enabled 😉

        • Ryan Taylor says:

          Full disk encryption protects the operating system and swap data at the most fundamental level possible, so it makes sense to me that anyone wanting maximum protection would start there. Personally, if I wanted Windows installed, I would start with FDE on Windows (using TrueCrypt) and then install other operating systems, either multi-boot or VM.
          There’s a good argument for having and using an unencrypted OS that will automatically boot without a USB boot drive, allowing for plausible deniability. The Anonymous guide would essentially accomplish this in a different way but then why not have a separate, encrypted Windows installation for piracy?
          There are so many different techniques to accomplish FDE for various means and ends. As I was writing this guide, I actually devised a more advanced way to incorporate LVM but wanted to keep this process simple and direct.

  3. siluetas says:

    This is great. I knew how to do the stuff in the actual article, but the follow-up techniques in the comments were new, and I’m happy this article was here for everyone else to share knowledge under.

  4. Bob Robertson says:

    The problem being that it will always be “nearly” full disk encryption, because there must be something outside of the encrypted area in order for the kernel to load.

    Debian has a standard selection during install to build the system with everything except the /boot area encrypted. No need for all the extra steps and alternative downloads.

    Combine that with a utility to compare the contents of /boot with checksums and such (or even just a duplicate directory with “diff /boot /home/bob/encrypted_boot”) during startup, and you can tell if your system has been compromised while you were away from home. Sadly that would require actually booting into your encrypted system, so if it has been compromised your password is already sniffed and very likely sent on to the bad guys already.

    Unless you’re smart and don’t start networking until _after_ the check.

    Anyway, anyone who hasn’t tried Debian should do so, if for no other reason than I like it, and I’m perfect, so I know you will too.
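Bob’s checksum idea, turned into a startup gate, as an added example that is not the commenter’s script or either distro’s tooling: a SHA-256 manifest of /boot is kept on the encrypted root, the real /boot is re-hashed against it at boot, and networking is only started if nothing changed, went missing, or appeared. The manifest path and the throw-away /boot tree in the demo are constructed for illustration.

```shell
#!/bin/sh
# /boot integrity gate (added example). MANIFEST must be an absolute path and
# should live on the encrypted root, where an offline attacker cannot edit it.

# make_boot_manifest BOOTDIR MANIFEST : record a SHA-256 for every file.
make_boot_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$2"
}

# verify_boot BOOTDIR MANIFEST : 0 only if every recorded file is unchanged
# and no unrecorded file has appeared. Findings are printed one per line.
verify_boot() {
    bootdir=$1
    manifest=$2
    status=0
    # Changed or missing files: sha256sum -c re-hashes each recorded entry.
    out=$( cd "$bootdir" && sha256sum -c "$manifest" 2>&1 ) || status=1
    printf '%s\n' "$out" | grep -v -e ': OK$' -e '^$' || true
    # Files the manifest never saw: a hash check alone would miss an extra
    # kernel or module dropped next to the recorded ones.
    work=$(mktemp -d)
    awk '{ print $2 }' "$manifest" | LC_ALL=C sort > "$work/was"
    ( cd "$bootdir" && find . -type f ) | LC_ALL=C sort > "$work/now"
    added=$(comm -13 "$work/was" "$work/now")
    rm -rf "$work"
    if [ -n "$added" ]; then
        printf '%s\n' "$added" | sed 's/^/NEW FILE (not in manifest): /'
        status=1
    fi
    return $status
}

# Demonstration on a constructed, throw-away /boot so the script runs anywhere.
demo_boot_check() {
    t=$(mktemp -d)
    mkdir -p "$t/boot/grub"
    printf 'fake kernel image\n' > "$t/boot/vmlinuz-demo"
    printf 'set timeout=5\n' > "$t/boot/grub/grub.cfg"
    make_boot_manifest "$t/boot" "$t/boot.sha256"
    echo "-- pristine /boot:"
    verify_boot "$t/boot" "$t/boot.sha256" && echo "ok, safe to start networking"
    printf 'set root=(hd0,1)\n' >> "$t/boot/grub/grub.cfg"   # simulated edit
    printf 'x\n' > "$t/boot/extra.mod"                        # simulated unexpected file
    echo "-- tampered /boot:"
    verify_boot "$t/boot" "$t/boot.sha256" || echo "FAILED, do not start networking"
    rm -rf "$t"
}
demo_boot_check

# Intended use early in startup (assumed paths), before any network comes up:
#   verify_boot /boot /root/boot.sha256 || { echo "refusing to start networking"; exit 1; }
```

Regenerate the manifest after every legitimate kernel or GRUB update, or the next boot will report the update as tampering.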

    • Ryan Taylor says:

      It’s good to hear that Debian has such an easy FDE option. I’ve been wanting to check it out but am currently very pleased with Ubuntu. I love trying new systems though so I’ll take your recommendation.
      Good points on the nearly FDE problem. That’s why it’s a good idea to put the boot partition on a small USB drive and some people say that you should keep it on your person at all times. 100% security isn’t possible but the simple procedures should be practiced anyway.

      • Bob Robertson says:

        I very much like having the boot system on a USB drive. Some day I may even do it.

        Also there is the option of writing the image to a boot CD, just in case. I would hate to lose an entire system just because I lost a thumb drive.

      • Paul says:

        Ubuntu 13.04, and some Ubuntu derivatives based on the same version such as Linux Mint now have FDE option when installing the system, and of course less hassle of installing everything like you have to do on Debian.

  5. AgoristTeen1994 says:

    Hey quick question…is it possible to use FDE with Fedora 16 AFTER installing it…because I installed it already and I would much prefer to not have to reinstall it.

  6. Rocket says:

    Great article, very informative and well written. Thanks. Back before I switched over to linux and I was still running windows, I had FDE but with the number of viruses etc that windows inherently accumulates even with virus software which oftentimes only comes to the rescue after the victim’s throat is slit, my system eventually resembled a fortress surrounding a garbage dump. Now, anything that I want to keep completely off radar I only save to key chain flash drives, the ones resembling rabbit’s feet and the like, but I think there is value to FDE, absolutely. Not so much VMs though unless they are used as an environment for windows, and after converting to Linux, I don’t even like to think about windows. Also, even though this is out of the scope of your article and though it may or may not be of use to your readers, they might want to take a look at Linux Bastille, which although looks to have hit a dead end, is actually a good lesson in net security and system hardening and maybe the occasional use of sherpa for checkups. But again, great article.

  7. Rocket says:

    Note: please read all documentation for system hardening programs as they are not for beginners. Sorry, I meant to mention this in my original post.

  8. LiveFree says:

    Curious…do you install the BIOS Boot AND the /boot on the USB key or just the BIOS boot?

  9. George says:

    Very informative article! However, when I try to partition a USB thumb drive as the /boot in Ubuntu, I get dumped to grub rescue (unknown filesystem) on a cold boot. However, on a warm boot (enter BIOS -> save&exit -> restart) Ubuntu boots OK. Any ideas how to resolve this? (I checked the bootable flag with the USB partition; BIOS is also set to boot first from USB.)

    A second question is, regarding the GRUB boot loader, if it’s installed to MBR, then it’s on the hard drive, no? So the vulnerability that we’re trying to avoid by putting the /boot onto a USB is not solved. Correct?

  10. Ryan Taylor says:

    My first reaction is that it’s really strange that it boots after you enter the bios but won’t boot cold. That indicates to me that your USB boot device might not be getting power soon enough in the boot process. That seems like a stretch, though.
    I actually ran into the GRUB rescue (unknown filesystem) error while I was working through this guide but, of course, it’s hard for me to recreate it now. It’s possible that your two questions are closely related as it sounds to me like your computer is getting confused as to where the operating system is in relation to GRUB. The default configuration for GRUB loader is to put it on the same device as the boot partition, with this setup that means that it will go on the USB device.
    If my memory serves me well, the solution to your problem is at the GRUB bootloader prompt, toward the end of the installation process. If selecting “Yes” on that screen didn’t work, then you could try setting it manually to the same device as the boot partition.

    • George says:

      Yes, manual select did the trick. Thanks! 1:0 for fedora though, as this whole issue is avoided with the GUI install.

  11. Stevoblevo says:

    Isn’t SElinux a version of encryption? I know fedora at least has it

    • Ryan Taylor says:

      I don’t have first-hand experience with SELinux but, from what I can tell, it’s a kernel modification that allows higher control over user access restrictions but doesn’t have specifically to do with encryption. Linux disk encryption is LUKS.

    • Bob Robertson says:

      No. SELinux is purely a permissions structure, that allows only permitted binaries to run, and limits their access to resources and files. The reason for SELinux is to prevent unauthorized access. That’s all.

      Once a system is running, Full Disk Encryption is effectively disabled. The “system” sees the disk as wide open while the system is running. The function of full disk encryption is to prevent data access if the hardware is stolen or otherwise compromised while the system is OFF.

      • Bob Robertson says:

        Let me fix that.

        SELinux secures a running system from unauthorized access. It doesn’t stop someone from booting from a thumb-drive and seeing the disk as wide open.

        Full Disk Encryption secures a non-running system that is physically compromised, stolen, imaged while you’re not home, etc. As long as the system is running, the system and applications see the disk as wide open.

        You can do both, they’re entirely independent.

  12. Jones says:

    What about if you dual boot Windows and Linux? Is it possible to encrypt the entire Windows volume with TrueCrypt, and then the entire Linux volume with the alternate installer, have your /boot on a USB device and have to whole thing still work? Or is there a better (simpler) solution for FDE on a dual boot HDD?

    • Ryan Taylor says:

      Installing Windows on your system with your linux boot volume on a USB device is actually quite easy. While partitioning during the linux installation, leave empty space, intended for your Windows system volume. After installing your linux distro, remove the USB device that contains your boot volume and boot from the Windows installation disc. Install Windows as you would normally, onto the empty volume that was created earlier.
      Your BIOS will need to be setup to boot, when the USB device is not present, from the hard drive containing your new Windows installation. This will keep your Windows Boot Loader and linux GRUB separate.
      After Windows is installed, install TrueCrypt and use it to encrypt your Windows system volume. During this process, select “Single Boot” as your system type when prompted by TrueCrypt.
      Now, when the USB drive containing your linux boot volume is present and set in the BIOS as the primary boot device, the system will boot into your encrypted linux distro. If the USB drive is not connected, your system will boot to the hard drive containing the encrypted Windows installation and TrueCrypt will prompt for pre-boot authentication before booting into the Windows OS.
      Neither OS will be able to natively identify the other system drives, however you can use TrueCrypt in linux to mount and access the Windows system device. Windows has no way of accessing or identifying an encrypted linux device.

  13. Rene says:

    Thanks for the cool howto.

    I’d like to have a bootable usb memory stick with Fedora 16 so I can have my own operating environment anywhere I can find a piece of hardware connected to the internet, but as usb sticks are easy to lose I’d like to apply FDE to the stick. How can that be done?

    • ryrypunk says:

      That’s a great idea!
      It’s pretty much the same setup as any other Fedora FDE installation, but you want to put all of your partitions on your USB stick. The BIOS boot and /boot partitions should be the only unencrypted partitions. You might need to change the BIOS settings on whatever computer you are booting so that it will attempt to boot from the USB stick first; then it will prompt you for your encryption password and everything will proceed as normal.
      The only real catch to using a USB stick for your entire OS, encrypted or not, is that if you run out of space on your root partition (“/”) then the OS will crash and you probably won’t be able to boot back into it unless you can delete files from another computer and it could get really messy.
      Make sure that the USB stick is large enough to have a root partition that can handle apps that you’ll want to install and still have space to spare. Plus, you’ll definitely want to make your home folder (/home) a separate partition (on the USB stick) so files saved to the desktop, downloads folder, etc. don’t consume the last few MB of your system partition and cause a meltdown.
      I have done this with Fedora Xfce and highly recommend using a light-weight Fedora Spin, in this case, to keep the OS space requirement down, or use a 16GB+ USB stick.

      • Rene says:

        I’ve tried several times now. Using either Fedora’s own “LiveUSB Creator” or YUMI works fine – but they don’t have any option to apply FDE – and any other method of installing to a USB stick, applying FDE, fails with some obscure error after it completes the last “writing image to disk” part. Maybe you could give it a try and let me know if you have more luck with it.

  14. Just wanted an update. I just installed Ubuntu 12.04.1 alternate, and it handles FDE during the install process if you select “Guided encrypted LVM”. Just did it, it is incredibly easy. Now I’m gonna play with it and see what the actual system looks like in a few minutes when it’s done with the base install.

  15. gjks says:

    This should be obvious by now, but I will say it again. You cannot trust Windows or Mac for anything security related whatsoever.

    The Iranian Govt. can’t secure their Windows boxes, and neither can you or SymanNortAfee (see Stuxnet and Flame virus).

    Even if you never connect Windows to the Internet, the recommended way of using Windows, the pseudo-random number generator in Windows, CryptGenRandom, has had a lot of problems, and there is no reason to trust whatever Windows uses now. Whatever private GPG/PGP keys were generated on Windows machines are probably not very good.

    We don’t know what Windows is capable of doing to an otherwise secure OS running in VirtualBox. Likewise, nobody knows what it can do when you dual boot. Get another hard drive and install Debian on it, and never attach it when Windows is running. To transfer files, boot from Debian and copy and paste to your Windows HD.

    And I do not hate Windows; it is the best for editing movies and photos and playing games. However, if you’re thinking of using it for security, look at the security guides provided by the NSA; you’ll see that learning to use a better OS is an easier solution.

    http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml

  16. Seth King says:

    According to this article it looks as if Ubuntu finally put FDE into its standard install.

    https://www.eff.org/deeplinks/2012/11/privacy-ubuntu-1210-full-disk-encryption

    I may have to make the switch from Fedora back to Ubuntu now.