Full Disk Encryption for Ubuntu Linux: How?

    #1 Kevin Li Li Ken un wrote:

    So, I've got a system equipped with a card reader (that I can boot from), a solid-state drive, and 2 conventional hard drives. I want to install Ubuntu on it and have all of it (except the boot partition, because it can't) be fully encrypted. Just so there's no confusion here:

    1. Full disk encryption: the use of disk encryption software or hardware to ensure that every (or almost every) bit persisted in storage is encrypted and unreadable to unauthorized users. That means anything on the disk that can be covered by encryption will be covered by encryption.
    2. Linux newbie: Yes. That's me.
    3. The setup I'm trying to achieve: (see the diagram linked in the post).

    I've already done this successfully using Windows BitLocker on the same system (though I had to apply some blunt-force trauma to get it to do what I want, and it boots without prompting for a password). The same seems to take a bit more work under Ubuntu, since the official installers won't perform full-disk encryption without forcing me to type the same passphrase for every partition that needs to be decrypted. From what I've read elsewhere, I've got a general idea of what I have to do (install normally, move directories, change mount points, modify fstab and crypttab), but nothing concrete.


    My GUID: ca2262a7-0026-4830-a0b3-fe5d66c4eb1d :) Now I can Google this value and find all my Code Project posts!

    #2 loctrice wrote:

    Cryptsetup uses the software in Ubuntu already.
    File systems HOWTO (implementation is outdated) covers some encryption.
    Ubuntu (like other Linux distributions) has an extensive community. The forums and IRC channel are very good.

    #3 Kevin Li Li Ken un wrote:

    I've read the first two before posting, but the third one pretty much describes the same thing. The problem I have with the official installer's behavior is that it requires typing in a password for every single encrypted device and doesn't give the option to use a single password to decrypt all of them, hence my desire to introduce a "key partition" on a removable medium to handle automatically decrypting them; I would only have to type in the password for the key partition, achieving a convenient 2-factor authentication setup.

    #4 RichardM1 wrote:

    There are systems (like MobileArmor/DataArmor, which I used previously) that encrypt under the OS. My company uses one by McAfee that is smart enough to log me into Win7 without a 2-password requirement, though Win7 handles login from a locked system. I'd google FIPS 140-2 and Linux. Here is an open source system that rides under Linux. I suspect there are others. FIPS 140-2 is one of the NIST certifications for encryption software. It was the standard a DoD project I worked on used. Good luck.

    Opacity, the new Transparency.

    #5 ruready511 wrote:

    Lee, Gun-Woon, just to pitch in my two cents... You may not be able to achieve what you want with a solution other than TrueCrypt. The only reason I say that is because you made it very clear that you want...

    Lee, Gun-Woon wrote:

    "...every (or almost every) bit persisted in storage is encrypted and unreadable to unauthorized users."

    However, you very likely already know that there are elements on the disk that cannot be encrypted (i.e. the boot partition). There is one additional element that cannot be encrypted using any FDE software that boots from the same disk (or any that I am aware of): the partition definitions (i.e. start and stop LBAs). The reason TrueCrypt is excellent in a situation like this is because it can create an altogether hidden operating system. Their methods are rather tactful, and if your situation requires security that can thwart others' attempts at getting to your data *even after you give them the pre-boot authentication password*, then this is what you want.

    Now, about your BitLocker setup. The reason BitLocker isn't requesting a password for its pre-boot authentication is because your motherboard has something called a Trusted Platform Module (TPM) installed on it. You probably already know that, since you likely had to activate the thing before the encryption process could start. Anyway, the TPM holds the en/decryption keys to your encrypted partition. When the system boots, the system partition (Windows' 100MB boot partition) authenticates with the TPM, exchanges keys, and boots the encrypted partition by decrypting it on-the-fly. When the TPM is locked, or the disk configuration changed, or the disk is booted on a different system, or any number of things, this will cause Windows to start the BitLocker bootloader in a recovery mode. You will be prompted for a password if and when this occurs.

    I'm also new to Linux myself (I've been aspiring to the genius required to understand Unix's simplicity for some time now...). Anyway, I think you'll be hard pressed to find an Open Source Software (OSS) implementation of an FDE package that supports hardware en/decryption components. The only one I've seen tha

    #6 Kevin Li Li Ken un wrote:

    I actually have TrueCrypt working on my other Ubuntu installations, but they just protect the files and not the entire system. It's one reason TrueCrypt isn't an option. For my Windows BitLocker setup, I built the entire system myself. I couldn't find any motherboard with a TPM, so I had to make a few group policy changes as an administrator to force BitLocker to work without it. Using the command line tools for managing BitLocker, I made it deposit the boot key in the 100MiB system partition; since the system partition resides on a removable medium, there's nothing an attacker can tamper with on the hard drives but pure "random" bits. As for the setup I'm trying to achieve, Linux's dm-crypt is pretty much the only free and flexible solution that I know of that allows for it. In fact, I've gotten as far as making it work like in the diagram (2-factor authentication and all), except it asks for the password 4 times (once for each partition). It's quite annoying and an issue that I'm willing to investigate how to eliminate in an otherwise perfect setup.

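The single-prompt layout Kevin describes in #3 and #6 (one passphrase for a removable key partition, keyfiles for every other LUKS volume) is exactly what dm-crypt's own tooling supports through /etc/crypttab. The script below is an added example and is not code from this thread, from Ubuntu, or from cryptsetup; it assumes a Debian/Ubuntu system where the cryptsetup-initramfs package provides the passdev keyscript at /lib/cryptsetup/scripts/passdev, and the device names (/dev/sda2, /dev/sdb1, /dev/sdc1, /dev/sdd1), the mapping name "keys", the mount point /mnt/keys and the keyfile path /root.key are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Goal: prompt once at boot for the
# removable key partition, then unlock every other LUKS volume with a keyfile
# kept on that partition. All device names, UUIDs and paths are assumptions.
set -eu

# --- helpers that need no privileges ---------------------------------------

# Create a 4096-byte random keyfile, mode 0400; prints its size in bytes.
make_keyfile() {
  f=$1
  ( umask 077; dd if=/dev/urandom of="$f" bs=512 count=8 2>/dev/null )
  chmod 0400 "$f"
  wc -c < "$f" | tr -d ' '
}

# One /etc/crypttab line for a volume unlocked by keyfile. The key field uses
# the passdev "<device>:<path>" form, so the initramfs reads the key from the
# named device instead of prompting for a passphrase.
crypttab_line() {
  name=$1; uuid=$2; keydev=$3; keypath=$4
  printf '%s UUID=%s %s:%s luks,keyscript=/lib/cryptsetup/scripts/passdev\n' \
    "$name" "$uuid" "$keydev" "$keypath"
}

# Render a complete crypttab from "name=uuid" pairs. The key partition comes
# first, is unlocked with a passphrase ("none" key field) and carries the
# initramfs option so it is opened in early boot, before the lines that read
# the keyfile from its unlocked mapping under /dev/mapper.
render_crypttab() {
  keyname=$1; keyuuid=$2; keypath=$3; shift 3
  printf '%s UUID=%s none luks,initramfs\n' "$keyname" "$keyuuid"
  for pair in "$@"; do
    crypttab_line "${pair%%=*}" "${pair#*=}" "/dev/mapper/$keyname" "$keypath"
  done
}

# --- privileged steps (only with --apply, as root, on real LUKS devices) ----

# Add the keyfile as an extra LUKS key slot. cryptsetup asks once, now, for the
# passphrase chosen at install time; the original slot is kept as a fallback.
enrol_keyfile() {
  dev=$1; f=$2
  cryptsetup luksAddKey "$dev" "$f"
}

if [ "${1:-}" = "--apply" ]; then
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
  KEYMNT=/mnt/keys                       # assumed: unlocked key partition mounted here
  KEYPART=/dev/sdd1                      # assumed: LUKS partition on the removable card
  make_keyfile "$KEYMNT/root.key" >/dev/null
  for dev in /dev/sda2 /dev/sdb1 /dev/sdc1; do    # assumed LUKS data volumes
    enrol_keyfile "$dev" "$KEYMNT/root.key"
  done
  render_crypttab keys "$(blkid -s UUID -o value "$KEYPART")" /root.key \
    "croot=$(blkid -s UUID -o value /dev/sda2)" \
    "chome=$(blkid -s UUID -o value /dev/sdb1)" \
    "cdata=$(blkid -s UUID -o value /dev/sdc1)" > /etc/crypttab
  update-initramfs -u                    # rebuild so the new crypttab is honoured at boot
fi
```

Only the keyfile and crypttab helpers run without privileges; the --apply path calls cryptsetup luksAddKey on each drive and update-initramfs on the running system, so read it before running it. Because the keyfile lives on the removable medium, the fixed drives hold nothing usable without both the card and its passphrase, which is the 2-factor property the diagram aims for. Keep the original passphrase slots: if the card is lost, they are the only way back in.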