Installing Ubuntu 8.04 with full disk encryption

“Update”: it’s been ages since this was first posted, but I still use a system that’s configured as described below. The hardware under it has changed, and it’s seen some distribution upgrades, but I’m quite happy with this old disk layout. It’s good news then, that Ahmad, Niels, and Matt report that you can still do the same on Ubuntu 10.04 LTS. Thanks guys, means I still don’t have to write anything new!

This is a brief walk-through of installing Ubuntu Hardy Heron (I used the release candidate, see the previous post) with a LUKS encrypted LVM partition, and preparing it for snapshot backup (explained below). You will need the “alternate” installer for this (ie. not the “desktop” Live CD).

A couple of months ago I did the same thing for my other machine using the Debian 4.0 (Etch) installer and as far as I can remember it was exactly the same procedure. At the time I was planning to run this installation again in a virtual machine and take screenshots, but actually it is really simple (cheers to the team that wrote the installer!) and if you’re attempting this you probably don’t appreciate such hand-holding anyway. So I didn’t bother to make neat virtual-machine screenshots, but to lighten up the text I did put in some crufty digital-camera screenshots here and there.

Why would you want this?

For a home user like me, I think it makes most sense to have this on a laptop. While even strong encryption can’t guarantee that no one will ever read your data, the real-world scenario is of course that you don’t really have anything to hide. Encryption is rather an extra convenience: if someone steals your laptop, you’ll worry a lot less about them getting access to your email and other important accounts (think browser cookies…). In case you’re wondering why the user login won’t protect you: anyone with physical access to the machine – like a thief – can just reboot and start in single-user mode, thereby getting root user privileges. Not so with an encrypted disk.

An objection here is that your CPU will have to do some extra crypto-exercise whenever you read or write to disk, and that will cost some battery life. I haven’t quantitated this but it doesn’t seem to make a huge difference (sorry, that’s a worthless statement indeed). I didn’t notice any slowdown either, using a 1.8GHz Turion64 (more worthless subjectiveness).

What about the LVM stuff? The whole logical volume management thing was mainly designed to give you flexible storage options (eg. add a hard disk and simply expand your existing partitions onto it), and of course that’s not really important for a home user. Heh, in a laptop you’re certainly not very likely to add a new disk. However there’s one feature of LVM that I think is useful to us: snapshots. An LVM snapshot gives special access to your file system as if frozen at some point in time. That means you can run a backup using the snapshot and you can continue working at the same time, without worrying that the backup will catch files in some inconsistent state because you were writing to them.

That’s not a big advantage, because it’s not a big problem most of the time. But as it’s so easy to set up now, why not do it? One downside I can see is that it makes it a bit trickier to access your file system from a recovery disk. Any recovery tool understands plain ext3 partitions (even MS Windows can access those), but if you want to open an (encrypted) LVM partition you might need to check the feature page of the recovery tool, and jump through a few more hoops. In the end, of course, you set this up to enable snapshot backups – so you shouldn’t need recovery tools to begin with ;)

Enough talking, let’s get on with it

Ubuntu installer boot menu

All rise please :)

What follows below is really confusing, because everything is referred to as a “partition”. The traditional partitions on your physical hard disk are called partitions, but then inside your encrypted volume you’ll also create an LVM partition, and as far as the installer is concerned the logical volumes you’ll create inside the LVM are also called partitions. There’s probably a more formal lingo for this but I don’t know it. Besides, calling all these things partitions also shows the elegance and transparancy of the system: despite the fancy stuff all your encrypted logical volumes eventually appear to be plain partitions.

One more note: on my laptop, I had to disable the frame buffer (see yesterday’s post). The crufty camera shots below may look slightly different than what you’ll get served.

Ok, so you have the alternate install cd. Boot it and answer some basic stuff (keyboard layout etc) until you get to the disk partitioner. The partitioner has an automatic option “set up encrypted LVM”, which uses the entire disk, creates a small unencrypted boot partition, fills the rest of the disk with an encrypted LVM partition, and creates two volumes within it: one for swap space and one that holds your root file system.

For our purposes, we’ll have to opt out of the automatic option: it doesn’t leave free space for snapshots, and I also really prefer a separate volume for /home. Manual partitioning it is, then.

We start with creating a plain partition to mount as /boot later. I think 100MB has always been more than enough for that, but the automatic partitioner took 250MB: good if you want to be on the safe side. All you need to do is specify the mount point – the standard options for an ext3 file system are fine I think.

I took one big partition to cover the rest of the disk. Here, we choose to use it as “physical volume for encryption”. Again, all the standard dm-crypt options are just fine as far as I’m concerned. But never trust a lame blogger: you can read more about your choices in the Debian Installation manual – currently, section 6.3.2.4 covers encrypted volume options. After that, you’re “Done setting up the partition”.

/boot and crypto volume

The partitions overview by now

At this point, the main partitioner menu becomes a little bit unintuitive (it’s just a layout problem really): the option to Configure encrypted volumes appears at the top, where you may not expect it because you’ve been configuring partitions in the lines below. This prompts you to commit your partition changes and wait for the secure erase of the partition to be encrypted (this fills the partition with random bits and takes quite a while). When that’s done, you’ll need to choose a passphrase that unlocks the partition.

You’ll be typing this passphrase quite often (unless you suspend rather than hibernate or shut-down most of the time – note that disk encryption doesn’t protect your suspended system in any way) so my advice is not to pick something too secure ;) If you want to be fancy, you can later create a key file to unlock the system disk using a USB key. Here’s a description that works for Debian Etch; I didn’t try on Ubuntu Hardy yet, but I believe there have been alterations to the boot process which may change the details slightly.

encrypted volume

Note the new entry

Now, when you get back to the main partitioner menu, “Encrypted volume” should show up as a new disk. There’s one partition inside it, marked #1, which we’ll use as “physical volume for LVM”. Back in the main menu, again a new option appears at the top – Configure the logical volume manager.

Create a volume group, using your one LVM partition (this seems a bit silly in this context but it would make sense if we had many disks to manage). Now you can create logical volumes within that volume group. I took a generous 10GB to configure as / later, a 1GB swap partition (note: take more if you have more RAM installed and want to write a hibernation file to it), and most of the rest of the disk to mount as /home later. At this point I left a few GB free to be able to create snapshot volumes later.

LVM configuration

The LVM config menu

LVM configuration

Configuration details: note the bit of free space left. Volume names are arbitrary.

You don’t need much space for a snapshot volume: it only stores reverse changes of your main file system from the time point where you created the snapshot. Unless you leave your snapshot around for days, “a few GB” is in fact far too much. If you’re getting curious how the snapshot backups will work, see this guide from the LVM HOWTO.

with logical volumes now

Back in the main menu…

So now you’re finished configuring LVM, and you get back to the main partitioner menu. It’s really crowded now: the LVM logical volumes show up as separate disks in addition to the physical disks and the encrypted volume. This is where you configure the partitions on the logical volumes, which are again marked #1. I’m only deviating from the default options in one case: for /home I chose to reserve 0% reserved blocks – I don’t think a full /home can bring the system down (but correct me if I’m wrong! update: it seems I am, see this comment below).

What else? Nothing. Scroll all the way down to find the “Finish partitioning” option and wait while your system gets installed. Unlike with the “desktop” installer you don’t have a live system that allows you to browse the internet while the install is running, so bring out your knitting kit now… (you’ll have to do speed-knitting though, the installer is pretty fast).

How simple was that? I’d say: another cheer for the installer team!

About these ads

160 Responses to “Installing Ubuntu 8.04 with full disk encryption”


  1. 1 Joe 24 April 2008 at 16:57

    Thanks! Worked well.

  2. 2 yungchin 24 April 2008 at 20:57

    Hi Joe, thanks for leaving a comment! Glad it worked.

    Extra info: I just found that Phoronix evaluated the performance of a setup with an encrypted file system recently:
    http://www.phoronix.com/scan.php?page=article&item=ubuntu_hdd_encrypt&num=1

  3. 3 Jon 25 April 2008 at 19:35

    Thank you! This was a great guide. Easy to follow even for a beginner like me. But the linked page on how to setup passwordless disk encryption is VERY hard to grasp in comparison. I can’t manage it. Which is sad because I was really looking forward to using a keyfile for my encrypted drive. When I read about that feature being added to Hardy I assumed that it would be doable through the installer menus. Maybe in the next release…

  4. 4 Dieter_be 26 April 2008 at 11:12

    Great post! Exactly what I was looking for.

    Btw ext reserved space is also used to avoid fragmentation. I usually reserve 1% for non-root filesystems

  5. 5 yungchin 26 April 2008 at 23:37

    Thanks, Jon – and I agree, that tutorial is not so easy. It works though (I used it on my desktop machine). It would be very cool if it became an automated part in the next installer.

    Hi Dieter, thanks – I’ll flag the reserved-blocks item as bad advice. I searched for a bit but couldn’t find a good explanation of how ext2/3 prevent fragmentation, and I’m curious now… would you have any pointers for me?

    (ps: I’m removing some pingbacks that came from my other posts this week… starts to look like I’m talking to myself too much :))

  6. 6 John 27 April 2008 at 8:13

    Thanks for the article! I didn’t realise the Ubuntu installer had this feature. It adds a bit of peace-of-mind when I’m lugging my old laptop from city to city…

    Now, I was wondering. Is there an easy way to change the password later?

  7. 7 yungchin 27 April 2008 at 9:58

    Hi, thanks – yes it’s not too hard to do that:

    Basically you add a second password with something like “sudo cryptsetup luksAddKey /dev/sda2″ where you use the device name of the encrypted partition. It prompts you for the existing password and then tells you in which “slot” that is.

    You can then use the new password to remove the old one. It’s a kind of nice and safe procedure. See “man cryptsetup” for the exact commands, there’s luksAddKey and luksDelKey and some more stuff.

  8. 8 Stuart 28 April 2008 at 22:24

    You mention making snapshots to do backups. I have a ext3 filesystem encrypted with cryptsetup (luks) on a LVM partition and would like to make snapshot of the partition so that I can back it up with dump. Making the snapshot is easy enough

    lvcreate –size 1m –snapshot –name snap /dev/vg0/archive
    cryptsetup luksOpen /dev/mapper/vg0-snap snap
    mount -r /dev/mapper/snap /mnt

    but cryptsetup needs to know the passphrase to mount the snapshot. This of course means that I cannot do my backups in a script at 4am. Can you see a way around this or does using encryption make unattended snapshots impossible?

  9. 9 yungchin 28 April 2008 at 23:14

    I think there’s a way around that (unless I misunderstand the situation). You can store a key file that unlocks /dev/vg0/archive on /dev/vg0/archive.

    Sounds unintuitive, but I assume you have /dev/vg0/archive mounted (why make snapshots, otherwise?). So now you can let the script use the key file to unlock /dev/mapper/vg0-snap.

    When you unmount the partition, nobody can see the keyfile because the partition is encrypted, so this is still safe (you can make it readable only by root, in addition). Here’s a tutorial of how you add a key file.

    Thanks for visiting!

  10. 10 Leona Magusky 29 April 2008 at 15:14

    “Back in the main menu, again a new option appears at the top – Configure the logical volume manager.”

    That option never appears for me. After I create the encrypted partition, I only have 3 options at the top: config encrypted vol, guided part, and help on part.
    I see the Encrypted volume created as #1, I but I don’t have the menu option.

  11. 11 yungchin 29 April 2008 at 16:13

    Hi Leona, thanks for leaving a comment!
    So when you select the #1 entry under Encrypted volume (highlight it as in the photo, then hit enter), you can choose what to use it as. In the photo it is still set to use as ext3, but you want to change this to “physical volume for LVM”. Hope that helps, good luck!

  12. 12 Leona Magusky 29 April 2008 at 19:00

    yungchin: THANKS! it worked as described.

  13. 13 Rick 5 May 2008 at 4:01

    How does this work if I want to dual-boot with windows?

  14. 14 yungchin 6 May 2008 at 18:44

    Hi Rick,

    In that case you want to leave your Windows partition in place, so the /boot and LVM partitions would not span the whole disk.

    There’s an extra step at the beginning should you need to resize your Windows partition. I’m afraid I don’t have any screenshots for that – I deleted my Windows partition this time around!

    As for encryption options, you can only use the LUKS encryption on the non-Windows partitions I think (with some effort you could read the encrypted partitions from within Windows but you can’t put your Windows system on such a partition). You can however use Truecrypt for the Windows partition.

  15. 15 Vato' 14 May 2008 at 21:30

    If you need it, FreeOTFE allows LUKS volumes to be mounted under MS Windows. For more info: http://www.freeotfe.org/features.html

    You can encrypt your Windoze system partition with Truecrypt as suggested by yungchin and install FreeOTFE within it to gain access to the encrypted LUKS volume. I’m not sure but to access the ext3 or ext2 filesystem inside LUKS partition from Windoze, you may also need “Explore2fs” (http://uranus.it.swin.edu.au/~jn/linux/explore2fs-old.htm).

    Finally:
    – FreeOTFE (at the moment, as from its feature’s list) doesn’t support Windows system partition encryption but can mount LUKS volumes.
    – Truecrypt (see its feature’s list) support Windows system partition encryption but doesn’t LUKS volumes

  16. 16 Jon 16 May 2008 at 0:43

    Ok, I’ve tested making several encrypted hardy installs now (through virtualization software) and start to feel that I’ve gotten the hang of it. Now I’m thinking about trying to setup a keyfile.

    I’m most of all hoping that someone will make a guide as great and pedagogical as this one but covering keyfile setup. Though I’m willing to attempt even without that. But could you yungchin, or anyone else likewise experienced with this, tell me if there are any parts of the linked page
    http://wejn.org/how-to-make-passwordless-cryptsetup.html
    that are likely to be different when trying to setup a keyfile for Hardy?

  17. 17 yungchin 16 May 2008 at 11:25

    Hi Jon,

    I don’t think there should be any differences, but I didn’t try it!
    When I tried it for Etch, I formatted my USB stick with ext2 by the way. That saves you having to build FAT support into the boot loader.

    Oh and: you don’t have to leave an email address here by any requirement – so no need to cook one up ;)

    Vato: thanks!

  18. 19 Jon 28 May 2008 at 1:00

    Ok, I finally got around to try this…
    I’ve completed all steps in the linked guide. Everything worked for me except part 3, step 1:

    # echo -e “vfat\nfat\nnls_cp437\nnls_iso8859_1″ >> /etc/initramfs-tools/modules

    That gives me an error message: “permission denied.” I’ve also tried it with the sudo prefix but get the same error.

    The USB stick I wish to use is formatted in FAT. You wrote that you formatted your stick with ext2. Does that mean that you could skip part 3, step 1? If so, how do I format a USB stick to ext2?

  19. 20 yungchin 28 May 2008 at 6:45

    Yes, that would fail with sudo: if you cut up the command in the way bash interprets it, it says: run echo with superuser rights, then append the output of it to /etc/…/modules. But it’s actually the latter that you need to be superuser for.

    I don’t know how to do it that way (piping output with sudo), so instead I’d use sudoedit to write the line at the end of the file. But yes, you can skip that line when you have an ext2-formatted stick. You can use mkfs or, more precisely, mke2fs to format the stick (I don’t think I used many switches but I really can’t remember all that stuff so I have to read the man page everytime I use mkfs :)).

  20. 21 Jon 28 May 2008 at 9:42

    Ah, so all that command part does is to append the first textstring to the modules file? I didn’t lie when I said I was a beginner as you can see :-) I’ll give the sudoedit way a try now instead.

  21. 22 yungchin 28 May 2008 at 9:51

    Yes, that’s all it does. By the way, I just realised it’s not called piping – I got the terms mixed up. It’s called redirecting: see this section of the Bash Reference Manual.

  22. 23 Jon 28 May 2008 at 11:19

    Ok, back after lunch… I made the changes to /etc/initramfs-tools/modules (I used “sudo gedit /etc/initramfs-tools/modules) and copied the root.key to the USB pendrive. But it was still not found at boot. When editing modules it says “you must run update-initramfs(8) to effect this change.” Could that be the problem? “update-initramfs(8)” and “sudo update-initramfs(8)” fails, so how do I do that?

  23. 24 yungchin 28 May 2008 at 11:25

    Just a check: when you edited the modules file, did you replace “\n” by line breaks (you should)? I’m just thinking that maybe this is why update-initramfs fails.

  24. 25 Jon 28 May 2008 at 14:24

    You mean this part: vfat\nfat\nnls_cp437\nnls_iso8859_1 ?

    I entered it like this into the modules file:
    vfat
    nfat
    nnls_cp437
    nnls_iso8859_1

    I’m testdriving this on Hardy through VirtualBox running in Win XP btw. I have activated USB for VirtualBox and can use the USB stick within (virtual) Hardy but maybe it is VirtualBox that gives some problem with the USB stick…

    I’ll try to format it the stick to ext3 after all and see if that solves it.

  25. 26 Jon 28 May 2008 at 17:45

    I re-formatted the USB stick with mkfs and copied root.key to it (I can’t drag and drop copy to the stick now btw, but “sudo cp” worked…). But I get the same error at boot: “FAILED to find suitable USB keychain …”

  26. 27 Jon 28 May 2008 at 20:49

    I just tried again with another USB stick (fat formatted). VirtualBox recognizes the stick during boot so that does not seem to be the problem…

    Did you perhaps put the root.key file in some folder on the USB stick? (I can’t see any such folder in the script source but I’m starting to run out of things to try so I’m asking anyway…)

    Here’s a screencap of when the keyfile is not found (and the step right after the password is entered) – there’s an error message there. Could that be relevant?
    http://img148.imageshack.us/my.php?image=keynotfoundpd3.png

    Oh, and sorry for just pouring a lot of question onto you. It’s not your instruction I’m trying to follow so feel completely free to opt out of answering any of these questions any time you feel like it. That said, I’m of course really glad if you do help me out.

  27. 28 Jon 28 May 2008 at 21:30

    Doh!

    I just reread you last comment: “28 May 2008 at 11:25 Just a check: when you edited the modules file, did you replace “\n” by line breaks (you should)?”

    That indeed was the problem! I sloppily replaced the \’s (not the \n’s ) with linebreaks which incorrectly left three n’s at the start of line 2,3&4 below:
    vfat
    nfat
    nnls_cp437
    nnls_iso8859_1

    It should of course be:
    vfat
    fat
    nls_cp437
    nls_iso8859_1

    Now everything works! Great, I’m really glad I didn’t give up. Thanks for the help and for your terrific post that lead me onto this. If that hadn’t been so well written I would probably never even had the guts to try this more complicated procedure with the keyfile.

  28. 29 yungchin 28 May 2008 at 21:42

    No problem, I’m happy to help (I’m not sure I’m much help here though!).

    Yes, I put the file in the root folder, that’s where the script looks for it. Looking at the original script now, I think I forgot to mention something: if you use ext2 you need to modify the mount command in the script! It says “-t vfat” in the example, which of course fails if it’s not vfat. Sorry about that!

    You can also check that this is wrong by removing “2> /dev/null” from the end of that line – this redirects the error output of the mount command. Probably if you remove that it tells you that something is wrong with the file system type.

    One more thing I noticed from the screenshot: it seems to show your luks password in clear text. Not terribly dangerous, but that could be better… I know it’s possible to change this but I’m not sure how.

    EDIT: ow, I see we’re cross-posting! Well, I’m glad it worked (and probably we also know why the ext2 version didn’t work now…). Thanks for your returning visits – makes my blog feel alive! :)

  29. 30 Jon 28 May 2008 at 21:57

    Hi,
    re: cleartext password. Yes I noticed that too. My password “test” was probably a bit weak anyhow ;-) But for real use then I’d also prefer if the typed password became asterixed. I guess something in these lines in crypto-usb-key.sh needs to be changed but I don’t know what:

    echo -n “Try to enter your password: ” >&2
    read -s -r A </dev/console
    echo -n “$A”

    I’ll google for a solution and, if that fails, email the script author

    Thanks again!

  30. 32 Jon 28 May 2008 at 22:47

    I tried this:

    stty -echo
    read -s -r A
    stty -echo

    but get this error: http://img146.imageshack.us/my.php?image=errorjl5.png

  31. 33 yungchin 29 May 2008 at 5:12

    Bummer. Yeah, not all commands are available at boot time. So probably we would need to write this in C – too much work ;)

  32. 34 Goran 30 May 2008 at 7:06

    Hello,

    Have you tried this procedure on external USB hard drive? I tried but when I am booting for the first time Ubuntu cannot find crypted partition. Any ideas?

    Thank you,
    Goran

  33. 35 yungchin 30 May 2008 at 7:30

    Nope, I haven’t tried that. Sounds like a nice experiment :)
    There’s a lot of tricky stuff when booting from USB drives – sometimes they pretend to be floppy disks so then you can’t see the whole drive, things like that. But it’s been maybe three years since I played with that so I can’t really remember, sorry!
    I think Vincent said he was toying with Hardy on a USB drive, so you might want to keep an eye on his blog.

  34. 36 Jon 30 May 2008 at 12:11

    Ok, I emailed the author of the keyfile setup guide ( http://wejn.org/how-to-make-passwordless-cryptsetup.html ) about the visible typed characters. He suggested that I’d try:

    busybox stty -echo
    read -r A
    busybox stty echo

    but that didn’t work when I tried it just now. So unless someone else has any suggestion on how to solve that I think I’ll just leave that as it is for the moment. The keyfile support is really great. I’ll testdrive it some more in virtual machines and will start to use it permanently on my real laptop soon.

    Btw, Imagine if that functionality came prepacked with the next Ubuntu, it’s setup controlled through some easy GUI. I’m sure lots of people would use it!

  35. 37 Milhaus 3 June 2008 at 19:53

    Stty is not compiled in default initramfs busybox, but you can create following file to include regular stty binary in initrd image – /etc/initramfs-tools/hooks/stty:
    –CUT—–
    #! /bin/sh -e
    PREREQ=””

    prereqs () {
    echo “$PREREQ”
    }

    case $1 in
    prereqs)
    prereqs
    exit 0
    ;;
    esac

    . /usr/share/initramfs-tools/hook-functions

    # Files needed for getting cryptochain
    copy_exec /bin/stty /bin

    exit 0
    –CUT—–

    and then just use:
    stty -echo
    read -r A
    stty echo

  36. 38 Jon 3 June 2008 at 21:49

    Hi Milhaus!
    I tried your suggestion but then get this error when booting:
    /keyscripts/crypto-usb-key.sh: /keyscripts/crypto-usb-key.sh: 45: stty: not found

    I can still input the password after that, but it is also still visible as I type.

    screencap (“test” is my password) of it all: http://img209.imageshack.us/img209/9430/45cf3.png

  37. 39 giancarlo 6 June 2008 at 8:28

    i’ m not able to add the “keyfile” to a slot,
    it return the error the “sdb2_crypt is not a LUKS partition”

  38. 40 yungchin 7 June 2008 at 14:38

    Hi Giancarlo – I’m not sure what your problem could be, sorry. Maybe you’re just not pointing to the right partition?

  39. 41 Milhaus 8 June 2008 at 14:09

    Jon: I forgot to mention, that you need to rerun “update-initramfs -u all” to generate new initrd image…

  40. 42 Justin 9 June 2008 at 19:59

    I think suspend should be safe enough if you lock the screen on suspend, right? As long as there’s no way into the running system (e.g. kernel hotkey or some exploit via peripherals), then the attacker can’t really do anything. The hard disk is useless, suspend or not. I guess it really comes down to whether the RAM is more vulnerable when the system is on.

    It would make for a suspenseful scene in a movie, the hero trying to extract the RAM of a live system without crashing it. Setting up electrical current bypasses, etc. Like bomb diffusion!

  41. 43 Jon 11 June 2008 at 0:19

    Milhaus: I did rerun “update-initramfs -u all”. But I still got that error.

  42. 44 yungchin 11 June 2008 at 10:37

    Hi Milhaus, hi Jon, welcome back :)

    Justin: you’re right, the system should be pretty secure when suspended because of the password lock. If somebody really wants to get in though, extracting the RAM (with the decryption key) from the system is indeed an option. Apparently that’s not so hard – did you see the Princeton stuff I linked to above? http://citp.princeton.edu/memory/

  43. 45 Milhaus 13 June 2008 at 12:43

    Jon, does “/bin/stty” exist in your system? It’s part of coreutils package so it should be there. In such a case there should be a problem with hook script, please check its rights:

    -rwxr-xr-x 1 root root 222 2008-06-01 11:11 /etc/initramfs-tools/hooks/stty

    Also I would check if you don’t have some weird nonpritable characters like ^M in it:
    cat -A /etc/initramfs-tools/hooks/stty

    Maybe you can also try to run verbose initrd update:
    update-initramfs -v -u all

    Or put some debug print messages into the /etc/initramfs-tools/hooks/stty script just to see if it’s executed correctly.

    Finally just to confirm, I have it working on 8.04 server:
    >cat /etc/lsb-release
    DISTRIB_ID=Ubuntu
    DISTRIB_RELEASE=8.04
    DISTRIB_CODENAME=hardy
    DISTRIB_DESCRIPTION=”Ubuntu 8.04″

    >uname -r
    2.6.24-16-server

  44. 46 mp 16 June 2008 at 12:41

    Hi, if I am dualbooting Windows XP and Ubuntu HH, and want both of them encrypted, the former with Truecrypt, the latter as described above:
    on which partition should I put GRUB? During setup I tried to install it on the unencrypted /boot partition of Ubuntu, but I could not because of an error. Also I do not want to place it in the MBR because it will be used by Truecrypt’s boot manager.
    thanks

  45. 47 yungchin 18 June 2008 at 22:55

    Hi mp,
    Putting GRUB on the /boot partition sounds like a fine plan to me. What kind of error does that give you?

  46. 48 Crom 24 June 2008 at 15:38

    Hi yungchin,
    Thanks for the guide, I’ve managed to setup my laptop with an encrypted drive thanks to you.

    I’ve been following the comments that Jon and you have left re:setting up a passwordless drive using a usb stick.

    I’ve finally managed to recreate what you guys have done but the stick had to be reformatted to ext2.

    My question is: would it be possible to use an SD card instead of a USB flash drive? My laptop has a built in drive and its much less conspicious to use a SD card. And for more security, I can separate the SD card from the laptop (keeping it with my camera) instead of having to plug in a flash drive.

    Thanks in advance,

    Crom.

  47. 49 yungchin 25 June 2008 at 19:39

    Hi Crom,

    I would think that that is possible, and it sounds like a very neat solution.

    My guess is that you need to do something similar to what’s done in the keyfile on usb-stick tutorial. At the stage where you select the modules for initramfs you’ll probably need to list your SD-reader module. In the shell script that looks for the usb-stick, you need to modprobe the SD module instead and try reading from it.

    I’ll be curious if it works out!

  48. 50 Crom 28 June 2008 at 18:18

    Hi yungchin,

    After about a week of trying and numerous emails to the author of the usb keychain page, I’ve managed to get my laptop to read the keyfile from an SD card.

    =D I’ve posted what I did in the ubuntuforums.
    http://ubuntuforums.org/showthread.php?p=5280616#post5280616

    I’m sure that someone could make my kludge more elegant and robust. But for now, I’m just really happy that it works. I’m still very new to linux and this is my first time trying to do something like this.

    Anyway, thanks for your guide. =D It helped a lot.

  49. 51 Richard 17 July 2008 at 4:53

    Yungchin,
    Just another thanks for a handy article. Encrypted LVM is up and running, USB Key trick next. Always a blast learning new things…

  50. 52 yungchin 25 July 2008 at 17:34

    Hi Crom, sorry for the slow reaction – I’ve been away for a few weeks. Awesome work with the SD reader! I really need to sit down and follow up on this blog post; I’ve been planning to play with the LVM snapshotting but can’t find time…

    Hello Richard: thanks!!

  51. 53 jon 17 August 2008 at 19:59

    Crom, awesome! I’m honored that my repeated beginners questions was to some use to someone other than me. I bet yungchin’s and others helpful answers to my questions were even more useful of course. Anyway, cool indeed that you’ve extended the neat keyfile support to include SD cards.

    I haven’t had any time for these encryption issues at all during the summer but I will test your revision some time or other and will try to post feedback afterwards (in that ubuntuforums-thread).

    Has anyone thought of a way to make the steps involved even easier? Maybe a script or a small GUI application that automates some of them?

  52. 54 jon 17 August 2008 at 20:03

    One more thing: I have toyed with the idea of making a dual boot machine (XP/ubuntu)where both are encrypted (trucrypt WDE/LUKS) and where the ubuntu half supports keyfile on usb/SD.

    I have found this general dual-boot guide:
    http://blog.redinnovation.com/2008/07/15/perfect-dual-boot-crypted-hard-disk-setup-with-truecrypt-and-luks/

    But I’m not sure if the keyfile support steps discussed here would bring complications. Any ideas on that?

  53. 55 jon 17 August 2008 at 20:08

    One last thing (really! for now!): I just saw that the original keyfile support instruction site http://wejn.org/how-to-make-passwordless-cryptsetup.html now includes some other updated versions, the latest being the one posted here:
    http://tjworld.net/wiki/Linux/Ubuntu/HardyRAID5EncryptedLVM

  54. 56 Nexxux 27 August 2008 at 9:41

    Hey on my encrypted LVM partition i left some free space and now i have no idea how to create a new partition useing the rest of the free room any help?

  55. 57 yungchin 28 August 2008 at 9:44

    After you unlock the partition with your LUKS passphrase, it’s just as good as any old LVM partition as far as the LVM-handling is concerned (That is, if you did it like I did here – if on the other hand you created an LVM partition and then encrypted one of the logical volumes, that’s different).

    So basically you can create additional logical volumes in the way the LVM-HOWTO describes. If you wan’t to grow an existing partition to take up the free space, you can do that too: see this chapter.

  56. 58 Nexxux 29 August 2008 at 8:04

    When I do the snapshot what do I want to “snap” and how?

  57. 59 Aleks 23 September 2008 at 21:45

    I have just used the alternate cd to make a whole disk encryption and I have some questions if anyone knows.

    1)What kind of encryption/which algorithm is used? I could not find any specifications.

    2)What are the known vulnerabilities of this specific type of encryption? I mean if someone tries to check my disk, what he will try to exploit?

    3)Is this encryption trusworthy/reliable? Is the whole disk/system really encrypted? When I tried to encrypt the whole disk with truecrypt in Windows it took several hours. This encryption, on the contrary was much faster which really makes me wonder about its reliability.

    If someones knows any answer to the above questions or can give me some relevant urls, I would be gratefull. I could not find anything on google

    Thank you!!!

  58. 60 yungchin 24 September 2008 at 6:22

    Hi Aleks,

    (Nexxux: sorry I didn’t see your reply – I don’t get the question though?)

    1) you can find what cipher your setup uses with the luksDump option in cryptsetup. If your encrypted partition is e.g. /dev/sda3, then you’d type “sudo cryptsetup luksDump /dev/sda3″. See the man page of cryptsetup for details of the command.

    2) the author of LUKS has some papers of his at his website, maybe that’s a starting point?

    3) I think the difficulty Truecrypt has to face is that it has to encrypt a disk that already holds data. Setting up LUKS/dm-crypt at install-time means you can just burst-write the whole disk.

  59. 61 Anonymous 24 September 2008 at 12:47

    Thank you yungchin. I have visited the authors site but it’s not very helpfull.

    I ‘ve run the command that you gave me and I found something about SHA1 and SHA256 and I don’t know if these are algorithms. Is there a way that I can change the algorithm to AES?

    How can I choose a different algorithm during installation? I was not promted for one when I installed ubuntu using the alternate cd.

  60. 62 yungchin 24 September 2008 at 15:22

    Hi Aleks, are you sure the cipher name isn’t AES already?

    SHA256 is a hash algorithm. In my very limited understanding of encryption routines, you need to mix your data with some other data (like a hash) that an attacker cannot predict to be there. Otherwise, by guessing what data is on the system (you can expect there to be say a certain version of libc and other standard GNU binaries), you’d have a better chance of breaking the cipher. So that’s what I think the SHA256 is for – it’s not the encryption algorithm.

    There’s some more on that here (sorry, again the author’s site) but I should say I didn’t get to read that thoroughly yet.

    During installation you can configure the encryption options in the partitioner: it’s in the screen after you select the partition format to be “volume for encryption”.

  61. 63 Aleks 24 September 2008 at 20:04

    I did manage to check the algorithm and it IS AES! Thank you again :):):) The link does not work however…

  62. 64 yungchin 24 September 2008 at 20:24

    Oops :) I think I fixed it now.

  63. 65 Nexxux 26 September 2008 at 22:05

    I’m not sure how to create a snapshot volume/take a snapshot of Ubuntu

  64. 66 Anonymous 27 September 2008 at 7:50

    thanks very much for the guide, just what i’m looking for! i think i’ll do it immediately with my new hard drive. however, this business about snapshots is still confusing to me even after reading the links you provided.

    this comment too seems useful but still confusing to me, http://learninginlinux.wordpress.com/2008/04/23/installing-ubuntu-804-with-full-disk-encryption/#comment-54

    i have an external hdd which will be truecrypt encrypted and mounted while ubuntu is running, that i would like to automatically backup the system to every night when i’m sleeping. i would also like it to make a differential backup so i can have several days of backups without taking up as much bytes. i do something like this now on my windows systems with acronis.

    um, so, how can i automate that? and where does this snapshot business come into play? you say leave a few GB free for the snapshots, but how does that space get used? i don’t see any mention of how to allocate that space. also, you say that is probably too much free space. what is a general rule for how much space to leave? i only have a 32 GB disk for ubuntu and it looks like in your example you have an 80 GB disk….

    thx

  65. 67 yungchin 27 September 2008 at 11:12

    Hi, thanks to both of you for visiting (again)!

    I’ve been working on a post about LVM-snapshots; just can’t find time to continue working on it… so hopefully some more on that when I get it done.

    Basically, after you create a snapshot, the logical volume manager keeps track of changes to a logical volume. The snapshot volume looks exactly like the original volume except for the changes that have been made to it.

    This is not a backup of your data – the data you see on the snapshot volume is not a copy, it’s the same data as the original! Rather, the LVM snapshot allows you to take a good backup snapshot: by backing up from the snapshot, you avoid problems with files changing during the backup process.

    The snapshot volume needs space only to store changes to the original volume during the lifetime of the snapshot. So if, let’s say, you want to be able to edit a 300MB movie file while you have the snapshot stuff going on, you’ll need more than 300MB for the snapshot volume. Usually though, it should be a lot less: just a couple of log-files, the odd email message, and a few small documents you’re working on while you run your backup.

    I thought the LVM-HOWTO was a nice link for more info, but please let me know if/what’s unclear there.

    As for Stuart’s comment about automating this – I haven’t tried the solution I suggested yet, and it seems Stuart hasn’t come back. But I’m quite convinced it will work fine that way.

  66. 68 Aleks 3 October 2008 at 8:54

    Greetings again:) I tried to install ubuntu with full disk encryption to a usb external disk following the exact same procedure that I followed when I made the installation to my internal disk.

    Unfortunately, though no error messages are shown, just after ubuntu initial screen is shown I just see the following:

    “BusyBox v1.1.3 (Debian….. etc.etc.

    (initramfs)”

    minus the quotes of course :)

    I also don’t get any password promt.

    I made the installation thrice with the same cd that I used for installing ubuntu on my laptop (so it’s not a cd problem).

    Any ideas on what could be wrong?

    Thank you :)

  67. 69 gauthma 5 October 2008 at 23:19

    Awesome tutorial! I’ll definitely add a link ;-)

    Just a note: when I booted the alternate CD in my laptop (a Sony Vaio), without handling any option to the kernel other what came by default, I got a kernel panic… rebooting and passing fb=false fixed that.

  68. 70 yungchin 7 October 2008 at 10:00

    Hi Aleks, I’m not sure how to fix that… one guess of what may be wrong: if the /dev entry for the usb disk is in the configuration files somewhere (e.g. in /etc/crypttab) the boot-loader will have trouble finding it when the /dev entry changes. But a lot of other stuff could be wrong. (I think the clues must be in the “etc. etc.” bit ;)). Did you try at a place like ubuntuforums? There might be a few more people with experience booting from usb-disk there.

    gauthma: thanks!! :)

  69. 71 Nex 7 October 2008 at 20:15

    Hey thx for all your help, but now i’ve got one more question. Does anyone know how to mount the encrypted drive, then mount the lvm under windows?

  70. 72 yungchin 7 October 2008 at 22:26

    Hi again!

    Well let me first say I hardly get to work with Windows these days and the most complicated thing I’ve done on Windows in the last two years is watching a DVD… :) So really I don’t know what I’m talking about and therefore the following links may be very bad choices.

    I know that FreeOTFE understands LUKS partitions, but have no hands-on experience with it. The combination with LVM makes life probably even trickier, but I just found (through Google) that Explore2FS lists LVM support on their webpage. So in theory you should be able to do as you say – unlock the encrypted volume, then mount your LVM volumes.

  71. 73 Aleks 8 October 2008 at 22:42

    Thank you for your answer! Yes, I have asked EVERYWHERE!!!!! Ubuntu forums in two languages, support forums, even a neighbour accross the street! No answer at all. Not even a hint or suggestion :(.

    I also tried to make the installation using an alternate cd of the 64bit version as well as to a usb stick instead of my hd. Always the same problem (in the 64bit case the error message was different but the result the same).

    I don’t think that encrypted installation to a usb external disk is possible. As a matter of fact, I do believe that there must be some kind of bug. Do you know where I should report it in order to be fixed in the next version?

  72. 74 yungchin 9 October 2008 at 9:10

    Ubuntu bugs are managed at Launchpad, but is it really a bug? I mean, the installer was perhaps not intended for setting up encrypted systems on usb devices.

    Did you try the same thing but without encryption? Maybe it’s just a thing with usb installs in general. I’ve never tried that sort of thing, but you might check out pendrivelinux.com

  73. 75 Aleks 9 October 2008 at 10:22

    No, I haven’t tried to install it without the encryption using the alternate cd. However ubuntu does function on usb drives. I have used the live cd to install it to the same usb stick (not the hd – but I read it works even better) and it was just fine (apart of being REALLY slow).

    Encrypted installation on the other hand seems to be IMPOSSIBLE :(

  74. 76 Aleks 11 October 2008 at 13:59

    What about encrypting only the home folder and swap and leaving the root unencrypted? How could we do that?

    And what about this bug: https://bugs.launchpad.net/ubuntu/+bug/231451 ???

  75. 77 jon 12 October 2008 at 1:10

    Hi, just a heads up: the original keyfile instruction site ( http://wejn.org/how-to-make-passwordless-cryptsetup.html ) now has another update:

    “Update: Improvement of TJ’s script by Hendrik
    Hendrik van Antwerpen sent me his update to TJ’s keyscript (colored version).
    Improvements:
    supports encrypted (password protected) key devices
    password reading now uses stty (when available)
    password reading uses oficial function under usplash
    refactored debug code ”

    Works great!

  76. 78 yungchin 14 October 2008 at 9:41

    Hi Aleks, you could do that if you put the encrypted volumes inside the LVM partition instead of the other way around. That’s actually what I did on my new laptop (didn’t get to write about it yet).

    I didn’t run into the bug you refer to but I do have a problem with hibernation (on resuming the swap partition is not unlocked in time and so I just get a cold boot – have to still look into this, too).

    Thanks for the update, Jon!

  77. 79 jon 22 October 2008 at 13:47

    Another update: I’ve now successfully set up a working dual-boot system in VirtualBox: (Win XP + truecrypt FDE) and (Ubuntu 8.04 + FDE + keyfile support). Yay! :-) I followed this http://blog.redinnovation.com/2008/07/15/perfect-dual-boot-crypted-hard-disk-setup-with-truecrypt-and-luks/ guide for the dualboot part. BTW, VirtualBox is great for testdriving these things in general so if anyone reading this want to test encryption but hesitate to test it on your main system, then try that first a couple of times.

  78. 80 Callum 30 October 2008 at 12:41

    Nice, thanks for this. I’m waiting for 8.10 tomorrow then whipping my 500GB disk into my laptop and going fully encrypted. I’ve bookmarked this page and will refer back tomorrow. You answered my main question, I need the alternate installer. :)

  79. 81 Callum 9 November 2008 at 23:05

    Just installed 8.10 Intrepid Ibex and it worked flawlessly. I wasn’t prompted to overwrite my disk with random data though. I was very glad of that as I’d spent ~36 hours wiping the disk in preparation and didn’t fancy repeating that!

    One or two of the options were a little different, but it was pretty painless, particularly once I noticed that the menus to manage encrypted volumes and logical volumes were at the top of the page. Thanks for that tip.

    This message comes to you from Intrepid on a fully encrypted disk. :)

  80. 82 Anonymous 18 November 2008 at 8:22

    so i have created the snapshot volume and mounted it, by following the example in the link you provided, http://tldp.org/HOWTO/LVM-HOWTO/snapshots_backup.html

    now i am ready to make the backup.
    {
    13.4.3. Do the backup

    I assume you will have a more sophisticated backup strategy than this!

    # tar -cf /dev/rmt0 /mnt/ops/dbbackup
    tar: Removing leading `/’ from member names
    }

    so, what do you think is more sophisticated? i haven’t used tar in a while. without reading thru the whole man page, can you tell me your opinion in what strategy you would use?

  81. 83 scar 19 November 2008 at 21:09

    hey i’m back. i wanted to kind of answer my own question (above) and ask some more ;)

    what i did was run “simple backup config” in (system > administration) and i configured my backup options to my liking. finally, i chose “manual backups only” on the general tab.

    all this is is a front-end to configure the /etc/sbackup.conf, which is used by the python script /usr/sbin/sbackupd

    now, i just made a script to create the snapshot volume, mount it, run the backup, unmount the snapshot volume, and delete the snapshot volume:

    lvcreate -L450M -s -n backup /dev/ubuntu/root
    mount /dev/ubuntu/backup /mnt/backup
    /usr/sbin/sbackupd
    umount /mnt/backup
    echo y|lvremove /dev/ubuntu/backup

    and i saved this in a file like ~/backup

    then, i did “sudo mkdir /mnt/backup” to create the mount point for the snapshot (only need to do this once)

    then, i made this file executable with “chmod +x ~/backup”

    then, i edited my crontab with “crontab -e”, and added this line:

    0 4 * * * sudo /home/scar/backup

    and saved. this will run ~/backup every morning at 4 AM

    finally, i had to edit the sudoers file to allow this command to be run without a password:

    sudo visudo
    shift+g (to go to end of file)
    o (to insert a new line)
    scar ALL=NOPASSWD: /home/scar/backup
    :wq (to save the file and quit)

    now, you might be wondering, why this editing of the sudoers file? i did try to “sudo vi /root/backup” and save the script there, and then “sudo crontab -e” instead to run /root/backup everyday at 4 AM. but, when i looked at the backup created, there is nothing saved in the tgz archive. so, i’m not sure why that is. if anyone knows, i think it would be a bit cleaner to not have to edit the sudoers file and have this script run in root’s crontab….

    another thing, regarding restoring backups. i am used to acronis. suppose my hard drive gets fried and i have to replace it. with acronis, i would just boot the acronis bootdisk, select the backup archive, and it would restore it to the new hard drive. i could even backup/restore multiple partitions and resize them to fit in the new hard drive.

    so, now i am in a little different situation with full disk encryption. how can i accomplish the same thing, if i need to replace the hard drive? i am thinking it won’t be quite as easy, which isn’t such a big deal as long as i can have the same results (namely, getting back into the exact environment i was in before the hard drive crashed, with all the same programs installed, etc.) for example, i am thinking i would have to go thru the setup process explained in your tutorial to get the system running again, and then run the “simple backup restore” to restore all of /. is that going to work well?

  82. 84 yungchin 20 November 2008 at 8:24

    Hi scar, sorry I was slow to react… thanks for coming back, and for all the useful info! I didn’t know sbackup. I’ve been “playing” with rdiff-backup and backuppc, but was holding back on posting about it until I had really tested my backups (and of course that didn’t happen yet).

    I think the problem with “sudo crontab -e” is that sudo doesn’t change all the environment variables (e.g. $HOME doesn’t point to /root), which is not always what you want. Thus you might have ended up editing your own crontab rather than root’s. You can use the -u switch on crontab to specify that you want to edit root’s crontab.

    For restore, I would guess the approach you suggest should work for the most part; it might well break in the details – you wouldn’t e.g. want to overwrite /etc/fstab with the backup, which probably points to different uuids of the old partitions. In any case, I haven’t tried a such a “bare metal” restore from backup yet – only single files…

    I’ll be playing around with this!

  83. 85 swistak 27 November 2008 at 21:46

    For anybody wondering how it works with Windows.
    FreeOTFE mounts LUKS volumes, no problem at all. It’s in a different place in menu though and may be confusing.
    If you have IFS driver installed windows will be able to read and write the mounted drive.
    I had no luck with explore2fs.
    All in all, encrypted ext3 works with read and write. Encrypted LVM with ext3 on it doesn’t work.

  84. 86 harmony 22 December 2008 at 6:50

    does ‘full disk encryption’ work on a dual boot scenario? lets say i have a windows on one partition and ubuntu on the other. can i just have the ubuntu partition encrypted?

    and also,

    lets say i already have ubuntu (without full disk encryption) set up, is there some way to introduce full disk encryption easily into the system? it seems that i need to do it partition by partition (ie, home, swap, root)… am i right?

    thank you!

  85. 87 harmony 22 December 2008 at 6:52

    nevermind. i saw the first question i have on dual-boot.

  86. 88 yungchin 23 December 2008 at 13:40

    swistak: thanks!

    harmony: I don’t think you can encrypt unencrypted volumes in-place with these tools. I believe that Truecrypt can pull tricks like that though. edit: …but only for MS Windows volumes. I just meant that technically it’s not unimaginable…

  87. 89 Human Being 25 December 2008 at 0:42

    Thank you so very much!!! Amazing tutorial!!

  88. 90 ByrdOfPray 10 January 2009 at 14:45

    Hi Aleks,

    Regarding the installation on a USB-flash… I installed 8.04, using a alternate CD, this way: one partition for “/” and one encrypted partition for 2 LVM volumes – swap and home. I could not make a full encrypted installation, got similar errors like you did.
    Still this is not the safest storage for personal data. There could be personal data in /tmp, /var too.
    However for my standards, this is “safe” enough. Having a USB-flash whit /home and swap encrypted, that I quite use on other PC’s when I travel is good enough for me.

    Have fun

  89. 91 yungchin 2 February 2009 at 13:59

    A funny reality check: http://xkcd.com/538/ :)
    Of course, that is not why I encrypt my disks. So if anyone comes and demands the passphrase, they won’t need to bring a wrench to get it from me!

  90. 92 Mark Sanborn 6 February 2009 at 18:21

    Wow, Awesome tutorial. Didn’t know it was that easy to setup.

  91. 93 Fletcher 24 February 2009 at 23:34

    Wanted to say thanks as this is the second time I’ve referenced this posting. I had to encrypt my work laptop and was able to successfully create a Linux installation next to the encrypted XP system provided by the office. Things had bee going well for quite some time; until today. I foolishly upgraded to Intrepid Ibex which broke… too many things. :)rather than fix it, I’m just wiping and reinstalling Hardy.

    So this time, I’m leaving some snapshot space in the LVM within the encrypted container so I can recover when I next feel like upgrading.

    Thanks!
    &

    • 94 yungchin 9 March 2009 at 23:34

      Thanks, I’m glad it was of use!

      I’ve been meaning two work out the snapshot-upgrade stuff for over a year now (halfway through my laptop died, which put a lot of plans on the backburner I guess…). Two things need to be sorted I think: a simple recipe to let one choose between device-mapping either the snapshot or the underlying volume (these will have the same UUIDs I suppose?), and a graceful way to keep a useable copy of the pre-upgrade /boot partition as well as a dist-upgraded /boot partition (our computer officer suggested software RAID-1 to me, where the mirror should be broken just prior to the dist-upgrade – seems tricky though…).

  92. 95 Jim Van Zandt 16 March 2009 at 0:49

    Thanks for the tutorial. It would be nice if you could point to some recovery/”live” CDs that have the tools and kernel modules needed to mount and fix an encrypted disk.

    • 96 yungchin 16 March 2009 at 10:26

      Hi, thanks! I’ve been using SystemRescueCd for that, which contains all the tools to mount encrypted disks and manage LVM volumes. You can actually also use the Debian installer / Ubuntu Alternate installer for this (I drafted some notes on that here), but SystemRescueCd is more convenient: it presents a more powerful shell, most of the modules will have been loaded, and there’s Firefox on hand to look for help.

  93. 98 micha 11 April 2009 at 21:08

    Hi guys!

    I have already “regular” (unencrypted) system installed and configured – Is there a way to encrypt an existing disk?

    • 99 yungchin 12 April 2009 at 23:43

      Hi Micha, thanks. I guess the answer is no and yes: in principle what you want should be possible, but I’m not aware of anyone who has written the code that would be able to do this…

  94. 100 clovepower 15 April 2009 at 20:20

    Thanks, very clear and useful….

  95. 101 jon 18 April 2009 at 20:07

    Ok, Ubuntu 9.04 is soon to be released and I’m gearing up to reinstall an encrypted dualboot (Ubuntu + XP) system, where the Ubuntu FDE will again have keyfile support as detailed earlier in this blog post + comments.

    So I’m wondering if yungchin (or anyone else reading this) knows of any new developments in simplifying the setup? Perhaps some script with/without a GUI that automates some of the (previously manual) steps or something like that?

    • 102 yungchin 18 April 2009 at 23:37

      Hi, no, nothing that I’m aware of, I’m afraid. The live-installer offers the option of an encrypted home directory I think – but that’s of course not quite full disk encryption.

      Something I’d be interested to play with, but just can’t find time for, is using a smartcard to unlock the encrypted volume, see e.g. these notes (I have a Dell Latitude D630 now, which has a built-in card reader).

      You might also be interested in work being done on Grub2 which should eventually allow the bootloader to unlock the cryptovolume (and which would thus allow you to also encrypt /boot, protecting you somewhat better against a tampered-with kernel).

  96. 103 picasso 15 May 2009 at 1:18

    thank you fro this great how to, I was looking for something similar, you just made it, worked like a charm
    Tx again and vive Linux

  97. 104 Alfreds 17 May 2009 at 16:08

    A tips for next time would be to use some sort of virtualization-software to make the pictures, instead of taking pictures of a screen, which just looks awfull ;-)

  98. 106 trick1 19 May 2009 at 14:19

    Thx yungchin for the detailed howto… BUT I made very bad experiences with Ubuntu and finally am happy with the same approach applied to Debian Lenny.

    Lenny is much more stable than Ubuntu!

  99. 107 JohnComment 19 May 2009 at 17:22

    Exactily what I was looking for.
    Thank you.

  100. 108 Anonymous 20 May 2009 at 10:49

    Hi,

    Nicely written blog, thanks. I don’t think it quite shows what I am looking for though. I want to encrypt my existing Ubuntu installation.

  101. 110 john m 31 May 2009 at 22:44

    very good and inspirational!!!
    the most important sentence for me was : “…a little bit unintuitive (it’s just a layout problem really)…”
    then read about what LVM is and the extract from the debian information and voila you know what to do.
    thanks!

  102. 111 Infosyst 16 June 2009 at 19:49

    I got this setup ok, but have one minor concern. I have two 1TB hard drives and the system handles them separately. As a result, I have to put in my pass-phrase twice on boot, once for each drives. Is there a way to setup the encryption so that it use the same encryption for both drives?

  103. 112 yungchin 17 June 2009 at 22:53

    john m: Thanks – I agree that’s really the essence of it, totally! Should have pointed it out in the introduction…

    Infosyst: With LVM, you may bundle the two disks into one logical volume (or have you already pumped them full with data?), or otherwise you could put a keyfile to unlock the second disk somewhere on the first disk, but that’s a little messy perhaps.

    • 113 Infosyst 19 June 2009 at 18:05

      Ok, I tried rebuilding it and configuring LVM before encryption. That worked to a point, but now I have to use a pass-phrase for each partition (including swap) so I’m basically in the same situation. They keyfile idea would probably work, but yes it is a bit messy so I would like to avoid that.
      Unless someone has a bright idea I will probably go back to the fist configuration, since there are only two pass-phrases regardless of partitions. Thanks for the write-up btw, very helpful for getting me this far!

      • 114 yungchin 21 June 2009 at 10:15

        I’m sorry, that was a poorly thought-out suggestion I made there. Purely theoretically, you could use LVM to create one big logical volume across the two disks, then turn that into a cryptodevice, then put another level of LVM on that cryptodevice… I’d imagine that wouldn’t do much good for disk performance though… So, I wouldn’t really know a better way to do this.

        Unrelated, but maybe of note for people reading the comments-feed: it seems Ubuntu 9.10 will use Grub2 as the boot loader. That could be interesting for us because Grub2 might support LUKS directly at some point…

  104. 115 Frapell 7 July 2009 at 4:34

    Hi, very nice guide, everything was great, thanks ! :D

    by the way, suppose i run into trouble, and i need to do a system reinstall, or i just want to switch from Ubuntu to Debian or something… how can i open the encrypted volume from the install program, to select the / partition to format and reinstall there ?

  105. 117 Joe Baker 8 July 2009 at 4:11

    —–BEGIN PGP SIGNED MESSAGE—–
    Hash: SHA1

    Ubuntu Version Bumps
    – ——————–

    It would be nice if Ubuntu actually supported going from one version to another using LUKS encrypted LVM systems. Ask for this feature and then commit time to debugging it for a month before release date. This has NEVER worked for me in the past. I have to back up my home directory and re-install from scratch.

    Another task for the astute sysadmins amoung you is to prepare for an unbootable situation where you need to boot from a CDROM and mount the LVM filesystems for recovery.

    That’s my 2 cents.

    I love the encrypted filesystem options!

    Sincerely,
    Joe Baker
    —–BEGIN PGP SIGNATURE—–
    Version: GnuPG v1.4.9 (GNU/Linux)

    iEYEARECAAYFAkpUHIIACgkQ7J1dPd3sAmD9hQCgj6JwX17c6cCaF78rXQyCVukU
    s9sAn3LJZ96jzD+jYLZJ+U0xdu2kTTQZ
    =aprH
    —–END PGP SIGNATURE—–

    • 118 yungchin 8 July 2009 at 9:24

      Hi Joe, thanks. So what breaks when you dist-upgrade? As for manually mounting things: see Frapell’s post above.

      PS: first time I get a PGP-signed comment :)

  106. 119 qbert 10 July 2009 at 13:34

    Does this work on Jaunty? I wouldn’t want to install an older version (i.e Hardy) just because I can’t find a newer HOWTO.

    • 120 Frapell 10 July 2009 at 13:43

      I installed Jaunty following this guide and it works fine.
      I recall that i had to do something a bit different than explained here, but was fairly straight forward.

      good luck ;)

  107. 122 yungchin 17 July 2009 at 23:47

    Remotely related reading at Schneier on Security: Laptop Security while Crossing Borders – not sure if I should laugh or cry (given that it seems we need to protect ourselves from our own customs officers…)

  108. 123 Anonymous 8 October 2009 at 14:39

    Not what I was looking for: only interested in remote full disk encryption setup.

  109. 124 Wolfram 28 October 2009 at 13:46

    Thanks, that helped me.

  110. 125 Wolfgang 27 January 2010 at 21:33

    Hi Yungchin,
    Thank you very much for your good work! It worked like a charm.

    But I have one question left. I created two partitions. The first one contains systemroot and swap as logical Volumes of the lvm setup. The second one is a partition formatted with fat32. Both partitions have the same passphrase.

    When I boot, I am asked for the passphrase twice. I want to avoid that. But I don’t know how to go about it. Do you have any idea? (I hope the answer is not here before my eyes and I did not see it ;-))

    Thank you!

    • 126 yungchin 27 January 2010 at 22:31

      Hi, thanks!

      One thing you could do is unlocking the fat partition using a keyfile. If you make sure the system-root is unlocked and mounted before that, then you can safely store the keyfile on there. I’m a bit rusty on the details (I haven’t changed anything to my machine in ages), so you’re best off checking the crypttab manpage for how to configure this.

      Hope that’s a good starting point, have fun!

  111. 127 Wolfgang 28 January 2010 at 8:49

    Thanks! I will try that.

  112. 128 scar 30 January 2010 at 0:13

    hi, i followed this guide quite some time ago, i see my comments are still here ;) i am now running 9.04 through upgrading and i haven’t had any problems at all.

    i come to you today because i do not quite still understand how i partitioned my disk, and i would like to allocate a new partition so i can put a virtual machine’s disk image there.

    i have a 300 GB disk, and i mostly followed your instructions. i allocated about 100MB to /boot, and the rest was allocated to an encrypted partition, inside of which is a 20 GB / (root) partition and a 4 GB swap partition, leaving approximately 270 GB of unused space inside the encrypted partition as far as i know.

    now i would like to just create another 10 GB partition to store a virtual machine disk image on, and i cannot figure out how to do that, with all of the pv* and lv* commands.

    can you help me understand the disk layout i have created and how to manage/create/delete additional partitions, should i need them? thanks

  113. 130 scar 31 January 2010 at 19:00

    awesome! thanks. i installed system-config-lvm package. it was extremely easy to use.

  114. 131 Tim McCormack 2 March 2010 at 16:18

    What if I wanted to boot the system from USB key? I don’t like the idea of having an unencrypted boot partition sitting around on my hard disk. Is there a way I could have GRUB and whatever else is needed to open LUKS/LVM on the key, and chain to the OS inside the LVM?

  115. 132 Tim McCormack 8 March 2010 at 16:11

    I seem to have answered my own question! The trick is to select the USB drive’s partition to be mounted as /boot, and the installer will put GRUB on that drive.

    • 133 yungchin 9 March 2010 at 13:04

      Thanks, both for the question and the answer! So I guess this means you need to remember to mount the USB-stick partition whenever there are kernel or grub updates, but otherwise you can leave the stick out during use?

  116. 134 Ahmad 2 May 2010 at 5:16

    This tutorial worked perfectly with Ubuntu 10.4 (Text-based Installer). Thanks!

  117. 135 Matt 4 May 2010 at 22:34

    Just used your guide with Ubuntu 10.04 Alternate install CD. A few minor differences, but otherwise EXCELLENT! Thanks so much for your work on this!

  118. 136 Robert 3 July 2010 at 8:28

    Dear author, thank you for your tutorial.

    I have got a variant suggestion to ask you:

    let say I have a dedicated linux box server, made by me (obviously) and to be sold to some customers. It delivers services I have put a lot of my knowledge to set it up. Let say a special proxy or a special fax server.

    Once I place that box to a customer site it may be cloned by somebody to take advantage of my installation and configuration.
    This is the unwanted part.

    While the real end user must have some access to some configuration files if any modification is needed, i.e. add some websites to whitelist or to blacklists.

    How to make this mechanism working and prevent unauthorized copies of my server system or configuration? Is it encyption a solution? Or it could be a mixture of encrypting some directories while other must simply be protected at user level?

    Thank you for any tip.

    Robert

  119. 137 Tim McCormack 6 July 2010 at 18:01

    Robert: You want them to have a computer that they can turn on, but can’t access the internals of? Well, I’m not sure you can do that with purely digital means, such as encryption — they’ll have to provide the computer with a passphrase, which they could use with a LiveCD.

    • 138 yungchin 6 July 2010 at 18:35

      I agree with Tim, no, in fact I don’t think you can do that at all. You want someone to be able to use something, but at the same time you don’t: this is Digital Restrictions Management, and if you think about it, it is broken by its very principle.

      Also, I’d say that obscuring the configuration scripts is, while perhaps not against the letter, certainly against the spirit of the GPL.

  120. 139 ea 15 July 2010 at 10:14

    Hello,

    it has been two years now, since I followed this tutorial and set up my laptop with ubuntu and full disk encryption. I use my SD card reader to store the passphrases. Pretty easy and beatiful in contrast to USB Flash drives.

    Now that Ubuntu 10 is released, I would like to do an aptitude dist-upgrade.

    Did anybody try this one out. Success reports?
    I’d expect problems with the upgraded init-ramdisk image.

    Regards

    • 140 Tim McCormack 5 August 2010 at 18:14

      @ea: I upgraded from 9.10 to 10.04. I had some trouble during the grub portion — each time I would go to reinstall grub, it would unmount my USB /boot partition and throw an inscrutable error. Eventually, I gave up and rebooted… and everything works fine. Dunno what the problem was.

  121. 141 scar 6 September 2010 at 21:17

    i am now running 10.04 too. i have a question about the backup scheme, because i am getting about many messages like:

    EXT4-fs (dm-3): ext4_orphan_cleanup: deleting unreferenced inode 130636

    EXT4-fs (dm-3): 39 orphan inodes deleted
    EXT4-fs (dm-3): recovery complete
    EXT4-fs (dm-3): mounted filesystem with ordered data mode

    exactly every day, so i think they are occurring around the time i am running the backup. my backup script that runs everyday is simple:

    lvcreate -L450M -s -n backup /dev/den/root
    mount /dev/den/backup /mnt/backup
    /usr/sbin/sbackupd
    umount /mnt/backup
    echo y|lvremove /dev/den/backup

    do you know what is causing the messages? how i can investigate further? i think it may be related to the snapshot volume that is created and then deleted. maybe it gets unmounted/removed to quickly? not sure…

    thanks

  122. 142 borepstein 21 September 2010 at 15:01

    Great manual, thanks!

    If I have a dual-boot (Ubuntu and Windows) machine is there a good way to encrypt my Windows installation at the same time?


  1. 1 StaticNAT » I put my bird in Fort Knox…go on try to steal it. Trackback on 24 April 2008 at 20:33
  2. 2 Eight tips for a robust Ubuntu Hardy installation « oei.yungchin.NL Trackback on 26 April 2008 at 23:11
  3. 3 Logiciel Libre » Blog Archive » Ubuntu and Encryption Trackback on 26 May 2008 at 23:10
  4. 4 links for 2008-08-04 [delicious.com] « Stand on the shoulders of giants Trackback on 5 August 2008 at 5:03
  5. 5 [K]Ubuntu + LUKS + LVM « erroneous thoughts Trackback on 5 October 2008 at 23:25
  6. 6 Security Justice » Blog Archive » Security Justice - Episode 6 Trackback on 17 October 2008 at 4:07
  7. 7 Full encryption is go! at Callum Macdonald Trackback on 9 November 2008 at 23:23
  8. 8 Reusing existing encrypted logical volumes while installing Ubuntu 8.10 « Learning in Linux Trackback on 23 December 2008 at 13:31
  9. 9 Targz » Blog Archive » Curs administració de sistemes GNU/Linux. Sessió 40. 21 de maig de 2009 Trackback on 21 May 2009 at 12:24
  10. 10 Truecrypt help - Overclock.net - Overclocking.net Trackback on 5 June 2009 at 20:02
  11. 11 Ksplice Uptrack quick-test on Ubuntu 9.04 Live « YC’s playground Trackback on 28 June 2009 at 0:23
  12. 12 DualBoot OS FDE : Windows chiffré + Linux chiffré | Artiflo Inside Trackback on 24 July 2009 at 9:02
  13. 13 Full Disk Encryption and Server Installation « Josh's Ambry Trackback on 11 November 2009 at 4:53
  14. 14 Ubuntu Encrypted LVM Trackback on 15 December 2009 at 15:49
  15. 15 Secure Linux system? - HEXUS.community discussion forums Trackback on 6 March 2010 at 12:06
  16. 16 dev. » How to install Ubuntu 10.04 on a Netbook with Full Disk Encryption Trackback on 2 May 2010 at 12:56
  17. 17 Whole-disk encryption « Mike Beach Trackback on 14 November 2011 at 0:08
  18. 18 Full disk encryption for both Windows and Ubuntu on a dual-boot drive » Moonflare Blog - Technical miscellanea by Derrick Coetzee Trackback on 19 April 2012 at 4:43
Comments are currently closed.




Follow

Get every new post delivered to your Inbox.

%d bloggers like this: