How to enable whole-disk encryption in Debian and Ubuntu

Recently, work has begun issuing new, high-end laptops to engineers, and I felt it was a good time to emphasise the need to encrypt everything on the laptop. There is virtually no overhead for doing this—it’s just a matter of getting it set up.

Below, I describe how to do this on Ubuntu 12.04 (precise). The procedure is all the same on recent versions of Debian and Ubuntu, though—they all just use partman-crypto to do the configuration.

On Ubuntu, you need to use the alternate CD, not the desktop one. On Debian, just use the standard text-mode installer. Do the configuration up to the disk partitioning section:

[Screenshot: Guided partitioning selection]

If you normally use guided partitioning, just use the “Guided—use entire disk and set up encrypted LVM”. The only extra thing you have to do is type in the encryption passphrase. It’s as simple as that, and you can stop reading here. :-)


The rest of this article is for people who like to do manual partitioning. Because of this, I will go into a fair amount of detail, so you can see how to control the whole process. (However, to be kind to my workmates, I am doing this using non-expert mode. The steps may be different for expert mode.)

The general principle of the process is this:

  1. Set up a /boot volume so that the initramfs containing the crypto bootstrap code has somewhere to live. (This is the Achilles’ heel of the whole system, and I don’t know how to work around it.)
  2. Encrypt the whole rest of the disk.
  3. The “rest of the disk” cannot have a partition table, so we will use LVM to do the volume management.

Okay, so, here we go. :-)

First, create an empty partition table on your disk if necessary, then add a small partition for /boot. I usually use 64 MB.

[Screenshot: Setting up /boot]

So now, we should have most of our disk still free:

[Screenshot: /boot set up, leaving most of the disk free]

Set up that free space for encryption:

[Screenshot: Encrypted volume setup]

You can choose between AES-128, AES-192, and AES-256. I think AES-128 is sufficient, but that’s your choice.

The encryption mode (listed as “IV algorithm”) in that window is more significant. Wikipedia has a good overview of the various modes, but the long and short is that there are only three modes that you are supposed to use:

  • cbc-essiv
  • lrw-benbi
  • xts-plain

Of the three, XTS is the most secure and is the industry standard for disk encryption. (BTW, never use cbc-plain or lrw-plain; they are insecure modes.) However, partman-crypto does not currently support LRW or XTS modes, so if you want to use XTS, there is more work to do (covered in a later article). However, if industry standard is not a big deal for you, ESSIV is probably sufficient.
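Once a system is installed, the mode that actually ended up on the disk is visible in the device-mapper table. The following script is an added example (not from the article, and not part of partman-crypto or cryptsetup): it parses `dmsetup table` output, pulls out the cipher spec of each dm-crypt target and flags the plain-IV modes the text warns against. The `SAMPLE_TABLE` lines are constructed to look like real `dmsetup table` output (the key column is masked with zeros, as dmsetup does without `--showkeys`); on a real machine pipe `dmsetup table` into `audit_dm_table` instead.

```shell
#!/bin/sh
# Added example: audit dm-crypt cipher specs as shown by `dmsetup table`.
# Constructed sample output: two acceptable volumes, one insecure cbc-plain
# volume, and one plain LVM (linear) mapping that must be ignored.
SAMPLE_TABLE='sda5_crypt: 0 976773168 crypt aes-cbc-essiv:sha256 00000000000000000000000000000000 0 8:5 4096
sdb2_crypt: 0 488281250 crypt aes-xts-plain64 0000000000000000000000000000000000000000000000000000000000000000 0 8:18 4096
old_crypt: 0 20971520 crypt aes-cbc-plain 00000000000000000000000000000000 0 8:33 2048
vg0-root: 0 500000000 linear 252:0 2048'

# Print the cipher spec (the field right after the "crypt" target name) of one
# table line. Lines for other targets (linear, striped, ...) print nothing.
cipher_of_table_line() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "crypt") { print $(i + 1); exit } }'
}

# Classify a spec such as aes-cbc-essiv:sha256 or aes-xts-plain64.
# Prints ok / insecure / unknown and returns 0 / 1 / 2 to match.
classify_cipher_spec() {
    mode=$(printf '%s' "$1" | cut -d- -f2)                # cbc, lrw, xts
    iv=$(printf '%s' "$1" | cut -d- -f3 | cut -d: -f1)     # essiv, benbi, plain, plain64
    case "$mode-$iv" in
        xts-plain|xts-plain64|lrw-benbi|cbc-essiv)  echo ok;       return 0 ;;
        cbc-plain|cbc-plain64|lrw-plain|lrw-plain64) echo insecure; return 1 ;;
        *)                                          echo unknown;  return 2 ;;
    esac
}

# Read `dmsetup table` output on stdin and print "name spec verdict" per
# crypt target. Always returns 0 so it can be used inside set -e scripts.
audit_dm_table() {
    while IFS= read -r line; do
        spec=$(cipher_of_table_line "$line")
        [ -n "$spec" ] || continue
        verdict=$(classify_cipher_spec "$spec" || true)
        printf '%s %s %s\n' "${line%%:*}" "$spec" "$verdict"
    done
    return 0
}

# Same input, but just print how many crypt targets use an insecure mode.
count_insecure() {
    n=0
    while IFS= read -r line; do
        spec=$(cipher_of_table_line "$line")
        [ -n "$spec" ] || continue
        verdict=$(classify_cipher_spec "$spec" || true)
        if [ "$verdict" = insecure ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Stand-alone run against the constructed sample; prints three lines, one of
# them marked insecure (old_crypt).
printf '%s\n' "$SAMPLE_TABLE" | audit_dm_table
```

Usage on a live system: `sudo dmsetup table | sh -c '. ./audit.sh; audit_dm_table'` (or just replace the last line with `dmsetup table | audit_dm_table`). The classifier treats `xts-plain64` the same as `xts-plain`; both are XTS, the 64-bit variant only changes how the sector number is fed in as the tweak.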

Okay, let’s set up the encrypted volume’s passphrase:

[Screenshot: Onward to passphrase]

There, just select “Configure encrypted volumes”, then “Finish”, and you’ll be prompted for the passphrase to use. Then we’re ready for LVM setup:

[Screenshot: Completed setting up crypto]

Select the line after “Encrypted volume”, then set that up as “physical volume for LVM”. Then we’re ready to configure LVM:

[Screenshot: Ready to configure LVM]

Create a volume group containing the encrypted volume:

[Screenshot: Create volume group]

Then add the volumes you want to use. For example, some people might want to have root, swap, usr, var, opt, and home. At a minimum, you will need root and swap, so that’s what I’ve used for the next screenshot for simplicity. When done, you should see the following:

[Screenshot: After LVM volume setup]

Now just set up each of the LVM volumes with filesystem or swap volumes, and you’re done:

[Screenshot: All done!]
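For readers who want to see what the installer screens above amount to on the command line, here is an added example that is not partman-crypto's own code: a script that prints (but does not run) the partitioning, cryptsetup and LVM commands for the same layout, a small unencrypted /boot followed by one LUKS container holding an LVM volume group with root and swap. The disk, volume-group name and swap size are parameters; `/dev/sda` and `vg0` in the usage line are placeholders, and the `sdX1`/`sdX2` partition naming is an assumption (NVMe devices use `p1`/`p2`). It covers only the disk layout, not installing the OS, `/etc/crypttab` or the initramfs, which the installer handles.

```shell
#!/bin/sh
# Added example: dry-run plan for the manual "/boot + encrypted LVM" layout.
# Prints the commands so they can be reviewed; nothing here touches a disk.
# Hypothetical parameters: $1 disk, $2 volume group name, $3 swap size.

plan_encrypted_lvm() {
    disk="$1"                  # whole disk, e.g. /dev/sda (assumed sdX naming)
    vg="$2"                    # LVM volume group name, e.g. vg0
    swap_size="${3:-4G}"       # lvcreate size spec for the swap volume
    boot_part="${disk}1"
    crypt_part="${disk}2"
    mapper="$(basename "$crypt_part")_crypt"   # sda2_crypt: the installer's naming style
    cat <<EOF
# 1. Fresh partition table, a 64 MB /boot as in the article, rest of the disk for crypto
parted -s $disk mklabel msdos
parted -s $disk mkpart primary ext2 1MiB 65MiB
parted -s $disk set 1 boot on
parted -s $disk mkpart primary 65MiB 100%
mkfs.ext2 $boot_part
# 2. Encrypt everything else. XTS with a 512-bit key is AES-256 (XTS uses two keys);
#    plain64 is the 64-bit sector IV, so the tweak does not wrap on volumes over 2 TiB
cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 512 $crypt_part
cryptsetup open $crypt_part $mapper
# 3. LVM inside the encrypted container: physical volume, volume group, root and swap
pvcreate /dev/mapper/$mapper
vgcreate $vg /dev/mapper/$mapper
lvcreate -L $swap_size -n swap $vg
lvcreate -l 100%FREE -n root $vg
mkswap /dev/$vg/swap
mkfs.ext4 /dev/$vg/root
EOF
}

# Usage: sh plan.sh /dev/sdX vg0 [swap-size]; prints the plan only.
plan_encrypted_lvm "${1:-/dev/sda}" "${2:-vg0}" "${3:-4G}"
```

The plan is meant to be read first and only then fed to a root shell (for example `plan_encrypted_lvm /dev/sdb vg0 | sudo sh -e`) on a disk that is genuinely blank: step 1 destroys whatever partition table is there. The `--cipher aes-xts-plain64` line is where the XTS mode the article calls industry standard is selected; swap it for `aes-cbc-essiv:sha256` to reproduce what partman-crypto sets up out of the box.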
