How to enable whole-disk encryption in Debian and Ubuntu
Recently, work has begun issuing new, high-end laptops to engineers, and I felt it was a good time to emphasise the need to encrypt everything on the laptop. There is virtually no overhead for doing this—it’s just a matter of getting it set up.
Below, I describe how to do this on Ubuntu 12.04 (precise). The procedure is all the same on recent versions of Debian and Ubuntu, though—they all just use partman-crypto to do the configuration.
On Ubuntu, you need to use the alternate CD, not the desktop one. On Debian, just use the standard text-mode installer. Do the configuration up to the disk partitioning section:
If you normally use guided partitioning, just use the “Guided—use entire disk and set up encrypted LVM”. The only extra thing you have to do is type in the encryption passphrase. It’s as simple as that, and you can stop reading here. :-)
The rest of this article is for people who like to do manual partitioning. Because of this, I will go into a fair amount of detail, so you can see how to control the whole process. (However, to be kind to my workmates, I am doing this using non-expert mode. The steps may be different for expert mode.)
The general principle of the process is this:
- Set up a /boot volume so that the initramfs containing the crypto bootstrap code has somewhere to live. (This is the Achilles’ heel of the whole system, and I don’t know how to work around it.)
- Encrypt the whole rest of the disk.
- The “rest of the disk” cannot have a partition table, so we will use LVM to do the volume management.
Okay, so, here we go. :-)
First, create an empty partition table on your disk if necessary, then add a small partition for /boot. I usually use 64 MB.
So now, we should have most of our disk still free:
Set up that free space for encryption:
You can choose between AES-128, AES-192, and AES-256. I think AES-128 is sufficient, but that’s your choice.
The encryption mode (listed as “IV algorithm”) in that window is more significant. Wikipedia has a good overview of the various modes, but the long and short is that there are only three modes that you are supposed to use:
Of the three, XTS is the most secure and is the industry standard for disk encryption. (BTW, never use lrw-plain; they are insecure modes.) However, partman-crypto does not currently support LRW or XTS modes, so if you want to use XTS, there is more work to do (covered in a later article). However, if industry standard is not a big deal for you, ESSIV is probably sufficient.
Okay, let’s set up the encrypted volume’s passphrase:
There, just select “Configure encrypted volumes”, then “Finish”, and you’ll be prompted for the passphrase to use. Then we’re ready for LVM setup:
Select the line after “Encrypted volume”, then set that up as “physical volume for LVM”. Then we’re ready to configure LVM:
Create a volume group containing the encrypted volume:
Then add the volumes you want to use. For example, some people might want to have home. At a minimum, you will need swap, so that’s what I’ve used for the next screenshot for simplicity. When done, you should see the following:
Now just set up each of the LVM volumes with filesystem or swap volumes, and you’re done:
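As an added check that is not part of the original article: once the installed system boots, this script audits /etc/fstab and /etc/crypttab against the layout described above (a plaintext /boot only, with root and swap on LVM volumes inside the encrypted volume). The sample files are constructed; the script cannot see the physical-volume chain, so it assumes the LVM volume group sits on the encrypted volume, as it does when set up this way.

```python
"""Post-install sanity check for the article's layout: one plaintext /boot,
everything else (including swap) on LVM volumes carved out of the single
encrypted volume. Added example, not part of the original article."""

# Constructed samples mirroring what the installer writes for this layout.
SAMPLE_FSTAB = """\
# <file system>        <mount point> <type> <options>          <dump> <pass>
proc                   /proc         proc   nodev,noexec,nosuid 0      0
/dev/mapper/vg-root    /             ext4   errors=remount-ro   0      1
UUID=1111-2222         /boot         ext2   defaults            0      2
/dev/mapper/vg-swap    none          swap   sw                  0      0
"""
SAMPLE_CRYPTTAB = "sda5_crypt UUID=3333-4444 none luks\n"

# Pseudo-filesystems that never hold data and are ignored by the audit.
VIRTUAL_FS = {"proc", "sysfs", "tmpfs", "devpts"}


def parse_fstab(text):
    """Yield (device, mountpoint, fstype) for each non-comment fstab entry."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and not fields[0].startswith("#"):
            yield fields[0], fields[1], fields[2]


def parse_crypttab(text):
    """Return the dm-crypt target names declared in crypttab."""
    return {f[0] for f in (l.split() for l in text.splitlines())
            if f and not f[0].startswith("#")}


def audit(fstab_text, crypttab_text):
    """Return a list of findings; an empty list means the layout matches."""
    findings = []
    if not parse_crypttab(crypttab_text):
        findings.append("crypttab declares no encrypted volume")
    saw_swap = False
    for dev, mnt, fstype in parse_fstab(fstab_text):
        if fstype in VIRTUAL_FS or mnt == "/boot":
            continue  # /boot is the one partition that must stay in the clear
        saw_swap = saw_swap or fstype == "swap"
        # LVM volumes created by the installer appear as /dev/mapper/<vg>-<lv>;
        # anything else (a raw partition, a UUID=) lives outside the encrypted PV.
        if not dev.startswith("/dev/mapper/"):
            label = "swap" if fstype == "swap" else mnt
            findings.append(f"{label} is on {dev}, outside LVM/dm-crypt")
    if not saw_swap:
        findings.append("no swap volume found")
    return findings
```

Run it against the real files with `audit(open("/etc/fstab").read(), open("/etc/crypttab").read())`; an unencrypted swap partition is the most common thing it catches.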