How to do full disk encryption.

dread71
Joined: 10/19/2016

I'm a noob. I pressed the "encrypt the installation for security" thing in the installer but when I look at my partitions I see an unencrypted partition "Filesystem partition 1 20gb Ext4", then there is "extended partition partition 2 230 GB", then an encrypted partition "partition 5 230 GB LUKS", then "230 GB LVM2 PV" which appears unencrypted. How do I encrypt everything?

Magic Banana
Joined: 07/24/2010

https://trisquel.info/en/wiki/full-disk-encryption-install explains how to install Trisquel with a full disk encryption.

However, as far as I understand, you have successfully encrypted /home. The second most sensitive part of the disk is the swap (assuming you have a swap partition or a swap file). To encrypt it, you only need to execute this command while the swap is on (it is, by default):
$ sudo ecryptfs-setup-swap

dread71
Joined: 10/19/2016

I don't have a swap partition. Is there anything else I should encrypt?

Magic Banana
Joined: 07/24/2010

You have encrypted the most sensitive data. However, things written in /tmp (and maybe in /var) can reveal personal information. If you decide that you need full-disk encryption, then it is easier to install Trisquel again: https://trisquel.info/en/wiki/full-disk-encryption-install

Misty
Joined: 03/22/2016

I need to understand this better so I can do that too, and re-read the instructions to see if they answer my questions, if not, I'll be back here to ask.

Legimet
Joined: 12/10/2013

Before doing anything else, back up! Make a LUKS container and a volume group in it. This way you only have to enter one passphrase to decrypt the whole thing.
When creating the LUKS container, if you had unencrypted data in that part of the disk, you should choose to wipe it so that it can't be accessed again. This may take some time. Afterwards, you can create the volume group and partition your system however you want (I usually make 3 logical volumes: /, /home, and swap). It is unnecessary to create a separate unencrypted /boot partition as used to be the case.
Once you reach the step of installing GRUB, you will get an error. You need to enable GRUB's cryptodisk module so that it can decrypt the partition. Switch to a tty and go to the place where the installation is mounted. Edit the etc/grub/default file and add the following line:
GRUB_ENABLE_CRYPTODISK=y
The GRUB installation should then succeed, as well as the rest of the installation.

You will have to type your passphrase twice when booting up. To avoid this, see http://www.pavelkogan.com/2015/01/25/linux-mint-encryption/.
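The GRUB step described above, as an added example that is not code from this thread: a small POSIX shell helper that sets GRUB_ENABLE_CRYPTODISK=y in the grub defaults file idempotently (it rewrites a commented-out or "=n" line in place rather than appending a duplicate) and then verifies the result. It defaults to /etc/default/grub, the path corrected later in the thread; the /target mount point mentioned in the comments is an assumption about where the installer has the new system mounted.

```shell
#!/bin/sh
# Added example, not from the thread. Usage from the installer tty:
#   sh enable_cryptodisk.sh --apply /target/etc/default/grub
# (/target is an assumed mount point; use wherever your installation is mounted.)

# Succeed only if FILE contains an active, uncommented GRUB_ENABLE_CRYPTODISK=y
# (with or without quotes). A "#" prefix or "=n" does not count.
grub_cryptodisk_enabled() {
    file="${1:-/etc/default/grub}"
    [ -f "$file" ] || return 1
    grep -Eq "^[[:space:]]*GRUB_ENABLE_CRYPTODISK=[\"']?y[\"']?[[:space:]]*$" "$file"
}

# Ensure FILE enables cryptodisk. If any assignment of the key exists
# (even commented out), rewrite that line in place so the file keeps its
# order and no duplicate key is added; otherwise append the line.
# The file is rewritten through a temp copy so its mode and owner stay intact.
enable_grub_cryptodisk() {
    file="${1:-/etc/default/grub}"
    [ -f "$file" ] || return 1
    tmp="$file.tmp.$$"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*GRUB_ENABLE_CRYPTODISK=' "$file"; then
        sed -E 's/^[[:space:]]*#?[[:space:]]*GRUB_ENABLE_CRYPTODISK=.*$/GRUB_ENABLE_CRYPTODISK=y/' \
            "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
        cat "$tmp" > "$file" && rm -f "$tmp"
    else
        printf 'GRUB_ENABLE_CRYPTODISK=y\n' >> "$file"
    fi
    # Report success only if the file now really enables cryptodisk.
    grub_cryptodisk_enabled "$file"
}

# Apply only when explicitly asked, so the file can also be sourced safely.
if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
    enable_grub_cryptodisk "$2"
fi
```

After the change, grub-install (and the rest of the installation) should proceed as Legimet describes; re-running the helper on an already edited file is harmless.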

Magic Banana
Joined: 07/24/2010

The file is "/etc/default/grub", not "etc/grub/default".

Legimet
Joined: 12/10/2013

Yes, it is /etc/default/grub. Unfortunately, I can't edit it anymore.

Misty
Joined: 03/22/2016

oh wow this stuff is so over my head. :(

Backups I know how to do, partitions and swap, no, but I know I won't learn it by not trying. I will need to have instructions, including what to do if I screw it up, how to get out of it, start over, whatever, commands for fixing it, if my machine will be functional at all. My crapware Mac still works, in case I totally wreck this one.

Today is not the day for me to try this, so I'll be gathering info and deciding if I even wanna risk killing another computer. Many years ago on a different OS I tried encrypting files, that worked fine, but I couldn't decrypt them; lucky I had backups.

Alexander Stephen Thomas Ross
Joined: 09/17/2012

hmm...
With full disk encryption there is a small partition of around 200MB-hmm 300MB(?) in size, which is where the boot loader/kernel is stored. Otherwise what's left to load the OS? Some software has to be loaded, else how to decrypt and load the system ;)

What can be done is to have the boot partition -as it's called- on another drive, like a USB flash drive. That way only encrypted data is on the drive in the computer and you can keep the all-important non-encrypted boot partition on a USB drive/stick which you can keep on your person at all times but for when you're using/have the laptop booted. So it's harder for an attacker to physically get hold of it and add a backdoor.

I think this is helpful when getting through airport "security".

So it depends on your threat level or convenience level.