Full disk encryption during OEM install?

Hi there. This is my first topic here. Please put it somewhere else if I put it in the wrong place

Anyway, I’m selling some laptops with Ubuntu MATE 16.10 installed and as such I’m using the OEM install mode.

I got a request from one of my potential customers, a novice Linux user that is security aware, to have full disk encryption on by default. As he, and potential other people, are novice users I could help guide them in reinstalling Ubuntu MATE, but I’d prefer to streamline the process.

Sadly, as far as I’m aware, enabling full disk encryption isn’t easily possible after install, never mind disabling (if so desired). The ideal solution here would be something like macOS does with their FileVault, which can be enabled or disabled at will from the System Preferences. After reboot, the disk start encoding your volume in the background.

But, wishlists aside, what would otherwise be a great option is an extension of the current OEM setup, where you can enable it after initial setup and after reboot the new owner will be asked to setup a new user account etc.

So, would it be possible to enable the “prepare for end user” option and after reboot, the end user will enter the OEM disk encryption password (something simple, like 123456) and be forced to immediately choose a new password before the rest of the OS starts?

No idea but I’d love to know how to do it. Just want to mention that encryption is about privacy over security but it can be debated. Also, full disk encryption depends on the partition format and it may slow the system down significantly depending on the processor. So your customer may be wanting encryption but not full disk encryption.

Thank you for your reply

Regarding the speed compromise: these systems have an Intel Core i5-6200U and 256GB SSD’s. They’re formatted with the default settings, I believe Ubuntu MATE defaults on EXT4? With such high end though, I doubt this will be much of an issue, no?

Not a problem. Default is ext4. Look at this.

Full disk encryption with LUKS is usually done at install time.
There is other solutions to encrypt that you can use without reformatting the hole disk.

You could encrypt your home partition encrypt home

You could encrypt other part of your system.

Take look at veracrypt
It allows you to create a volume in a file on your actual filesystem.
You could encrypt any part of your system but will have to correct /etc/fstab to mount the encrypted containers.
You need to have a certain linux knowledge for that.

There are other solutions, just google “linux disk encryption” for more

Thank you for your reply. You reply to this as if this was directed to an end user, which is fine. I myself am perfectly fine setting up encrypted volumes. But this is not about me. The devices I sell are packaged and shipped and come with 90 days of phone support. And while I’m well aware that I could SSH into a remote computer, this is getting besides the point. From my end, it would be easier to nuke and pave and do a clean install.

I’m also aware of home directory encryption via ecryptfs. This was actually the first suggestion I had in reply to this question: just create a new user and put your user data in it. Seems straightforward enough. But the question remained with said customer.

But as I understand from your reply, it seems that a clean install is the only feasible way to go.

Is this something that you’ll get asked to do often? In terms of a business-case, if just one or two people are asking for this, it wouldn’t make sense to develop a complex solution, such as building in encryption support to the OEM install. If this is something that will be commonly asked, then I can see the point.

One thing you can do, is skip the OEM install, and set it up for them manually with a fresh install. Then when they get it, they can have you walk them through changing the passphrase.

[quote=“jay, post:7, topic:9653, full:true”]
Is this something that you’ll get asked to do often? In terms of a business-case, if just one or two people are asking for this, it wouldn’t make sense to develop a complex solution, such as building in encryption support to the OEM install. If this is something that will be commonly asked, then I can see the point.[/quote]
That remains to be seen

This actually spurred me to look further, as I didn’t know how easy you can actually change the LUKS passphrase after install. But Gnome Disk Utility can do it just fine and since it is installed by default on MATE, this should be a useful workaround and doesn’t even require me to drop the OEM setup!