Installing Ubuntu with Full Disk Encryption

Tips, Tricks and Tutorials Tutorials & Guides
#1

Background

Encrypting your hard drive is the only decent counter measure against someone gaining physical access to your computer. Encrypting your hard drive does not protect you from malware ex-filtrating your data while your computer is being used. Full disk encryption is different from home folder encryption in that an attacker that gains access to your computer cannot plant malware into the operating system. Home folder encryption does not protect you from that kind of attack since only your personal data is encrypted, which means the attacker can boot your computer, plant malware in the OS, shut it down and wait for you to login - activating the malware that will then ex-filtrate your files over the network.

This guide is only for users that don't have an English/US keyboard layout (Querty) and are using the default keyboard layout for their country (Sorry, MAC users - this guide won't help you.)
Other more blessed users should not have any problems just following the classic installation path.

Using Ubuntu with Full Disk Encryption is a Pain for people with non-US keyboard layouts because of a very simple design decision error (please mark yourself as affected on the bug report if you've been hit by this in the past) that is known to affect every version since the FDE feature was introduced.

I will describe here the only one step that is critical to setting it up successfully.

Step 1:

Power On With your installation disk first in the boot sequence Sadly how to do that is hardware specific so [see here for some instructions on how to do that](https://help.ubuntu.com/community/BootFromCD#BIOS_is_not_set_to_boot_from_CD_or_DVD_drive).

Step 2: This one is the critical step. It's not hard to do but if you don't you'll end up with an unbootable system.

When you see this screen with the little dude at the bottom:

e1.png642×559 20.8 KB

Press a key, so you get to this screen:

e2.png642×559 31.3 KB

Then pick your language and hit enter.
You should then see a boot screen like this in your local language:
e3.png642×559 25.8 KB

Step 3: and I'm tired of giving a number to steps so I won't do it again. The rest is easy anyway.

Pick the Install option using the arrow keys. Then keep going with your default language choice during the following steps:
image.png802×679 70.8 KB

On the "Installation Type" screen check "Encrypt the new installation for security" or whatever the equivalent in your language is.

image.png802×679 93.6 KB

Next pick your security key for unlocking the encrypted drive. (this does not have to be - and should not be the same password as your user password)
If you're afflicted with an "original" keyboard variant you should only use keys that you know always map to the same characters.

image.png802×679 90.9 KB

On the next step you can choose your keyboard variant if needed, but keep in mind that this will not help if the drive encryption key contains characters that are misplaced across keyboard variants.

Now then, the installation is gonna go on for quite a while and after it completes and you reboot you should see this:

image.png722×479 20.1 KB

Assuming you can clear this screen, you're all setup.
If something failed, well hopefully someone from Canonical will wake up one of these days. :/

3 Likes
How can I check to verify my Ubuntu MATE OS is encrypted?
#2

Hi, is there a way to encrypt my disk after installation. thanks

#3

If a disk is fully encrypted, what happens if you forget the password ?
( I backup impt. files to a separate drive.)

I ask because the root user password can be changed with an installation disk.

Does Clonezilla work with an encrypted disk ?

#4

If you forget the password ‘normally’ you can’t access anymore the data on the disk.

#6

@kernel, I don’t think it’s possible to do this kind of disk encryption after installation, and even if I’m wrong, it’s probably way more difficult than simply reinstalling.

@fixit7, with FDE you can’t reset the password, because you can’t even drop to a root (recovery) shell. Attempting to alter the disk before the passphrase is entered will result in full data loss.

Since Clonezilla works on the OS, it only operates once the decryption passphrase has been entered so I don’t see why it wouldn’t work, but I haven’t tested this myself.

2 Likes
#7

Clonezilla works with partitions, so it’ll backup/restore an encrypted partition with no problems, no passphrase needed. Because all the data is scrambled, the resulting image will be larger and similar to a dd clone, because the filesystem can’t be identified.

1 Like
#9

Thanks ouroumov for the good info.

Why would scrambled data result in a bigger image ?

I thought that part of disk compression process counted the frequency of letters and characters in the file or system being compressed.

Or that the image is just a bit by bit copy ?

#10

The image is a bit by bit copy, as you say. I had a look at my Clonezilla backup of an encrypted partition and it seems by default, it simply didn’t bother with compression. I just tried gzip on a 4.1 GB image file and it could only shrink it by 237135 bytes (237 kB!!).

It would be wise to compress first, then encrypt it, but it’s a quite complicated to unlock the disk to do that.

I suppose it’s a downside to using full disk encryption, but worth it to stop people from accessing any of your data. :thumbsup:

1 Like
#11

I think I will pass on full disk encryption.

If I forgot the password, I would have to do a full re-install. :frowning:

And I am the only one who has physical access to my computer.

You are right. 237 kb is a negligible compression.