sandbox
|
Size: 3771
Comment:
|
Size: 3915
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 3: | Line 3: |
| #title Full Disk Encryption with Manual Control | #title Full System Encryption with Manual Control |
| Line 11: | Line 11: |
| This document is for you if you wish to use '''full-disk encryption''' with all of these features: | This document is for you if you wish to use '''full system encryption''' with all of these features: |
| Line 17: | Line 17: |
| * encrypted hibernation (optional) * hybrid suspend (optional) *&* * dual-booting (optional) * multi-disk installation (optional) |
and optionally any of these features: * encrypted hibernation * hybrid suspend *&* * dual-booting * multi-disk installation |
| Line 30: | Line 33: |
| * Always, when you install a system, there is a chance of '''data loss'''. Power failures are dealt with by checkpoints in the process, but no matter how careful you are, sometimes a person makes a silly mistake. For example, you accidentally delete the Windows partition. <<BR>><<BR>> Therefore, take a '''''full backup of all your data''''' before you start the process. If you know how to use [[http://clonezilla.org/|CloneZilla]], you would be well advised to back up your entire disk beforehand. |
* Always, when you install a system, there is a chance of '''data loss'''. No matter how careful you are, sometimes a person makes a silly mistake. For example, you accidentally delete the Windows partition. Or, something else can go wrong (I've had an installation cause data loss because a previously-unused part of the hard drive was faulty and caused it to crash). Therefore: {{{#!wiki warning Take a '''''full backup of all your data''''' before you start the process. If you know how to use [[http://clonezilla.org/|CloneZilla]], you would be well advised to back up your entire disk beforehand. }}} |
| Line 42: | Line 47: |
| * Having a strong passphrase does not obviate the need for a '''good account password'''. * If you leave your computer unattended while powered on, you must lock it, otherwise anyone with physical access can access your account. This includes installing malware such as a keylogger. * Without a password, a hacker (even without physical access) can access your account and install malware. |
* Having a strong passphrase does not obviate the need for a '''good account password'''. Without a password, or with only a weak password: * You cannot lock the computer when it is unattended and powered on. * Anyone with physical access, or a hacker with Internet access, will find it easy to access your account and steal data or install malware such as a keylogger. |
| Line 50: | Line 55: |
| Because the default Ubuntu Installer supports only the first two of the above-mentioned features (LUKS and LVM), this installation process is rather more complicated than one would like. Thus, this document is organised into several categories. They are intended to be read in this order. | Because the default Ubuntu Installer supports only the first two of the above-mentioned features (i.e. LUKS and LVM), and even then only for full-disk encryption, this installation process is rather more complicated than you might prefer. Thus, this document is organised into several sections. They are intended to be read in this order. |
| Line 53: | Line 58: |
| 1. [[/Basics|Basics of]] entering commands, partitioning, LUKS and LVM<<BR>>If you are new to Linux, or you don't know much about some or all of these, this section is for you. You can safely skip it if you already understand the concepts. | 1. [[/Basics|Basics of]] entering commands, partitioning, LUKS and LVM<<BR>>If you are new to Linux, or you don't know much about some or all of these, this section is for you. You can safely skip it if you are already familiar with these. |
| Line 55: | Line 62: |
| Line 56: | Line 64: |
| 1. [[/Troubleshooting|Troubleshooting]]<<BR>>Sometimes something goes wrong and you struggle to figure out what. Messages and errors can seem bewildering, so here are some pointers. | 1. [[/Troubleshooting|Troubleshooting]]<<BR>>Sometimes something goes wrong and you struggle to figure out what. Messages and errors can seem bewildering. Here are some pointers. |
Contents |
1. Purpose
This document is for you if you wish to use full system encryption with all of these features:
- LUKS
- LVM
- encrypted Boot
- manual partitioning
and optionally any of these features:
- encrypted hibernation
hybrid suspend *&*
- dual-booting
- multi-disk installation
As LVM is used, you can also use snapshots. This advanced topic is not covered here, but it is mentioned in the partitioning section.
2. Caveats
It is important for you to know the possible limitations (described in the Background) and the potential problems.
Always, when you install a system, there is a chance of data loss. No matter how careful you are, sometimes a person makes a silly mistake. For example, you accidentally delete the Windows partition. Or, something else can go wrong (I've had an installation cause data loss because a previously-unused part of the hard drive was faulty and caused it to crash). Therefore:
Take a full backup of all your data before you start the process. If you know how to use CloneZilla, you would be well advised to back up your entire disk beforehand.
The process optionally enables hibernation. While this should work well, some people have reported hardware that doesn't support it. So, you will need to test this on your machine after installation.
A consequence of full-disk encryption is that you need to type in a password or passphrase each time you power on your computer, including after hibernation.
If you share your computer with anyone else, they need to know the passphrase, even if they only use Windows.
You need a strong passphrase to prevent a hacker with physical access to your machine from breaking the encryption. You can look up "strong passphrase" for yourself; here's a pretty good method for paranoid mode.
Having a strong passphrase does not obviate the need for a good account password. Without a password, or with only a weak password:
- You cannot lock the computer when it is unattended and powered on.
- Anyone with physical access, or a hacker with Internet access, will find it easy to access your account and steal data or install malware such as a keylogger.
3. Organisation
Because the default Ubuntu Installer supports only the first two of the above-mentioned features (i.e. LUKS and LVM), and even then only for full-disk encryption, this installation process is rather more complicated than you might prefer. Thus, this document is organised into several sections. They are intended to be read in this order.
Background
A summary of the options; features; pros and cons; and purpose and limitations.Basics of entering commands, partitioning, LUKS and LVM
If you are new to Linux, or you don't know much about some or all of these, this section is for you. You can safely skip it if you are already familiar with these.High-level overview
What this process will achieve, and what you need to do to prepare.Detailed process
Exactly how to prepare your system and install Ubuntu with encryption. Checkpoints are given along the way. It takes into account dual-booting and, optionally, paranoid mode.Troubleshooting
Sometimes something goes wrong and you struggle to figure out what. Messages and errors can seem bewildering. Here are some pointers.
paddy-landau/sandbox (last edited 2017-04-04 18:58:46 by paddy-landau)