sandbox
Differences between revisions 19 and 59 (spanning 40 versions)
|
Size: 5661
Comment:
|
Size: 1168
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 3: | Line 3: |
| #title Full System Encryption with Manual Control | #title Manual Full System Encryption (with Extras) |
| Line 8: | Line 8: |
| = Purpose = | = Sandbox = |
| Line 11: | Line 11: |
| This document is for you if you wish to use '''full system encryption''' with all of these features: * LUKS * LVM * encrypted Boot * manual partitioning and optionally any of these features: * encrypted hibernation * hybrid suspend * dual-booting * multi-disk installation As LVM is used, you can also use snapshots. This advanced topic is not covered here, but it is mentioned in the partitioning section. |
A sandbox for Paddy Landau to develop documentation. |
| Line 28: | Line 14: |
| = Caveats = | = Other pages = |
| Line 31: | Line 17: |
| It is important for you to know the possible limitations (described in the [[/Background|Background]]) and the potential problems. | Other pages by Paddy |
| Line 33: | Line 19: |
| * Always, when you install a system, there is a chance of '''data loss'''. No matter how careful you are, sometimes a person makes a silly mistake. For example, you accidentally delete the Windows partition. Or, something else can go wrong (I've had an installation cause data loss because a previously-unused part of the hard drive was faulty and caused it to crash). Therefore: | * [[https://help.ubuntu.com/community/PlayOnLinux|PlayOnLinux]] This is somewhat outdated, but could still be useful for a beginner wanting to use Wine. |
| Line 35: | Line 22: |
| {{{#!wiki warning Take a '''''full backup''''' of '''''all of your data''''' before you start the process. }}} |
* [[https://help.ubuntu.com/community/EnableHibernateWithEncryptedSwap|Enable hibernation with encrypted swap]] For older systems that use encrypted folders but nothing else encrypted. |
| Line 39: | Line 25: |
| If you know how to use [[http://clonezilla.org/|CloneZilla]], you would be well advised to back up your entire disk beforehand. | * [[https://help.ubuntu.com/community/PostInstallationEncryption|Post-installation encryption]] For older systems that don't have any encryption, how to encrypt your folder. |
| Line 41: | Line 28: |
| * The process optionally enables '''hibernation'''. While this should work well, some people have reported hardware that doesn't support it. So, you will need to test this on your machine after installation. * A consequence of full system encryption is that you need to type in your passphrase '''each time you power on''' your computer, including after hibernation. * An unfortunate and inconvenient quirk is that if you mistype the passphrase, you have to reboot your computer to try again. I do not know a way around this. * If you share your computer with anyone else, '''they need to know the passphrase''', even if they only use Windows. * You need a '''strong passphrase''' to prevent a hacker with physical access to your machine from breaking the encryption. You can look up "strong passphrase" for yourself; here's a [[https://theintercept.com/2015/03/26/passphrases-can-memorize-attackers-cant-guess/|pretty good method]] for paranoid mode. * Having a strong passphrase does not obviate the need for a '''good account password'''. Without a password, or with only a weak password: * You cannot lock the computer when it is unattended and powered on. * Anyone with physical access, or a hacker with Internet access, will find it easy to access your account and steal data or install malware such as a keylogger. Remember that the ''passphrase for your computer'' and the ''password for your account'' are not the same. One lets you access your computer in the first place, whereas the other lets you log in after you have accessed your computer.<<FootNote(In this context, the terms "passphrase" and "password" are interchangeable, but in this document, I use "passphrase" for your computer decryption, and "password" for your account login.)>> * This process has been tested for a modern computer with EFI (aka UEFI). If your computer is too old to have EFI, the process would probably work if you omit any step that refers to it, but be aware that this type of encryption might slow down your old computer. * Encrypting everything is more CPU-intensive. Modern computers tend to have fast multiple CPUs and dedicated AES (encryption) chips, so on a modern computer, this pose no problem at all. You would be likely to find slower responses only on old computers. * This process has been test on Ubuntu 16.04 (Xenial Xerus) and partially on Ubuntu 16.10 (Yakkety Yak). It is unlikely to work on previous versions. It will probably will work on later versions, at least for a few years. = Document Structure = Because the default Ubuntu Installer supports only the first two of the above-mentioned features (i.e. LUKS and LVM), and even then only for full-disk encryption, this installation process is rather more complicated than you might prefer. Thus, this document is organised into several sections. They are intended to be read in the order given here. 1. [[/Background|Background]]<<BR>>A summary of the options; features; benefits and downsides; and purpose and limitations.<<BR>> It contains important notes and further caveats, so please read the Background before proceeding. 1. [[/Basics|Basics of]]… * Hybrid suspend * Command line interface (CLI), aka the terminal * Partitioning * LUKS * LVM * Editing files from root If you are new to Linux, or you don't know much about some or all of these features, this section is for you. You can safely skip the Basics if you are already familiar with all of these concepts. 1. [[/Overview|High-level overview]]<<BR>>What this process will achieve, and what you need to do to prepare. It includes freeing space on your hard drive if your current system has taken it all. 1. [[/Process|Detailed process]]<<BR>>Exactly how to prepare your system and install Ubuntu with encryption. Checkpoints are given along the way. It takes into account dual-booting and, optionally, paranoid mode. 1. [[/Troubleshooting|Troubleshooting]]<<BR>>Sometimes something goes wrong and you struggle to figure out what. Errors and their messages can seem bewildering. Here are some pointers. ---- ---------- |
* [[https://help.ubuntu.com/community/ManualFullSystemEncryption|Manual full-system encryption]] For newer systems (starting with Ubuntu 16.04), how to install Ubuntu fully encrypted, while optionally being able to dual-boot with other systems, say Windows. |
Contents |
1. Sandbox
A sandbox for Paddy Landau to develop documentation.
2. Other pages
Other pages by Paddy
- This is somewhat outdated, but could still be useful for a beginner wanting to use Wine.
Enable hibernation with encrypted swap
- For older systems that use encrypted folders but nothing else encrypted.
- For older systems that don't have any encryption, how to encrypt your folder.
- For newer systems (starting with Ubuntu 16.04), how to install Ubuntu fully encrypted, while optionally being able to dual-boot with other systems, say Windows.
paddy-landau/sandbox (last edited 2017-04-04 18:58:46 by paddy-landau)