sandbox

Differences between revisions 2 and 57 (spanning 55 versions)
Revision 2 as of 2017-03-13 17:41:05
Size: 3138
Editor: paddy-landau
Comment:
Revision 57 as of 2017-04-02 21:37:20
Size: 9151
Editor: paddy-landau
Comment:
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
<<Include(WikiGuide/Toolkit/MenuBar)>>
#language en
#pragma section-numbers on
#title Manual Full System Encryption (with Extras)
Line 3: Line 5:
= Full disk manual encryption =
||<tablestyle="float:right; font-size: 0.9em; width:40%; background:#F1F1ED; margin: 0 0 1em 1em;" style="padding:0.5em;"><<TableOfContents(2)>>||
Line 5: Line 7:
||<tablestyle="float:right; font-size: 0.9em; width:40%; background:#F1F1ED; margin: 0 0 1em 1em;" style="padding:0.5em;"><<TableOfContents>>||
= Purpose =


----

~+'''April 2017:'''+~

 * ~+'''These instructions are in "beta", which means that some errors may be present.'''+~

----

This document is for you if you wish to use '''full system encryption''' with all of these features:

 * LUKS
 * LVM
 * encrypted Boot
 * manual partitioning

and optionally any of these features:

 * dual-booting
 * encrypted hibernation
 * hybrid suspend
 * multi-disk installation


== Advanced features ==


The following advanced features are possible, but are not covered in this process.

 Snapshot::
 :: Take a snapshot of your Ubuntu system, e.g. before doing a risky upgrade, and easily roll back if required.
 :: Requires a good knowledge of LVM, and strongly recommended to have a separate partition for `/home`.

 Boot from external USB::
 :: Put the two small unencrypted parts of the boot system — the bootloader and the ESP (EFI System Partition) — onto a USB stick, so that the computer cannot be started without the USB stick. Nothing unencrypted is left on the computer, except for what comes built in with the hardware and any existing system such as Windows.

 Computer without UEFI::
 :: This process only works on computers with UEFI.
 :: On a computer without UEFI, a modified process will work, but the Boot partition cannot be encrypted. However, you can boot from an external USB to mitigate this problem (see the previous point).

If you don't know whether or not your computer uses UEFI, see [[/BasicsEFI|Basics of EFI]].


= Advanced users and newcomers to Ubuntu =


These instructions have tried to assume the least amount of prior knowledge of Linux. Seasoned users will fly through them and will find some of the instructions blatantly obvious, while newcomers will need to read the various sections carefully.


= Paranoid mode =


Encryption can be taken a little further, which might be an idea if you deal with huge volumes of sensitive customer data; government secrets or spying; confidential proprietary business research; or conspiracy theories and aliens.

Where appropriate, notes will be made for this in the instructions. Although, thinking about it, you are probably at higher risk from social engineering and online hacking.


= Caveats =


There are quite a few notes below, but as it is important for you to know the potential problems, please read them all. (Further limitations are described in the [[/Background|Background]].)


== Support ==


 * These instructions are not officially supported by Canonical, and so you use them at your own risk.

 * This process has been tested on Ubuntu 16.04 (Xenial Xerus) and partially on Ubuntu 16.10 (Yakkety Yak). It is unlikely to work on previous versions. It will probably work on later versions, at least for several years.

 * This process has not been tested on distributions other than Ubuntu itself, but all Ubuntu-based distributions (e.g. [[http://lubuntu.net/|Lubuntu]] and [[https://linuxmint.com/|Mint]]) are likely to work.


== Data loss ==


 * Always, when you install a system, there is a chance of '''data loss'''. No matter how careful you are, sometimes a person makes a silly mistake. For example, you accidentally delete the Windows partition. Or, something else can go wrong (I've had an installation cause data loss because a previously-unused part of the hard drive was faulty and caused it to crash). Therefore:

{{{#!wiki warning
 Take a '''''full backup''''' of '''''all of your data''''' before you start the process.
}}}

   If you know how to use [[http://clonezilla.org/|CloneZilla]], you would be well advised to back up your entire disk beforehand.


== Hardware compatibility ==


 * These instructions are tailored for computers with UEFI as noted in [[#Advanced_features|Advanced features]] above.

 * Hardware can be quite different, and sometimes an OEM does not properly adhere to the standards. This means that the installation cannot be guaranteed to work on your specific hardware, sorry.

 * These instructions are designed only for Windows and Linux-based computers, and do not cover any other system including Apple devices. If you wish to adapt these instructions to Apple or other devices, they probably will work with the right modifications, but I cannot promise this.

 * The process enables '''hibernation''' and '''hybrid suspend'''. While this should work well, some people have reported hardware that doesn't support it. So, you will need to test this on your machine after installation.

 * Encrypting everything is CPU-intensive. Modern computers tend to have fast multiple CPUs and dedicated AES (encryption) chips, so on a modern computer, this poses no problem at all. If you are using this process on an older machine, you might notice decreased speed.
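A pre-flight check for the caveats above, written as an added POSIX shell example (not from the wiki page or the Ubuntu project). It tests for UEFI firmware, an AES-NI CPU flag, the `cryptsetup` and `lvm` commands on the live system, and swap at least as large as RAM for hibernation; that swap rule and the file-path parameters are my assumptions, the latter only so the checks can be run against constructed sample files.

```shell
#!/bin/sh
# Pre-flight checks for the manual full-system-encryption process (added
# example, not part of the wiki page). Covers the Caveats: UEFI firmware
# (needed for an encrypted Boot), an AES-NI CPU (speed), the LUKS and LVM
# tools on the live system, and swap large enough to hibernate. Paths are
# parameters only so the checks can be run against constructed files.

# has_uefi <sysfs-efi-dir>: succeeds if the kernel was booted by EFI firmware.
has_uefi() {
    [ -d "${1:-/sys/firmware/efi}" ]
}

# has_aesni <cpuinfo-file>: succeeds if a CPU advertises the "aes" flag.
has_aesni() {
    grep -qw aes "${1:-/proc/cpuinfo}" 2>/dev/null
}

# swap_covers_ram <meminfo-file>: succeeds if SwapTotal >= MemTotal, the rule
# of thumb assumed here for hibernation (the page itself gives no swap size).
swap_covers_ram() {
    awk '/^MemTotal:/ {m=$2} /^SwapTotal:/ {s=$2} END {exit !(s >= m)}' \
        "${1:-/proc/meminfo}"
}

# preflight_report <sysfs-efi-dir> <cpuinfo-file> <meminfo-file>
# Prints one line per check and returns the number of failed hard requirements
# (UEFI, cryptsetup, lvm); AES-NI and swap size are warnings only.
preflight_report() {
    failures=0
    if has_uefi "$1"; then
        echo "OK    booted in UEFI mode (encrypted Boot is possible)"
    else
        echo "FAIL  not booted in UEFI mode: this process needs UEFI"
        failures=$((failures + 1))
    fi
    if has_aesni "$2"; then
        echo "OK    CPU has AES-NI; LUKS overhead will be small"
    else
        echo "WARN  no AES-NI flag: expect slower disk throughput"
    fi
    for tool in cryptsetup lvm; do
        if command -v "$tool" >/dev/null 2>&1; then
            echo "OK    $tool is installed"
        else
            echo "FAIL  $tool is missing on this live system"
            failures=$((failures + 1))
        fi
    done
    if swap_covers_ram "$3"; then
        echo "OK    swap is at least as large as RAM, so hibernation can work"
    else
        echo "WARN  swap is smaller than RAM: hibernation may fail"
    fi
    return "$failures"
}

# Run the report; $status keeps the failed-requirement count (|| avoids set -e).
status=0
preflight_report "$@" || status=$?
```

Run it from the live session before partitioning; a non-zero `$status` means a hard requirement of this process is not met.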


== Encryption ==


 * A consequence of full system encryption is that you need to type in your system passphrase '''each time you power on''' your computer, including after hibernation. This is only for access to Ubuntu; you won't need it for access to other installed systems (e.g. Windows).

   * An unfortunate and inconvenient quirk is that if you mistype the system passphrase, you have to reboot your computer to try again. I do not know a way around this.

   * If you share your computer with anyone else, '''they need to know the system passphrase''' — but only if they use Ubuntu.

   * You need a '''strong system passphrase''' to prevent a hacker with physical access to your machine from breaking the encryption. You can look up "strong passphrase" for yourself; here's one [[https://theintercept.com/2015/03/26/passphrases-can-memorize-attackers-cant-guess/|pretty good method]] for paranoid mode.

 * Having a strong system passphrase does not obviate the need for a '''good account password'''. Without a password, or with only a weak password:
   * You cannot lock the computer when it is unattended and powered on.
   * Anyone with physical access, or a hacker with Internet access, will find it easy to access your account and steal data or install malware such as a keylogger.
 Remember that the ''system passphrase'' and the ''password for your account'' are not the same. One lets you access Ubuntu in the first place, whereas the other lets you log into Ubuntu after you have accessed your computer.<<FootNote(In this context, the terms "passphrase" and "password" are interchangeable, but in this document, I use "passphrase" for your computer decryption, and "password" for your account login.)>>


= Document Structure =


Because the default Ubuntu Installer supports only the first two of the above-mentioned features (i.e. LUKS and LVM), and then only for full-disk encryption, this installation process is rather more complicated than we might prefer. Thus, this document is organised into several sections. They are intended to be read in the order given here.
Line 9: Line 134:
Deleted (revision 2):
=== Default installation options ===
Added (revision 57):
== Background ==
Line 11: Line 135:
Deleted (revision 2):
The Ubuntu Installer provides two encryption options upon installation.
Added (revision 57):
The [[/Background|Background]] provides a summary of the options; features; benefits and downsides; and purpose and limitations.
Line 13: Line 137:
Deleted (revision 2):
 1. Encrypted home folder. This protects only your personal data, not the programs or anything else (although swap is encrypted).
 1. Full-disk encryption, which protects everything, including against the surreptitious installation of malware.
Added (revision 57):
It contains important notes and further caveats, so please read the Background before proceeding.
Line 16: Line 139:
Deleted (revision 2):
Unfortunately, both of these options have important problems.
Line 18: Line 140:
Deleted (revision 2):
 1. Encrypted home folder
  * Leaves the system open to anyone with physical access to install a keylogger or any other malware.
  * Hibernation isn't enabled.
  * Temporary files are stored by default on `/tmp`, which is unencrypted and can leave data exposed.
 1. Full-disk encryption
  * You cannot dual-boot with another system, and your entire disk is wiped. So, if you have Windows, well, goodbye Windows!
  * Boot is unencrypted, leaving an open vector for malware.
  * It doesn't support manual partitioning;
  * or hibernation;
  * or dual-booting;
  * or multi-disk installation (e.g. SSD for the system and hard drive for Home).
Added (revision 57):
== The basics ==
Line 30: Line 142:
Deleted (revision 2):
=== The manual system ===
Line 32: Line 143:
Deleted (revision 2):
==== The pros ====
Added (revision 57):
Understanding several concepts is necessary to successfully complete the installation.
Line 34: Line 145:
Deleted (revision 2):
 * Full encryption using LUKS;
 * including Boot
 * Manual partitioning;
 * with LVM
 * Encrypted hibernation
 * Dual-booting
 * Multi-disk installation
Added (revision 57):
If you are a newcomer, read through each of the following sections, preferably in order. They are uncomplicated, and the subsequent detailed instructions will lead you carefully through each step. But you need an understanding, otherwise you might be confused later.
Line 42: Line 147:
Deleted (revision 2):
==== The cons ====
Added (revision 57):
A seasoned user can skip each section where you are already familiar and experienced with the topic.
Line 44: Line 149:
Deleted (revision 2):
There are, unfortunately, some cons.
Added (revision 57):
 * [[/BasicsHybridSuspend|Hybrid suspend]]
Line 46: Line 151:
Deleted (revision 2):
 * It is a lengthy process to set up, and a small error can cause failure to boot (which is solvable, but with some difficulty). The installer should provide an automatic option to do this, but sadly it doesn't.
 * It is a little difficult for newcomers to Ubuntu, so if you're a newcomer:
  * You'll have to first learn a bit about partitioning and its naming standards in Linux. If you come from a Windows background, you'll also have to learn the difference between a disk and a partition, which Windows unhelpfully obscures.
  * You'll need to learn how to use the Terminal. It's easy (dead easy), but still. Actually, much if not all of these instructions can be done through GUI applications, but ironically that would be slower, more error-prone, and far more difficult to document.
 * It doesn't encrypt Windows or other systems.
  * Note: Encrypted Windows is in fact possible if you have sufficient RAM, a powerful-enough machine, and are willing to run it in a virtual machine. I contacted Microsoft, and the advisor told me that you can do this with the computer's existing Windows license, as long as the virtual machine stays on the computer to which Windows is licensed.
Added (revision 57):
 * [[/BasicsCommandLineInterface|Command line interface]] (CLI), aka the terminal
Line 53: Line 153:
Deleted (revision 2):
==== Retrofitting encryption onto an existing system ====
Added (revision 57):
 * [[/BasicsEFI|EFI]], aka UEFI
Line 55: Line 155:
Deleted (revision 2):
You can retro-fit encryption onto an already-installed system, but these instructions do not cover how to do this. You will probably find it significantly easier to do a full backup, install Ubuntu afresh as described here, and restore your data.
Added (revision 57):
 * [[/BasicsPartitioning|Partitioning]], including naming of partitions and of file systems
Line 57: Line 157:
Deleted (revision 2):
== Why use encryption? ==
Added (revision 57):
 * [[/BasicsLUKS|LUKS encryption]]
 * [[/BasicsLVM|LVM]]
 * [[/BasicsTextFiles|Text files]], including how to edit them during the installation


== High-level overview ==


Complete the [[/Overview|high-level overview]] before you proceed. It explains what this process will achieve, and what you need to do to prepare. It includes freeing space on your hard drive if your current system has taken it all.


== Detailed process ==


The [[/DetailedProcess|detailed process]] shows exactly how to prepare your system and install Ubuntu with encryption.

The process takes into account dual-booting and, optionally, paranoid mode.


== Troubleshooting ==


Sometimes something goes wrong and you struggle to figure out what. Errors and their messages can seem bewildering.

Refer to the [[/Troubleshooting|troubleshooting guide]] for some pointers.

----

paddy-landau/sandbox (last edited 2017-04-04 18:58:46 by paddy-landau)