sandbox

Differences between revisions 6 and 37 (spanning 31 versions)
Revision 6 as of 2017-03-14 10:08:33
Size: 3276
Editor: paddy-landau
Comment:
Revision 37 as of 2017-03-20 16:02:52
Size: 7822
Editor: paddy-landau
Comment:
Line 3: Line 3:
#title Full Disk Encryption with Manual Control #title Full System Encryption with Extras
Line 5: Line 5:
= Full disk manual encryption = ||<tablestyle="float:right; font-size: 0.9em; width:40%; background:#F1F1ED; margin: 0 0 1em 1em;" style="padding:0.5em;"><<TableOfContents(2)>>||
Line 7: Line 7:
= *&* https://wiki.ubuntu.com/paddy-landau/sandbox =
Line 9: Line 8:
||<tablestyle="float:right; font-size: 0.9em; width:40%; background:#F1F1ED; margin: 0 0 1em 1em;" style="padding:0.5em;"><<TableOfContents>>|| = Purpose =
Line 11: Line 10:
== Purpose ==
Line 13: Line 11:
This document is for you if you wish to use '''full-disk encryption''' with all of these features: This document is for you if you wish to use '''full system encryption''' with all of these features:
Line 16: Line 14:
 * LVM
Line 18: Line 17:
 * LVM
and optionally any of these features:
Line 20: Line 21:
 * hybrid susend *&*
 * dual-booting (optional)
 * multi-disk installation (optional)
 * hybrid suspend
 * dual-booting
 * multi-disk installation
Line 24: Line 25:
== Organisation == The following advanced features are available, but are not covered in this process.
Line 26: Line 27:
Because the default Ubuntu Installer does not support several of the above-mentioned features, the process is rather more complicated than one would like. Thus, this document is organised into several categories. Please read them in order to prevent being confused.  * Snapshot: Take a snapshot of your system, e.g. before doing a risky upgrade, and easily roll back if required.
Line 28: Line 29:
 1. [[/Background|Background]]<<BR>>A summary of the options; features; pros and cons; and purpose and limitations.
 1. [[/Basics|Basics of]] entering commands, partitioning, LUKS and LVM<<BR>>If you are new to Linux, or you don't know much about some or all of these, this section is for you. You can safely skip it if you already know about these three things.
 1. [[/Overview|High-level overview]]<<BR>>What this process will achieve, and what you need to do to prepare.
 1. [[/Process|Detailed process]]<<BR>>Exactly how to prepare your system and install Ubuntu with encryption. It takes into account dual-booting and the optional paranoid mode.
 1. [[/Troubleshooting|Troubleshooting]]<<BR>>Sometimes something goes wrong and you struggle to figure out what. Messages and errors can seem bewildering, so here are some pointers.
 * Boot from external USB: Put the two small unencrypted parts of the boot system (the bootloader and the ESP) onto a USB stick, so the computer cannot be started without the USB stick. Nothing unencrypted is left on the computer, except for what comes built in with the hardware and any existing system such as Windows.


== Paranoid mode ==


Encryption can be taken a little further, which might be an idea if you deal with huge volumes of sensitive customer data; government secrets or spying; confidential proprietary business research; or conspiracy theories and aliens.

Where appropriate, notes will be made for this in the instructions. Although, thinking about it, you are probably at higher risk from social engineering and online hacking.
Line 36: Line 42:
It is important for you to know the possible limitations (described in the [[/Background|Background]]) and the potential problems.
Line 38: Line 43:
 * When you install a system, there is always the chance of data loss. There are quite a few notes below, but as it is important for you to know the possible potential problems, please read them all. (Further limitations are described in the [[/Background|Background]].)
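
Review bot: The new introductory sentence in this hunk says "possible potential problems", which is redundant; "potential problems" alone reads better. The sentence also opens with "There are quite a few notes below, but as it is important...", which buries the request. Consider leading with "Please read all of the notes below" and then giving the reason.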
Line 40: Line 45:
    * If the power fails during the installation, you can restart from the beginning or (depending on when the failure occurred) a checkpoint.  * Always, when you install a system, there is a chance of '''data loss'''. No matter how careful you are, sometimes a person makes a silly mistake. For example, you accidentally delete the Windows partition. Or, something else can go wrong (I've had an installation cause data loss because a previously-unused part of the hard drive was faulty and caused it to crash). Therefore:
Line 42: Line 47:
    * No matter how careful you are, sometimes a person makes a silly mistake. For example, you accidentally delete the Windows partition. {{{#!wiki warning
 Take a '''''full backup''''' of '''''all of your data''''' before you start the process.
}}}
Line 44: Line 51:
 Therefore, take a '''''full backup of all your data''''' before you start the process. If you know how to use [[http://clonezilla.org/|CloneZilla]], you would be well advised to back up your entire disk beforehand.    If you know how to use [[http://clonezilla.org/|CloneZilla]], you would be well advised to back up your entire disk beforehand.
Line 46: Line 53:
 * The process optionally enables hibernation. While this should work well, some people have reported hardware that doesn't support it. So, you will need to test this on your machine after installation.  * The process optionally enables '''hibernation'''. While this should work well, some people have reported hardware that doesn't support it. So, you will need to test this on your machine after installation.
Line 48: Line 55:
 * A consequence of full-disk encryption is that you need to type in a password or passphrase each time you power on your computer.  * A consequence of full system encryption is that you need to type in your passphrase '''each time you power on''' your computer, including after hibernation.
Line 50: Line 57:
   * If you share your computer with anyone else, that person needs to know the passphrase, even if they only use Windows.    * An unfortunate and inconvenient quirk is that if you mistype the passphrase, you have to reboot your computer to try again. I do not know a way around this.
Line 52: Line 59:
   * If your passphrase isn't '''strong''', it will be easy for a hacker with physical access to your machine to break the encryption. You can look up "strong passphrase" for yourself; here's a [[https://theintercept.com/2015/03/26/passphrases-can-memorize-attackers-cant-guess/|pretty good method]] for paranoid mode.    * If you share your computer with anyone else, '''they need to know the passphrase''', even if they only use Windows.

   * You need a '''strong passphrase''' to prevent a hacker with physical access to your machine from breaking the encryption. You can look up "strong passphrase" for yourself; here's a [[https://theintercept.com/2015/03/26/passphrases-can-memorize-attackers-cant-guess/|pretty good method]] for paranoid mode.

 * Having a strong passphrase does not obviate the need for a '''good account password'''. Without a password, or with only a weak password:
   * You cannot lock the computer when it is unattended and powered on.
   * Anyone with physical access, or a hacker with Internet access, will find it easy to access your account and steal data or install malware such as a keylogger.
 Remember that the ''passphrase for your computer'' and the ''password for your account'' are not the same. One lets you access your computer in the first place, whereas the other lets you log in after you have accessed your computer.<<FootNote(In this context, the terms "passphrase" and "password" are interchangeable, but in this document, I use "passphrase" for your computer decryption, and "password" for your account login.)>>

 * This process has been tested for a modern computer with EFI. See [[/Basics#EFI|Basics → EFI]] for further information.

 * Encrypting everything is more CPU-intensive. Modern computers tend to have fast multiple CPUs and dedicated AES (encryption) chips, so on a modern computer, this poses no problem at all. You would be likely to notice slower responses only on very old computers.

 * This process has been test on Ubuntu 16.04 (Xenial Xerus) and partially on Ubuntu 16.10 (Yakkety Yak). It is unlikely to work on previous versions. It will probably will work on later versions, at least for a few years.

 * These instructions are designed only for Windows and Linux-based computers, and do not cover any other system including Apple devices. If you wish to adapt these instructions to Apple or other devices, they probably will work, but I cannot promise this.

 * Hardware can be quite different, and sometimes an OEM will not adhere to the proper standards. This means that the installation cannot be guaranteed to work on your specific system, sorry.


= Distributions other than Ubuntu =


This process has not been tested on other Linux versions, but all Ubuntu-based distributions (, e.g. [[http://lubuntu.net/|Lubuntu]] and [[https://linuxmint.com/|Mint]]) are likely to work with this process.


= Document Structure =


Because the default Ubuntu Installer supports only the first two of the above-mentioned features (i.e. LUKS and LVM), and even then only for full-disk encryption, this installation process is rather more complicated than you might prefer. Thus, this document is organised into several sections. They are intended to be read in the order given here.


== Background ==


The [[/Background|Background]] provides summary of the options; features; benefits and downsides; and purpose and limitations.

It contains important notes and further caveats, so please read the Background before proceeding.


== The basics ==


Understanding several concepts is necessary to successfully complete the installation.

If you are a newcomer, read through each of the following sections, preferably in order. They are uncomplicated, and the subsequent detailed instructions will lead you carefully through each step. But you need an understanding otherwise they you might be confused later.

A seasoned user can skip each section where you are already familiar and experienced with the topic.

    * [[/BasicsHybridSuspend|Hybrid suspend]]

    * [[/BasicsCommandLineInterface|Command line interface]] (CLI), aka the terminal

    * [[/BasicsEFI|EFI]] (aka UEFI)

    * [[/BasicsPartitioning|Partitioning]], including naming of partitions and file systems

    * [[/BasicsLUKS|LUKS encryption]]

    * [[/BasicsLVM|LVM]]

    * [[/BasicsTextFiles|Text files]], including how to edit them during the installation


== High-level overview ==


The [[/Overview|high-level overview]] explains what this process will achieve, and what you need to do to prepare. It includes freeing space on your hard drive if your current system has taken it all.


== Detailed process ==


The [[/DetailedProcess|detailed process]] shows exactly how to prepare your system and install Ubuntu with encryption.

Checkpoints are given along the way.

It takes into account dual-booting and, optionally, paranoid mode.


== Troubleshooting ==


Sometimes something goes wrong and you struggle to figure out what. Errors and their messages can seem bewildering. Here are some pointers.

Refer to the [[/Troubleshooting|troubleshooting guide]] to help.
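
Review bot: The EFI caveat in this hunk links to `[[/Basics#EFI|Basics → EFI]]`, but the new "The basics" list in the same hunk links the same topic as `[[/BasicsEFI|EFI]]`. One of the two targets is presumably stale, so both should point at the same page. The added text also has several wording slips to correct: "has been test on" should be "has been tested on", "It will probably will work" has a doubled "will", "(, e.g. [[http://lubuntu.net/|Lubuntu]]" has a stray comma after the opening bracket, "provides summary" is missing "a", and "otherwise they you might be confused" has a stray "they".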

----
----------

1. Purpose

This document is for you if you wish to use full system encryption with all of these features:

  • LUKS
  • LVM
  • encrypted Boot
  • manual partitioning

and optionally any of these features:

  • encrypted hibernation
  • hybrid suspend
  • dual-booting
  • multi-disk installation

The following advanced features are available, but are not covered in this process.

  • Snapshot: Take a snapshot of your system, e.g. before doing a risky upgrade, and easily roll back if required.
  • Boot from external USB: Put the two small unencrypted parts of the boot system (the bootloader and the ESP) onto a USB stick, so the computer cannot be started without the USB stick. Nothing unencrypted is left on the computer, except for what comes built in with the hardware and any existing system such as Windows.

1.1. Paranoid mode

Encryption can be taken a little further, which might be an idea if you deal with huge volumes of sensitive customer data; government secrets or spying; confidential proprietary business research; or conspiracy theories and aliens.

Where appropriate, notes will be made for this in the instructions. Although, thinking about it, you are probably at higher risk from social engineering and online hacking.

2. Caveats

There are quite a few notes below, but as it is important for you to know the potential problems, please read them all. (Further limitations are described in the Background.)

  • Always, when you install a system, there is a chance of data loss. No matter how careful you are, sometimes a person makes a silly mistake. For example, you accidentally delete the Windows partition. Or, something else can go wrong (I've had an installation cause data loss because a previously-unused part of the hard drive was faulty and caused it to crash). Therefore:

  • Take a full backup of all of your data before you start the process.

  • If you know how to use CloneZilla, you would be well advised to back up your entire disk beforehand.

  • The process optionally enables hibernation. While this should work well, some people have reported hardware that doesn't support it. So, you will need to test this on your machine after installation.

  • A consequence of full system encryption is that you need to type in your passphrase each time you power on your computer, including after hibernation.

    • An unfortunate and inconvenient quirk is that if you mistype the passphrase, you have to reboot your computer to try again. I do not know a way around this.
    • If you share your computer with anyone else, they need to know the passphrase, even if they only use Windows.

    • You need a strong passphrase to prevent a hacker with physical access to your machine from breaking the encryption. You can look up "strong passphrase" for yourself; here's a pretty good method for paranoid mode.

  • Having a strong passphrase does not obviate the need for a good account password. Without a password, or with only a weak password:

    • You cannot lock the computer when it is unattended and powered on.
    • Anyone with physical access, or a hacker with Internet access, will find it easy to access your account and steal data or install malware such as a keylogger.

    Remember that the passphrase for your computer and the password for your account are not the same. One lets you access your computer in the first place, whereas the other lets you log in after you have accessed your computer. [1]

  • This process has been tested for a modern computer with EFI. See Basics → EFI for further information.

  • Encrypting everything is more CPU-intensive. Modern computers tend to have fast multiple CPUs and dedicated AES (encryption) chips, so on a modern computer, this poses no problem at all. You would be likely to notice slower responses only on very old computers.
  • This process has been tested on Ubuntu 16.04 (Xenial Xerus) and partially on Ubuntu 16.10 (Yakkety Yak). It is unlikely to work on previous versions. It will probably work on later versions, at least for a few years.
  • These instructions are designed only for Windows and Linux-based computers, and do not cover any other system including Apple devices. If you wish to adapt these instructions to Apple or other devices, they probably will work, but I cannot promise this.
  • Hardware can be quite different, and sometimes an OEM will not adhere to the proper standards. This means that the installation cannot be guaranteed to work on your specific system, sorry.
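
The EFI, AES and release caveats above can be checked before you start. The script below is an added example, not part of the original wiki page; the function names and the optional root-prefix argument are assumptions of the example, and the sample tree it can build is constructed.

```shell
#!/bin/sh
# Added example: pre-flight checks for the EFI, AES and release caveats.
# The optional ROOT argument is an assumption of this example: a path prefix
# so the checks can run against a constructed tree instead of the live system.

# True if the kernel was booted in EFI mode (it then exposes this directory).
booted_efi() {
    [ -d "${1:-}/sys/firmware/efi" ]
}

# True if any x86 CPU "flags" line in cpuinfo lists the aes instruction set.
has_aes() {
    awk -F: '/^flags/ && $2 ~ /(^| )aes( |$)/ { found = 1 }
             END { exit !found }' "${1:-}/proc/cpuinfo" 2>/dev/null
}

# Prints tested / partial / untested, following the caveat above:
# tested on Ubuntu 16.04, partially on 16.10, nothing else verified.
release_status() {
    osr="${1:-}/etc/os-release"
    [ -r "$osr" ] || { echo untested; return 0; }
    id=$(sed -n 's/^ID=//p' "$osr" | tr -d '"')
    ver=$(sed -n 's/^VERSION_ID=//p' "$osr" | tr -d '"')
    case "$id:$ver" in
        ubuntu:16.04) echo tested ;;
        ubuntu:16.10) echo partial ;;
        *)            echo untested ;;
    esac
}

# Report all three checks; the exit status is non-zero when the machine was
# not booted in EFI mode, the configuration this process was tested on.
preflight() {
    rc=0
    if booted_efi "${1:-}"; then echo "EFI boot: yes"
    else echo "EFI boot: no (this process was tested on EFI machines)"; rc=1; fi
    if has_aes "${1:-}"; then echo "AES instructions: yes"
    else echo "AES instructions: no (encryption will cost more CPU time)"; fi
    echo "Release: $(release_status "${1:-}")"
    return "$rc"
}

# Constructed sample tree (not a real machine) for trying the checks offline.
make_sample_root() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/sys/firmware/efi" "$d/proc" "$d/etc"
    printf 'flags\t\t: fpu sse2 aes avx\n' > "$d/proc/cpuinfo"
    printf 'ID=ubuntu\nVERSION_ID="16.04"\n' > "$d/etc/os-release"
    echo "$d"
}
```

Calling `preflight` with no argument checks the running system, for example the live session you boot the installer from.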

3. Distributions other than Ubuntu

This process has not been tested on other Linux versions, but all Ubuntu-based distributions (e.g. Lubuntu and Mint) are likely to work with this process.

4. Document Structure

Because the default Ubuntu Installer supports only the first two of the above-mentioned features (i.e. LUKS and LVM), and even then only for full-disk encryption, this installation process is rather more complicated than you might prefer. Thus, this document is organised into several sections. They are intended to be read in the order given here.

4.1. Background

The Background provides a summary of the options; features; benefits and downsides; and purpose and limitations.

It contains important notes and further caveats, so please read the Background before proceeding.

4.2. The basics

Understanding several concepts is necessary to successfully complete the installation.

If you are a newcomer, read through each of the following sections, preferably in order. They are uncomplicated, and the subsequent detailed instructions will lead you carefully through each step. But you need an understanding of them, otherwise you might be confused later.

If you are a seasoned user, you can skip any section whose topic you are already familiar and experienced with.

4.3. High-level overview

The high-level overview explains what this process will achieve, and what you need to do to prepare. It includes freeing space on your hard drive if your current system has taken it all.

4.4. Detailed process

The detailed process shows exactly how to prepare your system and install Ubuntu with encryption.

Checkpoints are given along the way.

It takes into account dual-booting and, optionally, paranoid mode.

4.5. Troubleshooting

Sometimes something goes wrong and you struggle to figure out what. Errors and their messages can seem bewildering. Here are some pointers.

Refer to the troubleshooting guide to help.



  1. In this context, the terms "passphrase" and "password" are interchangeable, but in this document, I use "passphrase" for your computer decryption, and "password" for your account login.

paddy-landau/sandbox (last edited 2017-04-04 18:58:46 by paddy-landau)