How To Encrypt Ubuntu?

Discussion in 'privacy problems' started by tetrohedron, Jul 6, 2012.

Thread Status:
Not open for further replies.
  1. tetrohedron

    tetrohedron Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    2
    Location:
    USA
    I posted this in privacy technology but I think it belongs here. I will try to delete the original post.

    For the past few months, I have been playing with linux oses. Now that I have a better idea about what I want from my computer, I am going to set up a dual boot with Windows 7 and Ubuntu. I generally consider my Windows 7 partition to be my public everybody have fun and use my computer partition, and my linux partition a bit more of a private playground for my various computer projects. As such, I would like to encrypt Ubuntu.

    If possible, I would really like to use truecrypt to do this. It seems state of the art and frankly I like the idea of it. However, I don't want to encrypt my whole system. I am not a black hat, or a criminal, or a government spook. I don't need it. I just want some privacy and the satisfaction of knowing that nobody can crack into my Ubuntu os (not that I am expecting anybody to try).

    What are my options?
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    Have you considered running Ubuntu as a VM? With dual boot, you may end up rebooting more often than you like. Using the alternate Ubuntu install ISO, you can easily create a VM with encrypted LVM.
     
  3. tetrohedron

    tetrohedron Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    2
    Location:
    USA
    Yes. One thing that I would like to do on Ubuntu is to run a few virtual machines. I would definitely prefer the dual boot.
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    OK. Using the Ubuntu alternate install disk, you'll need two partitions for encrypted LVM: 1) 200-300 MB for unencrypted boot; and 2) another for encrypted LVM (swap, root and home). You want to use the manual method, to avoid trashing the Windows partition. And see -http://ubuntuforums.org/showthread.php?t=2004220- about potential problem installing grub.
     
  5. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    I just answered you on the Ubuntu forums, but will answer here too.

    You can't. Truecrypt does not support encrypting Linux OS's (only supports containers).

    To encrypt the entire Ubuntu installation, you only have one option: the alternate install CD. You will need to download and burn that first. After that you will have to setup LVM and LUKS partitions. Here's a decent guide: http://www.linuxbsdos.com/2011/05/10/how-to-install-ubuntu-11-04-on-an-encrypted-lvm-file-system/
     
  6. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    I second the above link. Best tutorial I found for Encrypted Ubuntu.

    PD
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    The OP also needs a good link about dual booting with Windows 7.
     
  8. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Here's how I did it. It's more advanced than the poster wants, and is more 'involved', but it is *one* way to do it.

    Partition the first partition for Windows 7. Leave the second partition unformatted. You can install Windows 7 first or last...shouldn't matter and I can't recall what I did, but I think I had Windows on there first. If you know your computer can boot from USB/SD Card in the BIOS:

    Install Ubuntu from the Alternate Install Disk, using the dmcrypt/LUKS LVM tutorial.

    When you get to the part about /boot, specify your USB/SD Card.

    This will allow Windows to boot up by just powering on.

    When you want encrypted Ubuntu, insert your USB/SD Card and hit the BIOS key for booting from an external device.

    Boot that, and you will get the LUKS passphrase entry screen and then Ubuntu will boot.

    This also has the advantage that no one can mess with your boot loader/kernel (Evil Maid) and is kind of a 2 Factor Auth.

    The only caveat is to have /boot mounted when you do any updates (which is the default unless you unmount and remove for security after booting), in case Ubuntu wants to upgrade the kernel.

    You can make copies of /boot by doing a DD to another device and then running updategrub.

    PD
     
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    Cool :) I'd forgotten that your approach includes dual boot with Windows 7.

    What's the risk of Windows messing with the encrypted LVM partition?
     
  10. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    No idea! :D I just thought I should learn some 'nix and used it for about 6 months...didn't notice any problems. I don't use it anymore, because LUKS is like a big red beacon with it's header :D Went back to TC.

    PD
     
  11. sthmptn

    sthmptn Registered Member

    Joined:
    Jul 20, 2009
    Posts:
    31
    Hi Pauly

    Re: the visible LUKS header, are you just referring to the "plausible deniability" aspect, i.e. someone knowing you have an encrypted partition, and not that the system is in any other way less secure?

    I use LUKS so am interested in your views - not here to argue the point...

    Thanks
     
  12. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Yes, just PD, not any other weakness.

    PD
     
  13. x942

    x942 Guest

    A couple nice things I have found over the years with LUKS.

    This script (http://community.linuxmint.com/tutorial/view/344) works on any Ubuntu based distro I have tried and is far easier than the Alternative disk (and faster). It works on 12.04 and Linux Mint 12 but I can't get it to work on Linux Mint 13 (the installer crashes).


    The other nice thing I found was that since LUKS headers store the encrypted encryption key to decrypt the HDD if you need to ever wipe the HDD in a hurry you can perform a

    Code:
    head -c 1052672 /dev/urandom > /dev/sdb1; sync &&  head -c 1052672 /dev/urandom > /dev/sdb2; sync
    I put this in a script and bind it to a hotkey. It wipes out the first 10MB of the disk (LUKS header + a little extra to be safe) with random data. Without that header the is NO WAY to recover your data even with your password (the key is gone for good). On my test machine it wipes it in about 90-120 seconds. Which is more than fast enough to nuke your data compared to wiping the whole drive.

    I also put both the /boot partition (/dev/sdb1) and the / partition (/dev/sdb2) in my script.
     
  14. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    This -http://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions- is a great FAQ!

    Notwithstanding arguments against plausible deniability, I wonder whether one could use partial LUKS header wiping plus cryptsetup luksHeaderBackup and luksHeaderRestore (see section 6.2 of the FAQ). You could keep the backup in a small dm-crypt encrypted loop file system on the same USB/SD card with your /boot. Maybe I'll try it.
     
  15. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    It's quite simple.

    First backup the LUKS header:

    Code:
    cryptsetup -v luksHeaderBackup --header-backup-file=/boot/LUKS-header /dev/sdb1
    If the command was successful, wipe the LUKS header:

    Code:
    head -c 1052672 /dev/urandom > /dev/sdb1; sync
    Reboot. LUKS will be hosed. Hit ESC and wait for the (initramfs) prompt.

    Mount /boot:

    Code:
    mkdir /tmp/boot
    mount /dev/sda1 /tmp/boot
    Restore the LUKS header:

    Code:
    cryptsetup -v luksHeaderRestore --header-backup-file=/tmp/boot/LUKS-header /dev/sdb1
    You'll get a warning:

    Code:
    WARNING!
    ========
    Device /dev/sdb1 does not contain LUKS header. Replacing header can destroy data on that device.
    
    Are you sure? (Type uppercase yes):
    
    If the command was successful, reboot. All will be fine again :)

    If /boot is on a USB drive or SD card, there should be no evidence of a LUKS partition on the machine after wiping the LUKS header.

    What am I missing? It can't be that simple!
     
  16. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Nice work my friend.

    PD
     
Loading...
Thread Status:
Not open for further replies.