This document belongs to Manual Full System Encryption (with Extras).
1. Default Ubuntu Installer
1.1. The options
The Ubuntu Installer provides two encryption options upon installation.
Encrypted home folder
- Prior to 18.04: Protects your personal data and the swap partition.
- From 18.04: Home folder encryption is broken and is therefore unavailable. (You can manually implement it after installation.)
- Protects everything, except the boot partition.
You can use both encrypted home folder and full-disk encryption, and in certain cases it is recommended to do so (even though it involves some redundancy).
1.2. The problems
Unfortunately, both of these options have important faults.
Encrypted home folder
- Leaves the system open to anyone with physical access to install a keylogger or any other malware, because the operating system is unencrypted.
- Hibernation is disabled.
Data can be exposed by the swap file (used in Ubuntu version 17.04 and later) and /tmp
These problems are solved by using full-disk encryption.
- You cannot dual-boot with another system.
- Your entire disk is wiped. So, if you have Windows, say, "Goodbye, Windows!"
- Boot is unencrypted, leaving an open vector for malware.
- It doesn't support manual partitioning…
- … or hibernation…
- … or hybrid suspend…
- … or dual-booting…
- … or multi-disk installation (e.g. an SSD for the system and a hard drive for Home).
2. This manual full-system encryption
- Full encryption using LUKS…
- … including Boot
- Manual partitioning…
- … with LVM
- Encrypted hibernation
- Hybrid suspend
- Multi-disk installation
There are, unfortunately, some problems with this manual method.
- It is a manual process, albeit that some parts have been automated.. Ideally, the installer would provide this option, but sadly the developers probably lack the time to make it happen.
The installation is a little difficult for newcomers to Ubuntu, so if you're a newcomer, be sure to read the Basics first.
This fully protects your Ubuntu system, but no other system (see Dual-booting).
2.3. Retrofitting encryption onto an existing system
Although you can retrofit encryption onto an already-installed system, it is a lengthy operation and would likely be useful only for critical missions where the current system should not be tampered with — a catch-22 situation. Therefore, these instructions do not cover retrofitting.
3. Why encrypt?
3.1. What encryption protects
- If your computer is powered off, no one can access anything on your computer, nor can they install anything. For example, no one can plant keylogging software. This is important if you hold client information, secret government work, or confidential business plans.
- If your computer is locked and unattended, the only way in is to restart your computer, which will of course leave it fully encrypted. Not even a Live CD can solve this.
When the time comes to say goodbye to your computer because it's too old or has broken, you won't need to worry about securely disposing of your drive. You won't have to shred it, overwrite it, hit it with a hammer, or anything else. Just dispose of the system passphrase, and your data passphrase if you have one. This makes all of the data irretrievable.1
3.2. What encryption doesn't protect
- The NSA sneaking software onto your computer while you are logged in and connected to the Internet.
- A nefarious person planting keylogging hardware into your computer.
Someone beating you over the head until you reveal your password.
- Visiting dodgy sites and installing malware.
Windows or other systems (see Dual-booting).
- The EFI partition. This runs the initial boot sequence. Theoretically at least, the UEFI hardware prevents this from having a knock-on effect to your system, but in practice it can happen.
- This method encrypts everything Ubuntu, including parts of Grub (the boot process) and swap.
It doesn't encrypt Windows or other systems. They remain unencrypted.3
5. Sharing your computer
As mentioned in Caveats, anyone who is permitted to use Ubuntu must have a system passphrase (up to seven people can have their own passphrase). Obviously, this is up to you to manage, because encryption is useless against someone who knows the system passphrase — even if that person is not an Administrator.
That is why you should use encrypted home folders to protect each user's data from each other if it's available (unfortunately this requires a workaround post-installation in 18.04) — assuming that none of them installs malware!
There are concerns that quantum computing, when it comes of age, will be able to crack current encryption. If this concerns you, you should still look at destroying your drive. These instructions, however, use the highest available encryption available by this method. (1)
The computer encrypts everything with a "private key". Your system passphrase, and your data phassphrase if you have one, unlocks this private key, but is not itself stored in RAM. (2)
Windows can in fact be fully encrypted if you run Windows in a virtual machine, whether or not fully within Ubuntu. Licensing is an important consideration if you choose to do this. These instructions do not cover virtualization. (3)