This document belongs to Manual Full System Encryption (with Extras).

1. Default Ubuntu Installer

1.1. The options

The Ubuntu Installer provides two encryption options upon installation.

Encrypted home folder

Full-disk encryption

You can use both encrypted home folder and full-disk encryption, and in certain cases it is recommended to do so (even though it involves some redundancy).

1.2. The problems

Unfortunately, both of these options have important faults.

Encrypted home folder

These problems are solved by using full-disk encryption.

Full-disk encryption

2. This manual full-system encryption

2.1. Benefits

2.2. Downsides

There are, unfortunately, some problems with this manual method.

2.3. Retrofitting encryption onto an existing system

Although you can retrofit encryption onto an already-installed system, it is a lengthy operation and would likely be useful only for critical missions where the current system should not be tampered with — a catch-22 situation. Therefore, these instructions do not cover retrofitting.

3. Why encrypt?

3.1. What encryption protects

3.2. What encryption doesn't protect

4. Dual-booting

5. Sharing your computer

As mentioned in Caveats, anyone who is permitted to use Ubuntu must have a system passphrase (up to seven people can have their own passphrase). Obviously, this is up to you to manage, because encryption is useless against someone who knows the system passphrase — even if that person is not an Administrator.

That is why, where it is available, you should use encrypted home folders to protect each user's data from the other users (unfortunately, in 18.04 this requires a post-installation workaround), assuming that none of them installs malware!


  1. There are concerns that quantum computing, when it comes of age, will be able to crack current encryption. If this concerns you, you should still look at destroying your drive. These instructions, however, use the strongest encryption available by this method.

  2. The computer encrypts everything with a "private key". Your system passphrase, and your data passphrase if you have one, unlocks this private key, but is not itself stored in RAM.

  3. Windows can in fact be fully encrypted if you run Windows in a virtual machine, whether or not fully within Ubuntu. Licensing is an important consideration if you choose to do this. These instructions do not cover virtualization.

ManualFullSystemEncryption/Background (last edited 2018-08-21 14:19:19 by paddy-landau)