This document belongs to Manual Full System Encryption (with Extras).

1. Definitions

drive

A storage medium that, for the purposes of this document, may be either a hard drive or an SSD. (There are other types of drives, e.g. DVD, pendrive, and virtual cloud drives, but we're not interested in them here.)

hard drive

A spinning disk that holds operating systems, programs, data and so forth.

SSD

A computer chip (solid state drive) that pretends to be a hard drive but is very much faster.

partition

a section of a drive that has been reserved for a specific use.

file system

A structure to store data (files) on a partition.

1.1. It's like this

1.2. Blank space

Imagine that the chest of drawers is missing a drawer. That part is empty and cannot take any files.

On a drive, it is possible to have a blank space that is missing a partition. That can happen when a partition hasn't been created in that space, or when an existing partition is deleted.

Depending on your starting point, part of this process might require you to delete a partition. This will leave a blank space that will be later filled in with a new partition (a new drawer).

1.3. More on file systems

A partition contains either no file system (which makes it useless until you add one), or it contains one file system. A partition cannot contain two or more file systems.

There are many different types of file systems. You might have come across the terms FAT and NTFS. USB sticks often use FAT32; Windows prefers NTFS; Ubuntu prefers ext4. Linux systems support a large range of file systems including those that Windows uses. DVDs, CDs and Blue Ray all have their own file systems, which can differ according to the type of content (e.g. a DVD can contain a program or a video, and they use different file systems).

File systems that we use in this process are as follows.

FAT32

An old system, required by EFI.

ext4

A modern, fast and reliable system preferred by some Linux distributions, including Ubuntu.

swap

A special file system used by hibernation including hybrid suspend. Also used by the operating system when it runs out of RAM (working memory).

Modern systems can also use a "swap file", which is a normal file that pretends to be a swap partition. Swap partitions and swap files are usually considered to be equal in speed and efficiency. Unfortunately, swap files break hibernation with encryption, so these instructions will offer the option of a swap partition.¹ If you don't want hibernation, you don't need a swap partition.

Two additional special file systems, which aren't usually thought of as file systems, add a layer of abstraction to provide extra functionality and flexibility.

LUKS

Used to encrypt the partitions.

LVM

Used for greater flexibility and extra features, allowing virtual partitions inside a real partition. We use LVM to allow a single passphrase instead of multiple ones when powering on your computer; it also hides your partition structure from people with physical access to your computer but not your passphrase or password.

1.3.1. A special note for Windows users

There is an important thing to know about file names in Linux. While file systems that originated in Windows (FAT, NTFS) don't care whether a file name uses uppercase or lowercase letters, the file systems used by Linux do care.

So, in a typical Windows installation, a file called Cats and Dogs.txt is the very same file as cats and dogs.txt and CATS AND DOGS.TXT.

In Linux, however, they would be three different files.

So, whenever you enter file names, partition names and file system names, please ensure that you use the case given by these instructions. If the instructions say to create a file /etc/crypttab, but you create /etc/CryptTab, the changes won't work!

The same generally goes for the contents of those files. E.g., the file /etc/fstab includes a keyword swap, which must be in lowercase. Simply follow the case given in the instructions, and you won't go wrong.

2. For Windows users

If you come from Windows, it is vital to know the difference between a drive and a partition. This is because Windows unhelpfully conflates the two, and calls them by the same name (a "drive").

It is normal for modern Windows computers to have two drives, namely a C: drive and a D: drive. However, what you will most likely find is that there is just one physical hard drive, which is divided into several partitions. A typical layout is:

So, you see, typically, the C: drive and the D: drive are not drives at all, but in fact are two partitions on the same drive. This is not always the case, of course, but every drive must be divided into partitions, or just a single partition. The C: drive is always a partition, not a drive.

If your computer actually comes with two drives (probably an SSD for the first drive, and a hard drive for the second drive), you might find that the setup looks like the following. Notice the only differences are for the Data partition, which is on the second drive on the first (and only) partition, and the Linux name, which is sdb1 instead of sda5.

• First drive

• Second drive

2.1. Linux partition naming

Did you notice how Linux names the partitions?

/dev

/dev lists all devices (hence the name "dev").

/sda1

"sd" stands for "SCSI device", which is a historical term that you needn't worry about. The important parts are the letter 'a' and the digit 1. The first drive that the computer finds is called 'a'; the second drive, 'b'; the third, 'c'; and so on. Each partition is given a number. The first partition on each drive is 1; the second partition, 2; the third, 3; and so on.

Hence the fourth partition on the first drive (C: or "Windows") is called 'a4', thus /dev/sda4.
The first partition on the second drive (D: or "Data") is called 'b1', thus /dev/sdb1.

It is possible for partition numbers to be ordered differently from the physical disk, and even for some to be missing, depending on how they were created, deleted and recreated. So don't be worried if you see a strange numbering order on your physical drive.

Linux doesn't only use /sd… for its naming convention. There are other forms, e.g. /nvme0n1 would be the equivalent of /sda, and /nvme0n1p2 of /sda2. (NVME stands for Non-Volatile Memory Express, but you don't have to know that.) You will have to use whichever form your computer uses, which you will see when you open gparted (as described in the instructions later).

3. Warning about old systems

tl;dr If you're a newbie and you have an old-style system (Windows 7 or earlier), or Windows 7 upgraded to Windows 10, full-system encryption is probably not for you. If your computer came with Windows 10, you probably can use full-system encryption.

MBR

Old systems (typically Windows 7 and earlier) usually — but not always — use an old style of partitioning called MBR. If you need to have more than four partitions, which this process requires if you have Windows, it becomes complicated. This manual full-system encryption process is highly unlikely to work, even with significant modifications, and these instructions don't cover it.

GPT

Computers that come with Windows 8 and later use a new style of partitioning called GPT. These instructions assume that you have GPT; if you have MBR, you need to either know all about MBR partitioning or convert to GPT.

4. Does my drive use MBR or GPT?

4.1. Windows

If your computer came with Windows 8 or later, it has GPT.

Otherwise, read How to Check if a Disk Uses GPT or MBR, and Convert Between the Two.

4.2. Linux

1. Open a terminal (press Ctrl+Alt+T).

2. Enter the command:
   

   • sudo fdisk --list /dev/sda

   You'll be asked to enter your account password. Nothing will be displayed while you type it.

3. In the output, if you see
   

   • Disklabel type: dos
     

   you have the old-style MBR. If you see
   

   • Disklabel type: gpt
     

   you have the new-style GPT.

5. Human-friendly names

The final thing that you need to know about partitions is human-friendly naming. Human-friendly naming helps when dealing with partitions and file systems.

drive

A drive cannot be given a friendly name.

partition

Every partition can be given a friendly name, and this process will instruct you accordingly. The friendly name is helpful when setting up or maintaining the system. This name is important and visible only in setting up and maintaining the system; it won't be used in your day-to-day work. MBR does not support this type of naming.

file system

In addition to a partition having a friendly name, a file system can also have a friendly name. It is helpful in maintenance. This process will instruct you accordingly.

Example: In Windows, if you right-click your C: drive (partition) and select Properties, you can name your C: drive. In fact, this names neither your drive nor the Windows partition, but instead the Windows NTFS file system!

In Windows, file system names are normally unimportant, because your "drives" are called C:, D: and so forth, and you have no choice in that.

But in Linux, you would identify the file system (which is what you really work with) by its friendly name. Some applications (such as Disks on Ubuntu) use the friendly name when mounting (i.e. making it available to you).

You can use a different name for your partition and file system. For example, you might name the C: drive partition "Windows 10" (because that is what it holds), and the C: drive file system "Chris" (because the system belongs to Chris).

• CategoryInstallation CategorySecurity