This document belongs to Manual Full System Encryption (with Extras): Detailed Process.
1. Get ready (for the newbie)
You have started the computer using your Live DVD or Live USB.
- Learn how to open the menu for your chosen distribution. For Ubuntu, you press the "Super" key (on most keyboards, this is known as the Windows key), and then start typing what you want.
- Learn how to start GPartEd.
  - In Ubuntu and Kubuntu, press the Super key, type the word gparted and select its icon.
  - In other distributions, you'll find GPartEd in the menu under System Tools.
- You should already know how to open the Terminal.
  - Press Ctrl+Alt+T.
  - In Mint, this doesn't work, so find it in the menu > Accessories.
2. Set up the drive
If you are installing onto a system that already has a drive, or drives, with something on them (e.g. Windows), skip this step and continue with Set up the ESP below.
However, if you are installing a system from scratch on a new, empty drive, it will need to have a partition table.
In our example, there are two drives: /dev/sda, which isn't empty (it contains Windows), and /dev/sdb, which is empty and which will contain the data. You can see from the following screenshot of GParted that the drive /dev/sdb is empty.
Your system might have a different naming convention such as /dev/nvme0n1.
Beware
This step will erase all data from the entire drive!
Do it only if the drive is already completely empty.
- In gparted, ensure that the correct drive is selected at the top right. The default is /dev/sda, so change it if wrong. In the example, it is /dev/sdb.
- Check that the drive is empty, as per the image above.
- Select the menu item Device > Create Partition Table…
- In the drop-down menu, select gpt. Press Apply.
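Because "Create Partition Table" silently destroys whatever is on the drive, it is worth having a machine check that the target really is blank before pressing Apply, rather than relying only on what GParted draws. The following script is an added example and is not part of the original guide: it reads the first and last MiB of a device and refuses if it finds an MBR, GPT, ext, NTFS or LUKS signature, or any non-zero byte. The device path is an assumption (substitute your own, e.g. /dev/sdb); reading a real block device requires root, so the constructed images in demo() let it be tried on a plain file first.

```python
"""Pre-flight check for "Create Partition Table": refuse a target that is not blank.

Added example, not part of the original guide. It reads the first and last MiB
of a block device (or a disk-image file, for testing) and looks for the on-disk
magics of an MBR, a GPT header, an ext2/3/4 superblock, NTFS and LUKS, then
checks that both windows are all zeros. Device paths are assumptions: pass your
own (e.g. /dev/sdb); reading a real device needs root.
"""
import os
import sys
import tempfile

WINDOW = 1024 * 1024  # bytes inspected at each end of the device

# (description, byte offset from start of device, magic bytes)
SIGNATURES = [
    ("MBR boot signature", 510, b"\x55\xAA"),
    ("GPT header, 512-byte sectors", 512, b"EFI PART"),
    ("GPT header, 4096-byte sectors", 4096, b"EFI PART"),
    ("NTFS boot sector", 3, b"NTFS    "),
    ("ext2/3/4 superblock", 1080, b"\x53\xEF"),
    ("LUKS header", 0, b"LUKS\xba\xbe"),
]


def find_signatures(data: bytes) -> list:
    """Return a description of every known signature present in the head window."""
    return [f"{name} at byte {off}" for name, off, magic in SIGNATURES
            if data[off:off + len(magic)] == magic]


def inspect_device(path: str, window: int = WINDOW) -> dict:
    """Collect evidence that the device already holds something."""
    with open(path, "rb") as f:
        head = f.read(window)
        f.seek(0, os.SEEK_END)
        size = f.tell()
        f.seek(max(0, size - window))
        tail = f.read(window)
    hits = find_signatures(head)
    # GPT keeps a backup header in the very last sector of the disk.
    if len(tail) >= 512 and tail[-512:-504] == b"EFI PART":
        hits.append(f"backup GPT header at byte {size - 512}")
    return {
        "size": size,
        "signatures": hits,
        "head_blank": not any(head),
        "tail_blank": not any(tail),
    }


def verdict(report: dict) -> bool:
    """True only if no signature was found and both windows are all zeros."""
    return not report["signatures"] and report["head_blank"] and report["tail_blank"]


def is_safe_to_partition(path: str) -> bool:
    return verdict(inspect_device(path))


def build_sample_image(path: str, kind: str, size: int = 4 * 1024 * 1024) -> None:
    """Write a constructed image: 'blank' (all zeros) or 'gpt' (a used disk with a
    protective-MBR signature, primary GPT magic at LBA 1 and the backup in the last sector)."""
    with open(path, "wb") as f:
        f.truncate(size)  # sparse file, reads back as zeros
        if kind == "gpt":
            for off, magic in ((510, b"\x55\xAA"), (512, b"EFI PART"), (size - 512, b"EFI PART")):
                f.seek(off)
                f.write(magic)


def demo() -> dict:
    """Run the check over the two constructed images; returns {kind: safe?}."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for kind in ("blank", "gpt"):
            img = os.path.join(d, kind + ".img")
            build_sample_image(img, kind)
            results[kind] = is_safe_to_partition(img)
    return results


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: check_blank.py /dev/DEVICE", file=sys.stderr)
        sys.exit(2)
    report = inspect_device(sys.argv[1])
    for line in report["signatures"]:
        print("found:", line)
    safe = verdict(report)
    print("safe to create a partition table" if safe else "NOT blank; do not continue")
    sys.exit(0 if safe else 1)
```

A non-zero exit status means the drive is not blank. Note that this only looks at the two ends of the device; a drive that was wiped at the start but still carries a filesystem in the middle would pass, which is why the check supplements, rather than replaces, confirming the device name in GParted.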
3. Set up the ESP
- ESP: EFI System Partition. A special partition required for a computer with UEFI to be able to boot.
This step is only if your computer doesn't already have an ESP. If your computer already has an ESP, skip this step and proceed with Create the system partition below.
- In gparted, at the top right-hand corner, select the drive where the ESP is to go.
- Visually locate the empty space where the ESP is to go.
- Select that space, and right-click > New.
- Set the following fields:
  - Free space preceding: change only if required (it might not accept zero)
  - New Size: the required ESP size (recommended 550MiB, but as little as 100MiB works on most hardware)
  - Free space following: (will be calculated automatically)
  - Align to: MiB
  - Partition Name: EFI System Partition
  - File System: fat32
  - Label: ESP
- Press Add, and then the big green tick and "Apply".
- Right-click your new partition (with the name "EFI System Partition") and select "Manage Flags".
- Select "esp", which will automatically change a couple of other flags. Press Close.
Done right, you might see something like this screenshot, although of course your setup might be quite different.
4. Create the system partition
As described previously, you should have cleared a space for the system partition. This must be large enough to take Boot, Root and swap; and if you want it to also hold your data, large enough to hold your data as well. If you will never use hibernation, you won't need swap, as it's now handled with a swap file.
Our example (as seen in a previous page) has spare space on /dev/sda. You will find your specific space, wherever it is, and add the system partition there.
- In gparted, at the top right-hand corner, select the drive where the system partition is to go.
- Visually locate the empty space where the system partition is to go.
- Select that space, and right-click > New.
- Set the following fields:
  - Free space preceding: change only if required (it might not accept zero)
  - New Size: the size that you require; the default is the entire available (spare) space
  - Free space following: (will be calculated automatically)
  - Align to: MiB
  - Partition Name: system
  - File System: cleared
  - Label: system
- Press Add, and then the big green tick and "Apply".
Done right, you might see something like this screenshot (where /dev/sda5 is the new partition), although of course your setup might be quite different.
5. Create the data partition
If you have chosen to hold your data in the same partition as the system partition, skip this step and head on to Data fill below.
If you have chosen to hold your data in a separate partition, create it now.
Our example (as seen in Set up the drive above) will use all the spare space on /dev/sdb. You will find your specific space, wherever it is, and add the data partition there.
- In gparted, at the top right-hand corner, select the drive where the data partition is to go.
- Visually locate the empty space where the data partition is to go.
- Select that space, and right-click > New.
- Set the following fields:
  - Free space preceding: change only if required (it might not accept zero)
  - New Size: the size that you require; the default is the entire available (spare) space
  - Free space following: (will be calculated automatically)
  - Align to: MiB
  - Partition Name: data
  - File System: cleared
  - Label: data
- Press Add, and then the big green tick and "Apply".
Close gparted now, because it has done its job and cannot correctly handle encryption.
6. Data fill for paranoid mode
This section is only for the paranoid. Skip to Summary if you don't need this.
This fills the partition with random data.[1][2]
Warnings
- Ensure that you choose the correct partition, otherwise you will destroy existing data.
- If your partition is on an SSD (rather than a hard drive), it can be heavy work for the SSD and might not completely fill it with random data, especially if there is already an existing system (such as Windows).
- This potentially takes a long, long time to run, depending on the size of your partition and the speed of your hardware.
Open the terminal.
Enter the following command to randomise your system partition.
Special note: I don't know which partition you have chosen for your system, so I've put /dev/PARTITION. Replace that with the actual partition, e.g. /dev/sda5 (as in our example), or /dev/nvme0n1p5, or whatever yours is.
sudo dd bs=16M if=/dev/urandom of=/dev/PARTITION
If you also have a separate data partition, repeat the command but this time with your data partition (in our example, it's /dev/sdb1).
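The SSD warning above says the fill "might not completely fill it with random data", and a dd run that is interrupted leaves the tail of the partition untouched, so it is useful to verify the result rather than assume it. The script below is an added example, not part of the original guide: it samples 64 KiB reads at evenly spaced offsets across the device and computes the Shannon entropy of each sample. Fresh /dev/urandom output scores about 7.99 bits per byte, zeroed regions score 0, and leftover filesystem content usually lands in between. The partition path is an assumption (use your own /dev/PARTITION, e.g. /dev/sda5 in the guide's example); reading a real device requires root, and demo() exercises the check on constructed image files.

```python
"""Spot-check that a partition really was overwritten with random data.

Added example, not part of the original guide. After the dd fill it samples
64 KiB reads at evenly spaced offsets across the device and computes each
sample's Shannon entropy in bits per byte. Fresh /dev/urandom output scores
about 7.99; an untouched zeroed region scores 0; leftover filesystem content
usually lands in between. Paths are assumptions: run as root against your own
/dev/PARTITION (e.g. /dev/sda5 in the guide's example).
"""
import math
import os
import sys
import tempfile
from collections import Counter

CHUNK = 64 * 1024
THRESHOLD = 7.9  # bits/byte; a 64 KiB chunk of genuine random data is reliably above this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sample_offsets(size: int, samples: int, chunk: int = CHUNK) -> list:
    """Evenly spaced read offsets that always include the start and the end."""
    if size <= chunk or samples <= 1:
        return [0]
    step = (size - chunk) // (samples - 1)
    return [i * step for i in range(samples)]


def scan(path: str, samples: int = 16, chunk: int = CHUNK) -> list:
    """Return [(offset, entropy), ...] for each sampled chunk of the device."""
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)
        size = f.tell()
        out = []
        for off in sample_offsets(size, samples, chunk):
            f.seek(off)
            out.append((off, shannon_entropy(f.read(chunk))))
    return out


def looks_random(path: str, samples: int = 16, threshold: float = THRESHOLD) -> bool:
    """True only if every sampled chunk clears the entropy threshold."""
    return all(e >= threshold for _, e in scan(path, samples))


def build_sample_image(path: str, kind: str, size: int = 4 * 1024 * 1024) -> None:
    """Constructed images: 'random' (all os.urandom), 'zeros', or 'partial'
    (first half random, second half zeros: the incomplete-fill case from the SSD warning)."""
    with open(path, "wb") as f:
        if kind == "zeros":
            f.truncate(size)
            return
        random_len = size if kind == "random" else size // 2
        f.write(os.urandom(random_len))
        f.truncate(size)  # pads the 'partial' image out with zeros


def demo() -> dict:
    """Check the three constructed images; returns {kind: looks_random?}."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for kind in ("random", "zeros", "partial"):
            img = os.path.join(d, kind + ".img")
            build_sample_image(img, kind)
            results[kind] = looks_random(img)
    return results


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: check_fill.py /dev/PARTITION", file=sys.stderr)
        sys.exit(2)
    for off, ent in scan(sys.argv[1]):
        print(f"offset {off:>14}: {ent:.3f} bits/byte")
    ok = looks_random(sys.argv[1])
    print("fill looks complete" if ok else "low-entropy regions found; fill may be incomplete")
    sys.exit(0 if ok else 1)
```

Sixteen samples are a spot check, not proof; raise the sample count if the run finished faster than expected or was interrupted. Entropy also cannot distinguish random bytes from already-encrypted data, so a partition that previously held a LUKS volume will score high whether or not the fill ran.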
7. Summary
Close gparted (if open), because it has done its job and cannot correctly handle encryption.
At this point, the physical disk is fully set up and ready for the next step.
Return to the detailed process and continue from there.
[1] For the pedantic: Random data is obtained from /dev/urandom. Some people say that this is unreliable and that /dev/random is better because of entropy. This is incorrect for two reasons. (1) /dev/urandom is unpredictable, which is all that matters for this purpose. (2) If you use /dev/random, it will quickly run out of characters and take potentially years to refill for the volume of data required.
[2] Again for the pedantic: Some people claim that it would be quicker to use /dev/zero and use LUKS to encrypt the partition. I find that unlikely, because LUKS needs to take the zeroes and encrypt them according to a complex algorithm, whereas /dev/random generates large volumes of random data with a simple algorithm. My tests have been inconclusive, probably because the bottleneck is the speed of writing to disk, not the CPU calculations.