This document belongs to Manual Full System Encryption (with Extras): Detailed Process.

1. Get ready (for the newbie)

You have started the computer using your Live DVD or Live USB.

  1. Learn how to open the Dash.
     • Either press the Super key on your keyboard (on most keyboards, this is known as the Windows key), or press the Ubuntu dash icon at the top-left of your screen.
     • Type the name of the program that you want to open.
  2. Learn how to start GParted.
     • Open the Dash.
     • Type the word gparted.
     • Select the "GParted" icon.
  3. You should already know how to open the Terminal.
     • Either press Ctrl+Alt+T, or open the Dash, type terminal, and select the Terminal icon.

2. Set up the drive

If you are installing onto a system that already has a drive, or drives, with something on them (e.g. Windows), skip this step and continue with Set up the ESP below.

However, if you are installing a system from scratch on a new, empty drive, it will need to have a partition table.

In our example, there are two drives: /dev/sda, which isn't empty (it contains Windows), and /dev/sdb, which is empty and which will contain the data. You can see from the following screenshot of GParted that the drive /dev/sdb is empty.

gparted-sdb-before.png

Beware

This step will erase all data from the entire drive!

Do it only if the drive is already completely empty.

  1. In gparted, ensure that the correct drive is selected at the top right. The default is /dev/sda, so change it if wrong. In the example, it is /dev/sdb.

  2. Check that the drive is empty, as per the image above.
  3. Select the menu item Device > Create Partition Table…

  4. In the drop-down menu, select gpt. Press Apply.

3. Set up the ESP

ESP: EFI System Partition. A special partition required for a computer with UEFI to be able to boot.

This step is only if your computer doesn't already have an ESP. If your computer already has an ESP, skip this step and proceed with Create the system partition below.

  1. In gparted, at the top right-hand corner, select the drive where the ESP is to go.

  2. Visually locate the empty space where the ESP is to go.
  3. Select that space, and right-click > New.

  4. Set the following fields:
     • Free space preceding: change only if required (it might not accept zero)
     • New Size: the required ESP size (recommended 550MiB, but as little as 100MiB works on most hardware)
     • Free space following: (will be calculated automatically)
     • Align to: MiB
     • Partition Name: EFI System Partition
     • File System: fat32
     • Label: ESP

  5. Press Add, and then the big green tick and "Apply".

  6. Right-click your new partition (with the name "EFI System Partition") and select "Manage Flags".
  7. Select "esp", which will automatically change a couple of other flags. Press Close.

Done right, you might see something like this screenshot, although of course your setup might be quite different.

gparted-ESP-created.png

4. Create the system partition

As described previously, you should have cleared a space for the system partition. This must be large enough to take Boot, Root and swap; and if you want it to also hold your data, large enough to hold your data as well.

Our example (as seen in a previous page) has spare space on /dev/sda. You will find your specific space, wherever it is, and add the system partition there.

  1. In gparted, at the top right-hand corner, select the drive where the system partition is to go.

  2. Visually locate the empty space where the system partition is to go.
  3. Select that space, and right-click > New.

  4. Set the following fields:
     • Free space preceding: change only if required (it might not accept zero)
     • New Size: the size that you require; the default is the entire available (spare) space
     • Free space following: (will be calculated automatically)
     • Align to: MiB
     • Partition Name: system
     • File System: cleared
     • Label: system

  5. Press Add, and then the big green tick and "Apply".

Done right, you might see something like this screenshot (where /dev/sda5 is the new partition), although of course your setup might be quite different.

gparted-system-partition-created.png

5. Create the data partition

If you have chosen to hold your data in the same partition as the system partition, skip this step and head on to Data fill below.

If you have chosen to hold your data in a separate partition, create it now.

Our example (as seen in Set up the drive above) will use all the spare space on /dev/sdb. You will find your specific space, wherever it is, and add the data partition there.

  1. In gparted, at the top right-hand corner, select the drive where the data partition is to go.

  2. Visually locate the empty space where the data partition is to go.
  3. Select that space, and right-click > New.

  4. Set the following fields:
     • Free space preceding: change only if required (it might not accept zero)
     • New Size: the size that you require; the default is the entire available (spare) space
     • Free space following: (will be calculated automatically)
     • Align to: MiB
     • Partition Name: data
     • File System: cleared
     • Label: data

  5. Press Add, and then the big green tick and "Apply".

6. Data fill for paranoid mode

Close gparted, because it has done its job and cannot correctly handle encryption.

This section is only for the paranoid. Skip to Encrypt if you don't need this.


This fills the partition with random data.[1][2]

Warnings

  • Ensure that you choose the correct partition, otherwise you will destroy existing data.
  • If your partition is on an SSD (rather than a hard drive), it can be heavy work for the SSD and might not completely fill it with random data, especially if there is already an existing system (such as Windows).
  • This potentially takes a long, long time to run, depending on the size of your partition and the speed of your hardware.

Open the terminal.

Reminder: While in the terminal, replace /dev/sdA5 and /dev/sdB1 with the correct letter and digit (as described in the naming conventions).

Enter the following command to randomise your system partition.

sudo dd bs=16M if=/dev/urandom of=/dev/sdA5

If you also have a separate data partition:

sudo dd bs=16M if=/dev/urandom of=/dev/sdB1
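The warning above is that the wrong target destroys existing data. The following script, an added example that is not part of the wiki page, wraps the page's dd command in a check that refuses a whole disk (/dev/sdb rather than /dev/sdb1) and refuses anything currently mounted or active as swap, and adds dd's status=progress option so a long run shows how far it has got. The /dev/sdXN naming convention is assumed from the page; the script and its function names are mine.

```shell
#!/bin/sh
# Added example (not from the wiki page): refuse to randomise anything that is
# not an unmounted partition, then run the page's dd command with progress output.
# Assumption (mine): device names follow the page's /dev/sdXN convention.

# Exit 0 if $1 looks like a partition and is not in use, 1 otherwise.
check_target() {
    dev=$1
    # Must be a partition (/dev/sdb1), not a whole disk (/dev/sdb): writing
    # random data over a whole disk also wipes its partition table.
    case $dev in
        /dev/sd[a-z]*[0-9]) ;;
        *) echo "refusing: $dev is not a /dev/sdXN partition" >&2; return 1 ;;
    esac
    # Must not be mounted or in use as swap (for example by the live session).
    # grep -s keeps quiet if /proc/swaps does not exist.
    if grep -qs "^$dev " /proc/mounts /proc/swaps; then
        echo "refusing: $dev is mounted or active swap" >&2
        return 1
    fi
    return 0
}

# Fill the partition with random data exactly as the page does, with a
# progress line so that a run of many hours is visible.
randomise_partition() {
    check_target "$1" || return 1
    sudo dd bs=16M if=/dev/urandom of="$1" status=progress
}

# Usage: RANDOMISE_TARGET=/dev/sdA5 sh randomise.sh
if [ -n "${RANDOMISE_TARGET-}" ]; then
    randomise_partition "$RANDOMISE_TARGET"
fi
```

Before running it, confirm the partition names with lsblk -o NAME,SIZE,PARTLABEL,LABEL,MOUNTPOINT, which shows the "system" and "data" labels set in gparted next to each device name.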

7. Encrypt

Close gparted (if open), because it has done its job and cannot correctly handle encryption.

At this point, the physical disk is fully set up and ready for encryption.

Ensure that you know the correct partition names for your system. In our example, they are:

  • /dev/sda2: ESP
  • /dev/sda5: System partition. This will take the system passphrase.
  • /dev/sdb1: Data partition. This will take the data passphrase, if present.

You might not have a separate data partition, in which case ignore it. The other partitions don't matter (at least for now). Write down your partitions so that you have them at hand and don't get confused later.

Open the terminal.

Reminder: While in the terminal, replace /dev/sdA5 and /dev/sdB1 with the correct letter and digit (as described in the naming conventions).

7.1. Encrypt your system partition

Type the following command to encrypt your system partition.

sudo cryptsetup luksFormat --hash=sha512 --key-size=512 /dev/sdA5

This will prompt you to:

  • Type YES in uppercase

  • Enter your system passphrase. Take care to enter the correct passphrase at this point. Notice that nothing displays while you type the passphrase. If you think that you have made a mistake, press the Backspace key to rub it out and try again.

  • Enter your system passphrase again, to check that you have typed it correctly.

7.1.1. Multiple users

  • If you need more than one encryption passphrase for your system, repeat this step once for each user, each time with his own passphrase. (You can do this after the system has been installed; it doesn't have to be done now.)
  • You can have up to six extra users; that is, a total of seven users including you. (At this point, the system will allow you to add up to eight users, but you must leave one free, because it is used later in these instructions.)
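The limit above (seven passphrases, one of the eight LUKS key slots left free) can be enforced before adding a passphrase. The script below is an added example, not from the wiki page. It assumes, as my own reading of "repeat this step", that an extra passphrase is added with cryptsetup luksAddKey (running luksFormat again would replace the header and every passphrase in it), and it assumes a LUKS1 header, whose cryptsetup luksDump output lists one "Key Slot N: ENABLED" or "DISABLED" line per slot (LUKS2 prints a different layout). The sample luksDump text is constructed; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the wiki page): guard the "multiple users" step.
# Assumptions (mine, not the page's): the extra passphrase is added with
# "cryptsetup luksAddKey", and the header is LUKS1, whose luksDump output
# lists "Key Slot N: ENABLED|DISABLED" lines (LUKS2 prints a different layout).

MAX_USERS=7      # the page's limit: 8 slots exist, one must stay free

# Count enabled key slots in luksDump output read from stdin.
# "|| true" keeps the count at 0 (grep -c prints 0 but exits 1) instead of failing.
count_enabled_slots() {
    grep -c '^Key Slot [0-7]: ENABLED' || true
}

# Exit 0 if another passphrase may be added, 1 otherwise.
# $1 = number of slots already in use.
can_add_passphrase() {
    [ "$1" -lt "$MAX_USERS" ]
}

# Constructed sample of LUKS1 luksDump output, trimmed to the relevant lines:
# three passphrases in use, five slots free.
SAMPLE_DUMP='LUKS header information for /dev/sdb1

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha512
MK bits:        512
Key Slot 0: ENABLED
        Iterations:             1234567
Key Slot 1: ENABLED
Key Slot 2: ENABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# Add a passphrase for one more user to a real device, e.g. add_user /dev/sdA5.
# Uses luksAddKey (assumed), never luksFormat, which would wipe the header.
add_user() {
    dev=$1
    used=$(sudo cryptsetup luksDump "$dev" | count_enabled_slots)
    if can_add_passphrase "$used"; then
        sudo cryptsetup luksAddKey "$dev"
    else
        echo "$dev already has $used passphrases; one slot must stay free" >&2
        return 1
    fi
}
```

luksAddKey prompts first for an existing passphrase and then, twice, for the new one, so each extra user can be added while the original owner is present, as the page says, either now or after installation.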

7.2. Encrypt your data partition

This is only if you have a separate data partition, otherwise skip ahead to Unlock your partition below.

Type the following command to encrypt your data partition.

sudo cryptsetup luksFormat --hash=sha512 --key-size=512 /dev/sdB1

This will prompt you to:

  • Type YES in uppercase

  • Enter your data passphrase.
  • Enter your data passphrase again.

7.3. Unlock your partition

Enter the following command to unlock your system partition. It will prompt for your system passphrase.

sudo cryptsetup luksOpen /dev/sdA5 system

Only if you have a separate data partition, enter the following command to unlock your data partition. It will prompt for your data passphrase.

sudo cryptsetup luksOpen /dev/sdB1 data

8. In summary

At this point, your physical space is set up. LUKS has encrypted and unlocked the system partition and, if you have one, your data partition.

Return to the detailed process and continue from there.


  1. For the pedantic: Random data is obtained from /dev/urandom. Some people say that this is unreliable and that /dev/random is better because of entropy. This is incorrect for two reasons. (1) /dev/urandom is unpredictable, which is all that matters for this purpose. (2) If you use /dev/random, it will quickly run out of characters and take potentially years to refill for the volume of data required.

  2. Again for the pedantic: Some people claim that it would be quicker to use /dev/zero and use LUKS to encrypt the partition. I find that unlikely, because LUKS needs to take the zeroes and encrypt them according to a complex algorithm, whereas /dev/random generates large volumes of random data with a simple algorithm. My tests have been inconclusive, probably because the bottleneck is the speed of writing to disk, not the CPU calculations.

ManualFullSystemEncryption/DetailedProcessPartitionFormatEncrypt (last edited 2017-04-11 12:30:04 by paddy-landau)