Ubuntu Full Disk Encryption

Rationale

You have a notebook. You take it with you on the road. You might lose it, either by leaving it behind or by theft. In such a case, which seems to happen to about 10% of all notebooks, all the data on that notebook will be in the hands of other people, not necessarily ones you'd trust. Login passwords won't help, because the thief can create an image of the disk (and later claim to be a generous finder of your lost property) and mount that image as a second drive on his own machine, where he has root (administrator) privileges. He can read and use every single bit that is not encrypted.

So you want to encrypt your hard disk. For Windows there is TrueCrypt. But you prefer a user-friendly, reliable and free operating system. So you chose Linux. TrueCrypt for Linux does exist, but it is hard to install. Fortunately there is the well-known Ubuntu distribution of Linux. The folks at Ubuntu have added an option to encrypt most of your disk (everything except a small /boot partition) during installation.

Here is how to set that up without getting upset:

Machine Preparation

You will need an entire drive that can be wiped (re-partitioned). For my daily use, I took an 8 GB SD card, inserted into an SD slot of my netbook.

Get the alternate installer ISO image of Ubuntu 9.10, e.g. from http://www.ubuntulinux.org/getubuntu/downloadmirrors#alternate. It's a bit hard to find, but it's the only version that has encryption as a menu item, and that's what this HowTo will show. Other versions may differ significantly, e.g. with Ubuntu 9.04 you had to use the alternate installer. Burn the ISO image to a CD. Insert the CD into the CD or DVD drive. Set up the BIOS of your machine to boot from the CD.

If your netbook doesn't have a CD drive, either borrow a USB CD drive (easiest option) or use another computer to create a bootable USB stick (out of scope of this HowTo).

Basic Install

Power on the target machine. Select the language you want for the installer by using the keyboard arrow keys, e.g. English. Confirm your decision by hitting Enter.

Using the arrow keys on your computer's keyboard, select "Install Ubuntu". If you prefer a keyboard layout other than US-English, hit F3 and select your preference (I did that to get a German keyboard). Hit Enter to start installing.

Select your preferred language (again) by moving the arrow keys up and down, then hit Enter.

Select your continent and your time zone, e.g. other, Europe, Germany. The installer will load a number of components.

Enter the local network host name of the new system.

The next screen is the beginning of the critical phase. You need to be very precise from here.

Select the Partitioning Scheme

[Screenshot: partition disks]

You must select "Guided - use entire disk and set up encrypted LVM". Hit Enter to continue.

Select the disk to be wiped and repartitioned:

[Screenshot: select disk]

Hit Enter to continue.

When asked whether to write the changes, you must actively select "Yes" (the default is "No") and hit Enter:

[Screenshot: write changes: yes]

Enter the passphrase:

[Screenshot: enter passphrase]

Press Tab, then Enter to continue.

You'll be asked to re-enter the passphrase, just in case you mistyped it in the first dialog.

Then it'll ask for the amount of volume group to use for guided partitioning. It is safe to accept the default:

[Screenshot: amount of volume group]

Hit Enter to continue.

Again, you are asked whether to really write the changes to disk:

[Screenshot: write changes]

You must consciously move the red mark to "yes" and then hit Enter.

The partitions will be formatted:

[Screenshot: formatting]

Then the base system is installed. This will take a long while.

Ubuntu Configuration

Then you are asked for the full name, login name and password of the first user.

You do not need to encrypt your home directory, because everything except the small /boot partition is already encrypted.

Then another very large amount of software is installed. On a slow chip, this phase can last several hours.

The installer will ask for a reboot. Please make sure that you'll be booting from the hard disk, not from the CD.

Ready to go

After the reboot, you'll get to the standard graphical login prompt. Select your user name (the only choice is the one you entered during configuration), enter your password and you are in.

It's a good idea to check for software updates: System > Administration > Update Manager
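
To confirm that everything except /boot really ended up encrypted, the following added example (not part of the original HowTo) lists every mounted filesystem or swap area that has no dm-crypt device underneath it. It assumes a system where `lsblk` is available and reads the output of `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT`; the sample layout and device names are constructed for illustration.

```shell
#!/bin/sh
# Added example: list mounted filesystems that do NOT sit on a dm-crypt device.
# Input format: output of  lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT
# Assumes each device has one parent, as in the guided encrypted-LVM layout.

unencrypted_mounts() {
    awk '
    # Return the value of KEY="value" on the current line ("" if absent).
    function field(key,    s) {
        s = " " $0
        if (!match(s, " " key "=\"[^\"]*\"")) return ""
        return substr(s, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
    }
    {
        k = field("KNAME")
        if (!(k in type)) order[++n] = k
        parent[k] = field("PKNAME")
        type[k]   = field("TYPE")
        mnt[k]    = field("MOUNTPOINT")
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]
            if (mnt[k] == "") continue
            enc = 0
            # Walk up the parent chain looking for a crypt mapping.
            for (d = k; d != ""; d = parent[d])
                if (type[d] == "crypt") { enc = 1; break }
            if (!enc) print mnt[k]
        }
    }'
}

# Constructed sample: disk -> /boot partition, plus partition -> crypt -> LVM.
sample_lsblk() {
    cat <<'EOF'
KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
KNAME="sda5" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda5" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="[SWAP]"
EOF
}

# Expected for this layout: only /boot is reported.
sample_lsblk | unencrypted_mounts
```

On the installed machine, replace `sample_lsblk` with the real `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT`; any line other than /boot in the output means data is stored outside the encrypted volume.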