Full disk encryption for separated hard drives [duplicate]

I have a laptop and wish to do a fresh install with full disk encryption. I would like to have my OS installed on the SSD an,d after installation, move my /home directory to the HDD.

  1. Is it possible to ask the installer to fully encrypt BOTH drives at the time of install?

    • If not, is it possible to manually encrypt the second HDD after a sucessfull install of the OS onto the SSD and then move /home to the second HDD? If so, how do I do that?
  2. Is it possible to use ONE password to decrypt both drives at boot? Would I be correct in assuming that I would have to have LUKS installed on both drives (to handle the encyption) and then stretch (or else link) a LVM across the two drives?

    This is the part that I am the most unsure of/how to do.

Thanks,


Solution 1:

HOWTO Encrypt an Ubuntu 18.04 LTS Installation with TWO Drives: OS on the primary SSD, /home on your secondary HDD

This is a guide to FULL DISK ENCRYPTION of an Ubuntu 18.04 LTS install. Not to be confused with the encryption of just the /home directory, which I believe has been removed as an option during install. These instructions are for Ubuntu 18.04 LTS, but should work with 16.04 LTS.

This guide assumes that you are familiar with Ubuntu (Linux) and can install the OS from a USB key, or at least understand how to do this procedure – if you can’t, find someone who can and the both of you go through it. This guide also assumes that you have backed up ALL your data prior to beginning this procedure as you will destroy all DATA on ALL drives during this procedure.

YOU HAVE BEEN WARNED!

This guide is largely a meld of the two procedures from here (David Yates’ blog post) (https://­davidyat.es/2015/04/03/encrypting-a-second-hard-drive-on-ubuntu-14-10-post-install/) and the Ask Ubuntu post (Move home folder to second drive).

First things first, why do we wish to do this? Because if you own a laptop, or other sensitive data on a computer and it gets stolen or lost, it is necessary to be able to protect the data. You may be legally responsible to have protected the data. Secondly, many (most) systems now come with a small SSD (fast) for the OS and larger HDD (slow) for the data. Thirdly, encrypting just the /home directory is now recognised as a bad idea as it exposes you to the potential of /home being hacked (don't ask me how to do it, I couldn't), AND partial encryption slows down the system to a large degree. FDE requires less overhead and therefore has minimal impact on the performance of the system.

PART I: Install Ubuntu 18.04 LTS on the primary drive (usually the SSD)

Install Ubuntu 18.04 LTS onto your smaller (usually the SSD) and check (i) erase the disk, (ii) encrypt the installation, and (iii) LVM management.

screenshot of install choices

This will result in an encrypted SSD, but will not touch the second (usually HDD) drive. I'm assuming that your second drive is a new, unformatted drive, but it doesn't really matter what's on the drive prior to this procedure. We are going to destroy all the data on this drive. We are going to use a software package from within Ubuntu to prep the drive (not sure whether or not this preparation is strictly necessary, but it's what I've tested). To prepare this for your soon-to-be moved /home partition (folder), you should format it using the GUI tool called gParted.

sudo apt install gparted

Open gParted and navigate to your second HDD (carefully check the /dev/sd?X) and delete any & all existing partitions, then create a new PRIMARY PARTITION using the ext4 file system. You could also label it, but that’s not necessary. Choose "Apply". One gParted is finished, close gParted and now you're ready to install the LUKS container on the second drive and then format it. In the following commands, replace sd?X with the name of your SECONDARY drive (not your primary drive), for example sda1.

sudo cryptsetup -y -v luksFormat /dev/sd?X

Then you’ll need to decrypt the new partition so that you can format it with ext4, the modern Linux file system preferred by Ubuntu.

sudo cryptsetup luksOpen /dev/sd?X sd?X_crypt
sudo mkfs.ext4 /dev/mapper/sd?X_crypt

If you want to use your second HDD as a regular, frequently accessed hard drive (as in moving your /home partition to it, which is the point of Part II), there’s a way to automatically mount and decrypt your second drive on startup, when your computer prompts you for the primary hard drive decryption password. Aside: I use the same passphrase for BOTH my drives, as I'm superstitious and envision more issues with two different passphrases.

First you’ll need to create a keyfile, which acts as a password for your secondary drive, and so that you don’t have to type in every time you start up (like your primary hard drive encryption password).

sudo dd if=/dev/urandom of=/root/.keyfile bs=1024 count=4
sudo chmod 0400 /root/.keyfile
sudo cryptsetup luksAddKey /dev/sd?X /root/.keyfile

Once the keyfile has been created, add the following lines to /etc/crypttab using nano

sudo nano /etc/crypttab

Add this line, save & close the file (/etc/crypttab).

sd?X_crypt UUID=<device UUID> /root/.keyfile luks,discard

To get your parition’s UUID to enter into the /etc/crypttab file, use this command (you need to use sudo it so that all of your partitions show up):

sudo blkid

The value you want is the UUID of /dev/sd?X, not dev/mapper/sd?X_crypt. Also make sure to copy the UUID, not the PARTUUID.

Okay, at this point (closed & saved /etc/crypttab file), you should be able to login to your Ubuntu install (entering your primary drive decryption password) and it should decrypt BOTH your primary and secondary drives. You should check to see if this happens otherwise STOP; and solve the issue(s). If you don't have this working and you've move your /home, you will have a non-working system.

Reboot and check to see if this (daisy-chain decrypt) is in fact is the case. If the secondary drive is automatically decrypted, when you choose “Other Locations” the second drive should show up in the list and have a lock icon on it, but the icon should be unlocked.

If the second drive automatically decrypts (as it should), then move on to Part II, designating the second drive as the the default location of your /home folder (with the larger amount of space).

Part II: Move your /home partition to your secondary drive (i.e. HDD)

We need to make a mount point for the secondary drive, temporarily mount the new partition (secondary HDD) and move /home to it:

sudo mkdir /mnt/tmp
sudo mount /dev/mapper/sd?X_crypt /mnt/tmp

assuming /sd?X is the new partition for /home (as per above)

Now we copy your /home folder to the new /home location from the primary drive (SSD) to the secondary drive (HDD).

sudo rsync -avx /home/ /mnt/tmp

We then may mount the new partition as /home with

sudo mount /dev/mapper/sd?X_crypt /home

to make sure all the folders (data) are present.

ls

Now, we want to make the new /home location on the secondary drive permanent, we need edit the fstab entry to automatically mount your moved /home on the secondary decrypted HDD.

sudo nano /etc/fstab

and add the following line at the end:

/dev/mapper/sd?X_crypt /home ext4 defaults 0 2

Save & close the file.

Reboot. After a reboot, your /home should reside on the new secondary drive and you should have plenty of space for your DATA.