How to set up disk encryption with Ubuntu?

I'm interested in how you can set up disk encryption for Ubuntu, with as little hassle as possible.


Solution 1:

I just did this last week. It is really easy if you're not dual booting or anything. I went with all default settings, and my hibernate/suspend work properly with my LUKS

If you don't mind reinstalling the OS, then it's super easy from the alternate install CD. You'll have to download the alternate install CD for whatever architecture (i386 or amd64, e.g. 32 bit or 64 bit) you want to install.

BEGIN ASIDE

If you haven't already, make sure you do so because you're about to wipe your hard drive completely. Obviously you will want to back up your home folder and all other important data! And if you want a handy list of programs you had installed, you can run the command

dpkg --get-selections

If you want to output it to a file in your home folder, you can run

dpkg --get-selections > ~/filename

Where filename is the name of your text file. I usually call it "installed packages 20090901" or something like that. Then make sure you include that in your backup. When you restore it'll be easy to reinstall all your previously installed packages, especially if you're not changing versions. Use this command:

sudo dpkg --set-selections < ~/filename && sudo apt-get dselect-upgrade

END ASIDE

Anyway, here's an easy method to get full disk encryption with LUKS using the alternate install CD:

  1. Download the alternate install ISO for your architecture.
  2. Burn the alternate CD and boot from it.
  3. Choose the first menu item, "install Ubuntu" and you will enter the text-based installer. It's not too different from the graphical installer - you will be prompted to give your time zone data, language/keyboard settings, etc.
  4. When it comes to the part where you need to set up your partitions, you can choose the option "use entire disk with encrypted LVM" and then go with a passphrase.
  5. Continue installing, setting user names, hostname, etc.
  6. After you install the system and restart, the boot screen will prompt for a passphrase to decrypt.
  7. Enter the correct passphrase and your system will boot normally with very little performance cost.

I have been intentionally vague with this answer because I think it's very important to understand exactly what you're aiming for, why, and how you're going to accomplish your goal if you're going to be doing full disk encryption. If you need something different (keyfile instead of passphrase, dual boot, customized partitions, etc.), we can discuss that, too.
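A check to run after the first encrypted boot (step 7 above), as an added example that is not part of the original answer: it reads `lsblk` key/value output and reports, for each mounted filesystem, whether it sits on top of a dm-crypt (LUKS) mapping. The sample layout, device names and function names are constructed assumptions.

```shell
#!/bin/sh
# Added example: report which mounted filesystems sit on a dm-crypt (LUKS)
# mapping. Reads `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT` output on stdin.
encryption_report() {
  awk '
    # Extract the value of KEY="value" from the current line.
    function val(key,   s) {
      s = " " $0   # leading space so KNAME does not match inside PKNAME
      if (match(s, " " key "=\"[^\"]*\""))
        return substr(s, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
      return ""
    }
    {
      k = val("KNAME"); parent[k] = val("PKNAME")
      kind[k] = val("TYPE"); mnt[k] = val("MOUNTPOINT")
      order[++n] = k
    }
    END {
      for (i = 1; i <= n; i++) {
        k = order[i]
        if (mnt[k] == "") continue
        enc = "no"
        # Walk up the stack: LV -> crypt mapping -> partition -> disk.
        for (d = k; d != ""; d = parent[d])
          if (kind[d] == "crypt") { enc = "yes"; break }
        print mnt[k], enc
      }
    }'
}

# Constructed sample (device names are assumptions): an encrypted LVM layout
# with a separate /boot partition outside the LUKS container.
sample_lsblk() {
  cat <<'EOF'
KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
KNAME="sda5" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda5" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="[SWAP]"
EOF
}

# On a real system: lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT | encryption_report
sample_lsblk | encryption_report
```

In the assumed layout a `no` next to `/boot` is expected, since the kernel and initramfs have to be readable before the passphrase prompt; a `no` next to `/` or `[SWAP]` means that filesystem is not behind the LUKS container.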

Solution 2:

Ubuntu offers something potentially more convenient than home-partition encryption: per-user home directory encryption. You have the option during a normal install to set up an encrypted home directory for each user, which is decrypted upon login.