How do I set up Full Disk Encryption on an SSD?
I have a new Lenovo Thinkpad with an Intel SSD. I want to set up full disk encryption with pre-authentication boot. From reading I see there is a Guided Setup with Encryption option on the alternate CD installer. If I select this and follow the prompts, will I be all set? Are there any specific partitions or anything I need to create? Are there any special things I need to do before, during, or after installation because I'm installing on an SSD and not on an HDD?
The Thinkpad came preinstalled with Windows 7. I will be installing Natty Narwhal on the whole disk. I will not be dual-booting.
Solution 1:
There are no special considerations at all for SSD versus spinning HDD.
And if you're comfortable using the Ubuntu Alternate Installer, it's fairly straightforward to set up full disk encryption.
Solution 2:
There are some performance considerations when using full disk encryption on an SSD. Here's an excerpt that explains the underlying issue nicely:
You write in pages (4KB) but you can only erase in blocks (128 pages or 512KB); thus SSDs don't erase data when you delete it, only when they run out of space to write internally. When that time comes, you run into a nasty situation called the read-modify-write. Here, even to just write 4KB, the controller must read an entire block (512KB), update the single page, and write the entire block back out. Instead of writing 4KB, the controller has to actually write 512KB - a much slower operation.
As discussed at great length in this masterpiece on SSD performance, SSD performance drops over time as the disk fills up, as explained above. Typically, when setting up full disk encryption, the entire disk is filled with random data so as to obscure the encrypted data from the free space. This, as I understand it (and I'm certainly no expert), means that using full disk encryption, one immediately goes to the worst case performance of the drive.
So, understand that the performance hit of encryption on an SSD will be far more potent than on a regular spinning drive.
Second, because of the way data is read / written, again as above, the standard methods for securely deleting files (like the shred utility) don't apply to SSDs. If you're using full disk encryption from the beginning, no problem. But if you already have unencrypted data on the drive, you need to be careful to ensure you fully zero the drive first. I'm not sure how that is done, but I think it's discussed in the masterpiece.
Fundamentally, SSDs function in a totally different way to traditional spinning disks. The bulk of encryption software, secure deletion tools, and guidelines assume that disks are made of spinning platters. That doesn't apply to the world of SSDs.
My advice to somebody starting out with full disk encryption on an SSD would be two-fold.
First, either start with a clean drive, or carefully zero it before you begin.
Second, under-partition the drive. So partition 80%, or as little of the drive as you can get away with. The additional free space can help to maintain drive performance. It does depend on the specific drive, so you could research the details for the exact drive you have and so on, but as a general principle, it can dramatically extend the life of the drive.
Thirdly, and I realise I said two-fold, understand that full disk encryption will simply massacre SSD performance. Personally, that's a trade-off I'm willing to make for the security that full disk encryption affords me, but there are alternatives, such as an encrypted home directory in Ubuntu. That type of encryption will likely perform much better on an SSD, although it does have other issues worth considering.
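The effect described in Solution 2 (a drive filled once with random data, then overwritten, with and without under-partitioning) can be reproduced with a small simulation. This is an added example, not part of the original answer: a toy page-mapped flash translation layer with greedy garbage collection, where the function name, the 64-block drive size and the 7% factory spare area are assumptions.

```python
import random

PAGES_PER_BLOCK = 128  # 4 KB pages per 512 KB erase block, as in the excerpt

def write_amplification(logical_fraction, blocks=64, host_writes=50_000, seed=1):
    """Flash pages programmed per 4 KB host write on a drive that was filled once.
    Toy model (assumption): page-mapped FTL, greedy garbage collection, no TRIM."""
    rng = random.Random(seed)
    logical_pages = int(blocks * PAGES_PER_BLOCK * logical_fraction)
    where = {}                             # logical page -> block holding its live copy
    live = [set() for _ in range(blocks)]  # live logical pages in each block
    used = [0] * blocks                    # pages programmed since the last erase
    free = list(range(1, blocks))          # erased blocks; block 0 starts as the open one
    active, programmed = 0, 0

    def program(lpn):
        nonlocal active, programmed
        if used[active] == PAGES_PER_BLOCK:    # open block is full: take an erased one
            active = free.pop()
        if lpn in where:
            live[where[lpn]].discard(lpn)      # old copy turns stale; it is not erased
        where[lpn] = active
        live[active].add(lpn)
        used[active] += 1
        programmed += 1

    def collect():
        # Erase works on whole blocks, so the victim's live pages are copied out first.
        full = [b for b in range(blocks) if b != active and used[b] == PAGES_PER_BLOCK]
        victim = min(full, key=lambda b: len(live[b]))  # greedy: fewest live pages
        for lpn in list(live[victim]):
            program(lpn)
        used[victim] = 0
        free.append(victim)

    def host_write(lpn):
        while len(free) < 2:               # keep one erased block in reserve for copies
            collect()
        program(lpn)
    for lpn in range(logical_pages):       # initial fill, e.g. a random-data wipe
        host_write(lpn)
    programmed = 0                         # measure only the overwrites that follow
    for _ in range(host_writes):
        host_write(rng.randrange(logical_pages))
    return programmed / host_writes

if __name__ == "__main__":  # 0.93 assumes about 7% factory spare area (constructed figure)
    for frac in (0.93, 0.93 * 0.8):        # whole drive partitioned vs. 80% of it
        print(f"{frac:.0%} of flash in use: {write_amplification(frac):.2f} programs per host write")
```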