How secure is an encrypted partition?

When installing Ubuntu 16.04 I chose to encrypt the file system, and I'm now prompted for a password before Ubuntu will boot.

I'm wondering how secure that makes my content? Specifically:

  • Is everything on the drive encrypted (including my data)?

  • How strong is this encryption? (I know, it's a question of time and resources and what password I chose, but I mean in a practical sense ... anyone could bulldoze through my front door, but the average thief doesn't have the resources or inclination to ramraid a house). For example, if I send my laptop for repairs, or if my laptop is lost or stolen, do I need to worry about someone with no really pressing reason to try and decrypt it getting easy access? (I know a similar question was asked here, but that was quite a while ago so perhaps things have changed?)

  • Also, does the encryption prevent me from either (a) installing the SSD with the encrypted file system into a different device or (b) making a complete backup of the drive (using a live version of Ubuntu, for example) and at some point restoring that backup?

  • Also, if the entire filesystem is encrypted is there any value in also encrypting my home folder in Ubuntu?


Solution 1:

  • If you chose to encrypt the new system via LUKS, the whole system is encrypted. This includes your system files, home folder (and thus your data), as well as the swap partition. This means that you can use suspend-to-disk (a.k.a. hibernate) and still have all benefits of full disk encryption. As pointed out in the comments, Ubuntu uses suspend-to-RAM by default. For Ubuntu to use suspend-to-disk instead, you have to follow the instructions on help.ubuntu.com which apparently only work for a limited number of machines.
  • 256 bit AES encryption is likely strong enough for the foreseeable future. As was discussed here on Cryptography Stack Exchange, brute forcing AES-256 would cost about 100 tredecillion times the world GDP - the closest thing to impossible you can imagine. Even brute forcing 128 bit AES encryption takes about a thousand times the world's GDP.
  • The LUKS key is not locked by anything but the LUKS header (which is on the HDD/SSD) and your passphrase (which is in your head). This allows you to (a) use it in any other machine, as long as that is also possible with an unencrypted system disk, i.e. for common systems it should work flawlessly. As for (b), yes, you can make whole disk backups with dd, but be aware that these images will not compress to any significant amount. This is due to the nature of encrypted data being indistinguishable from random data without the passphrase.
  • There is only academic benefit to this, i.e. after consuming the first tredecillion world GDPs for breaking your full disk encryption, an attacker would need another tredecillion world GDPs to also get into your encrypted home folder (assuming different passphrases/keys). So it actually strengthens your encryption from 256 bits to 257 bits key length. On a personal note, I even use automatic login on full disk encryption machines, as I consider the disk encryption safe enough to not require the password to be entered again after booting.

Solution 2:

  • Not everything on your drive is encrypted, but your data is.

    The part that is not encrypted is your /boot area, as it is used during startup. Some interesting consequences that flow from that can be found here.

  • You can find out your specific installation's cypher strength by running

    ls /dev/mapper/ |grep crypt
    

    The output will be YOUR_CRYPT

    sudo cryptsetup status YOUR_CRYPT
    

    Example:

    ls /dev/mapper/ |grep crypt
    nvme0n1p4_crypt
    sudo cryptsetup status nvme0n1p4_crypt
    
    /dev/mapper/nvme0n1p4_crypt is active and is in use.   
    type:    LUKS1    
    cipher:  aes-xts-plain64   
    keysize: 512 bits   
    device:  /dev/nvme0n1p4     
    offset:  4096 sectors   
    size:    499410944 sectors   
    mode:   read/write   
    flags:   discards
    

    Your encryption grade will vary based on when you installed Ubuntu and which version you are using, but even an older setup will be fairly strong, and likely hold up against casual cracking. A good discussion on Ubuntu block-level encryption: How secure is Ubuntu's default full-disk encryption?

  • Booting your encrypted drive on different hardware will not be an issue. If you do a bit-for-bit copy of your encrypted drive, you can still boot that as normal, and log into it using your password. The copy operation should be done while "offline" (with the drive unmounted, after a shut down). An on-line data grab is unlikely to work, but I'm not 100% certain.

  • "Home Folder" encryption is based around the "homefolder-in-a-file" idea. If the system were not encrypted and the file system were mounted, the encrypted home directory would be a single large file, encrypted using cryptsetup. As such, encrypting your home folder within an encrypted system would increase the difficulty of obtaining your personal files. There may be a performance trade-off, however. More on encrypted home.
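
Added example (not part of either answer): both answers rely on a LUKS1 volume keeping its cipher settings and key slots in an unencrypted header at the start of the partition, which is why the disk moves between machines and why `cryptsetup status` can report the cipher. This sketch parses that header following the LUKS1 on-disk format; the sample header is constructed to mirror the status output above, and its hash, iteration counts and UUID are made-up values.

```python
import struct

# LUKS1 on-disk header, big-endian, 208 bytes followed by 8 key slots of 48 bytes:
# magic[6] version(u16) cipher-name[32] cipher-mode[32] hash-spec[32]
# payload-offset(u32, sectors) key-bytes(u32) mk-digest[20] mk-salt[32] mk-iter(u32) uuid[40]
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
SLOT = struct.Struct(">II32sII")  # active, iterations, salt, key-material offset, stripes
MAGIC = b"LUKS\xba\xbe"
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD

def cstr(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii")

def parse_luks1_header(buf):
    """Return the metadata readable without the passphrase on a LUKS1 device."""
    if len(buf) < PHDR.size + 8 * SLOT.size:
        raise ValueError("buffer too short for a LUKS1 header")
    (magic, version, cipher, mode, hash_spec, payload_off, key_bytes,
     _digest, _salt, _mk_iter, uuid) = PHDR.unpack_from(buf, 0)
    if magic != MAGIC or version != 1:
        raise ValueError("not a LUKS1 header")
    states = [SLOT.unpack_from(buf, PHDR.size + i * SLOT.size)[0] for i in range(8)]
    key_bits = key_bytes * 8
    # XTS splits the volume key into a data key and a tweak key, so the
    # "keysize: 512 bits" reported for an xts mode means AES-256.
    cipher_bits = key_bits // 2 if cstr(mode).startswith("xts") else key_bits
    return {
        "cipher": f"{cstr(cipher)}-{cstr(mode)}",
        "hash": cstr(hash_spec),
        "key_bits": key_bits,
        "cipher_key_bits": cipher_bits,
        "payload_offset_sectors": payload_off,
        "uuid": cstr(uuid),
        "active_slots": [i for i, s in enumerate(states) if s == SLOT_ENABLED],
    }

def build_sample_header():
    """Constructed header: aes-xts-plain64, 64-byte key, payload at sector 4096."""
    phdr = PHDR.pack(MAGIC, 1, b"aes", b"xts-plain64", b"sha256", 4096, 64,
                     bytes(20), bytes(32), 100000,
                     b"00000000-0000-0000-0000-000000000000")
    slots = b"".join(
        SLOT.pack(SLOT_ENABLED if i == 0 else SLOT_DISABLED, 0, bytes(32), 8 + 512 * i, 4000)
        for i in range(8))
    return phdr + slots

if __name__ == "__main__":
    for field, value in parse_luks1_header(build_sample_header()).items():
        print(f"{field}: {value}")
```

On a real system the same fields are shown by `sudo cryptsetup luksDump` on the underlying partition; because every key slot lives in this header, a damaged header makes the data unrecoverable even with the correct passphrase.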