Encrypting Your Disk on Ubuntu
In the realm of digital advancement, the utmost priority lies in safeguarding data security. It is imperative to shield sensitive information by encoding it into encrypted form.
By embracing the practice of encrypting the disk in Ubuntu, one can ensure the preservation of vital data even in the face of storage failure or theft. To fortify the security of Linux devices, there exist various measures that can be undertaken.
Among these, enabling full disk encryption in Ubuntu stands as a formidable defense.
Ubuntu, being a staunch supporter of whole disk encryption, empowers users to encrypt their disks seamlessly, both during the installation process and even after it is completed.
IT professionals and developers need to address the growing threat of cyber attacks.
Default configurations upon installation are inadequate for device security. Using outdated software and leaving Linux systems unpatched significantly increases the risk of a breach. Despite arguments about Linux being the most reliable OS, misconfiguration remains a constant risk.
Prerequisites for Disk Encryption on Ubuntu
A Server running Ubuntu VPS.
A non-root user with
Ubuntu Full Disk Encryption Ideas
Encryption is the act of transforming plain text data into ciphertext, an unintelligible format. Deciphering ciphertext is only possible with the encryption key. Encryption forms the cornerstone of data security. Ubuntu includes pre-installed disk encryption as one of its features.
The process involves applying a unique algorithm to encrypt a single disk partition, multiple partitions, or the entire physical drive. Accessing the drive is impossible without the secret key used for encryption or the correct password.
Full disk encryption (FDE) protects your data privacy by keeping hackers and other bad actors from accessing your hard drive while it’s inactive.
Encrypt disk in Ubuntu becomes a crucial security setup as more workers choose to work remotely, whether permanently or through a hybrid workplace. You never know when an employee’s equipment might be lost, stolen, or attempted to be accessed using a bootable live medium.
Physically hacking Ubuntu Linux is straightforward. Despite users having the option to password-protect the Grub boot menu, a live system like a bootable USB installer can still gain access to the file system.
Transitioning to a more robust defense, password-protecting the entire disk during the Ubuntu installation process might be the most effective measure against physical hacking of your system.
Ubuntu Encryption Features
Encrypting your Ubuntu hard disk boosts security and limits access to the operating system and files to those with the encryption key, safeguarding against monitoring by hackers or governments and protecting your privacy.
How to Encrypt Disk During Installing Ubuntu
Ubuntu provides LUKS-based whole drive encryption throughout the installation process. Almost every Linux distribution supports the LUKS standard disk encryption specification. The entire block device is encrypted. When choosing a partition scheme during the Ubuntu installation, you have the option to encrypt the drive.
Let’s see how to enable full disk encryption while installing Ubuntu:
- Select “Advanced features” from this menu.
- Select the Use LVM with the new Ubuntu installation from the next window. Then, select Encrypt the new Ubuntu installation for security option.
- In the next step, you’ll need to input a security key. The recovery key can be entered manually or is automatically generated by default. If you forget your security key and need to access the encrypted disk, you can use the recovery key.
- The new partition scheme will be shown to you by the Ubuntu installer. As you see below, we chose LVM (Logical Volume Management), hence LVM partitions will be included in the list:
- Restart the computer after completing the remaining installation. You will be asked for the security key on the boot.
How to Encrypt Disk in Ubuntu After Installation
For the second method of disk encryption in Ubuntu. This option is suitable for users who run an existing Ubuntu system and prefer to avoid a reinstall.
The home directory usually contains user-specific sensitive information. The operating system regularly transfers data between RAM and swap space. Exploiting an unencrypted swap space can expose sensitive information. To encrypt the disk after Ubuntu installation, encrypt both the home directory and the swap space.
- First, you need to install the required packages. Run the following command to install the necessary tools and start the encryption:
$ sudo apt install ecryptfs-utils cryptsetup
- Since you need to access another privileged user to encrypt the home directory, you can run the command below and create a temporary user with Sudo Privileges:
$ sudo adduser encrypt-temp
- To assign a sudo privileges to the user, type:
$ sudo usermod -aG sudo encrypt-temp
- Now, prepare to encrypt the home directory. To do this, log out of the current user and log in to the temporary privileged user by executing:
- Use the command below to encrypt the home directory of the created user:
$ sudo ecryptfs-migrate-home -u <username>
How to Get the Passphrase
Optionally, you can document the passphrase by executing:
When prompted for a passphrase, provide the login password. The tool will then display the recovery passphrase.
How to Encrypt the Swap Space
To fortify against potential leaks of private information, it is recommended to encrypt the swap space. However, this action hinders the operating system’s ability to suspend and restart.
Execute the following command to view all available swap spaces.
$ swapon -s
If you opt for the auto partition feature during Ubuntu installation, a dedicated swap partition should exist. Determine the swap space size using the following command.
$ free -h
Then, encrypt the swap space by running the command below:
$ sudo ecryptfs-setup-swap
Delete Unnecessary Items
Upon successfully encrypting the disk, tidy up by executing the following command to remove the temporary user:
$ sudo deluser –remove-home encrypt-temp
To let the encryption tool provide a backup copy of the home directory of the created user, type:
$ ls -lh /home
Also, you can delete the backup by running the following command:
$ sudo rm -r <backup_home_dir>
That’s it! Ubuntu will no longer be accessible without the decryption key upon system boot.
Explore More; A Comprehensive Guide to Setting Up Java on Ubuntu