disk encryption for Ubuntu 20 LTS
Gilles Gravier
ggravier at fsfe.org
Fri May 21 13:19:53 UTC 2021
Hi!
On 21/05/2021 12:39, Liam Proven wrote:
> On Fri, 21 May 2021 at 05:20, Eric Demer via ubuntu-users
> <ubuntu-users at lists.ubuntu.com> wrote:
>> I am now trying to set up encryption for it.
> Suggestions:
>
> [1] Don't. IMHO it's a massive pain in the backside and it reduces
> performance. I am a 30Y Unix veteran and 25Y on Linux. It took me 3
> days to get full-disk encryption working well and I'll never do it
> again.
I configured full disk encryption on my HP EliteBook 830-GS. Runs fine.
I basically enabled it at installation. And it's transparent. I don't
have to worry about this. I also have it enabled on a super old Fujitsu
tablet prototype dated 2011... It's definitely not slow. One old Core i7
in that machine...
Both of these machines are using SSDs... that helps.
> [2] If you are determined not to listen to point #1, then install
> VirtualBox and get thoroughly used to installing Ubuntu on virtual
> machines before you try on a real computer.
Because my work mandates that I use Windows, I have VBox on top of my
encrypted disk on the EliteBook 830-GS. And my work automatically
enabled BitLocker (I have no option to turn it off apart from getting
laid off for violating policies)... So encryption on top of encryption.
It's starting to be a bit slow. But this is mostly because they've enabled
ZScaler, an antivirus, and god knows what other stuff that keeps
scanning every bloody file my machine opens in Windows...
> First, install it with defaults.
> Second, nuke it, reinstall with a separate /home partition. Get used
> to doing this. Install 18.04 and upgrade it to 20.04. Get familiar
> with this stuff. Learn about disk sizes and what you'll need.
> Third, reinstall with LVM and a separate home partition. And again
> with separate /boot, /, /home and swap.
I had done my install with 19.10, upgraded to 20.04, 20.10, and now
21.04. Never a problem. Encrypted disk works like a charm.
> [3] If you *must* use encryption, consider just having /home encrypted
> and leave / and swap unencrypted. This minimizes the performance
> impact, makes installation and troubleshooting easier, and most
> importantly, makes data recovery in the event of a disaster *much*
> easier.
The only time I lost my data is when I messed up with GParted and
deleted the disk partition instead of a USB key partition (of comparable
size, so the mistake was relatively easy). I had backed up my data. I
got the machine (including the VBox Windows VM on top) back up and
running in a total of 3 hours, reinstalling Ubuntu (again full disk
encryption), my backed up data - including the VBox vmdk, and
reinstalling VBox...
> [4] Make very sure you have a *very* good, solid, *TESTED* backup AND
> RECOVERY plan in place. You want to have a minimum of THREE (3)
> offline backups on different media at all times. If you use crypto
> without good backups, you are 100% going to lose all your data at some
> point.
Valid regardless of encryption or not... (as you can see from my example
above, even without encryption I would have had to spend similar time
getting my stuff off the disk once I had deleted and reformatted the main
partition).
> I know a lot of the Linux nerds love encryption, but in my expert
> professional opinion it's a huge waste of time, effort and
> performance.
>
> This is why:
> https://xkcd.com/538/
Depends what your attack profile is... If a laptop is stolen in the
street, that doesn't apply. If it's stolen by law enforcement in a
country with some "no self incrimination law" (US 5th amendment, for
example) it's not a problem either. In France (where I live) law
enforcement can't force me to divulge my encryption keys. Even if they
did... hidden volumes inside encrypted disks make it really hard... Just
saying.
Good encryption, if done well, is REALLY useful.
Gilles