
Ubuntu Full Disk

Topics: Users Discussion
Jul 5, 2016 at 4:25 PM
Hi there! I was curious if it's possible to full disk encrypt Ubuntu. I know you can do it on Windows and was wanting to use it, but I could not install Windows 10 on a MBR formatted disk. Ubuntu does use LUKS by default but I wanted to try to do it with VeraCrypt. VeraCrypt has had many victories on protecting people's data. Thanks!
Jul 11, 2016 at 12:56 AM
No. Nor with LUKS either. LUKS is used merely to encrypt the ~ directory AFAIK.
I'm open to correction, but I don't believe anyone has achieved "full disk encryption"
("nearly full" would be more accurate) on any 'nix.
Jul 15, 2016 at 8:24 AM
socksyfox001 wrote:
...but I could not install windows 10 on a MBR formatted disk.
Why? Windows 10 works perfectly fine on an MBR formatted disk.

I don't know about Ubuntu, but I've seen something like "encrypt the whole installation" when installing Mint. Mint is about the same as Ubuntu, but minter, try it ;-) I switched Ubuntu because of that left bar, what was that crap called...? On Linux I particularly dislike the traces of every activity spread across the whole drive, hidden in the home directory, in /etc and in /var, who knows where else. On my headless Linux seedbox I have symbolic links to a VeraCrypt container everywhere, but I have no idea if I caught all the traces.
Aug 7, 2016 at 5:44 AM
I made a point of coming back to this thread because I suspect my post above
is incorrect. I've since read the assertion that you can have a normal, old school
boot partition and put everything else in a crypt. The context was about LUKS, but,
assuming this is true at all, I suspect if we tinker enough we might could make
VC work too. Boot partitions classically were usually very small, say 200 MB, tops,
although I see some people recommending 2 GB now. But I'm pretty sure they can
still be made pretty tiny.

If anybody can point me to something worth reading on the subject, I'd like to play
with it at some point.

And, yes Testoslav, the flagship Mint began as a tweaked Ubuntu, though they
have diverged some. I've read they are "shipping" (funny how we use that word)
a dumbed-down Synaptic that upset some people. There is also Debian-Mint,
which is still a close cousin, since the 'buntus themselves are descended from
Debian. If you can tell me exactly which Mint flavor you saw that on, I'd like to
download the installer and give it a look.
Aug 23, 2016 at 12:35 AM
I'm thinking that, if there isn't a better way, at the very least it should be
possible to have a very minimal system - it shouldn't even need X, or any
of the programs like it, on a filesystem mounted read only, and chroot into
the encrypted system. As for installing the encrypted system in the first place,
couldn't we make a model and then use something like fsarchiver, clonezilla, or
ubiquity to clone it into the crypt? This idea may be nonsense - I'm at
the ragged edge of my competency here, but I'll try it as soon as I can get
around to it unless somebody comes up with a better approach in the
meantime.

If anyone has thoughts on this, I'd love to hear them.
Sep 7, 2016 at 3:11 PM
Edited Sep 7, 2016 at 3:14 PM
I've done nothing more on this but a little preliminary reading. It looks totally workable. For
anyone interested in pursuing this (as I indicated earlier - I'll get around to it when I get around
to it, provided civilization doesn't fall, entropy doesn't kill the universe, and the creek don't rise
in the meantime) some things I've stumbled over so far, that somebody might want to pursue:

-- Alternatives to chroot:

systemd-nspawn looks like it might do the job easier and better - not certain, but that's my
impression ATM.

There are a bunch of other programs that MIGHT be suitable: lxm, jchroot, coffer, docker, etc,
etc. I haven't looked at any of them and that is almost certainly not an exhaustive list.

If we can look beyond linuxes in the strict sense, and consider some other Unix-like OSs, at
least some of the BSDs have approaches to changing root to a jailed OS that are claimed to
be superior to anything native to, or that has been ported to, linuxes in the strict sense. I
haven't tried to use VC in a BSD, but BSDs are so similar to linuxes, it wouldn't surprise me if
it worked.

Again, if anyone is able to shed light on any of these points, or other aspects of the idea, I'd
be interested.
Developer
Sep 8, 2016 at 8:28 PM
The VeraCrypt DCS EFI loader has the possibility to execute a Linux kernel and load a RAM disk from an encrypted partition.

The only problem is passing the password to Linux to mount the root volume. It is necessary to program this in Linux.
Sep 9, 2016 at 8:27 PM
Thank you, Kavsrf. I presume the loader you refer to won't work with a
traditional MBR/BIOS setup. Since that's the only kind of hardware I have
to play with at the moment, I'd have to let that pass for now, even if I totally
understood it, which I don't.

I have just installed Ubuntu 16.04 with the 4 series kernel and systemd that
should support systemd-nspawn, so I may try to tinker with that approach soon.
I will post results when and if I have any.