May 2, 2010

Encrypted Ubuntu 10.4 on a Dual Boot System

The aim of this post is to discuss how to encrypt your Linux installation on a disk drive that boots MS Windows 7/Vista and Ubuntu Linux 10.4 (should be applicable to previous versions of Ubuntu as well).

Note: A later post will be added to discuss how to encrypt your MS Windows in order to have both systems encrypted.

Why would you want to encrypt your hard disk? One reason would be to protect your data against theft, etc. Other reasons will be left to your vivid imagination.

There are two cases:

Case 1 (GNU/Linux uses the whole hard disk):
In case 1 you only have Debian GNU/Linux or one of its derivatives, such as Ubuntu 10.4, alone without any MS Windows systems. If this is the case, you can easily download the Ubuntu Text-based installer, and when you reach the "Partition disks" step, all you have to do is choose "Guided - use entire disk and set up encrypted LVM". This option should be easy and therefore it will not be further discussed in this post.

Case 2 (GNU/Linux is installed next to a previous MS Windows installation):
You use MS Windows 7/Vista and Ubuntu 10.4; this is a more complicated option. Of course, I advise against using MS Windows products; however, if for some reason you must keep it on your desktop/laptop, then you can follow the steps below.

1. Get Ubuntu 10.4 Text-based Installer.
2. Make sure that you have unallocated (unpartitioned) space for Linux. You can shrink your MS Windows 7 partition using the Ubuntu installation disk.
3. To create an encrypted installation of Ubuntu, I suggest following Installing Ubuntu with full disk encryption at Learning Linux blog.

I am writing the steps of the Learning Linux post in my own words with a few small changes:

1. Boot Ubuntu Text-based Installer disk.
2. When you reach the "Partition disks" step, choose "Manual".

3. Create a non-encrypted /boot partition. The default option is a 254.8 MB Ext2 file system. You should specify the mount point as /boot.

4. You need to choose "Configure encrypted volumes" which gives you the option to "Create encrypted volumes" in the free unallocated space.

5. Once done, you will be asked whether to create more encrypted volumes; choose "Finish" to exit this process. After you click "Finish" you will be asked for the encryption password. Make sure that your password is long, complicated, difficult to guess, etc.
6. Next you need to "Configure the Logical Volume Manager" and you should use the previously encrypted partition as the "new volume group".

7. Create two "Logical Volumes": the first will later serve as your root partition; the second will be your swap partition (hence it should be roughly twice the size of your RAM).

8. Configure the first encrypted Logical Volume as Ext4, mounted as /.

9. Configure the second encrypted Logical Volume as Swap.

10. Your final table should be as shown below.

Next you can proceed with the installation normally and you will have 2 options regarding GRUB:
1. If you don't want to encrypt your MS Windows, then install GRUB on your MBR. In this case, you should be able to boot both MS Windows and your encrypted GNU/Linux installation.
2. If you also want to encrypt your MS Windows, then install GRUB on your /boot partition (usually /dev/sda2 or /dev/sda3 depending on your Windows installation.) In this case, you will continue to be able to boot Windows normally; however, you will not be able to boot GNU/Linux yet. Following the next post How to Encrypt Windows 7/Vista on a Dual Boot System, you will be able to encrypt your MS Windows using TrueCrypt and then you will be able to use your TrueCrypt Boot Loader to reach GRUB and boot your encrypted GNU/Linux installation.
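
To confirm after the first boot that the installed system really has the layout from steps 3 to 9 (plain /boot, with / and swap as logical volumes on top of the encrypted partition), the block device tree can be checked mechanically. The script below is an added example, not part of the original post or the Learning Linux guide; it assumes an `lsblk` that supports `--json` (a newer util-linux than Ubuntu 10.4 shipped), and the device and volume names in the sample are constructed.

```python
import json
import subprocess

# Constructed sample of `lsblk --json -o NAME,TYPE,MOUNTPOINT` output for the
# layout from steps 3-9 (all device and volume names here are made up).
SAMPLE = """
{"blockdevices": [{"name": "sda", "type": "disk", "mountpoint": null, "children": [
  {"name": "sda1", "type": "part", "mountpoint": null},
  {"name": "sda2", "type": "part", "mountpoint": "/boot"},
  {"name": "sda3", "type": "part", "mountpoint": null, "children": [
    {"name": "sda3_crypt", "type": "crypt", "mountpoint": null, "children": [
      {"name": "vg0-root", "type": "lvm", "mountpoint": "/"},
      {"name": "vg0-swap", "type": "lvm", "mountpoint": "[SWAP]"}]}]}]}]}
"""

def mounts(nodes, encrypted=False):
    """Yield (mountpoint, name, encrypted) for each mounted or swap device."""
    for node in nodes:
        inside = encrypted or node.get("type") == "crypt"
        if node.get("mountpoint"):
            yield node["mountpoint"], node["name"], inside
        yield from mounts(node.get("children") or [], inside)

def audit(lsblk_json):
    """Return a list of deviations from the layout; empty means it matches."""
    found = list(mounts(json.loads(lsblk_json)["blockdevices"]))
    problems = []
    roots = [f for f in found if f[0] == "/"]
    if not roots:
        problems.append("no root filesystem found")
    # Root and every active swap area must sit below a dm-crypt mapping.
    for mountpoint, name, encrypted in found:
        if mountpoint in ("/", "[SWAP]") and not encrypted:
            problems.append(f"{mountpoint} on {name} is not encrypted")
    # /boot has to stay readable by the boot loader, so it is the one
    # filesystem expected outside the encrypted volume (step 3).
    boots = [f for f in found if f[0] == "/boot"]
    if not boots:
        problems.append("/boot is not a separate filesystem")
    elif boots[0][2]:
        problems.append(f"/boot on {boots[0][1]} is inside the encrypted volume")
    return problems

if __name__ == "__main__":
    out = subprocess.run(["lsblk", "--json", "-o", "NAME,TYPE,MOUNTPOINT"],
                         capture_output=True, text=True, check=True).stdout
    for line in audit(out) or ["layout matches: / and swap encrypted, /boot plain"]:
        print(line)
```

A swap area left on a plain partition is the deviation worth watching for, since swapped-out memory would then be written to disk unencrypted.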