Created: Nov, 2015; Last modified: Nov, 2015
This post shows how to do full disk encryption in Linux, and how to decrypt on boot. It works on Ubuntu 14.04 (Linux Mint 13), but should be applicable to other Linux flavors with no or minor modifications.
The “dm_crypt” tool is used here by default. The basic idea is “dm_crypt” decrypts disk partitions before mounting them. Therefore the configuration file “/etc/crypttab” is read before “/etc/fstab”. In this process, the encrypted partition will first be decrypted to file “/dev/mapper/XXXX”, which will be subsequently mounted.
Before getting started, first check if “dm_crypt” tools are installed and the kernel module is loaded:
sudo apt-get install cryptsetup sudo modprobe dm_crypt
I usually make root and home in a single partition during installation. Therefore this part of encryption has already been taken care of by checking encrypting home partition option during the installation of Ubuntu. This partition will be automatically decrypted on boot.
Swap partition will also be automatically encrypted if home partition encryption option is checked during installation. It should work out of box except that it does not in my cases most of the time. The error is related to the non-existing UUID of the swap partition for some reason. The issue can be circumvented by replacing the UUID with disk file in “/etc/crypttab” like:
cryptswap1 /dev/sda1 /dev/urandom swap,cipher=aes-cbc-essiv:sha256
where “/dev/sda1” used to be a UUID. This will decrypt the swap partition at /dev/sda1 to /dev/mapper/cryptswap1. In “/etc/fstab” the related (default) entry is:
/dev/mapper/cryptswap1 none swap sw 0 0
Finally, enable swap if it is not active yet:
sudo swapon -a
For the first-time set-up, the following procedure will erase the existing data on the partition. Assume /dev/sda3 is the non-root partition to be encrypted.
First wipe the partition securely.
After that, set up the LUKS header on the partition with default options
sudo cryptsetup -v luksFormat /dev/sda3
See this link for a full list of options. During this operation, a passphrase is created to encrypt and decrypt the partition.
Now open the partition by
sudo cryptsetup open device nonroot
This will decrypt the partition to /dev/mapper/nonroot. There is still no file system on this partition it yet. Create it by
sudo mkfs.ext4 /dev/mapper/nonroot
and then mount it
sudo mount -t ext4 /dev/mapper/nonroot /mnt/mypart
Optionally, to close and un-mount this partition, do
sudo umount /mnt/mypart sudo cryptsetup close nonroot
The idea is very similar to swap partition. First add a record to “/etc/crypttab”:
nonroot /dev/sda3 none luks,timeout=60
This means to prompt for passphrase (“none” option) and decrypt /dev/sda3 to /dev/mapper/nonroot with the timeout of 60 seconds. Correspondingly, in “/etc/fstab”, add an entry like
/dev/mapper/nonroot /mnt/mypart ext4 defaults,errors=remount-ro 0 2
TRIM is not enabled by default here. One way to enable TRIM is to add “discard” option to each abstraction layer of file system (meaning need to apply it to both “/etc/crypttab” and “/etc/fstab”). However, that may bring non-negligible file system overhead since the defrag is carried out right after each flash erase. Probably not the best option.
A more recent tweak introduced in Ubuntu 14.04 by default is that the system runs a cron job doing “fstrim” weekly (weekly seems to be a reasonable interval after some discussion). This approach can make the file system configuration fields “discard”-free since the job is already being done by “fstrim” on the background.
Another caveat is “fstrim” cron job is configured for Samsung and Intel SSD by default. To enable for SSDs from other vendors, add “–no-model-check” flag to fstrim in “/etc/cron.weekly/fstrim”
exec fstrim-all --no-model-check