How secure is an encrypted partition?
- If you chose to encrypt the new system via LUKS, the whole system is encrypted. This includes your system files, home folder (and thus your data), as well as the swap partition. This means that you can use suspend-to-disk (a.k.a. hibernate) and still have all benefits of full disk encryption. As pointed out in the comments, Ubuntu uses suspend-to-RAM by default. For Ubuntu to use suspend-to-disk instead, you have to follow the instructions on help.ubuntu.com which apparently only work for a limited number of machines.
- 256 bit AES encryption is likely strong enough for the foreseeable future. As was discussed here on Cryptography Stack Exchange, brute forcing AES-256 would cost about 100 tredecillion times the world GDP - the closest thing to impossible you can imagine. Even brute forcing 128 bit AES encryption takes about a thousand times the world's GDP.
- The LUKS key is not locked by anything but the LUKS header (which is on the HDD/SSD) and your passphrase (which is in your head). This allows you to (a) use it in any other machine, as long as that is also possible with an unencrypted system disk, i.e. for common systems it should work flawlessly. As for (b), yes, you can make whole disk backups with `dd`, but be aware that these images will not compress to any significant amount. This is due to the nature of encrypted data being indistinguishable from random data without the passphrase.
- There is only academic benefit to this, i.e. after consuming the first tredecillion world GDPs for breaking your full disk encryption, an attacker would need another tredecillion world GDPs to also get into your encrypted home folder (assuming different passphrases/keys). So it actually strengthens your encryption from 256 bits to 257 bits key length. On a personal note, I even use automatic login on full disk encryption machines, as I consider the disk encryption safe enough to not require the password to be entered again after booting.
Not everything on your drive is encrypted, but your data is.
The part that is not encrypted is your `/boot` area, as it is used during startup. Some interesting consequences that flow from that can be found here.

You can find out your specific installation's cypher strength by running

```
ls /dev/mapper/ | grep crypt
```

The output will be YOUR_CRYPT

```
sudo cryptsetup status YOUR_CRYPT
```

Example:

```
ls /dev/mapper/ |grep crypt
nvme0n1p4_crypt
sudo cryptsetup status nvme0n1p4_crypt
/dev/mapper/nvme0n1p4_crypt is active and is in use.
  type:    LUKS1
  cipher:  aes-xts-plain64
  keysize: 512 bits
  device:  /dev/nvme0n1p4
  offset:  4096 sectors
  size:    499410944 sectors
  mode:    read/write
  flags:   discards
```
Your encryption grade will vary based on when you installed Ubuntu and which version you are using, but even an older setup will be fairly strong, and likely hold up against casual cracking. A good discussion on Ubuntu block-level encryption: How secure is Ubuntu's default full-disk encryption?
Booting your encrypted drive on different hardware will not be an issue. If you do a bit-for-bit copy of your encrypted drive, you can still boot that as normal, and log into it using your password. The copy operation should be done while "offline" (with the drive unmounted, after a shut down). An on-line data grab is unlikely to work, but I'm not 100% certain.
"Home Folder" encryption is based around the "homefolder-in-a-file" idea. If the system was not encrypted, and the file system would be mounted, the encrypted home directory would be a single large file, encrypted using cryptsetup. As such, encrypting your home folder within an encrypted system would increase the difficulty of obtaining your personal files. There may be a performance trade-off however. More on encrypted home.
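The `cryptsetup status` check from the answer above, as an added example that is not part of the original answer: it parses the status text and reports the effective AES strength, which for an XTS cipher is half the listed keysize (512 bits means AES-256). The function names are hypothetical, and `SAMPLE_STATUS` is the output shown in the answer, embedded so the script runs offline.

```shell
#!/bin/sh
# Added example, not the answer author's code. Function names are hypothetical.
# SAMPLE_STATUS reproduces the `cryptsetup status` output shown in the answer.
SAMPLE_STATUS='/dev/mapper/nvme0n1p4_crypt is active and is in use.
  type:    LUKS1
  cipher:  aes-xts-plain64
  keysize: 512 bits
  device:  /dev/nvme0n1p4
  offset:  4096 sectors
  size:    499410944 sectors
  mode:    read/write
  flags:   discards'

# status_field NAME: print the value of the "NAME:" line from status text on stdin.
status_field() {
    awk -v key="$1:" '$1 == key { $1 = ""; sub(/^ +/, ""); print }'
}

# effective_bits CIPHER KEYSIZE: XTS splits the key into a data key and a
# tweak key of equal length, so the AES strength is half the listed keysize.
effective_bits() {
    case "$1" in
        *-xts-*) echo $(( $2 / 2 )) ;;
        *)       echo "$2" ;;
    esac
}

# summarize: read status text on stdin and print a one-line summary.
summarize() {
    status=$(cat)
    luks_type=$(printf '%s\n' "$status" | status_field type)
    cipher=$(printf '%s\n' "$status" | status_field cipher)
    keysize=$(printf '%s\n' "$status" | status_field keysize | awk '{ print $1 }')
    flags=$(printf '%s\n' "$status" | status_field flags)
    bits=$(effective_bits "$cipher" "$keysize")
    echo "type=$luks_type cipher=$cipher effective_bits=$bits flags=${flags:-none}"
}

printf '%s\n' "$SAMPLE_STATUS" | summarize
# On a live system, with the mapping name that ls /dev/mapper/ shows:
#   sudo cryptsetup status YOUR_CRYPT | summarize
```
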
Short simple answers:
Is everything on the drive encrypted (including my data)?:
- Yes all is encrypted
How strong is this encryption?:
- Quite strong, as strong as the weakest link: you.
Also, does the encryption prevent me from either (a) installing the SSD with the encrypted file system into a different device or (b) making a complete backup of the drive (using a live version of Ubuntu, for example) and at some point restoring that backup?:
- You have to try it to convince yourself. Forget the password and your data are all gone; if you know one who has been able to crack it after such a situation, please let me know.
Also, if the entire filesystem is encrypted is there any value in also encrypting my home folder in Ubuntu?:
- Waste of time, no need to. But if you need to OK!
More information:
From that link you shared I quote a link I followed:
The moral of this story? If you have a mounted LUKS partition on your phone, it is very easy for someone to get the master encryption key. cryptsetup does delete the key from ram during a luksClose operation, so my recommendation is to only mount your LUKS drive when you are using it and then unmount and luksClose it when you are done. Otherwise, it becomes a huge security hole. Almost like your drive wasn't encrypted in the first place.
It's probably appropriate to mention here that LUKS on Android isn't the only system susceptible to this kind of attack. Virtually all disk-encryption systems store the encryption key in ram. The Princeton CITP group identified this fact a long time ago. My point here is only that an attack like this is very easy to do!
Note the bold section in the more information. Like I said, if you're weak or careless in the way you handle your stuff then expect trouble. He gave advice: always unmount or close when you're not using it.