Enable disk encryption after installation

If you want to enable encryption of your home folder, you will need to install and use these packages: ecryptfs-utils and cryptsetup. You will also need another user account with administrator (sudo) privileges. The full documentation is here:

  • How to Encrypt Your Home Folder After Installing Ubuntu

If you want to enable full disk encryption after installation, the short answer for now is probably: no, you can't. Anyway, if you are interested in this, your question is a duplicate of:

  • Is there a way to do full disk encryption after the install?
  • Full disk encryption

Follow-up question: what are the upsides and downsides of full disk encryption vs. just /home?

Encryption in /home is done using a user space filesystem called ecryptfs. It is very well done and tightly knitted into the default auth system, so that you'll have zero usability drawbacks: when you enter your account (either from a remote shell or from the default login screen) your password is used to unwrap a secure key, which is then used to encrypt/decrypt the files in your home directory on the fly (the mounted filesystem resides directly in /home/username). When you log out, /home/username is unmounted and only the encrypted files remain visible in the system (usually in /home/.ecryptfs/username/.Private/). They look like a bunch of scrambled/random files, since filenames are encrypted as well. The only information leak is: file size, timestamps and number of files (with full disk encryption these are hidden as well).

If your system is to be shared between multiple users, this is a very nice feature to have even if you decide to add full disk encryption along with it: the safety of full disk encryption is off while the machine is up and running, whereas home (ecryptfs) encryption is on as long as you're logged out.

So, full disk encryption and home encryption are not necessarily mutually exclusive.

Here's a list of possible set-ups, depending on different security needs:

  • FULL DISK ENCRYPTION ONLY: If you're the only one using your computer and your machine can handle the overhead of full disk encryption (all modern desktops can do that without the user noticing, netbooks and old laptops not so much), you can use full disk encryption and put home in the same partition as your OS (/).
  • FULL DISK ENCRYPTION AND HOME ECRYPTFS ENCRYPTION: If you're worried about your private data being read while your PC is on, or you share your computer with other users, then you could have home in a different partition from / and use ecryptfs along with full disk encryption (that is, encryption of / through LUKS).
  • HOME ECRYPTFS ENCRYPTION ONLY: If you're not too worried about someone tampering with your system while you're away but you'd still like to keep your private data safe, then skip the full disk encryption and just use ecryptfs (encryption of home). An added bonus of this scenario is that it is quite easy to set up even after you've installed Ubuntu, by just using ecryptfs-migrate-home. Also, this was the default Ubuntu setup before it changed a few releases back, adding the possibility of full disk encryption. Since most modern desktops can handle full disk encryption without a sweat and it adds a thin layer of security against off-line code injection, full disk encryption was added to the installer. Notice though that for most users just encrypting their home with ecryptfs will be enough for their needs: keeping their friends and the common laptop thieves off their private data. Besides, if you've been singularly targeted by an organization with the right means, having full disk encryption or just home encryption will not make much of a difference unless you've also established a lot of other paranoid behaviors (like keeping the kernel on a separate pen drive which is always on you, constantly checking for hardware tampering/keyloggers, and so on).

If I didn't enable disk encryption during installation, is there any way to enable it post facto?

Yes, and it's going to be easier if you're currently using LVM and have enough space on your system to copy all of your unencrypted system files into an encrypted LUKS partition. I'm not going into the details at the moment because I don't know if you're using LVM and whether you'd rather just use ecryptfs for now and skip the hassle of full disk encryption until the next fresh installation.


As this is still the top result on Google, I want to update it with some new information. As user Frederick Nord mentioned on: Is there a way to do full disk encryption after the install?

There is a tool called luksipc (LUKS in-place encryption). After further research I found the most recent documentation and a warning from the author of that tool:

luksipc was created before any alternative from dm-crypt/cryptsetup/LUKS side was available. This is not the case anymore. Therefore I recommend switching to cryptsetup-reencrypt, which is properly maintained and tested upstream even when the format of the LUKS header changes (to my knowledge, this has at least happened twice and can cause luksipc to catastrophically fail, i.e., destroy all your data in the worst case).

So cryptsetup-reencrypt seems to be the recommended way.

High Level Overview:

  1. The tool suggested can only work on partitions which aren't in use, so use a live CD/USB.
  2. Manipulate the partitions so there is enough space at the right location for the LUKS header.
  3. Use cryptsetup-reencrypt to encrypt the partition.
  4. Repeat for every partition (except for boot).

Short guide taken from Ubuntu Documentation:

    Add LUKS encryption to not yet encrypted device

    First, be sure you have space added to disk. Or alternatively shrink filesystem in
    advance.
    Here we need 4096 512-bytes sectors (enough for 2x128 bit key).
    fdisk -u /dev/sdb # move sdb1 partition end + 4096 sectors

    cryptsetup-reencrypt /dev/sdb1 --new --reduce-device-size 4096

Detailed guide taken from Arch Wiki - Encrypt an unencrypted filesystem:

    umount /mnt # As mentioned, this only works on partitions/devices which aren't mounted. You can skip this if you used a live CD and didn't mount this partition yet - but be sure to check
    e2fsck -f /dev/sdaX # check that the file system is ok; -f == force validation even if it looks ok
    resize2fs -M /dev/sdaX # shrink the filesystem to the minimum size
    cryptsetup-reencrypt /dev/sdaX --new --reduce-device-size 16M # encrypt the unencrypted partition
    cryptsetup open /dev/sdaX recrypt # open the encrypted partition so we can give back the disk space we removed with the -M option of resize2fs
    resize2fs /dev/mapper/recrypt # enlarge the filesystem again
    mount /dev/mapper/recrypt /mnt # mount if you want to access the data

Question: Why shrink to the minimum size?

Answer: Assumption - this is done because the size of the LUKS header can change in the future, so these steps are generic and won't get out of date. The header size changed from LUKS1 = 2 MB to LUKS2 = 16 MB in the past.

Troubleshooting Guide - /boot is encrypted and I can't boot

Update 12/2020

So for me it happened that I only had 1 partition, which included /boot. Afterwards I couldn't boot into my system anymore. If you experience the same issues, this guide might help you get back a working system.

High Level Overview

  1. Make sure you have the necessary software for decryption in GRUB and in the initramfs.
  2. Know how to boot.

Grub

  1. Boot into a "live CD" Ubuntu.
  2. Decrypt the partition.
  3. chroot into the decrypted system (if you don't know how, this might help: https://superuser.com/questions/111152/whats-the-proper-way-to-prepare-chroot-to-recover-a-broken-linux-installation).
  4. In the chroot environment, run:
    root@ubuntu:~# echo "GRUB_ENABLE_CRYPTODISK=y" >>/etc/default/grub
    root@ubuntu:~# update-grub
    root@ubuntu:~# grub-install /dev/sda???
  5. Stay in the chroot!

Initramfs

  1. Create an initramfs hook script which copies cryptsetup via copy_exec.
  2. Run update-initramfs -u -k all

How to boot

  1. You get an empty GRUB menu; hit "c" to get a command line.
  2. Execute the following:
    insmod luks # load GRUB's LUKS module
    cryptomount hd0,gpt6 # decrypt your encrypted partition
    configfile (crypto0)/boot/grub/grub.cfg # tell GRUB the path to the now unencrypted config file
  3. Now you should get a GRUB menu with the appropriate boot entries.
  4. After selecting "Ubuntu" you should get into the initramfs.
  5. Now execute the following:
    cryptsetup luksOpen /dev/sda6 system
    exit

Alternative

Maybe consider using the guide below instead. It seems to deal with the issues mentioned above. Though I haven't tried it, so I can't be sure it works. But it might be worth looking into. https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html

P.S. The troubleshooting guide was written from memory, so there might be some missing pieces. But I wanted to write it anyway, as it still might help some people. However, if you find something which is missing/inaccurate, please tell me in the comments so I can update the guide, thanks.
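A pre-flight check for the cryptsetup-reencrypt steps in the answer above, added here as an example (not code from the page or from the cryptsetup project). It assumes the 2 MiB (LUKS1) / 16 MiB (LUKS2) header figures quoted in the answer, takes the partition size in 512-byte sectors (as `blockdev --getsz` reports) plus the ext4 block count and block size (as `tune2fs -l` reports), and refuses to print a command when the device is mounted or the shrunken filesystem leaves no room for the header; all function names and the sample mounts table are made up for this example.

```shell
#!/bin/sh
# Pre-flight checks before "cryptsetup-reencrypt DEV --new --reduce-device-size N".
# Example code, not from the page; function names are assumed. Header sizes follow
# the answer above: LUKS1 header 2 MiB, LUKS2 header 16 MiB.

# Bytes that must be free at the end of the partition for the given LUKS format.
header_bytes() {
  case "$1" in
    luks1) echo $((2 * 1024 * 1024)) ;;
    luks2) echo $((16 * 1024 * 1024)) ;;
    *) echo "unknown LUKS format: $1" >&2; return 1 ;;
  esac
}

# Unused bytes at the tail of the partition after "resize2fs -M".
# $1 partition size in 512-byte sectors, $2 fs block count, $3 fs block size.
tail_free_bytes() {
  echo $(( $1 * 512 - $2 * $3 ))
}

# Exit 0 when the shrunken filesystem leaves room for the header: fmt sectors blocks bsize.
header_fits() {
  need=$(header_bytes "$1") || return 2
  free=$(tail_free_bytes "$2" "$3" "$4")
  [ "$free" -ge "$need" ]
}

# Exit 0 when DEV is a mounted source in the mounts table (/proc/mounts by default).
# cryptsetup-reencrypt refuses in-use devices, so this is the first thing to check.
is_mounted() {
  awk -v d="$1" '$1 == d { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# Print the command to run, or a reason not to, without touching the device.
# Args: dev fmt sectors blocks bsize [mounts-table].
plan_reencrypt() {
  if is_mounted "$1" "${6:-/proc/mounts}"; then
    echo "refuse: $1 is mounted; boot a live system or umount it first"; return 1
  fi
  if ! header_fits "$2" "$3" "$4" "$5"; then
    echo "refuse: $(tail_free_bytes "$3" "$4" "$5") bytes free at tail, need $(header_bytes "$2")"
    echo "        run resize2fs -M first or grow the partition"; return 1
  fi
  echo "cryptsetup-reencrypt $1 --new --reduce-device-size $(( $(header_bytes "$2") / 1048576 ))M"
}

# Constructed sample mounts table standing in for /proc/mounts (sda2 is mounted, sda3 is not).
SAMPLE_MOUNTS=$(mktemp)
printf '/dev/sda1 / ext4 rw,relatime 0 0\n/dev/sda2 /home ext4 rw,relatime 0 0\n' > "$SAMPLE_MOUNTS"
# Demo: 40 GiB partition (83886080 sectors) whose ext4 fs was shrunk to 10 GiB (2621440 4 KiB blocks).
plan_reencrypt /dev/sda3 luks2 83886080 2621440 4096 "$SAMPLE_MOUNTS" || true
plan_reencrypt /dev/sda2 luks2 83886080 2621440 4096 "$SAMPLE_MOUNTS" || true
rm -f "$SAMPLE_MOUNTS"
```

On cryptsetup 2.x the same operation is also available as `cryptsetup reencrypt`; adjust the printed command if the standalone `cryptsetup-reencrypt` binary is not installed.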
