
How to Encrypt Your Hard Disk in Ubuntu

Encrypting your disk is one way to keep your sensitive information secure. Without encryption, even a strong system password isn’t enough to prevent someone from accessing your files using another operating system.

Encryption transforms readable information into unreadable data, known as ciphertext, which can only be decoded with a key. Most Linux distributions make it easy to enable full disk encryption, either during installation or afterwards.

In this guide, we’ll walk you through encrypting your drive in Ubuntu, whether you’re setting it up for the first time or adding encryption to an existing system.


What Is Full Disk Encryption?

Full Disk Encryption (FDE) protects the entire drive, including all files and system data. During startup, you must enter a passphrase or key to unlock the drive before you can log in to your user account.

For optimal security, encrypt your entire disk during the Linux installation. This encrypts both the system partitions and the swap space in one step, so nothing is left unencrypted and no existing data has to be converted in place later. However, encrypting the full disk may cost a small amount of performance, particularly on older hardware.

Pros and Cons of Encryption

Though encrypting an entire hard drive sounds like a flawless idea, it comes with trade-offs. Let’s go over the pros and cons.

Benefits of encryption

  • Increased privacy
  • Only those with the encryption key can access the operating system and all the files on it
  • No state governments or hackers can spy on your machine and invade your privacy

Downsides of encryption

  • Accessing and mounting the encrypted file systems from another Linux system is difficult, if not practically impossible
  • Recovering data from these partitions is impossible
  • If a user loses the decryption key, they are out of luck

Preparing Installation

Full-disk encryption in Ubuntu is best set up at the OS level, right when the installation starts. It isn’t feasible to encrypt an active Ubuntu installation in place, so back up all your important files to Dropbox, Google Drive, or an extra hard drive, and prepare to reinstall Ubuntu.

Start out by downloading the latest version of Ubuntu, and get a USB flash drive (at least 2 GB in size) ready.

A program is needed to write the ISO to a live USB disk. Download the Etcher tool, extract it from the zip archive, and right-click (or highlight it with the mouse and press the Enter key) the extracted file to run it.

Note: Etcher will ask to create an icon – select yes.

Inside Etcher, click the Select Image button and navigate to the Ubuntu ISO image downloaded earlier. Then plug in the USB flash drive; Etcher detects it and selects it automatically. Finally, click the Flash! button to start writing the image.

Once writing has completed, reboot the computer with the flash drive still plugged in, enter the computer’s BIOS/UEFI setup, and select the option to boot from USB.

Note: If your machine does not support booting from USB, download the 32-bit version of Ubuntu and burn the ISO to a DVD using the burning software on your computer.

Encrypting a Full Disk During Ubuntu Installation

Ubuntu Linux offers a straightforward full-disk encryption feature that can be enabled during the installation process. It integrates LUKS (Linux Unified Key Setup), a widely supported disk encryption standard, directly into the installation workflow. Once enabled, you cannot disable the encryption without reformatting the disk.

Begin the installation process by booting from your Ubuntu installation media. When you start the partitioning operation, select the Advanced Features option to configure encryption.

Next, choose the Use LVM and encryption option. LVM (Logical Volume Management) provides flexibility in managing disk space, making it easier to resize partitions or manage multiple logical volumes.

You’ll then create a security key (password), which you will use every time you boot the system to decrypt the drive.

In the end, the installer will display the new partition layout, including LVM partitions. With encryption enabled, these partitions will be securely encrypted. Review and confirm the changes before proceeding.

Once the setup is complete, finish the installation and reboot your machine. From now on, at every boot you’ll need to enter the security key to unlock the encrypted drive. Without this key, the data on the drive remains inaccessible.

Unfortunately, full-disk encryption cannot be added to an existing Ubuntu installation. However, you can still encrypt individual directories or partitions using LUKS or similar tools.

Encrypting Your Disk After Installation

If you’ve already installed Ubuntu and don’t want to start fresh with a full reinstallation, you can still improve your system’s security by encrypting specific areas like the home directory and swap space. For example, the home directory stores user-specific sensitive data, while the operating system uses swap space to temporarily store data from RAM.

Encrypting your home directory and swap space after installation provides an additional layer of security, safeguarding your data without requiring a full system reinstall. While this process is relatively straightforward, always keep your recovery passphrase secure to prevent data loss.

To get started, install the ecryptfs-utils and cryptsetup packages for partial encryption:

sudo apt install ecryptfs-utils cryptsetup

You cannot encrypt your active home folder while logged in. To proceed, create a temporary user:

sudo adduser new-temp

Follow the prompts to set a password and user details. Next, grant sudo privileges to the new user:

sudo usermod -aG sudo new-temp

Log out, then log in as the temporary user from the power menu.

Now, encrypt the target user’s home directory:

sudo ecryptfs-migrate-home -u <username>

Replace <username> with the primary user’s name. You’ll be prompted to enter the primary user’s password. This process may take some time depending on the size of the directory.

After encryption, log out of the temporary user and return to your original account. Verify the encryption by creating and reading a test file:

echo "Your Text" > test.txt && cat test.txt

If you can write and read the file normally, the encrypted home directory is mounted and working.

Additionally, to ensure you don’t lose access to your data, record the recovery passphrase by running:

sudo ecryptfs-unwrap-passphrase

Enter your login password when prompted.
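The temporary-user migration above has two points where a practitioner wants an actual check rather than a hopeful retry: before running ecryptfs-migrate-home (is the target user really logged out, and is there room for the encrypted copy plus the plaintext backup), and afterwards (is /home/<user> really an eCryptfs mount, not just a readable directory). The following helper script is an added example, not part of the original article or of ecryptfs-utils. The user names, the /proc/mounts excerpt and the signature values in it are constructed, and the 2.5x free-space figure is an assumption taken from common guidance for ecryptfs-migrate-home, not something the article states.

```shell
#!/bin/sh
# Added example (not from the article or ecryptfs-utils): preflight and
# post-check helpers around `sudo ecryptfs-migrate-home -u <username>`.
# Nothing here performs the migration itself.

# space_ok HOME_KB AVAIL_KB
# The migration writes an encrypted copy of the home directory and keeps the
# plaintext backup, so free space of roughly 2.5x the home size is assumed
# to be required (an assumption used for this example, not a figure from
# the article). Succeeds when AVAIL_KB >= HOME_KB * 2.5.
space_ok() {
    home_kb=$1
    avail_kb=$2
    [ "$avail_kb" -ge $(( home_kb * 5 / 2 )) ]
}

# migrate_preflight USER
# Succeeds only if USER exists, is not currently logged in (the migration
# must run from a different account, as the article says), and the
# filesystem holding /home has enough free space.
migrate_preflight() {
    user=$1
    if ! getent passwd "$user" >/dev/null; then
        echo "preflight: no such user: $user" >&2
        return 1
    fi
    if who | awk '{print $1}' | grep -qx "$user"; then
        echo "preflight: $user is still logged in; log out first" >&2
        return 1
    fi
    home_dir=$(getent passwd "$user" | cut -d: -f6)
    home_kb=$(du -sk "$home_dir" 2>/dev/null | cut -f1)
    avail_kb=$(df -Pk /home | awk 'NR==2 {print $4}')
    if ! space_ok "$home_kb" "$avail_kb"; then
        echo "preflight: need about $(( home_kb * 5 / 2 )) KB free under /home, have ${avail_kb} KB" >&2
        return 1
    fi
    echo "preflight: ok, now run: sudo ecryptfs-migrate-home -u $user"
}

# home_is_ecryptfs USER
# Reads /proc/mounts-style lines on stdin and succeeds if /home/USER is
# mounted with filesystem type ecryptfs. Writing and reading a test file only
# proves the directory is usable; this proves it is the encrypted mount.
home_is_ecryptfs() {
    user=$1
    awk -v target="/home/$user" \
        '$2 == target && $3 == "ecryptfs" { found = 1 }
         END { exit found ? 0 : 1 }'
}

# Constructed /proc/mounts excerpt: alice has a migrated (eCryptfs) home,
# bob does not. The ecryptfs_*_sig values are zero placeholders, not real
# key signatures.
sample_mounts() {
    cat <<'EOF'
/dev/mapper/vgubuntu-root / ext4 rw,relatime,errors=remount-ro 0 0
/home/.ecryptfs/alice/.Private /home/alice ecryptfs rw,nosuid,nodev,relatime,ecryptfs_fnek_sig=0000000000000000,ecryptfs_sig=0000000000000000,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs 0 0
/home/bob/data /home/bob/data ext4 rw,relatime 0 0
EOF
}

# Live usage on a real system (not exercised offline):
#   migrate_preflight alice                      # before the migration
#   home_is_ecryptfs "$USER" < /proc/mounts      # after logging back in
```

Run the preflight from the temporary account before migrating; after you log back in as the original user, `home_is_ecryptfs "$USER" < /proc/mounts` exits 0 only when the eCryptfs mount is actually in place.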

Encrypt the swap space

Swap space extends physical memory (RAM) onto disk storage, so pages of sensitive data can end up on disk. Encrypting the swap space keeps that data out of unencrypted virtual memory. Note that this may affect the system’s suspend/resume functionality.

On a Linux system, swap can be either a swap file or a swap partition. To see the swap currently in use, run:

swapon -s

You can also check the swap size by executing this:

free -h

Now, to encrypt swap space, run:

sudo ecryptfs-setup-swap
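Both the installer’s “Use LVM and encryption” layout described earlier and ecryptfs-setup-swap put a dm-crypt layer underneath the filesystem or swap device, so a single check covers both: walk the device stack with lsblk and look for a crypt mapping or a LUKS container. The script below is an added example, not part of the article or of any Ubuntu tool. The device names in the constructed lsblk samples (vgubuntu-root, dm_crypt-0, sda3) are illustrative; the live helper assumes util-linux’s lsblk -s -P, findmnt and swapon --show, which exist on current Ubuntu releases.

```shell
#!/bin/sh
# Added example (not from the article): verify that a block device, such as
# the root filesystem or the swap device, sits on top of a dm-crypt/LUKS
# layer. It parses the key="value" output of `lsblk -s -P` (the inverse
# tree: the device and every ancestor it is stacked on), so the parser can
# be exercised offline on constructed input and then pointed at a live system.

# encrypted_chain
# Reads `lsblk -s -P -o NAME,TYPE,FSTYPE,MOUNTPOINT` output on stdin and
# succeeds (return 0) if the device or any ancestor is a dm-crypt mapping
# (TYPE="crypt") or a LUKS container (FSTYPE="crypto_LUKS"); fails otherwise.
encrypted_chain() {
    found=1
    while IFS= read -r line; do
        # The leading space before TYPE= keeps the pattern from matching FSTYPE=.
        type=$(printf '%s\n' "$line" | sed -n 's/.* TYPE="\([^"]*\)".*/\1/p')
        fstype=$(printf '%s\n' "$line" | sed -n 's/.*FSTYPE="\([^"]*\)".*/\1/p')
        case "$type" in crypt) found=0 ;; esac
        case "$fstype" in crypto_LUKS) found=0 ;; esac
    done
    return $found
}

# report_device DEV
# Runs the real lsblk on a live system and prints a verdict for DEV.
report_device() {
    dev=$1
    if lsblk -s -P -o NAME,TYPE,FSTYPE,MOUNTPOINT "$dev" | encrypted_chain; then
        printf '%s: encrypted (dm-crypt/LUKS present in the device stack)\n' "$dev"
    else
        printf '%s: NOT encrypted\n' "$dev"
    fi
}

# check_live_system
# Checks the root filesystem and every active swap device. Not exercised
# offline; run it on the installed machine.
check_live_system() {
    report_device "$(findmnt -n -o SOURCE /)"
    for swapdev in $(swapon --noheadings --show=NAME); do
        report_device "$swapdev"
    done
}

# Constructed sample: root LV on LVM on a LUKS container, the shape the
# installer's "Use LVM and encryption" option produces (names illustrative).
sample_encrypted_root() {
    cat <<'EOF'
NAME="vgubuntu-root" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/"
NAME="dm_crypt-0" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT=""
NAME="sda3" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT=""
EOF
}

# Constructed sample: a plain swap partition with nothing encrypted beneath it.
sample_plain_swap() {
    cat <<'EOF'
NAME="sda2" TYPE="part" FSTYPE="swap" MOUNTPOINT="[SWAP]"
NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT=""
EOF
}
```

On the installed system, `check_live_system` should report the root device as encrypted after an LVM-and-encryption install, and the swap device as encrypted after ecryptfs-setup-swap has been run and the machine rebooted; a plain swap partition that was never converted shows up as NOT encrypted.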

Once encryption is complete, remove the temporary user:

sudo deluser --remove-home new-temp

Additionally, the migration leaves a backup of the original, unencrypted home directory in “/home”. You can find it with the ls -lh /home command.

If everything is working fine, you can safely delete the backup with the following rm command:

sudo rm -r <backup_home_directory>

Wrapping up

Whether you’re building up a new system or securing an older one, disk encryption provides a solid layer of protection. You can also encrypt a drive or partition using cryptsetup with LUKS, or use a user-friendly alternative like VeraCrypt.

Remember, encryption is just one part of a comprehensive security strategy. You can further enhance the privacy of your Linux laptop by combining it with other measures, such as firewalls and multi-factor authentication, for robust data protection.

Image credit: Lock on hdd or harddrive by DepositPhotos. All alterations and screenshots by Haroon Javed.


Haroon Javed
Contributor
