Ubuntu

How to Encrypt a Drive in Ubutu 22.04

In this guide, we will demonstrate how to encrypt a drive on Ubuntu 22.04.

Prerequisites:

To perform the steps that are demonstrated in this guide, you need the following components:

Drive Encryption on Ubuntu

Encryption refers to the process of encoding the plaintext (original representation of the data) into ciphertext (encrypted form). The ciphertext can only be read if one has the encryption key. Encryption is the foundation of data security in this day and age.

Ubuntu supports encrypting an entire drive. It can help prevent data theft in case the physical storage is lost or stolen. With the help of tools like VeraCrypt, it’s also possible to create a virtual encrypted disk to store the data.

Encrypting the Drive During Ubuntu Installation

During the installation process, Ubuntu offers full drive encryption using LUKS. LUKS is a standard disk encryption specification that’s supported by nearly all Linux distros. It encrypts the entire block device.

During Ubuntu installation, the option to encrypt the drive is available when you’re asked to decide on the partition scheme. Here, click on “Advanced features”.

From the new window, select the “Use LVM with the new Ubuntu installation” and “Encrypt the new Ubuntu installation for security” options.

In the next step, you’ll be asked to provide a security key. By default, the recovery key is generated automatically but can be specified manually. The recovery key is useful if the user wants to access the encrypted disk and forgot the security key.

The Ubuntu installer will present you with the new partition scheme. Since we opted for LVM (Logical Volume Management), there will be LVM partitions on the list:

Complete the rest of the installation and reboot the machine. During boot, you’ll be prompted for the security key.

Encrypting the Drive after Ubuntu Installation

If you are already running an Ubuntu system and are not willing to reinstall the operating system from scratch, encryption using LUKS is not an option. However, with the help of certain tools, we can encrypt the home directory (of a specific user) and the swap space. Why encrypt these two places?

  • For the most part, user-specific sensitive info is stored in the home directory.
  • The operating system periodically moves the data between the RAM and the swap space. An unencrypted swap space can be exploited to reveal sensitive data.

Installing the Necessary Packages

We need the following tools installed to perform the partial encryption:

$ sudo apt install ecryptfs-utils cryptsetup

Creating a Temporary User with Sudo Privilege

The encryption of the home directory requires access to another privileged user. Create a new user using the following command:

$ sudo adduser encrypt-temp

Finally, assign a sudo privilege to the user:

$ sudo usermod -aG sudo encrypt-temp

Encrypting the Home Directory

Log out of the current user and log in to the temporary privileged user:

$ whoami

The next command encrypts the home directory of the target user:

$ sudo ecryptfs-migrate-home -u <username>

Depending on the size and disk usage of the directory, it can take some time. After the process finishes, it shows some instructions on what to do next.

Confirming Encryption

Now, log out of the temporary user and log back into the original account:

$ whoami

We are going to confirm that we can successfully perform the read/write actions on the home directory. Run the following commands:

$ echo "the quick brown fox jumps over the lazy dog" > test.txt

$ cat test.txt

If you are able to read and write the data, the encryption process finishes successfully. Upon login, the passphrase to decrypt the home directory is applied successfully.

Recording the Passphrase (Optional)

To get the passphrase, run the following command:

$ ecryptfs-unwrap-passphrase

When it asks for a passphrase, provide the login password. The tool should display the recovery passphrase.

Encrypting the Swap Space

To prevent any sensitive info leaks, it’s recommended to encrypt the swap space as well. However, this breaks the suspension/resumption of the operating system.

The following command displays all the swap spaces:

$ swapon -s

If you decide to use the auto partition during Ubuntu installation, there should be a dedicated swap partition. We can check the size of the swap space using the following command:

$ free -h

To encrypt the swap space, run the following command:

$ sudo ecryptfs-setup-swap

Cleanup

If the encryption process is successful, we can safely remove the residuals. First, delete the temporary user:

$ sudo deluser --remove-home encrypt-temp

In case something goes south, the encryption tool makes a backup copy of the home directory of the target user:

$ ls -lh /home

To delete the backup, run the following command:

$ sudo rm -r <backup_home_dir>

Virtual Encrypted Drive

The methods that are demonstrated so far handles the local storage encryption. What if you want to transfer the data securely? You could create the password-protected archives. However, the manual process can become tedious over time.

This is where the tools like VeraCrypt come in. VeraCrypt is an open-source software that allows creating and managing of virtual encryption drives. Moreover, it can also encrypt the entire partitions/devices (a USB stick, for example). VeraCrypt is based on the now-discontinued TrueCrypt project and is audited for security.

Check out how to install and use the VeraCrypt to store the data in an encrypted volume.

Conclusion

We demonstrated how to encrypt an entire drive on Ubuntu. We also showcased how to encrypt the home directory and swap partition.

Interested in learning more about encryption? Check out these guides on Linux file encryption and third-party encryption tools.

About the author

Sidratul Muntaha

Student of CSE. I love Linux and playing with tech and gadgets. I use both Ubuntu and Linux Mint.