LUKS Full Disk Encryption

If you are a Linux user, you probably already know that you have excellent full disk encryption built-in. This is offered through the “Linux Unified Key Setup” or LUKS. Enabling LUKS full disk encryption when setting up a new machine is incredibly simple.

This tutorial assumes a new installation of Linux. In this instance I used Ubuntu, and most Linux distributions should behave similarly with regard to installation and setting up encryption. When you begin the installation of Ubuntu you are asked to “Try” or “Install” the operating system. This tutorial also assumes that you wish to permanently install it.

On the next screen, “Installation type”, you will be given the option to encrypt the new installation. Check the box to indicate you would like the installation to be encrypted and click “Install Now”.

On the next screen you will be prompted to choose your security key. You should choose a very strong password as this protects all the files on your computer. This must be a password that you can remember and manually type, as you will have to enter it before the machine boots. A diceware password would be an excellent option for this application.

This screen also gives you the option to overwrite empty disk space. If you are installing Ubuntu on a brand new computer, there is no reason at all to do this. If, however, you are installing on a used machine and want to be absolutely sure nothing is left behind, this is a good option. It will overwrite all disk space with pseudorandom data, but this process can cause the installation to take significantly longer.

After you have chosen and confirmed your security key, click “Install Now”. There are several other screens to navigate during the installation, but these are the ones that deal with enabling LUKS full disk encryption. The next time you boot the computer you will be greeted with a prompt to “Please unlock disk sda5_crypt:_”. The computer will not start until you have entered the correct decryption key.
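Once the machine has booted past the unlock prompt, you can confirm that the root filesystem really sits on a LUKS container instead of relying on the prompt alone. The following is an added example, not part of the original article: the function name `root_on_luks`, the kernel device names (`dm-0`, `dm-1`) and both sample layouts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): decide from `lsblk -P`
# output whether the filesystem mounted at / sits on a LUKS container.
# Live use: lsblk -P -o KNAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT | root_on_luks
# Exit status: 0 = root is on LUKS, 1 = not on LUKS, 2 = no root found.
root_on_luks() {
    awk '
    # Return the value of KEY="value" from one --pairs line.
    function val(line, key) {
        line = " " line   # leading space stops KNAME matching inside PKNAME
        if (!match(line, " " key "=\"[^\"]*\"")) return ""
        return substr(line, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
    }
    {
        k = val($0, "KNAME")
        parent[k] = val($0, "PKNAME"); dtype[k] = val($0, "TYPE")
        fstype[k] = val($0, "FSTYPE")
        if (val($0, "MOUNTPOINT") == "/") root = k
    }
    END {
        if (root == "") exit 2
        # Walk up from the root device; hop limit guards against bad input.
        for (d = root; d != "" && hops < 16; d = parent[d]) {
            hops++
            if (dtype[d] == "crypt" && fstype[parent[d]] == "crypto_LUKS") exit 0
        }
        exit 1
    }'
}
# Constructed sample: encrypted layout (dm-0 stands for the sda5_crypt mapping).
sample_encrypted() {
cat <<'EOF'
KNAME="sda" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" FSTYPE="ext2" MOUNTPOINT="/boot"
KNAME="sda5" PKNAME="sda" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda5" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/"
EOF
}
# Constructed sample: unencrypted layout with / directly on a partition.
sample_plain() {
cat <<'EOF'
KNAME="sda" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/"
EOF
}
if sample_encrypted | root_on_luks; then echo "encrypted sample: / is on LUKS"; fi
if ! sample_plain | root_on_luks; then echo "plain sample: / is NOT on LUKS"; fi
```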

Here’s the rub (and there’s always a rub, right?): setting up LUKS is insanely easy when you are first installing Linux. Setting it up afterward…not so much and requires some tinkering inside the Terminal. If you are interested in a post-installation setup tutorial let me know and I’ll do my best to get one out to you.

I don’t want to turn this into a sales-pitch for Linux. But I will say that Linux is generally a far more secure computing environment than commercially available options. And distros like Ubuntu are fairly user-friendly for those migrating from these options. And because they are generally pretty lightweight, they can make an older computer run (almost) like new again. If you are thinking about switching partially or fully to Linux, be sure to enable LUKS full disk encryption.
