cryptsetup - How to encrypt the full disk during installation

Cryptsetup is the command-line tool for interfacing with dm-crypt to create, access and manage encrypted devices. It is used to conveniently set up dm-crypt managed device-mapper mappings.

This guide shows how to encrypt your disk with this tool while installing Ubuntu. We recommend practicing on a virtual machine first. Note: the steps below were performed on a VM.

Step 1: Initiate Ubuntu installation

1.1. Boot your VM from your computer's DVD drive, a USB flash drive or an Ubuntu image.


1.2. Click “Install Ubuntu” to start installing Ubuntu.


1.3. Choose your preferred keyboard layout and click “Continue”.


1.4. At the “Updates and other software” step, select how you would like to install Ubuntu.

  • Normal installation: all the features will be installed.

  • Minimal installation: only the basic components will be installed and you will have to install software when required.

  • Download updates while installing Ubuntu: select this option to download updates automatically during installation if you have a fast internet connection.

  • Install third-party software for graphics and Wi-Fi hardware and additional media formats: if you have licensed software for graphics, Wi-Fi and additional media formats. You can install these multimedia packages later.


Click “Continue” to proceed.

Step 2: Encrypt your disk while installing

2.1. At the “Installation type” step, select “Erase disk and install Ubuntu” and check the “Encrypt the new Ubuntu installation for Security” box. This will automatically select LVM as well. Both boxes must be checked. After selecting the encryption options, click “Install Now” to begin the installation.


2.2. Clicking “Install Now” with the encryption options selected brings up a configuration step where you set a security key for the encryption process. You need to remember this key, because you must re-enter it each time the computer starts up.


For more security, you can enable “Overwrite empty disk space”. With this option selected, unused disk space will be overwritten by the filesystem with either random content or zeros. This will make it more difficult to recover data if unauthorized access is gained to the encrypted disk.

Click “Install Now” to proceed.


Click “Continue” to proceed.

Step 3: Finish the installation.

The following steps are typical Ubuntu installation configurations.

3.1. Select the time zone you prefer.


3.2. Create an account to log into the computer and set a hostname for your computer.


To add another security layer, you should select "Require my password to log in". The system will show a login screen for you to enter your credentials instead of automatically logging you into your account when your device boots up.

The option "Encrypt my home folder" tells the system to encrypt your home folder. This will add another layer of encryption for your data on the system.

Click “Continue” to start the installation.

3.3. Click “Restart Now” to restart the system and complete the installation.


Once the system starts, you will have to enter the security key you set in step 2.2 for the encrypted drive. Without the security key, the system won’t boot. There’s literally no way to bypass it.


Step 4: Verify that the disk is encrypted

4.1. Log into the system with the credentials you set at step 3.2.


4.2. Open a terminal and run the command below to check the encryption status:

$ lsblk -o NAME,MOUNTPOINT,TYPE,FSTYPE

Check the FSTYPE column for each partition: if it shows "crypto_LUKS", the partition is encrypted.
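
The script below is an added example, not part of the original guide. It automates the check from step 4.2 by following each mounted filesystem down its parent chain and reporting whether a crypto_LUKS container lies beneath it. The function names luks_report and sample_lsblk are hypothetical, the lsblk columns KNAME and PKNAME are used in place of NAME and TYPE so the parent chain can be followed, and the sample output is constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): classify each mounted
# filesystem by whether a crypto_LUKS container lies beneath it.
# Live use: lsblk -P -o KNAME,PKNAME,MOUNTPOINT,FSTYPE | luks_report
# Assumption: each device has a single parent (no multi-PV LVM or RAID).

luks_report() {
    awk '
    # Return the value of KEY="value" on the current line ("" if absent).
    function field(key,    line, s) {
        line = " " $0
        if (!match(line, " " key "=\"[^\"]*\"")) return ""
        s = substr(line, RSTART, RLENGTH)
        return substr(s, length(key) + 4, length(s) - length(key) - 4)
    }
    {
        k = field("KNAME")
        parent[k] = field("PKNAME")
        fstype[k] = field("FSTYPE")
        mnt[k]    = field("MOUNTPOINT")
        order[++n] = k
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]
            if (mnt[k] == "") continue
            state = "PLAINTEXT"
            # Walk from the mounted device down towards the physical disk.
            for (d = k; d != ""; d = parent[d])
                if (fstype[d] == "crypto_LUKS") { state = "ENCRYPTED"; break }
            print state, mnt[k], k
        }
    }'
}

# Constructed sample of lsblk -P output for an LVM-on-LUKS layout.
sample_lsblk() {
    cat <<'EOF'
KNAME="sda" PKNAME="" MOUNTPOINT="" FSTYPE=""
KNAME="sda1" PKNAME="sda" MOUNTPOINT="/boot" FSTYPE="ext4"
KNAME="sda5" PKNAME="sda" MOUNTPOINT="" FSTYPE="crypto_LUKS"
KNAME="dm-0" PKNAME="sda5" MOUNTPOINT="" FSTYPE="LVM2_member"
KNAME="dm-1" PKNAME="dm-0" MOUNTPOINT="/" FSTYPE="ext4"
KNAME="dm-2" PKNAME="dm-0" MOUNTPOINT="[SWAP]" FSTYPE="swap"
EOF
}

sample_lsblk | luks_report
```

In the constructed sample, / and swap sit on logical volumes inside the LUKS container and are reported as ENCRYPTED, while /boot is on a plain ext4 partition outside it and is reported as PLAINTEXT.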

