You say it is possible to encrypt /boot? Karmic uses Grub2 correct? How would I go about encrypting /boot this way? Is it an obvious choice when I'm encrypting? Or is there some sneaky method to it?
Blog | Ubuntu User #15350 | Zsh FTW | Ubuntu Security | Nothing to hide?
AMD Phenom II X6 1075T @ 3GHz, Nvidia GTX 650, 8GB DDR3 RAM, 1 X 1TB, 2 X 3TB HDD
Please don't request support via PM
Oh, haha, I'm only on my 6th month using Ubuntu, no Grub hacking for me yet. So to make sure I have things right, 1) download-->burn-->boot Alternate CD, 2) install as normal, using the encryption option (which will encrypt everything except /boot)? And then just finish the installation process as I normally would if I was using the Desktop CD?
No, you have to do the whole thing from the alternate CD. I forget what the option says exactly but it should be something like "Set up encrypted LVM". It may still ask you if you want to encrypt your home directory later in the process but that's not necessary since you've encrypted the entire disk already.
Alright, thanks. I'll post if I have problems with it.
Interesting. I wasn't aware of these patches but I guess it is logical that GRUB could be hacked to do this.
I suppose it depends on what the OP meant when he said on-the-fly. I think he was referring to having an encrypted container (not a whole partition) that one is able to unlock after the machine has booted. This is sort of like many people do with Truecrypt; instead of encrypting the whole drive, they encrypt a large container on the drive that can remain locked even after boot. Once they open the container, data can be removed to and from the container and encrypted/decrypted "on-the-fly." Very similar to encryptfs, except without having to encrypt the entire /home partition.

No, LUKS is a form of on-the-fly encryption.
http://en.wikipedia.org/wiki/On-the-fly_encryption
Basically anything that presents the data to the end user transparently is on-the-fly. This would include things like TrueCrypt, Ecryptfs, and Encfs in addition to LUKS. GPG would be an example of the opposite of on-the-fly encryption.
So, if the OP is asking whether LUKS can create an encrypted container on a drive (that is, a container that can be a single directory and not a whole partition), the answer is no (if it can be done, I am not aware of it). If he simply meant does LUKS use an on-the-fly method of operation in general, then the answer is obviously yes. As you pointed out, technically, WDE constitutes "on-the-fly" encryption.
OP, here is a nice guide for accomplishing WDE with the alternate CD. The guide is for 8.04 but it works the same for 10.04.
Last edited by rookcifer; June 11th, 2010 at 04:34 AM.
Actually, rookcifer, I was talking about encrypting the entire drive, including everything I can, not just encrypting a specific directory. Will encryptfs allow me to do that without having to reinstall Ubuntu? I don't want just a directory or container encrypted, I want everything except /boot encrypted.
I guess the confusion came after I explained that LUKS encrypts your whole drive (except /boot) and then you asked whether it also did "on-the-fly." From that I assumed you must have a different definition of "on-the-fly" than that of WDE.
At any rate, if you want everything encrypted you will have to reinstall with the alternate CD using the directions I posted in one of my previous posts.
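After an "encrypted LVM" install it is worth verifying which mount points actually sit on top of a dm-crypt mapping and which (normally just /boot) are still plaintext. The following is an added example, not code from the thread; it parses the output of `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` (a util-linux tool newer than the releases discussed above) and the embedded sample output is constructed to mirror the LVM-on-LUKS layout the alternate CD produces.

```python
import shlex
import sys

# Constructed sample of `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` on a
# machine installed with the alternate CD's "encrypted LVM" option:
# /boot is a plain partition, everything else is LVM on top of one LUKS volume.
SAMPLE_LSBLK = """\
NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda5" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="sda5_crypt" TYPE="crypt" MOUNTPOINT="" PKNAME="sda5"
NAME="ubuntu--vg-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="sda5_crypt"
NAME="ubuntu--vg-swap_1" TYPE="lvm" MOUNTPOINT="[SWAP]" PKNAME="sda5_crypt"
NAME="ubuntu--vg-home" TYPE="lvm" MOUNTPOINT="/home" PKNAME="sda5_crypt"
NAME="sr0" TYPE="rom" MOUNTPOINT="" PKNAME=""
"""

def parse_lsblk_pairs(text):
    """Turn `lsblk -P` key="value" lines into {device name: {column: value}}."""
    devices = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in shlex.split(line))
        devices[fields["NAME"]] = fields
    return devices

def is_under_dm_crypt(devices, name):
    """Walk the PKNAME (parent) chain; True if the device or any ancestor is a crypt mapping."""
    seen = set()
    while name and name not in seen:   # `seen` guards against a malformed cycle
        seen.add(name)
        dev = devices.get(name)
        if dev is None:
            return False
        if dev["TYPE"] == "crypt":
            return True
        name = dev["PKNAME"]
    return False

def encryption_by_mountpoint(text):
    """Map every mounted filesystem (and swap) to whether it sits on dm-crypt."""
    devices = parse_lsblk_pairs(text)
    return {d["MOUNTPOINT"]: is_under_dm_crypt(devices, n)
            for n, d in devices.items() if d["MOUNTPOINT"]}

def plaintext_mounts(text):
    """Mount points readable without the passphrase; expect exactly ['/boot'] after an encrypted-LVM install."""
    return sorted(m for m, enc in encryption_by_mountpoint(text).items() if not enc)

if __name__ == "__main__":
    # Pipe real output in (`lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME | python3 check.py`) or fall back to the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LSBLK
    for mnt, enc in sorted(encryption_by_mountpoint(text).items()):
        print(f"{mnt:10} {'encrypted (dm-crypt)' if enc else 'PLAINTEXT'}")
```

Anything other than /boot showing up as PLAINTEXT means that filesystem was not placed inside the LUKS volume and is readable without the passphrase.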
I understood that "on-the-fly encryption" (OTFE) meant data was encrypted first, then written to your system. So basically it's encrypting everything in real time while it's being written to your system, so that nothing is ever temporarily unencrypted. Whereas other methods decrypt your drive when you input the password or key file, and then the system is unencrypted until you power down your computer? Am I wrong?