How do I encrypt Ubuntu system partitions without encrypting the whole drive?

[HermanAB]

Howdy,

With Linux, any configuration that you can think of is possible. However, there are a few things to think about though:
The reason for encrypting a disk is to protect data at rest - when the computer is switched off - it provides no security while the computer is running.
The reason for protecting data at rest, is to protect your data after the machine was stolen and the disk is flogged off on Ebay.
That happened to me once already. Fortunately the machine was encrypted.

Leaving parts of the disk unencrypted, makes it easier to attack the machine, by providing space where an Evil Maid can gain a foot hold and install programs to subvert it. It also provides space where important information can leak to inadvertently and that information then has no protection.

Attacks only get better over time and there is little you can do to plan for attacks that were not invented yet. In general, the more encryption you use and the longer your passwords, the better your system security will be. Also bear in mind that encryption doesn't slow the machine down (about 3% only), since the processor has special instructions to make encryption efficient.

If you are thinking: "There is only $100 in my bank account, so it doesn't matter":
An evil comp sci student can get a credit card in your name, buy a car, sell your house and run away with the money while you are on holiday, etc...

These are all real problems that people have run into, so you really cannot be paranoid enough.

[Paddy Landau]

I sent a private message similar to this to Paddy Landau…

And here I am!

… after the machine was stolen and the disk is flogged off on Ebay. That happened to me once already.

Gah, that sounds awful!

I tend to agree — you should leave your partition unencrypted only if you have to. If you're using NTFS, it probably means that you need to connect to Windows. I recommend VeraCrypt to encrypt the NTFS partition, because VeraCrypt is open source, independently verified, cross-platform, and easy to use once you've learned it. If you choose to use VeraCrypt, please consider donating to the project.

So, to the next point:

The instructions are currently in a state of flux as I rewrite them for some of Ubuntu 18.04's new functions. I hope to finish it soon, but long-term illness is slowing me down. Right at the top of the instructions is a message that says, "This message will be removed once the changes are complete." Please wait until then.

Once they are finished, simply follow the instructions. Here are some specific points for you.

• Running from an external drive means that you will be able to boot onto any computer (unless it has been locked down), not just your own — although it would have to be UEFI-compatible. Nice and portable!
• If you have an older computer, consider using Lubuntu instead of Ubuntu.
• As you will be booting from both your internal disk and your external disk, you'll actually need two ESPs (EFI System Partitions).
  
  • The first ESP already exists on your hard drive — leave it alone!
  • The second ESP will go onto your external hard drive. When you follow the instructions, create an ESP on the external drive. If you have enough space, make it the full 550MiB.
  
  
• Create the second partition being enough to fit your boot and system. Unless you want to hibernate your external drive (which might not work!), you don't have to worry about swap.
• Create and format the third partition for your NTFS (while using GPartEd), but don't include it when you encrypt the drive.
• When you follow the instructions to install Ubuntu (or Lubuntu), when you select the bootloader, be sure to choose your external drive and not your internal drive. Your external drive will probably be /dev/sdb, but you'll have to check.
• Once everything is working properly, install VeraCrypt on both your Ubuntu system and your Windows system. Once installed, encrypt the NTFS partition with VeraCrypt.
• Finally, test that you can read and write files on the encrypted NTFS in both Windows and Ubuntu.

I hope that this helps!

Thank you for your patience while I update the documentation.

[mikeubu2]

No worries, take the time that you need. The following point above clarified a good bit given my scenario is a little different...

As you will be booting from both your internal disk and your external disk, you'll actually need two ESPs (EFI System Partitions).
The first ESP already exists on your hard drive — leave it alone!
The second ESP will go onto your external hard drive. When you follow the instructions, create an ESP on the external drive. If you have enough space, make it the full 550MiB.

Having everything on the external drive will certainly help me, being able to boot Linux wherever I go is one of the reasons I'm going with having everything on the external drive.

I'm happy to wait for the tutorial, the one thing I'd want to do now if I need to hold off on the OS encryption/installation is to be able to go forward with creating the large NTFS partition at the end of the external drive now so that I can start to use it. With the moving preparations I have coming up in about a week I've been wanting to get at least that part out of the way because I have a lot to copy to it due to only having one copy of all my family photos, videos, music, movies, and writings. I always keep two or more copies of all of my data but only have the money to have the bulk of it copied twice. One of those external hard drives for my second backup recently failed completely which is why I have a new external 5tb drive ready to use. Assuming my other external hard drive fails I'd lose the only remaining copy of most of my data which is why it's important I create the very large NTFS partition at the end of the new drive soon. As long as that won't interfere with the installation and encryption of Ubuntu down the road.

I'm planning on wiping the clean installation I have on the new drive now so I can leave about 100 to 150GB of free space at the beginning of the external drive, which is a little more space than how I set up unencrypted Ubuntu initially to test out the full version. If anybody knows if that'd be okay and not interfere with the installation it would help a great deal.

As far as encrypting the NTFS partition goes, I always just created an encrypted image on the unencrypted partition with Veracrypt for any important information, then I would encrypt the OS, but I suppose I could consider just encrypting the whole NTFS partition as well so that nothing is unencrypted. The lazy part of me didn't want to have to type in an additional password to deal with general data but change isn't a bad thing either.

Hope you get feeling better Paddy, that sounds rough man, thanks for your help and down the road when you're in a better spot and have wrapped up what you're doing, check in here again if you want, no worries if not though. I'm hoping enough of what you're writing in your tutorial applies to this scenario not to have to do guesswork. What I'll likely do if I can't get it done or need help is come back here and make a list of everything I did step by step to see if anyone can point out where I'm messing up.

[Paddy Landau]

… go forward with creating the large NTFS partition at the end of the external drive now so that I can start to use it.

You can absolutely create the NTFS partition right now, and it doesn't matter whether it's at the front or back of the physical disk. Just be sure to leave enough space for the following:

• You won't need swap as you won't want to hibernate from your external drive.
• The ESP (½Gb)
• System partition: 30Gb recommended to fit everything apart from things like video collections, so make it big enough to fit everything that you want.

I don't think that you should have a separate data partition.

Remember that the NTFS partition won't be encrypted unless you use something like VeraCrypt.

[mikeubu2]

You can absolutely create the NTFS partition right now, and it doesn't matter whether it's at the front or back of the physical disk. Just be sure to leave enough space for the following:

• You won't need swap as you won't want to hibernate from your external drive.
• The ESP (½Gb)
• System partition: 30Gb recommended to fit everything apart from things like video collections, so make it big enough to fit everything that you want.

I don't think that you should have a separate data partition.

Remember that the NTFS partition won't be encrypted unless you use something like VeraCrypt.

Got it, thanks again, Paddy. Funny thing is that I used to be very tech savvy. I still can be but years back I dabbled in game design and created my own 3D worlds and knew enough about scripting and animation to make an environment the user could interact with. Granted I was using open source graphical engines I didn't create and photoshop but that stuff got complicated. It's just that things change fast and I can be slow to catch on. Windows command prompt, and originally DOS, I understood enough to do a number of things but technology is always evolving, being out of the loop for a while will leave some people in the dust if they let it.

I'll be seeing what I can do to get Linux familiarized some though.

[Paddy Landau]

Thank you for your patience. It's all ready now, so please check the new MFSE thread.