Full-Disk Encryption On Non-Standard Builds

Everyone should be aware that laptops (at the very least) should be setup for full-disk encryption. This is to ensure that any laptops that go missing – stolen or lost – are not causes for potential leakage of restricted data. Or indeed that nobody can steal your invaluable research data – whether it is formally restricted data or not.

If any doubt, then encrypt.

Standard laptops are supplied with a standard build with full-disk encryption enabled, but there are always some who have a need for non-standard builds. Either Linux or OSX users in particular.

As I happen to have both available, I thought I would describe how to go about enabling full-disk encryption and what the experience is like.

The first thing to overcome is the belief that encryption will make a laptop unusable in terms of performance. It is true that encryption slows down performance, but modern laptops are sufficiently fast that unless you are performing benchmarks, you are unlikely to notice the difference.

OSX

This section applies to supported versions of OSX – 10.8 and 10.7; if you are using another version it is time to upgrade as you are not supposed to connect unsupported operating system releases to our network.

The process of enabling encryption :-

  1. Can be used to encrypt a disk already in use.
  2. Is easy to start.
  3. Carries on in the background.

The only “gotcha” is that you need to restart the machine to start the process, so it may be best to start first thing in the morning. It is also worth bearing in mind that it is not safe to leave your laptop behind on the train until the encryption process has finished!

The process is started by starting the “System Preferences” application (which is usually found in the Dock). Once that has started and is showing the usual array of icons, click the padlock button so that you can make changes. You will be asked for your account password, and once activated additional options will be available.

Select “Security & Privacy” which is usually in the top row. Once the screen changes, select the “FileVault” tab. This then gives you the option to encrypt your disk (labelled “Turn On”).

Linux

Unfortunately with Linux (or rather Ubuntu), the only option without going to extremes seems to be to setup encryption during the installation process, although this suggestion looks to be feasible. Both that suggestion, and the default Ubuntu installation process give you the option of encrypting your “home” folder.

Whilst this is certainly better than nothing, it is not total protection. Whilst most of your personal data will be encrypted, some may “leak” into other places – such as the /var/tmp/ directory. To be cautious it is best to rely on pseudo full-disk encryption, which has the bonus that it seems to work better!

If you can re-install Linux (and if you cannot, you may wish to investigate as to why and resolve the issue), then that is the recommended approach. The first step is to download an appropriate CD/USB-stick to install. The default graphical installer does not have the option to create an encrypted install, so you will have to resort to the alternate text-based installer.

Ubuntu encourages you to download the standard installer by making it less obvious that there is an alternate installer. The trick is to go directly to the right download page (here), select the release you want, and finally select the type of installer you want – here you want “alternative”. Despite being text-based, the alternate installer is almost as easy as the main installer, and offers additional options.

The installer is fairly simple to follow, and this is not the place to detail how to install Ubuntu using the alternate installer. A guide is available here, but it may be going a little too far for those who are not “Rationally Paranoid” (which is the name of the site). The key questions to answer with appropriate answers are :-

  1. “Encrypt your home directory”: No. As we are going to select an alternative method of encryption, this is unnecessary.
  2. In the partitioning section, select “Guided – use entire disk and set up encrypted LVM”. This will erase your entire hard disk including any Windows partitions. If you wish to retain your Windows partitions, then you will need to try partitioning method.

Shortly after configuring the partitioning, you will be asked for the encryption passphrase. This should be written down in a safe location.

If this all sounds a bit technical, it is worth trying out the installation with a virtual machine (such as VirtualBox); which is of course how I wrote this section.

Don’t Forget Your Manager!

Finally if the laptop is a University laptop, you should really let your line manager have a copy of the encryption passphrase so that any information belonging to the University can be obtained from your laptop in case you go missing – hopefully a lottery win disaster!

This entry was posted in Uncategorized. Bookmark the permalink.