sungate.co.uk


Ramblings about stuff

The Laptop: A New Era

A reinstallation of my laptop at the weekend allowed me to test out an encrypted installation. The point of an encrypted installation is to require a passphrase to be entered at boot-up in order to transparently decrypt the rest of the system. This means that if the laptop is lost or stolen, none of my information or personal details will be at risk. Note that this is not the same as simply requiring a password to log in: the whole filesystem (except for a small unencrypted boot partition) is actively encrypted.

Using the Alternate Install CD of a pre-release of Ubuntu 8.04 (“Hardy Heron”), an “encrypted LVM” configuration is available directly as part of the installation. This creates two partitions: the first is a boot partition which is unencrypted, allowing the system to actually start and prompt for a passphrase; the second is encrypted and contains the rest of the system. The passphrase that is prompted for is used to decrypt the second partition. It seems to work cleanly enough.

I’ve heard some express concern that an encrypted system would perform sluggishly because of the continual encryption and decryption: I’ve not seen that at all. In fact, I’ve found the opposite: performance seems somewhat better than before. This may simply be the Brand New Clean System Effect (i.e. it’s running smoothly because the system hasn’t had a chance to get cluttered yet) or perhaps there’s some cunning caching or compression in place. The laptop has a dual-core CPU, which may help, of course.

The only drawback with the Install Encrypted LVM From The Alternate Ubuntu Install CD approach is that it uses an encryption key based directly on the passphrase you provide. This means that you cannot change the passphrase without a complete reinstall. A different approach would encrypt the partition using a stored key, with that stored key protected by a passphrase: this allows more flexible passphrase management, such as changing the passphrase or adding additional passphrases without needing to reinstall. This second approach can be done using LUKS, but the Ubuntu Install doesn’t use that. I found a HOWTO guide explaining how to hack this together, but it didn’t seem to work, which is a shame.
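The two key-management approaches contrasted above, as an added sketch that is not from the original post, the Ubuntu installer or LUKS itself. The names `direct_key` and `Header`, the XOR wrap and the iteration count are assumptions chosen for illustration; this is a toy model of passphrase slots, not the LUKS on-disk format.

```python
import hashlib
import hmac
import os

ITERATIONS = 20_000  # constructed value for the demo; real headers store a tuned count

def _kdf(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS, dklen=32)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def direct_key(passphrase: str) -> bytes:
    """Approach 1: the volume key is a pure function of the passphrase,
    so a new passphrase means a new key and re-encrypting everything."""
    return hashlib.sha256(passphrase.encode()).digest()

class Header:
    """Approach 2: a random master key, wrapped once per passphrase slot."""

    def __init__(self, passphrase: str):
        master = os.urandom(32)
        self.mk_salt = os.urandom(16)
        self.mk_digest = _kdf(master, self.mk_salt)  # lets unlock() recognise the right key
        self.slots = []
        self._add(master, passphrase)

    def _add(self, master: bytes, passphrase: str) -> None:
        salt = os.urandom(16)
        kek = _kdf(passphrase.encode(), salt)         # key-encryption key for this slot
        self.slots.append((salt, _xor(master, kek)))  # toy wrap; a real header uses a cipher

    def unlock(self, passphrase: str) -> bytes:
        for salt, wrapped in self.slots:
            candidate = _xor(wrapped, _kdf(passphrase.encode(), salt))
            if hmac.compare_digest(_kdf(candidate, self.mk_salt), self.mk_digest):
                return candidate
        raise ValueError("no key slot matches this passphrase")

    def add_passphrase(self, existing: str, new: str) -> None:
        self._add(self.unlock(existing), new)

    def change_passphrase(self, old: str, new: str) -> None:
        master = self.unlock(old)
        # Drop only the slot that `old` opens; the encrypted data is never touched.
        self.slots = [(s, w) for s, w in self.slots
                      if not hmac.compare_digest(_xor(w, _kdf(old.encode(), s)), master)]
        self._add(master, new)
```

Because the master key itself never changes in the second approach, a copy of the header taken before a passphrase change can still be unlocked with the old passphrase.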

All done, all sorted. 🙂