How-To Geek

How to Secure Your Linux PC by Encrypting Your Hard Drive

There’s bound to be data on your computer that you want to protect from hackers, nosy friends, or curious colleagues. Encrypting your computer drive protects you from intruders, and here are a couple of different ways to secure your data.

For today’s lesson we’ll show you how to secure data by encrypting a partition, a folder, and also how to create a hidden volume with TrueCrypt.

Image by xkcd, obviously.

Encrypting a Partition

Ubuntu’s alternate CD installation wizard gives us an option to encrypt our Ubuntu installation partition, so you’ll want to burn the ISO file into a live disk or create a bootable USB drive and install Ubuntu with it.

Ubuntu’s alternate installation menu is very similar to the standard Ubuntu installation menu. The installation wizard will ask you to choose your language, keyboard, and network. The most important step is the partitioning method, where we need to choose the ‘Guided – use entire disk and set up encrypted LVM’ option to encrypt our entire hard disk.

Please note that we have to provide a ‘Master’ and not ‘Slave’ empty hard drive for the installation.

The installation wizard will ask you to specify a passphrase that you will use to decrypt your hard drive when you log in to Ubuntu.

The encryption wizard will also encrypt your ‘home’ folder, in case we place our ‘home’ folder outside the Ubuntu installation partition.

That’s it! Follow the rest of the installation steps and the wizard will install Ubuntu on top of an encrypted partition.

Encrypting a Folder

eCryptfs is a cryptographic file system based on PGP, which was created by Philip Zimmermann in 1991. The great thing about eCryptfs compared to other encryption systems, such as TrueCrypt, is that we do not need to pre-allocate a certain amount of disk space that we want to encrypt.

We can easily install eCryptfs by executing the following command in the console:

sudo aptitude install ecryptfs-utils

eCryptfs creates a ‘private’ directory on your local drive, and encrypts any files that we store in it.

ecryptfs-setup-private

Note: this will set up a hidden private directory: ~/.Private

We should store our sensitive data in the ‘private’ directory to make sure that attackers will not be able to get our data easily. eCryptfs will hide any files that we store in the private folder when it is not mounted.

The private directory is automatically mounted when we log in to our account. This creates an opportunity for another person to gain access to the private folder when the user leaves the computer. One way to mitigate this problem is to stop eCryptfs from unlocking the private folder at login by removing the empty file auto-mount, which is located in ~/.ecryptfs/, and to unmount the directory when we’re not using our computer.

ecryptfs-umount-private
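
The mitigation above as a small script, added here as an example and not part of the original article: it reports whether the private directory is currently unlocked and whether it will unlock at login, then removes the auto-mount marker and unmounts. The function names are hypothetical, and it assumes the default mount point ~/Private and a home path without spaces.

```shell
#!/bin/sh
# Added example (not from the original article): report the exposure state of
# an eCryptfs private directory and apply the article's mitigation.
# Assumptions: default mount point "$HOME/Private", home path without spaces.

# private_state HOME_DIR [MOUNTS_FILE]
# Prints: not-configured, locked, locked-automount, mounted or mounted-automount
private_state() {
    home_dir=$1
    mounts=${2:-/proc/mounts}
    [ -d "$home_dir/.ecryptfs" ] || { echo not-configured; return 0; }

    state=locked
    # /proc/mounts fields: source, mount point, file system type, options, ...
    if awk -v mp="$home_dir/Private" \
        '$2 == mp && $3 == "ecryptfs" { found = 1 } END { exit !found }' "$mounts"
    then
        state=mounted
    fi
    # The empty marker file makes login unlock the directory automatically.
    [ -e "$home_dir/.ecryptfs/auto-mount" ] && state="$state-automount"
    echo "$state"
}

# disable_automount HOME_DIR: remove the marker so login no longer unlocks it.
disable_automount() {
    rm -f -- "$1/.ecryptfs/auto-mount"
}

# Only act when run with the argument "apply", so sourcing has no side effects.
if [ "${1:-}" = "apply" ]; then
    disable_automount "$HOME"
    case $(private_state "$HOME") in
        mounted*) ecryptfs-umount-private ;;
    esac
    private_state "$HOME"
fi
```

Run with `apply`, the script should end by printing `locked`; any other state means the directory is still readable by whoever sits down at the session.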

Creating a Hidden Encrypted Volume

TrueCrypt is a free Open Source disk encryption utility that works with Windows, Mac, and Linux. It provides on-the-fly encryption and after the drive is encrypted you can continue to use everything like you normally would.

You can download TrueCrypt as an Ubuntu deb file from its website. Once downloaded, unpack the archive and double-click on the installer to run the setup. After installation, you will find TrueCrypt at the menu location: Applications > Accessories > TrueCrypt.

Start by creating a volume that we want to encrypt.

A TrueCrypt volume can reside in a file (also called a container), in a partition, or in a drive.

TrueCrypt gives us an option to create a hidden encrypted volume inside another TrueCrypt encrypted volume.

You should copy sensitive-looking files that you do not want to hide to the outer volume. These files act as a decoy when people force you to reveal the outer volume password. You should store files that you REALLY want to hide inside the hidden volume, and you should never reveal the encrypted hidden volume.

Image By TrueCrypt

Now you have to choose the name of the volume file and the location where you want to store the volume file. A new file will be created. If you choose an existing file, it will be overwritten. So give a unique name for your TrueCrypt volume file.

You can choose different levels of encryption. There are several types to choose from and each has its unique qualities…but for most users you will be fine with AES.

Set the volume size and make sure you provide enough space for non-encrypted volume space.

TrueCrypt advises us to use at least 20 characters for our password. Choose a password that is easy to remember and not easy to guess.

Move your mouse as randomly as possible within the Volume Creation Wizard window at least for 30 seconds. The longer you move the mouse, the better. This significantly increases the cryptographic strength of the encryption keys (which increases security).

TrueCrypt will automatically mount the encrypted drive as a virtual encrypted disk.

Now we shall set up the hidden volume.

Choose a suitable hard drive format for the hidden volume.

We have the option to make this hidden volume compatible with other platforms.

Encryption is just one level of securing the data on our PC. We should also consider installing other security software, such as a virus scanner or firewall, to protect us from viruses and intruders when we’re online.

Zainul spends his time trying to make technology more productive, whether it’s Microsoft Office applications, or learning to use web applications to save time.

  • Published 10/28/10

Comments (6)

  1. Abhishek K. Pandey

    Which Truecrypt version are you using? That looks completely different from mine. I think it’s either a skin (I don’t know whether they have one or not) or Truecrypt for Ubuntu.
    I have been using Truecrypt for over one year now, and will say that it’s actually amazing. And it also has a solution if someone wants to get your password forcefully, as seen in the cartoon above. ;-)

  2. at0mic

    The newest version of truecrypt seems a little more stable. I used to have to use the repair disk sometimes to get the password working again. I encrypt all my hard drives just in case any of my computers get stolen. Anyone with a notebook should use this. You don’t have to overdo the encryption process or you could be waiting a few days for the process to complete depending on the size of the hard drive.

  3. asdf-chan

    @OP
    - we also need to consider to install other security software such as virus scanner or firewall to protect us from viruses and intruders when we’re online. -

    Virus scanners are not needed when you know what you do, how to solve stuff and where to browse. Also you do not install simple firewalls on some desktop computers, you get a hardware firewall (mostly a router) and have your own minimal machine to keep intruders and bad packages away.

    It would be nice to talk about dmcrypt/cryptsetup/luks and posting some benchmarks of which algorithm is faster and/or is “more” secure (AES vs Serpent vs Twofish) and using kernel options for TPM. Just a suggestion

  4. Zainul Franciscus

    @asdf-chan thank you for the comment. We are working on an encryption article : “What is Encryption and How Does It Work?” =) So keep an eye out for our news feed

  5. Danny

    @How-To-Geek

    I’ve had problems mounting/dismounting Truecrypt encrypted volumes in Linux (Mint). Sometimes TC would refuse to dismount a volume, other times it would refuse to mount (and claim that it is already mounted). I’ve read temporary fixes via google but the problems still show up now and then. By contrast, TC in Windows is much more pleasant experience, and I’ve been using it since v4.1.

    @asdf-chan

    You can install Truecrypt in Linux and use its built-in benchmarking tool. In general, AES would be slightly faster than Twofish, and both are much faster than Serpent. I use AES in all my external drives, but Twofish in my Acer netbook (which for some reason benchmarked better than AES).

    As to which is more secure, it depends on your threat model. As the cartoon above shows, it is much easier for a bad guy to break your kneecaps to force a password confession than it is to break any of the modern ciphers. Even an older cipher like 3DES or Blowfish would give adequate protection, as long as you know their limitations (e.g. 64bit-block ciphers must not encrypt containers more than 32GB or it will be susceptible to birthday attacks). Plus, they would rather crack the password than the cipher itself.

    If you’re just hiding stuff from your spouse, room mate, nosy office mates, etc., then a hidden folder or a ROT13 encryption would be adequate protection. :p

  6. asdf-chan

    @Danny

    ROT13 in my office? *lol* If anybody gets on my company computer they would crack ROT13 pretty fast (working in an IT company).
    Twofish < AES < Serpent, also in general benchmark testing, I just wanted to point that out if anyone of the htg's might write another more specific article about encryption, which they seem to be doing in future :)

    I am not a fan of installing x86~ test branch (Truecrypt as an example) on Gentoo, I rather stick to luks since it is compatible with TPM while Truecrypt is still not.
