Linux full system encryption
- The first step is to choose manual partitioning of the hard disk in the installer.
- Here the first partition to create is “/boot”, using a normal unencrypted file system such as ext3. It has to stay unencrypted because the bootloader reads the kernel and the initramfs (which contains the code that asks for the passphrase) from it before anything can be decrypted.
- The whole rest of the hard disk is used for the second partition. Here the type to choose is not a file system such as ext3, but “physical volume for encryption”.
- Now, in the main menu of the partitioner, the new option “Configure encrypted volumes” is selected. Here the passphrase for the 2nd partition is defined, and the partition is set up as an encrypted (LUKS) volume.
- By default the new encrypted volume appears as ext3 in the main partitioning menu. This has to be changed from ext3 to “physical volume for LVM”, the Logical Volume Manager.
- Another new menu entry then appears in the main window of the partition manager: “Configure the Logical Volume Manager”.
- Here a new volume group has to be created on top of the encrypted 2nd partition set up just before. Within this volume group different logical volumes can be created, for example the Linux root volume “/”, “/home” and “swap”.
- It is important that the logical volumes are created in decreasing order of size (the biggest first, the smallest last); otherwise the installer shows an error.
- After creating the logical volumes, they appear in the main menu of the partitioner and can be formatted with the preferred file system (e.g. ext3, or swap for the swap volume).
From here on the installation of the Linux system is “business as usual”.
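The same layout can be built from a rescue shell with cryptsetup and the LVM tools, which is useful for understanding what the installer does and for repairing such a system later. The script below is an added example and not part of the original page or of any installer; the disk name, the msdos partition table, the 512 MiB /boot, the volume group name and the logical volume sizes are assumptions. It defaults to a dry run that only prints the commands; run it as root with DRY_RUN=0 to execute, which wipes the disk named in DISK. The logical volumes are sorted largest-first before creation, following the ordering rule from the steps above.

```shell
#!/bin/sh
# Added example (not from the original page): command-line equivalent of the
# installer steps. DISK, the msdos label, the /boot size, VG and the LV sizes
# are assumptions. Dry run by default; DRY_RUN=0 executes and WIPES $DISK.
set -eu

DISK="${DISK:-/dev/sdX}"         # assumption: the whole disk to install on
BOOT_PART="${DISK}1"             # 1st partition: unencrypted /boot
CRYPT_PART="${DISK}2"            # 2nd partition: LUKS container for LVM
MAPPER="cryptlvm"                # name of the opened container under /dev/mapper
VG="${VG:-vg0}"                  # assumption: volume group name
DRY_RUN="${DRY_RUN:-1}"

# Logical volumes as name:size pairs; the order here does not matter because
# they are sorted largest-first before creation (the installer's rule).
LVS="swap:2G root:10G home:20G"

# Print the command in a dry run, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Convert an LVM size (K/M/G/T suffix, M if none) to MiB for comparison.
to_mib() {
    n=${1%[KkMmGgTt]}
    case "$1" in
        *[Kk]) echo $((n / 1024)) ;;
        *[Gg]) echo $((n * 1024)) ;;
        *[Tt]) echo $((n * 1024 * 1024)) ;;
        *)     echo "$n" ;;
    esac
}

# Emit the name:size pairs largest first, the order lvcreate must run in.
sort_lvs_by_size() {
    for spec in $1; do
        printf '%s %s\n' "$(to_mib "${spec#*:}")" "$spec"
    done | sort -rn | cut -d' ' -f2 | tr '\n' ' ' | sed 's/ $//'
}

setup() {
    # Partition table: a small /boot and the rest for the encrypted container
    # (assumption: msdos label and a 512 MiB /boot).
    run parted -s "$DISK" mklabel msdos \
        mkpart primary ext3 1MiB 513MiB \
        mkpart primary 513MiB 100%
    run mkfs.ext3 -L boot "$BOOT_PART"

    # "Physical volume for encryption": LUKS-format the 2nd partition
    # (prompts for the passphrase) and open it.
    run cryptsetup luksFormat "$CRYPT_PART"
    run cryptsetup open "$CRYPT_PART" "$MAPPER"

    # The opened container becomes the LVM physical volume; the volume group
    # and the logical volumes (largest first) live inside it.
    run pvcreate "/dev/mapper/$MAPPER"
    run vgcreate "$VG" "/dev/mapper/$MAPPER"
    for spec in $(sort_lvs_by_size "$LVS"); do
        run lvcreate -L "${spec#*:}" -n "${spec%%:*}" "$VG"
    done

    # File systems on the logical volumes.
    run mkfs.ext3 -L root "/dev/$VG/root"
    run mkfs.ext3 -L home "/dev/$VG/home"
    run mkswap "/dev/$VG/swap"
}

# Check: the raw disk shows only the partition table, /boot and a LUKS header;
# the LVM layout is visible only while the container is open.
verify() {
    run cryptsetup isLuks "$CRYPT_PART"
    run lsblk -o NAME,TYPE,FSTYPE,SIZE "$DISK"
}

setup
verify
```

After `cryptsetup close cryptlvm` the `lsblk` output shows the two partitions but nothing below the second one; the volume group and its logical volumes only reappear once the container is opened with the passphrase.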
In addition to the usual advantages of LVM, an attacker who obtains the disk cannot see the volume layout: the LVM metadata, and with it the names and sizes of the logical volumes (including swap), lives inside the encrypted physical volume. The partition table itself is not hidden, however; anyone can see that the disk holds a small unencrypted /boot partition and a large LUKS container.
In general TrueCrypt and LUKS are software-based encryption methods and are not immune to attacks: the key is held in RAM while the system is running or suspended, so memory extraction attacks can reach it, and the unencrypted /boot partition can be tampered with by anyone with physical access, for example to capture the passphrase at the next boot. Hardware encryption, where the ciphering and the storage of the keys happen in a dedicated chip, keeps the key out of host memory and is the stronger option, but it does not close the /boot problem, and its implementation cannot be inspected from the host, so it has to be trusted rather than verified.