Let’s have a look at whole disk encryption
Why Encrypt you drive? See this previous article on encrypting your laptop
The easiest time to set drive encryption, is when you are installing your Linux Operating System. I am not going into the whole Linux installation process and options here, I am just looking at the part of the process regarding whole drive encryption, and specifically on Ubuntu 20.04
Encrypting The Drive at Installation
When you are installing your Linux distribution, you need to answer various questions. These questions vary with the distribution and the installer used. This is an example of when and how you can encrypt your whole drive when installing Ubuntu 20.04.
Encrypting the drive at this stage is simple, just a couple of clicks and a passphrase.
Erase Everything & Advanced Features
When you get to the part of the installation that asks you how you want to format and split up your drive, tell it that you want to erase everything and install Linux.
Caution This really will wipe out everything on your drive, if you are dual booting, do not do this - seriously don’t, as it will destroy “Everything” that exists on the drive.
Then click on the “Advanced Features” button.
Advanced Features - LVM & Encrypt
When the Advanced Features window pops up, select “Use LVM” and “Encrypt”
You are telling the installer that you want to use the entire drive for this installation and to use LVM (Logical Volume Management). LVM means that you don’t have to think about partitions, it will work it out for you. Actually LVM has some other nice features too, but that is not for this article. Plus you want the entire disk to be encrypted.
Once you have done that, click the ‘OK’ button and then ‘Install Now’.
You will then be asked to choose a security key. Don’t panic, this isn’t complicated. They mean, tell the installed what Passphrase you want to use. None of those silly passwords like your daughter’s name and year of birth, it needs to be strong. In fact, you will be told if it is strong or not when you type it in.
Strong Passphrases will be long, have upper and lower case letters, numbers and special characters, oh and you must be able to remember it. No computer show will be able to get you in if you forget this, that’s the point of this sort of encryption.
Type it twice just to be sure you typed it correctly - do not try to copy and paste!
The installation will proceed as usual now. You won’t notice any difference until you re-boot, then you will be asked for the security passphrase - if you don’t know it, then the drive will stay encrypted and you won’t be able to do anything other than format everything and start again.
Oh, and don’t use the same phrase for encryption as you use to log in to your account - these things are supposed to be secure you know!
But, Are You Secure?
As I mentioned in a previous article, whole disk encryption is only secure if you power off your computer each time you are finished a session. The encryption is unlocked early in the boot process, so if you just close the laptop lid when you are finished, that doesn’t power off the machine, and the drive is still unlocked. All that is needed is your login password - not so secure.
Too Much Trouble?
If this is too much bother for you and you only need to keep a certain number of files secure, then there is an alternative - encrypt a directory and put your sensitive files in there. Some distributions have this facility already built-in, for everyone else, it is still possible.
Personally, I have full drive encryption on my laptop, not my desktop. Though all sensitive files anywhere on my computers are in an encrypted directory. It doesn’t matter if they are on my laptop, desktop pc or back-up storage - they are encrypted.