Score:1

Encrypting a partition that shouldn't be accessible on live boot

ai flag

I am not sure what keywords I need in googling, but this article gave me some hope on doing what I want. I'd like to give a run down of my current state, and what my goal state is, and see if this article is what I need to follow to get there. Involving disk formatting and encryption, I don't want to just jump into it blindly and end up losing all my files.

https://computingforgeeks.com/encrypt-ubuntu-debian-disk-partition-using-cryptsetup/

Background is I am a long time Windows user. I had assumed with their use of a password and BitLocker and such that this meant a password was needed to access files. Sounds reasonable, right?

Well, I now have a system with dual boot. Ubuntu 22.04 LTS and Win 11. I have partitions set up to have A) shared volumes for Windows and Ubuntu, B) Ubuntu only volume (using simply ext4 formatting to prevent Windows reading it), and C) Windows "only" volume (which Ubuntu can read just fine).

I casually came across some article that mentioned a live disk of Ubuntu can reveal all your files. I tested it, and yep, I can dig into stuff like Firefox browsing history and all my media taken from the high seas. No need to provide a password to log in to my permanent Ubuntu profile and see all its files.

Going through full disk encryption for a dual boot setup sounds tricky, but still all the same what I should have done from the get-go. Amazed no articles mentioned it in beginner tutorials. So rather than start from scratch, I want to at least get one partition encrypted to put my more sensitive media.

Will the aforementioned article work if I want to say format and split the shared partition into two partitions; one maintaining the original purpose of shared media and the other becoming encrypted and requiring a password to mount and access?

Are there any steps I need to skip because those steps would overwrite any other partition?

And will that in essence prevent a liveboot USB of Ubuntu from accessing that partition (unless it downloads cryptsetup and then provide a password to decrypt the partition)?

sudodus avatar
jp flag
Maybe the easiest and safest method is to use Ubuntu's installer's standard method to create a system using LVM with LUKS encryption. In the basic case this grabs the whole drive which is not what you want. But you can use it if you let one system be host and one system guest in a virtual machine. You can let either Ubuntu or Windows be the host and let the other system be the guest or the other way around. It is a good idea to let the system you intend to use most of the time be host (the main system).
user535733 avatar
cn flag
"*Amazed no articles mentioned it in beginner tutorials*" dual-boot encryption seems an advanced (not beginner) topic. The risk of data loss is high, and the learning concepts are not exactly intuitive for beginners.
Score:3
ar flag

Backup! Backup!! Backup!!!

Make 3 backups of all your important data, photos, tax information, etc. before you do anything. Selecting the wrong partition by mistake will delete everything in it.

Answers

> Will the aforementioned article work if I want to say format and split the shared partition into two partitions; one maintaining the original purpose of shared media and the other becoming encrypted and requiring a password to mount and access?

Yes. It should work.

> Are there any steps I need to skip because those steps would overwrite any other partition?

Note, Step 2 Format Disk Partition as LUKS uses the whole disk `/dev/sda`. If you do that, you will lose all the partitions and the data on that disk. That is, you will lose the Windows, Ubuntu and the shared partition as well as any system and recovery partitions.

You have to determine which one is your newly created partition. Say your shared partition is `/dev/sda7`. You shrink it and create a new ext4 partition. I will call this new partition `/dev/sda11`. Your new partition will be numbered differently. You have to make sure you use the correct partition number. I would use:

```
sudo cryptsetup luksFormat /dev/sda11
```

A mistake will overwrite the wrong partition. See above about backing up your data.

If you have an NVMe SSD your partitions will have names something like `/dev/nvme0n1p11`.

I recommend you just complete steps 1, 2, and 3. Skip the rest. That way the encrypted drive will not be auto mounted. You will be able to mount it when you need with a click of an icon and by entering the passphrase when prompted.

You should see something like this on your desktop:

[image]

When you click on it, you will be prompted for the passphrase:

[image]

Step 6 creates and saves a key file to decrypt the partition. This key file, called the volume-key in the tutorial, will be stored in the `/boot/` folder of your Ubuntu system partition. Someone with skills may be able to get the key using a live USB and get into your partition.

> And will that in essence prevent a liveboot USB of Ubuntu from accessing that partition?

Yes. The data in the encrypted partition will be safe.

Hope this helps

Tim50001 avatar
ai flag
This is wonderfully helpful. I followed advice on backups and all. But I managed to go off script at some point - the icon for the partition with the lock icon disappeared from the taskbar at some point. So I tried to take things from the top and just format the partition again. I noticed I could set a password protection from the Disks utility when creating the new partition. This is throwing the same PW prompt your reply says is the end result. Disks says it's an encrypted volume. Did I manage to do what I needed via Disks GUI? I didn't notice the option for PW before installing cryptsetup.
ar flag
@Tim50001 Thanks. You are about using Disks to encrypt the partition. It uses the same LUKS. See [this how to](https://www.neowin.net/guides/how-to-create-encrypted-partitions-on-linux-with-gnome-disks/) for more. The linked site shows how to encrypt a USB drive, but it should work for internal partitions as well.
ar flag
* You are *right* about using Disks to... I could use Disks to encrypt on a fresh install of Ubuntu 22.04.
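
The checks this answer and its comments turn on, as an added example that is not part of the original thread: confirm the target is a partition rather than the whole disk, that it is not mounted, and whether it already carries a LUKS header (which is also how to confirm what the Disks GUI created). The function names and the constructed sample file are assumptions for illustration; nothing here writes to a device.

```shell
#!/usr/bin/env bash
# Added example: read-only checks around `cryptsetup luksFormat`.

# Name heuristic: 0 = partition (sda11, nvme0n1p11), 1 = whole disk (sda, nvme0n1).
# On a real system, `lsblk -dno TYPE /dev/sda11` printing "part" is the authoritative check.
is_partition_name() {
    case "$(basename "$1")" in
        nvme*n*p[0-9]*|mmcblk*p[0-9]*) return 0 ;;
        nvme*|mmcblk*)                 return 1 ;;
        [shv]d[a-z]*[0-9])             return 0 ;;
        *)                             return 1 ;;
    esac
}

# Print the LUKS header version (1 or 2) of a device or image file, or "none".
# LUKS1 and LUKS2 both start with the magic "LUKS\xba\xbe" and a 2-byte big-endian version.
luks_version() {
    local hex
    hex=$(od -An -tx1 -N8 "$1" 2>/dev/null | tr -d ' \n')
    case "$hex" in
        4c554b53babe0001) echo 1 ;;
        4c554b53babe0002) echo 2 ;;
        *)                echo none ;;
    esac
}

# 0 if the device is a mount source in the mounts table (default /proc/self/mounts).
is_mounted() {
    awk -v dev="$1" '$1 == dev { found = 1 } END { exit !found }' "${2:-/proc/self/mounts}"
}

# Decide whether luksFormat on $1 would be safe; prints the reason when refusing.
preflight() {
    local dev="$1" mounts="${2:-/proc/self/mounts}"
    is_partition_name "$dev" || { echo "refuse: $dev looks like a whole disk"; return 1; }
    is_mounted "$dev" "$mounts" && { echo "refuse: $dev is mounted"; return 1; }
    [ "$(luks_version "$dev")" = none ] || { echo "refuse: $dev already has a LUKS header"; return 1; }
    echo "ok: $dev"
}

# Constructed sample: an 8-byte file with a LUKS2 magic, standing in for a formatted partition.
sample=$(mktemp)
printf 'LUKS\272\276\000\002' > "$sample"
echo "sample header: LUKS version $(luks_version "$sample")"
rm -f "$sample"
```

Reading a real block device requires root; `sudo cryptsetup isLuks /dev/sda11` performs the same header check with the tool the thread already uses.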