The information in this article is specific to Ultima Linux 8.4 Beta 1 and newer, and may not be valid for other versions.
Disk encryption is supported in recent Ultima Linux releases through the cryptsetup utility. Basic support for encryption (currently, only the /home directory) is built into the Wolvix Control Panel installer; more advanced setups are possible, including fully-encrypted root and swap partitions, but require some manual configuration.
The cryptsetup utility uses a system called LUKS, or Linux Unified Key Setup, which provides a standard method of configuring and accessing encrypted partitions in Linux and, to some extent, other operating systems. When you first encrypt your disk, you will provide a passphrase to access the encrypted data; this passphrase is not limited to a single word – it can, and should, include spaces and punctuation marks along with alphanumeric characters.
(A full description of the encryption technology is beyond the scope of this article, but it is worth mentioning that cryptsetup never uses your passphrase directly: rather, it uses what you enter to encrypt another, randomly-generated master key, and that key performs the actual encryption and decryption of your data.)
Note that you cannot convert a standard partition directly to an encrypted one: You must re-format it, first through cryptsetup, then with a standard filesystem utility such as mkfs.xfs.
DO NOT LOSE YOUR LUKS PASSPHRASE. If necessary, write it down and store it in a secure location. If your passphrase is lost, it cannot be recovered, and you will be unable to access your encrypted data.
The cryptsetup program can be used to create additional passphrases to access your data, without needing to re-format your partition; see below for more information. This can be useful, for example, to provide a “backup” password in case you forget the primary one, or to allow others to access the system without needing your passphrase.
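The master-key and key-slot arrangement described above is visible in the LUKS header itself. The following script is an added example, not part of this wiki article or of cryptsetup: it parses the LUKS version 1 on-disk header format and reports the cipher, the key size and which of the eight key slots hold a passphrase, which is the check to run after adding a backup passphrase. The header bytes are constructed in the script (filler salts and digests, no real key material), so it runs offline.

```python
import struct

# LUKS1 on-disk header layout (big-endian): 208-byte fixed part + 8 key slots of 48 bytes.
LUKS_MAGIC = b"LUKS\xba\xbe"
SLOT_ACTIVE, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD
# magic, version, cipher, mode, hash, payload offset, key bytes, mk digest, mk salt, mk iterations, uuid
HEADER_FMT = ">6sH32s32s32sII20s32sI40s"
SLOT_FMT = ">II32sII"  # active flag, iterations, salt, key-material offset, stripes
HEADER_LEN = struct.calcsize(HEADER_FMT) + 8 * struct.calcsize(SLOT_FMT)  # 592 bytes


def build_sample_header(active_slots=(0, 1), key_bytes=32):
    """Constructed sample LUKS1 header; salts and digests are filler, not real key material."""
    fixed = struct.pack(HEADER_FMT, LUKS_MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1",
                        4096, key_bytes, b"\x11" * 20, b"\x22" * 32, 10000,
                        b"00000000-0000-0000-0000-000000000000")
    slots = b""
    for i in range(8):
        if i in active_slots:  # an active slot holds the master key encrypted under one passphrase
            slots += struct.pack(SLOT_FMT, SLOT_ACTIVE, 60000, bytes([i + 1]) * 32, 8 + i * 256, 4000)
        else:                  # a disabled slot carries no key material
            slots += struct.pack(SLOT_FMT, SLOT_DISABLED, 0, b"\x00" * 32, 8 + i * 256, 4000)
    return fixed + slots


def _cstr(raw):
    return raw.split(b"\x00", 1)[0].decode("ascii")


def parse_luks1_header(data):
    """Return cipher, key size and key-slot usage from the first 592 bytes of a LUKS1 device."""
    if len(data) < HEADER_LEN:
        raise ValueError("header truncated")
    (magic, version, cipher, mode, hash_spec, payload_off, key_bytes,
     _digest, _salt, mk_iters, uuid) = struct.unpack(HEADER_FMT, data[:208])
    if magic != LUKS_MAGIC:
        raise ValueError("not a LUKS header")
    if version != 1:
        raise ValueError("only LUKS version 1 is handled here, got %d" % version)
    active = []
    for i in range(8):
        flag, _iters, _salt, _off, _stripes = struct.unpack(SLOT_FMT, data[208 + 48 * i:256 + 48 * i])
        if flag == SLOT_ACTIVE:
            active.append(i)
        elif flag != SLOT_DISABLED:
            raise ValueError("key slot %d has an unknown state 0x%08x" % (i, flag))
    return {"cipher": _cstr(cipher), "mode": _cstr(mode), "hash": _cstr(hash_spec),
            "key_bits": key_bytes * 8, "payload_offset_sectors": payload_off,
            "uuid": _cstr(uuid), "mk_digest_iterations": mk_iters, "active_slots": active}


if __name__ == "__main__":
    info = parse_luks1_header(build_sample_header())
    print("%s-%s, %d-bit key, passphrase slots in use: %s"
          % (info["cipher"], info["mode"], info["key_bits"], info["active_slots"]))
```

To inspect a real device, read its first 592 bytes (root is needed) and pass them to parse_luks1_header; the same information is what cryptsetup luksDump prints.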
The easiest way to configure disk encryption is during installation. The LiveCD installer currently includes an “Encrypted /home” option, which provides basic encryption for your documents and other personal data stored in /home. Checking this option during installation is all that is necessary; the only other difference in installation is that, when you format the /home partition, you will be prompted for your passphrase (see above) to encrypt the data.
(You should be prompted for the passphrase a total of four times: Once when choosing the passphrase, then again for verification; and once each when creating and mounting the filesystem. The title bar of each prompt will identify exactly what action the passphrase is required to perform. Note that if you are using an existing encrypted partition, you will only be asked once, to unlock the partition.)
The LiveCD installer encrypts your data using a 256-bit AES cipher; this is generally considered among the strongest widely-available security schemes, and provides roughly the same level of security as that used in other electronic activities such as shopping online. However, if you need more than the installer provides (for example, an encrypted root or swap partition), it is recommended to perform the encryption manually.
Be warned: your root filesystem, including temporary files in /tmp and various types of records in /var, is not encrypted by the LiveCD installer method. Also note that your swap partition is not encrypted, which may have security implications, particularly if you use your system's suspend-to-disk feature (which stores its running state, including any programs or documents you may have open, on the swap partition).