Linux Disk Encryption

This page describes some methods for encrypting the disks on a Linux system. For an overview of CS Department disk encryption recommendations, please see Disk Encryption. Windows and OSX instructions are coming soon.

The short version of the rest of this page is: Choose a good passphrase and enable disk encryption when you install Linux. If you're already running Linux, back up your data, reinstall Linux (enabling disk encryption when you do so), and then restore your data from the backups.

Choose a Good Passphrase

Effective disk encryption requires a good passphrase. Please see the Disk Encryption Passphrases section of our overview page for appropriate recommendations.

Disk Encryption During System Installation

Linux has built-in disk encryption known as LUKS (Linux Unified Key Setup). Unfortunately, there aren't really any good ways to add encryption to an existing system without reinstalling everything. We recommend making a copy of your /home directory (and possibly /etc, if you've altered your system configuration significantly) onto an external disk or another computer, reinstalling Linux, enabling encryption during the installation, copying your data back onto the system, and wiping the external disk (unless it was also encrypted).

The methods for enabling encryption vary with each Linux distribution. We do not have the resources to support all of them, but we have some guidance on several of the more popular distributions at the time of this document's writing.

Ubuntu 18.04 LTS

In the "Installation type" screen, make sure you have checked "Encrypt the new Ubuntu installation for security".

On the next screen, enter your disk passphrase and check "Overwrite empty disk space".

When you create an account, you do not need to check "Encrypt my home folder".

Debian 9 (stretch)

In the "Partition disks" screen, select "Guided - use entire disk and set up encrypted LVM". If you prefer to use manual partitioning, create your boot and main partitions, use the main partition as an encryption partition, use the new encrypted device as an LVM physical volume, and proceed from there as usual.

Fedora 31, RHEL 8, CentOS 8

(As of February 2020, the latest Fedora, RHEL, and CentOS releases all work the same with respect to disk encryption.)

Go into the "Installation Destination" section of the installer. Under "Encryption", check the box next to "Encrypt my data".

OpenSUSE Tumbleweed

On the "Suggested Partitioning" screen, click the "Edit Proposal Settings" button. Check both "Create LVM-based Proposal" and "Encrypt Volume Group".

Disk Encryption After Installation

Linux doesn't have great support for encrypting an existing filesystem. There are a few possibilities for that, but we don't have the resources to provide support for them.

The following information is provided for reference, but our recommendation is to perform a complete reinstallation and enable full-disk encryption during the installation process.

Ubuntu

If you're running Ubuntu, you might be able to encrypt your home directory on the fly by installing ecryptfs and then running ecryptfs-migrate-home -u account-name. Note that the migration command must be run as root without the affected account being logged in (so you'll have to log out, switch to a text console, log in as root, and then run it).

This is not as good as full disk encryption. Although your home directory will be protected, information can still leak to unencrypted places such as system logfiles and swapspace. You should perform a reinstall and enable full disk encryption during the installation process.
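One way to confirm which parts of a system actually ended up encrypted (for example that swap did not stay on a plain partition, the leak described above) is to walk the block-device tree that lsblk reports. The script below is an added example, not part of this page's original guidance; it assumes lsblk supports the -P (key="value") output format and the KNAME, PKNAME, TYPE and MOUNTPOINT columns, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: check that the mountpoints that matter sit on a dm-crypt (LUKS)
# mapping, walking up the block-device tree so the usual installer layout
# (partition -> crypt -> lvm -> filesystem) is recognised.
# Input is the output of: lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT

# Constructed sample: / and /home are logical volumes on top of a LUKS
# mapping, but swap was left on a plain partition.
SAMPLE_LSBLK='KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda2" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/home"
KNAME="sda3" PKNAME="sda" TYPE="part" MOUNTPOINT="[SWAP]"'

# Usage: <lsblk -P output> | check_encrypted_mounts MOUNTPOINT...
# Prints "<mountpoint> encrypted|UNENCRYPTED|absent", one line per mountpoint.
check_encrypted_mounts() {
    awk -v targets="$*" '
    # Extract the value of KEY="..." from the current lsblk -P line.
    function val(key,  s) {
        if (!match($0, "(^| )" key "=\"[^\"]*\"")) return ""
        s = substr($0, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
        return s
    }
    {
        k = val("KNAME"); parent[k] = val("PKNAME"); type[k] = val("TYPE")
        m = val("MOUNTPOINT"); if (m != "") dev[m] = k
    }
    END {
        n = split(targets, t, " ")
        for (i = 1; i <= n; i++) {
            if (!(t[i] in dev)) { print t[i] " absent"; continue }
            status = "UNENCRYPTED"
            # Any dm-crypt ancestor means the data on this mount is encrypted at rest.
            for (d = dev[t[i]]; d != ""; d = parent[d])
                if (type[d] == "crypt") { status = "encrypted"; break }
            print t[i] " " status
        }
    }'
}

# Runs against the constructed sample. On a real system use instead:
#   lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT | check_encrypted_mounts / /home '[SWAP]'
printf '%s\n' "$SAMPLE_LSBLK" | check_encrypted_mounts / /home '[SWAP]'
```

A TYPE of crypt only shows that a dm-crypt mapping is in the path; it does not tell you how strong the passphrase protecting it is.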

luksipc

There is a program named luksipc (LUKS in-place conversion) that was created to convert existing partitions to encrypted partitions. It is a very low-level program that comes with the strong possibility of erasing all of your data. We do not support its use; it's mentioned here for completeness.

luksipc can delete all of your data if you're not extremely careful (and possibly even if you are). We recommend reinstalling Linux and enabling full disk encryption during the installation process.