4

I run Ubuntu 12.04 on my laptop, with an encrypted home folder + swap partition. Before I had this encrypted setup, I used to have my hibernation enabled. I found this documentation on how to enable hibernation with an encrypted swap.

Now the thing that bothers me by using the solution as given in the documentation, is that apart from having to type my password to login to my user account, I have to type separately a password to mount my swap partition.

A possible solution to this is (is it?) to enable my user account to automatically login (so as to skip the login screen) and view the mounting of the swap partition as an alternative login screen. Note that I am the only user of my laptop.

The only drawback to this method is that after 3 password attempts the system continues booting anyway, though without mounting the swap partition, leaving my desktop freely available to anybody.

As I would like to use hibernation while only having to type my password once at startup, my question thus is whether it would be possible to:

  1. either make the password-attempt count infinite
  2. or alternatively let the system reboot itself after three attempts (starting the cycle over again)

and if this is possible

  1. whether it would pose a security breach not thought of by me

and if not possible: Whether there would be another creative alternative allowing me and other users to use hibernate in combination with encryption without having to type two pass phrases at boot.

Thank you very much for any help!

1 Answer

7

The suggestion:

You could just create 2 partitions on your disk.

  1. a small partition to hold /boot (unencrypted)
  2. the rest of the disk, to be used as a physical volume for encryption.

I'd then configure encryption on the second partition and use LVM to create 2 volumes: /dev/vg0/root and /dev/vg0/swap

Advantages:

  1. You don't have to worry about encrypting individual partitions.
  2. Apart from /boot, which holds your kernel, everything else is encrypted, which protects you from someone rebooting your machine, entering single user mode and modifying your OS to allow them to easily get your data from your encrypted home anyway.
  3. You only enter the encryption key once per boot.
  4. I know you said you're the only user but you could add separate passphrases (key slots) for other users if you had to.

As to the other part of your question: I don't remember if this method asks repeatedly for the password and I don't think this by itself would be a security risk, as long as there's a delay after an incorrect password is given (to thwart brute-force attacks).

How it's done:

I never use the GUI for installation and apparently you cannot use it to create an LVM on top of LUKS-encrypted block device.

The workaround I've tested:

  1. Download the netboot ISO image for amd64 or i386 and burn it onto a CD.
  2. When you boot from it, choose 'Install' from the menu
  3. Answer a few basic questions, create a non-root user, and choose NOT to encrypt the home directory. This isn't what we want here.
  4. When you get to the 'Partition disks' dialog, choose 'Manual'.
  5. Create an empty partition table on the disk if you need to and then 2 primary partitions.
    • first primary partition for /boot and make it 512MB. This is where your kernel and initrd images will reside and will remain unencrypted.
    • second primary partition to cover the remaining space and choose its type as 'physical volume for encryption'.
    figure 1
  6. Proceed to Configure encrypted volumes, save the changes and encrypt /dev/sda2, choose a password and finish. At this point you'll have an encrypted volume sda2_crypt
  7. Choose to use it as a physical volume for LVM figure 2
  8. Proceed to configure the Logical Volume Manager. Create a volume group vg0 on /dev/mapper/sda2_crypt
  9. Create 2 logical volumes within that group.
    • swap - however large you need it to be (I chose 1GB)
    • root - use the remaining space
  10. At this stage, you should see the following configuration: figure 3
  11. Choose an FS for your root logical volume and configure it to be mounted as / and the swap LV to be used as swap space: figure 4
  12. Write changes to disk and proceed with the installation.
  13. Later on you'll be asked which packages to install (tasksel) and you can safely go with ubuntu-desktop
  14. When asked where to install Grub to, I chose MBR since I don't have any other OSes on my machine.

And that's really one of the few reasons I always choose the netboot images. I don't want to be held back until the developers port the functionality that works perfectly well in a way that's pretty enough to be included in the GUI installer.
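A check for the layout these steps produce, as an added example that is not part of the original answer: it confirms that / and swap are LVM volumes on one dm-crypt mapping (so a single passphrase unlocks both) and that /boot is a plain partition. The function name `check_single_unlock`, the `dm-N` kernel names and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example. Input: `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT` on stdin.
# Succeeds (printing the dm-crypt device) only when / and swap are LVM volumes
# on the same dm-crypt mapping and /boot is a plain, unencrypted partition.
check_single_unlock() {
  awk '
    # Return the value of KEY="value" on the current line ("" if absent).
    function val(key,   line) {
      line = " " $0
      if (!match(line, " " key "=\"[^\"]*\"")) return ""
      return substr(line, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
    }
    function fail(msg) { print "FAIL: " msg > "/dev/stderr"; exit 1 }
    {
      k = val("KNAME"); type[k] = val("TYPE"); parent[k] = val("PKNAME")
      mp = val("MOUNTPOINT"); if (mp != "") dev[mp] = k
    }
    END {
      root = dev["/"]; swap = dev["[SWAP]"]; boot = dev["/boot"]
      if (root == "" || swap == "") fail("root or swap not found")
      if (type[root] != "lvm" || type[swap] != "lvm")
        fail("root and swap must both be LVM volumes")
      if (parent[root] != parent[swap])
        fail("root and swap sit on different devices")
      if (type[parent[root]] != "crypt")
        fail("the volume group is not on a dm-crypt mapping")
      if (boot == "" || type[boot] != "part")
        fail("/boot must be a separate plain partition")
      print parent[root]
    }
  '
}

# Constructed sample: the layout from the steps above (sda2_crypt shown as dm-0).
SAMPLE_LVM_ON_LUKS='KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda2" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="[SWAP]"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"'

# Constructed sample: plain root with a separately encrypted swap partition.
SAMPLE_SEPARATE_SWAP='KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/"
KNAME="sda5" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda5" TYPE="crypt" MOUNTPOINT="[SWAP]"'

printf '%s\n' "$SAMPLE_LVM_ON_LUKS" | check_single_unlock
```
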

  • Hi Martin, thank you very much for your proposed alternative! I will look into it. – Willem van Gerven Oct 18 '12 at 18:48
  • Hello Martin, I was looking into your proposed method, and I reckon that I will have to use the alternate installer to use the LVM tool at install (?). I was wondering though how to keep my machine dual-bootable with windows as I currently have.. I saw here: https://help.ubuntu.com/community/GraphicalInstall that it offers the LVM tool only when selecting to erase the whole disk (pic 3). What would you propose to do after setting up the 2 partitions and how big should I assume the /boot partition to be? I am a "moderately experienced" user, with some skills, but not that much insight yet.. – Willem van Gerven Oct 21 '12 at 19:22
  • Hi Willem, I won't be able to elaborate on this before the weekend but one thing I can suggest is using the text-based installer (not because I think the GUI based one doesn't work, but I've never used it myself). If you can wait until then, I'll be able to let you know the steps to configure it the way I suggested. – Marcin Kaminski Oct 24 '12 at 23:09
  • Hello Martin, thank you for your reply. I appreciate your help very much! I am not in a hurry with this, so I can definitely wait for your answer later. I look forward to it and thanks again. – Willem van Gerven Oct 25 '12 at 10:15
  • Hello again Willem - I'm sorry I didn't get a chance to do this earlier but here it goes - I hope you find it useful. – Marcin Kaminski Oct 31 '12 at 19:00
  • Hello Martin, thank you very much for such an elaborate help! It's very instructive. I repeated all your steps in virtual box and it seems to be doing exactly what it needs to. However, I was not able yet to test in real when also dual booting. Also, now that I am asked at boot for a pass phrase to mount /dev/sda2, can I safely consider this my new "alternate" user login screen, and set my account to login automatically, as such having to only type my pass phrase once at boot? (As that was the whole reason behind my question, not to have to type it twice: once to mount and once to login.) Thx! – Willem van Gerven Nov 02 '12 at 19:33
  • The decryption password (once per boot) and account password serve completely different purposes. The former is to protect your storage from being mounted by someone and stealing/modifying/etc your data. The latter (account password) is to prevent others from accessing your machine while the storage is already decrypted.

    If after you boot, you log in automatically - what's going to prevent others from coming by and doing whatever they want with your machine? Unless I misunderstood you, this is a really, really bad idea. This way you'd give up all the security you gained by encrypting your storage :)

    – Marcin Kaminski Nov 02 '12 at 20:29
  • Hi Martin, perhaps I see what you mean. But then what is the purpose of this encryption scheme, for instance when sharing sda2 with multiple users? Or when even having a guest account? As I understand it now, after sda2 is mounted one could login as guest (or as another user if existent) and navigate to my home folder? So my logic is kind of that I should anyway be the only one to know the pass phrase to mount sda2 for it to be completely safe (while disabling the guest account). Then whether to have auto login or not, I would just be able to lock my screen when going away from my machine. Right? – Willem van Gerven Nov 03 '12 at 16:40
  • Hi Willem, I feel like you're trying to solve a problem which I'm not sure exists ;) If someone knows the sda2 encryption password they'll be able to run the machine in single mode anyway and get what they want. If you don't trust the users you share your machine with, then this solution isn't for you. Also there are filesystem permissions, if set up correctly why would guest be able to access your home directory? I don't mean to offend, but I think you might need to research the information about the way Linux/Unix permissions/security is implemented in practice. – Marcin Kaminski Nov 03 '12 at 19:28