0

As a noob to Linux, I do not know if it is possible to encrypt the whole drive with the current Calamares installer.

I did a fresh install of Lubuntu with these options in Calamares:

erase disk + encrypt system

When rebooting, it asks:

Welcome to GRUB! Attempting to decrypt master key...  
Enter passphrase for hd0

After decrypting, I only have to log in as the user.

Normally we have to put in the password at the Lubuntu logon.

Is the complete system encrypted in this case? Is the GRUB prompt normal?

Here is the output of lsblk:

sda                                8:0    0 238,5G  0 disk  
├─sda1                             8:1    0   300M  0 part  /boot/efi
└─sda2                             8:2    0 238,2G  0 part  
  └─luks-5fc-xx-xxx-xxxx-xxx
                                 253:0    0 238,2G  0 crypt /
sr0                               11:0    1   3,7M  0 rom   /media/


zayers
  • 9

1 Answer

2

Everything but /boot/efi is encrypted, yes.

This is indicated by the fact that sda2 only holds a LUKS volume (which is the encryption feature used by Ubuntu and many other Linux distros), which is in turn mounted on /.

The GRUB prompt is perfectly normal, given that the kernels reside on an encrypted partition, and /boot/efi only contains the bootloader itself. It has to ask for the passphrase to read the kernel it has to load.

vidarlo
  • 22,691
  • But when I open the disk utility I see 2 free space areas. Why are they created and why unencrypted? I have added a picture to the question. Can you take a look? And how about LVM: is it better to use LVM with full disk encryption? – zayers Jun 18 '19 at 18:00
  • What free space do you see? The partitions add up to the size of the disk. And LVM+LUKS is no more safe than only LUKS. LVM is a management layer, and doesn't really impact security. With your setup, you only have one partition for everything anyway, so LVM doesn't make a lot of sense. – vidarlo Jun 18 '19 at 18:04
  • I have edited the question. Look at the photo. There are 2 small space areas created automatically. I don't think they are encrypted. – zayers Jun 18 '19 at 18:08
  • There's a tiny free space in front and at the end, which is not used for anything nor encrypted. – vidarlo Jun 18 '19 at 18:11
  • In the Debian installer I always used the entire disk and set up encrypted LVM to encrypt the whole disk... Was my setup with Calamares above whole drive encryption? – zayers Jun 18 '19 at 18:18
  • Yes, it is whole disk encryption. The unused space is there to align the boundaries of partitions to physical boundaries of the disk device. – vidarlo Jun 18 '19 at 18:29
  • Are you sure boot is also encrypted? Why is it not under sda2 in the lsblk output? – zayers Jun 18 '19 at 18:33
  • /boot is encrypted, yes. It's part of /. From what you have posted you don't have a separate boot partition. You have an EFI partition, which has to be unencrypted. – vidarlo Jun 18 '19 at 18:34
  • Yes, I have only one HDD partition, as EFI. You mean I have to decrypt boot? I prefer to encrypt the boot loader. I think it is, or not? Just to be sure. – zayers Jun 18 '19 at 18:38
  • You *can't* encrypt the bootloader. You can sign it, and use trusted boot. /boot/efi *has* to be unencrypted. You currently have no separate /boot partition. – vidarlo Jun 18 '19 at 18:49
  • I used GParted and I see a lock symbol on boot/efi like on sda2; they have the same lock symbol. – zayers Jun 18 '19 at 18:52
  • I can't see the lock symbol in your screenshot. – vidarlo Jun 18 '19 at 18:53
  • I will post, hold on. – zayers Jun 18 '19 at 18:58
  • I get what you ask. It's a key symbol. See this answer. In short: the partition is in use. It's not encrypted. – vidarlo Jun 18 '19 at 19:03
  • If you have further comments, I suggest you use [chat]. – vidarlo Jun 18 '19 at 19:04
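
The reasoning in the answer (a mount point is encrypted when a crypt device sits between the partition and the filesystem, and /boot follows / when it has no partition of its own) can be checked mechanically. This is an added example, not part of the original thread: the function names are hypothetical, and the sample JSON is constructed to match the lsblk output in the question, in the shape `lsblk -J -o NAME,TYPE,MOUNTPOINT` prints.

```python
import json

# Constructed sample shaped like the question's layout, as printed by
# `lsblk -J -o NAME,TYPE,MOUNTPOINT` (older util-linux uses "mountpoint",
# newer releases emit a "mountpoints" list; both are handled below).
SAMPLE = json.loads("""
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot/efi"},
    {"name": "sda2", "type": "part", "mountpoint": null, "children": [
      {"name": "luks-5fc-xx-xxx-xxxx-xxx", "type": "crypt", "mountpoint": "/"}
    ]}
  ]},
  {"name": "sr0", "type": "rom", "mountpoint": "/media/"}
]}
""")


def mount_encryption(tree):
    """Map each mount point to True if a dm-crypt ('crypt') layer backs it."""
    found = {}

    def walk(node, under_crypt):
        # Once a crypt device appears on the path, everything below it is encrypted.
        under_crypt = under_crypt or node.get("type") == "crypt"
        mounts = node.get("mountpoints") or [node.get("mountpoint")]
        for mp in mounts:
            if mp:
                found[mp.rstrip("/") or "/"] = under_crypt
        for child in node.get("children", []):
            walk(child, under_crypt)

    for dev in tree["blockdevices"]:
        walk(dev, False)
    return found


def path_is_encrypted(path, mounts):
    """Decide by the longest mount point that contains `path` (None if no match)."""
    candidates = [mp for mp in mounts
                  if mp == "/" or path == mp or path.startswith(mp + "/")]
    best = max(candidates, key=len, default=None)
    return mounts.get(best)


if __name__ == "__main__":
    mounts = mount_encryption(SAMPLE)
    for p in ("/", "/boot", "/boot/efi", "/home"):
        print(p, "encrypted" if path_is_encrypted(p, mounts) else "NOT encrypted")
```

On a live system, feed it `json.loads` of the real `lsblk -J -o NAME,TYPE,MOUNTPOINT` output instead of `SAMPLE`.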