EncryptedFilesystemsInstaller - Ubuntu Wiki
The installer only offers one default partitioning schema (swap and a single The manual partitioner should offer both LUKS and plain dm-crypt (with The main inclusion report for cryptsetup needs to be revisited to meet the. Cryptsetup and LUKS - open-source disk encryption. number after '-i' is the iteration time in milliseconds) until your requirements are met. . Another is to encapsulate the swap partition (by making it a 1-disk RAID1 or by. Red Hat Enterprise Linux 6 natively supports LUKS Encryption. LUKS bulk encrypts your This makes it useful for encrypting swap devices. This can also be.
SDB:Encrypted root file system (deprecated) - openSUSE Wiki
This enables them to ship a generic kernel, then use loadable kernel modules to configure the kernel for specific user needs. While one can in principle create the initrd by hand  this is an error prone procedure requiring regeneration whenever the hardware configuration or kernel changes.
It is also not necessary since SUSE provides the mkinitrd package  for automatically generating the initrd. The approach taken here is to modify the driving script, mkinitrd, to automatically create the necessary initrd required for an encrypted root file system. The best approach would be to copy it to another file e. To use mkinitrd type: Once the system is using the encrypted root partion, this option is no longer necessary.
The option '-f "dm luks"' tells mkinitrd to enable the luks feature. It then adds a small section to the init script to query the password during the initial boot phase and decrypt all the file systems.
I had to use: Maybe you also need the "lrw" module, if you wanna use a cipher like aes-lrw-benbi. Create an entry in the bootloader menu for the new root file system The final step is to create a new entry in the Grub menu for the encrypted partition. Edit the boot menu and create a NEW entry which contains the new parameters.
It might look something like this: One needs to modify the old entries to use the old initrd which was saved for exactly this purpose. Now, close all open files and try to boot using the encrypted partition. You will have to type in your password once for each encrypted partition.
If you are using a docking station, you may have to use the laptop keyboard to enter the decryption password.
Erase the original root partition and replace it by another encrypted file system After checking that everything is working, proceed to erase the original root partition and replace it by another encrypted file system: This saves entering an additional password. The user account should still have a password, but a convenience auto-login can be enabled. Summary of commands for openSUSE The modifications made in  for mkinitrd 2.
Encrypted root title openSUSE The procedure described herein can protect a laptop or other computer against the following attacks. A laptop is the subject of a random theft followed by serendipitous profiteering.
Generally, the thief has not targeted the laptop specifically, but simply stole a laptop thought to be of some value. Such a thief would typically sell the laptop to a fence who might have the expertise to search an unprotected laptop for valuable data as well as the contacts necessary to profit from any such data. A second common attack is where the thief has specifically targeted the laptop because they suspect it contains valuable data.
Just as long as you don't have the magic sysreq key enabled or are logged into one of the consoles then I expect you can be reasonably secure. If the attacker had a big enough budget or a government type then that could lead to some james bond stuff.
It is possible to tear apart a laptop while it's still running.
I know for PCs and servers some people will have ways to splice in mobile power supplies any half decent electrition can do it to keep those machines running until they can get them into a some workshop or whatnot.
So with laptops it would be that much easier. I wouldn't be surprised if something like that worked on a Linux machine. RAM is funny also. We all know that you need to keep power to keep RAM in good shape and useful. This kind of metadata is provided by the LUKS headers, implemented in our cryptsetup. With this format, we retain the correct handling of such partitions with udev, hal, gnome-mount, etc.
Partitioning schema in the installer The installer only offers one default partitioning schema swap and a single large partition for everything. It is impossible to anticipate reasonable sizes of several partitions, since that depends on what the computer will be used for.
full disk encryption on debian 9
For the same reason we will only offer a similar default scheme Use entire disk with encryption with the following layout: These can be set up in the manual partitioner. Debian's current partman already offers everything we need for that. At boot, the user is asked for the passphrase to set up the decrypted dm device, and booting continues without any further system part needing to care about encrypted partitions.
Implementation Installer changes The alternate installer already supports LVM and Debian's current partman supports setting up encrypted devices and even has a default 'use entire disk' mode which sets up the layout proposed above. Both cryptsetup and partman-crypto need to be promoted to main and shippped by default.
Either usplash stays active on one VT or cryptsetup transparently falls back to console passphrase input when switching VTs and quitting usplash.