How to Encrypt a Drive on Ubuntu 22.04

2 Best Ways to Encrypt a Drive on Ubuntu 22.04

Looking to encrypt a full drive on Ubuntu? You’re in the right place.

As with other Linux distros, Ubuntu supports full disk encryption to protect your data from unwanted access. One catch is that the easiest time to encrypt a drive is while you’re installing Ubuntu. So if you already have it installed, you’ll need to reinstall.

However, don’t worry because I’ll also show you a method you can use to encrypt a drive on a device where Ubuntu is already installed. It’ll only be a partial encryption though.

Let’s get started.

What You’ll Need

Before diving into the guide, here are the requirements you must fulfill:

  • A medium for installing Ubuntu (USB stick or Virtual Machine)
  • Familiarity with the Linux terminal and Linux commands
  • Root account or sudo privileges
  • A stable internet connection

Method 1: Encrypting the Drive During Ubuntu Installation

For this method, I will be using VirtualBox on Windows 11 to demonstrate the whole thing. 

Step 1: Create an Ubuntu Virtual Machine

  1. If you don’t know how to set up VirtualBox, follow the official documentation to get started.
  2. Then get a hold of the disk image file of Ubuntu 22.04 from here.
  3. Open VirtualBox and click New.
  4. Give a name to your VM. Select a folder to place the VM. From the ISO Image dropdown, select the disk image file of Ubuntu. Then press Next.
  5. Next, allocate memory and processor for your VM. I’ll go with the default ones. Press Next.
  6. In the next window, allocate virtual disk space for the VM and press Next.
  7. If everything is okay, press Finish.
  8. Now start the Ubuntu virtual machine.

Step 2: Encrypt the Drive During Installation

With your virtual machine created, let’s move on to encrypting the disk while installing Ubuntu.

  1. In the GRUB menu, select the Try or Install Ubuntu option and press Enter.
  2. In the next menu, select the installation language and press Install Ubuntu.
  3. Then choose your preferred keyboard language and layout and press Continue.
  4. The next window is about the software you want with your Ubuntu installation. Keep it as it is and press Continue.
  5. Now you’ll arrive at the installation type window. From here, select Erase disk and install Ubuntu. Then press Advanced Features.
  6. You should see a new window pop up. First, select Use LVM with the new Ubuntu installation and then tick the box that says Encrypt the new Ubuntu installation for security. Press OK.
  7. Press Install Now.
  8. In the next window, create a security key and fill in the two fields. Optionally, you can create a recovery key as well by checking the corresponding box. Click on Install Now.

Note: You must remember your security key or else you’ll lose all the data. Keep your security key somewhere safe.

  9. You’ll be asked for a final confirmation. If you’re okay with it, press Continue.
  10. Continue with the rest of the installation steps as they are straightforward.
  11. When booting into Ubuntu, the system will ask you for the security key. Enter the key to proceed.
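Once the installed system boots, you can confirm which mounted filesystems actually sit on an encrypted layer. The script below is an added example, not part of the original guide: it walks the parent links in lsblk output and marks each mount point as encrypted or plaintext. The sample device layout is constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report whether each mounted block device sits on a dm-crypt
# (LUKS) layer, by walking parent links in `lsblk -P` output.

# encryption_report: reads `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT` on stdin
# and prints "<encrypted|plaintext> <mountpoint>" per mounted device, sorted.
encryption_report() {
    awk '
    function field(key,   s) {            # value of KEY="..." on this line
        s = " " $0
        if (!match(s, " " key "=\"[^\"]*\"")) return ""
        return substr(s, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
    }
    {
        k = field("KNAME")
        parent[k] = field("PKNAME"); kind[k] = field("TYPE"); mnt[k] = field("MOUNTPOINT")
    }
    END {
        for (k in mnt) {
            if (mnt[k] == "") continue
            state = "plaintext"
            # climb towards the physical disk; a crypt ancestor means encrypted
            for (d = k; d != ""; d = parent[d])
                if (kind[d] == "crypt") { state = "encrypted"; break }
            print state, mnt[k]
        }
    }' | LC_ALL=C sort
}

# Constructed sample resembling an LVM-on-LUKS layout (not captured output).
sample_lsblk() {
    cat <<'EOF'
KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
KNAME="sda3" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda3" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="[SWAP]"
EOF
}

sample_lsblk | encryption_report
# On a real system: lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT | encryption_report
```

Any mount point reported as plaintext is readable by anyone with physical access to the disk, so check that nothing sensitive lives there.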

Method 2: Encrypting the Drive after Ubuntu Installation

Using this method, you can’t do a full encryption of a drive. However, you can encrypt the home directory of a user and the swap space, which is still useful.

Step 1: Install the Necessary Packages

I’ll first show you the packages you’ll need for this encryption process.

  1. Before downloading the packages, make sure that your system is up to date. This ensures that any packages you install are also in their latest version. Update your software repository cache with this command:
sudo apt update
  2. Then install ecryptfs-utils and cryptsetup with this command:
sudo apt install ecryptfs-utils cryptsetup

Step 2: Create a Temporary User with Sudo Privileges

Since we’re going to encrypt the home directory of a user, I’ll create a new user for demonstration purposes. If you’ve already decided which user’s home directory you want to encrypt then you may skip this step.

  1. Create a new user by running this command:
sudo adduser demo-enc
  2. You’ll be asked to create a password. Enter a password and re-enter it to confirm it.
  3. Then enter your details including your full name, phone numbers, and others.
  4. Once done, press Y to confirm your information.
  5. Then I will grant this new user sudo privileges. For that, use the below command:
sudo usermod -aG sudo demo-enc

Step 3: Encrypt the Home Directory

In this step, you’ll run the encryption from the new user’s session, because the account whose home directory is being migrated must be logged out while the migration runs. So first, log out of your current session and log in as that new user.

  1. Go to the menu in the top right corner of the screen. Now click the Power Off / Log Out button. Then click Log Out.
  2. Log in as the new user.
  3. After logging in, run this command to encrypt the home directory of a particular user:
sudo ecryptfs-migrate-home -u <user>

So in my case, I’d run this command:

sudo ecryptfs-migrate-home -u zunaid

In your case, switch the last argument to the username whose home directory you want to encrypt.

  4. When asked to enter your login passphrase, enter your account password.

This may take from a few seconds to a couple of minutes depending on your system. You’ll also receive some instructions at the end of the output.

Step 4: Confirm the Encryption

According to the instructions, the owner of the encrypted home directory should be able to read and write files if the migration was successful. So that’s what I’ll test now.

  1. Log out from the temporary user account and log into the encrypted home directory’s owner account.
  2. Create a file and add some text to it. Use this command:
echo "Writing to a file" > demo.txt

This confirms that you can write to a file properly. Now let’s see the reading operation.

  3. Use the command below to read the file you created just now:
cat demo.txt

Now the reading operation has been confirmed as well. This proves that the migration was indeed successful.
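Reading and writing also succeed on an unencrypted home directory, so it is worth checking the mount itself. The script below is an added example, not part of the original guide: it reads a mount table to confirm that /home/<user> is an active eCryptfs mount and lists any plaintext backup directories that ecryptfs-migrate-home left in /home. The function names are hypothetical, the sample mount lines are constructed, and the eight-character backup suffix is an assumption taken from the /home/zunaid.zJLzQkm3 name used later in this guide.

```shell
#!/bin/sh
# Added example: check that a home directory is an active eCryptfs mount and
# find plaintext backups left behind by ecryptfs-migrate-home.

# home_status USER [MOUNTS_FILE] -> encrypted+filenames | encrypted | plaintext
# MOUNTS_FILE defaults to /proc/mounts; pass "-" to read from stdin.
home_status() {
    awk -v mp="/home/$1" '
        $2 == mp && $3 == "ecryptfs" {
            # ecryptfs_fnek_sig= is present only when file names are encrypted too
            state = index("," $4, ",ecryptfs_fnek_sig=") ? "encrypted+filenames" : "encrypted"
        }
        END { print (state == "" ? "plaintext" : state) }
    ' "${2:-/proc/mounts}"
}

# leftover_backups USER [HOME_ROOT]: list USER.XXXXXXXX directories, which
# still hold an unencrypted copy of the data (suffix length is an assumption).
leftover_backups() {
    for d in "${2:-/home}/$1".????????; do
        [ -d "$d" ] && printf '%s\n' "$d"
    done
    return 0
}

# Constructed mount table lines (signatures are placeholders, not real values).
sample_mounts() {
    cat <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
/home/.ecryptfs/zunaid/.Private /home/zunaid ecryptfs rw,nosuid,nodev,relatime,ecryptfs_fnek_sig=0123456789abcdef,ecryptfs_sig=fedcba9876543210,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs 0 0
EOF
}

sample_mounts | home_status zunaid -      # migrated account
sample_mounts | home_status demo-enc -    # account that was never migrated
# On a real system: home_status "$USER"; leftover_backups "$USER"
```

Run the real-system commands while logged in as the owner of the encrypted home, since the eCryptfs mount exists only during that user’s session.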

Step 5: Record the Passphrase

Another important instruction was to retrieve the randomly generated passphrase and record it somewhere safe. So let’s do that now.

  1. To get the passphrase, run this command:
ecryptfs-unwrap-passphrase
  2. When you’re asked to enter a passphrase, enter your login password. That should reveal the random passphrase.
  3. Save the passphrase in a notepad or where you usually save passwords.

Step 6: Encrypt the Swap Space

Next, I’m going to encrypt the swap space as well to protect sensitive information.

  1. First, display the swap spaces with this command:
swapon -s
  2. You can check the size of the swap partition with this command:
free -h
  3. Finally, encrypt the swap space with the below command:
sudo ecryptfs-setup-swap
  4. Read the warnings and other displayed information. When done, press y and then the Enter button to confirm.

Step 7: Removing the Unnecessary Things

In the final step, you’ll do some cleanup.

  1. First, let’s delete the temporary user you created earlier. Delete that user using this command:
sudo deluser --remove-home demo-enc
  2. Check the name of the backup directory with this command:
ls -lh /home
  3. Next, delete the backup that your encryption tool created during the process. The backup is an unencrypted copy of the home directory, and the suffix after the username is randomly generated, so use the name shown by the previous command. In my case, the command is:
sudo rm -r /home/zunaid.zJLzQkm3/

Conclusion

Hope you’ve successfully encrypted the disk on your Ubuntu system. If you require full disk encryption, just follow the first method. If you’re fine with encrypting the home directory and the swap file only, then the second method will be enough for you.

If you’re interested in learning how to encrypt disk partitions using Cryptsetup in Debian, check out this guide.
