Linux GUI full disk encryption including /boot

postcd
Hello,

I'm using Windows OS and I wish to switch to Linux with a GUI. I don't have any distribution in mind (I know Ubuntu has a huge community, so maybe Xubuntu). Before I do the Win/Linux switch, I want to ask for a link to a tutorial or advice regarding HDD encryption.

I'm looking for a quick & secure way to encrypt the whole filesystem (including /boot) so I have peace of mind that nobody will read any data. I also want ease of use; I'm a Linux noob on the command line, so I prefer a GUI tool. Can you please give advice on a solution?
 


WharfRat
postcd,

You really can't have /boot encrypted. Grub needs to have access to the partition before the OS boots.

Linux will set up a LUKS (Linux Unified Key Setup) encrypted linear logical volume. Both are container/abstraction layers, so boot files need to be outside of the containers in order to be read.

No one can gain any information from your /boot partition and your root filesystem cannot be accessed without first opening the LUKS container and then assembling the physical device, volume group and logical volumes.
 
postcd

WharfRat: yes, thank you for the nice explanation. The only problem, I think, is if some hacker accesses my computer physically and modifies GRUB to somehow log my credentials (here is explained how)
 
WharfRat
I've seen that before.

It assumes that you have lost or were rendered unconscious somehow, leaving a terminal open after entering sudo -i or su - to gain escalated privileges, at which time this evil individual gets the initrd.img file from the boot partition, extracts it, copies root/sbin/cryptsetup to initrd/sbin/cryptsetup, copies root/initramfs-tools/scripts/* to initrd/scripts/, and then recompresses the initrd.img file and replaces it.

Then you are revived to reboot and enter your password so the new plaintext file can be saved in /boot/.cryptopass and you have no idea that anything fishy just happened. Oh yeah, and the file hasn't been viewed yet.

Sounds like a mission impossible plot to me.

If someone infiltrated your residence and demanded your computer's LUKS password at gunpoint I suspect you would probably quickly oblige.

What the author wrote is very possible, but let's get real here.

If you suspect a Linux guru friend would do that to you I would suggest new friends ;)