Full Disk Encryption Using Ubuntu In Most Secure Mode With AES-XTS-PLAIN64

Full Disk Encryption (FDE) is one of the best ways you can ensure all of the private information on your laptop stays private in case it’s lost, seized, stolen, or if you choose to sell or give away your computer in the future. This feature has been built into many GNU/Linux distributions, including Ubuntu, for many years. But until the recent release of Ubuntu 12.10, it was hidden away in the “alternate” text-mode installer of Ubuntu that many non-technical users don’t even know exists.


Unlike passwords, full disk encryption can make the contents of a drive inaccessible to a powerful attacker who has possession of your computer. FDE provides the opportunity to protect your data with military-grade encryption that can’t be compromised within a reasonable timeframe. At least, not by any currently-known means. The only way to access the files protected by full disk encryption is to obtain the encryption key.

AES-XTS provides the most secure mode of full disk encryption. Unfortunately, it’s not available by default in many Linux installation packages. Ubuntu’s “alternate” installation image provides other implementations like AES-CBC, but not aes-xts-plain or aes-xts-plain64. If aes-cbc is good enough for you, it’s been available in the Ubuntu alternate installer for quite some time. A thorough but dated guide outlining the process is available here.

By downloading an Ubuntu desktop installation image and doing a little initial setup, you can use aes-xts-plain64 on your system. aes-xts-plain and aes-xts-plain64 both provide the same mode of operation, but you’ll need to use aes-xts-plain64 if you want to format a partition larger than 2TB. Also, it’s important to note that using very large block sizes for XTS mode could lead to security issues. Using 512-byte block sizes mitigates this issue.
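Why the 2TB boundary matters, as an added example that is not part of the original article: in dm-crypt, the `plain` IV generator uses only the low 32 bits of the 512-byte sector number while `plain64` uses all 64, so past 2^32 sectors `plain` starts reusing the IVs of earlier sectors. The function names and sample device sizes below are hypothetical and constructed for illustration.

```python
import struct

SECTOR_SIZE = 512                             # dm-crypt sector size in bytes
PLAIN_LIMIT_BYTES = (1 << 32) * SECTOR_SIZE   # 2 TiB: where a 32-bit sector counter wraps


def iv_plain(sector: int) -> bytes:
    """'plain' IV: low 32 bits of the sector number, little-endian, zero-padded."""
    return struct.pack("<I", sector & 0xFFFFFFFF).ljust(16, b"\x00")


def iv_plain64(sector: int) -> bytes:
    """'plain64' IV: full 64-bit sector number, little-endian, zero-padded."""
    return struct.pack("<Q", sector).ljust(16, b"\x00")


def iv_reused_with(sector: int, ivgen: str):
    """Return the earlier sector that shares this sector's IV, or None."""
    if ivgen == "plain" and sector >= (1 << 32):
        return sector & 0xFFFFFFFF
    return None


def check_spec(spec: str, device_bytes: int) -> str:
    """Classify a cipher spec such as 'aes-xts-plain64' for a given device size."""
    parts = spec.lower().split("-", 2)
    if len(parts) != 3:
        return "unparsed"
    ivgen = parts[2]
    if ivgen not in ("plain", "plain64"):
        return "unknown-ivgen"
    if ivgen == "plain" and device_bytes > PLAIN_LIMIT_BYTES:
        return "iv-wraps"      # sectors past 2 TiB repeat the IVs of earlier sectors
    return "ok"


if __name__ == "__main__":
    # Constructed sample sizes, not taken from the original article.
    for spec, size in [("aes-xts-plain", 500 * 10**9),
                       ("aes-xts-plain", 3 * 10**12),
                       ("aes-xts-plain64", 3 * 10**12)]:
        print(f"{spec:16} {size / 10**12:4.1f} TB -> {check_spec(spec, size)}")
    s = (1 << 32) + 5
    print("plain   IV reused:", iv_plain(s) == iv_plain(5), "with sector", iv_reused_with(s, "plain"))
    print("plain64 IV reused:", iv_plain64(s) == iv_plain64(5))
```

Below 2^32 sectors the two generators produce byte-identical IVs, which is why they behave the same on smaller partitions.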
