
This is an old revision of the document!


Encryption

Your last edition (FCM#131) gave instructions on how to fully encrypt the entire drive rather than just the home partition, by using VeraCrypt.

Last year, I wondered whether one could replace VeraCrypt with LUKS, bearing in mind that Linux appears to natively support LUKS.

I attempted to do just this. After much help from others, I succeeded. This process encrypts both Linux and Grub — but not the very initial boot, for obvious reasons. (This unavoidable unencrypted initial point leaves open a tiny vulnerability.) The process requires UEFI on the machine.

For those who might find this interesting, I created the documentation on Ubuntu's Community Help: https://help.ubuntu.com/community/ManualFullSystemEncryption

Unfortunately, some issues make the process unsuitable for any but the most determined, and certainly not for the newbie. The most important follow.

• Grub and Ubuntu don't support this natively, making the installation process lengthy and manual. Easy, but long and fiddly.
• After a kernel update, you need to redo a small part of the installation (as documented in the Troubleshooting guide). Quick and easy, true, but irritating and easy to forget to do.
• Being unsupported, the instructions for new versions of Ubuntu might need revamping. It also means that the process for Ubuntu variants, such as Lubuntu, has some (minor) differences.
• The process encrypts only Linux, not Windows or any other distribution.

It might work far better (only on a modern machine because of extra required resources) to use a hypervisor such as Xen or KVM (so I understand), which in turn contains Windows, Ubuntu, Mac, and whatever other operating system you might need. By encrypting the hypervisor rather than the contained operating systems, this would simplify the encryption process dramatically. Unfortunately, I do not have the knowledge to do such a thing. (I hope that some enterprising reader has the skills to do this and to document it, thereby rendering my own discoveries excitingly redundant!)

I feel that Ubuntu should support full-disk encryption out of the box, especially given all the security concerns these days.

Even better than that, the computer manufacturer should support hardware-level encryption, eliminating the need to do this at all via software. It would also eliminate the initial unencrypted point that the software method requires. I hope that this happens soon.

In the meantime, I guess that VeraCrypt provides the only sensible method, especially with its cross-platform support. Let's hope that the developers support VeraCrypt for a long time.

And, now that I'm writing this, I've just realised how to include Windows and other operating systems in the encryption, again except for the UEFI partition.

Paddy Landau

Containers

Could be that you have already covered this and I have missed it (mea culpa, if so), but may I suggest you cover using containers to create flexible applications on Linux, in particular Web stacks? I got very tired of re-installing Ubuntu while building directly installed LAMP stacks as nearly identical as possible to those on various deployment hosts. I had to reinstall Ubuntu because I could not count on removing side effects left behind in the file system as I replaced one stack configuration with another. Encapsulating the LAMP components in containers prevented the problem, albeit at the cost of some added complication.

I thought I would have to work this out for myself, but I found that someone had beaten me to it with an excellent free-software solution. See devilbox.org for details.

Putting this into the form of a leading question, please ask readers how often they need to reinstall Linux because they have broken something that they do not know how to fix.

Jeff Wilson

issue132/courrier.1525083759.txt.gz · Last modified: 2018/04/30 12:22 by auntiee