11 September 2014

Installing Lubuntu 14.04 LTS with Full Disk Encryption

I'm going to walk through, complete with screenshots, my installing Lubuntu 14.04 LTS, a modified distribution of Ubuntu Linux that uses the lightweight LXDE desktop environment and OpenBox window manager.

The last time I installed a fresh copy of Ubuntu was probably when I wrote up Installing Windows 7 & Ubuntu UNR side-by-side on Dell Mini more than four years ago.  Before that, I installed Ubuntu on a desktop, which I upgraded to Lubuntu by installing the required packages but without uninstalling any of the Unity shell items from Ubuntu.

With the new LTS release of Lubuntu, I felt it's ready for conservative users like myself to install.  LTS means it has three years of long term support, which means I don't have to do any major upgrades for at least that long (of course, normal minor upgrades from week to week is still necessary).

A fresh install gives us a chance to clear out the cobwebs, idle packages that were installed but is no longer needed by us, etc.  It also gives us a chance to install it with full disk encryption (FDE), which was available before, but didn't seem quite ready for prime time for conservative users.

Let's begin!


1. Download it
Lubuntu can be downloaded for various CPU architectures as an ISO disc image file.  If you're installing on a virtual machine, that ISO can be mounted as a virtual DVD.  I'm installing on real hardware, so I have to either burn the ISO to a real DVD-R disc, or write it into a bootable USB drive.

2. Burn it
As I recall, I've tried the bootable USB method when I wrote up Installing Windows 7 & Ubuntu UNR side-by-side on Dell Mini, and that works fine.  I had some DVD+R discs to spare so I tried burning it to a real DVD disc instead using the Brasero software that was pre-installed with my old Ubuntu OS.

Next, I booted up my PC using the DVD.  This required my going into my BIOS during startup to choose the correct startup device.  You'll have to fiddle around with how it works with your PC's BIOS.  Macs, as I recall, require pushing the "c" key during startup with the disc already inserted, or else hold the mouse left button down to let you choose the startup disk (if I recall --- it's been so long ago on Macs for me).

Once the PC starts up, it'll ask you which language to use:


It'll next give you some menu options.  Choose "Check disc for defects" to make sure your burn of the ISO made it intact to the DVD-R disc.


3. Figure out a disk to install it on
Alright, decision time.  Which disk will you install Lubuntu on and thus become your startup disk?

If you already have Ubuntu installed on a disk somewhere, the Lubuntu installer will eventually give you choices to upgrade your existing Ubuntu installation, install Lubuntu side-by-side with your existing Ubuntu installation, etc.

Upgrading an existing install is probably the easiest, but in my opinion, the most dangerous if you have valuable data on your system and you value uptime.  What if the install screws up and now you don't have a bootable system?  What if it (or you) mess up and deletes all your data?  Recovery is just so painful an exercise.  Installing side-by-side has similar concerns.

As a conservative user, I'd rather do a clean install on an empty disk and not touch my existing disk if at all possible.  Not just an empty volume of the same physical disk, mind you, as even though that's a bit safer, you're still touching (and thus risking) that same physical disk.

Also, since we're installing with Full Disk Encryption, you'll want to start with a empty new disk anyway that is safe to delete and wipe clean.  It's always tricky to really delete everything from a file system currently being used, if security is a concern (and it is, if you're using FDE).

So instead, buy a new hard drive.  New drives are cheap and big, and a worthy upgrade maybe even for the price of less than Microsoft Windows professional (if I recall correctly what I paid last time).

Having made that decision, backup your data anyway.  Don't ask; just do it.

I opened my PC tower up, unplugged my old drive, and popped in the fresh new one.  We can migrate the old data afterwards.

4. Boot and Install it
Again, boot up the PC using the Lubuntu installation DVD.  Choose your language, and end up on the five items main menu as above.  This time, choose to "Try Lubuntu without installing".

Because we're about to install with full disk encryption.  There's an extra step we'll have to do due to a bug in the installer.

Once Lubuntu starts up, press Control+Alt+T to bring up a terminal.  Run the command sudo swapoff --all.  This will turn off the swap space, bypassing a bug in the installer.

Next, find on the desktop the lone install Lubuntu icon and open it.  You'll now face this:


Once again, choose your language.  Next, it'll perform some checks to see if your PC is okay for installing Lubuntu:


Notice the options to "Download updates while installing" and "Install this third-party software".  I checked them off to reduce the installation time by getting updates, and getting mainly MP3 music related software, while installing.

You'll need to have internet connection, of course.  If you need to log-in to you Wi-Fi, you'll need to click on the Wi-Fi logo in the "dock" menu bar to select the network you wish to log into:


Next up, it'll ask what you'll want to do to the disk you'll later choose to install on.  As far as I can tell, you choose what to do first, before choosing which disk to do it to (which in my mind is kind of backwards, but whatever):


The choice to do "something else" is daunting as it means you'll need to how to set up the disk, volumes, and partitions yourself.  But since we have a fresh empty disk to install to, we can just select the easy "Erase disk and install Lubuntu" option.

Also choose the "Encrypt the new Lubuntu installation for security" for Full Disk Encryption.  It'll automatically choose the other option to use LVM, the Linux Logical Volume Manager.

5. A word about FDE and LVM
You can use LVM without using FDE, but you cannot use FDE without LVM.  FDE in Lubuntu is done through the LUKS system, which is layered into your drive (to give the appearance of transparent encryption of the underlying disk) along with the LVM system.

If you're like me, and you grew up on learning to "low level" format disks and partition volumes on top of that, LVM is a bit of a layer cake.  In comparison, Apple's HFS+ is just an ingenious hack to extend on top of HFS on top of the regular formatting and partitioning going on underneath.  LVM takes that layering to the logical extreme, and you'll see it looks different when you open up the Disks utility in Lubuntu after installation is complete.

Basically, LVM lets you take some physical disks, format them, lay on top of the physical discs some physical partitions, group some physical partitions together into a physical volume, then group some physical volumes together into a volume group to be managed as though it were a disk in its own right.  You can then lay on top of the volume group some logical volumes, which can span more than one physical disk now, and each logical volume gets a filesystem that can be mounted at a mount point which the ordinary user sees as "a disk icon to store stuff".

LUKS inserts into the above layer cake a layer of encryption, somewhere between the physical partition and the volume group.  I'm not exactly sure what Lubuntu is using (I believe it is  LUKS on LVM), but either LUKS on LVM or LVM on LUKS are possible, if you're willing to do the hard work of formatting it yourself.

The other possibility is to encrypt only the home directory of individual users, rather than the whole disk.  This does not require LVM (although you can have LVM used if you like) and does not use LUKS.  Instead, this uses eCryptfs instead.

Either way, there are performance implications of about 20% (and up to 50% depending on the setup and tests involved).  If you do disk intensive operations (maybe video production?), this is quite a big hit, but for everyday usage, it's acceptable loss given the security and peace of mind you gain.

Note also that FDE vs Home Directory encryption protects against overlapping but ultimately different threats.  FDE will require that you type in a password to decrypt the disk to even boot up the PC, but once booted up, local users can see each other's files unless standard UNIX permissions are set correctly!

On the other hand, Home Directory encryption will let anyone boot up the PC (unless an easily bypassed BIOS password is set), but local users cannot see each other's files even if the UNIX permissions are set horribly wrong: because each user's files are encrypted separately by their own password.  However, if a user uses an application that is set up to store temporary files in the wrong (i.e. unencrypted) location, then sensitive data can leak out to temporary file storage, to outside the user's home directory, etc.

I suppose the very paranoid would use both, plus a TrueCrypt disk image to store extra sensitive files within sections of the home directory, but the hit on performance would be crazy.  So decide which threat you're more concerned about and just use the one that makes the most sense to you.

6. Finish the Install
After the last screen where we chose to use Full Disk Encryption, the next screen lets you choose which disk to use:


I only have one choice as I purposely physically unplugged all unrelated disks to safeguard them against the risk of accidental deletion.

The next screen just asks you to enter a long password or passphrase to encrypt the hard disk with.  Sorry, I forgot to take a screenshot.  Make sure you use a password that you can remember and is long enough to actually be secure.  If you lose this password, all your data is permanently lost.

There is also an option to erase the disk securely first before installing.  I presume it'll overwrite the disk with zeros to ensure old data are really deleted.  This will significantly increase installation time as writing out even just zeros can take forever when there are hundreds of gigabytes of them!  I did not select that option as the disk had no data of value.  Plus, you can always wipe the free space after the installation is done.

If you turned off the swap space as I said to do before, you'd bypass a bug in the installer that may bite us when you click on "install now".  If you didn't, and the bug bites, it'll say that "An unsafe swap space has been detected" and it's fatal error.  You'll have to go back to the beginning, turn off swap, and redo the steps above to set up the install again.

The next few screens are self-explanatory:




Here you got to make your first user account.  Again, make sure to use a secure password or passphrase.  Note you can encrypt the home folder, but of course we won't as that seems overly paranoid.

7. Coffee break time!
You've made it to the screen where the installer is actually going to do some real work installing, downloading updates, etc.  Feel free to walk away for a coffee.


But don't go too far, because if your internet is fairly fast, this will be done in no time at all.

8. Done. Let's test it.
When it's done, it'll ask you to restart the machine:


Go ahead, restart and test it out.  That's it!


9.1 Bug: Web browser icon crash
Try to click on the web browser icon in the "dock" menu bar area and see if it crashes.  It crashed my PC consistently.  No idea why.  The shortcut (x-www-browser) that the icon is for works just fine in the terminal.  I removed the icon and put in its place the Firefox shortcut icon instead, which works perfectly.


9.2 Bug: MAC address cloning fail
If you try to clone a MAC address, your system may not connect to the Wi-Fi network.  It's a known bug with some discussion of potential workarounds.

9.3 Bug: Wi-Fi icon missing
This bug is bothersome.  Try connecting to a Wi-Fi network and there's no network connectivity icon in or around the system tray, no icon to let you control whether to connect or not, etc.

If you use the "Manage networks" panel applet (as a workaround), you'll be very disappointed by how poorly designed the GUI is for that, and what little control you have over your Wi-Fi network.

The better solution is use nm-applet, which really should auto-start, but there's a known bug preventing that.  There's a discussion of a workaround, and there's another page with instructions and pretty pictures illustrating what to do.  Basically, just go to the "Default applications for LXSession" utility to manually set nm-applet to auto-start.

(Note: It would appear this bug has been patched and all you need to do after installing Lubuntu successfully is to update the software using the regular Software Updater.)

No comments: