Does LUKS also encrypt free space

disk-encryptionluks

I have moved to Ubuntu 12 and chosen to use full disk encryption (encrypted LVM).

So now I'm wondering: should I shred (eg: with secure-delete package, srm) the free disk space to remove any remnant windows might have left?

Is free disk space treated any different?

Best Answer

The standard recommendation, is that you over-write a disk/volume with random data before you setup luks. The Ubuntu installer will even offer to do this for you if you select the Expert mode. I don't believe the latest version will do this by default though, but I haven't actually tried it. This is often skipped/ignored because the process will take a long time.

But no, luks does not automatically fill or over-write blocks when it is setup.

Using the psuedo random generator in badblocks (badblocks -c 10240 -wsvt random /dev/<device>)is usually considered good enough and suggested as a good method to wipe a volume by most LUKS guides and HOWTOs.

Related Solutions

Ubuntu – Clarifications on encrypted LVM in Ubuntu, RAID1, and headless server

1 - When using encrypted LVM on Debian/Ubuntu a partition is created. DM-CRYPT is setup on that partition, and then a LVM volume is created within the encrypted DM-CRYPT volume. If you use it for all your partitions, then it basically is full disk encryption.
2 - Using the encrypted LVM, once the system is booted and the volumes are mounted everything after that is transparent. This does mean that if someone is able to remotely compromise your system while it is turned on and the drives are mounted, then they simply don't know or care about the encryption.
3 - Using software RAID with DM-CRYPT and LVM is easy. I have it setup on half a dozen boxes. Setup the RAID, then Setup an Encrypted volume on the RAID, then Setup LVM on the Encrypted Volume.
4 - I haven't found a good solution to this. I guess one thing you could do is come up with a IP-based KVM. That early SSH tool does look like it should work.
5
- Yes you can add them, it is pretty easy.
- Setup the RAID, run cryptsetup, create the LVM volume group. Update crypttab/fstab if you want things automatically mounted
- Moving a volume to another system is Linux system should be as easy as moving the physical drives and mounting them.

Just take some time to read the following docs. It is all pretty easy.

Ubuntu 13.10 – How to disable LVM and cryptsetup? cryptsetup: evms_activate is not available

I had the same problem and finally solved

The problem seems to be in update-initramfs that doesn't generate the initrd properly.

"evms_activate not found" means that the /sbin/evms_activate file is not created inside the initrd file by update-initramfs

So, my workaround consists in unpacking the not working initrd, and copy the evms_activate executable into /sbin/ from a working initrd file (probably getting one from a deb file of debian/ubuntu repositories), and packing initrd again.

In my case, I made the following steps.

We create two folders:

mkdir NOT_WORKING
mkdir WORKING

We copy the corrupted initrd to NOT_WORKING folder (in my case "initrd.img-3.4.94") and the working to WORKING (in my case "initrd.img-3.8.0-31-generic").

cp /boot/initrd.img-3.4.94 NOT_WORKING
cp initrd.img-3.8.0-31-generic WORKING

Unpack both initrd:

cd NOT_WORKING
mv initrd.img-3.4.94 initrd.img-3.4.94.gz
gzip -d initrd.img-3.4.94.gz
cpio -id < initrd.img-3.4.94
cd ..
cd WORKING
mv initrd.img-3.8.0-29-generic initrd.img-3.8.0-29-generic.gz
gzip -d initrd.img-3.8.0-29-generic.gz
cpio -id < initrd.img-3.8.0-29-generic
cd ..

We copy evms_activate

cp WORKING/sbin/evms_activate NOT_WORKING/sbin/evms_activate

And we pack initrd again

cd NOT_WORKING
mv initrd.img-3.4.94 .. #We don't want to pack an older initrd into the newer :p
find . | cpio --quiet -H newc -o | gzip -9 -n > /boot/initrd.img-3.4.94

Now the evms_active error should dissappear :)

Best Answer

Related Solutions

Ubuntu – Clarifications on encrypted LVM in Ubuntu, RAID1, and headless server

Ubuntu 13.10 – How to disable LVM and cryptsetup? cryptsetup: evms_activate is not available

Related Topic