The only way you could accomplish this is with lots of spare disk space, or two separate drives. With spare disk space, you could make a new partition large enough to hold what is currently used with some partitioning software, use rsync to copy all your data to the new partition, and then format/wipe/encrypt the old partition, and copy everything back.
If policy allows you to back up all your data to another hard drive, you could wipe/format/encrypt your disk, and then basically copy everything back.
That is a kind of dirty way of doing it. The /better/ way to do it would be to back up your home directory, the contents of /etc/ and any other place you might have custom configurations and so on, dump a list of packages installed on your system (dpkg -l > packages.txt), install the packages on your newly encrypted system, copy over your home directory, and move the configuration files where they need to go.
It's really not that time consuming to restore a Linux system to a previous state, as long as you prepare.
Copying everything from an old system (system files, packages you have installed, etc.) is not recommended, because there are bound to be breakages somewhere: in symlinks, hardlinks, and the /dev, /sys/ and /proc/ filesystems, not to mention all the ancillary logs and issues that might occur there, from a running system.
The first thing to remember is that the consultant isn't the one bearing the burden here in terms of both performance and bother. Unattended reboots will no longer be possible, and to avoid security compromises, there should be very few users who have the encryption password that allows the reboot. Blanket recommendations for encryption are often misplaced.
Data encryption protects against one specific attack scenario, and it's probably not the most likely vulnerability. Data encryption protects you against an attacker who physically walks out with your data drives. If you're concerned about this scenario, consider better physical safeguards - locking panels on the front of the rack, for instance.
Data encryption does not usually provide much protection against an attacker who compromises your web app over the wire. An attacker is most likely to have at least the same privileges as your web app, which include reading and writing to the database, even if it is encrypted on the disk.
Don't forget to account for the performance hit this is going to cause to your MySQL database. Reading and writing to the encrypted disks will be significantly slower. If you are already running into performance issues, this is likely to break things horribly.
MadHatter and JanC have given you good advice. As JanC said, it is possible to do this without wiping the machine, but for your purposes it doesn't sound necessary.
One other thing you need to remember to do is to encrypt your swap partition. To do that, you'll need to disable swap, reboot to make it go away, securely delete the swap partition, encrypt it, re-enable swap, and then restart the machine. I'm not quite sure how to set this up in Debian, but you'll need to enter the password fairly early in the boot process.
If you fail to encrypt the swap partition (and your /tmp dir and any other locations to which your apps may write), portions of your sensitive data will get written unencrypted to disk.
Best Answer
Ubuntu has supported install-time encryption using LUKS since at least 8.04. Use the alternate installer.