This is an excerpt from an install log notebook I kept when reinstalling my system that includes just the parts relevant to Dropbox.
This whole OS installation was precipitated by the fact that Dropbox dropped support for all Linux filesystems except for plain ext4, so it wasn't working with ecryptfs and LVM and all the default ways Ubuntu sets up the filesystem.
However, Dropbox does work with full-disk encryption and an ext4 filesystem. The technology for full disk encryption under Linux is LUKS.
The key things I need to make sure happen when setting up my partitions and installing the system are:
- Boot with UEFI
- Keep my Windows partitions
- Encrypt the disk
- Don't use LVM
Some reading helped me understand the pieces, but I didn't end up following these because they either had you use LVM or did the partitioning outside the installer:
- How can I install Ubuntu encrypted with LUKS with dual-boot?
- ManualFullSystemEncryption/DetailedProcess
It took me a little while to get my computer to boot from the USB drive. An Asus FAQ, Windows 10 - How to boot the system from USB drive/CD-ROM? ultimately helped me boot my system.
I had to make sure I was booting from the USB in UEFI mode. Otherwise, the Ubuntu installer wouldn't install the bootloader in the EFI partition.
When it got to the point of the installer where it asked me how I wanted to install Ubuntu, I selected the "do something else" option, which let me set up my partitions.
I deleted my old Ubuntu and swap partitions. Then I created three new partitions:
- Plain ext4 partition mounted as /boot.
- Encrypted partition
- Left empty space for swap - I'll have to set up swap later because otherwise the installer complains about swap not being encrypted
I then had to configure the ext4 partition in the encrypted disk to be mounted as /.
The partition table, which you can see with sudo fdisk -l, looks like this:
Disk /dev/sda: 238.5 GiB, 256060514304 bytes, 500118192 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disklabel type: gpt
Disk identifier: 04DD511D-51D3-4C7F-8F52-E7C84D74563D
Device Start End Sectors Size Type
/dev/sda1 2048 534527 532480 260M EFI System
/dev/sda2 534528 567295 32768 16M Microsoft reserved
/dev/sda3 567296 194204592 193637297 92.3G Microsoft basic data
/dev/sda4 194205696 195899391 1693696 827M Windows recovery environment
/dev/sda5 195899392 196429823 530432 259M Linux filesystem
/dev/sda6 196429824 484116479 287686656 137.2G Linux filesystem
Disk /dev/mapper/sda6_crypt: 137.2 GiB, 147293470720 bytes, 287682560 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
The mounted drives look like this:
mount | grep sda
/dev/mapper/sda6_crypt on / type ext4 (rw,relatime,errors=remount-ro,data=ordered)
/dev/sda5 on /boot type ext4 (rw,relatime,stripe=4,data=ordered)
/dev/sda1 on /boot/efi type vfat (rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro)
The Ubuntu installer doesn't let you create an encrypted swap partition, so I'm going to do it now. Maybe nowadays it's fine to not even have a swap partition, especially since I never use hibernate-to-disk and it's hard to set that up with encrypted swap. The Ubuntu Swap FAQ even says that swap files are just as fast as swap partitions. However, I left space for a swap partition, so I might as well use it.
After booting the system, I used gnome-disk-utility (this shows up as just "Disks" in Gnome) to create a swap partition on the remaining space.
This is what the partition table looks like after creating this partition, via fdisk -l:
Device Start End Sectors Size Type
/dev/sda1 2048 534527 532480 260M EFI System
/dev/sda2 534528 567295 32768 16M Microsoft reserved
/dev/sda3 567296 194204592 193637297 92.3G Microsoft basic data
/dev/sda4 194205696 195899391 1693696 827M Windows recovery environment
/dev/sda5 195899392 196429823 530432 259M Linux filesystem
/dev/sda6 196429824 484116479 287686656 137.2G Linux filesystem
/dev/sda7 484116480 500117503 16001024 7.6G Linux swap
I installed ecryptfs-utils in order to be able to run the ecryptfs-setup-swap command:
sudo apt install ecryptfs-utils
I then ran these commands:
sudo swapon /dev/sda7
sudo ecryptfs-setup-swap
When running ecryptfs-setup-swap I got the following warning:
swapon: cannot open /dev/mapper/cryptswap1: No such file or directory
swapon: stat of /dev/mapper/cryptswap1 failed: No such file or directory was pretty helpful in guiding me about what I should try next.
I rebooted and, based on running swapon -s, it seemed like the system was still using a swapfile.
I looked at /etc/crypttab and noticed that there were lines for both a swapfile and the swap partition. The line for the swapfile was first, so maybe that clobbered the other one. I deleted this line from /etc/crypttab:
cryptswap1 /swapfile /dev/urandom swap,offset=1024,cipher=aes-xts-plain64
After rebooting again, I ran swapon -s to confirm that the swap partition was being used.
I then deleted the old swapfile:
sudo rm /swapfile
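A check for the /etc/crypttab situation described above, as an added example that is not part of the original log: it lists every entry with the swap option and flags mapping names that are defined more than once. The sample file is constructed; only the /swapfile line comes from the log, and the sda6_crypt and /dev/sda7 lines (including the shared name cryptswap1) are assumptions.

```shell
#!/bin/sh
# Added example: audit a crypttab for the swap problem described in this log.

# Constructed sample. The /swapfile line is the one quoted in the log; the
# sda6_crypt and /dev/sda7 lines are assumed forms, not copied from the system.
sample_crypttab() {
    cat <<'EOF'
# <name> <source device> <key file> <options>
sda6_crypt UUID=00000000-0000-0000-0000-000000000000 none luks
cryptswap1 /swapfile /dev/urandom swap,offset=1024,cipher=aes-xts-plain64
cryptswap1 /dev/sda7 /dev/urandom swap,offset=1024,cipher=aes-xts-plain64
EOF
}

# Print "name source keyfile" for every entry carrying the "swap" option.
# Each such source is reformatted as swap (mkswap) when the mapping is set up.
crypttab_swap_entries() {
    awk '
        /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
        $4 ~ /(^|,)swap(,|$)/ { print $1, $2, $3 }
    ' "${1:-/etc/crypttab}"
}

# Print "name: source, source" for every mapping name defined more than once.
crypttab_duplicates() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            count[$1]++
            src[$1] = (count[$1] > 1 ? src[$1] ", " $2 : $2)
        }
        END {
            for (n in count)
                if (count[n] > 1) printf "%s: %s\n", n, src[n]
        }
    ' "${1:-/etc/crypttab}"
}

# Demo on the constructed sample; pass no argument to check /etc/crypttab.
tmp=$(mktemp)
sample_crypttab > "$tmp"
echo "swap entries:";    crypttab_swap_entries "$tmp"
echo "duplicate names:"; crypttab_duplicates "$tmp"
rm -f "$tmp"
```

Because a swap entry has its source reformatted at boot, it is worth confirming that every source listed is one that is meant to be overwritten.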