- Last update:

Yes, Privacy Matters

Regarding privacy, get the right tools and build a powerful computer, with a Linux-based OS

🕒 7 min read

Category: Linux

Tags: privacy, security, linux, gnu, ssh, free software, open source, ubuntu, exerbo, xubuntu

"Si ! vous avez quelque chose à cacher"

"La surveillance sur Internet - Fabrice Epelboin - Web2day 2014"

If you do care about your privacy, you'd better read what follows carefully ;). Basically, some rules of thumb to avoid common pitfalls and a few tricks to take care of your privacy as much as possible.

Before starting reading this article, you might be interested in this webpage, a full documentation about how encryption works with Linux.

Secure your computer and encrypt (part of) your local hard disk drive

First, set all possible BIOS passwords (usually one for the administrator and one for user(s); each password will give different rights for the BIOS, for example sensitive settings will be accessible to the administrator only).

Secondly, set HDD passwords from the BIOS panel (again, one for admins, one for user, both have the same purpose and rights: they kind of unlock the HDD, allowing it to be read and written).

Full disk encryption

Then, to encrypt your whole disk, you have 3 options:

  1. Use the *Ubuntu built-in installer to encrypt the whole disk, erasing EVERYTHING on the disk.
  2. Use the *Ubuntu built-in installer with Gparted to encrypt the whole disk, more flexible (select something else).
  3. DIY. It allows you to keep a dual boot installation.

I would recommend going with the 1., but if you're interested, have a deeper look at thoses 3 options. Here is another tutorial to do it with Debian (not a *Ubuntu disto).

In any case, here is how to write a new Xubuntu image on a USB stick:

lsblk # To identify the USB stick
sudo dd if=/home/user/Downloads/xubuntu-15.10-desktop-amd64.iso of=/dev/sdb \
    bs=1M && sudo sync

Please notice that with LUKS encryption, your computer is still vulnerable as long as you have a boot partition unencrypted.

/home encryption (using the filesystem called eCryptfs)

Do it while installing your fresh new *Ubuntu. Otherwise, you can still do it later using ecryptfs-migrate-home.

Encrypt external HDD with dm-crypt and LUKS

  1. Find the correct device (eg. /dev/sdb1 as a second internal SATA-HDD) and umount it:

    sudo aptitude update ; sudo aptitude install cryptsetup
    sudo modprobe dm-crypt sha256 aes # Enable modules, might be already done
    sudo umount /dev/sdb1
    sudo dd if=/dev/urandom of=/dev/sdb bs=4K # Optional, add obfuscation
  2. Create one big partition using the whole space (system must be Linux):

    sudo fdisk /dev/sdb
  3. Encrypt the partition using LUKS:

    sudo cryptsetup --verify-passphrase -c aes-xts-plain64 -s 512 \
         -h sha256 luksFormat /dev/sdb1 # 512-bit AES encryption
         # with 256-bit SHA hashing algorithm
  4. Create the filesystem:

    sudo cryptsetup luksOpen /dev/sdb1 myhdd
  5. Format it and test mounting:

    sudo mkfs.ext4 /dev/mapper/myhdd -L <LABEL> -m 1
    # -m specifies the percentage of the filesystem blocks reserved
    # for the super-user
    mkdir /mnt/hdd
    mount /dev/mapper/myhdd /mnt/hdd
    df -H
    umount /mnt/hdd
  6. Close container:

    sudo cryptsetup luksClose /dev/mapper/myhdd
    sudo eject /dev/sdb
  7. Optional step, after disconnecting and reconnecting the device:

    sudo chown user:user /media/disk

You can check the partition using

fsck -vy /dev/mapper/myhdd

Finally, you might want to backup the LUKS headers or add or change keys (passwords), if so look some keywords up on the Internet, like cryptsetup plus luksHeaderBackup or luksHeaderRestore or isLuks or luksDump or luksAddKey or luksRemoveKey.

Automount encrypted HDDs with LUKS on bootup

In /etc/crypttab, add:

mycryptedhdd    UUID=00000000-0000-0000-0000-000000000000   none    luks,tries=3

You can find the UUID using blkid /dev/sdb. You can also directly enter the path /dev/sdb. none means there's no keyfile, you'll have to type the password. tries is the number or tries you have.

Then, in /etc/fstab, add:

/dev/mapper/mycryptedhdd     /mnt/mounteddirectory    ext4      defaults    0   0

mycryptedhdd must be the same name used as before. /mnt/mounteddirectory is where the encrypted disk will be available. ext4 is the filesystem used on the disk (see step 5). First 0 means the device will not be backed up by the dump utility, second 0 means the device will never be automatically checked by the fsck utility.

You're good!

Encrypt what you put on Cloud Storages

This part is inspired from this blog post. I highly recommend encrypting content put online, should it be on proprietary platforms such as Google Drive ou Dropbox, or even on ownCloud.

sudo apt-get install ecryptfs-utils
sudo modprobe cryptfs # Optional
mkdir ~/Dropbox/Encrypted # This directory will be put online; its content is encrypted
mkdir ~/SecureDropbox # You'll put your unencrypted files here
sudo mount -t ecryptfs ~/Dropbox/Encrypted ~/SecureDropbox
# Choose a passphrase (which will act as a password), aes 32 bytes.
# Disable plaintext passthrough. Filename encryption might be useful. I would enable it.

Filename encryption might require another last command to be run, if your content is shared on more than one computer:

ecryptfs-add-passphrase --fnek

Encrypt one single file


openssl aes-256-cbc -in yourfile.txt -out file.enc
# OR
gpg -c filename


openssl aes-256-cbc -d -in file.enc -out yourfile.txt
# OR
gpg filename.gpg

Free alternatives to proprietary software


Web browser

Text editor

Video editing

Graphics editor

Further reading