*** This bug is a security vulnerability ***

Public security bug reported:

Hi,

as far as I understand, the "Encrypt the new Ubuntu installation for
security" option in the Ubuntu installer is meant to provide full disk
encryption.

However, when using that option, it seems as if the encryption
finishes instantly; it literally does not seem to take any time at
all.

When using BitLocker on Windows to encrypt the entire disk, it can take
hours to fully encrypt the disk, even on SSDs. With BitLocker and other
encryption tools like DiskCryptor or TrueCrypt for example, there's also
a progress indicator, which shows how much of the disk is encrypted
already.

Why is that not the case with the "Encrypt the new Ubuntu installation
for security" option in the Ubuntu installer?

Even on my 1 TB SSD the encryption seems to be set up instantly and
there's no progress indicator whatsoever.

How's that possible?

Someone on the forum said:

> http://ubuntuforums.org/showthread.php?t=2330425&p=13516293#post13516293
>
> Data doesn't become encrypted until written

But if that were true, then the "Encrypt the new Ubuntu installation
for security" option in the installer is not full disk encryption at
all.

If he is correct, then it does not encrypt the entire disk. It only
encrypts used disk space. The empty space is not encrypted then.

At least with BitLocker you have the option to choose between encrypting
used disk space only or encrypting the entire disk; see the following
screenshot for example:

https://i-technet.sec.s-msft.com/en-us/windows/jj983729.bitlocker-screen(en-us,MSDN.10).jpg

On the forum it was also mentioned that:

> http://ubuntuforums.org/showthread.php?t=2330425&p=13516293#post13516293
>
> If you want to randomly initialize the storage areas PRIOR to writing
> anything, that will take some. I seem to recall it being an optional
> checkbox for the installation.

And, indeed, there is a "For more security: Overwrite empty disk space
(The installation might take much longer.)" option on the next screen
after the screen which has the "Encrypt the new Ubuntu installation for
security" option.

Now, the question is: If that option is checked, does it just overwrite
the empty disk space? Or does it also encrypt it?

I was assuming that it only overwrites it with zeros before encrypting
it. I was assuming that the entire disk would be encrypted anyway using
the "Encrypt the new Ubuntu installation for security" option, regardless
of the "For more security: Overwrite empty disk space (The installation
might take much longer.)" option.

Regards
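
Added example, not part of the original report and not the installer's code: a small model of the behaviour the forum quote describes, where only sectors written through an encryption layer hold ciphertext on the raw device, plus an entropy scan that tells such sectors from never-written ones. The cipher is a toy stand-in, and `EncryptedVolume`, `fill_unused` and `classify` are hypothetical names; that the fill goes through the encryption layer is an assumption, and is exactly what the report asks about.

```python
import hashlib
import math
from collections import Counter

SECTOR = 512

def entropy(block: bytes) -> float:
    """Shannon entropy of a sector, in bits per byte."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def toy_encrypt(key: bytes, sector_no: int, plaintext: bytes) -> bytes:
    """Stand-in per-sector cipher (SHA-256 keystream); not real disk crypto."""
    stream = b"".join(
        hashlib.sha256(key + sector_no.to_bytes(8, "little") + bytes([i])).digest()
        for i in range(SECTOR // 32))
    return bytes(p ^ s for p, s in zip(plaintext, stream))

class EncryptedVolume:
    """Hypothetical model: an encryption layer over a raw device."""
    def __init__(self, raw: bytearray, key: bytes):
        self.raw, self.key = raw, key
    def write(self, sector_no: int, plaintext: bytes) -> None:
        # Only a write puts ciphertext on the raw device.
        off = sector_no * SECTOR
        self.raw[off:off + SECTOR] = toy_encrypt(self.key, sector_no, plaintext)
    def fill_unused(self, used: set) -> None:
        # Assumption: zeros are written *through* the layer, so they land as ciphertext.
        for s in range(len(self.raw) // SECTOR):
            if s not in used:
                self.write(s, bytes(SECTOR))

def classify(raw: bytes, threshold: float = 7.0) -> dict:
    """Count raw sectors that look like ciphertext vs. low-entropy ones."""
    result = {"random": 0, "low_entropy": 0}
    for off in range(0, len(raw), SECTOR):
        high = entropy(raw[off:off + SECTOR]) >= threshold
        result["random" if high else "low_entropy"] += 1
    return result

def demo():
    raw = bytearray(64 * SECTOR)  # constructed 64-sector device, all zeros
    vol = EncryptedVolume(raw, b"constructed-key")
    used = set(range(8))
    for s in used:
        vol.write(s, (b"file data %d " % s).ljust(SECTOR, b"."))
    before = classify(raw)
    vol.fill_unused(used)
    return before, classify(raw)
```

In the model, setup is instant because nothing is written until data arrives; the low-entropy count before the fill is what an observer of the raw device could use to tell used from unused space.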

** Affects: ubiquity (Ubuntu)
     Importance: Undecided
         Status: New

** Information type changed from Public to Public Security

** Description changed:

  Hi,
  
  as far as I understand, the "Encrypt the new Ubuntu installation for
  security" option in the Ubuntu installer is meant to provide full disk
  encryption.
  
  However, when using that option, it seems like as if the encryption
  would finish instantly, it literally does not seem to take any time at
  all.
  
  When using BitLocker on Windows to encrypt the entire disk, it can take
  hours to fully encrypt the disk, even on SSDs. With BitLocker and other
  encryption tools like DiskCryptor or TrueCrypt for example, there's also
  a progress indicator, which shows how much of the disk is encrypted
  already.
  
  Why is that not the case with the "Encrypt the new Ubuntu installation
  for security" option in the Ubuntu installer?
  
  Even on my 1 TB SSD the encryption seems to be set up instantly and
  there's no progress indicator whatsoever.
  
  How's that possible?
  
  Someone on the forum said:
  
  > http://ubuntuforums.org/showthread.php?t=2330425&p=13516293#post13516293
- > 
+ >
  > Data doesn't become encrypted until written
  
  But if that would be true, then the "Encrypt the new Ubuntu installation
  for security" option in the installer is not full disk encryption at
  all.
  
  If he is correct, then it does not encrypt the entire disk then. It only
  encrypts used disk space. The empty space is not encrypted then.
  
  At least with BitLocker you have the option to choose between encrypting
  used disk space only or encrypting the entire disk, see following
  screenshot for example:
  
- https://i-technet.sec.s-msft.com/en-...s,MSDN.10).jpg
+ https://i-technet.sec.s-msft.com/en-us/windows/jj983729.bitlocker-screen
+ (en-us,MSDN.10).jpg
  
  On the forum it was also mentioned that:
  
  > http://ubuntuforums.org/showthread.php?t=2330425&p=13516293#post13516293
- > 
- > If you want to randomly initialize the storage areas PRIOR to writing 
anything, 
+ >
+ > If you want to randomly initialize the storage areas PRIOR to writing 
anything,
  > that will take some. I seem to recall it being an optional checkbox for the 
installation.
  
  And, indeed, there is a "For more security: Overwrite empty disk space
  (The installation might take much longer.)" option on the next screen
  after the screen which has the "Encrypt the new Ubuntu installation for
  security" option.
  
  Now, the question is: If that option is checked, does it just overwrite
  the empty disk space? Or does it also encrypt it?
  
  I was assuming that it only overwrites it with zeros before encrypting
  it. I was assuming that the entire disk would be encrypted anyway using
  the Encrypt the new Ubuntu installation for security" option, regardless
  of the "For more security: Overwrite empty disk space (The installation
  might take much longer.)" option.
  
  Regards

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1602155

Title:
  "Encrypt the new Ubuntu installation for security" option does not
  seem to provide proper full disk encryption?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubiquity/+bug/1602155/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
