I’m upgrading my laptop to hardy today, as I’m giving a presentation on Ubuntu and Hardy tomorrow at the Trenton Computer Festival — I’ve been running Hardy for months, but I like reinstalling after release, as I get rid of all the junk in the corners, and make sure all the important stuff gets enabled. I set up my desktop with Hardy already, as I usually have that at our table showing the latest and greatest desktop effects on dual lcd monitors.
When I installed Gutsy on my laptop, I used the new-fangled encrypted partitions system. I didn’t encrypt the whole drive — I like to keep my home directory separate from everything else, and that includes encryption — instead, I did the following:
- /boot, ext2
- / , ext3
- encrypted partition 1, lvm 1
- encrypted partition 2, lvm 2
Then in lvm 1:
- /var, ext3
- /tmp, ext2
- swap
and in lvm 2:
- /home, ext3
and then, all done. When I started up the machine, I was prompted for 2 passwords — one for each encrypted partition — , but other than that, I had what I wanted. Encrypted home, encrypted var, tmp, and swap, and everything else unencrypted (because it doesn’t need to be, and there’s no reason to slow it down).
So, today, using the alternative install CD, I set up my partitions exactly as they are. It prompted me for my passwords when I configured my encypted partitions, did its stuff, etc. Then I selected to use them as lvm groups, and figured i was ready to go.
It wasn’t until I stared at blank LVM groups that I realized when I entered my password, it was asking for the password for my new encrypted partitions. That it was making. While it was erasing all my data.
My first reaction: a loud shriek. Ever see those cheesy slasher films, where some woman runs screaming through the forest? That was me.
My second reaction was to go through a mental inventory of what I erased. Upon recall, I remembered that I backed up my home partition to an external about a month ago. Besides that, I keep my password lists on a remote server as an encrypted file, my senior project is kept in a subversion repository remotely, and I haven’t done much else important in the past month. I also moved tomorrow’s presentation to a flash stick, so I could work on it on my desktop (which I’m writing this on right now). In total, I lost:
- my xorg.confs
- my script to change symlinks back and forth for glx, depending on whether i was using intel or nvidia
- my cool php script to check an ubuntu cd’s md5sums.txt agaist my derived md5s
- my notes from my friend’s Orpheus game.
Overall, not very much, but I dodged a bullet. Nonetheless, as usual, back up your data before a reinstall — especially if you did something similar to what I did. The alternative installation CD is a fickle diety, and her wrath will be upon thee if you did not do full disk encryption. Next release, I think I’ll play it safe and configure my encrypted stuff manually.
JoeTerranova.net Print This Post
Andreas Kostyrka | 26-Apr-08 at 3:30 pm | Permalink
That’s basically logical.
To setup a secure encrypted partition,
you need to overwrite the whole partition, or else an attacker can at least guess which blocks are in use and which not.
Ubuntu being Ubuntu, the installer does that step for you.
Personally, I found it slightly irritating, because if you know what you are doing, you don’t necessary need it.
(E.g. you will be filling the disc anyway with content.)
Andreas