LiquidFiles Documentation

Full Disk Encryption

This article outlines how to encrypt the filesystem on an Ubuntu-based LF v4.x appliance. The setup uses LVM and LUKS to encrypt your hard drive. The encryption used by Ubuntu is the Advanced Encryption Standard (AES) with a 256-bit key, a standard that is widely recognized for its strength and resilience against brute-force attacks. Before you start, please be aware of a couple of important caveats:

  • It will most likely cause noticeable performance degradation. Depending on what you use LiquidFiles for, network speed, system load and how critical transfer speeds are, this may or may not be a problem.
  • You will need to type a long random password on the console every time the machine boots, or reboots. There’s no way around this while still maintaining security.
  • It will prevent things like filesystem expansion. If you want to change the disk size, you will have to re-install the system and migrate the data across.

How to configure disk encryption

When installing LiquidFiles, please select the custom storage option as shown in the boot menu.

Custom storage boot menu option

Proceed with Install

Proceed with installation

In the Guided storage configuration, select the "Encrypt the LVM group with LUKS" option and enter your passphrase. Please make sure that it's a good random phrase.

LUKS encryption passphrase configuration

Next you will be directed to the partitioning page with a pre-populated LVM partition. If you check, you will see that there is a default logical volume mounted which is not encrypted (ubuntu-lv). We need to unmount and delete it.

Unmounting pre-populated LVM partition Deleting auto-created logical volume

After we have deleted the ubuntu-lv we are ready to create the new encrypted Logical Volume.

Creating new encrypted logical volume Setting logical volume to maximum size

When you are done, your partitions should look like this.

Encrypted partition layout summary

When you're finished, please click Done and confirm to start the installation.

Confirm installation dialog Installation progress screen

The installation will take some time. When the installation is completed, you can optionally check the full log and then reboot the server.

Note: Before the reboot, please double check that there are no spinning elements on the screen indicating that the installation is still running.

Installation completed with log option Installation log details Reboot server after installation

From now on, every time the server boots, you will be prompted to enter the passphrase.

Boot passphrase unlock prompt
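
Once the server has booted and been unlocked, you can confirm from a shell that the root filesystem really sits on a logical volume inside a LUKS container. The script below is an added example, not part of the LiquidFiles documentation or product; it assumes the standard util-linux tools `findmnt` and `lsblk` are available, and the script name and sample device names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not LiquidFiles code): verify that a filesystem's block
# device chain is LVM on top of a LUKS (dm-crypt) mapping.

# luks_verdict: reads `lsblk -srno NAME,TYPE <device>` output on stdin.
# That listing is inverse: the mounted device first, the physical disk last.
# Prints "encrypted" (status 0) only if the first entry is an lvm volume and
# a crypt mapping appears beneath it; otherwise "unencrypted" (status 1).
luks_verdict() {
    awk '
        NR == 1 && $2 == "lvm"          { lvm = 1 }
        NR > 1  && $2 == "crypt" && lvm { ok = 1 }
        END { if (ok) { print "encrypted" } else { print "unencrypted"; exit 1 } }
    '
}

# check_mount: live check for one mount point (default /). Run on the appliance.
check_mount() {
    src=$(findmnt -no SOURCE "${1:-/}") || return 2
    lsblk -srno NAME,TYPE "$src" | luks_verdict
}

# Constructed sample listings (device names are illustrative, not from the page).
sample_encrypted() {
    printf '%s\n' 'vg0-root lvm' 'dm_crypt-0 crypt' 'sda3 part' 'sda disk'
}
sample_plain() {
    printf '%s\n' 'vg0-root lvm' 'sda3 part' 'sda disk'
}

# Usage: ./check-luks.sh --live [mountpoint]   (hypothetical script name)
if [ "${1:-}" = "--live" ]; then
    check_mount "${2:-/}"
fi
```

A result of "unencrypted" for `/` means the default unencrypted logical volume was not replaced during the partitioning step.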

There’s no way of recovering the encryption key. If you lose it, you will lose your data.

There’s no way of automating the boot. You have to enter the encryption key on the console every time.

Also, please note that you won't be able to expand the disk after it's been encrypted. If you want to expand the disk, you will have to re-install the system and migrate the data over.