installation - Fresh install on SSD with Ubuntu and Windows Vista, using whole disk encryption for Ubuntu

  • nategator

    I would like to do a fresh install on an OCZ Vertex Plus R2 SSD 60GB drive I purchased on the cheap. Since the AES-encryption looks like it may not work optimally for this drive, I would like to set up a dual-boot to Windows Vista (the only Windows copy I have for clean install purposes) and Ubuntu 12.04 with the best encryption scheme possible. My plan is to have Windows around just in case I need to use a program that won't work with Wine and Ubuntu as my daily OS with all of my information secured in case the laptop is ever stolen or sold. Although this setup will not provide a lot of space, I think I can squeeze both OSes and have enough for second-computer office tasks. So, my questions are:

    1. Which OS should I install first, Ubuntu or Vista?

    2. Any special considerations when partitioning the drive?

    3. How should I install Ubuntu to ensure full disk encryption for the Linux partition(s) and/or my daily computing?

    4. Is there a significant performance upgrade with doing a solo install of Ubuntu instead of a dual boot setup? Will TRIM, for example, work correctly?

    5. Are there any significant security concerns with going the route of a dual-boot, other than the fact that any activity on Windows may be fully recoverable if the drive is stolen or sold?

    Thanks in advance!

  • Answers
  • Histo

    1) Install Windows first

    2) I would recommend just encrypting your /home directory since this functionality is built directly into the installer and is easy for new users to set up.

    3) See #2

    4) No performance difference with dual-booting; just avoid using WUBI.

    5) Make sure your /home where all your user data is stored is encrypted.

  • Related Question

    How do I set up Full Disk Encryption on an SSD?
  • Chad

    I have a new Lenovo Thinkpad with an Intel SSD. I want to set up full disk encryption with pre-authentication boot. From reading I see there is a Guided Setup with Encryption option on the alternate CD installer. If I select this and follow the prompts, will I be all set? Are there any specific partitions or anything I need to create? Are there any special things I need to do before, during, or after installation because I'm installing on an SSD and not on an HDD?

    The Thinkpad came preinstalled with Windows 7. I will be installing Natty Narwhal on the whole disk. I will not be dual-booting.

  • Related Answers
  • Dustin Kirkland

    There are no special considerations at all for SSD versus spinning HDD.

    And if you're comfortable using the Ubuntu Alternate Installer, it's fairly straightforward to set up full disk encryption.

  • chmac

    There are some performance considerations when using full disk encryption on an SSD. Here's an excerpt that explains the underlying issue nicely:

    You write in pages (4KB) but you can only erase in blocks (128 pages or 512KB); thus SSDs don't erase data when you delete it, only when they run out of space to write internally. When that time comes, you run into a nasty situation called the read-modify-write. Here, even to just write 4KB, the controller must read an entire block (512KB), update the single page, and write the entire block back out. Instead of writing 4KB, the controller has to actually write 512KB - a much slower operation.

    As discussed at great length in this masterpiece on SSD performance, SSD performance drops over time as the disk fills up, as explained above. Typically, when setting up full disk encryption, the entire disk is filled with random data so as to obscure the encrypted data from the free space. This, as I understand it (and I'm certainly no expert), means that using full disk encryption, one immediately goes to the worst-case performance of the drive.

    So, understand that the performance hit of encryption on an SSD will be far more potent than on a regular spinning drive.

    Second, because of the way data is read / written, again as above, the standard methods for securely deleting files (like the shred utility) don't apply to SSDs. If you're using full disk encryption from the beginning, no problem. But if you already have unencrypted data on the drive, you need to be careful to ensure you fully zero the drive first. I'm not sure how that is done, but I think it's discussed in the masterpiece.

    Fundamentally, SSDs function in a totally different way to traditional spinning disks. The bulk of encryption software, secure deletion tools, and guidelines, assume that disks are made of spinning platters. That doesn't apply to the world of SSDs.

    My advice to somebody starting out with full disk encryption on an SSD would be two-fold.

    First, either start with a clean drive, or carefully zero it before you begin.

    Second, under-partition the drive. So partition 80%, or as little of the drive as you can get away with. The additional free space can help to maintain drive performance. It does depend on the specific drive, so you could research the details for the exact drive you have and so on, but as a general principle, it can dramatically extend the life of the drive.

    Thirdly, and I realise I said two-fold, understand that full disk encryption will simply massacre SSD performance. Personally, that's a trade-off I'm willing to make for the security that full disk encryption affords me, but there are alternatives, such as an encrypted home directory in Ubuntu. That type of encryption will likely perform much better on an SSD, although it does have other issues worth considering.
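
An added example, not part of chmac's answer or the article it quotes: a toy page-mapped flash translation layer with greedy garbage collection, using the 128-page erase block from the excerpt, that compares write amplification when the whole advertised capacity is filled once (as a random-data pass does) against a drive partitioned to 80%. The 7% hidden factory spare, the 64-block size, the uniform random overwrite workload and the premise that the unpartitioned area has never been written are assumptions chosen for illustration.

```python
import random
PAGES_PER_BLOCK = 128  # from the excerpt: 128 x 4KB pages per 512KB erase block

def write_amplification(partitioned, blocks=64, factory_spare=0.07, writes=50_000):
    """Flash page writes per host page write on a toy page-mapped SSD.
    factory_spare, blocks and the uniform workload are assumed values."""
    logical = int(partitioned * (1 - factory_spare) * blocks * PAGES_PER_BLOCK)
    if not 0 < logical < (blocks - 1) * PAGES_PER_BLOCK:
        raise ValueError("need at least one spare block for garbage collection")
    rng = random.Random(1)                 # fixed seed: repeatable runs
    live = [set() for _ in range(blocks)]  # live logical pages in each block
    used = [0] * blocks                    # pages programmed since last erase
    where = {}                             # logical page -> block holding it
    free = list(range(blocks))
    active, flash_writes = free.pop(), 0

    def program(lpn):
        nonlocal active, flash_writes
        if used[active] == PAGES_PER_BLOCK:
            active = free.pop()
        if lpn in where:
            live[where[lpn]].discard(lpn)  # old copy goes stale, not erased
        live[active].add(lpn)
        where[lpn] = active
        used[active] += 1
        flash_writes += 1

    def collect():
        # Greedy GC: erase the block with the fewest live pages, rewrite them.
        victim = min((b for b in range(blocks) if b != active),
                     key=lambda b: len(live[b]))
        movers = list(live[victim])
        live[victim].clear()
        used[victim] = 0
        free.append(victim)
        for lpn in movers:
            program(lpn)

    for lpn in range(logical):             # one-time fill, e.g. random data
        program(lpn)
    flash_writes = 0                       # count only the overwrite phase
    for _ in range(writes):                # later random 4KB overwrites
        while not free:
            collect()
        program(rng.randrange(logical))
    return flash_writes / writes

if __name__ == "__main__":
    print({share: round(write_amplification(share), 2) for share in (1.0, 0.8)})
```

In this model the fully filled drive shows clearly higher write amplification than the 80% one, because garbage collection finds fewer stale pages per erased block and has to copy more live data each time.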