Encrypted Ubuntu 14.04 File / LAMP Server

Question

I have a question regarding the safest method to encrypt a file and/or a LAMP server using Ubuntu 14.04.

When manually partitioning the disk, I chose the following:

/boot - 256 MB
/     - 51.4 GB (sda2_crypt)
swap  - 2 GB    (sda3_crypt)

The system boots and prompts me for my encryption password for both the root (/) and swap partitions.

My question is:

How secure is this system if I were to lose control of root partition (ie - someone steals this server)? I realize the boot loader is NOT encrypted - will someone realistically be able to retrieve the data on the root filesystem?

The scenario is that there is a lot of sensitive data I wish to keep encrypted using Ubuntu's built-in encryption. And if someone were to steal it, I am hoping the data would remain safe.

CAVEAT: I realize that with enough time, and physical access to any system, someone could retrieve data from the system. My question, is this a "safe" setup based on the fact that the /boot partition is NOT encrypted, and, without a significant effort to decrypt, is the data still safe?

Answer 1

It is secure enough but at the same time is not. Without the passphrase is not possible to unencrypt the data (of course there is a catch an a possible way to recover it. See this howto) If boot is encrytped, the system can't boot as it won't be possible to load the kernel nor init needed drivers such as filesystem, etc.

Anyway, always think encryption as buying time in order the data to be useless when already decrypted. For instance, I have sensitive information in my encrypted laptop HD such as passwords saved and ssh keys. If my laptop were lost/stolen, I will change all of them and not only relay on that encryption can't be broken (because eventually it would be)

If you data is that sensitive, pay a safer location for your server in order not to be physically stolen. Encryption is just another layer of security, but not a silver bullet (depending on the paranoid level the information deserves)