Use DM-Crypt For Full Disk Encryption

The alternate installation CD for Ubuntu and Kubuntu allows you to set up encrypted partitions using DM-Crypt.

The "easy" method will install a single partition using the Ext3 file system (and a small /boot partition).
The "Manual" method will allow you to use multiple partitions and more importantly, allow you to change the
file system type of the partitions.


The "easy" method of installing an encrypted version of Ubuntu...

Insert the Ubuntu/Kubuntu/Xubuntu Alternate CD and go through the installation process
until you reach the Partition Disks section...


Partition Method:
Select [Guided - use entire disk and set up encrypted LVM] (not default)

Select disk to partition [Select your hard drive] (usually default)

Write the changes to disks and configure LVM [Yes] (not default)

Enter your passphrase, then [Yes]

Re-enter your passphrase, then [Yes]

Write changes to disk [Yes] (not default)

Continue through the standard installation process.

---

The "manual" method of installing an encrypted version of Ubuntu...

note:
You can easily change the values to suit your requirements.
In this working example, we will create:
200MB unencrypted /boot partition (necessary)
10GB root (/) partition
the rest of the disk as a /home partition
No swap partition

---

Partition Disks
Partition Method: [Manual] (not default)

Create an unencrypted 200MB /boot partition...

Select disk to partition 
[Select your hard drive] (usually default)

[Create a new partition]

New partition size type in [200MB]

Type for this new partition [Primary]

Location for the new partition [Beginning]

Mount Point [/boot] (not default)

Select [Done setting up the partition]

---

Create a 10GB partition for root filesystem...

[Select your hard drive partition]
i.e. the [Pri/Log xxxGB FREE SPACE] line

[Create a new partition]

New partition size type in [10 GB]

Type for this new partition [Primary]

Location for the new partition [Beginning]

Use as:  [Physical volume for encryption] (not default)

Select [Done setting up the partition]

---

Use the rest of the drive for a home partition...

[Select your hard drive partition]
i.e. the [Pri/Log xxxGB FREE SPACE] line

[Create a new partition]

New partition size type in [xxxx GB]

Type for this new partition [Primary]

Location for the new partition [Beginning]

Use as:  [Physical volume for encryption] (not default)

Select [Done setting up the partition]

---

Configure the encrypted volumes...

Select [Configure encrypted volumes]

Write changes to disk [Yes] (not default)

First drive passphrase...
Enter encryption passphrase [Continue]

Re-enter encryption passphrase [Continue]

Second drive passphrase...
Enter encryption passphrase [Continue]

Re-enter encryption passphrase [Continue]

---

Setup the encrypted partitions...

Encrypted volume section (not towards the bottom)
Select [#1 10GB f Ext3]
Use as: [Ext3 file system]
note: Use as: Ext2 if this is a flash drive

Mount point: [/]

[Done setting up the partition]

---

Encrypted volume section (not towards the bottom)
Select [#1 xxxxGB f Ext3] (the remaining partition)
Use as: [Ext3 file system]
note: Use as: Ext2 if this is a flash drive

Mount point: [/home]

[Done setting up the partition]


---

Select [Finish partitioning and write changes to disk]
and continue the Ubuntu installation.

---


Create an encrypted USB hard drive partition.

Caution:
Make sure you have the correct disk selected.
In this working example we will be using /dev/sda,
and /dev/sda has already been partitioned with ext3.
If you are in doubt about which drive is which, verify using:
fdisk -l

Set up the partition:
cryptsetup --verify-passphrase --verbose --hash=sha256 --cipher=aes-cbc-essiv:sha256 --key-size=256 luksFormat /dev/sda1

Open the partition:
cryptsetup luksOpen /dev/sda1 sda1

Format the partition:
mke2fs -j -O dir_index,filetype,sparse_super /dev/mapper/sda1

---

Keyfiles...

You can add an optional keyfile so you do not have to use a passphrase
each time you open your encrypted partition.

Create a random keyfile
dd if=/dev/random of=/path-to-the-keyfile-you-are-to-create bs=1 count=256

Add the new keyfile to the encrypted USB hard drive
cryptsetup luksAddKey /dev/sda1 /path-to-your-newly-created-keyfile

---

Manually mounting and unmounting an encrypted USB hard drive

Assuming the USB drive is /dev/sda1 and you want it mounted at /mnt/sda1...

Open the partition:
cryptsetup luksOpen /dev/sda1 sda1

note:
If you created a keyfile, you can open it in this fashion (same mapping name, sda1)...
cryptsetup luksOpen /dev/sda1 sda1 --key-file /path-to-your-keyfile

Mount the partition:
mount /dev/mapper/sda1 /mnt/sda1

When finished, unmount the partition, then close the mapping (luksClose takes the mapping name, not the device)...
umount /mnt/sda1
cryptsetup luksClose sda1

---

Delete keys...
The best feature of DM-Crypt is the ability to add and remove
passphrases/keys without changing the data on the partition.

All keys are stored in slots. Slot numbering starts with 0
(the first passphrase you entered) and goes up.
This working example will delete the key in slot 1:
cryptsetup luksDelKey /dev/sda1 1

This working example will add a key in the next available slot:
cryptsetup luksAddKey /dev/sda1
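The keyfile step above and the key-slot removal step, as an added shell helper that is not part of these notes: it creates the keyfile with owner-only permissions, lists the enabled key slots by parsing cryptsetup luksDump output (LUKS1 and LUKS2 line formats), and refuses to remove the last enabled slot. The function names are my own; luksKillSlot is the name current cryptsetup gives the luksDelKey operation.

```shell
#!/bin/sh
# Added helper functions (not from the original notes) around the cryptsetup
# steps above. make_keyfile, luks_enabled_slots and luks_delkey_guard run
# without a real LUKS device; luks_delkey_safe wraps the cryptsetup calls.
set -eu

# Create a 256-byte random keyfile readable only by its owner (mode 0600).
# Same amount of key material as the notes' dd bs=1 count=256, read from
# /dev/urandom in one block so it does not block waiting for /dev/random.
make_keyfile() {
    keyfile=$1
    (umask 077 && dd if=/dev/urandom of="$keyfile" bs=256 count=1 2>/dev/null)
    [ "$(wc -c < "$keyfile" | tr -d ' ')" -eq 256 ] || { echo "short keyfile: $keyfile" >&2; return 1; }
}

# Print the enabled key slot numbers (space separated) from "cryptsetup luksDump"
# output read on stdin. Slot numbering starts at 0, as the notes say.
# Handles the LUKS1 format ("Key Slot N: ENABLED") and the LUKS2 format
# (an indented "  N: luks2" line under the "Keyslots:" header).
luks_enabled_slots() {
    awk '/^Key Slot [0-9]+: ENABLED/ { sub(":", "", $3); print $3 }
         /^Keyslots:/                { in_ks = 1; next }
         in_ks && /^[A-Za-z]/        { in_ks = 0 }
         in_ks && /^  [0-9]+: luks/  { sub(":", "", $1); print $1 }' |
        tr '\n' ' ' | sed 's/ $//'
}

# Pure check: the slot must be enabled and must not be the only enabled slot,
# because removing the last key leaves the data permanently unreadable.
luks_delkey_guard() {
    slots=$1; slot=$2; n=0; found=0
    for s in $slots; do
        n=$((n + 1))
        if [ "$s" = "$slot" ]; then found=1; fi
    done
    [ "$found" -eq 1 ] || { echo "slot $slot is not enabled" >&2; return 1; }
    [ "$n" -gt 1 ]     || { echo "refusing to remove the last enabled key slot" >&2; return 1; }
}

# Guarded version of the notes' "cryptsetup luksDelKey /dev/sda1 1" step.
# Current cryptsetup calls the operation luksKillSlot; older versions used luksDelKey.
luks_delkey_safe() {
    dev=$1; slot=$2
    slots=$(cryptsetup luksDump "$dev" | luks_enabled_slots)
    luks_delkey_guard "$slots" "$slot" || return 1
    cryptsetup luksKillSlot "$dev" "$slot"
}
```

Run as root with a real device, e.g. `luks_delkey_safe /dev/sda1 1`; the guard prints why it refuses instead of silently killing the only slot.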


SSL Technology
Taken from Wikipedia

A TLS client and server negotiate a stateful connection by using 
a handshaking procedure. During this handshake, the client and 
server agree on various parameters used to establish the connection's 
security.

* The handshake begins when a client connects to a TLS-enabled server 
requesting a secure connection, and presents a list of supported 
ciphers and hash functions.

* From this list, the server picks the strongest cipher and hash 
function that it also supports and notifies the client of the decision.

* The server sends back its identification in the form of a digital 
certificate. The certificate usually contains the server name, the 
trusted certificate authority (CA), and the server's public encryption key.

The client MAY contact the server that issued the certificate (the 
trusted CA as above) and confirm that the certificate is authentic before 
proceeding.

* In order to generate the session keys used for the secure connection, 
the client encrypts a random number with the server's public key, and 
sends the result to the server. Only the server can decrypt it (with its 
private key): this is the one fact that makes the keys hidden from third 
parties, since only the server and the client have access to this data.

* From the random number, both parties generate key material for 
encryption and decryption.

This concludes the handshake and begins the secured connection, which is 
encrypted and decrypted with the key material until the connection closes.

If any one of the above steps fails, the TLS handshake fails, and the 
connection is not created.


PGP/GPG
I have the 16k version of PGP online if anyone is interested.