Full Disk Encryption easy HOWTO

scott36
  13 years ago
  12

Easy Full System Encryption with Linux Mint (Howto)

The following HOWTO is an easy to use automated script to install a fully encrypted Linux Mint using LVM and cryptsetup. This works for new installations only and you will need internet access during the installation process to download a scipt.

The script is originally made for Ubuntu but works perfect for Linux Mint 10 (Ubuntu Version).

How to use it:

  • Boot from your Linux Mint Desktop from your Installation Live DVD/CD
  • Open a terminal (press ALT+F2 and type gnome-terminal or xterm)
    type or copy & paste:
    wget "http://readm3.org/_export/code/os/ubuntu/full-disk-encryption-lvm-luks.sh?codeblock=1" -O "/tmp/full-disk-encryption-lvm-luks.sh" && chmod a+rx "/tmp/full-disk-encryption-lvm-luks.sh" && sudo "/tmp/full-disk-encryption-lvm-luks.sh"
  • Press enter, this downloads and starts the encryption script
  • Follow the instructions in the script and answer a few questions about patition sizes
  • Start the installation of Linux Mint from the DVD/CD when you're being asked
  • At the partitioning section of the installation, you will need to choose "manual partitioning" and change the mountpoints which are stated in the script. Take extra care when changing the mountpoints as any mistyping will result in a non functioning system.
  • You are being asked to change one mountpoint to the destination "/root". As Linux Mint has a slightly different setup, you will need to choose "/" instead (slash only)
  • After the installation is finished, do NOT reboot, but click "continue trying Linux Mint"
  • The script automaticaly finishes it's work (installing the bootloader)
  • DONE
     

Thanks to Andreas Haerter who wrote this script which can be found in source code here:
http://readm3.org/os/ubuntu/full-disk-encryption-lvm-luks.sh


Scott
 


COPYRIGHT/LICENSE
The source code of the script is dual-licensed der GPLv2 and New/3-clause BSD

Comments
jelabarre59 9 years ago

> Using Mint 17 you can set up a fully encrypted disk using the regular Mint install process

That's only usable if you want to shove EVERYTHING on one single partition. You want to have a separate home partition? Don't think that's possible with a Ubuntu-based distribution. I have hunted down every script, tutorial, walkthrough, etc I could find on the subject, wasted the entire day doing install after install, and NOTHING has given me a working full-disk-encryption install (I am not even interested in trying the single-partition installation, as I'd only have to re-install it again later).


andreas21 10 years ago

This HOWTO refers to Mint versions below 17.
Using Mint 17 you can set up a fully encrypted disk using the regular Mint install process. („fully“ means everything except the boot partition, where no sensitive data should be stored.)


define 11 years ago

Hi all,

I added the apt-get update lines to the script trying to set this up on a Lenovo x1-carbon.
However, when i try to boot, i get a bios menu for boot device.
I select the hdd, and then get a black screen for 1 sec before getting kicked back to the bios to select a device.

If there is any way we can just get a Maya LTS version alternate installer, that would rule, as I'm going to have to go back to ubuntu now due to work restrictions.

If anyone does figure this out, please email me define2.0x@gmail.com .... long live Linux Mint!


vanZonker 11 years ago

Basically the latest version of the script seems to work with Linux Mint 14 (KDE), but after first reboot it always ends of in initramfs, because the time period for entering the password was exceeded. I don't get managed to cancel the splash screen, I think the splash screen from Mint does avaoid enetering the password successfully.

Any idea how to remove splash or extend splash screen, so it allows me to enter the password?


plaa 11 years ago

I tried these instructions to install Linux Mint 14, and while all the steps were successful, booting failed. However there's an easier way as well, directly using an updated installer: http://community.linuxmint.com/tutorial/view/1166


ndabar 12 years ago

Hello,

I have installed "LinuxMint 13 Maya (mate 32 bits)" using this tutorial. Thank you very much, it was really useful.

The link from "DAKEZ" with the modified script it doesn't work. So I have used a new one.

wget "https://www.dropbox.com/s/34fkcz2t8xrwy39/ubuntu-full-disk-encryption-lvm-luks.sh?dl=1" -O "/tmp/full-disk-encryption-lvm-luks.sh" && chmod a+rx "/tmp/full-disk-encryption-lvm-luks.sh" && sudo "/tmp/full-disk-encryption-lvm-luks.sh"

It works perfectly, it is a pitty that the encrypted windows doesn't have any image or you can not see the password characters.

ndabar ;-)


icezar 12 years ago

what about version 13?


dakez 12 years ago

Taking into account antiplex and Enkidu's modifications and suggestions, I've successfully installed Linux Mint 13 with FDE on a standard BIOS based machine. The thing with Enkidu's configuration is that he requires the first two modifications for his UEFI BIOS based machine, a standard box doesn't. That being said, I made the following modifications to the script and it worked:

-Changed line 736 to "echo "lvm_crypt UUID=`blkid /dev/sda2 | sed -e 's/.*UUID="//; s/".*//'` none luks" >> /etc/crypttab". Did not modify lines 502 and 519
-Removed installer launching and instead prompts user to complete the installation themselves and then hit enter when the installer has completed.
-Removed resolv.conf copying, as it doesn't seem to work and seems unnecessary enough.
-Script now terminates instead of prompting for reboot to allow you to check your work.

Make sure that when the script prompts you to go and run the installer, you do so prior to continuing as well as ensuring that the installer knows of the proper partition mountpoints, etc. The bootloader failed to install for me when I tried using a msdos based partition table, so I left it at gpt. Thus, you do not need to add "parted --script ${TARGET} set 1 boot" into the script either.

Modified script: http://files.g-oogle.net/private/ubuntu-full-disk-encryption-lvm-luks.sh.


antiplex 12 years ago

succesfully installed linuxmint 13 cinnamon following enkidus hints with a minor correction: variable {TARGET} is now called {DEVICE_TARGET}.
furthermore the installation of the bootloader failed for me initially and the partitions created are not ideally aligned. after some fiddling i enventually got it working though...

the changes enkidu apply to the following lines in the current version of the script (as of aug 12th 2012):
1. line 502 (replace existing)
2. line 519 (insert after)
3. line 736 (replace existing)

also be careful with change #3 when using an other device as installation target than /dev/sda !

anyhow i finally reverted to a unencrypted installation since in my case i was not able to use hibernate and suspend also showed a weird behaviour plus i found out that encryption is somewhat problematic on ssd disks.

still, thanks for this tutorial and its contributers!


Enkidu 12 years ago

Finally I got it working on my Lenovo Thinkpad T520 (UEFI Bios) together with Linuxmint 13 (maya).

I had to change from gpt partition table to msdos. Aditionally I set boot-flag and change method of getting blockid.

1. parted --script ${TARGET} mklabel msdos
2. parted --script ${TARGET} set 1 boot
3. echo "lvm_crypt UUID=`blkid /dev/sda2 | sed -e 's/.*UUID="//; s/".*//'` none luks" >> /etc/crypttab

After these few changes everything worked like a charm.

Enkidu


fleclercq 12 years ago

Worked great for me Linux Mint 12 / 80GB disk drive


Enkidu 12 years ago

Well... I tried it, installation works fine. But my BIOS does not detect any bootable media after installation. I did all the steps and the script finished with no error. A am also able to access all content. But booting is not possible (trying Mint 12 x64 on my Lenovo Thinkpad T520).

Any idea how I can fix it?

... and maybe some wants to support my idea: http://community.linuxmint.com/idea/view/2556 :)


BoingoInsanity 12 years ago

OMG!!! This was totally amazing and easy!!! The only hitch that got me was the blinking cursor after reboot, thought the system had crashed or didn't go in properly, but I tried my encrypt pw and a minute later I had my desktop!!! Thanks so much!! Works great with Mint 11 x64!


sgtPock 12 years ago

hi, i tried it in virtualbox, did not work (installer crashed). you can do it manually, which works well - follow this step-by-step howto, it's very detailed and easy:
http://forum.pocketables.net/showthread.php?t=1906&goto=nextnewest

two comments:
1. there's a typo in the commands starting with 'mount -o bind ...', replace /mnt/chroot/ with /mnt/mint/
2. you can skip the "modify grub" part

good luck


undoIT 12 years ago

Hi Scott. Does this script work with Linux Mint 12?