Linux Mint 17.X and 18.X (but also Ubuntu 14.X, 15.X, 16.X, 17.X) Full Disk Encryption (directory /boot included) Part 1 - PC with BIOS & HDD with MBR

linux22
  4 years ago

Linux Mint with Full Disk Encryption, directory /boot included
Part 1 - PC with firmware BIOS & HDD with MBR partitioning scheme
Author: Naldi Stefano (linux22 at Mint Forum)
June 2015

Version 2.4

Last update:  3 May 2017

 

Other tutorials concerning Linux Mint with Full Disk Encryption, directory /boot included:

 

Table of contents


GNU Free Documentation License

GNU GENERAL PUBLIC LICENSE

Disclaimer and acknowledgments

Useful links

LINUX MINT FDE INSTALLATION FOR PC WITH BIOS AND HDD WITH MBR

Step 1 - Set up the target HDD, requires Ubiquity

Step 2 - Set up the LVM, Physical Volume, Volume Group and Logical Volumes for root and swap, requires a few Terminal commands

Step 3 - Set up of the Linux installation, requires Ubiquity

Step 4 - Fixing, patching and updating of the Linux installation made with Ubiquity, requires a lot of Terminal commands

Appendix A – How to enhance the encryption strength of your Linux Mint FDE (for paranoids, like me)

Appendix B – Emergency tools - How to access your encrypted partition with your Mint or Ubuntu Live CD

Appendix C – Emergency tools - How to reinstall GRUB after ...

 

 

GNU Free Documentation License
Version 1.3, 3 November 2008

Linux Mint with Full Disk Encryption, directory /boot included - PC with BIOS and HDD with MBR

Copyright (C) 2015 2016 2017 2018 Naldi Stefano.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.

You should have received a copy of the "GNU Free Documentation License" along with this document.

If not, see <http://www.gnu.org/licenses/>.

 

 

GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007

Linux Mint with Full Disk Encryption, directory /boot included - PC with BIOS and HDD with MBR

Copyright (C) 2015 2016 2017 2018 Naldi Stefano

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the "GNU General Public License" along with this program.

If not, see <http://www.gnu.org/licenses/>.

 

 

Linux Mint 17.X and 18.X Full Disk Encryption (directory /boot included) - PC with firmware BIOS

I wrote this guide/tutorial in the hope that it will be useful for everyone who needs a Linux installation with Full Disk Encryption. The solution reported here is EXPERIMENTAL and needs good experience with Linux and its installation. At the moment I have successfully tested this solution with Linux Mint 17.X and 18.X Cinnamon and Mate, Ubuntu 14.X, 15.X, 16.X and 17.X, all 64 bit versions.
This guide/tutorial comes with ABSOLUTELY NO WARRANTY.

First of all I must thank Pavel Kogan (http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/ and http://www.pavelkogan.com/2015/01/25/linux-mint-encryption/), because without his publications this solution would never have been possible.

Another thanks goes to Rarylson Freitas (http://askubuntu.com/questions/468466/why-this-occurs-error-diskfilter-writes-are-not-supported), whose 00_header file patch has solved an annoying warning during start-up.

Another thanks goes to Callum Cameron, whose advice showed me the correct installation of the system via Ubiquity (see the new structure of Step 1). That is an important achievement because now Ubiquity ends without errors, performing all the expected tasks. Callum has also built a script for the automation of the procedures described in this tutorial. If you want to try and test this script see the instructions at https://github.com/CallumCameron/mint-encrypted-install.



Other useful links are these:
 

  • https://help.ubuntu.com/community/EncryptedFilesystemsViaUbiquity
  • http://thesimplecomputer.info/full-disk-encryption-with-ubuntu
  • https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system
  • https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Keyfiles
  • https://wiki.archlinux.org/index.php/Dm-crypt/System_configuration
  • https://wiki.archlinux.org/index.php/GRUB#Boot_partition
  • https://wiki.archlinux.org/index.php/LVM
  • https://wiki.gentoo.org/wiki/GRUB2



The solution is essentially simple but requires a lot of terminal commands. If the user makes a mistake and commits a wrong command he can wipe the target HDD or damage its software structure. So, if you commit the commands listed in this guide/tutorial using 'Copy' and 'Paste', pay attention not to alter them.

 

INSTALLATION FOR PC WITH BIOS AND HDD WITH MBR - BEGINNING


The installation requires:

PC with firmware BIOS and HDD with MBR partitioning scheme.

HDD with at least 25 GB free space.

CD Live Mint 17.X, 18.X Cinnamon or Mate, or Ubuntu 14.X, 15.X, 16.X, 17.X


The installation described here assumes:

Installation of Linux on: /dev/sda

Physical volume for encryption built on: /dev/sda1

Device for boot loader installation: /dev/sda

Physical Volume: /dev/mapper/sda1_crypt

Volume Group: mint

Logical Volume for swap: swap

Logical Volume for root: root

 

IF YOU CHANGE THESE ASSUMPTIONS THEN CHANGE THE UBIQUITY SETTINGS AND THE LISTED TERMINAL COMMANDS ACCORDINGLY !!!


MY ADVICE, BEFORE EXPERIMENTING THIS INSTALLATION ON A REAL PC, IS TO TRY AND INSTALL IT ON A VIRTUAL MACHINE LIKE VIRTUALBOX. WHEN THE USER SUCCEEDS WITH THE INSTALLATION AND BECOMES FAMILIAR WITH THE LISTED TERMINAL COMMANDS THEN HE CAN TRY A REAL INSTALLATION.
 


The procedure described in this guide/tutorial is divided into 4 steps and 3 appendices:


Step 1 – Set up the target HDD, requires Ubiquity

Step 2 – Set up the LVM, Physical Volume, Volume Group and Logical Volumes for root and swap, requires a few Terminal commands

Step 3 – Set up of the Linux installation, requires Ubiquity

Step 4 – Fixing, patching and updating of the Linux installation made with Ubiquity, requires a lot of Terminal commands

Appendix A – How to enhance the encryption strength of your Linux Mint FDE (for paranoids, like me)

Appendix B – Emergency tools - How to access your encrypted partition with your Mint or Ubuntu Live CD

Appendix C – Emergency tools - How to reinstall GRUB after ...

 

The Terminal commands listed in this guide/tutorial are typed in RED COLOR.


If you use 'Copy' and 'Paste' to insert these commands in your Terminal window, pay attention to those whose length takes two or more lines.
Before you 'Paste' these long commands in the Terminal, check them inside an editor and if the command is broken over two or more lines reassemble it correctly on one single line. Then you can 'Paste' the command in your Terminal window.




Step 1

Boot your Live CD in the target PC and when ready open a Terminal window, then start Ubiquity by committing the following Terminal command:

sh -c 'ubiquity -b gtk_ui'&

 

In this way you can start Ubiquity skipping the installation of the boot loader and therefore finish the Ubiquity process without errors.

 

Click 'Continue'

 

If you are installing Linux Mint 18.X this new Ubiquity page will appear.

Here you can choose whether to install third-party software or not.

Make your choice and go on.


Click 'Continue'


Now you are in the 'Installation type' page. Select 'Something else' and click 'Continue'

 

Now you are in the 'Partition manager' page. Check that your HDD is shown. Select the free space on your HDD and click '+'. You can see that the ComboBox 'Device for the boot loader installation' is not available. Please assume the same also for the next pictures. I will update them as soon as possible.

 

 

From the dropdown menu select the 'Type for the new partition' as 'Primary', 'Location for the new partition' as 'Beginning of this space' and 'Use as' as 'physical volume for encryption'. The system will ask for the security key (password) of the physical volume. Insert it twice. If you want to erase the empty disk space check the radio button below, but remember that it takes a long time. Then click 'OK'.

 

 

After a few seconds you will see a new device named '/dev/mapper/sda1_crypt'.

Leave Ubiquity window open and go on.


Step 2

Open a Terminal window and commit the following 4 commands:

sudo pvcreate /dev/mapper/sda1_crypt

sudo vgcreate mint /dev/mapper/sda1_crypt

sudo lvcreate -L 4G mint -n swap

sudo lvcreate -l +100%FREE mint -n root


The first command creates the Physical Volume, the second command creates the Volume Group, the third command creates the Logical Volume for swap, with a size of 4 GB (the size is arbitrary), and the fourth command creates the Logical Volume for root, with the remaining space available in the Volume Group.

Leave the Terminal window open, go back to the Ubiquity window and there click 'Back'.


Step 3

You are again in the 'Installation type' page of Ubiquity. Select 'Something else' and click 'Continue'

 

 

Now you are in the Partition manager page again. Check for the presence of the Logical Volumes named '/dev/mapper/mint-root' and '/dev/mapper/mint-swap'.

 

Select '/dev/mapper/mint-root', click 'Change' and select 'Use as' as 'Ext4 journaling file system' from the dropdown menu, then select 'Format the partition' and choose 'Mount point' as '/'. Then click 'OK'.

If you choose a different file system type (btrfs, JFS, XFS) pay attention to the 'btrfs' file system. In this case see Step 4 for the correct 'btrfs' file system handling.

 

 

Select '/dev/mapper/mint-swap', click 'Change' and select 'Use as' as 'swap area' from the dropdown menu, then click 'OK'. Then click 'Install Now'.

 

A popup window named 'Write the changes to disks ?' will appear. Click 'Continue'.

 

Select your timezone and then click 'Continue'

Select your keyboard and then click 'Continue'

Choose your username and password and then click 'Continue'

 

Wait until Ubiquity shows a popup like this one ...

 

Click 'Continue Testing'. Ubiquity will end.

 

Step 4

Now we have a Linux system built by Ubiquity that we must remount, fix, patch and update.


Go back to the Terminal window and commit the following 6 commands:

 

sudo mount /dev/mapper/mint-root /mnt

sudo mount --bind /dev /mnt/dev

sudo mount --bind /dev/pts /mnt/dev/pts

sudo mount --bind /sys /mnt/sys

sudo mount --bind /proc /mnt/proc

sudo mount --bind /run /mnt/run


These commands mount the Linux system, previously built by Ubiquity, in the directory /mnt.

If you have chosen a 'btrfs' type filesystem for your '/dev/mapper/mint-root' device you must substitute the first command

     sudo mount /dev/mapper/mint-root /mnt

with this new one

sudo mount -o subvol=@ /dev/mapper/mint-root /mnt

You will get a few warnings during GRUB installation but it seems to work correctly anyway. If you need more details about using the 'btrfs' filesystem with LUKS/dm-crypt you can read the ArchLinux wiki at 'https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Btrfs_subvolumes_with_swap', paragraph 'Mount top-level subvolumes'.

-----

Now commit the following 4 commands:

 

The second command in this list of 4 will ask for the password of the encrypted volume. When the prompt 'Enter any passphrase:' appears, enter it.

sudo dd bs=512 count=4 if=/dev/urandom of=/mnt/boot/crypto_keyfile.bin

sudo cryptsetup luksAddKey /dev/sda1 /mnt/boot/crypto_keyfile.bin

sudo chmod 000 /mnt/boot/crypto_keyfile.bin

sudo chmod -R g-rwx,o-rwx /mnt/boot


These commands create a keyfile for automatic mounting of the encrypted volume when GRUB process ends. For more details see the articles of Pavel Kogan at http://www.pavelkogan.com.

-----

Now commit the following 2 commands:

 

echo "cp /boot/crypto_keyfile.bin \"\${DESTDIR}\"" | sudo tee -a /mnt/etc/initramfs-tools/hooks/crypto_keyfile

sudo chmod +x /mnt/etc/initramfs-tools/hooks/crypto_keyfile


These commands create the hook required by initramfs for the keyfile loading. For more details see the articles of Pavel Kogan at http://www.pavelkogan.com.

Alternatively you can create the hook file with sudo gedit /mnt/etc/initramfs-tools/hooks/crypto_keyfile and insert this line inside: cp /boot/crypto_keyfile.bin "${DESTDIR}"

-----

Now commit the following command:

 

echo "sda1_crypt UUID=`sudo blkid -s UUID -o value /dev/sda1` /crypto_keyfile.bin luks,keyscript=/bin/cat" | sudo tee -a /mnt/etc/crypttab


This command updates the crypttab file. For more details see the articles of Pavel Kogan at http://www.pavelkogan.com and the tutorial from the Ubuntu Official Documentation page at https://help.ubuntu.com/community/EncryptedFilesystemsViaUbiquity

-----

Now commit the following 2 commands:

 

sudo chroot /mnt locale-gen --purge --no-archive

sudo chroot /mnt update-initramfs -u


These commands update the initramfs

-----

Now commit the following 3 commands:

 

sudo sed -i.bak 's/GRUB_HIDDEN_TIMEOUT=0/#GRUB_HIDDEN_TIMEOUT=0/' /mnt/etc/default/grub

sudo sed -i '10a GRUB_ENABLE_CRYPTODISK=y' /mnt/etc/default/grub

sudo sed -i 's/GRUB_CMDLINE_LINUX=""/GRUB_CMDLINE_LINUX="cryptdevice=\/dev\/sda1:sda1_crypt"/' /mnt/etc/default/grub


These commands update the grub file. For more details see the articles of Pavel Kogan at http://www.pavelkogan.com.

Alternatively you can edit the grub file with sudo gedit /mnt/etc/default/grub and modify the directives inside in this way:

############################################################
GRUB_DEFAULT=0
#GRUB_HIDDEN_TIMEOUT=0
GRUB_HIDDEN_TIMEOUT_QUIET=true
GRUB_TIMEOUT=10
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_ENABLE_CRYPTODISK=y
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda1:sda1_crypt"
############################################################

-----

If you are installing Linux Mint 18.X or Ubuntu 16.X skip the following 4 commands !!!

Otherwise commit them.

sudo mv /mnt/etc/grub.d/00_header /mnt/etc/grub.d/00_header.orig

sudo wget -O /mnt/etc/grub.d/00_header https://gist.githubusercontent.com/rarylson/da6b77ad6edde25529b2/raw/99f266a10e663e1829efc25eca6eddb9412c6fdc/00_header_patched

sudo chmod -x /mnt/etc/grub.d/00_header.orig

sudo chmod +x /mnt/etc/grub.d/00_header


These commands patch the 00_header file, fixing the handling of RAID and LVM volumes in GRUB.
You can omit these four commands, but when your system boots up it will show a message like
"Error: diskfilter writes are not supported. Press any key to continue...". The system goes further anyway but it is noisy. For more details see the article of Rarylson Freitas at http://askubuntu.com/questions/468466/why-this-occurs-error-diskfilter-writes-are-not-supported.

-----

Now commit the following 3 commands:

 

sudo chroot /mnt update-grub

sudo chroot /mnt grub-mkconfig -o /boot/grub/grub.cfg

sudo chroot /mnt grub-install /dev/sda


These commands update GRUB

-----

Now start the file browser Nemo (or Nautilus in Ubuntu) and search for a file named /mnt/sbin/initctl.REAL.


If the file /mnt/sbin/initctl.REAL is present you must rename /mnt/sbin/initctl to /mnt/sbin/initctl.orig and then rename /mnt/sbin/initctl.REAL to /mnt/sbin/initctl, committing the following 2 commands:

sudo mv /mnt/sbin/initctl /mnt/sbin/initctl.orig

sudo mv /mnt/sbin/initctl.REAL /mnt/sbin/initctl


These commands put the correct initctl file in place

-----

Now commit the last command:

 

sudo umount /mnt/proc /mnt/dev/pts /mnt/dev /mnt/sys /mnt/run /mnt


This command unmounts the Linux system built by Ubiquity, now fixed, patched and updated.
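The commands of Step 4 leave several things that must all be right before the reboot: the keyfile and its permissions, the initramfs hook, the crypttab entry and the GRUB settings. The following script is added here as an example (it is not part of the original tutorial) and checks the target tree still mounted under /mnt for those conditions; it assumes the tutorial's device and file names and, when run with no argument, checks a constructed sample tree instead.

```shell
#!/bin/sh
# Sanity check for the Step 4 result, added here (not part of the original tutorial).
# Run it while the target is still mounted under /mnt, before the final umount. Assumes
# the tutorial's names: /dev/sda1 as sda1_crypt, /boot/crypto_keyfile.bin, and its hook.
errors=0
fail() { echo "FAIL: $1"; errors=$((errors + 1)); }

fde_check() {
  root="${1:-/mnt}"
  errors=0
  keyfile="$root/boot/crypto_keyfile.bin"
  hook="$root/etc/initramfs-tools/hooks/crypto_keyfile"
  crypttab="$root/etc/crypttab"
  grubdef="$root/etc/default/grub"

  # 1. Keyfile exists, is 2048 bytes (dd bs=512 count=4) and has mode 000.
  #    ls and find are used instead of reading it, so this works without root.
  if [ -f "$keyfile" ]; then
    size=$(ls -l "$keyfile" | awk '{print $5}')
    [ "$size" -eq 2048 ] || fail "keyfile is $size bytes, expected 2048"
    find "$keyfile" -perm 000 | grep -q . || fail "keyfile mode is not 000"
  else
    fail "keyfile $keyfile is missing"
  fi

  # 2. Nothing under /boot is group- or world-readable (chmod -R g-rwx,o-rwx):
  #    the initrd built later embeds the keyfile, so only root may read it.
  if [ -d "$root/boot" ]; then
    leaky=$(find "$root/boot" \( -perm -040 -o -perm -004 \) | head -n 1)
    [ -z "$leaky" ] || fail "group/world readable entry under /boot: $leaky"
  else
    fail "$root/boot is missing"
  fi

  # 3. The initramfs hook is executable and copies the keyfile into the initrd.
  if [ -f "$hook" ]; then
    grep -Fq 'cp /boot/crypto_keyfile.bin "${DESTDIR}"' "$hook" \
      || fail "hook does not copy the keyfile into DESTDIR"
    [ -x "$hook" ] || fail "hook $hook is not executable"
  else
    fail "hook $hook is missing"
  fi

  # 4. crypttab: exactly one sda1_crypt line (tee -a run twice gives two), a non-empty
  #    UUID (empty means the blkid substitution failed) and keyscript=/bin/cat.
  if [ -f "$crypttab" ]; then
    n=$(grep -c '^sda1_crypt' "$crypttab" || true)
    [ "$n" -eq 1 ] || fail "expected one sda1_crypt line in crypttab, found $n"
    grep -Eq '^sda1_crypt[[:space:]]+UUID=[0-9a-fA-F-]+[[:space:]]+/crypto_keyfile\.bin[[:space:]]+luks,keyscript=/bin/cat[[:space:]]*$' "$crypttab" \
      || fail "sda1_crypt line in crypttab is malformed (empty UUID?)"
  else
    fail "$crypttab is missing"
  fi

  # 5. /etc/default/grub: CRYPTODISK enabled (the sed '10a' command changes nothing if
  #    the file has fewer than 10 lines), cryptdevice= set, GRUB_HIDDEN_TIMEOUT=0 commented.
  if [ -f "$grubdef" ]; then
    grep -q '^GRUB_ENABLE_CRYPTODISK=y' "$grubdef" || fail "GRUB_ENABLE_CRYPTODISK=y is not set"
    grep -q '^GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda1:sda1_crypt"' "$grubdef" \
      || fail "GRUB_CMDLINE_LINUX lacks cryptdevice=/dev/sda1:sda1_crypt"
    if grep -q '^GRUB_HIDDEN_TIMEOUT=0' "$grubdef"; then
      fail "GRUB_HIDDEN_TIMEOUT=0 is still active"
    fi
  else
    fail "$grubdef is missing"
  fi

  if [ "$errors" -eq 0 ]; then echo "OK: $root looks ready for the final umount"; fi
  return "$errors"
}

# Builds a constructed copy of what Step 4 leaves behind (zero-filled keyfile,
# placeholder UUID) so the check can be exercised without a real installation.
make_sample_tree() {
  dir="$1"
  mkdir -p "$dir/boot" "$dir/etc/initramfs-tools/hooks" "$dir/etc/default"
  dd if=/dev/zero of="$dir/boot/crypto_keyfile.bin" bs=512 count=4 2>/dev/null
  chmod 000 "$dir/boot/crypto_keyfile.bin"
  chmod -R g-rwx,o-rwx "$dir/boot"
  printf '%s\n' 'cp /boot/crypto_keyfile.bin "${DESTDIR}"' \
    > "$dir/etc/initramfs-tools/hooks/crypto_keyfile"
  chmod +x "$dir/etc/initramfs-tools/hooks/crypto_keyfile"
  printf '%s\n' 'sda1_crypt UUID=00000000-0000-4000-8000-000000000000 /crypto_keyfile.bin luks,keyscript=/bin/cat' \
    > "$dir/etc/crypttab"
  printf '%s\n' 'GRUB_DEFAULT=0' '#GRUB_HIDDEN_TIMEOUT=0' 'GRUB_TIMEOUT=10' \
    'GRUB_ENABLE_CRYPTODISK=y' 'GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"' \
    'GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda1:sda1_crypt"' > "$dir/etc/default/grub"
}

# Usage after Step 4, before the final umount:  sh fde_check.sh /mnt  (no argument: sample tree)
if [ $# -gt 0 ]; then
  fde_check "$1"
else
  demo=$(mktemp -d) && make_sample_tree "$demo" && fde_check "$demo"
  rm -rf "$demo"
fi
```

A non-zero exit status is the number of failed checks, so the script can be used as a gate before the umount.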


-----------------------------------------------------------------------------------------------------------------------------
 

Now you can shut down the CD Live system and restart.


When your brand new Linux FDE starts, it will show a GRUB screen like this.


Type your password for the encrypted volume and wait until the GRUB menu list appears (see hd0,msdos1).


Wait until the countdown expires or type ENTER.

At this point, sometimes, the system stays frozen for 1 or 2 minutes; wait until it goes on.


Then the system will show the usual Mint logo and then the cryptsetup message.


When the login page appears insert your username and your password and ... enjoy.

 

INSTALLATION FOR PC WITH BIOS AND HDD WITH MBR - END

 

 

Appendix A

How to enhance the encryption strength of your Linux Mint FDE (for paranoids, like me)

 

You can see at the start of this tutorial that it is Ubiquity that creates the encrypted partition.


But you can enhance the strength of your Linux Mint FDE by creating the encrypted partition with the characteristics of your choice.

 

My first advice for a stronger encrypted installation is:

Boot your Live CD in the target PC and when ready ...

 

  • Remember that this Appendix also uses the same assumptions listed above
  • Do not even start Ubiquity
  • Skip Steps 1 and 2 of this tutorial

 

For HDD with MBR open a Terminal window and commit the following 8 commands:

sudo parted /dev/sda mklabel msdos

sudo parted --align optimal /dev/sda mkpart primary 0% 100%

sudo cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/sda1

sudo cryptsetup luksOpen /dev/sda1 sda1_crypt

sudo pvcreate /dev/mapper/sda1_crypt

sudo vgcreate mint /dev/mapper/sda1_crypt

sudo lvcreate -L 4G mint -n swap

sudo lvcreate -l +100%FREE mint -n root

The third command listed above will ask you to enter 'YES' (in uppercase) to continue; then remember to turn off the uppercase when it asks you to enter the password twice !!!

You can raise the '--iter-time' value of this third command but remember that it will slow down your system during boot up !!!

A value of --iter-time 100000 takes approx. 5 minutes for boot up on a PC with CPU i5 !!!

 

Now start Ubiquity with the Terminal command:

sh -c 'ubiquity -b gtk_ui'&

 

 

Select your language and Click 'Continue'

 

If you are installing Linux Mint 18.X this new Ubiquity page will appear.

Here you can choose whether to install third-party software or not.

Make your choice and go on.


Click 'Continue'


When you reach the 'Installation type' page select 'Something else', click 'Continue' and then proceed with steps 3 and 4 of this tutorial until the end.

 

My second advice is:

Change the sixth command listed in Step 4 of this tutorial:

sudo dd bs=512 count=4 if=/dev/urandom of=/mnt/boot/crypto_keyfile.bin

with this new one

sudo dd bs=512 count=4 if=/dev/random iflag=fullblock of=/mnt/boot/crypto_keyfile.bin

Warning: this command takes a long long long time - approx. 30-40 minutes !!! on a PC with CPU i5, but only during the installation !!!

 

Anyway, also after these enhancements, you must not think that you are invulnerable.

You are vulnerable when you leave your system on and alone and when you are connected to a network or to internet.

 

And finally you must never forget that if your files are really interesting for the bad guys, the ugly truth is probably best depicted in this vignette:

 

I found this vignette on the internet some years ago. Below you can see links to its repositories and its license.

https://xkcd.com/538/

http://www.explainxkcd.com/wiki/index.php/538:_Security

http://creativecommons.org/licenses/by-nc/2.5/

 

 

Appendix B

Emergency tools - How to access your encrypted partition with your Mint or Ubuntu Live CD
 

If your system does not start, because of PC hardware failure, boot-up file damage, etc., but you are sure that your HDD (containing the encrypted partition) is OK, you can access your data using the following procedure.

Start your PC with a Mint Live CD containing the same Linux Mint version installed in your HDD.

 

 

When your live system is up and running open a terminal window and commit the following 2 commands:

sudo cryptsetup luksOpen /dev/sda1 sda1_crypt

sudo mount /dev/mapper/mint-root /mnt

In this example we assume that your HDD resides in the installation PC and that you followed the installation procedure listed in this tutorial. Otherwise change the device and LVM letters, numbers and names accordingly.

Remember that if you have chosen a 'btrfs' type filesystem for your '/dev/mapper/mint-root' device you must substitute the second command

     sudo mount /dev/mapper/mint-root /mnt

with this new one

sudo mount -o subvol=@ /dev/mapper/mint-root /mnt

    

Now your encrypted partition is mounted under the /mnt directory of your Linux Mint live system and you can recover, backup or copy all the files that you need.
 

 

 

Appendix C

Emergency tools - How to reinstall GRUB after ...


A few people who have installed my Linux Full Disk Encryption solutions have asked me how to reinstall GRUB after a:

- GRUB package update/upgrade
- Boot up failure
- Booting files damage
- Linux Mint release upgrade
- Linux kernel release upgrade

They are right because this Linux FDE solution is EXPERIMENTAL and the GRUB configuration is made with an unusual and NOT STANDARD method.

The lack of a recovery/emergency tool for these eventualities became very important once I knew that many people are using this Linux FDE solution and are upgrading their Linux version to the latest release or installing software packages that modify GRUB and its configuration files.

So I have written this simple appendix containing the correct procedure for the reinstallation of the original GRUB configuration for this Linux FDE solution.

The first step is gaining access to your encrypted partition using the procedure listed in Appendix B of this tutorial.

Once you have a Linux Mint or Ubuntu Live CD system up and running and your encrypted partition mounted under the "/mnt" directory you can proceed with the reconfiguration of GRUB.

You only need to repeat 15 Terminal commands already listed in Step 4 of this tutorial:

sudo mount --bind /dev /mnt/dev

sudo mount --bind /dev/pts /mnt/dev/pts

sudo mount --bind /sys /mnt/sys

sudo mount --bind /proc /mnt/proc

sudo mount --bind /run /mnt/run

sudo chroot /mnt locale-gen --purge --no-archive

sudo chroot /mnt update-initramfs -u

sudo mv /mnt/etc/grub.d/00_header /mnt/etc/grub.d/00_header.orig

sudo wget -O /mnt/etc/grub.d/00_header https://gist.githubusercontent.com/rarylson/da6b77ad6edde25529b2/raw/99f266a10e663e1829efc25eca6eddb9412c6fdc/00_header_patched

sudo chmod -x /mnt/etc/grub.d/00_header.orig

sudo chmod +x /mnt/etc/grub.d/00_header

sudo chroot /mnt update-grub

sudo chroot /mnt grub-mkconfig -o /boot/grub/grub.cfg

sudo chroot /mnt grub-install /dev/sda

sudo umount /mnt/proc /mnt/dev/pts /mnt/dev /mnt/sys /mnt/run /mnt

The eighth, ninth, tenth and eleventh commands are necessary only in case of a GRUB package update/upgrade and never if you are installing Linux Mint 18.X or Ubuntu 16.X !!!

Now your original Linux Mint FDE GRUB configuration has been reinstalled and you can restart your PC.

 

As my last consideration I want to say that I do not believe it is necessary to rebuild the '/mnt/etc/default/grub' file too, because I think that a smart update/upgrade package for GRUB or Linux should not discard the modifications made by the user. Anyway, if it is necessary you only need to edit your '/mnt/etc/default/grub' file and redo the same modifications listed in Step 4 of this tutorial (remember only that you must make these modifications in the appropriate order, i.e. after you have committed the commands for the update of the initramfs).

 


 

The topic for this tutorial at the Mint Forum is: https://forums.linuxmint.com/viewtopic.php?t=198077



Comments
darkon11 6 years ago

Hi, I've used this great tutorial many times.
To speed things up I made a couple of scripts.
https://filebin.net/cci5ntjk6qer74w3/LM.zip?t=wux2n9v4
Password is "encryption".
Feel free to modify them.
Regards


linux22 8 years ago


Hello Yuggy and jaaday, the "btrfs" type filesystem for the '/dev/mapper/mint-root' device is now possible.

If you still need the solution for your FDE installation with "btrfs" type filesystem you can see the right configuration in Step 4 of my Tutorials.


Regards.

linux22


linux22 8 years ago


Hello jaaday and YuggY,

probably I have understood why you get that strange '@' directory under /mnt. Probably you have selected a "btrfs" filesystem type for your '/dev/mapper/mint-root' device. At the moment you can install this FDE solution only on native Linux ext type filesystems.

Anyway I am working on the problem and if I will get rid of it I will update the tutorial and warn you via community message.

Regards.

linux22


linux22 8 years ago


Hello Pepas, I have read your message.

I do not understand what do you mean when you said that the LUKS key
"... can be accessed by anyone after a kernel upgrade ...".

If you want to reach the access to the 'initrd.img' or to the 'crypto_keyfile.bin' files you need:

1) the PC with this Linux FDE solution turned on
2) insert the LUKS encrypted volume password at the GRUB prompt
3) insert the user password for login

If you mean that you can reach the key in case the PC is left alone and already turned on and logged in you still need the password of the logged user. You can not execute the commands that you listed,
i.e. 'cp /initrd.img i.gz; gunzip i.gz; cpio -i crypto_keyfile.bin',
if you do not have root privileges.

So, you can reach the key only if:

1) you can reach the PC turned on and already running this FDE solution
2) you have the user password

But if you have all these conditions satisfied probably the owner of the PC is not well aware about computer security.

Anyway, if you think that the system with two LUKS password insertion is in any case safer my opinion is that you are right.

But if your files are really interesting for the bad guys, the ugly truth is probably best depicted in the vignette at the end of Appendix A of this tutorial.


Regards.

linux22


Pepas 8 years ago

WARNING! With this method, the key to unlock the LUKS partition can be accessed by anyone after a kernel upgrade like this:

cp /initrd.img i.gz; gunzip i.gz; cpio -i crypto_keyfile.bin
It is safer to have to enter the password twice...


glubbar 8 years ago

This is a great tutorial, it worked for me 3 times for Linux Mint 18 and 17.3 KDE.
Sometimes ubiquity crashed because some partitions where busy/not available for some reason (most notable swap) so I had to start over.
Thanks for taking the time to write it! :)


linux22 8 years ago

Hello jaaday, I have read your message.

Please tell me:

your PC manufacturer, model and CPU type;
your PC firmware type and version;

Then try and install this FDE solution on a virtual machine, like Virtualbox. If you get the same errors you are committing some wrong command and then check them all !!!

If you succeed in installing this solution on a virtual machine try and install this solution on a second PC. If you then succeed in installing this FDE solution on the second PC probably there are some compatibility issues on your first PC.

Please keep me informed about your attempts.


Regards.

linux22


jaaday 8 years ago

I am getting the same thing /mnt/@, every command works until you try the;

sudo mount /dev/mapper/mint-root /mnt

sudo mount --bind /dev /mnt/dev

sudo mount --bind /dev/pts /mnt/dev/pts

sudo mount --bind /sys /mnt/sys

sudo mount --bind /proc /mnt/proc

sudo mount --bind /run /mnt/run

then it all errors


linux22 8 years ago


Hello Yuggy, I have read your message. Honestly I have no idea about your weird installation problem with the '/mnt/@' directory.

Anyway what are your PC configuration and firmware ?

Remember that my FDE solutions are valid only for PC with Intel/AMD 64 bit CPUs.

Please also pay close attention to the correct syntax of the Terminal commands listed in my tutorials.

Regards.

linux22



YuggY 8 years ago

Hey Naldi :D
Thank you for such a great tutorial...
I've followed every step but something weird is happening

after install, when i mount the installed filesystem
sudo mount /dev/mapper/${LVM_NAME}-root /mnt

instead of having /mnt/dev or /mnt/proc, i get /mnt/@/dev or /mnt/@/proc

In my scripts, i try a workaround
export MNT="/mnt/@"

and use that variable instead of /mnt

It all goes ok until
sudo chroot ${MNT} update-grub


where i get this error
/usr/sbin/grub-probe:error:cannot find device for / (is /dev mounted?)

/dev is mounted as you can see in my scripts here: https://github.com/YuggY/MintInstall
sudo mount --bind /dev ${MNT}/dev


I'm thinking that the @ folder is messing up something in the system... it shouldn't be there... and yet i can't seem to be able to get rid of it...

I've already asked for assistance on the Official Linux Mint Support Channel but this is a non-standard issue so no help there...

I've tried searching online for this, but the search keywords "/mnt/@" wont give any relevant feedback

I've tried these scripts in Mint Mate 18, Mint XFCE 18 and LUbuntu 16.04 and the result was the same in all of these... a weird @ folder and a update-grub crash..

Any help would be highly appreciated :D


linux22 8 years ago

Hello heikos and alexandl67, that is my solution for installing Windows 7 with Veracrypt or Truecrypt and Linux Mint 17.X with Full Disk Encryption (directory /boot NOT INCLUDED) over a single HDD.

MY USUAL ADVICE IS ALWAYS THE SAME. BEFORE EXPERIMENTING THIS INSTALLATION ON A REAL PC TRY AND INSTALL IT ON A VIRTUAL MACHINE LIKE VIRTUALBOX. WHEN THE USER SUCCEEDS WITH THE INSTALLATION AND BECOMES FAMILIAR WITH THE LISTED TERMINAL COMMANDS THEN HE CAN TRY A REAL INSTALLATION.

Remember that you need a PC with firmware BIOS and a HDD with MBR partitioning scheme.

Install Windows 7 over your HDD, leaving at least 25 GB of HDD free space.

Install Veracrypt or Truecrypt and encrypt your Windows System Partition (NOT THE WHOLE DISK).

Choose your Veracrypt or Truecrypt "Number of Operating Systems" mode as "Single-boot".

Check that your encrypted Windows 7 work correctly.

Now start your PC with Linux Mint Live CD.

Open Ubiquity and go ahead until you get the “Partition manager” page (follow my Tutorial n. 2026 Step 1)

Your "physical volume for encryption" will reside on "/dev/sda3", because "/dev/sda1" hold the Windows 7 boot partition and "/dev/sda2" your Windows 7 encrypted partition.

Build your "physical volume for encryption" leaving at least 512 MB of free space for your "/dev/sda4" partition, that will hold the "/boot" directory.

Go one step back on Ubiquity and leave it open.

Now commit the following 4 Terminal commands:

- sudo pvcreate /dev/mapper/sda3_crypt
- sudo vgcreate mint /dev/mapper/sda3_crypt
- sudo lvcreate -L 1G mint -n swap
- sudo lvcreate -l +100%FREE mint -n root

Remember that you can choose the size of your swap partition at your own will (1G or whatever you want).

Now go back to Ubiquity and go one step ahead.

Mount your "root" and "swap" partitions inside your LVM volume as described in my Tutorial n. 2026 Step 3, BUT also create a new partition "/dev/sda4" type ext4 and mount it on "Mount point" as "/boot".

Then choose "Device for boot loader installation" as "/dev/sda4".

Go ahead with your Ubiquity installation until it ends without errors.

When you get the popup "Installation Complete" click "Continue Testing".

Now commit the following 10 Terminal commands:

- sudo mount /dev/mapper/mint-root /mnt
- sudo mount --bind /dev /mnt/dev
- sudo mount --bind /dev/pts /mnt/dev/pts
- sudo mount --bind /sys /mnt/sys
- sudo mount --bind /proc /mnt/proc
- sudo mount /dev/sda4 /mnt/boot
- echo "sda3_crypt UUID=`sudo blkid -s UUID -o value /dev/sda3` none luks" | sudo tee -a /mnt/etc/crypttab
- sudo chroot /mnt locale-gen --purge --no-archive
- sudo chroot /mnt update-initramfs -u
- sudo umount /mnt/proc /mnt/sys /mnt/dev/pts /mnt/dev /mnt/boot /mnt

Now your Linux Mint FDE system is installed. Shut down your Linux Mint live system and restart your PC.

When you get your Veracrypt or Truecrypt pre-boot authentication prompt press ESC on your keyboard.

Pressing ESC you will start your Veracrypt or Truecrypt built-in boot loader.

Now press the number linked to your "/dev/sda4" Linux Mint partition, containing the "/boot" directory, and your Linux Mint FDE will start.

At the cryptsetup prompt enter your physical volume password and ... enjoy.

That is all.

Please keep me informed if you succeed in installing and running this
Windows 7 with Veracrypt or Truecrypt + Linux Mint FDE solution.

Regards.

linux22
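
The post-install fix-up from the post above (the 10 Terminal commands), as an added example script that is not linux22's own code: it wraps the same steps in functions and adds the checks an operator wants before writing to a freshly installed system, in particular refusing to append a crypttab line when blkid returned no UUID, and refusing to append a second line for the same mapping on a re-run. It assumes the layout described in the post (LUKS partition /dev/sda3 opened as sda3_crypt, LVM root at /dev/mapper/mint-root, unencrypted /boot on /dev/sda4); the script name fde-fixup.sh is a placeholder.

```shell
#!/bin/sh
# Added example script (not linux22's own commands): the post-install fix-up
# from the post above, wrapped in functions with basic checks. Assumed layout,
# as in the post: LUKS partition /dev/sda3 opened as sda3_crypt, LVM root at
# /dev/mapper/mint-root, unencrypted /boot on /dev/sda4. The script name
# fde-fixup.sh is a placeholder. Usage (from the live session, as root):
#   sudo sh fde-fixup.sh run /dev/sda3 /dev/sda4
set -eu

# Filesystem/LUKS UUID of a block device; empty string if blkid finds none.
uuid_of() {
    blkid -s UUID -o value "$1" 2>/dev/null || true
}

# Accept only a canonical 8-4-4-4-12 hex UUID. The one-liner in the post pastes
# blkid's output straight into crypttab; if that output is empty (typo in the
# device name, wrong partition) the initramfs gets a line it can never resolve.
valid_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# The crypttab line from the post: "<name> UUID=<uuid> none luks".
crypttab_entry() {
    name=$1; uuid=$2
    valid_uuid "$uuid" || { echo "crypttab_entry: bad UUID '$uuid'" >&2; return 1; }
    printf '%s UUID=%s none luks\n' "$name" "$uuid"
}

# True if FILE already names this mapping (a re-run must not append a duplicate).
crypttab_has() {
    name=$1; file=$2
    [ -f "$file" ] && grep -Eq "^[[:space:]]*${name}[[:space:]]" "$file"
}

# Undo the mounts in reverse order; ignore the ones that were never mounted.
teardown() {
    for m in /mnt/proc /mnt/sys /mnt/dev/pts /mnt/dev /mnt/boot /mnt; do
        umount "$m" 2>/dev/null || true
    done
}

fixup() {
    crypt_dev=$1; boot_dev=$2; name=$3
    entry=$(crypttab_entry "$name" "$(uuid_of "$crypt_dev")")  # aborts on a bad UUID
    mount /dev/mapper/mint-root /mnt
    trap teardown EXIT
    mount --bind /dev /mnt/dev
    mount --bind /dev/pts /mnt/dev/pts
    mount --bind /sys /mnt/sys
    mount --bind /proc /mnt/proc
    mount "$boot_dev" /mnt/boot
    if crypttab_has "$name" /mnt/etc/crypttab; then
        echo "/mnt/etc/crypttab already lists $name, leaving it unchanged" >&2
    else
        printf '%s\n' "$entry" >> /mnt/etc/crypttab
    fi
    chroot /mnt locale-gen --purge --no-archive
    chroot /mnt update-initramfs -u
}

case "${1:-}" in
    run)
        [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
        fixup "$2" "$3" "$(basename "$2")_crypt"   # /dev/sda3 -> sda3_crypt
        ;;
esac
```

The mapper name is derived from the device name (/dev/sda3 becomes sda3_crypt), which is the convention Ubiquity and the post use; the trap guarantees the bind mounts are released even when update-initramfs fails half way.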


linux22 8 years ago

Hello virtualizado, I have read your two further messages. I think you have installed your UEFI+GPT system using my tutorial n. 2061 (Linux Mint 17.1, 17.2 and 17.3 Full Disk Encryption (directory /boot included) - PC with firmware UEFI). So as I just said DO NOT WORRY !!! If you lose your boot but your HDD/SSD and your encrypted partition are undamaged you can access your data using a Live Mint CD and some 'cryptsetup' terminal commands.

I am going to discuss these topics in my coming new appendix (to be released by 31/01/2016 and 29/02/2016) but if you need a quick rescue tool:

1) Start your PC with a Mint Live CD containing the same Linux Mint version installed in your HDD/SSD

2) Open a terminal window and commit the following 2 commands:

- sudo cryptsetup luksOpen /dev/sdXY sdXY_crypt
- sudo mount /dev/mapper/mint-root /mnt

where X and Y are the HDD/SSD letter and the encrypted partition number (if you used the tutorial listed above 'sudo cryptsetup luksOpen /dev/sda2 sda2_crypt')


Now your encrypted partition is mounted under the /mnt directory of your Linux Mint Live System and you can recover, backup or copy all the files that you need.

Here I can not explain the reinstallation of GRUB because it is more complex (the appendix will be available by 29/02/2016).

Finally I can not help you with your xen installation because I have never installed and/or used it.

Please keep me informed if you succeed in rescuing your encrypted partition and your encrypted data/files.

Regards.

linux22
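
The rescue procedure in the post above, as an added example script that is not part of linux22's post: it wraps the two commands in functions and adds the checks a recovery session should have (confirm the partition really is a LUKS container before opening it, activate the volume group explicitly, and mount the root volume read-only so nothing is written to the data being recovered). It assumes the tutorial's layout (LUKS partition /dev/sdXY opened as sdXY_crypt, volume group mint with logical volume root) and the mount point /mnt; the script name fde-rescue.sh is a placeholder.

```shell
#!/bin/sh
# Added example script (not linux22's own commands): the two-command rescue
# from the post above, with checks that protect the data being recovered.
# Assumptions: LUKS partition given as /dev/sdXY, volume group "mint" with
# logical volume "root" (as in the tutorials), mount point /mnt.
# Usage:  sudo sh fde-rescue.sh open /dev/sda2
#         sudo sh fde-rescue.sh close /dev/sda2
set -eu

# /dev/sda2 -> sda2_crypt, the mapper-name convention used throughout the thread.
mapper_name_for() {
    printf '%s_crypt\n' "$(basename "$1")"
}

# device-mapper name of a logical volume: VG and LV joined by '-', with any '-'
# inside a name doubled ("my-vg"/"root" -> my--vg-root). /dev/mapper/mint-root
# works only because neither "mint" nor "root" contains a hyphen.
dm_name() {
    vg=$(printf '%s' "$1" | sed 's/-/--/g')
    lv=$(printf '%s' "$2" | sed 's/-/--/g')
    printf '%s-%s\n' "$vg" "$lv"
}

# Open the container and mount root read-only: a rescue session should not
# modify the volume until the files have been copied out.
rescue_open() {
    dev=$1; name=$(mapper_name_for "$dev")
    cryptsetup isLuks "$dev" || { echo "$dev is not a LUKS device" >&2; return 1; }
    cryptsetup luksOpen "$dev" "$name"       # prompts for the passphrase
    vgchange -ay mint >/dev/null             # activate the LVs if the live system has not
    mount -o ro "/dev/mapper/$(dm_name mint root)" /mnt
    echo "root mounted read-only on /mnt; copy data out, then run: $0 close $dev"
}

# Reverse the steps: unmount, deactivate the VG, close the LUKS mapping.
rescue_close() {
    dev=$1; name=$(mapper_name_for "$dev")
    umount /mnt 2>/dev/null || true
    vgchange -an mint >/dev/null 2>&1 || true
    cryptsetup luksClose "$name"
}

case "${1:-}" in
    open)  rescue_open  "$2" ;;
    close) rescue_close "$2" ;;
esac
```

If you do need to write to the recovered volume (for example to repair GRUB later), remount it read-write explicitly with `mount -o remount,rw /mnt`; the default here is deliberately read-only.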


linux22 8 years ago

Hello virtualizado, I have read your message. I need more details about your installations:

1) what type of installation have you made?
BIOS+MBR, BIOS+GPT or UEFI+GPT?

2) the first time you installed your Linux
Mint FDE configuration, did it work or not?


I have put some notices at the top of my tutorials where I announce the release of two new appendices just concerning your questions.

The first will be available by 31/01/2016 and the second by 29/02/2016.

Anyway remember always that if you lose your boot but your HDD/SSD and your encrypted partition are undamaged you can access your data using a Live Mint CD and some 'cryptsetup' terminal commands.


Regards

linux22


linux22 8 years ago

Hello heikos, I have read your message. It seems that you want/need a Linux FDE with '/boot' partition 'unencrypted' and a Windows 7 installation encrypted with Truecrypt (better Veracrypt because Truecrypt is now a dead project).
I think that this configuration should be possible, but before stating that I must experiment with some things.
I will send you a new message by the end of January 2016.

Regards

linux22


linux22 8 years ago

Hello puzu, I have read your message. I think that the correct commands for building your partitions under the Volume Group mint are:

sudo lvcreate -L 4G mint -n swap
sudo lvcreate -l 10%VG mint -n home
sudo lvcreate -l +100%FREE mint -n root

If you need more details you can see:

https://www.centos.org/docs/5/html/Cluster_Logical_Volume_Manager/LV_create.html

http://linux.die.net/man/8/lvcreate

Anyway, I think that your missing 'memtest86' is not linked to the wrong lvcreate commands.

I think you must check the correctness of the syntax of your commands. Remember the notice inside my tutorial "If you use 'Copy' and 'Paste' to insert these commands in your Terminal window, pay attention for those whose length takes two or more lines. Prior to 'Paste' these long commands in Terminal check them inside an editor and if the command is broken in two or more lines reassemble it correctly over one single line. Then you can 'Paste' the command in your Terminal window."

Regards

linux22


808Souljah 9 years ago

ok I am going to try it with 17.2 It should work. I like the idea of doing this for exercise.