Linux Mint 19.X Tara (but also Ubuntu 17.10 and 18.X) Full Disk Encryption (directory /boot included) Part 3 - PC with UEFI & HDD with GPT


Linux Mint with Full Disk Encryption, directory /boot included
Part 3 - PC with firmware UEFI & HDD with GPT partitioning scheme
Author: Naldi Stefano (linux22 at Mint Forum)
July 2015

Version 3.0

Last update: 27 December 2018


 

Other tutorials concerning Linux Mint with Full Disk Encryption, directory /boot included:

 


Table of contents


GNU Free Documentation License

GNU GENERAL PUBLIC LICENSE

Disclaimer and acknowledgments

Useful links

LINUX MINT FDE INSTALLATION FOR PC WITH UEFI AND HDD WITH GPT

Step 1 - Set up of the Ubiquity configuration file '/lib/partman/check.d/07crypto_check_mountpoints', requires a basic text editor

Step 2 - Set up of the Linux installation, requires Ubiquity

Step 3 - Adjusting and updating of the Linux installation made with Ubiquity, requires a lot of Terminal commands

Appendix A – How to enhance the encryption strength of your Linux Mint FDE (for paranoids, like me)

Appendix B – Emergency tools - How to access your encrypted partition with your Mint or Ubuntu Live CD

Appendix C – Emergency tools - How to reinstall GRUB after ...

Appendix D – How to enable UEFI Secure Boot with your own Custom keys

 

GNU Free Documentation License
Version 1.3, 3 November 2008

Linux Mint with Full Disk Encryption, directory /boot included - PC with UEFI and HDD with GPT

Copyright (C) 2015 2016 2017 2018  2019  2020  2021  Naldi Stefano.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.

You should have received a copy of the "GNU Free Documentation License" along with this document.

If not, see < https://www.gnu.org/licenses/fdl.html >.


GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007

Linux Mint with Full Disk Encryption, directory /boot included - PC with UEFI and HDD with GPT

Copyright (C) 2015 2016 2017 2018  2019  2020  2021  Naldi Stefano

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the "GNU General Public License" along with this program.

If not, see < https://www.gnu.org/licenses/gpl.html >.

 

Linux Mint 19.X Full Disk Encryption (directory /boot included) - PC with firmware UEFI

I wrote this guide/tutorial with the hope that it will be useful for everyone who needs a Linux installation with Full Disk Encryption. The solution reported here is EXPERIMENTAL and needs good experience with Linux and its installation. This guide/tutorial comes with ABSOLUTELY NO WARRANTY.

First of all I must thank Pavel Kogan (http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/ and http://www.pavelkogan.com/2015/01/25/linux-mint-encryption/), because without his publications this solution would never have been possible.

Great thanks go to Callum Cameron, whose advice showed me the correct way to install the system via Ubiquity (see the new structure of Step 1). That is an important achievement because now Ubiquity ends without errors, performing all the expected tasks. Callum has also built many scripts to automate the procedures described in my tutorials. If you want to try and test these scripts see the instructions at https://github.com/CallumCameron/mint-encrypted-install (check whether the scripts have been updated for Mint 19).

Another thank you goes to Michal Krenek (Mikos) for his 'cryptboot' software package (https://github.com/xmikos/cryptboot). In a few pages he has condensed all we need to BUILD and RUN a working UEFI Secure Boot Linux installation. Although this package seems developed for Arch Linux, within it we can find the right commands and advice for almost every Linux distribution.


Other useful links are these:

 

INSTALLATION FOR PC WITH UEFI AND HDD WITH GPT - BEGINNING


The installation requires:

PC with UEFI firmware and Secure Boot disabled, HDD with GPT partitioning scheme.

HDD with at least 25 GB of free space.

Live CD of Mint 19.X Cinnamon or MATE, or Ubuntu 17.10 and above - all 64-bit versions

 

The installation described here assumes:

Installation of Linux on: /dev/sda

Physical volume for encryption reserved for swap, built on: /dev/sda2

Physical volume for encryption reserved for root, built on: /dev/sda3

Boot loader installation point: /boot/efi (inside the EFI partition)

EFI Partition: /dev/sda1

Encrypted volume for swap: /dev/mapper/sda2_crypt

Encrypted volume for root: /dev/mapper/sda3_crypt


IF YOU CHANGE THESE ASSUMPTIONS THEN CHANGE THE UBIQUITY SETTINGS AND THE LISTED TERMINAL COMMANDS ACCORDINGLY !!!


MY ADVICE, BEFORE EXPERIMENTING THIS INSTALLATION ON A REAL PC, IS TO TRY AND INSTALL IT ON A VIRTUAL MACHINE LIKE VIRTUALBOX. WHEN THE USER SUCCEEDS WITH THE INSTALLATION AND BECOMES FAMILIAR WITH THE LISTED TERMINAL COMMANDS THEN HE CAN TRY A REAL INSTALLATION.


The procedure described in this guide/tutorial is divided into 3 steps, followed by 4 appendices:


Step 1 – Set up of the Ubiquity configuration file '/lib/partman/check.d/07crypto_check_mountpoints', requires a basic text editor

Step 2 – Set up of the Linux installation, requires Ubiquity

Step 3 – Adjusting and updating of the Linux installation made with Ubiquity, requires a lot of Terminal commands

Appendix A – How to enhance the encryption strength of your Linux Mint FDE (for paranoids, like me)

Appendix B – Emergency tools - How to access your encrypted partition with your Mint or Ubuntu Live CD

Appendix C – Emergency tools - How to reinstall GRUB after ...

Appendix D – How to enable UEFI Secure Boot with your own Custom keys


The Terminal commands listed in this guide/tutorial are shown one per line (they were typed in RED COLOR in the original web page).


Step 1

Boot your Live CD on the target PC and, when ready, open a Terminal window, then start the 'xed' text editor with the following Terminal command:

sudo xed /lib/partman/check.d/07crypto_check_mountpoints


Now scroll down the file '/lib/partman/check.d/07crypto_check_mountpoints' to the end.


Remove the last nine rows. This disables the check that inhibits Ubiquity from installing the distribution when the /boot directory resides inside an encrypted device. Ubiquity's own boot loader step could not open such a /boot, which is why Step 2 skips that step and Step 3 installs GRUB with cryptodisk support by hand.

 

Then save the file and exit.

 

Step 2

Now start Ubiquity by running the following Terminal command:

sh -c 'ubiquity -b gtk_ui'&

In this way Ubiquity starts with the boot loader installation skipped (option '-b'), and the Ubiquity process can therefore finish without errors.


Once Ubiquity has opened choose your language and your keyboard layout and go on.

 


Then you get the page where you can choose whether to install third-party software or not. Make your choice and go on.

 


Now you are in the 'Installation type' page. Select 'Something else' and click 'Continue'.

 


Now you are in the 'Partition manager' page. Check that your HDD is shown.

 


Now select the free space on your HDD and click '+'. In the popup set 'Size' to at least 512 MB, 'Type for the new partition' to 'Primary', 'Location for the new partition' to 'Beginning of this space' and 'Use as' to 'EFI System Partition', then click 'OK'.

 


Now select the free space on your HDD again and click '+'. In the popup set 'Size' to 4096 MB (or the size you need), 'Type for the new partition' to 'Primary', 'Location for the new partition' to 'Beginning of this space' and 'Use as' to 'physical volume for encryption'. The system will ask for the security key (passphrase) of the physical volume. Enter it twice. If you want to overwrite the empty disk space, check the button below, but remember that it takes a long time.

 


Now select all the remaining free space on your HDD and click '+'. In the popup set 'Type for the new partition' to 'Primary', 'Location for the new partition' to 'Beginning of this space' and 'Use as' to 'physical volume for encryption'. The system will ask for the security key (passphrase) of the physical volume. Enter it twice. If you want to overwrite the empty disk space, check the button below, but remember that it takes a long time.

 


The resulting HDD layout will be something like this.

 


Now select '/dev/mapper/sda2_crypt', click 'Change' and set 'Use as' to 'swap area' from the dropdown menu, then click 'OK'.

 


Now select '/dev/mapper/sda3_crypt', click 'Change' and set 'Use as' to 'Ext4 journaling file system' from the dropdown menu, then select 'Format the partition' and set 'Mount point' to '/'. Then click 'OK'.

If you choose a different file system type (btrfs, JFS, XFS), pay attention in the case of 'btrfs': see Step 3 for the correct handling of a 'btrfs' root file system.

 


The final HDD layout will be something like this. Now click 'Install Now'.

 

 

A popup window named 'Write the changes to disks?' will appear. Click 'Continue'. Then choose your Region and set up your user account. When ready go on and wait until Ubiquity has installed the whole system.

 


At the end of the Ubiquity installation process you will get this popup window. Click 'Continue Testing' and Ubiquity will finish.

 

Step 3

Now we have a Linux system built by Ubiquity that we must adjust and update.

Go back to the Terminal window and run the following 7 commands:

sudo mount /dev/mapper/sda3_crypt /mnt

sudo mount --bind /dev /mnt/dev

sudo mount --bind /dev/pts /mnt/dev/pts

sudo mount --bind /sys /mnt/sys

sudo mount --bind /proc /mnt/proc

sudo mount --bind /run /mnt/run

sudo mount /dev/sda1 /mnt/boot/efi


These commands mount the Linux system previously built by Ubiquity in the directory /mnt, bind the live system's /dev, /sys, /proc and /run into it (needed by the chroot commands that follow), and mount the EFI boot partition in the directory /mnt/boot/efi.

If you have chosen a 'btrfs' type filesystem for your '/dev/mapper/sda3_crypt' device you must substitute the first command

sudo mount /dev/mapper/sda3_crypt /mnt

with this new one

sudo mount -o subvol=@ /dev/mapper/sda3_crypt /mnt

-----

Now run the following 2 (or 9) commands:

sudo mkdir /mnt/media/cdrom

sudo mount --bind /cdrom /mnt/media/cdrom

sudo sed -i.bak 's/#deb cdrom/deb cdrom/' /mnt/etc/apt/sources.list


sudo chroot /mnt apt-get update

sudo chroot /mnt apt-get -y install grub-efi


sudo sed -i.bak 's/deb cdrom/#deb cdrom/' /mnt/etc/apt/sources.list

sudo umount /mnt/media/cdrom

sudo rmdir /mnt/media/cdrom

sudo chroot /mnt apt-get update


The commands that turn the Live CD into a package source (the mkdir and mount --bind of /mnt/media/cdrom, the first sed, and after the install the second sed, umount, rmdir and the final apt-get update) were typed in ORANGE color in the original page and must be run ONLY if you DO NOT HAVE an INTERNET CONNECTION. They permit the installation of package 'grub-efi' from the Linux Mint Live CD. With an Internet connection only 'apt-get update' and 'apt-get -y install grub-efi' are needed.

These commands install the GRUB package for UEFI systems.

-----

Now run the following 5 commands:

sudo mkdir /mnt/etc/keys

sudo dd bs=512 count=4 if=/dev/urandom of=/mnt/etc/keys/crypto_keyfile_swap.key

sudo dd bs=512 count=4 if=/dev/urandom of=/mnt/etc/keys/crypto_keyfile_root.key

sudo cryptsetup luksAddKey /dev/sda2 /mnt/etc/keys/crypto_keyfile_swap.key

sudo cryptsetup luksAddKey /dev/sda3 /mnt/etc/keys/crypto_keyfile_root.key


The fourth and fifth commands in this list of 5 will ask for the passphrases of the encrypted volumes. When the prompt 'Enter any passphrase:' appears, enter them.

These commands create one key file (2048 random bytes) per encrypted volume and add it to the LUKS header as a second key slot. The key files are embedded in the initramfs (next commands), so that after GRUB has unlocked /boot with your passphrase the initramfs can open the root and swap volumes without asking for it a second time. Whoever can read the key files or the initramfs holds a key to the disk; that is why both live inside the encrypted root and are locked down later in this Step. For more details see the articles of Pavel Kogan at http://www.pavelkogan.com.

-----

Now run the following 3 commands:

sudo sed -i.bak 's/#CRYPTSETUP=/CRYPTSETUP=y/' /mnt/etc/cryptsetup-initramfs/conf-hook

echo "KEYFILE_PATTERN=\"/etc/keys/*.key\"" | sudo tee -a /mnt/etc/cryptsetup-initramfs/conf-hook

echo "UMASK=0077" | sudo tee -a /mnt/etc/initramfs-tools/initramfs.conf


These commands instruct the system to include the key files matching '/etc/keys/*.key' in the initramfs whenever it is rebuilt, and to create the initramfs file with mode 0600 (UMASK=0077) so that unprivileged users cannot read the embedded keys.

This option has been provided by Debian in package 'cryptsetup' since version 1.7.3.

So custom hooks are no longer required.

For more details see § "12. Storing keyfiles directly in the initrd" at the end of the documentation file '/usr/share/doc/cryptsetup/README.initramfs.gz'.

-----

Now run the following 3 commands:

sudo truncate -s 0 /mnt/etc/crypttab

echo "sda3_crypt UUID=`sudo blkid -s UUID -o value /dev/sda3` /etc/keys/crypto_keyfile_root.key luks" | sudo tee -a /mnt/etc/crypttab

echo "sda2_crypt UUID=`sudo blkid -s UUID -o value /dev/sda2` /etc/keys/crypto_keyfile_swap.key luks" | sudo tee -a /mnt/etc/crypttab

These commands empty and then rewrite the crypttab file, so that each volume is identified by its UUID (read with blkid) and unlocked with its key file. For more details see the articles of Pavel Kogan at http://www.pavelkogan.com and the tutorial from the Ubuntu Official Documentation page at https://help.ubuntu.com/community/EncryptedFilesystemsViaUbiquity.

-----

Now run the following 2 commands:

sudo chmod -R g-rwx,o-rwx /mnt/boot

sudo chmod -R g-rwx,o-rwx /mnt/etc/keys


These commands remove all group and other permissions from the directories containing the initrd images and the key files of the encrypted partitions. Expect 'Operation not permitted' messages for the entries under /mnt/boot/efi: the EFI System Partition is FAT, which does not store Unix permissions, so chmod cannot change them. That is harmless, the ESP holds nothing secret.

-----

Now run the following 2 commands:

sudo chroot /mnt locale-gen --purge --no-archive

sudo chroot /mnt update-initramfs -u

These commands regenerate the locales and rebuild the initramfs, which now embeds the key files.

-----

Now run the following 3 commands:

sudo sed -i.bak 's/GRUB_HIDDEN_TIMEOUT=0/#GRUB_HIDDEN_TIMEOUT=0/' /mnt/etc/default/grub

sudo sed -i '10a GRUB_ENABLE_CRYPTODISK=y' /mnt/etc/default/grub

sudo sed -i 's|GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"|GRUB_CMDLINE_LINUX_DEFAULT="quiet splash cryptdevice=/dev/sda3:sda3_crypt"|' /mnt/etc/default/grub

These commands update the grub file. 'GRUB_ENABLE_CRYPTODISK=y' is the setting that lets GRUB open the encrypted partition holding /boot. Note that the Debian/Ubuntu initramfs unlocks the volumes from /etc/crypttab and does not read the 'cryptdevice=' kernel parameter (an Arch Linux convention); it is harmless here. For more details see the articles of Pavel Kogan at http://www.pavelkogan.com.

Otherwise you can edit the grub file with 'sudo xed /mnt/etc/default/grub' and modify the directives inside in this way:

############################################################
GRUB_DEFAULT=0
#GRUB_HIDDEN_TIMEOUT=0
GRUB_HIDDEN_TIMEOUT_QUIET=true
GRUB_TIMEOUT=10
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_ENABLE_CRYPTODISK=y
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash cryptdevice=/dev/sda3:sda3_crypt"
GRUB_CMDLINE_LINUX=""
############################################################

-----

Now run the following 3 commands:

sudo chroot /mnt update-grub

sudo chroot /mnt grub-mkconfig -o /boot/grub/grub.cfg

sudo chroot /mnt grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=Mint --boot-directory=/boot --modules="all_video boot btrfs cat chain configfile crypto cryptodisk disk diskfilter echo efifwsetup efinet ext2 fat font gettext gcry_arcfour gcry_blowfish gcry_camellia gcry_cast5 gcry_crc gcry_des gcry_dsa gcry_idea gcry_md4 gcry_md5 gcry_rfc2268 gcry_rijndael gcry_rmd160 gcry_rsa gcry_seed gcry_serpent gcry_sha1 gcry_sha256 gcry_sha512 gcry_tiger gcry_twofish gcry_whirlpool gfxmenu gfxterm gfxterm_background gzio halt hfsplus iso9660 jpeg keystatus loadenv loopback linux linuxefi lsefi lsefimmap lsefisystab lssal luks lvm mdraid09 mdraid1x memdisk minicmd normal part_apple part_msdos part_gpt password_pbkdf2 png raid5rec raid6rec reboot search search_fs_uuid search_fs_file search_label sleep squash4 test true verify video zfs zfscrypt zfsinfo" --recheck


These commands update GRUB and generate a single GRUB EFI file, named 'grubx64.efi', which contains the boot loader with all the files and modules required ('update-grub' is just a wrapper around 'grub-mkconfig -o /boot/grub/grub.cfg', so the second command repeats the first and is harmless). I chose '--bootloader-id=Mint', so grub built a directory named '/boot/efi/EFI/Mint' and an EFI NVRAM entry named 'Mint'.

You can see that I have abandoned the previous configuration with grub-mkstandalone. At the moment I think that this configuration with the standard grub-install is preferable because only one file remains exposed outside the encrypted partition. This file is the EFI boot loader 'grubx64.efi'. You can also protect this file using UEFI Secure Boot (see Appendix D), provided the firmware setup is password-protected so that Secure Boot cannot simply be switched off. In this way you mitigate an "Evil Maid" attack on the boot loader.

It seems that the latest version of GRUB now installs both '/boot/efi/EFI/Mint/grubx64.efi' and '/boot/efi/EFI/BOOT/bootx64.efi'. So the UEFI default boot entry is now automatically built by the command 'grub-install'.

-----

Now run the last 2 commands:

sudo rm -r /mnt/boot/efi/EFI/ubuntu

sudo umount /mnt/boot/efi /mnt/proc /mnt/dev/pts /mnt/dev /mnt/sys /mnt/run /mnt


The first command removes the 'ubuntu' directory inside the 'EFI' directory. The second one unmounts the whole Linux system built by Ubiquity, now adjusted and updated.
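Before unmounting and rebooting it is worth checking what Step 3 has produced, because a key file that is group/other readable or missing from crypttab only shows up later as a second passphrase prompt or as a boot failure. The script below is an added example for this page, not code from the original tutorial or from the authors it credits: it audits the target system still mounted under /mnt (the path, device names and file locations are the assumptions listed at the top of this tutorial) and prints one line per check. Run it as root from the live system before the umount command above; it also works on any other tree, and when sourced it exposes the single check functions.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): audit the result of Step 3 while the
# target system is still mounted under /mnt from the live CD.
# Usage:  sudo sh fde_check.sh /mnt
# Each check prints "ok" or "FAIL"; fde_check returns the number of failed checks.

# Return 0 if the file "$1" has a line matching the extended regex "$2".
has_line() {
    grep -qE -- "$2" "$1" 2>/dev/null
}

# Return 0 if nothing under directory "$1" grants any permission to group or other.
# "$2" (optional) is a sub-path to skip: the FAT-formatted ESP carries no Unix modes.
# Symlinks are skipped too (their mode is always 777 and carries no meaning).
no_group_other_access() {
    [ -d "$1" ] || return 1
    leaks=$(find "$1" -xdev \( -path "${2:-/nonexistent}" -prune -o -type l \) -o -exec ls -ld {} + |
            awk 'substr($1, 5, 6) != "------" { print $NF }')
    [ -z "$leaks" ]
}

# Return 0 if every key file named in /etc/crypttab under root "$1" exists there.
crypttab_keys_exist() {
    root=$1
    [ -f "$root/etc/crypttab" ] || return 1
    missing=0
    # crypttab columns: target  device  keyfile  options ; comments and blanks skipped
    while read -r target device keyfile options; do
        case $target in ''|'#'*) continue ;; esac
        [ "$keyfile" = none ] && continue
        [ -f "$root$keyfile" ] || missing=$((missing + 1))
    done < "$root/etc/crypttab"
    [ "$missing" -eq 0 ]
}

# Optional: confirm the key files really went into the initrd (needs lsinitramfs from
# initramfs-tools and a real initrd, so it is not part of fde_check).
initrd_has_keys() {
    for img in "$1"/boot/initrd.img-*; do
        lsinitramfs "$img" | grep -q 'etc/keys/.*\.key' || return 1
    done
}

# fde_check ROOT : run every check against the system tree mounted at ROOT.
fde_check() {
    root=${1:-/mnt}
    fails=0
    report() {  # report DESCRIPTION STATUS
        if [ "$2" -eq 0 ]; then echo "ok    $1"; else echo "FAIL  $1"; fails=$((fails + 1)); fi
    }
    has_line "$root/etc/cryptsetup-initramfs/conf-hook" '^CRYPTSETUP=y'
    report "conf-hook: CRYPTSETUP=y" $?
    has_line "$root/etc/cryptsetup-initramfs/conf-hook" '^KEYFILE_PATTERN="?/etc/keys/\*\.key"?'
    report "conf-hook: KEYFILE_PATTERN=/etc/keys/*.key" $?
    has_line "$root/etc/initramfs-tools/initramfs.conf" '^UMASK=0077'
    report "initramfs.conf: UMASK=0077 (initrd created mode 0600)" $?
    has_line "$root/etc/default/grub" '^GRUB_ENABLE_CRYPTODISK=y'
    report "default/grub: GRUB_ENABLE_CRYPTODISK=y" $?
    crypttab_keys_exist "$root"
    report "crypttab: every key file it names exists" $?
    no_group_other_access "$root/etc/keys"
    report "/etc/keys: no group/other access" $?
    no_group_other_access "$root/boot" "$root/boot/efi"
    report "/boot: no group/other access (ESP skipped)" $?
    [ -f "$root/boot/efi/EFI/Mint/grubx64.efi" ]
    report "ESP: EFI/Mint/grubx64.efi present" $?
    echo "$fails check(s) failed"
    return "$fails"
}

# Run the audit only when a path is given, so the file can also be sourced for its functions.
if [ $# -gt 0 ]; then fde_check "$1"; fi
```

A non-zero exit means at least one setting differs from what the commands of this Step should have produced; fix it before the umount, while the chroot is still available.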

 

---------------------------------------------------------------------------------------------------------------------------------------------------

 

Now you can shut down the Live CD system and restart.

When your brand new Linux FDE starts, GRUB will ask for the LUKS passphrase.

Type the passphrase of the encrypted root volume (GRUB names it hd0,gpt3).

Then the system will show the GRUB menu.

Wait until the countdown expires or press ENTER.

Then the system will show the usual Mint logo and then the cryptsetup messages for 'sda3_crypt' and 'sda2_crypt', which are unlocked with the key files without further prompts.

When the login page appears, enter your username and your password and ... enjoy.

INSTALLATION FOR PC WITH UEFI AND HDD WITH GPT - END

 

Appendix A

How to enhance the encryption strength of your Linux Mint FDE (for paranoids, like me)


You can see at the start of this tutorial that it is Ubiquity that creates the encrypted partitions.

But you can enhance the strength of your Linux Mint FDE by creating the encrypted partitions yourself, with the characteristics of your choice.


My first advice for a stronger encrypted installation is:

Boot your Live CD on the target PC and when ready ...

  • Remember that this Appendix also uses the same assumptions listed above
  • Do not even start Ubiquity

 

Open a Terminal window and run the following 12 commands:

sudo parted -s /dev/sda mklabel gpt

sudo parted -s /dev/sda mkpart ESP fat32 1MiB 513MiB

sudo mkfs.vfat -F32 /dev/sda1

sudo parted -s /dev/sda set 1 boot on

sudo parted -s /dev/sda mkpart primary 513MiB 4100MiB

sudo cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/sda2

sudo cryptsetup luksOpen /dev/sda2 sda2_crypt

sudo mkswap /dev/mapper/sda2_crypt

sudo parted -s /dev/sda mkpart primary 4100MiB 100%

sudo cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/sda3

sudo cryptsetup luksOpen /dev/sda3 sda3_crypt

sudo mkfs.ext4 /dev/mapper/sda3_crypt

 

The sixth and tenth commands listed above will ask you to type 'YES' (in uppercase) to continue; then remember to turn Caps Lock off when they ask you to enter the passphrase twice !!! If your live medium ships cryptsetup 2.1 or newer, add '--type luks1' to those two commands: their default format became LUKS2, which GRUB 2.02 (Mint 19 / Ubuntu 18.04) and 2.04 cannot unlock (LUKS2 support arrived with GRUB 2.06, and only for PBKDF2 key slots). Ubiquity on Mint 19 creates LUKS1 volumes, so the main procedure is not affected.

Now start from Step 1 of this guide/tutorial and go on until the end of Step 3. Naturally in Step 2 you will find the HDD already configured with the partitions for EFI, swap and root. So for the swap area you must only select '/dev/mapper/sda2_crypt', click 'Change' and set 'Use as' to 'swap area' from the dropdown menu, then click 'OK'. Then for the root filesystem you must only select '/dev/mapper/sda3_crypt', click 'Change' and set 'Use as' to 'Ext4 journaling file system' from the dropdown menu, then select 'Format the partition' and set 'Mount point' to '/'. Then click 'OK'.
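Once the volumes exist you should confirm that the header really carries the parameters you asked for, and that it is a header GRUB can open. The script below is an added example, not part of the original tutorial: it parses the output of 'cryptsetup luksDump' and checks the version (GRUB 2.02 and 2.04 open LUKS1 only; cryptsetup 2.1 and later default to LUKS2 unless '--type luks1' is given), the cipher, mode, key size and hash chosen above, and the number of enabled key slots, which after Step 3 must be exactly two (your passphrase plus the key file) and before Step 3 exactly one. The device names are the tutorial's assumptions; the expected-slot argument is mine.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): check that a LUKS header carries the
# parameters chosen in Appendix A and can be opened by the GRUB of Mint 19 / Ubuntu 18.04.
# Usage:  sudo sh luks_check.sh /dev/sda3        (2 enabled key slots expected, after Step 3)
#         sudo sh luks_check.sh /dev/sda3 1      (right after luksFormat, before Step 3)

# Read 'cryptsetup luksDump' text on stdin and print one line:
#   version cipher mode hash mk_bits enabled_slots
parse_luks_dump() {
    awk -F ':[ \t]*' '
        $1 == "Version"     { version = $2 }
        $1 == "Cipher name" { cipher  = $2 }
        $1 == "Cipher mode" { mode    = $2 }
        $1 == "Hash spec"   { hash    = $2 }
        $1 == "MK bits"     { bits    = $2 }
        /^Key Slot [0-9]+: ENABLED/ { slots++ }
        END { printf "%s %s %s %s %s %d\n", version, cipher, mode, hash, bits, slots }'
}

# Read the parse_luks_dump line on stdin; return 0 only if the header is LUKS1 with
# aes-xts-plain64, a 512-bit master key, sha512 and exactly "$1" enabled key slots.
# More slots than you added means a key you do not know about.
luks_params_ok() {
    want_slots=${1:-2}
    read -r version cipher mode hashspec bits slots
    status=0
    [ "$version" = 1 ]           || { echo "FAIL LUKS version '$version': GRUB 2.02/2.04 cryptodisk opens LUKS1 only"; status=1; }
    [ "$cipher" = aes ]          || { echo "FAIL cipher '$cipher', expected aes"; status=1; }
    [ "$mode" = xts-plain64 ]    || { echo "FAIL mode '$mode', expected xts-plain64"; status=1; }
    [ "$hashspec" = sha512 ]     || { echo "FAIL hash '$hashspec', expected sha512"; status=1; }
    [ "$bits" = 512 ]            || { echo "FAIL master key '$bits' bits, expected 512"; status=1; }
    [ "$slots" = "$want_slots" ] || { echo "FAIL $slots enabled key slot(s), expected $want_slots"; status=1; }
    [ "$status" -eq 0 ] && echo "ok: LUKS1 aes-xts-plain64, 512-bit key, sha512, $slots key slot(s)"
    return "$status"
}

# luks_header_ok DEVICE [EXPECTED_SLOTS] : run both steps on a real device (needs root).
luks_header_ok() {
    cryptsetup luksDump "$1" | parse_luks_dump | luks_params_ok "${2:-2}"
}

if [ $# -gt 0 ]; then luks_header_ok "$@"; fi
```

Run it once right after the two luksFormat commands (expecting 1 slot) and again at the end of Step 3 (expecting 2); any other count means a key slot was added that this tutorial did not create.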


My second advice is:

Replace the eleventh and twelfth commands listed in Step 3 of this tutorial:

'sudo dd bs=512 count=4 if=/dev/urandom of=/mnt/etc/keys/crypto_keyfile_swap.key'

'sudo dd bs=512 count=4 if=/dev/urandom of=/mnt/etc/keys/crypto_keyfile_root.key'

with these two:

'sudo dd bs=512 count=4 if=/dev/random iflag=fullblock of=/mnt/etc/keys/crypto_keyfile_swap.key'

'sudo dd bs=512 count=4 if=/dev/random iflag=fullblock of=/mnt/etc/keys/crypto_keyfile_root.key'

 

Warning: on the 4.x kernels shipped with Mint 19 these two commands can take a long time - approx. 30-60 minutes on my PC with an i5 CPU - because /dev/random blocks until the kernel has gathered enough entropy (typing and moving the mouse speed it up); this happens only during the installation. On Linux 5.6 and later /dev/random no longer blocks once the pool has been initialised and yields the same quality as /dev/urandom, so there the two variants are equivalent and there is no wait.


My third and last advice for raising the security level of your Linux Mint FDE is:

Put your GRUB boot file 'bootx64.efi' on a removable USB flash drive inside a directory named '/EFI/BOOT', and delete the copies left on the internal EFI System Partition, otherwise the firmware can still boot from them. In this way the boot of your computer is possible only if you have the right USB flash drive with the right files; the drive then becomes the one unencrypted component and must be guarded like the passphrase. If you use this solution you will probably need the UEFI boot menu to start the system.

---

Anyway, even after these enhancements, you must not think that you are invulnerable.

You are vulnerable when you leave your system on and unattended, and when you are connected to a network or to the internet.

And finally you must never forget that if your files are really interesting to the bad guys, the ugly truth is probably best depicted in this comic strip:

 


I found this comic strip on the internet some years ago. Below you can see the links to its repositories and its license.

https://xkcd.com/538/

http://www.explainxkcd.com/wiki/index.php/538:_Security

http://creativecommons.org/licenses/by-nc/2.5/

 

Appendix B

Emergency tools - How to access your encrypted partition with your Mint or Ubuntu Live CD

If your system does not start because of a PC hardware failure, damaged boot-up files, etc., but you are sure that your HDD (containing the encrypted partition) is OK, you can access your data using the following procedure.

Start your PC with a Mint Live CD containing the same Linux Mint version installed on your HDD.

When your live system is up and running, open a terminal window and run the following 2 commands:

sudo cryptsetup luksOpen /dev/sda3 sda3_crypt

sudo mount /dev/mapper/sda3_crypt /mnt


In this example we assume that your HDD resides in the installation PC and that you followed the installation procedure listed in this tutorial. Otherwise change the device names and numbers accordingly.

Remember that if you have chosen a 'btrfs' type filesystem for your '/dev/mapper/sda3_crypt' device you must substitute the second command

sudo mount /dev/mapper/sda3_crypt /mnt

with this new one

sudo mount -o subvol=@ /dev/mapper/sda3_crypt /mnt


Now your encrypted partition is mounted under the /mnt directory of your Linux Mint live system and you can recover, back up or copy all the files that you need.


Appendix C

Emergency tools - How to reinstall GRUB after ...


To reinstall GRUB after a:

- GRUB package update/upgrade
- Boot up failure
- Booting files damage
- Linux Mint release upgrade
- Linux kernel release upgrade

the first step is to gain access to your encrypted partition using the procedure listed in Appendix B of this tutorial.

Once you have a Linux Mint or Ubuntu Live CD system up and running and your encrypted partition mounted under the "/mnt" directory, you can proceed with the reconfiguration of GRUB.

You must only repeat 13 Terminal commands already listed in Step 3 of this tutorial:


sudo cryptsetup luksOpen /dev/sda2 sda2_crypt

sudo mount --bind /dev /mnt/dev

sudo mount --bind /dev/pts /mnt/dev/pts

sudo mount --bind /sys /mnt/sys

sudo mount --bind /proc /mnt/proc

sudo mount --bind /run /mnt/run

sudo mount /dev/sda1 /mnt/boot/efi

sudo chroot /mnt locale-gen --purge --no-archive

sudo chroot /mnt update-initramfs -u

sudo chroot /mnt update-grub

sudo chroot /mnt grub-mkconfig -o /boot/grub/grub.cfg

sudo chroot /mnt grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=Mint --boot-directory=/boot --modules="all_video boot btrfs cat chain configfile crypto cryptodisk disk diskfilter echo efifwsetup efinet ext2 fat font gettext gcry_arcfour gcry_blowfish gcry_camellia gcry_cast5 gcry_crc gcry_des gcry_dsa gcry_idea gcry_md4 gcry_md5 gcry_rfc2268 gcry_rijndael gcry_rmd160 gcry_rsa gcry_seed gcry_serpent gcry_sha1 gcry_sha256 gcry_sha512 gcry_tiger gcry_twofish gcry_whirlpool gfxmenu gfxterm gfxterm_background gzio halt hfsplus iso9660 jpeg keystatus loadenv loopback linux linuxefi lsefi lsefimmap lsefisystab lssal luks lvm mdraid09 mdraid1x memdisk minicmd normal part_apple part_msdos part_gpt password_pbkdf2 png raid5rec raid6rec reboot search search_fs_uuid search_fs_file search_label sleep squash4 test true verify video zfs zfscrypt zfsinfo" --recheck

sudo umount /mnt/boot/efi /mnt/proc /mnt/dev/pts /mnt/dev /mnt/sys /mnt/run /mnt


Now your original Linux Mint FDE GRUB configuration has been reinstalled and you can restart your PC.
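The thirteen commands above are easy to get wrong under stress: a bind mount forgotten, or /mnt/dev unmounted before /mnt/dev/pts. The script below is an added example, not part of the original tutorial, that wraps them in functions with a fixed mount order and the exact reverse unmount order; with DRYRUN=1 it only prints what it would run, so you can review the sequence before touching the disk. The device names, the /mnt mount point and the GRUB module list are the tutorial's own assumptions; the 'rescue' argument and the DRYRUN variable are mine.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): enter and leave the installed system's
# chroot from a live CD in a fixed order, then rerun the GRUB commands of Step 3.
# Usage:  sudo sh grub_rescue.sh rescue [ext4|btrfs]      (DRYRUN=1 prints instead of running)

# Execute "$@", or just echo it when DRYRUN=1.
run() { if [ "${DRYRUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Pseudo filesystems the chroot needs, in mount order (dev before dev/pts).
BINDS="dev dev/pts sys proc run"

# Module list from Step 3, so the core image can open the encrypted partition by itself.
GRUB_MODULES="all_video boot btrfs cat chain configfile crypto cryptodisk disk diskfilter echo efifwsetup efinet ext2 fat font gettext gcry_arcfour gcry_blowfish gcry_camellia gcry_cast5 gcry_crc gcry_des gcry_dsa gcry_idea gcry_md4 gcry_md5 gcry_rfc2268 gcry_rijndael gcry_rmd160 gcry_rsa gcry_seed gcry_serpent gcry_sha1 gcry_sha256 gcry_sha512 gcry_tiger gcry_twofish gcry_whirlpool gfxmenu gfxterm gfxterm_background gzio halt hfsplus iso9660 jpeg keystatus loadenv loopback linux linuxefi lsefi lsefimmap lsefisystab lssal luks lvm mdraid09 mdraid1x memdisk minicmd normal part_apple part_msdos part_gpt password_pbkdf2 png raid5rec raid6rec reboot search search_fs_uuid search_fs_file search_label sleep squash4 test true verify video zfs zfscrypt zfsinfo"

# enter_chroot ROOT_DEV ESP_DEV [MNT] [ext4|btrfs] : mount root, bind mounts, then the ESP.
enter_chroot() {
    root_dev=$1; esp_dev=$2; mnt=${3:-/mnt}; fstype=${4:-ext4}
    if [ "$fstype" = btrfs ]; then
        run mount -o subvol=@ "$root_dev" "$mnt"   # Ubiquity puts / in the @ subvolume
    else
        run mount "$root_dev" "$mnt"
    fi
    for d in $BINDS; do run mount --bind "/$d" "$mnt/$d"; done
    run mount "$esp_dev" "$mnt/boot/efi"
}

# leave_chroot [MNT] : unmount everything in exact reverse order, ESP first, root last.
leave_chroot() {
    mnt=${1:-/mnt}
    run umount "$mnt/boot/efi"
    reversed=""
    for d in $BINDS; do reversed="$d $reversed"; done
    for d in $reversed; do run umount "$mnt/$d"; done
    run umount "$mnt"
}

# reinstall_grub [MNT] : the Step 3 initramfs and GRUB commands, inside the chroot.
reinstall_grub() {
    mnt=${1:-/mnt}
    run chroot "$mnt" locale-gen --purge --no-archive
    run chroot "$mnt" update-initramfs -u
    run chroot "$mnt" update-grub
    run chroot "$mnt" grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=Mint --boot-directory=/boot --modules="$GRUB_MODULES" --recheck
}

# Whole Appendix C in one go (open both LUKS volumes so the initramfs also sees the swap).
if [ "${1:-}" = rescue ]; then
    run cryptsetup luksOpen /dev/sda3 sda3_crypt
    run cryptsetup luksOpen /dev/sda2 sda2_crypt
    enter_chroot /dev/mapper/sda3_crypt /dev/sda1 /mnt "${2:-ext4}"
    reinstall_grub /mnt
    leave_chroot /mnt
fi
```

Preview with 'DRYRUN=1 sh grub_rescue.sh rescue' first; the printed sequence must match the thirteen commands above, with /mnt/run included in the unmounts.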


Appendix D

How to enable UEFI Secure Boot with your own Custom keys

You can find this topic at https://community.linuxmint.com/tutorial/view/2496

Comments
observativetiger 3 years ago

First off thank you linux22 for taking the time to write these tuts. I've been running two systems on NUC for the past few years using your tuts and they have been solid. I've used Appendix B and C to recover from no boots in the past. However this time it didn't work, on the same machines it previously worked to recover grub. I had to use part of the answer in https://askubuntu.com/a/1203713/344185. I installed grub-efi outside chroot, enabled GRUB_ENABLE_CRYPTODISK=y in /etc/default (followed by update-grub) in order to reinstall grub. Also had to add /dev/sda to your chroot grub-install command to get x86_64-efi to find the file verify.mod (which didn't actually exist until the install of grub-efi) Just thought you'd like to know. Would love to see this tut for LM20+ with GRUB not EFI-stub. Cheers!


linux22 3 years ago

Hello, user108, I have read your message. Please post your query on Mint Forum at: https://forums.linuxmint.com/viewtopic.php?f=42&t=198077
Please detail more your question and your needs.

Regards.

linux22


user108 3 years ago

How do I add a separate home partition & include it with the other partitions so it gets unlocked automatically, without having to enter the encryption password twice?

Thx kindly!


bigbuka 4 years ago

I followed these instructions and my installation has been working great for the last year. I am now looking to expand my storage and I am wondering if there's a way to migrate my home folder to a new drive and encrypt it on the new drive and keep booting off my current drive with encrypted boot without reinstalling mint? Thanks!


linux22 7 years ago



Hello Luyseyal, I have read your message.

I do not understand what you mean by "BTRFS on /dev/nvme0n1".

Can you run 'blkid' on your machine and post it here?

Remember that you can choose a BTRFS filesystem only for your / (root) directory inside your LVM volume !

Have you run the command 'sudo mount -o subvol=@ /dev/mapper/mint-root /mnt' instead of 'sudo mount /dev/mapper/mint-root /mnt' as the first command of Step 4?

Remember that my new grub-install configuration requires the preloading of a lot of modules that are needed for booting an encrypted partition, and also in case of an installation with Secure Boot enabled.

In my installations running on VirtualBox and on my test machines the BTRFS filesystem on / (root) works without error.

Please keep me informed about your progress.

Regards

linux22


Luyseyal 7 years ago

My setup: GPT, LUKS, LVM, BTRFS on /dev/nvme0n1

While this tutorial mostly worked, I had trouble. grub-install insisted on installing the grub bootloader to look for /@/boot/grub as the prefix. This, of course, is a non-starter since only the EFI partition is available at boot time (until you run cryptomount).

Worse, neither luks nor lvm were compiled into the bootloader by grub-install. So I had to use the USB key Linux Mint to keep booting manually until I figured it out.

How I fixed it. As root...

mkdir -p '/boot/efi/@/boot/grub/x86_64-efi'
cp /boot/grub/x86_64-efi/* /boot/efi/@/boot/grub/x86_64-efi/
cp /boot/grub/efi/EFI/Mint/grub.cfg /boot/efi/@/boot/grub/grub.cfg
vim /boot/efi/@/boot/grub/grub.cfg

# cat /boot/efi/@/boot/grub/grub.cfg
## Added these three lines
insmod luks
cryptomount -a
insmod lvm
## This is from the original grub.cfg
search.fs_uuid uuid-string-here root lvmid/uuid-string2-here
set prefix=($root)'/@/boot/grub'
configfile $prefix/grub.cfg


I had to remove the following line to prevent an error with it trying to decrypt the disk twice:
/etc/default/grub:
GRUB_ENABLE_CRYPTODISK=y

(Also, I don't bother with PRELOAD_MODULES since I'm manually loading luks/lvm in the file above before /boot is decrypted.)


linux22 7 years ago

Hello zeina, I have read your message, I think you must check your FDE
installation and/or retry a new installation (reading your item 3 I
think something has gone wrong), checking then if your issues remain.
Anyway these are my advices:



1. The problem with file /mnt/sbin/initctl.REAL seems to occur up to Mint 17.2. With Mint 17.3 and above it seems solved.

2. I don't have an EFI folder inside my /boot/. I only have a couple of files and a /grub/ directory. Is that a problem? (I set my VM to simulate EFI).

Inside your /boot directory must be present a /boot/efi directory.
Your EFI boot partition is mounted by the system over that directory
(see Step 1).

3. After I rebooted the system for the first time after the installation my grub menu only had one single entry saying "*Ubuntu". I pressed enter and got the following error:
"error: failure reading sector 0x0 from `hd0'.
Attempting to decrypt master key...
Enter passphrase for hd1,gpt2 (7e.....)"
Then I entered the passphrase and the system nevertheless continued to boot and even said "sda2_crypt setup successfully". After bootup was completed I couldn't press mouse buttons and only a few keys on my keyboard were working (wtf!?). Then I reset my VM and booted once again. This time the entry in the grub menu was correct "Linux Mint..." and I also didn't get any error messages. Everything else (mouse/keyboard) was working normally again.

I have experienced a few malfunctions installing Mint 18 and 18.1. Sometimes, after the login, the screen remains black and freezes, and the keyboard and the mouse do not work correctly. In this case I switch to the command console with CTRL+ALT+F2. Then I reboot with CTRL+ALT+DEL. Usually at the next boot it works correctly. I think it is a problem with the new kernel video drivers. Sometimes you can avoid this issue by setting GRUB_CMDLINE_LINUX_DEFAULT="quiet splash nomodeset" in your /etc/default/grub file, but your video performance will be badly affected. Usually this problem is superseded by updating the system with mintUpdate.


4. How is the boot partition encrypted now? I wonder because it was not included in the LVM we encrypted!? And in the title it says "directory /boot included".

If you have followed this guide/tutorial you can see that you have two partitions. The first one is /dev/sda1, the EFI boot partition where your grubx64.efi boot file resides. The second one is /dev/sda2. This partition is the physical encrypted partition. On this partition we build an LVM volume which holds two logical volumes, one named 'swap' and one named 'root'. Your /boot directory is automatically built by the system under your 'root' logical volume.

5. Isn't using keyfiles considered to be less secure than using passphrases? In another tutorial it says:
"When booting with total encryption, it is necessary to enter the password twice, once for grub and once for the kernel to decrypt the LUKS partition Entering a password only once to unlock is possible by using a keyfile that is stored in the initrd file, but anyone can access it and then use it to decrypt the LUKS-encrypted partition!"

You can see that the initrd file is located under the boot directory. This directory is restricted to the root user. So you can reach the initrd file only if you have started the PC by entering the LUKS passphrase and you can act as superuser with sudo. But I think that you do not tell your LUKS passphrase or your user password to anybody. If no one except you knows these two passwords your system is reasonably secure.

6. I wanted to have a separate /home/ directory, so I just used "sudo lvcreate -L 10G mint -n home" and later set it as /home in the Ubiquity partitioning page. That's it, right? Nothing more to do?

I think so. But remember that your /home directory is built as a logical volume under your LVM volume group, so you cannot deal with it like a normal ext partition!!!


Please keep me informed about progress.


Regards

linux22
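As an added example (not part of the tutorial or of linux22's reply), a small POSIX shell audit of the two properties the answer to question 5 relies on: that /boot, and so the initrd carrying the keyfile, lives on the encrypted root mapping, and that the initrd is not readable by other users. The mount tables below are constructed; the device name /dev/mapper/mint-root follows the tutorial's volume group 'mint', and on a real system you would pass the contents of /proc/mounts and the real initrd path.

```shell
# Added audit helper, not the tutorial's own code: verifies that /boot (and
# therefore the initrd holding the LUKS keyfile) sits on the encrypted root
# mapping and that the initrd grants no permissions to non-root users.

# Print the device backing the longest mount point that covers PATH ($1).
# $2 is text in /proc/mounts format (on a real system: "$(cat /proc/mounts)").
device_for_path() {
  printf '%s\n' "$2" | awk -v p="$1" '
    NF >= 2 {
      mnt = $2
      pre = (mnt == "/") ? "/" : (mnt "/")
      if ((p == mnt || index(p, pre) == 1) && length(mnt) > length(best)) {
        best = mnt; dev = $1
      }
    }
    END { print dev }'
}

# Succeed only when /boot is served by a device-mapper (LUKS/LVM) device.
boot_is_encrypted() {
  case "$(device_for_path /boot "$1")" in
    /dev/mapper/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Succeed only when FILE has no group/other permission bits (e.g. mode 0600),
# read from the symbolic mode column of ls -ld (portable, no GNU stat needed).
initrd_is_private() {
  [ -f "$1" ] || return 1
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample mount tables: the layout this tutorial produces, and a
# conventional layout with a plaintext /boot partition for comparison.
MOUNTS_FDE='/dev/mapper/mint-root / ext4 rw,relatime 0 0
/dev/sda1 /boot/efi vfat rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0'
MOUNTS_PLAIN='/dev/mapper/mint-root / ext4 rw,relatime 0 0
/dev/sda2 /boot ext4 rw,relatime 0 0
/dev/sda1 /boot/efi vfat rw,relatime 0 0'

# Stand-alone run: report both checks, using a temporary stand-in for the initrd.
audit_demo() {
  tmp=$(mktemp) || return 1
  chmod 600 "$tmp"
  boot_is_encrypted "$MOUNTS_FDE"   && echo "tutorial layout: /boot is on the encrypted root"
  boot_is_encrypted "$MOUNTS_PLAIN" || echo "plain layout: /boot is NOT encrypted"
  initrd_is_private "$tmp"          && echo "initrd mode 0600: keyfile not exposed to other users"
  rm -f "$tmp"
}
```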


zeina 7 years ago


Hi,

first of all, big thanks for all your effort! I've been searching the whole web for this here.

I have a couple of remarks/bugs(?)/questions after my installation in a VM of LM 18.1 Cinnamon:

1. I don't have the file /mnt/sbin/initctl.REAL. I just have a "initctl" file. That's not a problem, is it? That means that I just don't have to move/rename anything?

2. After I rebooted the system for the first time after the installation my grub menu only had one single entry saying "*Ubuntu". I pressed enter and got the following error:
"error: failure reading sector 0x0 from `hd0'.
Attempting to decrypt master key...
Enter passphrase for hd1,gpt2 (7e.....)"
Then I entered the passphrase and the system nevertheless continued to boot and even said "sda2_crypt setup successfully". After bootup was completed I couldn't press mouse buttons and only a few keys on my keyboard were working (wtf!?). Then I reset my VM and booted once again. This time the entry in the grub menu was correct "Linux Mint..." and I also didn't get any error messages. Everything else (mouse/keyboard) was working normally again.

3. How is the boot partition encrypted now? I wonder because it was not included in the LVM we encrypted!? And in the title it says "directory /boot included".

4. Isn't using keyfiles considered to be less secure than using passphrases? In another tutorial it says:
"When booting with total encryption, it is necessary to enter the password twice, once for grub and once for the kernel to decrypt the LUKS partition. Entering a password only once to unlock is possible by using a keyfile that is stored in the initrd file, but anyone can access it and then use it to decrypt the LUKS-encrypted partition!"

5. I wanted to have a separate /home/ directory, so I just used "sudo lvcreate -L 10G mint -n home" and later set it as /home in the Ubiquity partitioning page. That's it, right? Nothing more to do?


linux22 8 years ago

Hello xstation1, I have understood that you want to wipe out your HDD and its Windows 10 installation.
Then you want to install a Linux Mint FDE over your clean HDD using the solution for PC with firmware UEFI and HDD with partitioning scheme (my tutorial n. 2061).

If I have understood correctly and you are a Linux beginner, I want to give you my advice.

If those are really your wishes you MUST FIRST:

1) CREATE A FULL BACKUP OF YOUR WINDOWS 10 INSTALLATION (RESCUE DVD OR USB DRIVE)

2) CREATE A FULL BACKUP OF YOUR 250 GB PERSONAL DATA

3) TRY AND INSTALL THE LINUX MINT FDE SOLUTION ON A VIRTUAL MACHINE


Then if all these steps go well you can try a real Linux Mint FDE installation on your PC.

When you are in the Ubiquity partitioning page you can simply remove the existing partitions selecting them and clicking the - (minus) button. When your HDD is empty you can rebuild your new partitions following the steps listed in my tutorial.

Please keep me informed about progress.


Regards

linux22


linux22 8 years ago

Hello xstation1, I have read your message, but I have not understood what type of FDE solution you are looking for. I think that your PC has UEFI firmware and the HDD is partitioned with the GPT scheme.

Please explain to me more clearly:

- do you really want to wipe out your Windows 10 installation?

- what type of FDE solution are you looking for (BIOS+MBR, BIOS+GPT, UEFI+GPT, DUAL BOOT WINDOWS 10+LINUX MINT)?

- can you back up your 250 GB of data on an external HDD drive?


ANYWAY, MY ADVICE BEFORE EXPERIMENTING WITH AN FDE INSTALLATION ON A REAL PC IS TO TRY AND INSTALL IT ON A VIRTUAL MACHINE LIKE VIRTUALBOX. WHEN YOU SUCCEED WITH THE INSTALLATION AND BECOME FAMILIAR WITH THE LISTED TERMINAL COMMANDS THEN YOU CAN TRY A REAL INSTALLATION.


Remember also that if your PC has Windows 10 preinstalled and you wipe out the HDD you will lose your Windows 10 reinstall capability forever!!!

Regards.

linux22


jelabarre59 9 years ago

All very nice, but my system does not have EFI/UEFI. I need to install full-disk encryption on that, and NONE of the tutorials I have found have worked. Have done 3-4 full re-installations, spent the entire day trying to make this work. The only working procedure seems to be to throw EVERYTHING on a single partition, which I do not want to do. I specifically want a separate home partition.


lib2know 9 years ago

Great work.
I tried the same not long ago but my solution was not so good.
Thanks for working that out!