Written by:
linux22

 Dual boot for Windows 10 + Linux Mint 17.X and 18.X (but also Ubuntu 14.X, 15.X, 16.X, 17.X) Full System Encryption (directory /boot included) - PC with UEFI & HDD with GPT


Dual boot for Windows 10 + Linux Mint Full System Encryption (directory /boot included)
PC with firmware UEFI & HDD with GPT partitioning scheme
Author: Naldi Stefano (linux22 at Mint Forum)
October 2015

Version 2.3

Last update:  3 May 2017

 

Other tutorials concerning  Linux Mint with Full Disk Encryption, directory /boot included:

 

Table of contents


GNU Free Documentation License

GNU GENERAL PUBLIC LICENSE

Preliminary notice

Disclaimer and acknowledgments

Useful links

Dual boot for Windows 10 + Linux Full System Encryption - PC with UEFI and HDD with GPT

Step 1 - Set up the target HDD, requires Ubiquity

Step 2 - Set up the LVM: Physical Volume, Volume Group and Logical Volumes for root and swap, requires a few Terminal commands

Step 3 - Set up the Linux installation, requires Ubiquity

Step 4 - Fixing, patching and updating the Linux installation made with Ubiquity, requires a lot of Terminal commands

Appendix A – Optional, necessary only if you need GRUB as your default PC boot manager

Appendix B – How to enhance the encryption strength of your Linux Mint FSE (for paranoids, like me)

Appendix C – Emergency tools - How to access your encrypted partition with your Mint or Ubuntu Live CD

Appendix D – Emergency tools - How to reinstall GRUB after ...

Appendix E - How to enable UEFI Secure Boot with your own Custom keys

 

 

GNU Free Documentation License
Version 1.3, 3 November 2008

Dual boot for Windows 10 + Linux Mint Full System Encryption (directory /boot included) - PC UEFI and HDD GPT

Copyright (C) 2015 2016 2017 2018 Naldi Stefano.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.

You should have received a copy of the "GNU Free Documentation License" along with this document.

If not, see <http://www.gnu.org/licenses/>.

 

 

GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007

Dual boot for Windows 10 + Linux Mint Full System Encryption (directory /boot included) - PC UEFI and HDD GPT

Copyright (C) 2015 2016 2017 2018 Naldi Stefano

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the "GNU General Public License" along with this program.

If not, see <http://www.gnu.org/licenses/>.

 

Preliminary notice

Before you attempt this solution you need:

  • A PC with firmware UEFI and Windows 10 installed on it and at least 25 GB of free space on the HDD (reserve this free space at the moment of Windows 10 installation !!!).
  • A full backup of your Windows 10 installation.

 

Dual boot for Windows 10 + Linux Mint 17.X or 18.X Full System Encryption (directory /boot included) - PC with firmware UEFI

I wrote this guide/tutorial with the hope that it will be useful for everyone who needs a PC with both Windows 10 and Linux with Full System Encryption. The solution reported here is EXPERIMENTAL and requires good experience with Linux and its installation. At the moment I have successfully tested this solution with Linux Mint 17.X and 18.X Cinnamon and Mate, Ubuntu 14.X, 15.X, 16.X and 17.X, all 64 bit versions.
This guide/tutorial comes with ABSOLUTELY NO WARRANTY.

First of all I must thank Pavel Kogan (http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/ and http://www.pavelkogan.com/2015/01/25/linux-mint-encryption/), because without his publications this solution would never have been possible.

Another thanks goes to Callum Cameron, whose advice showed me the correct installation of the system via Ubiquity (see the new structure of Step 1). That is an important achievement because now Ubiquity ends without errors, performing all the expected tasks. Callum has also built a script for the automation of the procedures described in this tutorial. If you want to try and test this script see the instructions at https://github.com/CallumCameron/mint-encrypted-install.

Another thanks goes to Michal Krenek (Mikos) for his 'cryptboot' software package (https://github.com/xmikos/cryptboot). In a few pages he has condensed all we need to BUILD and RUN a working UEFI Secure Boot Linux installation. Although this package seems developed for ArchLinux, we can find within it the right commands and advice for almost every Linux distribution.

 


Other useful links are these:

 

  • https://help.ubuntu.com/community/EncryptedFilesystemsViaUbiquity
  • http://thesimplecomputer.info/full-disk-encryption-with-ubuntu
  • https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system
  • https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Keyfiles
  • https://wiki.archlinux.org/index.php/Dm-crypt/System_configuration
  • https://wiki.archlinux.org/index.php/GRUB#Boot_partition
  • https://wiki.archlinux.org/index.php/LVM
  • https://wiki.gentoo.org/wiki/GRUB2
  • https://bbs.archlinux.org/viewtopic.php?id=158003
  • http://blog.uncooperative.org/blog/2014/02/06/the-efi-system-partition/
  • https://technet.microsoft.com/en-us/library/hh824839.aspx

 


The solution is essentially simple but requires a lot of terminal commands. If the user makes a mistake and runs a wrong command he can destroy the Windows 10 installation, erase the target HDD or damage its software structure. So, if you enter the commands listed in this guide/tutorial using 'Copy' and 'Paste', take care not to alter them.


INSTALLATION FOR PC WITH UEFI AND HDD WITH GPT - BEGINNING

 

The installation requires:

PC with firmware UEFI and Secure Boot disabled, HDD with GPT partitioning scheme.

Windows 10 installed and at least 25 GB of free space on the HDD.

CD Live Mint 17.X, 18.X Cinnamon or Mate, or Ubuntu 14.X, 15.X, 16.X, 17.X


The installation described here assumes:

Installation of Windows 10 and Linux on: /dev/sda

Windows Recovery Environment (Windows RE) Tools partition on: /dev/sda1

EFI system partition on: /dev/sda2

MSR on: /dev/sda3

Windows 10 partition on: /dev/sda4

Physical volume for encryption on: /dev/sda5

Boot loader installation point: /boot/efi (inside EFI partition)

Physical Volume: /dev/mapper/sda5_crypt

Volume Group: mint

Logical Volume for swap: swap

Logical Volume for root: root
 

IF YOU CHANGE THESE ASSUMPTIONS THEN CHANGE THE UBIQUITY SETTINGS AND THE LISTED TERMINAL COMMANDS ACCORDINGLY !!!


MY ADVICE, BEFORE EXPERIMENTING THIS INSTALLATION ON A REAL PC, IS TO TRY AND INSTALL IT ON A VIRTUAL MACHINE LIKE VIRTUALBOX. WHEN THE USER SUCCEEDS WITH THE INSTALLATION AND BECOMES FAMILIAR WITH THE LISTED TERMINAL COMMANDS THEN HE CAN TRY A REAL INSTALLATION.
 


The procedure described in this guide/tutorial is divided into 4 steps plus optional appendices:


Step 1 – Set up the target HDD, requires Ubiquity

Step 2 – Set up the LVM: Physical Volume, Volume Group and Logical Volumes for root and swap,
                requires a few Terminal commands

Step 3 – Set up the Linux installation, requires Ubiquity

Step 4 – Fixing, patching and updating the Linux installation made with Ubiquity, requires a lot of
               Terminal commands.

Appendix A – Optional, necessary only if you need GRUB as your default PC boot manager

Appendix B – How to enhance the encryption strength of your Linux Mint FSE (for paranoids, like me)

Appendix C – Emergency tools - How to access your encrypted partition with your Mint or Ubuntu Live CD

Appendix D – Emergency tools - How to reinstall GRUB after ...

Appendix E – How to enable UEFI Secure Boot with your own Custom keys

 

The Terminal commands listed in this guide/tutorial are typed in RED COLOR.


If you use 'Copy' and 'Paste' to enter these commands in your Terminal window, pay attention to those whose length spans two or more lines.
Before you 'Paste' these long commands into the Terminal, check them inside an editor, and if a command is broken across two or more lines reassemble it correctly on one single line. Then you can 'Paste' the command into your Terminal window.

 

Step 1

Boot your Live CD on the target PC and when ready open a Terminal window, then start Ubiquity by running the following Terminal command:

sh -c 'ubiquity -b gtk_ui'&

In this way you can start Ubiquity skipping the installation of the boot loader and therefore finish the Ubiquity process without errors.

 

Click 'Continue'

 

If you are installing Linux Mint 18.X this new Ubiquity page will appear.

Here you can choose whether to install third-party software or not.

Make your choice and go on.

Click 'Continue'

Now you are in the 'Installation type' page. Select 'Something else' and click 'Continue'

 

Now you are in the 'Partition manager' page. Check that your HDD is shown. Here you can see the Windows 10 default UEFI/GPT partition layout (as described in the assumptions above). The EFI system partition is already present on your target HDD, so select the remaining free space on your HDD and click '+'. You can see that the combo box 'Device for boot loader installation' is not available. Please assume the same for the next pictures; I will update them as soon as possible.

 

From the dropdown menu select the 'Type for the new partition' as 'Primary', 'Location for the new partition' as 'Beginning of this space' and 'Use as' as 'physical volume for encryption'. The system will ask for the security key (password) of the physical volume. Enter it twice. If you want to overwrite the empty disk space check the radio button below, but remember that it takes a long time. Then click 'OK'.

 

After a few seconds you will see a new device named '/dev/mapper/sda5_crypt'.

Leave Ubiquity window open and go on.


Step 2

Open a Terminal window and run the following 4 commands:
 

sudo pvcreate /dev/mapper/sda5_crypt

sudo vgcreate mint /dev/mapper/sda5_crypt

sudo lvcreate -L 4G mint -n swap

sudo lvcreate -l +100%FREE mint -n root


The first command creates the Physical Volume, the second creates the Volume Group, the third creates the Logical Volume for swap with a size of 4 GB (the size is arbitrary), and the fourth creates the Logical Volume for root with the remaining space available in the Volume Group.

Leave the Terminal window open and go back to Ubiquity window and there click 'Back'.


Step 3

You are again in the 'Installation type' page of Ubiquity. Select 'Something else' and click 'Continue'

 

Now you are in the Partition manager page again. Check for the presence of the Logical Volumes named '/dev/mapper/mint-root' and '/dev/mapper/mint-swap'.

 

Select '/dev/mapper/mint-root', click 'Change' and select 'Use as' as 'Ext4 journaling file system' from the dropdown menu, then select 'Format the partition' and choose 'Mount point' as '/'. Then click 'OK'.

If you choose a different file system type (btrfs, JFS, XFS) pay special attention to the 'btrfs' file system. In this case see Step 4 for the correct 'btrfs' file system handling.

 

Select '/dev/mapper/mint-swap', click 'Change' and select 'Use as' as 'swap area' from the dropdown menu, then click 'OK'. Then click 'Install Now'.

 

A popup window named 'Write the changes to disks?' will appear. Click 'Continue'.

 

Select your timezone and then click 'Continue'

Select your keyboard and then click 'Continue'

Choose your username and password and then click 'Continue'

 

Wait until Ubiquity shows a popup like this ...

 

Click 'Continue Testing'. Ubiquity will end.



Step 4
 

Now we have a Linux system built by Ubiquity that we must remount, fix and update.

If you are installing this Linux FSE solution with Linux Mint 18.X or Ubuntu 16.X you will get a few warnings during GRUB package installation. Do not worry, it will end anyway without errors.

Go back to the Terminal window and run the following 9 (or 13) commands:

 

sudo mount /dev/mapper/mint-root /mnt

sudo mount --bind /dev /mnt/dev

sudo mount --bind /dev/pts /mnt/dev/pts

sudo mount --bind /sys /mnt/sys

sudo mount --bind /proc /mnt/proc

sudo mount --bind /run /mnt/run

sudo mount /dev/sda2 /mnt/boot/efi

run this command only in the absence of an Internet connection: sudo mkdir /mnt/media/cdrom

run this command only in the absence of an Internet connection: sudo mount --bind /cdrom /mnt/media/cdrom

run this command only in the absence of an Internet connection: sudo sed -i.bak 's/#deb/deb/' /mnt/etc/apt/sources.list

sudo chroot /mnt apt-get update

sudo chroot /mnt apt-get -y install grub-efi

run this command only in the absence of an Internet connection: sudo sed -i 's/deb/#deb/' /mnt/etc/apt/sources.list

 

These commands mount the Linux system previously built by Ubiquity in the directory /mnt and the EFI boot partition in the directory /mnt/boot/efi. The last 2 (or 6) commands install the GRUB package for UEFI systems. You can see that four commands are necessary only if you do not have an Internet connection. These commands instruct the system to retrieve the packages from your installation CD.

If you have chosen a 'btrfs' type filesystem for your '/dev/mapper/mint-root' device you must substitute the first command

     sudo mount /dev/mapper/mint-root /mnt

with this new one

     sudo mount -o subvol=@ /dev/mapper/mint-root /mnt

You will get a few warnings during GRUB installation but it seems to work correctly anyway. If you need more detail about using the 'btrfs' filesystem with LUKS/dm-crypt you can read the ArchLinux wiki at 'https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Btrfs_subvolumes_with_swap', paragraph 'Mount top-level subvolumes'.

-----

Now run the following 4 commands:

 

The second command in this list of 4 will ask for the password of the encrypted volume. When the prompt 'Enter any passphrase:' appears, enter it.


sudo dd bs=512 count=4 if=/dev/urandom of=/mnt/boot/crypto_keyfile.bin

sudo cryptsetup luksAddKey /dev/sda5 /mnt/boot/crypto_keyfile.bin

sudo chmod 000 /mnt/boot/crypto_keyfile.bin

sudo chmod -R g-rwx,o-rwx /mnt/boot



These commands create a keyfile for automatic unlocking of the encrypted volume once the GRUB stage ends, and make it (and the whole /boot directory) unreadable by group and others. For more details see the articles of Pavel Kogan at http://www.pavelkogan.com.

-----

Now run the following 2 commands:

 

echo "cp /boot/crypto_keyfile.bin \"\${DESTDIR}\"" | sudo tee -a /mnt/etc/initramfs-tools/hooks/crypto_keyfile

sudo chmod +x /mnt/etc/initramfs-tools/hooks/crypto_keyfile


These commands create the hook required by initramfs for the keyfile loading. For more details see the articles of Pavel Kogan at http://www.pavelkogan.com.

Otherwise you can create the hook file with sudo gedit /mnt/etc/initramfs-tools/hooks/crypto_keyfile and insert this line inside: cp /boot/crypto_keyfile.bin "${DESTDIR}"

-----

Now run the following command:

 

echo "sda5_crypt UUID=`sudo blkid -s UUID -o value /dev/sda5` /crypto_keyfile.bin luks,keyscript=/bin/cat" | sudo tee -a /mnt/etc/crypttab

This command updates the crypttab file. For more details see the articles of Pavel Kogan at http://www.pavelkogan.com and the tutorial from the Ubuntu Official Documentation page at https://help.ubuntu.com/community/EncryptedFilesystemsViaUbiquity

-----

Now run the following 2 commands:

 

sudo chroot /mnt locale-gen --purge --no-archive

sudo chroot /mnt update-initramfs -u


These commands regenerate the locales and update the initramfs.

-----

Now run the following 3 commands:

 

sudo sed -i.bak 's/GRUB_HIDDEN_TIMEOUT=0/#GRUB_HIDDEN_TIMEOUT=0/' /mnt/etc/default/grub

sudo sed -i '10a GRUB_ENABLE_CRYPTODISK=y' /mnt/etc/default/grub

sudo sed -i 's/GRUB_CMDLINE_LINUX=""/GRUB_CMDLINE_LINUX="cryptdevice=\/dev\/sda5:sda5_crypt"/' /mnt/etc/default/grub


These commands update the grub file. For more details see the articles of Pavel Kogan at http://www.pavelkogan.com.

Otherwise you can edit the grub file with sudo gedit /mnt/etc/default/grub and modify the directives inside in this way:

############################################################
GRUB_DEFAULT=0
#GRUB_HIDDEN_TIMEOUT=0
GRUB_HIDDEN_TIMEOUT_QUIET=true
GRUB_TIMEOUT=10
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_ENABLE_CRYPTODISK=y
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda5:sda5_crypt"
############################################################
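The three edits above (the initramfs hook, the crypttab line and the /etc/default/grub directives) as one added shell example. This is not the tutorial's code: it is a set of functions, written for this page, that apply the same changes to a chroot root directory idempotently (running it twice leaves one line of each), refuse a blank or malformed UUID (a failed blkid would otherwise leave 'UUID=' empty in crypttab and the system unbootable), set the directives by name instead of by line number, and check at the end that the keyfile is unreadable by group and others. That last check matters because the keyfile unlocks the LUKS volume and is protected only by /boot living inside the encrypted LV. The UUID is passed in as an argument (on the real system take it from sudo blkid -s UUID -o value /dev/sda5); the function names and the scratch-directory use are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the tutorial): the Step 4 configuration edits done
# idempotently against a chroot root directory ($root, normally /mnt).
# The LUKS UUID is passed in explicitly (on the real system:
#   sudo blkid -s UUID -o value /dev/sda5)
# so the functions can be exercised offline on a scratch directory.
set -eu

# Set KEY=VALUE in $root/etc/default/grub. An existing assignment (even a
# commented-out one) is replaced in place; otherwise the line is appended.
# Unlike "sed -i '10a ...'" this does not depend on a fixed line number.
grub_set() {
    root=$1 key=$2 value=$3
    f="$root/etc/default/grub"
    if grep -q "^#*$key=" "$f"; then
        sed "s|^#*$key=.*|$key=$value|" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    else
        printf '%s=%s\n' "$key" "$value" >> "$f"
    fi
}

# Comment out an active KEY=... line (no-op if already commented or absent).
grub_comment_out() {
    root=$1 key=$2
    f="$root/etc/default/grub"
    sed "s|^$key=|#$key=|" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Print one crypttab line for NAME, refusing anything that is not a UUID so a
# failed blkid (empty output) cannot silently produce "UUID= " in crypttab.
crypttab_entry() {
    name=$1 uuid=$2 keyfile=$3
    if ! printf '%s\n' "$uuid" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; then
        echo "crypttab_entry: '$uuid' is not a LUKS UUID" >&2
        return 1
    fi
    printf '%s UUID=%s %s luks,keyscript=/bin/cat\n' "$name" "$uuid" "$keyfile"
}

# Append the crypttab entry once (a second run does not duplicate it).
write_crypttab() {
    root=$1 name=$2 uuid=$3 keyfile=$4
    f="$root/etc/crypttab"
    if [ -f "$f" ] && grep -q "^$name " "$f"; then return 0; fi
    crypttab_entry "$name" "$uuid" "$keyfile" >> "$f"
}

# Write the initramfs hook that copies the keyfile into the initramfs image,
# in the standard initramfs-tools hook shape (it answers the 'prereqs' call).
write_hook() {
    root=$1
    h="$root/etc/initramfs-tools/hooks/crypto_keyfile"
    mkdir -p "$(dirname "$h")"
    cat > "$h" <<'EOF'
#!/bin/sh
PREREQ=""
prereqs() { echo "$PREREQ"; }
case "${1:-}" in prereqs) prereqs; exit 0 ;; esac
cp /boot/crypto_keyfile.bin "${DESTDIR}"
EOF
    chmod 755 "$h"
}

# Succeeds only if the keyfile has no group/other permission bits
# (mode 000 as the tutorial sets it, or at most owner-only).
keyfile_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Apply all of the above: $1 root dir, $2 LUKS UUID, $3 LUKS device
# (default /dev/sda5), $4 mapper name (default sda5_crypt).
configure_root() {
    root=$1 uuid=$2 dev=${3:-/dev/sda5} name=${4:-sda5_crypt}
    write_hook "$root"
    write_crypttab "$root" "$name" "$uuid" /crypto_keyfile.bin
    grub_comment_out "$root" GRUB_HIDDEN_TIMEOUT
    grub_set "$root" GRUB_ENABLE_CRYPTODISK y
    grub_set "$root" GRUB_CMDLINE_LINUX "\"cryptdevice=$dev:$name\""
    chmod 000 "$root/boot/crypto_keyfile.bin"
    chmod -R g-rwx,o-rwx "$root/boot"
    keyfile_private "$root/boot/crypto_keyfile.bin"
}

# Usage as a script (needs root for a real /mnt):
#   sh this.sh apply /mnt "$(sudo blkid -s UUID -o value /dev/sda5)"
if [ "${1:-}" = apply ]; then
    configure_root "$2" "$3"
fi
```

Run it from the Live CD with root privileges after the keyfile has been created and before 'update-initramfs -u' and 'update-grub'; a second run changes nothing. The hook is the tutorial's one-liner plus the usual prereqs stanza, so the same file also works when initramfs-tools asks it for its ordering dependencies.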

-----

Now run the following 3 commands:

sudo chroot /mnt update-grub

sudo chroot /mnt grub-mkconfig -o /boot/grub/grub.cfg

sudo chroot /mnt grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=Mint --boot-directory=/boot --modules="all_video boot btrfs cat chain configfile crypto cryptodisk disk diskfilter echo efifwsetup efinet ext2 fat font gettext gcry_arcfour gcry_blowfish gcry_camellia gcry_cast5 gcry_crc gcry_des gcry_dsa gcry_idea gcry_md4 gcry_md5 gcry_rfc2268 gcry_rijndael gcry_rmd160 gcry_rsa gcry_seed gcry_serpent gcry_sha1 gcry_sha256 gcry_sha512 gcry_tiger gcry_twofish gcry_whirlpool gfxmenu gfxterm gfxterm_background gzio halt hfsplus iso9660 jpeg keystatus loadenv loopback linux linuxefi lsefi lsefimmap lsefisystab lssal luks lvm mdraid09 mdraid1x memdisk minicmd normal part_apple part_msdos part_gpt password_pbkdf2 png raid5rec raid6rec reboot search search_fs_uuid search_fs_file search_label sleep squash4 test true verify video zfs zfscrypt zfsinfo" --recheck

 

These commands update GRUB and generate a single GRUB .efi file, named 'grubx64.efi', which contains the boot loader with all the files and modules required. I chose '--bootloader-id=Mint', so grub built a directory named '/boot/efi/EFI/Mint' and an EFI NVRAM entry named 'Mint'.

You can see that I have abandoned the previous configuration with grub-mkstandalone. At the moment I think that this configuration with the standard grub-install is preferable because only one file remains exposed outside the encrypted partition. This file is the EFI boot loader 'grubx64.efi'. You can now protect this file too using UEFI Secure Boot (see Appendix E). In this way you can counteract an "Evil Maid Attack".

If you are installing Mint 17.X or Ubuntu 14.X or Ubuntu 15.X you will see that GRUB has not detected the Windows 10 installation !!!

Otherwise, if you are installing Mint 18.X or Ubuntu 16.X you will see that GRUB has correctly detected the Windows 10 installation, even when running in chroot. In this case the only thing left to do for a clean GRUB boot process is to comment out with a # the line 'cryptomount -u' within section '30_os_prober' of the 'grub.cfg' file, once you have booted this Linux FSE. For more details see the procedure and the screenshots at the bottom of Appendix A of this tutorial.
 

-----

Now start the file browser Nemo (or Nautilus in Ubuntu) and search for a file named /mnt/sbin/initctl.REAL.

If the file /mnt/sbin/initctl.REAL is present you must rename /mnt/sbin/initctl to /mnt/sbin/initctl.orig and then rename /mnt/sbin/initctl.REAL to /mnt/sbin/initctl, by running the following 2 commands:


sudo mv /mnt/sbin/initctl /mnt/sbin/initctl.orig

sudo mv /mnt/sbin/initctl.REAL /mnt/sbin/initctl


These commands put the correct initctl file in place.

-----

Now run the last command:

sudo umount /mnt/boot/efi /mnt/proc /mnt/dev/pts /mnt/dev /mnt/sys /mnt/run /mnt

This command unmounts the Linux system built by Ubiquity, now fixed and updated.


-----------------------------------------------------------------------------------------------------------------------------
 

Now you can shut down the CD Live system and restart.

You can boot Windows 10 or Linux Mint FSE using your UEFI boot manager, pressing the appropriate Function Key at startup (F8 or whatever is yours) and then select the OS you want to boot.


When your brand new Linux FSE starts it will show the GRUB screen where you enter the passphrase that unlocks your LUKS partition.

Type your password for the encrypted volume (see hd0,gpt5).

 

Now you can see the GRUB menu list.

As previously said, unless you are installing Linux Mint 18.X or Ubuntu 16.X, GRUB has not detected the Windows 10 installation and therefore there is no Windows boot item in the grub.cfg menu list !!!

Wait until the countdown expires or make your choice and type ENTER.


At this point the system sometimes remains frozen for 1 or 2 minutes; wait until it goes on.

 

Then the system will show the usual Mint logo and then the cryptsetup message.

When the login page appears enter your username and your password and ... enjoy.
 

 

The EFI directories will look like these:

Directory /boot/efi/EFI

 

Directory /boot/efi/EFI/Mint

 

Directory /boot/efi/EFI/Microsoft

 

Directory /boot/efi/EFI/Boot

 

INSTALLATION FOR PC WITH UEFI AND HDD WITH GPT - END

 

My advice is to leave your dual boot system in that configuration and not to mess with the directory /boot/efi/EFI/Boot.
 

Anyway, if you want to make GRUB your default PC boot manager see Appendix A.

 

 

Appendix A

Optional, necessary only if you need GRUB as your default PC boot manager

 

This is my last warning. If you are sure you want to mess with the UEFI default boot sequence and make GRUB your default PC boot manager go ahead.

 

Restart your Linux Mint FSE, open a Terminal window and then run the following 2 commands:

sudo os-prober

sudo update-grub

The first command detects your Windows 10 installation and the second one updates GRUB.

-----

Now run the following 5 commands:

sudo update-grub

sudo grub-mkconfig -o /boot/grub/grub.cfg

sudo grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=Mint --boot-directory=/boot --modules="all_video boot btrfs cat chain configfile crypto cryptodisk disk diskfilter echo efifwsetup efinet ext2 fat font gettext gcry_arcfour gcry_blowfish gcry_camellia gcry_cast5 gcry_crc gcry_des gcry_dsa gcry_idea gcry_md4 gcry_md5 gcry_rfc2268 gcry_rijndael gcry_rmd160 gcry_rsa gcry_seed gcry_serpent gcry_sha1 gcry_sha256 gcry_sha512 gcry_tiger gcry_twofish gcry_whirlpool gfxmenu gfxterm gfxterm_background gzio halt hfsplus iso9660 jpeg keystatus loadenv loopback linux linuxefi lsefi lsefimmap lsefisystab lssal luks lvm mdraid09 mdraid1x memdisk minicmd normal part_apple part_msdos part_gpt password_pbkdf2 png raid5rec raid6rec reboot search search_fs_uuid search_fs_file search_label sleep squash4 test true verify video zfs zfscrypt zfsinfo" --recheck

sudo mv /boot/efi/EFI/boot/bootx64.efi /boot/efi/EFI/boot/windows_bootx64.efi

sudo cp -b -f /boot/efi/EFI/Mint/grubx64.efi /boot/efi/EFI/Boot/bootx64.efi

 

These commands update GRUB and generate a single GRUB .efi file, named 'grubx64.efi', which contains the boot loader with all the files and modules required. I chose '--bootloader-id=Mint', so grub built a directory named '/boot/efi/EFI/Mint' and an EFI NVRAM entry named 'Mint'. The second-last command renames the original Windows 10 'bootx64.efi' file to 'windows_bootx64.efi'. The last command copies your new 'grubx64.efi' file as 'bootx64.efi' into the directory '/boot/efi/EFI/Boot'.

-----

Now your directory '/boot/efi/EFI/Boot' contains 2 files, 'bootx64.efi' and 'windows_bootx64.efi'.

 

Now you can restart your system and after the startup you will get this GRUB menu list.

 

 

You can see that now a menu item for Windows booting is available ... but if you select this item you get this error page ...

 

Do not worry. If you press any key your Windows 10 will start anyway.

 

If you want to resolve this last error you must break a taboo ...

You must edit the 'grub.cfg' file in your directory '/boot/grub', search for the menuentry 'Windows Boot Manager' and comment out the line 'cryptomount -u' with a # ...

 

as you can see in this screenshot.

Remember that you need root privileges for editing these files.

 

That is all.

 

Now, when you select the item 'Windows Boot Manager' in your GRUB menu list, you can start your Windows 10 without errors.

Appendix B

How to enhance the encryption strength of your Linux Mint FSE (for paranoids, like me)

 

You can see at the start of this tutorial that it is Ubiquity that creates the encrypted partition.


But you can enhance the strength of your Linux Mint FSE by creating the encrypted partition with the characteristics of your choice.

 

My first advice for a stronger encrypted installation is:

Boot your Live CD in the target PC and when ready ...

 

  • Remember that this Appendix also uses the same assumptions listed above
  • Do not even start Ubiquity
  • Skip Steps 1 and 2 of this tutorial

 

Open a Terminal window and run the following 9 commands:

sudo parted /dev/sda unit MiB print

sudo parted --align optimal /dev/sda mkpart primary 32000MiB 100%

sudo parted /dev/sda unit MiB print

sudo cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/sda5

sudo cryptsetup luksOpen /dev/sda5 sda5_crypt

sudo pvcreate /dev/mapper/sda5_crypt

sudo vgcreate mint /dev/mapper/sda5_crypt

sudo lvcreate -L 4G mint -n swap

sudo lvcreate -l +100%FREE mint -n root

 

Look at the first and the second commands !!!
The first command shows you the disk size (51493MiB) and the end of the last partition (32000MiB).
Then with the second command we create a partition that starts at 32000MiB and takes all the remaining disk space !!!
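An added shell example (mine, not the tutorial's) for the point made about the first two commands: instead of reading 32000MiB off the screen and retyping it, parse the output of 'parted /dev/sda unit MiB print', take the End of the last partition as the start of the new one, refuse to continue if the disk is not GPT or if the free tail is smaller than a minimum you choose, and print the exact mkpart command. The parted output below is constructed to match the numbers in the text (51493MiB disk, last partition ending at 32000MiB); the function names are my own.

```shell
#!/bin/sh
# Added example (not the tutorial's code): derive the mkpart start from
# "parted /dev/sda unit MiB print" instead of typing 32000MiB by hand, and
# refuse to go on when the free tail is smaller than the minimum required.
set -eu

# Print the End column of the last partition row (parted prints MiB units
# because of "unit MiB"); partition rows are the ones starting with a number.
parted_last_end() {
    awk '$1 ~ /^[0-9]+$/ { end = $3 } END { print end }'
}

# Print the disk size from the "Disk /dev/sda: NNNNNMiB" line.
parted_disk_size() {
    awk '/^Disk \// { print $3 }'
}

# Print the partition table type from the "Partition Table: gpt" line.
parted_table_type() {
    awk '/^Partition Table:/ { print $3 }'
}

# Free tail in MiB (integer): disk size minus end of the last partition.
# $1 = captured parted output.
free_tail_mib() {
    size=$(printf '%s\n' "$1" | parted_disk_size | sed 's/MiB$//')
    end=$(printf '%s\n' "$1" | parted_last_end | sed 's/MiB$//')
    awk -v s="$size" -v e="$end" 'BEGIN { printf "%d\n", s - e }'
}

# Print the mkpart command to run, or fail when the disk is not GPT or the
# free tail is below $2 MiB. $1 = parted output, $3 = disk (default /dev/sda).
mkpart_command() {
    out=$1 min=$2 disk=${3:-/dev/sda}
    table=$(printf '%s\n' "$out" | parted_table_type)
    if [ "$table" != gpt ]; then
        echo "partition table is '$table', this procedure needs gpt" >&2
        return 1
    fi
    end=$(printf '%s\n' "$out" | parted_last_end)
    free=$(free_tail_mib "$out")
    if [ "$free" -lt "$min" ]; then
        echo "only ${free}MiB free after ${end}; need ${min}MiB" >&2
        return 1
    fi
    printf 'parted --align optimal %s mkpart primary %s 100%%\n' "$disk" "$end"
}

# Constructed sample matching the numbers in the text (51493MiB disk, last
# partition ending at 32000MiB). On a real PC this is the captured output of:
#   sudo parted /dev/sda unit MiB print
SAMPLE='Model: ATA VBOX HARDDISK (scsi)
Disk /dev/sda: 51493MiB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:

Number  Start    End       Size      File system  Name                          Flags
 1      1.00MiB  451MiB    450MiB    ntfs         Basic data partition          hidden, diag
 2      451MiB   551MiB    100MiB    fat32        EFI system partition          boot, esp
 3      551MiB   567MiB    16.0MiB                Microsoft reserved partition  msftres
 4      567MiB   32000MiB  31433MiB  ntfs         Basic data partition          msftdata'

# Usage as a script: sh this.sh [MIN_MIB]  (prints the command for the sample)
if [ -n "${1:-}" ]; then
    mkpart_command "$SAMPLE" "$1"
fi
```

On the real machine call mkpart_command "$(sudo parted /dev/sda unit MiB print)" 25600 and run the printed command only after reading it. Two things the functions make explicit: on a GPT disk parted takes the first mkpart argument ('primary') as the partition name rather than a partition type, and with the sample numbers in the text the free tail is 19493MiB, so a 25 GB (25600MiB) minimum would stop the procedure here.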
 

The fourth command listed above will ask you to enter 'YES' (in uppercase) to continue; then remember to turn off caps lock when it asks you to enter the password twice !!!

You can raise the '--iter-time' value of this fourth command but remember that it will slow down your system at boot !!!

A value of --iter-time 100000 takes approx. 5 minutes at boot on a PC with an i5 CPU !!!

 

Now start Ubiquity with the Terminal command:

sh -c 'ubiquity -b gtk_ui'&

Select your language and Click 'Continue'

 

If you are installing Linux Mint 18.X this new Ubiquity page will appear.

Here you can choose whether to install third-party software or not.

Make your choice and go on.

Click 'Continue'

When you reach the 'Installation type' page select 'Something else', click 'Continue' and then proceed with steps 3 and 4 of this tutorial until the end.

 

My second advice is:

Change the sixth command listed in Step 4 of this tutorial:

'sudo dd bs=512 count=4 if=/dev/urandom of=/mnt/boot/crypto_keyfile.bin'

with this new one

'sudo dd bs=512 count=4 if=/dev/random iflag=fullblock of=/mnt/boot/crypto_keyfile.bin'

Warning: this command takes a long, long, long time - approx. 30-40 minutes !!! on a PC with an i5 CPU, but only once, during the installation.

 

My third and last advice for raising the security level of your Linux Mint FDE is:

Put your GRUB booting files 'grub.cfg' and 'grubx64.efi' in the same directory on a removable USB Flash Drive. In this way the boot up of your computer is possible only if you have the right USB Flash Drive with the right files. If you use this solution you will probably need your UEFI booting menu for the system boot up.

 

Anyway, also after these enhancements, you must not think that you are invulnerable.

You are vulnerable when you leave your system on and alone and when you are connected to a network or to internet.

 

And finally you must never forget that if your files are really interesting for the bad guys, the ugly truth is probably best depicted in this comic strip:

 

I found this comic strip on the internet some years ago. Below you can see links to its sources and its license.

https://xkcd.com/538/

http://www.explainxkcd.com/wiki/index.php/538:_Security

http://creativecommons.org/licenses/by-nc/2.5/


 

Appendix C

Emergency tools - How to access your encrypted partition with your Mint or Ubuntu Live CD
 

If your system does not start, because of PC hardware failure, damaged boot-up files, etc., but you are sure that your HDD (containing the encrypted partition) is OK, you can access your data using the following procedure.

Start your PC with a Mint Live CD containing the same Linux Mint version installed on your HDD.

When your live system is up and running open a terminal window and run the following 2 commands:

sudo cryptsetup luksOpen /dev/sda5 sda5_crypt

sudo mount /dev/mapper/mint-root /mnt

 

In this example we assume that your HDD reside on the installation PC and that you followed the installation procedure listed in this tutorial. Otherwise change the devices and LVM letter, number and names accordingly.

Remember that if you have chosen a 'btrfs' type filesystem for your '/dev/mapper/mint-root' device you must substitute the second command

     sudo mount /dev/mapper/mint-root /mnt

with this new one

     sudo mount -o subvol=@ /dev/mapper/mint-root /mnt

Now your encrypted partition is mounted under the /mnt directory of your Linux Mint live system and you can recover, back up or copy all the files that you need.

Appendix D

Emergency tools - How to reinstall GRUB after ...

 

A few people who have installed my Linux Full Disk Encryption solutions have asked me how to reinstall GRUB after a:

- GRUB package update/upgrade
- Boot up failure
- Booting files damage
- Linux Mint release upgrade
- Linux kernel release upgrade

They are right, because this Linux FDE solution is EXPERIMENTAL and the GRUB configuration is made with the standard 'grub-install' tool, but with many parameters.

The lack of a recovery/emergency tool for these eventualities became important once I learned that many people are using this Linux FDE solution and are upgrading their Linux version to the latest release or installing software packages that modify GRUB and its configuration files.

So I have written this simple appendix containing the correct procedure for reinstalling the original GRUB configuration of this Linux FDE solution.

The first step is reaching the access to your encrypted partition using the procedure listed in the Appendix C of this tutorial.

Once you have a Linux Mint or Ubuntu Live CD system up and running and your encrypted partition mounted under the "/mnt" directory you can proceed with the reconfiguration of GRUB.

You only need to repeat 12 Terminal commands already listed in Step 4 of this tutorial:
 

sudo mount --bind /dev /mnt/dev

sudo mount --bind /dev/pts /mnt/dev/pts

sudo mount --bind /sys /mnt/sys

sudo mount --bind /proc /mnt/proc

sudo mount --bind /run /mnt/run

sudo mount /dev/sda2 /mnt/boot/efi

sudo chroot /mnt locale-gen --purge --no-archive

sudo chroot /mnt update-initramfs -u


sudo chroot /mnt update-grub

sudo chroot /mnt grub-mkconfig -o /boot/grub/grub.cfg

sudo chroot /mnt grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=Mint --boot-directory=/boot --modules="all_video boot btrfs cat chain configfile crypto cryptodisk disk diskfilter echo efifwsetup efinet ext2 fat font gettext gcry_arcfour gcry_blowfish gcry_camellia gcry_cast5 gcry_crc gcry_des gcry_dsa gcry_idea gcry_md4 gcry_md5 gcry_rfc2268 gcry_rijndael gcry_rmd160 gcry_rsa gcry_seed gcry_serpent gcry_sha1 gcry_sha256 gcry_sha512 gcry_tiger gcry_twofish gcry_whirlpool gfxmenu gfxterm gfxterm_background gzio halt hfsplus iso9660 jpeg keystatus loadenv loopback linux linuxefi lsefi lsefimmap lsefisystab lssal luks lvm mdraid09 mdraid1x memdisk minicmd normal part_apple part_msdos part_gpt password_pbkdf2 png raid5rec raid6rec reboot search search_fs_uuid search_fs_file search_label sleep squash4 test true verify video zfs zfscrypt zfsinfo" --recheck

sudo umount /mnt/boot/efi /mnt/proc /mnt/dev/pts /mnt/dev /mnt/sys /mnt/run /mnt
 

Now your original Linux Mint FSE GRUB configuration has been reinstalled and you can restart your PC.

Furthermore if you need GRUB as your default PC boot manager you can proceed with the Appendix A of this tutorial.
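Step 4 and Appendix D both run the same bind-mount sequence by hand and then a single long umount. As an added shell example (not the tutorial's own code), here are the two halves as functions that always undo the mounts in exact reverse order, accept the btrfs 'subvol=@' option from Step 4 as a parameter, plus a check that nothing under /mnt is still mounted before you reboot: the mounted tree contains /boot/crypto_keyfile.bin, so an unmounted /mnt is the state you want to leave the Live session in. With DRY_RUN=1 the mount/umount commands are printed instead of executed, which is how the functions are exercised here without root; the function names and the constructed mounts file used in the check are assumptions of mine.

```shell
#!/bin/sh
# Added example (not the tutorial's code): the Step 4 / Appendix D bind-mount
# sequence as enter/leave functions that undo everything in reverse order,
# plus a "nothing left mounted" check. DRY_RUN=1 prints commands instead of
# running them, so the logic can be exercised without root.
set -eu

DRY_RUN=${DRY_RUN:-0}

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# $1 root (e.g. /mnt), $2 root LV, $3 ESP device, $4 optional mount options
# for the root LV ("subvol=@" for the btrfs layout described in Step 4).
# Order is the tutorial's: root, dev, dev/pts, sys, proc, run, then the ESP.
chroot_enter() {
    root=$1 rootlv=$2 esp=$3 opts=${4:-}
    if [ -n "$opts" ]; then
        run mount -o "$opts" "$rootlv" "$root"
    else
        run mount "$rootlv" "$root"
    fi
    for d in dev dev/pts sys proc run; do
        run mount --bind "/$d" "$root/$d"
    done
    run mount "$esp" "$root/boot/efi"
}

# Unmount strictly in reverse order of chroot_enter, ESP first, root last.
chroot_leave() {
    root=$1
    run umount "$root/boot/efi"
    for d in run proc sys dev/pts dev; do
        run umount "$root/$d"
    done
    run umount "$root"
}

# Succeed only if nothing is mounted at or below $1. Reads the mount table
# from $2 (default /proc/self/mounts); column 2 is the mount point.
nothing_mounted_under() {
    awk -v r="$1" '$2 == r || index($2, r "/") == 1 { found = 1 }
                   END { exit found ? 1 : 0 }' "${2:-/proc/self/mounts}"
}

# Usage as a script (needs root unless DRY_RUN=1):
#   sh this.sh enter [ROOT]        mounts the tutorial's devices under ROOT
#   sh this.sh leave [ROOT]        unmounts them and verifies ROOT is clean
case "${1:-}" in
    enter) chroot_enter "${2:-/mnt}" /dev/mapper/mint-root /dev/sda2 ;;
    leave) chroot_leave "${2:-/mnt}" && nothing_mounted_under "${2:-/mnt}" ;;
esac
```

For the btrfs layout call chroot_enter /mnt /dev/mapper/mint-root /dev/sda2 subvol=@; the leave half is the same either way. The final check is the one the tutorial's single umount line silently assumes: if any umount in that line fails (a shell still open inside the chroot, for instance), the decrypted tree with the keyfile stays mounted in the Live session.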

 

Appendix E

How to enable UEFI Secure Boot with your own Custom keys

You can find this topic at https://community.linuxmint.com/tutorial/view/2360.

The topic for this tutorial at the Mint Forum is: https://forums.linuxmint.com/viewtopic.php?t=198077

 



Tags: dual boot windows 10 linux mint ubuntu fde full disk system encryption /boot included bios uefi mbr gpt
Created: 3 years ago.
Last edited: 2 months ago.
Reviewed: 2 years ago.


Comments
3 years ago

linux22
Hello Newby, I have read your message.

Do not worry about the crash window at the end of Ubiquity. Leave it aside.

Check if your system has the initctl.REAL file.
ONLY IF IT EXISTS commit the terminal commands indicated in my tutorial:

- sudo mv /mnt/sbin/initctl /mnt/sbin/initctl.orig
- sudo mv /mnt/sbin/initctl.REAL /mnt/sbin/initctl

Check that your initctl file has the correct size (approximately 193 kB).

Now I have a few question for you:

- Is your computer UEFI firmware setting "Secure Boot" enabled or disabled ?
- Have you got any warning/error message during the installation of my Mint FDE solution ?
- Have you checked, after every Terminal command, that your system responded as indicated in my screenshots ?

If your computer has Secure Boot enabled try and disable it.
DO NOT touch other UEFI settings !!!

Please keep me informed about your installation attempts.


Regards

linux22
 
3 years ago

MagicMint
Great work ! But I can’t help mentioning that it’s kinda ironic to make that tremendous labor just in order to have a fully protected Linux installation aside the worst spyware ever seen ;-)  
3 years ago

Rebel450
I appreciate the work you made;
thank you for your efforts.
 
