Written by:
linux22
 Linux Mint 19.X (but also Ubuntu) with Full Disk Encryption, directory /boot included - PC with firmware UEFI & HDD with GPT partitioning scheme - Booting with EFI STUB loader


Author: Naldi Stefano (linux22 at Mint Forum)
First Release: 30 January 2019

Version 1.0

Last update: 30 January 2019


 

_____________________________________

 

I have developed this new solution for Linux Mint Full Disk Encryption (FDE) with PC UEFI & HDD GPT.

In this new project I am abandoning the standard boot loader GRUB, replacing it with the EFI STUB loader.

This new solution has the following PROS and CONS:

PROS:

 

  • VERY FAST BOOTING
  • VERY FAST SHUTDOWN
  • VERY SIMPLE
  • SUPPORT FOR TYPE 2 LUKS ENCRYPTED PARTITIONS (LUKS2)
  • FULL DISK ENCRYPTION (FDE) REQUESTING ONLY ONE PASSWORD AT BOOT-UP
  • NO LUKS UNLOCK KEYFILES REQUIRED
  • NO LVM REQUIRED
  • NO MORE HEADACHE FOR GRUB UPDATING AND/OR UPGRADING
  • WORKS (WITH MINOR CHANGES) ALSO ON LINUX 32-BIT SYSTEMS (TESTED ON VIRTUAL MACHINES ONLY)


CONS:

  • POINTLESS AND/OR POTENTIALLY DANGEROUS FOR FULL DISK ENCRYPTION (FDE) SYSTEMS IF SECURE BOOT IS DISABLED: THE EFI STUB LOADER (KERNEL + INITRAMFS) SITS UNENCRYPTED ON THE EFI PARTITION AND ANYONE WITH PHYSICAL ACCESS CAN REPLACE IT WITH ONE THAT CAPTURES YOUR PASSPHRASE, SO IT MUST BE SIGNED AND SECURE BOOT ENABLED WITH YOUR OWN KEYS
  • POOR CONFIGURATION OPTIONS (COMPARED TO GRUB)
  • NOT COMMON / NOT STANDARD
  • NEED GREATER EFI PARTITION SIZE (MINIMUM RECOMMENDED SIZE 1GB)

 

_____________________________________

 

 

Other tutorials concerning Linux Mint with Full Disk Encryption, directory /boot included:

 


Table of contents


GNU Free Documentation License

GNU GENERAL PUBLIC LICENSE

Disclaimer and acknowledgments

Useful links

LINUX MINT FDE INSTALLATION FOR PC WITH UEFI AND HDD WITH GPT, EFI STUB LOADER

Step 1 - Set up of the Ubiquity configuration file '/lib/partman/check.d/07crypto_check_mountpoints', requires a basic text editor

Step 2 - Set up of the HDD and partitions, requires a few Terminal commands

Step 3 - Set up of the Linux installation, requires Ubiquity

Step 4 - Configuring the EFI STUB loader for the Linux Mint FDE installation, requires a lot of Terminal commands

Appendix A – Emergency tools - How to access your encrypted partition with your Mint or Ubuntu Live CD

Appendix B – Emergency tools - How to reinstall EFI STUB loader after ...

 

 

GNU Free Documentation License
Version 1.3, 3 November 2008

Linux Mint with Full Disk Encryption, directory /boot included - PC with firmware UEFI & HDD with GPT partitioning scheme - Booting with EFI STUB loader

Copyright (C) 2019 Naldi Stefano.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.

You should have received a copy of the "GNU Free Documentation License" along with this document.

If not, see < https://www.gnu.org/licenses/fdl.html >.


GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007

Linux Mint with Full Disk Encryption, directory /boot included - PC with firmware UEFI & HDD with GPT partitioning scheme - Booting with EFI STUB loader

Copyright (C) 2019 Naldi Stefano

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the "GNU General Public License" along with this program.

If not, see < https://www.gnu.org/licenses/gpl.html >.

 

 

Linux Mint Full Disk Encryption (directory /boot included) installation - PC with UEFI and HDD with GPT, EFI STUB loader

I wrote this guide/tutorial in the hope that it will be useful to everyone who needs a Linux installation with Full Disk Encryption. The solution reported here is EXPERIMENTAL and needs good experience with Linux and its installation. At the moment I have successfully tested this solution with Linux Mint 19.X Cinnamon and MATE and with Ubuntu 17.10 and above, all 64-bit versions.
This guide/tutorial comes with ABSOLUTELY NO WARRANTY.

First of all I must thank Matthew Bentley (https://bentley.link/secureboot), because his publications show very well the whole process of building and configuring a reliable EFI STUB loader for Linux systems. His solution was published on 12 May 2016, more than 2 years ago.

Another thanks goes to Michal Krenek (Mikos) for his 'cryptboot' software package (https://github.com/xmikos/cryptboot). In a few pages he has condensed all we need to BUILD and RUN a working UEFI Secure Boot Linux installation.

Although both of these solutions seem to have been developed for Arch Linux, within them we can find the right commands and advice for almost every Linux distribution.


Other useful links are these:

 

INSTALLATION FOR PC WITH UEFI AND HDD WITH GPT, EFI STUB LOADER - BEGINNING


The installation requires:

A PC with UEFI firmware and Secure Boot disabled, and an HDD with GPT partitioning scheme.

An HDD with at least 25 GB of free space.

A Live CD/USB of Mint 19.X Cinnamon or MATE, or of Ubuntu 17.10 and above, all 64-bit versions.

 

The installation here described assume:

Installation of Linux on: /dev/sda

Physical volume for encryption, reserved for root, built on: /dev/sda2

EFI Partition: /dev/sda1

EFI STUB loader installation point: /boot/efi (inside the EFI partition)

Encrypted volume for root: /dev/mapper/sda2_crypt

Encrypted swapfile built on: /dev/mapper/sda2_crypt   (i.e. /swapfile)


IF YOU CHANGE THESE ASSUMPTIONS THEN CHANGE THE UBIQUITY SETTINGS AND THE LISTED TERMINAL COMMANDS ACCORDINGLY !!!


MY ADVICE, BEFORE TRYING THIS INSTALLATION ON A REAL PC, IS TO INSTALL IT ON A VIRTUAL MACHINE SUCH AS VIRTUALBOX. WHEN YOU SUCCEED WITH THE INSTALLATION AND BECOME FAMILIAR WITH THE LISTED TERMINAL COMMANDS, THEN YOU CAN TRY A REAL INSTALLATION.


The procedure described in this guide/tutorial is divided into 4 steps:

Step 1 - Set up of the Ubiquity configuration file '/lib/partman/check.d/07crypto_check_mountpoints', requires a basic text editor

Step 2 - Set up of the HDD and partitions, requires a few Terminal commands

Step 3 - Set up of the Linux installation, requires Ubiquity

Step 4 - Configuring the EFI STUB loader for the Linux Mint FDE installation, requires a lot of Terminal commands

Appendix A – Emergency tools - How to access your encrypted partition with your Mint or Ubuntu Live CD

Appendix B – Emergency tools - How to reinstall EFI STUB loader after ...
 

The Terminal commands listed in this guide/tutorial are typed in RED COLOR.


Step 1

Boot your Live CD on the target PC and, when ready, open a Terminal window, then start the 'xed' text editor with the following Terminal command:

sudo xed /lib/partman/check.d/07crypto_check_mountpoints


Now scroll down the file '/lib/partman/check.d/07crypto_check_mountpoints' to the end.


Remove the last nine rows. This disables the check that prevents Ubiquity from installing the distribution when the /boot directory resides inside an encrypted device. The installer insists on an unencrypted /boot because the standard GRUB setup needs it; with the EFI STUB loader the check no longer applies, since the kernel and initramfs reach the EFI partition inside kernel.efi (Step 4) and /boot itself stays encrypted.

 

Then save the file and exit.

 

Step 2

Now run the following 8 commands:



sudo parted -s /dev/sda mklabel gpt

sudo parted -s /dev/sda mkpart ESP fat32 1MiB 1025MiB

sudo mkfs.vfat -F32 /dev/sda1

sudo parted -s /dev/sda set 1 boot on

sudo parted -s /dev/sda mkpart primary 1025MiB 100%

sudo cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random luksFormat --type luks2 /dev/sda2

sudo cryptsetup luksOpen /dev/sda2 sda2_crypt

sudo mkfs.ext4 /dev/mapper/sda2_crypt

 

These commands create the EFI boot partition (1 GiB, FAT32; on GPT the parted 'boot' flag marks it as the EFI System Partition) and the encrypted volume for FDE, formatted as LUKS2 (the --type luks2 option). LUKS2 uses Argon2 as its default password-based key derivation function, and --iter-time 5000 makes cryptsetup benchmark it so that unlocking a key slot takes about 5 seconds on this machine. --hash sha512 selects the hash used by the LUKS key setup scheme and the volume-key digest; with Argon2 it is not the password-hashing function.
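As an added check that is not part of the original tutorial, the following shell function reads the output of 'cryptsetup luksDump' and confirms that the header on disk really is LUKS2 with aes-xts-plain64, a 512-bit key and an Argon2 PBKDF, i.e. what the luksFormat command above requested, before the device is handed to Ubiquity. The function names and the abridged sample dump are mine; the sample is constructed (placeholder UUID, typical key-slot values) so the check can be exercised without a disk.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Reads 'cryptsetup luksDump'
# output on stdin and returns 0 only if: the header version is 2 (LUKS2),
# every key slot uses aes-xts-plain64 with a 512-bit key, and every key slot
# uses an Argon2 PBKDF (LUKS2's default; "pbkdf2" would mean the slot was
# created with --pbkdf pbkdf2 or by an old cryptsetup).
luks_params_ok() {
    awk '
        /^Version:/                { version = $2 }
        /^[[:space:]]+Key:/        { if ($2 != "512")             bad = bad " keybits=" $2 }
        /^[[:space:]]+Cipher:/     { if ($2 != "aes-xts-plain64") bad = bad " cipher=" $2 }
        /^[[:space:]]+PBKDF:/      { if ($2 !~ /^argon2/)         bad = bad " pbkdf=" $2 }
        END {
            if (version != "2") bad = bad " version=" version
            if (bad != "") {
                print "LUKS header check FAILED:" bad > "/dev/stderr"
                exit 1
            }
            print "LUKS header check OK: LUKS2, aes-xts-plain64, 512-bit key, Argon2 PBKDF"
        }'
}

# Constructed, abridged LUKS2 luksDump output (placeholder UUID, not from a
# real device) so the check can be tried offline.
sample_luksdump() {
    printf 'LUKS header information\n'
    printf 'Version:\t2\nEpoch:\t3\n'
    printf 'UUID:\t00000000-0000-0000-0000-000000000000\n\n'
    printf 'Data segments:\n  0: crypt\n\toffset: 16777216 [bytes]\n\tlength: (whole device)\n'
    printf '\tcipher: aes-xts-plain64\n\tsector: 512 [bytes]\n\n'
    printf 'Keyslots:\n  0: luks2\n\tKey:        512 bits\n\tPriority:   normal\n'
    printf '\tCipher:     aes-xts-plain64\n\tCipher key: 512 bits\n\tPBKDF:      argon2i\n'
    printf '\tTime cost:  4\n\tMemory:     1048576\n\tThreads:    4\n'
}

# Real use in the live session, right after luksFormat:
#   sudo cryptsetup luksDump /dev/sda2 | luks_params_ok
```

The lowercase 'cipher:' line in the data-segments block and the 'Cipher key:' line are deliberately not matched; only the per-key-slot 'Key:', 'Cipher:' and 'PBKDF:' lines and the header 'Version:' line decide the result.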

 

Step 3

Now start Ubiquity by running the following Terminal command:

sh -c 'ubiquity -b gtk_ui'&

The -b option makes Ubiquity skip the boot loader installation (which would fail with an encrypted /boot), so the Ubiquity process finishes without errors.


Once Ubiquity has opened choose your language and your keyboard layout and go on.

 


Then you get the following page, where you can choose whether to install third-party software or not. Make your choice and go on.

 


Now you are in the 'Installation type' page. Select 'Something else' and click 'Continue'

 


Now you are in the 'Partition manager' page. Check that your HDD shows the partition scheme produced in Step 2: /dev/sda1 as the EFI partition and /dev/mapper/sda2_crypt as the unlocked encrypted volume.

 

Now select '/dev/mapper/sda2_crypt', click 'Change' and select 'Use as' as 'Ext4 journaling file system' from the dropdown menu, then select 'Format the partition' and choose 'Mount point' as '/'. Then click 'OK'.

 

The final HDD layout will look something like this: '/dev/sda1' as the EFI System Partition and '/dev/mapper/sda2_crypt' as ext4 mounted on '/'. Now click 'Install Now'.

 

A popup window named 'Write the changes to disks ?' will appear. Click 'Continue'. Then choose your Region and set up your user account. When ready go on and wait until Ubiquity installs the whole system.

 


At the end of Ubiquity installation process you will get this popup window. Click 'Continue Testing' and Ubiquity will finish.

 

Step 4

Now run the following 8 Terminal commands:


sudo mount /dev/mapper/sda2_crypt /mnt

sudo mount --bind /dev /mnt/dev

sudo mount --bind /dev/pts /mnt/dev/pts

sudo mount --bind /sys /mnt/sys

sudo mount --bind /proc /mnt/proc

sudo mount --bind /run /mnt/run

sudo mount /dev/sda1 /mnt/boot/efi

sudo chmod -R g-rwx,o-rwx /mnt/boot

 

These commands mount the Linux system previously built by Ubiquity on /mnt, bind the live session's /dev, /sys, /proc and /run into it so that chroot commands work, and mount the EFI boot partition on /mnt/boot/efi.

The last command locks other users out of the directory /mnt/boot, which contains the kernel, initramfs and EFI STUB loader files. chmod cannot change permissions on the FAT-formatted EFI partition mounted below it (expect 'Operation not permitted' messages for files under /mnt/boot/efi and ignore them): its permissions come from the umask/fmask/dmask mount options of the /boot/efi line in /etc/fstab, which Ubiquity normally writes with umask=0077.

Check that the package 'efibootmgr' is installed in the new system. If it is not, run the following 2 commands (the chroot uses the live session's network connection):

sudo chroot /mnt apt-get update

sudo chroot /mnt apt-get install efibootmgr

-----

Now run the following Terminal command:



echo "sda2_crypt UUID=`sudo blkid -s UUID -o value /dev/sda2` none luks" | sudo tee -a /mnt/etc/crypttab
 

This command builds the 'crypttab' file. The mapper name 'sda2_crypt' must match the root= parameter of the kernel command line written in a later step (root=/dev/mapper/sda2_crypt), and the UUID is that of the LUKS header on /dev/sda2; the initramfs rebuilt below embeds this entry so that the root volume can be unlocked at boot.

-----

Now run the following 6 Terminal commands:

sudo chroot /mnt swapoff /swapfile

sudo chroot /mnt rm -r /swapfile

sudo chroot /mnt fallocate -l 8G /swapfile

sudo chroot /mnt chmod 600 /swapfile

sudo chroot /mnt mkswap /swapfile

sudo chroot /mnt swapon /swapfile

These commands replace the swapfile created by Ubiquity with one of the size you need (e.g. 8G or whatever you want) and activate it. Since /swapfile lives on the encrypted root volume, swap is encrypted as well.

-----

Now run the following 2 Terminal commands:



sudo chroot /mnt locale-gen --purge --no-archive

sudo chroot /mnt update-initramfs -u
 

The first command regenerates the locales configured by Ubiquity inside the chroot; the second rebuilds the initramfs so that it contains the cryptsetup hooks and the crypttab entry just written.

-----

Now run the following 8 Terminal commands:


sudo chroot /mnt mkdir /boot/efistub

sudo chroot /mnt mkdir -p /boot/efi/EFI/Boot

sudo chroot /mnt mkdir -p /boot/efi/EFI/Mint

echo "/vmlinuz root=/dev/mapper/sda2_crypt ro quiet splash" | sudo tee -a /mnt/boot/efistub/cmdline.txt

sudo chroot /mnt objcopy --add-section .osrel=/etc/os-release --change-section-vma .osrel=0x20000 --add-section .cmdline=/boot/efistub/cmdline.txt --change-section-vma .cmdline=0x30000 --add-section .linux=/vmlinuz --change-section-vma .linux=0x40000 --add-section .initrd=/initrd.img --change-section-vma .initrd=0x3000000 -S /usr/lib/systemd/boot/efi/linuxx64.efi.stub /boot/efistub/kernel.efi

sudo cp -f /mnt/boot/efistub/kernel.efi /mnt/boot/efi/EFI/Mint/kernel.efi

sudo cp -f /mnt/boot/efistub/kernel.efi /mnt/boot/efi/EFI/Boot/Bootx64.efi

sudo chroot /mnt efibootmgr -c -d /dev/sda -p 1 -D -L "Mint" -l "\EFI\Mint\kernel.efi"

 

These commands build the EFI STUB loader images: .efi files in which objcopy appends the OS release info, the kernel command line, the kernel and the initramfs as extra PE sections (.osrel, .cmdline, .linux, .initrd) to the systemd EFI stub, which reads them at boot. Two identical copies are written: /EFI/Mint/kernel.efi, which the NVRAM entry points to, and /EFI/Boot/Bootx64.efi, the fallback path the firmware tries when no boot entry exists. The last command creates the EFI NVRAM boot entry (-D removes duplicate entries). If efibootmgr reports that EFI variables are not supported, the efivars filesystem is not visible inside the chroot (a plain --bind of /sys does not carry the efivars sub-mount along): mount efivarfs at /mnt/sys/firmware/efi/efivars and repeat the command.
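The objcopy command above pins every section at a fixed virtual address (0x20000, 0x30000, 0x40000, 0x3000000), so a section must not grow past the start of the next one; a kernel larger than the gap between 0x40000 and 0x3000000 would overlap the .initrd section and produce a broken image. The following shell snippet is an added example, not part of the original tutorial: it checks that the sizes of /etc/os-release, cmdline.txt and the kernel fit the tutorial's addresses and computes a safe .initrd address when they do not. The function and variable names are mine; the addresses are the tutorial's.

```shell
#!/bin/sh
# Added example, not from the original tutorial: sanity-check the fixed section
# layout used by the objcopy command before building kernel.efi.
# The addresses are the ones used in the tutorial (decimal, hex in comments).
OSREL_VMA=131072       # 0x20000
CMDLINE_VMA=196608     # 0x30000
LINUX_VMA=262144       # 0x40000
INITRD_VMA=50331648    # 0x3000000

# efistub_layout_ok OSREL_BYTES CMDLINE_BYTES LINUX_BYTES
# Returns 0 if each section ends before the next one starts, 1 otherwise.
# .initrd is the last section, so its size is unconstrained.
efistub_layout_ok() {
    osrel=$1; cmdline=$2; linux=$3
    rc=0
    if [ "$osrel" -gt $((CMDLINE_VMA - OSREL_VMA)) ]; then
        echo ".osrel ($osrel bytes) overlaps .cmdline" >&2; rc=1
    fi
    if [ "$cmdline" -gt $((LINUX_VMA - CMDLINE_VMA)) ]; then
        echo ".cmdline ($cmdline bytes) overlaps .linux" >&2; rc=1
    fi
    if [ "$linux" -gt $((INITRD_VMA - LINUX_VMA)) ]; then
        echo ".linux ($linux bytes) overlaps .initrd at $(printf '0x%x' $INITRD_VMA)" >&2; rc=1
    fi
    return $rc
}

# suggest_initrd_vma LINUX_BYTES
# Prints the smallest 16 MiB aligned address after the end of .linux, i.e. the
# value to pass as --change-section-vma .initrd=... when the kernel does not fit.
suggest_initrd_vma() {
    align=16777216     # 0x1000000
    end=$((LINUX_VMA + $1))
    printf '0x%x\n' $(( (end + align - 1) / align * align ))
}

# check_efistub_inputs: measure the real input files (stat -L follows the
# /vmlinuz symlink) and run the check. Meant to be run inside the chroot
# right before the objcopy command.
check_efistub_inputs() {
    efistub_layout_ok "$(stat -L -c %s /etc/os-release)" \
                      "$(stat -L -c %s /boot/efistub/cmdline.txt)" \
                      "$(stat -L -c %s /vmlinuz)"
}
```

If .linux does not fit, use the address printed by suggest_initrd_vma for .initrd both in the objcopy command and in the update hook; after building, 'objdump -h /boot/efistub/kernel.efi' must list the four added sections at the expected addresses.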

-----

Now run the following 3 Terminal commands:


sudo chroot /mnt mkdir -p /etc/initramfs/post-update.d

sudo chroot /mnt touch /etc/initramfs/post-update.d/objcopy_update_hook

sudo chroot /mnt chmod +x /etc/initramfs/post-update.d/objcopy_update_hook
 

These commands create an empty, executable hook script. update-initramfs runs every executable in /etc/initramfs/post-update.d after it has rebuilt an initramfs, so the EFI STUB loader .efi files are regenerated automatically after an initramfs (and kernel) update. If the hook is missing or fails, the kernel.efi on the EFI partition keeps booting the OLD kernel and initramfs; and if Secure Boot is already enabled with your keys but /boot/efikeys is absent, the hook leaves an unsigned image that the firmware will refuse.

Open '/etc/initramfs/post-update.d/objcopy_update_hook' with a text editor and fill it in. Its typical contents are something like this:

------------------------------------------------------------------------------------------------------------

#!/bin/sh
# Run by update-initramfs (via /etc/initramfs/post-update.d) after every
# initramfs rebuild. Abort on the first error so that a broken image is
# noticed instead of silently landing on the EFI partition.
set -e
# Rebuild the unified image from the current /vmlinuz and /initrd.img symlinks
objcopy --add-section .osrel=/etc/os-release --change-section-vma .osrel=0x20000 --add-section .cmdline=/boot/efistub/cmdline.txt --change-section-vma .cmdline=0x30000 --add-section .linux=/vmlinuz --change-section-vma .linux=0x40000 --add-section .initrd=/initrd.img --change-section-vma .initrd=0x3000000 -S /usr/lib/systemd/boot/efi/linuxx64.efi.stub /boot/efistub/kernel.efi
# Install both copies: the NVRAM entry target and the firmware fallback path
cp -f /boot/efistub/kernel.efi /boot/efi/EFI/Mint/kernel.efi
cp -f /boot/efistub/kernel.efi /boot/efi/EFI/Boot/Bootx64.efi
# Sign in place and verify when the custom Secure Boot keys are present.
# /boot/efikeys is inside the encrypted /boot, so the private key never
# touches the unencrypted EFI partition.
if [ -d "/boot/efikeys" ]
    then
        sbsign --key /boot/efikeys/db.key --cert /boot/efikeys/db.crt --output /boot/efi/EFI/Mint/kernel.efi /boot/efi/EFI/Mint/kernel.efi
        sbsign --key /boot/efikeys/db.key --cert /boot/efikeys/db.crt --output /boot/efi/EFI/Boot/Bootx64.efi /boot/efi/EFI/Boot/Bootx64.efi
        sync
        sbverify --cert /boot/efikeys/db.crt /boot/efi/EFI/Mint/kernel.efi
        sbverify --cert /boot/efikeys/db.crt /boot/efi/EFI/Boot/Bootx64.efi
fi

------------------------------------------------------------------------------------------------------------

-----

Now run the following 3 Terminal commands:

sudo rm -r /mnt/boot/efi/EFI/ubuntu

sudo chroot /mnt swapoff /swapfile

sudo umount /mnt/boot/efi /mnt/proc /mnt/dev/pts /mnt/dev /mnt/sys /mnt/run /mnt

These commands remove the /EFI/ubuntu directory that GRUB leaves on the EFI partition (if present), turn swap off and unmount the entire /mnt tree, containing the new Linux Mint 19 FDE installation with a ready-to-go EFI STUB loader.

-----

Now you can reboot your system and check that everything is OK.

Enter the password for your encrypted partition and, if all works well, you can now go ahead and activate Secure Boot on your PC. Until Secure Boot is enabled with your own keys, the kernel.efi on the EFI partition is verified by nothing and the system is exposed to the tampering described in the CONS above.

For Secure Boot activation you can follow my other tutorial at https://community.linuxmint.com/tutorial/view/2360, where you must:

- start from Step 3 (enabling Secure Boot and clearing Secure Boot keys databases)

- go on to Step 4, running all 24 listed commands from a root Terminal

- then skip Step 5

- run the following 6 Terminal commands (your Terminal should still be root; db.key and db.crt are the Secure Boot signing key and certificate created in that Step 4, and the relative paths assume the shell is still in the directory where they were created):

sbsign --key db.key --cert db.crt --output /boot/efi/EFI/Mint/kernel.efi /boot/efi/EFI/Mint/kernel.efi

sbsign --key db.key --cert db.crt --output /boot/efi/EFI/Boot/Bootx64.efi /boot/efi/EFI/Boot/Bootx64.efi

sync

sbverify --cert db.crt /boot/efi/EFI/Mint/kernel.efi

sbverify --cert db.crt /boot/efi/EFI/Boot/Bootx64.efi

exit

- and finally go to Step 6.

 

Now your Linux Mint 19 FDE installation with the EFI STUB loader is ready, and the only files outside the encrypted partition (the EFI STUB loader images on the EFI partition) are covered by EFI Secure Boot: the firmware will refuse to execute a kernel.efi that is not signed with your db.key. Two conditions must hold for this to mean anything: the firmware setup must be protected by a password (otherwise an attacker with physical access simply disables Secure Boot or enrolls his own key), and the private key in /boot/efikeys must stay inside the encrypted /boot.

 

INSTALLATION FOR PC WITH UEFI AND HDD WITH GPT, EFI STUB LOADER - END

 

Appendix A

Emergency tools - How to access your encrypted partition with your Mint or Ubuntu Live CD

If your system does not start because of a PC hardware failure, damaged boot files, etc., but you are sure that your HDD (containing the encrypted partition) is OK, you can access your data using the following procedure.

Start your PC with a Mint Live CD containing the same Linux Mint version installed on your HDD.

Remember that if you have installed and enabled Secure Boot with your own custom keys you MUST disable Secure Boot first !!! The Live CD boots through a shim signed with Microsoft's key, which your custom key database no longer contains, so the firmware would refuse to start it.

When your live system is up and running, open a terminal window and run the following 2 commands:

sudo cryptsetup luksOpen /dev/sda2 sda2_crypt

sudo mount /dev/mapper/sda2_crypt /mnt


In this example we assume that the HDD is in the PC it was installed on and that you followed the installation procedure listed in this tutorial. Otherwise change the device letters, numbers and names accordingly.


Now your encrypted partition is mounted under the /mnt directory of your Linux Mint live system and you can recover, backup or copy all the files that you need.

 


Appendix B

Emergency tools - How to reinstall EFI STUB loader after ...


To reinstall the EFI STUB loader after a malfunction caused by:

- a Linux kernel/initramfs package update/upgrade
- damaged boot files
- a Linux Mint release upgrade

the first step is to gain access to your encrypted partition using the procedure listed in Appendix A of this tutorial.

Once you have a Linux Mint or Ubuntu Live CD system up and running and your encrypted partition mounted under the "/mnt" directory, you can proceed with the reconfiguration of the EFI STUB loader.

You only need to repeat 14 Terminal commands already listed in Step 4 of this tutorial:

sudo mount --bind /dev /mnt/dev

sudo mount --bind /dev/pts /mnt/dev/pts

sudo mount --bind /sys /mnt/sys

sudo mount --bind /proc /mnt/proc

sudo mount --bind /run /mnt/run

sudo mount /dev/sda1 /mnt/boot/efi

sudo chroot /mnt locale-gen --purge --no-archive

sudo chroot /mnt update-initramfs -u

echo "/vmlinuz root=/dev/mapper/sda2_crypt ro quiet splash" | sudo tee /mnt/boot/efistub/cmdline.txt

sudo chroot /mnt objcopy --add-section .osrel=/etc/os-release --change-section-vma .osrel=0x20000 --add-section .cmdline=/boot/efistub/cmdline.txt --change-section-vma .cmdline=0x30000 --add-section .linux=/vmlinuz --change-section-vma .linux=0x40000 --add-section .initrd=/initrd.img --change-section-vma .initrd=0x3000000 -S /usr/lib/systemd/boot/efi/linuxx64.efi.stub /boot/efistub/kernel.efi

sudo cp -f /mnt/boot/efistub/kernel.efi /mnt/boot/efi/EFI/Mint/kernel.efi

sudo cp -f /mnt/boot/efistub/kernel.efi /mnt/boot/efi/EFI/Boot/Bootx64.efi

sudo chroot /mnt efibootmgr -c -d /dev/sda -p 1 -D -L "Mint" -l "\EFI\Mint\kernel.efi"

sudo umount /mnt/boot/efi /mnt/proc /mnt/dev/pts /mnt/dev /mnt/sys /mnt/run /mnt
 

The command that writes cmdline.txt is needed only if that file was lost; if /boot/efistub/cmdline.txt is intact, skip it (the file must contain the kernel command line exactly once). The penultimate command (efibootmgr) is necessary ONLY if the system has also lost the EFI NVRAM boot entry. Note that 'update-initramfs -u' already runs the objcopy_update_hook, and the objcopy/cp commands that follow overwrite its output with unsigned copies: if Secure Boot is enabled with your keys, you must sign kernel.efi and Bootx64.efi again (the sbsign/sbverify commands from the Secure Boot section) before re-enabling Secure Boot and rebooting.


Now your original Linux Mint FDE EFI STUB loaders have been reinstalled and you can restart your PC.

 


 

The topic for this tutorial at the Mint Forum is: https://forums.linuxmint.com/viewtopic.php?t=198077

 


