trent/trents_blog
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
6ee2141c07
trents_blog/site/posts/lmde3-xfs-full-disk-encryption/index.html
Trent Palmer 6ee2141c07 change theme
2021-09-10 04:30:02 -07:00

392 lines
21 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<!--[if IE 8]><html class="no-js lt-ie9" lang="en" > <![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js" lang="en" > <!--<![endif]-->
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link rel="canonical" href="https://blog.trentsonlinedocs.xyz/posts/lmde3-xfs-full-disk-encryption/">
<link rel="shortcut icon" href="../../img/favicon.ico">
<title>LMDE3 xfs Full Disk Encryption - Trent's Blog</title>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Lato:400,700|Roboto+Slab:400,700|Inconsolata:400,700" />
<link rel="stylesheet" href="../../css/theme.css" />
<link rel="stylesheet" href="../../css/theme_extra.css" />
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/10.5.0/styles/github.min.css" />
<link href="../../extra.css" rel="stylesheet" />
<script>
// Current page data
var mkdocs_page_name = "LMDE3 xfs Full Disk Encryption";
var mkdocs_page_input_path = "posts/lmde3-xfs-full-disk-encryption.md";
var mkdocs_page_url = "/posts/lmde3-xfs-full-disk-encryption/";
</script>
<script src="../../js/jquery-2.1.1.min.js" defer></script>
<script src="../../js/modernizr-2.8.3.min.js" defer></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/10.5.0/highlight.min.js"></script>
<script>hljs.initHighlightingOnLoad();</script>
</head>
<body class="wy-body-for-nav" role="document">
<div class="wy-grid-for-nav">
<nav data-toggle="wy-nav-shift" class="wy-nav-side stickynav">
<div class="wy-side-scroll">
<div class="wy-side-nav-search">
<a href="../.." class="icon icon-home"> Trent's Blog</a>
<div role="search">
<form id ="rtd-search-form" class="wy-form" action="../../search.html" method="get">
<input type="text" name="q" placeholder="Search docs" title="Type search term here" />
</form>
</div>
</div>
<div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation">
<p class="caption"><span class="caption-text">RSS</span></p>
<ul>
<li class="toctree-l1"><a class="reference internal" href="../../rss/">RSS</a>
</li>
</ul>
<p class="caption"><span class="caption-text">Links</span></p>
<ul>
<li class="toctree-l1"><a class="reference internal" href="../../links/">Links</a>
</li>
<li class="toctree-l1"><a class="" href="https://trentpalmer.org">TrentReads</a>
</li>
<li class="toctree-l1"><a class="" href="https://blog.trentpalmer.org">AttentionSpanHistory</a>
</li>
<li class="toctree-l1"><a class="" href="https://github.com/TrentSPalmer">GitHub</a>
</li>
<li class="toctree-l1"><a class="" href="https://twitter.com/boringtrent">Twitter</a>
</li>
<li class="toctree-l1"><a class="" href="https://www.facebook.com/trentspalmer">Facebook</a>
</li>
<li class="toctree-l1"><a class="" href="https://docs.trentsonlinedocs.xyz/">TrentDocs</a>
</li>
<li class="toctree-l1"><a class="" href="https://trentsonlinedocs.xyz/hugo-themes-report/hugo-themes-report.html">HugoThemesReport</a>
</li>
<li class="toctree-l1"><a class="" href="https://play.google.com/store/apps/details?id=org.trentpalmer.libre_gps_parser">LibreGpsParser</a>
</li>
<li class="toctree-l1"><a class="" href="https://concise-pdx.com/">ConcisePDX</a>
</li>
<li class="toctree-l1"><a class="" href="https://trentspalmer.github.io/fcc-challenges/">FreeCodeCampChallenges</a>
</li>
<li class="toctree-l1"><a class="" href="https://trentpalmer.work/6a57bbe24d8244289610bf57533d6c6f/">DeviceLayout</a>
</li>
</ul>
<p class="caption"><span class="caption-text">Posts</span></p>
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../trents-favorite-podcasts/">Trent's Favorite Podcasts</a>
</li>
<li class="toctree-l1"><a class="reference internal" href="../test-qr-svg-django/">Test QRCODE Svg in Django</a>
</li>
<li class="toctree-l1"><a class="reference internal" href="../prosody-photo-uploads/">Prosody Photo Uploads</a>
</li>
<li class="toctree-l1"><a class="reference internal" href="../xmpp-apt-notifications/">Xmpp Apt Notifications</a>
</li>
<li class="toctree-l1"><a class="reference internal" href="../apache-virtual-hosts/">Apache Virtual Hosts</a>
</li>
<li class="toctree-l1"><a class="reference internal" href="../sendxmpp-handler-for-python-logging/">SENDXMPPHandler for Python Logging</a>
</li>
<li class="toctree-l1"><a class="reference internal" href="../instructions-for-tethering-from-phone/">Instructions For Tethering From Phone</a>
</li>
<li class="toctree-l1"><a class="reference internal" href="../lmde4-custom-partitions-disk-encryption/">LMDE4 Custom Partitions Disk Encryption</a>
</li>
<li class="toctree-l1"><a class="reference internal" href="../linux-move-cursor-with-keyboard/">Linux Move Cursor With Keyboard</a>
</li>
<li class="toctree-l1"><a class="reference internal" href="../simplified-raspberry-streaming/">Simplified Raspberry Streaming</a>
</li>
<li class="toctree-l1"><a class="reference internal" href="../clear-linux-encrypted-xfs-root/">Clear Linux Encrypted xfs Root</a>
</li>
<li class="toctree-l1"><a class="reference internal" href="../clear-linux-guest-virt-manager/">Clear Linux Guest Virt Manager</a>
</li>
<li class="toctree-l1"><a class="reference internal" href="../faster-partitioning-with-sgdisk/">Faster Partitioning With sgdisk</a>
</li>
<li class="toctree-l1 current"><a class="reference internal current" href="./">LMDE3 xfs Full Disk Encryption</a>
<ul class="current">
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../rewrite-hugo-themes-report-in-python/">Rewrite Hugo Themes Report in Python</a>
</li>
</ul>
</div>
</div>
</nav>
<section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">
<nav class="wy-nav-top" role="navigation" aria-label="top navigation">
<i data-toggle="wy-nav-top" class="fa fa-bars"></i>
<a href="../..">Trent's Blog</a>
</nav>
<div class="wy-nav-content">
<div class="rst-content">
<div role="navigation" aria-label="breadcrumbs navigation">
<ul class="wy-breadcrumbs">
<li><a href="../..">Docs</a> &raquo;</li>
<li>Posts &raquo;</li>
<li>LMDE3 xfs Full Disk Encryption</li>
<li class="wy-breadcrumbs-aside">
</li>
</ul>
<hr/>
</div>
<div role="main">
<div class="section">
<p>date: 2019-01-25T23:25:36-08:00</p>
<h2 id="introduction"><strong>Introduction</strong></h2>
<p>Linux Mint Debian Edition is the alternate version of Linux Mint, but built on a Debian base. The result is quite pleasant: the
stability of desktop Debian, but with the rough edges polished smooth, nicely configured fonts and ui, and all the multi-media codecs included.</p>
<p>Unfortunately, the LMDE 3 installer does not support disk encryption, but manually setting this up by hand is pretty straightforward.
On the other hand, manually setting up your partitions by hand allows extra freedom and flexibility,
and so I have chosen a simple luks-encrypted <code>/</code> partition formatted xfs.</p>
<p>As far as swap is concerned, my preference is to use a swap file instead of a swap partition. Having a swap file instead of a swap partition is more flexible because obviously you can easily recreate a
different size swap file whenever you like (or use none at all), and the encryption requires no extra set up because the <code>/</code> partition is encrypted anyway.</p>
<p>Will this work with a dual-boot set up? Of course! Because you have to manually configure the partitions anyway, just arrange them exactly how you would need for dual-boot.</p>
<p>Assumes uefi-configured boot, with separate partitions for <code>/boot</code> formatted ext4, <code>/boot/efi</code> formatted fat32, and a regular luks-encrypted partition for <code>/</code> formatted xfs.</p>
<h2 id="prepare-the-installation-media"><strong>Prepare The Installation Media</strong></h2>
<p>Visit the <a href="https://www.linuxmint.com/" target="_blank">Linux Mint Website</a>
and <a href="https://www.linuxmint.com/edition.php?id=259" target="_blank">download</a> the iso file for LMDE 3 64bit. Download from torrents if possible, to save bandwidth.</p>
<ul>
<li>verify the sha256 sum of the iso file
<div class="highlight"><pre><span></span><code><span class="go">sha256sum lmde-3-201808-cinnamon-64bit.iso</span>
</code></pre></div></li>
</ul>
<p>Identify the thumb drive you are going to install from.</p>
<ul>
<li>type <code>lsblk</code>, note the output, and then insert the thumb drive</li>
<li>then type <code>lsblk</code> again and note the <em>additional output</em></li>
</ul>
<div class="highlight"><pre><span></span><code># lsblk /dev/sdb
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sdb 8:32 1 14.5G 0 disk
├─sdb1 8:33 1 3.4G 0 part /media/trent/Debian 9.6.0 amd64
└─sdb2 8:34 1 416K 0 part
</code></pre></div>
<p>In the above example output we see that our thumb drive is identified as <code>/dev/sdb</code>, and partition <code>/dev/sdb1</code> is automatically mounted.</p>
<p>Take special care that you have accurately identified the thumb drive before proceeding. For the sake of example,
we will proceed on the assumption that our thumb drive is identified as <code>/dev/sdb</code>, but you need to compensate accordingly.</p>
<ul>
<li>
<p>unmount any partition of the thumb drive that are automatically mounted
<div class="highlight"><pre><span></span><code><span class="go">umount /dev/sdb1</span>
</code></pre></div></p>
</li>
<li>
<p>write the disk image to the thumb drive
<div class="highlight"><pre><span></span><code><span class="go">ddrescue -D --force lmde-3-201808-cinnamon-64bit.iso /dev/sdb</span>
</code></pre></div></p>
</li>
</ul>
<h2 id="boot-the-install-disc"><strong>Boot The Install Disc</strong></h2>
<ul>
<li>boot into bios to disable fastboot and secureboot</li>
<li>invoke your machine's device boot menu and boot the install disc in uefi mode</li>
<li>confirm that you have booted in uefi mode by listing efivars
<div class="highlight"><pre><span></span><code><span class="go">ls /sys/firmware/efi/vars</span>
</code></pre></div></li>
</ul>
<h2 id="partition-the-hard-drive"><strong>Partition The Hard Drive</strong></h2>
<p>If you recall we are assuming the target hard drive is <code>/dev/sda</code>, as an example. So, make adjustments as necessary.</p>
<p>If you would rather use a different partition tool, make sure the efi partition is an efi partition type, and you definitely need a separate <code>/boot</code> partition.</p>
<ol>
<li>if needed you can clear the drive with wipefs
<div class="highlight"><pre><span></span><code><span class="go">wipefs --all /dev/sda</span>
</code></pre></div></li>
<li>create a new partition table for <code>/dev/sda</code>
<div class="highlight"><pre><span></span><code><span class="go">sgdisk /dev/sda -o</span>
</code></pre></div></li>
<li>create a new efi partition for <code>/dev/sda</code>
<div class="highlight"><pre><span></span><code><span class="go">sgdisk /dev/sda --new=1::+512MiB --typecode=1:ef00</span>
</code></pre></div></li>
<li>create a new <code>/boot</code> partition for <code>/dev/sda</code>
<div class="highlight"><pre><span></span><code><span class="go">sgdisk /dev/sda --new=2::+1G</span>
</code></pre></div></li>
<li>create a new <code>/</code> partition for <code>/dev/sda</code>
<div class="highlight"><pre><span></span><code><span class="go">sgdisk /dev/sda --new=3</span>
</code></pre></div></li>
<li>verify your partition work
<div class="highlight"><pre><span></span><code><span class="go">sgdisk /dev/sda -p</span>
</code></pre></div></li>
<li>format the efi partition
<div class="highlight"><pre><span></span><code><span class="go">mkfs.vfat -F32 /dev/sda1</span>
</code></pre></div></li>
<li>format the /boot partition
<div class="highlight"><pre><span></span><code><span class="go">mkfs.ext4 /dev/sda2</span>
</code></pre></div></li>
<li>encrypt the <code>/</code> partition, you will be prompted for a password
<div class="highlight"><pre><span></span><code><span class="go">cryptsetup -y -v luksFormat --type luks2 /dev/sda3</span>
</code></pre></div></li>
<li>decrypt the <code>/</code> partition, you will be prompted for a password
<div class="highlight"><pre><span></span><code><span class="go">cryptsetup open /dev/sda3 cryptroot</span>
</code></pre></div></li>
<li>format the <code>/</code> device
<div class="highlight"><pre><span></span><code><span class="go">mkfs.xfs /dev/mapper/cryptroot</span>
</code></pre></div></li>
</ol>
<h2 id="mount-the-hard-drive"><strong>Mount The Hard Drive</strong></h2>
<p>This takes advantage of <em>expert mode</em> in the LMDE installer.</p>
<ol>
<li>create an <code>/target</code> directory
<div class="highlight"><pre><span></span><code><span class="go">mkdir /target</span>
</code></pre></div></li>
<li>mount the <code>/</code> device at <code>/target</code>
<div class="highlight"><pre><span></span><code><span class="go">mount /dev/mapper/cryptroot /target</span>
</code></pre></div></li>
<li>create an <code>/target/boot</code> directory
<div class="highlight"><pre><span></span><code><span class="go">mkdir /target/boot</span>
</code></pre></div></li>
<li>mount the <code>/boot</code> partition at <code>/target/boot</code>
<div class="highlight"><pre><span></span><code><span class="go">mount /dev/sda2 /target/boot</span>
</code></pre></div></li>
<li>create an <code>/target/boot/efi</code> directory
<div class="highlight"><pre><span></span><code><span class="go">mkdir /target/boot/efi</span>
</code></pre></div></li>
<li>mount the efi partition at <code>/target/boot/efi</code>
<div class="highlight"><pre><span></span><code><span class="go">mount /dev/sda1 /target/boot/efi</span>
</code></pre></div></li>
</ol>
<h2 id="run-the-installer-app"><strong>Run The Installer App</strong></h2>
<p>At this point you're ready to run the live installer. You can click the disc icon on the desktop.</p>
<p>The first three pages of the live-installer cover Language,Timezone, and Keymap.
The fourth page of the live-installer covers name, password, and hostname.
On the fifth page of the live-installer, you come to a partition configuration page.
But there is nothing to do, so select <em>expert mode</em> at the bottom of the page.</p>
<p>Again select <em>forward</em>, and when you come to the page where you configure the location
to install grub, that should be the efi partition, i.e. <code>/dev/sda1</code>.</p>
<p>Select forward one more time, and then select install. The installation will run for a
few minutes and will then pause. During the pause you need to manually configure <code>fstab</code> and <code>crypttab</code>.</p>
<h2 id="configure-fstab"><strong>Configure Fstab</strong></h2>
<ol>
<li>find the UUID of the efi partition
<div class="highlight"><pre><span></span><code><span class="go">blkid /dev/sda1 -s UUID</span>
</code></pre></div></li>
<li>find the UUID of the <code>/boot</code> partition
<div class="highlight"><pre><span></span><code><span class="go">blkid /dev/sda2 -s UUID</span>
</code></pre></div></li>
<li>find the UUID of the <code>/</code> device
<div class="highlight"><pre><span></span><code><span class="go">blkid /dev/mapper/cryptroot -s UUID</span>
</code></pre></div></li>
</ol>
<p>And when you find the correct UUID numbers, use them to configure <code>/etc/fstab</code> which is actually currently at <code>/target/etc/fstab</code>.
<div class="highlight"><pre><span></span><code># /etc/fstab
###############
# efi partition
# run the command `blkid /dev/sda1 -s UUID` which outputs
# /dev/sda1: UUID=&quot;17C4-215D&quot;, from which derive
UUID=17C4-215D /boot/efi vfat defaults 0 2
# /boot partition
# run the command `blkid /dev/sda2 -s UUID` which outputs
# /dev/sda2: UUID=&quot;f2509fff-4854-4721-b546-0274c89e6aec&quot;, from which derive
UUID=f2509fff-4854-4721-b546-0274c89e6aec /boot ext4 defaults 0 2
# &quot;/&quot; device
# run the command `blkid /dev/mapper/cryptroot -s UUID` which outputs
# /dev/mapper/cryptroot: UUID=&quot;72241377-cd65-43a6-8363-1afce5bd93f6&quot;, from which derive
UUID=72241377-cd65-43a6-8363-1afce5bd93f6 / xfs defaults 0 1
</code></pre></div></p>
<h2 id="configure-crypttab"><strong>Configure Crypttab</strong></h2>
<p>But before the file systems can be mounted, <code>crypttab</code> needs to mount <code>/dev/sda3</code> at <code>/dev/mapper/cryptroot</code>.
Configure <code>/etc/crypttab</code> which is actually currently at <code>/target/etc/crypttab</code></p>
<ul>
<li>find the UUID of the partition that will be mounted at <code>/dev/mapper/crypttab</code>
<div class="highlight"><pre><span></span><code><span class="go">blkid /dev/sda3 -s UUID</span>
</code></pre></div></li>
</ul>
<p>And when you find the correct UUID number for <code>/dev/sda3</code>,
use that to configure <code>/etc/crypttab</code> which is actually currently at <code>/target/etc/crypttab</code>.</p>
<div class="highlight"><pre><span></span><code># /etc/crypttab
# run the command `blkid /dev/sda3 -s UUID` which outputs
# /dev/sda3: UUID=&quot;da3e0967-711f-4159-85ac-7d5743a75201&quot;, from which derive
# &lt;target name&gt; &lt;source device&gt; &lt;key file&gt; &lt;options&gt;
cryptroot UUID=da3e0967-711f-4159-85ac-7d5743a75201 none luks
</code></pre></div>
<h2 id="resume-installer-app"><strong>Resume Installer App</strong></h2>
<p>At this point finish running the live installer, and you'll be done.</p>
<h2 id="uefi-fix"><strong>UEFI Fix</strong></h2>
<p>On some machines, such as HP Laptops, UEFI is broken and efi boot entries don't persist.</p>
<ol>
<li>remount the efi parition
<div class="highlight"><pre><span></span><code><span class="go">mount /dev/sda1 /mnt/ ; cd /mnt/EFI/</span>
</code></pre></div></li>
<li>create a default efi executable
<div class="highlight"><pre><span></span><code><span class="go">mkdir BOOT ; cp linuxmint/grubx64.efi BOOT/BOOTX64.efi</span>
</code></pre></div></li>
</ol>
<h2 id="optional-swap-file"><strong>Optional Swap File</strong></h2>
<p>Visit the <a href="https://wiki.archlinux.org/index.php/Swap#Swap_file" target="_blank">Arch Wiki</a> and they will hook you up.</p>
</div>
</div>
<footer>
<div class="rst-footer-buttons" role="navigation" aria-label="footer navigation">
<a href="../rewrite-hugo-themes-report-in-python/" class="btn btn-neutral float-right" title="Rewrite Hugo Themes Report in Python">Next <span class="icon icon-circle-arrow-right"></span></a>
<a href="../faster-partitioning-with-sgdisk/" class="btn btn-neutral" title="Faster Partitioning With sgdisk"><span class="icon icon-circle-arrow-left"></span> Previous</a>
</div>
<hr/>
<div role="contentinfo">
<!-- Copyright etc -->
</div>
Built with <a href="https://www.mkdocs.org/">MkDocs</a> using a <a href="https://github.com/snide/sphinx_rtd_theme">theme</a> provided by <a href="https://readthedocs.org">Read the Docs</a>.
</footer>
</div>
</div>
</section>
</div>
<div class="rst-versions" role="note" aria-label="versions">
<span class="rst-current-version" data-toggle="rst-current-version">
<span><a href="../faster-partitioning-with-sgdisk/" style="color: #fcfcfc">&laquo; Previous</a></span>
<span><a href="../rewrite-hugo-themes-report-in-python/" style="color: #fcfcfc">Next &raquo;</a></span>
</span>
</div>
<script>var base_url = '../..';</script>
<script src="../../js/theme_extra.js" defer></script>
<script src="../../js/theme.js" defer></script>
<script src="../../search/main.js" defer></script>
<script defer>
window.onload = function () {
SphinxRtdTheme.Navigation.enable(true);
};
</script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink