[dm-crypt] how to get a full disk encryption running on Linux Mint 17

[dm-crypt] how to get a full disk encryption running on Linux Mint 17

[Andreas]

[-- Attachment #1: Type: text/plain, Size: 2222 bytes --]

hello,

having used a Windows-based Truecrypt encryption with
pre-boot-authentication for some years, I want to do the corresponding
action under Linux. I am using Linux Mint 17 Cinnamon. The system has
one harddisk.

I already found, read and unsuccessfully tried out

    -
    http://blog.andreas-haerter.com/2011/06/18/ubuntu-full-disk-encryption-lvm-luks.sh
    and
    - http://community.linuxmint.com/tutorial/view/344


Both tutorials / scripts refer to older Linux versions.
Since I am new to Linux I do not know, what syntaxes may have changed.

I got things working so far, using a VirtualBox machine, (so Mint 17 x32
is used):

    - 200 MB primary partition ext3 on /dev/sda1 (unencrypted) as /boot
    - 9,81 GB crypt-luks on /dev/sda2 (as seen from GParted)


This configuration boots up GRUB, Mint's green/white dots start flashing.
Then I think a timeout appears - message reads:

    "Gave up waiting for root device ...
    ALERT /dev/mapper/ubuntu-root does not exist - dropping to a shell."


When I boot up from CD, start "Preferences - Disks"
I can use the built-in unlock feature and I see

     /dev/mapper/luks-0a410528-cde8-440c-891f-ef6068aad0b3   LVM2
    Physical Volume (LVM2 001)
    which consists of

        /dev/ubuntu/swap (4.1 GB)
        /dev/ubuntu/root (5.2 GB)
        /dev/ubuntu/home (1.2 GB)


So, the partions exist and can be unlocked.

I also can mount e.g. /dev/ubuntu/root
Mounted at /media/mint/fc34585c-ca63-4b28-aaca-5a00f3776856

There is /etc/fstab present.
It reads

    (...)
    /dev/mapper/ubuntu-root /               ext4    errors=remount-ro
    0       1
    # /boot was on /dev/sda1 during installation
    UUID=30b080b5-9b39-46c9-9b61-2320efde52dc /boot           ext3   
    defaults        0       2
    /dev/mapper/ubuntu-home /home           ext4    defaults       
    0       2
    /dev/mapper/ubuntu-swap none            swap    sw             
    0       0



There is a good deal accomplished on my way to a disk encryption, but
some small problems still prevent it from running flawlessly.

I wish to have the system booting up and asking for the passphrase to
unlock all three partitions at once.

Help would be appreciated.

regards,
Andreas




[-- Attachment #2: Type: text/html, Size: 3299 bytes --]

Re: [dm-crypt] how to get a full disk encryption running on Linux Mint 17

[Jonas Meurer]

Am 12.06.2014 13:42, schrieb Andreas:> hello,
>
> having used a Windows-based Truecrypt encryption with
> pre-boot-authentication for some years, I want to do the corresponding
> action under Linux. I am using Linux Mint 17 Cinnamon. The system has
> one harddisk.

Hello Andreas,

first, welcome to the Linux world :)

This list is mainly about dm-crypt kernel implementation, cryptsetup
userspace tool and LUKS. Full disk encryption implementations by Linux
distributions like in Debian, CentOS or Linux Mint are better discussed
on the respective distribution-specific mailinglists or in suitable forums.

I've no experiences with Linux Mint. But as it's a Ubuntu derivate which
itself is a Debian derivate I guess that the disk encryption
implementation is rather similar over there.
At least Debian and Ubuntu Installers do support full disk encrpytion at
installation time. So you don't have to setup it yourself.

Nevertheless I'll give short comments below.

> I got things working so far, using a VirtualBox machine, (so Mint 17 x32
> is used):
> 
>     - 200 MB primary partition ext3 on /dev/sda1 (unencrypted) as /boot
>     - 9,81 GB crypt-luks on /dev/sda2 (as seen from GParted)
> 
> 
> This configuration boots up GRUB, Mint's green/white dots start flashing.
> Then I think a timeout appears - message reads:
> 
>     "Gave up waiting for root device ...
>     ALERT /dev/mapper/ubuntu-root does not exist - dropping to a shell."

Sounds like the disk (/dev/sda2) unlocking mechanism is missing from
your boot process. Therefore LVM doesn't find the logical volumes,
especially not the logical volume 'root' in volume group 'ubuntu'.
Hence, the script that's responsible to mount your root filesystem fails
with the error.

> When I boot up from CD, start "Preferences - Disks"
> [...]
> So, the partions exist and can be unlocked.

So at least the encryption works. My guess is that either the relevant
line in /etc/crypttab is missing, or the cryptsetup binaries and scripts
aren't included in the initramfs.

I suggest you read /usr/share/doc/cryptsetup/README.Debian.gz and
/usr/share/doc/cryptsetup/README.initramfs.gz.

Kind regards,
 jonas

Re: [dm-crypt] how to get a full disk encryption running on Linux Mint 17

[Benjamin Eberhardt]

[-- Attachment #1: Type: text/plain, Size: 3093 bytes --]

Hi Andreas,

the linux mint 17 installer can do this for you automatically. If you boot
your system with the mint 17 live cd and then run the install program at
some point it will ask you for disk encryption. You just have to tick the
coressponding box [1] during the install process, probably as well as the
"use lvm" box so that all volumes can be unlocked at once. I just did this
a week ago.
I used to do this manually before but I do not remember the details on how
to get the unlocking at boot time right..

[1] e.g.:
http://cyberraiden.files.wordpress.com/2014/05/linux-mint-17-mate-screenshot-install-2.png

Cheers,
Benjamin



On 12 June 2014 13:42, Andreas <dm-crypt_mailing_list@schmidt9.de> wrote:

>  hello,
>
> having used a Windows-based Truecrypt encryption with
> pre-boot-authentication for some years, I want to do the corresponding
> action under Linux. I am using Linux Mint 17 Cinnamon. The system has one
> harddisk.
>
> I already found, read and unsuccessfully tried out
>
> -
> http://blog.andreas-haerter.com/2011/06/18/ubuntu-full-disk-encryption-lvm-luks.sh
> and
> - http://community.linuxmint.com/tutorial/view/344
>
>
> Both tutorials / scripts refer to older Linux versions.
> Since I am new to Linux I do not know, what syntaxes may have changed.
>
> I got things working so far, using a VirtualBox machine, (so Mint 17 x32
> is used):
>
> - 200 MB primary partition ext3 on /dev/sda1 (unencrypted) as /boot
> - 9,81 GB crypt-luks on /dev/sda2 (as seen from GParted)
>
>
> This configuration boots up GRUB, Mint's green/white dots start flashing.
> Then I think a timeout appears - message reads:
>
> "Gave up waiting for root device ...
> ALERT /dev/mapper/ubuntu-root does not exist - dropping to a shell."
>
>
> When I boot up from CD, start "Preferences - Disks"
> I can use the built-in unlock feature and I see
>
>  /dev/mapper/luks-0a410528-cde8-440c-891f-ef6068aad0b3   LVM2 Physical
> Volume (LVM2 001)
> which consists of
>
> /dev/ubuntu/swap (4.1 GB)
> /dev/ubuntu/root (5.2 GB)
> /dev/ubuntu/home (1.2 GB)
>
>
> So, the partions exist and can be unlocked.
>
> I also can mount e.g. /dev/ubuntu/root
> Mounted at /media/mint/fc34585c-ca63-4b28-aaca-5a00f3776856
>
> There is /etc/fstab present.
> It reads
>
> (...)
> /dev/mapper/ubuntu-root /               ext4    errors=remount-ro 0       1
> # /boot was on /dev/sda1 during installation
> UUID=30b080b5-9b39-46c9-9b61-2320efde52dc /boot           ext3
> defaults        0       2
> /dev/mapper/ubuntu-home /home           ext4    defaults        0       2
> /dev/mapper/ubuntu-swap none            swap    sw              0       0
>
>
>
> There is a good deal accomplished on my way to a disk encryption, but some
> small problems still prevent it from running flawlessly.
>
> I wish to have the system booting up and asking for the passphrase to
> unlock all three partitions at once.
>
> Help would be appreciated.
>
> regards,
> Andreas
>
>
>
>
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
>
>

[-- Attachment #2: Type: text/html, Size: 4831 bytes --]

Re: [dm-crypt] how to get a full disk encryption running on Linux Mint 17

[Andreas]

[-- Attachment #1: Type: text/plain, Size: 1460 bytes --]

Hi Benjamin, hi Jonas,

thanks for the warm welcome.

I didn't try do set up encryption in Mint using its own installer.
But you are right, Mint 17 is able to handle this.

So, also thanks for this hint.

The file cryptsetup/README, that you gave me the link to, is also helpful.
But most of the Linux commands are completely new to me, so it takes
some time to understand everything.

regards
Andreas

Am 12.06.2014 14:11, schrieb Benjamin Eberhardt:
> Hi Andreas,
>
> the linux mint 17 installer can do this for you automatically. If you
> boot your system with the mint 17 live cd and then run the install
> program at some point it will ask you for disk encryption. You just
> have to tick the coressponding box [1] during the install process,
> probably as well as the "use lvm" box so that all volumes can be
> unlocked at once. I just did this a week ago.
> I used to do this manually before but I do not remember the details on
> how to get the unlocking at boot time right..
>
> [1] e.g.:
> http://cyberraiden.files.wordpress.com/2014/05/linux-mint-17-mate-screenshot-install-2.png
>
> Cheers,
> Benjamin
>
>
>
>
>
>     _______________________________________________
>     dm-crypt mailing list
>     dm-crypt@saout.de <mailto:dm-crypt@saout.de>
>     http://www.saout.de/mailman/listinfo/dm-crypt
>
>
>
>
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt


[-- Attachment #2: Type: text/html, Size: 3236 bytes --]

Re: [dm-crypt] how to get a full disk encryption running on Linux Mint 17

[Arno Wagner]

Hi Andreas,

I have in fact a netbook with this done by the MINT installer.
No issues with it.

Doing this yoruself is hard and requires changing the initrd 
for your distro, which is decidedly advanced.

Arno

On Fri, Jun 13, 2014 at 08:24:27 CEST, Andreas wrote:
> Hi Benjamin, hi Jonas,
> 
> thanks for the warm welcome.
> 
> I didn't try do set up encryption in Mint using its own installer.
> But you are right, Mint 17 is able to handle this.
> 
> So, also thanks for this hint.
> 
> The file cryptsetup/README, that you gave me the link to, is also helpful.
> But most of the Linux commands are completely new to me, so it takes
> some time to understand everything.
> 
> regards
> Andreas
> 
> Am 12.06.2014 14:11, schrieb Benjamin Eberhardt:
> > Hi Andreas,
> >
> > the linux mint 17 installer can do this for you automatically. If you
> > boot your system with the mint 17 live cd and then run the install
> > program at some point it will ask you for disk encryption. You just
> > have to tick the coressponding box [1] during the install process,
> > probably as well as the "use lvm" box so that all volumes can be
> > unlocked at once. I just did this a week ago.
> > I used to do this manually before but I do not remember the details on
> > how to get the unlocking at boot time right..
> >
> > [1] e.g.:
> > http://cyberraiden.files.wordpress.com/2014/05/linux-mint-17-mate-screenshot-install-2.png
> >
> > Cheers,
> > Benjamin
> >
> >
> >
> >
> >
> >     _______________________________________________
> >     dm-crypt mailing list
> >     dm-crypt@saout.de <mailto:dm-crypt@saout.de>
> >     http://www.saout.de/mailman/listinfo/dm-crypt
> >
> >
> >
> >
> > _______________________________________________
> > dm-crypt mailing list
> > dm-crypt@saout.de
> > http://www.saout.de/mailman/listinfo/dm-crypt
> 

> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt


-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -  Plato