Manual Full System Encryption has been updated and simplified

[metal450]

Thanks for posting the solution. How large is your /boot partition? Ideally, it should be at least 500Mb (½Gb).

df -h shows 488M. It was created automatically by this script - I didn't manually change it. Looks like the script does:

setUpLogicalVolume Boot boot system 512M # Create /boot.

[metal450]

Question: when using this form of /boot encryption, rebooting is agonizingly slow - easily an order of magnitude slower than "normal" encryption (ie. encrypting just /, but not /boot). I understand that this is because grub doesn't have any hardware optimization at all, and so it takes forever to do the encryption with grub. I also dual boot with Windows (encrypted via VeraCrypt) & Linux. Booting into Linux takes ten times longer than Windows. Is there no way to improve this, or is it just a choice between "unencrypted /boot," or "rebooting takes forever?"

[Paddy Landau]

df -h shows 488M. It was created automatically by this script - I didn't manually change it. Looks like the script does:
setUpLogicalVolume Boot boot system 512M # Create /boot.

That's interesting. Default Ubuntu updates automatically remove older kernels, so it should have been dealt with.

[Paddy Landau]

when using this form of /boot encryption, rebooting is agonizingly slow…

I didn't get this problem during my tests, so I can't comment on what's happening with you. Unless there is a clash between VeraCrypt and Grub? I've never used VeraCrypt for an operating system, so I don't know how it works.

As you are using VeraCrypt, have you considered using it as the encryption method for Linux? It's something that's worth testing, and if I get some time, I'll test it myself.

[metal450]

That's interesting. Default Ubuntu updates automatically remove older kernels, so it should have been dealt with.

I was having driver compatibility issues, so I installed some other ones myself.

[metal450]

I didn't get this problem during my tests, so I can't comment on what's happening with you. Unless there is a clash between VeraCrypt and Grub? I've never used VeraCrypt for an operating system, so I don't know how it works.

As you are using VeraCrypt, have you considered using it as the encryption method for Linux? It's something that's worth testing, and if I get some time, I'll test it myself.

Nope, definitely not a clash - this is just the amount of time taken for grub to decrypt, which I've since read about all over the web. Apparently grub's encryption implementation is extremely un-optimized & slow. Bummer.

I did some research about using VeraCrypt vs LUKS on Linux, & the conclusion I came to was that LUKS is the better approach, since it's kernel/native, widely supported, and much faster. Reference: https://superuser.com/questions/1019...with-veracrypt

[metal450]

Question: on boot, I keep seeing the message:

ln /tmp/mountroot-fail-hooks.d//scripts/init-remount/lvm2: no such file or directory
Volume group "system" not found
Cannot process volume group system

Is that related to this script? Everything seems to be working otherwise.

[thrdroom]

So I just installed a new kernel, & refreshgrub always reports:



I've run it like 10 times. It always fails. And the message makes me afraid to reboot. What should I do?

Im having the same problem, like metal450. But freeing up the /boot/ partition by removing old kernels did not help. What should i do?

$ sudo refreshgrub
refreshgrub: Grub update required
Grub update will be done automatically.

Do not restart or shut down until you receive another message telling you that this has been done, even if the Software Updater asks you restart.

Depending on your system, it could take several minutes.


refreshgrub: Grub update will be done automatically.\n\nDo not restart or shut down until you receive another message telling you that this has been done, even if the Software Updater asks you restart.\n\nDepending on your system, it could take several minutes.

x86_64-efi wird für Ihre Plattform installiert.
Could not delete variable: Invalid argument
grub-install: error: efibootmgr failed to register the boot entry: Block device required.
Failed to reinstall Grub.
refreshgrub: Grub update failed
Grub update failed.

Please do not restart or shut down until you have manually run the following command, even if the Software Updater asks you restart.

sudo refreshgrub

refreshgrub: Grub update failed.\n\nPlease do not restart or shut down until you have manually run the following command, even if the Software Updater asks you restart.\n\nsudo refreshgrub

@Paddy
How should one uninstall/remove your script "Manual Full System Encryption"? Are there uninstall instructions?
How should one transition from your method "Manual Full System Encryption" script to TJ's method?

Thanks in advance

[Dáire Fagan]

I'm on my phone so I will have to format properly another time.

Not sure if it will help you or not but when I was still using this setup and ran into issues booting running this fix-grub.sh script from a live USB saved me a few times: https://gist.github.com/lovromazgon/...a8b97e8442720b

Further, I considered Tj's setup but then I found this: Ubuntu 20.04 with btrfs-luks full disk encryption including /boot and auto-apt snapshots with Timeshift

https://mutschler.eu/linux/install-guides/ubuntu-btrfs/

This setup is way forward. Ignore the swap partition and just set up the swap file so you can resume from hibernate or suspend-then-hiberbate. I have not managed to set up true hybrid suspend, or suspend-and-hibernate yet.

Warning: I tried this first on Ubuntu Mate 20.04.1 but restoring timeshift snapshots broke things. It works perfectly with Ubuntu 20.04.1

As far as I know the guide is based on HOWTO - GPT/UEFI install with full disk encryption: BTRFSonLUKS with separate root, home and pkg subvolumes; hibernation with a swapfile; auto-snapshots with easy system rollback (GUI); boot into snapshots

https://forum.endeavouros.com/t/howt...snapshots/3782

[Paddy Landau]

I can't understand why I don't get notifications for posts on this thread.

Sorry for not having replied sooner — I only now got a notification for posts on this thread since I last posted.

Question: on boot, I keep seeing the message: …

This is quite an old post. Did you resolve your problem?

How should one uninstall/remove your script "Manual Full System Encryption"? Are there uninstall instructions?

It's not something that you can uninstall. It's how you installed your Ubuntu system, not an add-on after installation.

How should one transition from your method "Manual Full System Encryption" script to TJ's method?

The best way is to ensure that your backups are fully up-to-date, and then reinstall from scratch. It's a pain, I know, but converting would probably drive you crazy and take a week. While you're about it, I would instead go for the method that @dusf pointed to.

… I found this: Ubuntu 20.04 with btrfs-luks full disk encryption including /boot and auto-apt snapshots with Timeshift
https://mutschler.eu/linux/install-guides/ubuntu-btrfs/

That's excellent, as it's updated to version 20.04. Thank you. I have put both of your links into the current instructions.