
Thread: Manual Full System Encryption has been updated and simplified

  1. #71
    Join Date
    May 2008
    Location
    United Kingdom
    Beans
    5,263
    Distro
    Ubuntu

    Re: Manual Full System Encryption has been updated and simplified

    Quote Originally Posted by absolute512 View Post
    I have tried as you asked and after resizing swap and stuff and other troubles (see: https://bugs.launchpad.net/ubuntu/+s...s/+bug/1768230) I was able to get the hibernation working.
    Thank you for that bug report, which I believe is relevant to this process. Useful to know!

    Quote Originally Posted by absolute512 View Post
    Now I just wish I could do it with encrypted boot partition...
    Does that mean that you still don't have an encrypted system? If so, you can work around it with the guide for 18.04 from Linux Uprising. Using eCryptfs is deprecated, but until Canonical fixes Ubuntu, it will have to do for many people.
    Always make regular backups of your data (and test them).
    Visit Full Circle Magazine for beginners and seasoned Linux enthusiasts.

  2. #72
    Join Date
    Nov 2018
    Beans
    2

    Re: Manual Full System Encryption has been updated and simplified

    Hello there

    This is my first post in this forum; as I'm not familiar with the rules, please have patience with me.

    First of all I wanna thank you, Paddy! Your contribution on this topic is really awesome and the "old" detailed "pre-script" guide helped me to get a better understanding of certain mechanisms.
    I greatly appreciate your work, you rock.

    The first thing I did after the registration was to support/vote the bugs you have mentioned in this post https://ubuntuforums.org/showthread....1#post13803281 [check!]
    You are totally right about the fact that Canonical should implement and maintain this officially! In these times, it shouldn't be that hard for an average user to get a proper full-encrypted system, imho.

    I used this guide a year ago to set up my station and was really thrilled about how smooth everything was going because of the detailed description.
    As I have now decided to make the switch from Kubuntu to KDE Neon, I revisited your guide. To be honest I was amazed and at the same time a little bit unhappy about the fact that the detailed steps were replaced in favour of a script. Don't get me wrong, the script is really good. It is at the same time convenient for beginners and a little annoying/restrictive for someone who knows exactly what he needs.
    Let me give you some examples of problems I came across with the current script compared to the detailed manual process before:


    1. The script forces me to choose two different passwords for system and data drives. As I don't want to overcomplicate things (in case of data loss or crash), I want to have the same password for both drives and only one single keyfile. I think the user should have the choice to choose what he wants.
    2. The script doesn't give me the option to choose NOT to delete/format the home partition. As in my case, where I just wanted to reinstall/switch the distribution while keeping (choose and mount) my existing encrypted home partition on the second drive.
    3. The script doesn't give me the option to choose an already existing swap partition (no matter which drive).
    4. The script only gives a user the option to place the swap partition on the system drive. In my case, the system drive is a small SSD and the data drive a big HDD. Therefore I do want to place the swap partition on the bigger data HDD to reduce IO workload from the system SSD. Assuming I don't already have a swap partition.
    5. The script doesn't give me the option to choose/change the hash, and the key size of the LUKS container and the block size of the encryption key(s). The default value of 512 is too low for me.


    I think Zythyr has a good point in saying "ManualFullSystemEncryption guide was one of the few very well written guides on partition encryption in Linux" and that by switching from instructions to the script, the learning process has degraded. You might argue that everyone could read the source code of the script to understand the process, but not everyone understands the use of variables, functions etc., especially not users without coding skills.


    As archphoenix has pointed out before, the dropbox-hosting/wget stuff is kinda insecure and I also had a bad feeling about getting some scripts hosted on Dropbox.
    Also the fact that the "encryptinstallation" script does download and execute the "encryptinstallationchroot" and "refreshgrub" scripts later on, without the user's consent, is a little no-go for me, sorry.

    Therefore I have set up a git repository for this project on GitHub. I hope that Paddy is OK with that? If you are not OK with that, please let me know.
    Also please let me know how you would like to handle the maintenance of the script (maybe also the wiki/manual) on GitHub; I would suggest you create a GitHub account. Let's discuss this via private message, Paddy.

    You can find the repository right here:
    https://github.com/thrdroom/ManualFullSystemEncryption

    As you are new to git, and maybe don't want to lose much time, I would suggest you use a GUI for git.
    You could use SmartGit https://www.syntevo.com/smartgit/ for example.

    I hope that this will help to get this script more popular and further developed.

    I already have some changes/pull requests for your original script which fix most of the 5 issues listed above, but I haven't committed them to the git repo without your consent, Paddy. Please PM me.

    I'm sorry to hear that you are struggling with a long-term illness. I wish you the best and send you some positive energy! As you have stated before that the maintenance of the documentation had become a time-consuming burden for you, I may suggest you/we could also switch the documentation to a git-hosted markdown wiki. Then everybody who has time could work on the project and send you pull requests. You and maybe other mods you choose then would only have to pick pull requests from other users. So this would give others the option to work on the project, which would take time off your shoulders while you still would be in control of what gets in and what not. Hosting the guide as a wiki also via a git repo would also give the option of versioning and going back in time in the future (like requested by Zythyr).

    I am looking forward to a feedback from you guys.
    Last edited by thrdroom; November 28th, 2018 at 09:47 PM.
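
An added example, not part of the post above or of the project's scripts: a shell check for the two concerns raised there (scripts fetched with wget from a file host, and an installer that downloads and runs further scripts). It refuses a script whose SHA-256 differs from a pinned digest or that fetches more code at run time; the function names, the sample installer and the `example.invalid` URL are constructed for illustration, and `sha256sum` from coreutils is assumed.

```shell
#!/bin/sh
# Added example (not the thread's script): pin and audit an installer
# before running it.

# fetch_lines FILE
# Print "N:text" for each non-comment line that invokes wget or curl,
# i.e. each place where the script pulls in more content at run time.
fetch_lines() {
    grep -nE '(^|[^[:alnum:]_-])(wget|curl)([[:space:]]|$)' "$1" |
        grep -vE '^[0-9]+:[[:space:]]*#' || true
}

# count_fetches FILE: print the number of such lines.
count_fetches() {
    fetch_lines "$1" | grep -c . || true
}

# verify_pinned FILE SHA256: succeed only if FILE matches the pinned digest.
verify_pinned() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# check_installer FILE SHA256
# Returns 0 = matches the pin and fetches nothing further,
#         1 = digest mismatch, 2 = script fetches more code when run.
check_installer() {
    verify_pinned "$1" "$2" || return 1
    [ "$(count_fetches "$1")" -eq 0 ] || return 2
    return 0
}

# Constructed sample: a stand-in installer that fetches a second stage.
make_sample() {
    cat > "$1" <<'EOF'
#!/bin/bash
# wget is used below to fetch the chroot stage
echo "partitioning..."
wget -q https://example.invalid/encryptinstallationchroot -O /tmp/stage2
bash /tmp/stage2
EOF
}

sample=$(mktemp)
make_sample "$sample"
# In practice the pinned digest comes from a reviewed commit or a signed
# release note, not from the file that was just downloaded.
pinned=$(sha256sum "$sample" | cut -d' ' -f1)
fetch_lines "$sample"
rc=0
check_installer "$sample" "$pinned" || rc=$?
echo "verdict: $rc"
rm -f "$sample"
```

A verdict of 2 means the pinned file is intact but still needs each listed fetch reviewed (or the second-stage scripts pinned as well) before it is run as root.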

  3. #73
    Join Date
    May 2008
    Location
    United Kingdom
    Beans
    5,263
    Distro
    Ubuntu

    Re: Manual Full System Encryption has been updated and simplified

    Quote Originally Posted by thrdroom View Post
    … support/vote the bugs you have mentioned in this post https://ubuntuforums.org/showthread....1#post13803281[check!]
    Those are correct.

    Quote Originally Posted by thrdroom View Post
    … a little bit unhappy about the fact that the detailed steps were replaced in favour of a script.
    As explained in post #67, I didn't have a reasonable choice: "The reason why I removed the detailed explanation was that maintaining it had become a time-consuming burden for me — I am struggling with a long-term illness on top of everything else, so time is not something that I have much of. Had I left the explanations, they would quickly have become out of date. Maintaining the script is much faster than maintaining a detailed description of how it works, and the script itself contains (I hope) understandable documentation."

    Quote Originally Posted by thrdroom View Post
    The script forces me to choose two different passwords for system and data drives. As I don't want to overcomplicate things (in case of data loss or crash), I want to have the same password for both drives and only one single keyfile. I think the user should have the choice to choose what he wants.
    Having the same passphrase is unnecessary, because once the system has been decrypted, it will automatically decrypt the data drive. However, if it's really what you want, all that you need to do is to replace the existing passphrase with the new one.
    Code:
    sudo cryptsetup luksChangeKey /dev/sda3   # Replace /dev/sda3 with the correct partition name.

    Quote Originally Posted by thrdroom View Post
    The script doesn't give me the option to choose NOT to delete/format the home partition. As in my case, where I just wanted to reinstall/switch the distribution while keeping (choose and mount) my existing encrypted home partition on the second drive.
    That's true. Sorry.

    Quote Originally Posted by thrdroom View Post
    The script doesn't give me the option to choose an already existing swap partition (no matter which drive).
    In such a case, when you install, don't use a swap partition. After installation, you can add the swap partition manually to /etc/fstab. You will need to ensure that the swap partition is correctly encrypted, which means that you'd have to also add it to /etc/crypttab.

    Quote Originally Posted by thrdroom View Post
    The script only gives a user the option to place the swap partition on the system drive. In my case, the system drive is a small SSD and the data drive a big HDD. Therefore I do want to place the swap partition on the bigger data HDD to reduce IO workload from the system SSD. Assuming I don't already have a swap partition.
    See the previous point.

    Quote Originally Posted by thrdroom View Post
    The script doesn't give me the option to choose/change the hash, and the key size of the LUKS container and the block size of the encryption key(s). The default value of 512 is too low for me.
    You are correct. I have used sha512 as being the best encryption available for this particular setup. As for the key size, my investigations showed that anything greater than 512 was pointless. Maybe my investigations were incorrect; if so, please let me have the details.


    Quote Originally Posted by thrdroom View Post
    I think Zythyr has a good point in saying and that by switching from instructions to the script, the learning-process has degraded. You might argue that everyone could read the source-code of the script to understand the process, but not everyone understands the use of variables, functions etc. especially not users without coding-skills.
    As I already explained, I simply don't have time to maintain a complex set of instructions. This was never intended to be for a beginner, anyway. That's something that I'm hoping that Canonical will fix, which will render this process redundant.

    Quote Originally Posted by thrdroom View Post
    Therefore I have set up a git repository for this project on GitHub. I hope that Paddy is OK with that?
    I am absolutely happy with this, and thank you for taking the initiative! Thank you also for the instructions.

    Quote Originally Posted by thrdroom View Post
    I already have some changes/pull requests for your original script which fix most of the 5 issues listed above, but I haven't committed them to the git repo without your consent, Paddy. Please PM me.
    Please go ahead! I am most grateful for the help. Let me know how to change the documentation, specifically the download instruction. I'll change it accordingly.

    Quote Originally Posted by thrdroom View Post
    I wish you the best and send you some positive energy!
    Thank you

    Quote Originally Posted by thrdroom View Post
    As you have stated before that the maintenance of the documentation had become a time-consuming burden for you, I may suggest you/we could also switch the documentation to a git-hosted markdown wiki. Then everybody who has time could work on the project and send you pull requests. You and maybe other mods you choose then would only have to pick pull requests from other users. So this would give others the option to work on the project, which would take time off your shoulders while you still would be in control of what gets in and what not. Hosting the guide as a wiki also via a git repo would also give the option of versioning and going back in time in the future (like requested by Zythyr).
    Feel free to go ahead with this!

    Thank you again.
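
An added example, not from the reply above or from the guide's script: a check for the manual swap setup described there, listing swap entries in an fstab that are not a `/dev/mapper/` name defined in the matching crypttab. It assumes swap gets its own crypttab mapping; the function names, sample files, device names and the `cryptswap` mapping are constructed.

```shell
#!/bin/sh
# Added example: flag swap entries in fstab that are not backed by a
# crypttab mapping.

# unencrypted_swap FSTAB CRYPTTAB
# Print the device field of every swap line in FSTAB unless it is
# /dev/mapper/<name> and <name> is a mapping defined in CRYPTTAB.
# Conservative by design: swap referenced by UUID= or LABEL= is reported
# too, because the mapping behind it cannot be confirmed from these files.
unencrypted_swap() {
    awk '
        /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
        pass == 1 { mapped[$1] = 1; next }    # crypttab: field 1 = mapping name
        $3 == "swap" {                        # fstab: field 3 = filesystem type
            name = $1
            if (sub("^/dev/mapper/", "", name) && (name in mapped)) next
            print $1
        }
    ' pass=1 "$2" pass=2 "$1"
    # "pass=N" before each file keeps the two passes apart even when
    # crypttab is empty (the usual NR==FNR idiom would misread fstab then).
}

# Constructed sample files: one correctly mapped swap, one stale mapper
# name with no crypttab entry, and one plain partition used as swap.
make_sample_tabs() {
    cat > "$1/fstab" <<'EOF'
# <device>              <mount> <type> <options>          <dump> <pass>
/dev/mapper/system-root /       ext4   errors=remount-ro  0      1
/dev/mapper/cryptswap   none    swap   sw                 0      0
/dev/mapper/oldswap     none    swap   sw                 0      0
/dev/sdb3               none    swap   sw                 0      0
EOF
    cat > "$1/crypttab" <<'EOF'
# <name>  <device>                                   <keyfile>    <options>
system    UUID=00000000-0000-0000-0000-000000000000  none         luks
cryptswap /dev/sdb2                                  /dev/urandom swap,cipher=aes-xts-plain64,size=512
EOF
}

d=$(mktemp -d)
make_sample_tabs "$d"
echo "swap entries without a crypttab mapping:"
unencrypted_swap "$d/fstab" "$d/crypttab"
rm -rf "$d"
```

On a real system the arguments would be `/etc/fstab` and `/etc/crypttab`; empty output means every swap line points at a mapping that crypttab defines.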

  4. #74
    Join Date
    Oct 2010
    Location
    Dublin, Ireland
    Beans
    288
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: Manual Full System Encryption has been updated and simplified

    Paddy, first of all, Merry Christmas, and thank you very much for authoring your guide on the Community Help Wiki.

    When I first attempted dual booting Windows and Ubuntu with LUKS and LVM some years ago, I do not remember having the benefit of it, and wish I had. At the time I had planned to then encrypt Windows with TrueCrypt, until I learned about the concerns that had been raised about it. Despite this, I did manage to configure LUKS and LVM, though I will not be surprised to learn I missed something when I have finished reading your guide. I have reinstalled since after a broken upgrade, and I did not employ LUKS and LVM, and had thought I might remedy that today.

    I am posting now, as the Overview Partition Preparation section drew my attention to something on my system that may cause an issue when I am actually carrying out the steps. You display your existing Windows partitions that look very similar to my own, but I wonder if my drive is in a state that would cause problems later. I still have that existing non LUKS LVM Ubuntu installed, which I am happy to wipe, but as Grub was already installed during the Ubuntu install, will this cause an issue? Also, today I completed a very interesting guide, Using VeraCrypt with a UEFI dual boot setup to encrypt Windows 10 on the same drive, and it occurred to me if any of that might have changed something that would cause an issue?

    Before finding your guide today, reviewing my old posts on this forum when I struggled through my last LUKS LVM setup, I was thinking I would just wait until I have some new larger SSD in the future. If I am able to still apply your guide to my system I am very happy to, but I thought I would run my concerns by you before I delete my current Ubuntu install!

  5. #75
    Join Date
    Oct 2010
    Location
    Dublin, Ireland
    Beans
    288
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: Manual Full System Encryption has been updated and simplified

    Quote Originally Posted by dusf View Post
    Paddy, first of all, Merry Christmas, and thank you very much for authoring your guide on the Community Help Wiki.

    When I first attempted dual booting Windows and Ubuntu with LUKS and LVM some years ago, I do not remember having the benefit of it, and wish I had. At the time I had planned to then encrypt Windows with TrueCrypt, until I learned about the concerns that had been raised about it. Despite this, I did manage to configure LUKS and LVM, though I will not be surprised to learn I missed something when I have finished reading your guide. I have reinstalled since after a broken upgrade, and I did not employ LUKS and LVM, and had thought I might remedy that today.

    I am posting now, as the Overview Partition Preparation section drew my attention to something on my system that may cause an issue when I am actually carrying out the steps. You display your existing Windows partitions that look very similar to my own, but I wonder if my drive is in a state that would cause problems later. I still have that existing non LUKS LVM Ubuntu installed, which I am happy to wipe, but as Grub was already installed during the Ubuntu install, will this cause an issue? Also, today I completed a very interesting guide, Using VeraCrypt with a UEFI dual boot setup to encrypt Windows 10 on the same drive, and it occurred to me if any of that might have changed something that would cause an issue?

    Before finding your guide today, reviewing my old posts on this forum when I struggled through my last LUKS LVM setup, I was thinking I would just wait until I have some new larger SSD in the future. If I am able to still apply your guide to my system I am very happy to, but I thought I would run my concerns by you before I delete my current Ubuntu install!
    I decided to opt for a complete reinstall of both operating systems, and so far I have filled the HDDs with dd using /urandom, and executed a hdparm --secure-erase-enhanced on the SSD before filling with urandom also. I have just reinstalled Windows 10 with a custom EFI partition of 600MB, as the guide mentions at least 577MB is the recommended size, and I am letting Windows 10 update.

    The next issue I am trying to work out, is should I apply Veracrypt to Windows 10 first before following the ManualFullSystemEncryption guide, or use Veracrypt afterwards? Perhaps either will work? I know Veracrypt will make some changes to the EFI partition...

  6. #76
    Join Date
    May 2008
    Location
    United Kingdom
    Beans
    5,263
    Distro
    Ubuntu

    Re: Manual Full System Encryption has been updated and simplified

    Thanks for the link to the VeraCrypt guide, @dusf.

    I have never used VeraCrypt to encrypt an operating system (although I'm well familiar with using it for data partitions and virtual partitions). This means, unfortunately, that I'm unable to answer your question.

    As this is a brand new installation, might I suggest that you try? From what I can gather, according to the link that you posted, you should:
    1. Install Windows
    2. Install Ubuntu (using the guide)
    3. Use VeraCrypt to encrypt Windows
    4. Follow the guide to repair Grub

    Don't bother running updates on Windows until you are sure that everything works.

    If your hardware is powerful enough, and you don't need a superfast Windows (e.g. for gaming), might I suggest that you install Ubuntu on the entirety of your computer, and then install Windows in a virtual machine (e.g. VirtualBox or VMWare) within Ubuntu? That way, you don't have to encrypt Windows as it will be already encrypted through LUKS, and you can run both systems simultaneously.

    Sorry that I can't give you a straight answer to your question.

    By the way, the size 577 Mb is sufficient for the EFI System Partition, according to the relevant documentation.

  7. #77
    Join Date
    Oct 2010
    Location
    Dublin, Ireland
    Beans
    288
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: Manual Full System Encryption has been updated and simplified

    Hi Paddy, thanks for the input.

    I have completed the Windows 10 install, and I did let it update as I know some of the major releases make changes to at least the recovery partition.

    I have successfully completed the Manual Full System Encryption Guide, although to login for the first time I had to use recovery, enable networking, install lightdm, set nomodeset in Grub, login, and then install my nvidia-415 driver (this is something I encountered on my last normal install, I think due to my using an Nvidia GTX 970). I am now logged in to my desktop, without nomodeset, after entering the master key and my password, but in the Ubuntu launcher panel, top left, I have a hard drive icon arrow with an arrow pointing over it, and when I mouseover it displays the tooltip 'Install Release'. Is this something you have seen? It is almost like some of the Live CD came across with my install? I am certain I am logged into my desktop and not the Ubuntu Live USB.

    Also, I cannot open GParted. When I pressed the superkey and searched for it nothing was found, but then when I tried to install it the terminal output said it was installed already; when I tried to launch it from terminal it took my login password, but then nothing happened. There were also some errors displayed. I uninstalled and reinstalled GParted but there was no change. Please see the errors, and some of the commands I have been trying to fix this, in the pastebin: https://paste.ubuntu.com/p/6tJW4P9sHj/. I am just hoping I did not do something wrong during the install that has caused this, as I am not sure I can face another re-installation of any OS (though I will if I have to as I want to see this through) as I am at all of this several days already!

    Also, just to draw your attention to the error:

    Code:
    Unit tmp.mount does not exist, proceeding anyway.
    in case this should concern us.

    On my laptop (18.04, desktop which I used your guide for is 18.10), when I launch gparted from terminal it mentions 'Unit -.mount does not exist, proceeding anyway'.

    =======

    On my first attempt following the guide, I did close the Ubuntu installer and start over, first when I discovered the separate data partition referring to /home (I have a separate data hard drive but I wanted /home encrypted on my primary SSD) not a separate data non-home partition, and I closed it and started again discovering that the 'system' partition would not split part of itself into a separate /home partition. When I tried the third time the script failed, giving an error about system being resized. So I deleted all partitions, and rebooted, and started again, redownloading the script etc. I was able to get through the guide that time - just mentioning in case relevant to the issue with GParted and Install Release visible.
    Last edited by howefield; December 30th, 2018 at 01:40 PM. Reason: posts merged.

  8. #78
    Join Date
    May 2008
    Location
    United Kingdom
    Beans
    5,263
    Distro
    Ubuntu

    Re: Manual Full System Encryption has been updated and simplified

    Quote Originally Posted by dusf View Post
    … in the Ubuntu launcher panel, top left, I have a hard drive icon arrow with an arrow pointing over it, and when I mouseover it displays the tooltip 'Install Release'.
    I presume that you installed Ubuntu 18.04. This is not something that I've seen, sorry. I suggest that you post a new thread, with a screenshot, in the forum Desktop Environments.

    Quote Originally Posted by dusf View Post
    … I cannot open GParted. I uninstalled and reinstalled GParted but there was no change.
    Usually, uninstalling and reinstalling a program does nothing. Unlike Windows, there isn't a spaghetti-like Registry. To clear a program's settings, you need to delete its configuration file or folder. However, I don't believe that this is your problem, because…

    From my personal tests, GPartEd is unable to cope with LVM over LUKS. (At least, that's what I believe; I might be wrong! As I wrote in the documentation, "Close gparted now, because it has done its job and cannot correctly handle encryption.") That shouldn't explain why GPartEd crashes, though.

    I suggest that you start a new thread. I don't know the best forum; maybe General Help or Hardware? In your new thread, explain that GPartEd crashes (include the pastebin link) and that your system is installed on LVM over LUKS.

    Please would you post the links to both of your new threads here, so that I can follow them.

  9. #79
    Join Date
    May 2008
    Location
    United Kingdom
    Beans
    5,263
    Distro
    Ubuntu

    Re: Manual Full System Encryption has been updated and simplified

    Quote Originally Posted by dusf View Post
    … your guide for is 18.10
    Sorry, no, my guide is for 18.04 LTS.

    EDIT: I think that I misread your post. But the guide is untested on 18.10.
    Last edited by Paddy Landau; December 29th, 2018 at 02:03 PM.

  10. #80
    Join Date
    Oct 2010
    Location
    Dublin, Ireland
    Beans
    288
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: Manual Full System Encryption has been updated and simplified

    Quote Originally Posted by Paddy Landau View Post
    Sorry, no, my guide is for 18.04 LTS.

    EDIT: I think that I misread your post. But the guide is untested on 18.10.
    The question now is whether to keep going with 18.10, or start again with 18.04...

    It is crucial for work and study that my desktop (and my laptop which I will work on next) are working, and if something goes wrong I will not have this sort of time available during term (not just to follow your guide, but the days I spent preparing my 4 drives, opening up PC case to securely erase SSDs, get Windows 10 installed with custom diskpart partition scripts etc) so I am leaning towards reinstalling 18.04, as like you have mentioned it is tested.

    To undo everything so far, can I just delete sd5 where I created system, and sd6 where I created the data-home partition, or have the installer or your script made any changes to the EFI partition that need to be undone somehow?

    Or I can keep going as is, keep up with releases, and if I do encounter an issue in the future just reinstall normal encrypted Ubuntu and reassess my options when I have more time.

    The following code removed the install release icon, and whatever was causing it:

    Code:
    sudo apt-get remove ubiquity
    I will post about GParted a bit later.

    18.10 custom LVM over LUKS, GParted will not start
    Last edited by howefield; December 29th, 2018 at 02:40 PM. Reason: posts merged.
