Page 13 of 17
Results 121 to 130 of 169

Thread: Manual Full System Encryption has been updated and simplified

  1. #121
    Join Date
    Aug 2019
    Beans
    1

    Re: Manual Full System Encryption has been updated and simplified

    Hello! Could you tell me please, why are there two enabled key-slots? First (0) slot contains my password, but what about second slot (1)?

  2. #122
    Join Date
    Mar 2012
    Beans
    9

    Re: Manual Full System Encryption has been updated and simplified

    Quote Originally Posted by no95typem View Post
    Hello! Could you tell me please, why are there two enabled key-slots? First (0) slot contains my password, but what about second slot (1)?
    I think the subject has been addressed (see quotation below): one key is for the first-stage decryption and corresponds to your password, and the other is for the rest and is automatically retrieved during first-stage decryption.
    Quote Originally Posted by Paddy Landau View Post
    Quote Originally Posted by thrdroom View Post
    The script forces me to choose two different passwords for system and data drives. As I don't want to overcomplicate things (in case of data loss or crash), I want to have the same password for both drives and only one single keyfile. I think the user should have the choice to choose what he wants.
    Having the same passphrase is unnecessary, because once the system has been decrypted, it will automatically decrypt the data drive. However, if it's really what you want, all that you need to do is to replace the existing passphrase with the new one.
    Code:
    sudo cryptsetup luksChangeKey /dev/sda3   # Replace /dev/sda3 with the correct partition name.
    I could be wrong however, since I was only reading this out of curiosity and don't intend to use it right now, so I may be missing something...

  3. #123
    Join Date
    Sep 2019
    Beans
    1

    Re: Manual Full System Encryption has been updated and simplified

    Thanks for this! I found it very helpful while setting up a new install of ubuntu-19.04.


    One issue I ran into, however, was that I couldn't seem to get GRUB to open the LUKS volume at boot time. Turns out the LUKS volume was being created as LUKS2 by default, and GRUB doesn't support LUKS2 volumes.


    I resolved this by modifying encryptinstallation to force it to use LUKS1:

    Code:
    echo -n "${PASSPHRASE}" | sudo cryptsetup luksFormat --type=luks1 --hash=sha512 --key-size=512 --key-file=- ${PARTITION}

  4. #124
    Join Date
    Jul 2005
    Beans
    20

    Re: Manual Full System Encryption has been updated and simplified

    I had this problem too when trying to install with Ubuntu 19.10 on a dual boot system with Windows 10.

    The LUKS1 tweak above fixed it, though I did get an error about the grub-efi-amd64-signed package not installing that I didn't get before making the tweak, but it didn't hinder booting.

    Otherwise great instructions, can't believe Canonical haven't made this the default yet.

  5. #125
    Join Date
    May 2008
    Location
    United Kingdom
    Beans
    5,261
    Distro
    Ubuntu

    Re: Manual Full System Encryption has been updated and simplified

    Sorry for not replying to messages earlier. For some reason, Ubuntu Forums doesn't send me notifications to this specific thread until weeks afterwards.

    Thank you NovHak, blaxpot and raif for your responses.
    Quote Originally Posted by no95typem View Post
    … why are there two enabled key-slots? First (0) slot contains my password, but what about second slot (1)?
    The first passphrase is for your system partition, and the second for your data partition.
    Always make regular backups of your data (and test them).
    Visit Full Circle Magazine for beginners and seasoned Linux enthusiasts.

  6. #126
    Join Date
    Dec 2019
    Beans
    1

    Re: Manual Full System Encryption has been updated and simplified

    @Paddy -- I just want to join on the well-deserved praise and thanks for all of the effort you've put in to this. It really is tremendous -- I've been using Ubuntu for 12 years now, and this is one of the best, most thorough guides I've seen. Cheers!

    I just had the dreaded grub/kernel update causes failure to boot, and the steps in your troubleshooting guide [1] saved my bacon! Phew, what a huge relief that is! I'm really in awe of the work you've done on all of this!

    One minor suggestion on the troubleshooting page -- I wasn't able to get it to work initially, because I wasn't reading carefully enough and the string "PARTITION" is used in two places to mean two things... I kept putting my system partition in the slot where I should have been putting my EFI partition. So my suggestion, which of course you can take or leave, would be to disambiguate those strings in steps 4 and 5 by specifying SYSTEM_PARTITION and EFI_PARTITION, as follows:

    4. To unlock your partition, enter the following command. Replace /dev/SYSTEM_PARTITION with your system partition, e.g. /dev/sda5 or /dev/nvme01n1p5. You will be prompted for your system passphrase.


    • sudo cryptsetup open --type=luks /dev/SYSTEM_PARTITION system

    5. Mount your system partition. Replace /dev/EFI_PARTITION with your EFI System Partition (ESP), e.g. /dev/sda2 or /dev/nvme01n1p2.


    • sudo mkdir /mnt/root
      sudo mount /dev/mapper/system-root /mnt/root
      sudo mount /dev/mapper/system-boot /mnt/root/boot
      sudo mount /dev/EFI_PARTITION /mnt/root/boot/efi


    Again, thanks so much!


    [1] https://help.ubuntu.com/community/Ma...roubleshooting

  7. #127
    Join Date
    May 2008
    Location
    United Kingdom
    Beans
    5,261
    Distro
    Ubuntu

    Re: Manual Full System Encryption has been updated and simplified

    Quote Originally Posted by ersatz-logins View Post
    … disambiguate those strings…
    Thanks for your kind words and your suggestion. I like your suggestion. I've also bolded the names in the instructions.

    I have a feeling that these instructions won't work on 20.04 (the next LTS). I do wish that Canonical would take this issue seriously!

  8. #128
    Join Date
    Jan 2020
    Beans
    7

    Re: Manual Full System Encryption has been updated and simplified

    Is the below procedure something I can do once the system has already been encrypted, or do I need to modify Paddy's script beforehand?

    Also could you elaborate on
    # 3. create an extra passphrase as a back-stop. Enter your passphrase when prompted (3 times)
    as I don't understand what it's intended for? Do I delete this back-stop passphrase later on (it's not detailed in the steps)?

    Also:

    If you'd like to reduce the boot time, repeat steps 1, 4, 6 & 8
    it doesn't mention step #3? Step #3 seems to really confuse me!

    Quote Originally Posted by 3-david-o View Post
    Hi Paddy,
    I may have been wrong about the key order (it isn't immediately obvious which key is stored in which slot), and just jumping to conclusions.

    Here are the steps that I used to ensure the keys are in the optimum order, and also to adjust the number of iterations done on each key - which influences how quickly the device can be unlocked. The steps are fairly simple and quick, but you do have to enter your passphrase many times!

    # 1. specify your encrypted device (substitute your device name)
    device=/dev/nvme0n1p5
    # 2. check what's in the encryption header - note the iterations for each key
    sudo cryptsetup luksDump $device
    # 3. create an extra passphrase as a back-stop. Enter your passphrase when prompted (3 times)
    sudo cryptsetup --key-slot 7 luksAddKey $device
    # 4. delete existing user key slot
    sudo cryptsetup luksKillSlot $device 0
    # 5. delete existing machine key slot
    sudo cryptsetup luksKillSlot $device 1
    # 6. Create a new key slot for your passphrase, with required iter-time:
    sudo cryptsetup --iter-time 500 --key-slot 0 luksAddKey $device
    # 7. Create a new key slot for the machine key, with required iter-time:
    sudo cryptsetup --iter-time 1000 --key-slot 1 luksAddKey $device /etc/crypt.system
    # 8. check what's in the encryption header - note the iterations for each key
    sudo cryptsetup luksDump $device
    # 9. Reboot, and check to see how fast the startup is.

    If you'd like to reduce the boot time, repeat steps 1, 4, 6 & 8, choosing a lower value for iter-time (the iter-time is the amount of time, in milliseconds, that the encryption process spends "hashing" (scrambling) your passphrase before it is stored. It would take the same amount of time to repeat this process each time you decrypt the device - but only if your processor can operate at the same speed during boot. That's not always the case - in my case it was 10 times slower.)
    You can also repeat steps 5 & 7, choosing a lower iter-time, to speed up the second part of the boot process, but this will make less of a difference.
    When you've finished, you can optionally delete the "back-stop" key in slot 7 (but there's no harm in leaving it).

    In my case, I found that an iter-time of 200 for my passphrase gave 185000 iterations, which took about 2 seconds during boot. For the machine key, I found that an iter-time of 1000 gave 900000 iterations, which took about 1 second during boot. The default iter-time is 2000. The relationship between iter-time and number of iterations depends on how fast your machine is. As I mentioned previously, there are potential security implications of reducing the number of iterations, but so long as a sufficiently long/complex passphrase is used, there's no problem. This topic is well discussed here.

    I hope that the above proves to be useful for anyone suffering agonisingly long boot times.
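
Added example (not part of any post in this thread and not code from the guide's scripts): a reader for the text that `cryptsetup luksDump` prints, covering the two checks discussed above, namely whether the header is LUKS1 or LUKS2 (post #123) and which key slots are enabled with how many iterations (steps 2 and 8 of the quoted procedure). The function names, the minimum-iterations threshold and the abridged sample dump are assumptions made for illustration; slot parsing follows the LUKS1 dump layout only.

```shell
#!/usr/bin/env bash
# Added example: read the text printed by `cryptsetup luksDump` (LUKS1 layout).

# Constructed, abridged sample. Slot 0/1 counts are the ones quoted in the
# thread; the slot 7 and MK values are made up.
sample_dump() {
  cat <<'EOF'
LUKS header information for /dev/nvme0n1p5

Version:        1
Cipher name:    aes
Hash spec:      sha512
MK bits:        512
MK iterations:  110000

Key Slot 0: ENABLED
    Iterations:             185000
    Key material offset:    8
Key Slot 1: ENABLED
    Iterations:             900000
    Key material offset:    512
Key Slot 2: DISABLED
Key Slot 7: ENABLED
    Iterations:             1800000
    Key material offset:    3592
EOF
}

# Header version: 1 or 2 (both formats print a "Version:" line).
luks_version() { awk '$1 == "Version:" { print $2; exit }'; }

# One "slot iterations" line per ENABLED key slot.
luks_slots() {
  awk '$1 == "Key" && $2 == "Slot" { slot = $3; sub(/:/, "", slot); on = ($4 == "ENABLED") }
       $1 == "Iterations:" && on   { print slot, $2 }'
}

# Enabled slots that would remain after `luksKillSlot <device> $1`.
# 0 means no passphrase or key file could unlock the volume any more.
slots_left_after_kill() {
  luks_slots | awk -v kill="$1" '$1 != kill { n++ } END { print n + 0 }'
}

# Report for a dump on stdin; $1 = lowest iteration count you accept (your choice).
luks_report() {
  min="$1"
  dump=$(cat)
  echo "version=$(printf '%s\n' "$dump" | luks_version)"
  printf '%s\n' "$dump" | luks_slots | awk -v min="$min" \
    '{ printf "slot=%s iterations=%s%s\n", $1, $2, ($2 < min ? " BELOW_MIN" : "") }'
}

sample_dump | luks_report 200000
```

On a real system, feed it the live header instead of the sample, for example `sudo cryptsetup luksDump "$device" | slots_left_after_kill 0`, and check the result before running any `luksKillSlot`.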

  9. #129
    Join Date
    Jan 2020
    Beans
    7

    Re: Manual Full System Encryption has been updated and simplified

    Please help!

    I must have done something because now I don't get a password prompt on boot, only `grub>` and I get stuck on that. Booting from a LiveCD I can mount the encrypted partitions (boot and root) by entering the password, so they work fine. So something must have gone wrong with the bootloader? Can I fix that without having to reinstall everything again i.e. without losing my current Ubuntu installation?

  10. #130
    Join Date
    May 2008
    Location
    United Kingdom
    Beans
    5,261
    Distro
    Ubuntu

    Re: Manual Full System Encryption has been updated and simplified

    @elgo2 — First, which version of Ubuntu are you using? This system has been tested on 18.04 and I don't know if it will work on later versions (it should, but I can't guarantee that).

    Second, have you followed the troubleshooting guide?
