LMDE 201303 or 201403 with luks encrypted lvm2 partitions
Forum rules
LMDE 2 has reached end of support as of 1-1-2019
Re: LMDE 201303 with luks encrypted lvm2 partitions
Well caught MoonSire, I guess I never tried to do that.
It's fixed now.
Re: LMDE 201303 with luks encrypted lvm2 partitions
Thank you for a very nice script by the way
I have been trying to learn more and more about this, mostly to have some kind of noob protection if anyone breaks into my house and steals my things
maybe an optional disk wipe could be added, as in step #3 here (with the nice progress display):
http://www.cyberciti.biz/hardware/howto ... p-command/
PS. I did an edit to my earlier post as well
Re: LMDE 201303 with luks encrypted lvm2 partitions
Yes, something like that is not hard to add. Usually people use pseudorandom data instead of zero though. The pv utility (or dcfldd) will need to be installed first for a progress bar. I'll look into this. The problem is also, it is likely to take very long... And I have never heard of a method to break the encryption due to not preformatting in such a way.
Re: LMDE 201303 with luks encrypted lvm2 partitions
I think it would be most useful if people are reusing old hard drives, just to keep people from gaining access to old stored data. And if it is in the script they might be interested to learn more about why and that's always nice
I read that it could take days for multi-terabyte hard drives, so the optional bit might be nice
Re: LMDE 201303 with luks encrypted lvm2 partitions
Thank you MoonSire for your debugging. I incorporated the modifications you linked to in your earlier post.
And I added the pseudo-random filling of the encrypted partition, using badblocks. (That's already installed, has a progress bar, and has the nice side effect of making sure there are no bad blocks to start out with!)
I also added some more comments in the SETTINGS section.
Re: LMDE 201303 with luks encrypted lvm2 partitions
Oooh, extremely nice. I am just happy to help!
After upgrading the system (I suspect to UP7) I lost the font on the boot screen that would tell me to input the password for the encrypted volume (it was just squares). I found a solution here:
http://forums.linuxmint.com/viewtopic.p ... 9&t=146997
(Mostly just added to this thread to help others find it easily.)
Maybe this should be transferred to an official wiki page for everyone to see. You have done a great job and made it so very easy, so it would be nice if as many people as possible could benefit from it.
Re: LMDE 201303 with luks encrypted lvm2 partitions
I tried using your script on LMDE 201403, it didn't work. After reboot grub commandline met me, and no kernel got loaded.
Even so, your script helped me - I looked at it to know what to do when using linux mint default installer when it told me to mount everything at /target and then told me to chroot, write fstab and install packages.
Btw you should add a setting for choosing cipher.
Re: LMDE 201303 with luks encrypted lvm2 partitions
volodka wrote: I tried using your script on LMDE 201403, it didn't work.
Sorry, I had been hacking on it after uploading, it now works for me at Cinnamon 32bit and Mate 64bit 201403.
volodka wrote: Btw you should add a setting for choosing cipher.
It would not be difficult, but people who really require this can easily edit the Makefile at the luksFormat line and add --cipher and/or --key-size. Most people are only concerned with average people being able to decrypt their stuff. The biggest way to increase security is to use longer and stronger passphrases. But, I have changed the default to honour Dr.Bruce and speed it up.
Re: LMDE 201303 or 201403 with luks encrypted lvm2 partition
I successfully created a FDE drive with LMDE 201403 64bit with Mate using the updated script. Worked a charm for me. I only have one thing I question. The script has:
Code: Select all
root_size=REST
swap_size=DEFAULT
data_size=NO
My thinking is it should be:
Code: Select all
root_size=DEFAULT
swap_size=DEFAULT
data_size=REST
...and be adjusted if the user desires.
Overall, I am very happy the updated Makefile script for 201403 has been made available. Thank you!
Re: LMDE 201303 or 201403 with luks encrypted lvm2 partition
Trapper wrote: Overall, I am very happy the updated Makefile script for 201403 has been made available. Thank you!
Code: Select all
data_size=NO
I had something more similar to what you propose, but it's more likely to fail for smaller spaces. This way, any install can fit in a smaller space.
But people are encouraged to change the settings according to their need: separate /home partition perhaps, particular size for root, perhaps more (or no) swap space.
Re: LMDE 201303 or 201403 with luks encrypted lvm2 partition
I understand your reasoning. Thanks. Thanks again for the updated script too.
Re: LMDE 201303 or 201403 with luks encrypted lvm2 partition
Pepas,
Pepas wrote: Upgraded the Makefile to work with LMDE 201403 as well.
It works for both the Mate and the Cinnamon 32bit and 64bit editions
Makefile: http://j.mp/makelmde
"This Makefile will result in a working install of Linux Mint Debian Edition edition (version 201303 or 201403) on a luks encrypted lvm2 partition with root, swap and data filesystem"
Instructions:
.
.
.
And that's it!
Thanks for posting the Makefile, it's a nice option until proper support is implemented into the installer. I've reviewed your Makefile and have some observations re: _encrypt (line 294-307).
# LINE 300 - ORIGINAL
Code: Select all
cryptsetup luksFormat -c twofish-xts-plain -s 256 -h sha256 ${crypt_device} ## effective twofish 128 bit due to halving by XTS mode
Code: Select all
cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 ${crypt_device}
cryptsetup luksFormat -c aes-xts-plain64:sha512 -s 512 ${crypt_device}
# -c twofish-xts-plain #ORIGINAL
# -c aes-xts-plain64 #SUGGESTION
# "plain" initialization vector (IV) is susceptible to watermarking on devices >2TiB
# "plain64" IV should be identical to output of "plain" <2TiB, yet handle output >2TiB
#
# REFERENCE (section 5.15)
# https://code.google.com/p/cryptsetup/wi ... ty_Aspects
#
# 5.15 Are there any problems with "plain" IV? What is "plain64"?
#
# First, "plain" and "plain64" are both not secure to use with CBC, see previous FAQ item.
#
# However there are modes, like XTS, that are secure with "plain" IV. The next limit is that "plain" is 64 bit,
# with the upper 32 bit set to zero. This means that on volumes larger than 2TiB, the IV repeats, creating a
# vulnerability that potentially leaks some data. To avoid this, use "plain64", which uses the full sector number
# up to 64 bit. Note that "plain64" requires a kernel >= 2.6.33. Also note that "plain64" is backwards compatible
# for volume sizes <= 2TiB, but not for those > 2TiB. Finally, "plain64" does not cause any performance penalty
# compared to "plain".
I'm trying to understand why you include two different cipher/mode/IV strings in the Makefile.
Code: Select all
cryptsetup luksFormat -c twofish-xts-plain -s 256 -h sha256 ${crypt_device} ## LINE 300 ## force_reencrypt==yes > luksFormat with cipher/mode/IV "twofish-xts-plain"
cryptsetup luksFormat -c aes -s 128 ${crypt_device} ## LINE 304 ## force_reencrypt==no > lukstest > if luks header not found encrypt with 128 bit aes cipher
Code: Select all
_encrypt:
@echo
ifeq "${force_reencrypt}" "YES" ## force_reencrypt test
ifeq "${force_random}" "YES" ## force_reencrypt==yes > force_random test
badblocks -c 10240 -s -w -t random -v ${crypt_device} ## force_reencrypt==yes > force_random==yes > run badblocks
endif ## force_reencrypt==yes > force_random==no > continue
cryptsetup luksFormat -c twofish-xts-plain -s 256 -h sha256 ${crypt_device} ## force_reencrypt==yes > luksFormat with cipher/mode/IV "twofish-xts-plain"
rm -fv _decrypt ## force_reencrypt==yes > remove -f _decrypt?
else ## force_reencrypt==no > continue
if cryptsetup isLuks ${crypt_device}; then echo; echo " ${crypt_device} is already formatted";\ ## force_reencrypt==no > lukstest > if luks header found (encrypted container) do nothing
else cryptsetup luksFormat -c aes -s 128 ${crypt_device}; rm -fv _decrypt; fi ## force_reencrypt==no > lukstest > if luks header not found encrypt with 128 bit aes cipher
endif
touch $@
Last edited by j0b on Mon Mar 17, 2014 4:04 pm, edited 1 time in total.
Re: LMDE 201303 or 201403 with luks encrypted lvm2 partition
j0b wrote: Thanks for posting the Makefile, it's a nice option until proper support is implemented into the installer.
Thank you for your review. Unfortunately, the latest version where I had fixed the encryption options got overwritten by an older version. This should be fixed now.
I did change the default to "-c aes-xts-plain64 -s 512 -h sha512" with the longer cipher and hash, and chose aes because it is much more likely to be supported by hardware (making it much faster). It can be adapted in the SETTINGS section. If you have further comments, I'm looking forward to hearing from you.
Incidentally, there is a great installer available that the creator and maintainer of Semplice Linux (also Debian based) coded, which has the support built in. But it looks like LMDE only gets minimal resources...
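The cipher/IV points from j0b's review of _encrypt, the "-c aes-xts-plain64 -s 512 -h sha512" default Pepas settled on, and the optional random prefill with badblocks discussed earlier in the thread, as an added shell example. This is not code from the Makefile or the lmdescrypt script; it only builds and prints the command lines so the settings can be checked before anything destructive runs. The device paths, sizes and the lmde_crypt mapping name are constructed for illustration.

```shell
#!/bin/sh
# Added example for this thread, not code from Pepas's Makefile or script.
# Applies the review points before anything destructive would run:
#   * a "plain" IV only carries 32 bits of sector number, so it is rejected
#     on devices larger than 2 TiB (use plain64 there)
#   * CBC with a plain/plain64 IV is rejected (not secure per cryptsetup FAQ)
#   * XTS splits the key in two, so -s 256 is flagged as an effective 128-bit key
# Nothing here touches a disk: the functions only print the commands they
# would run. Device paths, sizes and the "lmde_crypt" mapping name are assumed.

TWO_TIB=$((2 * 1024 * 1024 * 1024 * 1024))

# check_cipher_spec SPEC KEYBITS DEVBYTES
#   SPEC is the cryptsetup -c string (cipher-mode-iv[:opt]), KEYBITS the -s value,
#   DEVBYTES the size of the partition to be formatted.
#   Prints one "ok: ..." line and returns 0, or a "reject: ..." line and returns 1.
#   Non-fatal findings go to stderr as "warning: ...".
check_cipher_spec() {
    spec=$1 keybits=$2 devbytes=$3
    case $spec in
        *-*-*)
            cipher=${spec%%-*}
            rest=${spec#*-}
            mode=${rest%%-*}
            iv=${rest#*-}
            iv=${iv%%:*}        # "essiv:sha256" -> "essiv", "plain64:sha512" -> "plain64"
            ;;
        *)  # bare cipher name such as "-c aes": mode and IV come from cryptsetup's defaults
            echo "ok: $spec with $keybits-bit key, mode and IV from cryptsetup defaults"
            return 0 ;;
    esac
    case $mode in
        cbc)
            case $iv in
                plain|plain64)
                    echo "reject: $cipher-cbc with $iv IV is not secure, use essiv or xts"
                    return 1 ;;
            esac ;;
        xts)
            if [ "$keybits" -lt 512 ]; then
                echo "warning: xts halves the key, -s $keybits is an effective $((keybits / 2))-bit $cipher key" >&2
            fi ;;
    esac
    if [ "$iv" = plain ] && [ "$devbytes" -gt "$TWO_TIB" ]; then
        echo "reject: plain IV repeats above 2 TiB, use plain64 (kernel >= 2.6.33)"
        return 1
    fi
    echo "ok: $cipher/$mode/$iv with $keybits-bit key"
    return 0
}

# plan_encrypt DEVICE DEVBYTES SPEC KEYBITS HASH WIPE
#   WIPE is one of:
#     none        no prefill
#     badblocks   random prefill of the raw partition, as the script does
#     zero-mapper zero the opened mapping after luksFormat instead; the disk
#                 then holds ciphertext of zeros, which is random-looking and
#                 avoids a slow /dev/urandom pass
#   Prints the commands in order without running them; returns 1 if rejected.
plan_encrypt() {
    dev=$1 size=$2 spec=$3 bits=$4 hash=$5 wipe=$6
    check_cipher_spec "$spec" "$bits" "$size" >/dev/null || return 1
    if [ "$wipe" = badblocks ]; then
        printf 'badblocks -c 10240 -s -w -t random -v %s\n' "$dev"
    fi
    printf 'cryptsetup luksFormat -c %s -s %s -h %s %s\n' "$spec" "$bits" "$hash" "$dev"
    if [ "$wipe" = zero-mapper ]; then
        # lmde_crypt is an assumed mapping name; luksOpen prompts for the passphrase
        printf 'cryptsetup luksOpen %s lmde_crypt\n' "$dev"
        printf 'dd if=/dev/zero of=/dev/mapper/lmde_crypt bs=4M\n'
        printf 'cryptsetup luksClose lmde_crypt\n'
    fi
    return 0
}

# Usage: show the plan for a 100 GiB partition with the thread's new default,
# then show that the old default is refused on a 4 TiB partition.
small=$((100 * 1024 * 1024 * 1024))
big=$((4 * TWO_TIB))
plan_encrypt /dev/sda2 "$small" aes-xts-plain64 512 sha512 badblocks
plan_encrypt /dev/sdb1 "$big" twofish-xts-plain 256 sha256 none || echo "refused: $(check_cipher_spec twofish-xts-plain 256 "$big" 2>/dev/null)"
```

The parser splits the -c string the way dm-crypt does (cipher, mode, IV generator, optional ":hash"), so the two suggestion lines in the review are both accepted and the hash after plain64 is simply ignored. The XTS key-size finding is a warning rather than a rejection, since an effective 128-bit AES or Twofish key is not a weakness the thread claims; it just makes the "-s 256 vs -s 512" difference explicit.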
create public git repo?
j0b wrote: Thanks for posting the Makefile, it's a nice option until proper support is implemented into the installer.
ditto! I'm setting up a new box, and was going to ask if any LMDE installers supported resizable encrypted partitions.
Pepas wrote: Unfortunately, the latest version where I had fixed the encryption options got overwritten by an older version. This should be fixed now.
My proposal is, put this Makefile (and any related files) in a web-based `git` repository, hosted by, e.g., Bitbucket or GitHub. That would
- provide a commit trail, so one could see what was added when, and why
- tend to prevent problems like that overwrite (above)
- allow others to fork and contribute via pull request
Pepas wrote: looks like LMDE only gets minimal resources...
Hafta disagree there: LMDE is (IMHO) the single most usable direct Debian fork (i.e., non-Ubuntu fork), and that doesn't "just happen." That being said, IIUC, the Debian installer has supported LUKS and LVM for awhile. I'd like to see such support in the "native" LMDE installers, and perhaps making your Makefile more available would help that happen.
created public git repo
TomRoche wrote: My proposal is, put this Makefile
`s/Makefile/bash script/g`
TomRoche wrote: (and any related files) in a web-based `git` repository
As a quick'n'dirty example, I made this.
Re: LMDE 201303 or 201403 with luks encrypted lvm2 partition
Sure Tom. I see you somehow already 'found' the bash script I made for this task...
I've decided to focus on 201403 only. We don't want to encourage people installing from the old 201303 iso, that does not make sense.
http://j.mp/makelmdescript <-- NOW OUTDATED! USE http://j.mp/lmdescrypt INSTEAD
It's not too difficult to have the script also do the partitioning, but it gets very destructive that way...
Last edited by Pepas on Sun Sep 20, 2015 11:45 am, edited 1 time in total.
Re: LMDE 201303 or 201403 with luks encrypted lvm2 partition
I love this script! Running straight outta terminal is fast (and ... umm ... I ♥ character-mode graphics :-) and being able to specify additional packages in the script is great. (Gotta find a way to hook `mintbackup` into this workflow.) Thanks, PePas. FWIW, I have
- added a few more tests
- refactored it so that users will only need to edit a .properties file (sourced by the script) without needing to touch the script itself.
That being said, IMHO what really needs done (and is in the TODOs) is to get this functionality into the mainline LMDE installer, so that this doesn't need bolted on.
Re: LMDE 201303 or 201403 with luks encrypted lvm2 partition
Thanks for the great makefile/script.
The link to the makefile seems to point to an outdated file as it has the 256bit encryption and a strange line lvmdata=-l +100%FREE -Zn where the + does not seem right.
The script does not accept username characters like - though the makefile does.
Re: LMDE 201303 or 201403 with luks encrypted lvm2 partition
LarkinVB wrote: The link to the makefile seems to point to an outdated file as it has the 256bit encryption and a strange line lvmdata=-l +100%FREE -Zn where the + does not seem right.
The script does not accept username characters like - though the makefile does.
Sorry, dropbox did something undesirable again... Updated the makefile.
But the script is really better. As you noticed, it has more checks. The only thing is, the makefile also works with 201303 (which I think should not be used anymore).
Re: LMDE 201303 or 201403 with luks encrypted lvm2 partition
I constantly get 'Invalid partition table' after install before grub menu is displayed with a Dell 6420 laptop. I can boot up normally afterwards. Same Samsung 840 EVO SSD does work in a different laptop without this message. Any idea what the reason is for the Dell to show this warning or how to fix it ?
EDIT: I guess it is because the Dell BIOS is expecting the boot flag on the boot partition and there is none.