LMDE 201303 or 201403 with luks encrypted lvm2 partitions

[Pepas]

Well caught MoonSire, I guess I never tried to do that.
It's fixed now.

[MoonSire]

Thank you for a very nice script by the way

I have been trying to learn more and more about this, mostly to have some kind of noob protection if anyone breaks into my house and steals my things

maybe an optional disk wipe could be added, as in step #3 here (with the nice progress display):
http://www.cyberciti.biz/hardware/howto ... p-command/

PS. I did an edit to my earlier post as well

[Pepas]

Yes, something like that is not hard to add. Usually people use pseudorandom data instead of zero though. The pv utility (or dfcldd) will need to be installed first for a progress bar. I'll look into this. The problem is also, it is likely to take very long... And I have never heard of a method to break the encryption due to not preformatting in such a way.

[MoonSire]

I think it would be most useful if people are reusing old hard drives, just to keep people from gaining access to old stored data. And if it is in the script they might be interested to learn more about why and that's always nice

I read that it could take days for multi-terabyte hard drives, so the optional bit might be nice

[Pepas]

Thank you MoonSire for your debugging. I encorporated the modifications you linked to in your earlier post.
And I added the pseudo-random filling of the encrypted partion, using badblocks. (That's already installed, has a progress bar, and has the nice side effect of making sure there are no bad blocks to start out with!)
I also added some more comments in the SETTINGS section.

[MoonSire]

Oooh, extremely nice I am just happy to help!

After upgrading the system (I suspect to UP7) I lost the font on the boot screen that would tell me to input the password for the encrypted volume (it was just squares). I found a solution here:
http://forums.linuxmint.com/viewtopic.p ... 9&t=146997
(Mostly just added to this thread to help others find it easily )

Maybe this should be transferred to an official wiki page for everyone to see You have done a great job and made it so very easy, so it would be nice if as many people as possible could benefit from it.

[volodka]

I tried using your script on LMDE 201403, it didn't work. After reboot grub commandline met me, and no kernel got loaded.
Even so, your script helped me - I looked at it to know what to do when using linux mint default installer when it told me to mount everything at /target and then told me to chroot, write fstab and install packages.
Btw you should add a setting for choosing cipher.

[Pepas]

I tried using your script on LMDE 201403, it didn't work.

Sorry, I had been hacking on it after uploading, it now works for me at Cinnamon 32bit and Mate 64bit 201403.

Btw you should add a setting for choosing cipher.

It would not be difficult, but people who really require this can easily edit the Makefile at the luksFormat line and add --cipher and/or --key-size. Most people are only concerned with average people being able to decrypt their stuff. The biggest way to increase security is to use longer and stronger passphrases. But, I have changed the default to honour Dr.Bruce and speed it up.

[Trapper]

I successfully created a FDE drive with LMDE 201403 64bit with Mate using the updated script. Worked a charm for me. I only have one thing I question. The script has:

Code: Select all

root_size=REST
swap_size=DEFAULT
data_size=NO

My thinking is it should be:

Code: Select all

root_size=DEFAULT
swap_size=DEFAULT
data_size=REST

...and be adjusted if the user desires.

Overall, I am very happy the updated Makefile script for 201403 has been made available. Thank you!

[Pepas]

Code: Select all

data_size=NO

Overall, I am very happy the updated Makefile script for 201403 has been made available. Thank you!

I had something more similar to what you propose, but it's more likely to fail for smaller spaces. This way, any install can fit in a smaller space.
But people are encouraged to change the settings according to their need: separate /home partition perhaps, particular size for root, perhaps more (or no) swap space.

[Trapper]

I understand your reasoning. Thanks. Thanks again for the updated script too.

[j0b]

Upgraded the Makefile to work with LMDE 201403 as well.
It works for both the Mate and the Cinnamon 32bit and 64bit editions

Makefile: http://j.mp/makelmde
"This Makefile will result in a working install of Linux Mint Debian Edition edition (version 201303 or 201403) on a luks encrypted lvm2 partition with root, swap and data filesystem"

Instructions:

.
.
.

And that's it!

Pepas,

Thanks for posting the Makefile, it's a nice option until proper support is implemented into the installer. I've reviewed your Makefile and have some observations re: _encrypt (line 294-307).

# LINE 300 - ORIGINAL

Code: Select all

cryptsetup luksFormat -c twofish-xts-plain -s 256 -h sha256 ${crypt_device}     ## effective twofish 128 bit due to halving by XTS mode

# LINE 300 - SUGGESTION (either)

Code: Select all

cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 ${crypt_device}
cryptsetup luksFormat -c aes-xts-plain64:sha512 -s 512 ${crypt_device}

# -c [cipher/mode/IV]
# -c twofish-xts-plain #ORIGINAL
# -c aes-xts-plain64 #SUGGESTION
# "plain" initialization vector (IV) is susceptible to watermarking on devices >2TiB
# "plain64" IV should be identical to output of "plain" <2TiB, yet handle output >2TiB
#
# REFERENCE (section 5.15)
# https://code.google.com/p/cryptsetup/wi ... ty_Aspects
#
# 5.15 Are there any problems with "plain" IV? What is "plain64"?
#
# First, "plain" and "plain64" are both not secure to use with CBC, see previous FAQ item.
#
# However there are modes, like XTS, that are secure with "plain" IV. The next limit is that "plain" is 64 bit,
# with the upper 32 bit set to zero. This means that on volumes larger than 2TiB, the IV repeats, creating a
# vulnerability that potentially leaks some data. To avoid this, use "plain64", which uses the full sector number
# up to 64 bit. Note that "plain64" requires a kernel >= 2.6.33. Also note that "plain64" is backwards compatible
# for volume sizes <= 2TiB, but not for those > 2TiB. Finally, "plain64" does not cause any performance penalty
# compared to "plain".



I'm trying to understand why you include two different cipher/mode/IV strings in the Makefile.

Code: Select all

cryptsetup luksFormat -c twofish-xts-plain -s 256 -h sha256 ${crypt_device}        ## LINE 300          ## force_reencrypt==yes > luksFormat with cipher/mode/IV "twofish-xts-plain"
cryptsetup luksFormat -c aes -s 128 ${crypt_device}                                ## LINE 304          ## force_reencrypt==no  > lukstest > if luks header not found encrypt with 128 bit aes cipher

# LINE 294-307 - ORIGINAL

Code: Select all

_encrypt:
  @echo
ifeq "${force_reencrypt}" "YES"                                                                         ## force_reencrypt test
ifeq "${force_random}" "YES"                                                                            ## force_reencrypt==yes > force_random test
  badblocks -c 10240 -s -w -t random -v ${crypt_device}                                                 ## force_reencrypt==yes > force_random==yes > run badblocks
endif                                                                                                   ## force_reencrypt==yes > force_random==no  > continue
  cryptsetup luksFormat -c twofish-xts-plain -s 256 -h sha256 ${crypt_device}                           ## force_reencrypt==yes > luksFormat with cipher/mode/IV "twofish-xts-plain"
  rm -fv _decrypt                                                                                       ## force_reencrypt==yes > remove -f _decrypt?
else                                                                                                    ## force_reencrypt==no  > continue 
  if cryptsetup isLuks ${crypt_device}; then echo; echo "  ${crypt_device} is already formatted";\      ## force_reencrypt==no  > lukstest > if luks header found (encrypted container) do nothing
  else cryptsetup luksFormat -c aes -s 128 ${crypt_device}; rm -fv _decrypt; fi                         ## force_reencrypt==no  > lukstest > if luks header not found encrypt with 128 bit aes cipher
endif
  touch $@

[Pepas]

Thanks for posting the Makefile, it's a nice option until proper support is implemented into the installer.

Thank you for your review. Unfortunately, the latest version where I had fixed the encryption options got overwritten by an older version. This should be fixed now.

I did change the default to "-c aes-xts-plain64 -s 512 -h sha512" with the longer cypher and hash, and chose aes because it is much more likely to be supported by hardware (making it much faster). It can be adapted in the SETTINGS section. If you have further comments, I'm looking forward to hearing from you.

Incidentally, there is a great installer available that the creator and maintainer of Semplce Linux (also Debian based) coded, which has the support built in. But it looks like LMDE only gets minimal resources...

[TomRoche]

Thanks for posting the Makefile, it's a nice option until proper support is implemented into the installer.

ditto! I'm setting up a new box, and was going to ask if any LMDE installers supported resizable encrypted partitions.

Unfortunately, the latest version where I had fixed the encryption options got overwritten by an older version. This should be fixed now.

My proposal is, put this Makefile (and any related files) in a web-based `git` repository, hosted by, e.g., Bitbucket or GitHub. That would

1. provide a commit trail, so one could see what was added when, and why
2. tend to prevent problems like that overwrite (above)
3. allow others to fork and contribute via pull request

as well as retain easy download of the current version. Bitbucket has an advantage here with its separate project section=Downloads (e.g., this, but that shouldn't be a problem for just a Makefile. Bitbucket also allows one to give a URI that points directly to the "raw"/downloadable latest version (i.e., HEAD) of a managed file (e.g., this); I suspect GitHub also allows this, but it's been awhile since I've used GH much (since they removed Downloads).

looks like LMDE only gets minimal resources...

Hafta disagree there: LMDE is (IMHO) the single most usable direct Debian fork (i.e., non-Ubuntu fork), and that doesn't "just happen." That being said, IIUC, the Debian installer has supported LUKS and LVM for awhile. I'd like to see such support in the "native" LMDE installers, and perhaps making your Makefile more available would help that happen.

[TomRoche]

My proposal is, put this Makefile

`s/Makefile/bash script/g`

(and any related files) in a web-based `git` repository

As a quick'n'dirty example, I made this.

[Pepas]

Sure Tom. I see you somehow already 'found' the bash script I made for this task...
I've decided to focus on 201403 only. We don't want to encourage people installing from the old 201303 iso, that does not make sense.

http://j.mp/makelmdescript <-- NOW OUTDATED! USE http://j.mp/lmdescrypt INSTEAD

It's not too difficult to have the script also do the partitioning, but it gets very destructive that way...

[TomRoche]

I love this script! Running straight outta terminal is fast (and ... umm ... I ♥ character-mode graphics :-) and being able to specify additional packages in the script is great. (Gotta find a way to hook `mintbackup` into this workflow.) Thanks, PePas. FWIW, I have

• added a few more tests
• refactored it so that users will only need to edit a .properties file (sourced by the script) without needing to touch the script itself.

and added more documentation in the README. All: feel free to [fork, pull request]!

That being said, IMHO what really needs done (and is in the TODOs is to get this functionality into the mainline LMDE installer, so that this doesn't need bolted on.

[LarkinVB]

Thanks for the great makefile/script.

The link to the makefile seems to point to an outdated file as it has the 256bit encryption and a strange line lvmdata=-l +100%FREE -Zn where the + does not seem right.

The script does not accept username characters like - though the makefile does.

[Pepas]

The link to the makefile seems to point to an outdated file as it has the 256bit encryption and a strange line lvmdata=-l +100%FREE -Zn where the + does not seem right.

The script does not accept username characters like - though the makefile does.

Sorry, dropbox did something undesirable again... Updated the makefile.
But the script is really better. As you noticed, it has more checks. The only thing is, the makefile also works with 201303 (which I think should not be used anymore).

[LarkinVB]

I constantly get 'Invalid partition table' after install before grub menu is displayed with a Dell 6420 laptop. I can boot up normally afterwards. Same Samsung 840 EVO SSD does work in a different laptop without this message. Any idea what the reason is for the Dell to show this warning or how to fix it ?

EDIT: I guess it is because the Dell BIOS is expecting the boot flag on the boot partition and there is none.