Mint 17.X, 18.X and 19.X (but also Ubuntu) Full Disk Encryption (directory /boot included)

Write tutorials here
There are more tutorials here http://community.linuxmint.com/tutorial/welcome
Forum rules
Please don't add support questions to tutorials,start your own thread in the appropriate sub-forum instead. Before you post please read this
linux22
Level 1
Level 1
Posts: 23
Joined: Mon Jun 08, 2015 2:41 pm

Re: Mint 17.X, 18.X and 19.X (but also Ubuntu) Full Disk Encryption (directory /boot included)

Post by linux22 » Sat Feb 09, 2019 7:37 am

Hello hotwolf, I have read your message. I have a few questions:

- the message you get from NUC appeared after the installation of new hardware (like a USB Hub) ?

- the message you get from NUC appeared prior or after the installation of Linux FDE ?

- is your UEFI Firmware up-to-date (have you installed the last version) or did you recently installed a new firmware version ?

Anyway you can check the following links:

https://superuser.com/questions/904004/ ... t-attempts

http://www.aslab.com/support/kb/191.html

https://www.intel.com/content/www/us/en ... 1549670358


The first one recommend to answer 'Y' entering your UEFI/BIOS firmware and then commit 'Save and Exit'.

The second one recommend to change the kernel boot command line adding the option 'reboot= acpi' or 'reboot=t' and then re-booting many time until the message disappear.

The last one is from Intel and suggest to reload the default UEFI Firmware setting. Doing so you will probably lose you UEFI Firmware Secure Boot settings.

You can test these solution and eventually re-install the Linux FDE system. My first impression is that this warning message is due to hardware and/or firmware issues. So if you don't get rid of this problem with software 'escamotages' (like these explained in the first and second links) my advice is resetting your UEFI Firmware to default setting (as recommended by Intel) and then install the latest UEFI Firmware version. If doing so the warning message remain that is the proof that the problem is most likely due to a hardware and/or firmware problem.

Please keep me informed about your progress.

Regards.

linux22

hotwolf
Level 1
Level 1
Posts: 5
Joined: Sat Feb 02, 2019 12:58 pm

Re: Mint 17.X, 18.X and 19.X (but also Ubuntu) Full Disk Encryption (directory /boot included)

Post by hotwolf » Wed Feb 13, 2019 7:18 pm

Hello Linux22,

thanks for all the tips.

First to answer your questions:
- the message you get from NUC appeared after the installation of new hardware (like a USB Hub) ?
I had an external DVD drive connected to my NUC, which I had used for the OS installation. I did remove at it some point later on. So the message may have come at some point after a change of hardware configuration.
- the message you get from NUC appeared prior or after the installation of Linux FDE ?
I don't remember this message showing up after the Linux FDE installation. I think it started to pop up after I tried the secure boot setup.
- is your UEFI Firmware up-to-date (have you installed the last version) or did you recently installed a new firmware version ?
I'm using version 2.2.23 of the Intel Visual BIOS, which my NUC was shipped with.

I followed your links, and the first thing I've tried was to disable the "Failsafe Watchdog" option in the BIOS (as described here https://www.intel.com/content/www/us/en ... 1549670358). And this solved the problem right away. My NUC now boots right to the FDE password entry without any prior BIOS prompt. So I didn't even need to modify the kernel boot options.

Thanks again for your great help.

Regards,
hotwolf

artrieu
Level 1
Level 1
Posts: 6
Joined: Mon Feb 25, 2019 4:50 pm

Re: Mint 17.X, 18.X and 19.X (but also Ubuntu) Full Disk Encryption (directory /boot included)

Post by artrieu » Thu Feb 28, 2019 9:12 pm

I'm desperately trying to install Mint 18.3 KDE on a system that already has windows 10 for dual boot.
I'd like to have a full encryption.

I did follow this guide:https://www.youtube.com/watch?v=etzJAG_H5F8 and tried it with Debian first, which worked great. I just would prefer to use Mint.
So I deleted all of that and wanted to repeat it with mint, but the manual partitioning via the wizard crashes or just doesnt let me.


The difference: in Debian you create the encrypted volume and then you manage the volume and create from that root & swap. But with mint i choose the encrypted drive and then im stuck. does someone know how this works?

thanks

linux22
Level 1
Level 1
Posts: 23
Joined: Mon Jun 08, 2015 2:41 pm

Re: Mint 17.X, 18.X and 19.X (but also Ubuntu) Full Disk Encryption (directory /boot included)

Post by linux22 » Fri Mar 01, 2019 4:57 pm

Hello artrieu, I have read your message. If you are looking for a Dual Boot solution W10+Mint FDE I can suggest my tutorial
at: http://community.linuxmint.com/tutorial/view/2191 but I must warn you that it can be a bit outdated.

Anyway reading it you can learn how to manage LUKS partitions and LVM working with Mint and Ubiquity.
Remember that my solution works on PC with UEFI firmware and HDD with GPT partitioning scheme.

Please keep me informed about your progress.

Regards.

linux22

lofi
Level 1
Level 1
Posts: 4
Joined: Sun Mar 10, 2019 3:10 pm

Re: Mint 17.X, 18.X and 19.X (but also Ubuntu) Full Disk Encryption (directory /boot included)

Post by lofi » Sun Mar 10, 2019 4:13 pm

hi Linux22,
I have found and used your tutorial https://community.linuxmint.com/tutorial/view/2438 (EFI, GPT, encrypted /boot, secure boot) and it worked well ! Thanks! I've had no problem at all : I restarted the computer, activated secure boot, and it booted correctly! :wink:
But now I'm stuck after the first apt-get update/upgrade of the system... I read all the thread, searched the web for a solution but didn't find one.
Here are the errors I get :

Code: Select all

~$ sudo apt-get upgrade
(...)
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
5 not fully installed or removed.
(...)
Do you want to continue? [Y/n] Y
Setting up initramfs-tools (0.130ubuntu3.7) ...
update-initramfs: deferring update (trigger activated)
Setting up linux-image-4.15.0-46-generic (4.15.0-46.49) ...
Setting up linux-firmware (1.173.3) ...
update-initramfs: Generating /boot/initrd.img-4.15.0-46-generic
run-parts: failed to exec /etc/initramfs/post-update.d//objcopy_update_hook: Exec format error
run-parts: /etc/initramfs/post-update.d//objcopy_update_hook exited with return code 1
dpkg: error processing package linux-firmware (--configure):
 installed linux-firmware package post-installation script subprocess returned error exit status 1
dpkg: dependency problems prevent configuration of linux-image-generic:
 linux-image-generic depends on linux-firmware; however:
  Package linux-firmware is not configured yet.

dpkg: error processing package linux-image-generic (--configure):
 dependency problems - leaving unconfigured
dpkg: dependency problems prevent configuration of linux-generic:
 linux-generic depends on linux-image-generic (= 4.15.0.46.48); however:
  Package linux-image-generic is not configured yet.

dpkg: error processing package linux-generic (--configure):
 dependency problems - leaving unconfigured
No apport report written because the error message indicates its a followup error from a previous failure.
                                                                                                          No apport report written because the error message indicates its a followup error from a previous failure.
                                           Processing triggers for initramfs-tools (0.130ubuntu3.7) ...
update-initramfs: Generating /boot/initrd.img-4.15.0-46-generic
run-parts: failed to exec /etc/initramfs/post-update.d//objcopy_update_hook: Exec format error
run-parts: /etc/initramfs/post-update.d//objcopy_update_hook exited with return code 1
dpkg: error processing package initramfs-tools (--configure):
 installed initramfs-tools package post-installation script subprocess returned error exit status 1
No apport report written because MaxReports is reached already
                                                              Processing triggers for linux-image-4.15.0-46-generic (4.15.0-46.49) ...
/etc/kernel/postinst.d/initramfs-tools:
update-initramfs: Generating /boot/initrd.img-4.15.0-46-generic
run-parts: failed to exec /etc/initramfs/post-update.d//objcopy_update_hook: Exec format error
run-parts: /etc/initramfs/post-update.d//objcopy_update_hook exited with return code 1
run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1
dpkg: error processing package linux-image-4.15.0-46-generic (--configure):
 installed linux-image-4.15.0-46-generic package post-installation script subprocess returned error exit status 1
No apport report written because MaxReports is reached already
                                                              Errors were encountered while processing:
 linux-firmware
 linux-image-generic
 linux-generic
 initramfs-tools
 linux-image-4.15.0-46-generic
E: Sub-process /usr/bin/dpkg returned an error code (1)
This is the first error :

Code: Select all

update-initramfs: Generating /boot/initrd.img-4.15.0-46-generic
run-parts: failed to exec /etc/initramfs/post-update.d//objcopy_update_hook: Exec format error
objcopy_update_hook is present, but it's an empty file.

second error :

Code: Select all

dpkg: error processing package linux-firmware (--configure):
 installed linux-firmware package post-installation script subprocess returned error exit status 1
dpkg: dependency problems prevent configuration of linux-image-generic:
 linux-image-generic depends on linux-firmware; however:
  Package linux-firmware is not configured yet.
At first I used the Mint GUI updater, and I had unticked "install Grub" which we don't use. But then I retried the update in the terminal, I didn't know how to cherry-pick and refuse the installation of Grub. Apparently it's not the problem, but could it be?

Now for the real problem : here's what I saw online :
- You have a disk size problem : partition is full => not my case (I think)
- You have to apt-get purge, autoremove, then force install. Should I do that?

I have not rebooted since the problem, so I don't know if the failed update of initramfs (et caetera...) has made my computer unbootable or not.
Do you know what's causing the problem? What should I do?
Thanks in advance.
-- lofi.

lofi
Level 1
Level 1
Posts: 4
Joined: Sun Mar 10, 2019 3:10 pm

Re: Mint 17.X, 18.X and 19.X (but also Ubuntu) Full Disk Encryption (directory /boot included)

Post by lofi » Thu Mar 14, 2019 11:37 pm

ok, my bad, I created an empty objcopy_update_hook file, I put nothing in it, didn't copy/paste the example provided. Will test that and report if it works.
-- lofi

linux22
Level 1
Level 1
Posts: 23
Joined: Mon Jun 08, 2015 2:41 pm

Re: Mint 17.X, 18.X and 19.X (but also Ubuntu) Full Disk Encryption (directory /boot included)

Post by linux22 » Fri Mar 15, 2019 12:20 pm

Hello lofi, I have read your message. I think you must check your objcopy_update_hook file inside directory /etc/initramfs/post-update.d and verify the syntax of all lines of code. Some days ago I have got the same error (run-parts: failed to exec /etc/initramfs/post-update.d//objcopy_update_hook) because I had mistaken the first line #! /bin/sh with #! /bin/sh".

This banal error had resulted in hours of trouble until I saw the quotation mark at the end of the line and removed it.

So try again and copy and paste the code listed in my tutorial inside your objcopy_update_hook file.

Anyway if you have enough room in your ESP directory my advice is to leave a working copy of kernel.efi inside a rescue directory and boot from it in case of troubles.

Please keep me informed about your progress.

Regards.

linux22

lofi
Level 1
Level 1
Posts: 4
Joined: Sun Mar 10, 2019 3:10 pm

Re: Mint 17.X, 18.X and 19.X (but also Ubuntu) Full Disk Encryption (directory /boot included)

Post by lofi » Sat Mar 16, 2019 7:53 pm

hi linux22,
thanks for your reply.
You may have had a banal error, mine was just lame!

Now with the objcopy_update_hook file, I was able to (almost?) update the kernel and restart. :D
I say "almost", because I had this (please watch the last 2 lines),

Code: Select all

(...)
Setting up linux-firmware (1.173.3) ...
update-initramfs: Generating /boot/initrd.img-4.15.0-46-generic
Signature verification OK
Signature verification OK
update-initramfs: Generating /boot/initrd.img-4.15.0-20-generic
Signature verification OK
Signature verification OK
(…)
Setting up linux-image-generic (4.15.0.46.48) ...
Setting up linux-generic (4.15.0.46.48) ...
Processing triggers for initramfs-tools (0.130ubuntu3.7) ...
update-initramfs: Generating /boot/initrd.img-4.15.0-46-generic
Signature verification OK
Signature verification OK
Processing triggers for linux-image-4.15.0-46-generic (4.15.0-46.49) ...
/etc/kernel/postinst.d/initramfs-tools:
update-initramfs: Generating /boot/initrd.img-4.15.0-46-generic
Signature verification OK
Signature verification OK
W: APT had planned for dpkg to do more than it reported back (168 vs 178).
   Affected packages: initramfs-tools:amd64 linux-firmware:amd64 linux-image-4.15.0-46-generic:amd64
But then I did apt-get upgrade again (=> nothing to upgrade) and dpkg -s for the "affected packages" and it said "install ok installed" (btw, how could I inquire about partially successful updates? the warning must have meant something...)
Anyway, rebooting worked, so I think this is fixed!

>if you have enough room in your ESP directory my advice is to leave a working copy of kernel.efi inside a rescue directory and boot from it in case of troubles.
ok, that's what I did.

Thanks a lot!

linux22
Level 1
Level 1
Posts: 23
Joined: Mon Jun 08, 2015 2:41 pm

Re: Mint 17.X, 18.X and 19.X (but also Ubuntu) Full Disk Encryption (directory /boot included)

Post by linux22 » Mon Mar 18, 2019 8:23 pm

Hello lofi, I do not know the meaning of the last 2 line you get after your upgrade, but I think you should install the updates via mintUpdate. When you run commands like apt-get upgrade you can get an incomplete satisfaction of all dependencies.

In my experiences with the FDE installation described in this tutorial I have reached a correct installation of all available updates via the standard Mint update tool:
i.e. mintUpdate.

Regards.

linux22

lofi
Level 1
Level 1
Posts: 4
Joined: Sun Mar 10, 2019 3:10 pm

Re: Mint 17.X, 18.X and 19.X (but also Ubuntu) Full Disk Encryption (directory /boot included)

Post by lofi » Tue Mar 19, 2019 7:57 pm

Hi linux22,
thanks for the reply,
ok I'll update through mintUpdate preferably.
No other problem so far, looking good !

thanks,
lofi

Post Reply

Return to “Tutorials”