How to: get the whole system encrypted

Brock

Re: How to: get the whole system encrypted

Post by Brock »

Last night I had to do a hard reboot on an HP laptop set up exactly like the tutorial. Works great, I've used it for several installs of Linux Mint, currently LM8 Fluxbox, and have never had so much as a hiccup.

On restart the "croot" and "cswap" mounted fine, but on login, the hdd accessed for a bit then restarted the login (never getting past that).

From a terminal on the live CD, I can open "chome" with cryptsetup, but when I go to mount it I get a "mount: wrong fs type, bad option, bad superblock on /dev/mapper/chome, missing codepage or helper program, or other error"

Specifically:

mint@mint mnt $ sudo cryptsetup luksOpen /dev/sda4 chome
Enter LUKS passphrase: 
key slot 0 unlocked.
Command successful.

mint@mint mnt $ sudo mkdir home

mint@mint mnt $ sudo mount -t ext3 /dev/mapper/chome /mnt/home
mount: wrong fs type, bad option, bad superblock on /dev/mapper/chome,
       missing codepage or helper program, or other error
       In some cases useful info is found in syslog - try
       dmesg | tail  or so

Am I trying to mount that volume correctly? If so, does that indicate a disk problem? Is there any way to fix that and save what I can from that volume?

I have looked at fstab, crypttab, the pam_mount config xml on "croot" and all the rest and verified they still match the tutorial.

Edit to add: Looks like I do have disk errors. Syslog:

Apr 29 16:55:18 mint kernel: [ 8191.456102] ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
Apr 29 16:55:18 mint kernel: [ 8191.456109] ata1.00: BMDMA stat 0x25
Apr 29 16:55:18 mint kernel: [ 8191.456119] ata1.00: cmd c8/00:00:37:99:a6/00:00:00:00:00/e7 tag 0 dma 131072 in
Apr 29 16:55:18 mint kernel: [ 8191.456121]          res 51/40:52:e5:99:a6/00:00:00:00:00/e7 Emask 0x9 (media error)
Apr 29 16:55:18 mint kernel: [ 8191.456125] ata1.00: status: { DRDY ERR }
Apr 29 16:55:18 mint kernel: [ 8191.456129] ata1.00: error: { UNC }
Apr 29 16:55:18 mint kernel: [ 8191.472422] ata1.00: configured for UDMA/100
Apr 29 16:55:18 mint kernel: [ 8191.472443] ata1: EH complete
Apr 29 16:55:20 mint kernel: [ 8194.061416] ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
Apr 29 16:55:20 mint kernel: [ 8194.061423] ata1.00: BMDMA stat 0x25
Apr 29 16:55:20 mint kernel: [ 8194.061433] ata1.00: cmd c8/00:00:37:99:a6/00:00:00:00:00/e7 tag 0 dma 131072 in
Apr 29 16:55:20 mint kernel: [ 8194.061435]          res 51/40:52:e5:99:a6/00:00:00:00:00/e7 Emask 0x9 (media error)
Apr 29 16:55:20 mint kernel: [ 8194.061439] ata1.00: status: { DRDY ERR }
Apr 29 16:55:20 mint kernel: [ 8194.061443] ata1.00: error: { UNC }
Apr 29 16:55:20 mint kernel: [ 8194.078095] ata1.00: configured for UDMA/100
Apr 29 16:55:20 mint kernel: [ 8194.078117] ata1: EH complete
Apr 29 16:55:23 mint kernel: [ 8196.861069] ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
Apr 29 16:55:23 mint kernel: [ 8196.861076] ata1.00: BMDMA stat 0x25
Apr 29 16:55:23 mint kernel: [ 8196.861086] ata1.00: cmd c8/00:00:37:99:a6/00:00:00:00:00/e7 tag 0 dma 131072 in
Apr 29 16:55:23 mint kernel: [ 8196.861088]          res 51/40:52:e5:99:a6/00:00:00:00:00/e7 Emask 0x9 (media error)
Apr 29 16:55:23 mint kernel: [ 8196.861092] ata1.00: status: { DRDY ERR }
Apr 29 16:55:23 mint kernel: [ 8196.861096] ata1.00: error: { UNC }
Apr 29 16:55:23 mint kernel: [ 8196.879909] ata1.00: configured for UDMA/100
Apr 29 16:55:23 mint kernel: [ 8196.879931] ata1: EH complete
Apr 29 16:55:26 mint kernel: [ 8199.464602] ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
Apr 29 16:55:26 mint kernel: [ 8199.464609] ata1.00: BMDMA stat 0x25
Apr 29 16:55:26 mint kernel: [ 8199.464619] ata1.00: cmd c8/00:00:37:99:a6/00:00:00:00:00/e7 tag 0 dma 131072 in
Apr 29 16:55:26 mint kernel: [ 8199.464621]          res 51/40:52:e5:99:a6/00:00:00:00:00/e7 Emask 0x9 (media error)
Apr 29 16:55:26 mint kernel: [ 8199.464625] ata1.00: status: { DRDY ERR }
Apr 29 16:55:26 mint kernel: [ 8199.464629] ata1.00: error: { UNC }
Apr 29 16:55:26 mint kernel: [ 8199.488407] ata1.00: configured for UDMA/100
Apr 29 16:55:26 mint kernel: [ 8199.488427] ata1: EH complete
Apr 29 16:55:28 mint kernel: [ 8202.077700] ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
Apr 29 16:55:28 mint kernel: [ 8202.077707] ata1.00: BMDMA stat 0x25
Apr 29 16:55:28 mint kernel: [ 8202.077718] ata1.00: cmd c8/00:00:37:99:a6/00:00:00:00:00/e7 tag 0 dma 131072 in
Apr 29 16:55:28 mint kernel: [ 8202.077720]          res 51/40:52:e5:99:a6/00:00:00:00:00/e7 Emask 0x9 (media error)
Apr 29 16:55:28 mint kernel: [ 8202.077724] ata1.00: status: { DRDY ERR }
Apr 29 16:55:28 mint kernel: [ 8202.077728] ata1.00: error: { UNC }
Apr 29 16:55:28 mint kernel: [ 8202.092389] ata1.00: configured for UDMA/100
Apr 29 16:55:28 mint kernel: [ 8202.092408] ata1: EH complete
Apr 29 16:55:31 mint kernel: [ 8204.879434] ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
Apr 29 16:55:31 mint kernel: [ 8204.879441] ata1.00: BMDMA stat 0x25
Apr 29 16:55:31 mint kernel: [ 8204.879451] ata1.00: cmd c8/00:00:37:99:a6/00:00:00:00:00/e7 tag 0 dma 131072 in
Apr 29 16:55:31 mint kernel: [ 8204.879453]          res 51/40:52:e5:99:a6/00:00:00:00:00/e7 Emask 0x9 (media error)
Apr 29 16:55:31 mint kernel: [ 8204.879458] ata1.00: status: { DRDY ERR }
Apr 29 16:55:31 mint kernel: [ 8204.879461] ata1.00: error: { UNC }
Apr 29 16:55:31 mint kernel: [ 8204.900415] ata1.00: configured for UDMA/100
Apr 29 16:55:31 mint kernel: [ 8204.900456] sd 0:0:0:0: [sda] Unhandled sense code
Apr 29 16:55:31 mint kernel: [ 8204.900460] sd 0:0:0:0: [sda] Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
Apr 29 16:55:31 mint kernel: [ 8204.900465] sd 0:0:0:0: [sda] Sense Key : Medium Error [current] [descriptor]
Apr 29 16:55:31 mint kernel: [ 8204.900471] Descriptor sense data with sense descriptors (in hex):
Apr 29 16:55:31 mint kernel: [ 8204.900474]         72 03 11 04 00 00 00 0c 00 0a 80 00 00 00 00 00 
Apr 29 16:55:31 mint kernel: [ 8204.900494]         07 a6 99 e5 
Apr 29 16:55:31 mint kernel: [ 8204.900501] sd 0:0:0:0: [sda] Add. Sense: Unrecovered read error - auto reallocate failed
Apr 29 16:55:31 mint kernel: [ 8204.900509] end_request: I/O error, dev sda, sector 128358885
Apr 29 16:55:31 mint kernel: [ 8204.900553] ata1: EH complete
Apr 29 16:55:31 mint kernel: [ 8204.901905] JBD: Failed to read block at offset 29825
Apr 29 16:55:31 mint kernel: [ 8204.901914] JBD: recovery failed
Apr 29 16:55:31 mint kernel: [ 8204.901917] EXT3-fs: error loading journal.

Now what?

Edit 2:

Easy fix, actually. Boot to live CD, plug in USB external HDD (mounted to /media/disk) and make a backup copy of the partition.

mint@mint media $ sudo dd if=/dev/sda4 of=/media/disk/chome.img

Open the encrypted volume:

mint@mint media $ sudo cryptsetup luksOpen /dev/sda4 chome
Enter LUKS passphrase: 
key slot 0 unlocked.
Command successful.

Check and repair the file system:

mint@mint media $ sudo e2fsck -C0 -f -y /dev/mapper/chome

fsck checks and repairs the corrupt superblock. Reboot to the HDD, and voilà! Back to normal.
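Two caveats on the recovery above, with an added shell example that is not Brock's code or the tutorial's: plain dd stops at the first unreadable sector (the log shows a UNC error at sector 128358885), so the image should be taken with conv=noerror,sync, and e2fsck is better run on the copy than on a disk that is already failing; cryptsetup opens an image file directly. The script extracts the failing sectors from the kernel log, converts one to a byte offset inside the partition (the partition's start sector can be read from /sys/class/block/sda4/start; the value used here is hypothetical), and runs or, with DRY_RUN=1, prints the image, open, repair sequence.

```shell
#!/bin/sh
# Added example, not from the original post: triage a failing disk before
# touching an encrypted partition. Parses the kernel log for unrecovered read
# errors, maps an absolute sector to a partition-relative byte offset, and
# either runs or (DRY_RUN=1) prints the image-then-repair sequence.
# Assumption for illustration: the image path and mapping name follow the
# post; the start sector passed to partition_offset is hypothetical.

# Constructed sample, trimmed from the kernel log quoted in the post.
SAMPLE_LOG='Apr 29 16:55:31 mint kernel: [ 8204.900501] sd 0:0:0:0: [sda] Add. Sense: Unrecovered read error - auto reallocate failed
Apr 29 16:55:31 mint kernel: [ 8204.900509] end_request: I/O error, dev sda, sector 128358885
Apr 29 16:55:31 mint kernel: [ 8204.901917] EXT3-fs: error loading journal.'

# bad_sectors LOGTEXT DEV -> unique, sorted list of failing 512-byte sectors on DEV
bad_sectors() {
    printf '%s\n' "$1" \
    | sed -n "s/.*I\/O error, dev $2, sector \([0-9][0-9]*\).*/\1/p" \
    | sort -un
}

# partition_offset SECTOR START_SECTOR -> byte offset inside the partition;
# non-zero exit when the sector lies before the partition start
partition_offset() {
    [ "$1" -ge "$2" ] || return 1
    echo $(( ($1 - $2) * 512 ))
}

# run CMD... : execute, or only print when DRY_RUN=1 so the plan can be reviewed
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# recover_home PART IMAGE NAME: image the raw (still encrypted) partition,
# padding unreadable blocks with zeros instead of aborting, then open the
# copy and fsck it. e2fsck therefore never writes to the failing disk.
recover_home() {
    part=$1 img=$2 name=$3
    run dd if="$part" of="$img" bs=4096 conv=noerror,sync
    run cryptsetup luksOpen "$img" "$name"
    run e2fsck -C0 -f -y "/dev/mapper/$name"
    run cryptsetup luksClose "$name"
}
```

Run it from the live CD as root with DRY_RUN=1 first to review the commands. A zeroed 4 KiB block in the image decrypts to random-looking bytes, which is the damage e2fsck then has to repair; anything recovered from the image is what was salvageable from the disk.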
na5m

Re: How to: get the whole system encrypted

Post by na5m »

Great tutorial. I substituted aes-xts-plain for the older cbc mode and
I used the aes_x86_64 module, as I'm running 64-bit Isadora. I chose sha512 for
password hash and also for key creation. I put everything under / (except for /boot, of course)
and I have no swap. Suspend to ram works fine. I don't use suspend to disk as this is my desktop
machine connected to a UPS. I feel that my data is pretty secure now (not that I have anything
interesting hidden :mrgreen: ).

Cheers to the OP.

EDIT:
Having played with the information in this thread for a few days, I discovered that:

1) (for Isadora x64, anyway) you only need to mount /proc in the chroot environment to achieve a successful update-initramfs pass. BTW, you should umount /proc before you leave the chroot environment.

2) (for Isadora x64, anyway) you don't need to apt-get anything. It's already on the liveDVD.

3) (for Isadora x64, anyway) you don't need to modprobe anything. See below 4).

4) (for Isadora x64, anyway) you don't need to put anything in /etc/initramfs-tools/modules. The modules' functionality gets automagically loaded into the running kernel. See above 3).

5) Mint ROCKS!
macias

Re: How to: get the whole system encrypted

Post by macias »

Thank you for the great howto! I will try it out with LMDE.

The auto-mount on login link is dead, I found some others:

https://we.riseup.net/debian/automatica ... ypted-home
http://gentoo-blog.de/ubuntu/encrypted- ... uto-logon/
willie42

Re: How to: get the whole system encrypted

Post by willie42 »

Great how-to, very detailed and very well stated.
phaed

Re: How to: get the whole system encrypted

Post by phaed »

Thanks for this.
turqoisehex

Re: How to: get the whole system encrypted

Post by turqoisehex »

Finally! A full disk encryption technique that works! All the others I had used complex LVM setups and would never work. Thank you for sharing this!
Paddy Landau

Re: How to: get the whole system encrypted

Post by Paddy Landau »

sharney wrote:This works great, however, if you have a laptop and you want to use hibernate to disk, you can't because the swap partition is encrypted with a random key. However, I found another howto at http://www.c3l.de/linux/howto-completly ... y-eft.html which helped me figure out how to fix this. Basically you make the swap partition like you do the other partitions with a passphrase but there are a few wrinkles ...
@sharney, thank you for that great description.

Thanks to you, I have managed to modify the process to work with Ubuntu!
sisteczko

Re: How to: get the whole system encrypted

Post by sisteczko »

This recipe ceased to work on Mint 16 Petra; there's no file /etc/acpi/hibernate.sh and I failed to find something similar.

Skipping the step involving the hibernate.sh leads to the system without swap and never asking the password on boot time.

I use fairly vanilla Mint 16 Petra Cinnamon.
undecided

Re: How to: get the whole system encrypted

Post by undecided »

Hey, found the hibernation fixes post very useful (not yet brave enough for full-disk encryption!) - it does still work, however the following are my notes:
  • Don't worry about the lack of hibernate.sh. I believe it is unnecessary if you are using the vanilla kernel-based hibernation tools. However, I will point out that I've named my encrypted filesystem cryptswap1 instead of cswap - because Linux Mint had already done the heavy lifting for me, and I wanted to keep things as consistent as possible. I may have escaped some further edits by doing this.
  • No need for a croot entry in crypttab if you're not doing full-disk encryption (I'm not - I'm just trying to fix the default Linux Mint borked setup)
  • Once your new crypt is mounted, do

        swapon -a

    It will tell you that it can't read the swap headers. This is because you've basically set up a blank encrypted disk - and you need to put the swap "file"system on it. Very easy to do - if you've called your swap `cswap`, then as root you need to run

        mkswap /dev/mapper/cswap

Other than that, everything else on the hibernation fixes works. Hope that helps!
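The hibernation posts above come down to three settings that have to agree, so here is an added shell check, not from any of the posts, run over constructed copies of /etc/crypttab, /etc/fstab and /etc/initramfs-tools/conf.d/resume; the device names and the mapping name cswap are assumed for illustration. A swap mapping keyed from /dev/urandom gets a fresh key every boot (and, with the crypttab swap option, a fresh mkswap), which is why resume from it cannot work; a passphrase-keyed mapping needs mkswap run once by hand, as undecided found, and the initramfs must be told that the resume device is the mapper, not the raw partition.

```shell
#!/bin/sh
# Added example, not from the original posts: lint the swap side of an
# encrypted setup for suspend-to-disk. Checks that the crypttab entry exists,
# that its key is persistent (a /dev/urandom key is regenerated each boot, so
# a hibernation image on that swap is unreadable after reboot), that fstab
# mounts the mapper as swap, and that the initramfs resume device is the mapper.
# All device names and config lines below are constructed for illustration.

# Constructed samples standing in for /etc/crypttab, /etc/fstab and
# /etc/initramfs-tools/conf.d/resume.
CRYPTTAB_RANDOM='croot  /dev/sda2  none          luks
cswap  /dev/sda3  /dev/urandom  swap,cipher=aes-xts-plain64,size=256'
CRYPTTAB_PASS='croot  /dev/sda2  none  luks
cswap  /dev/sda3  none  luks'
FSTAB='/dev/mapper/croot  /     ext3  defaults  0  1
/dev/mapper/cswap  none  swap  sw        0  0'
RESUME_OK='RESUME=/dev/mapper/cswap'
RESUME_BAD='RESUME=/dev/sda3'

# crypttab_field NAME N CRYPTTAB -> field N of the entry for mapping NAME
crypttab_field() {
    printf '%s\n' "$3" | awk -v n="$1" -v f="$2" '$1 == n { print $f; exit }'
}

# swap_key_is_random NAME CRYPTTAB -> 0 when the key comes from the kernel RNG
swap_key_is_random() {
    case "$(crypttab_field "$1" 3 "$2")" in
        /dev/urandom|/dev/random) return 0 ;;
        *) return 1 ;;
    esac
}

# check_hibernate NAME CRYPTTAB FSTAB RESUME -> one finding per line on stdout;
# exits 0 only when suspend-to-disk can work with this configuration
check_hibernate() {
    name=$1 crypttab=$2 fstab=$3 resume=$4 rc=0
    if [ -z "$(crypttab_field "$name" 2 "$crypttab")" ]; then
        echo "FAIL: no crypttab entry for $name"
        return 1
    fi
    if swap_key_is_random "$name" "$crypttab"; then
        echo "FAIL: $name is keyed from $(crypttab_field "$name" 3 "$crypttab"); a hibernation image cannot be read back after reboot"
        rc=1
    else
        echo "OK: $name uses a persistent key (run mkswap /dev/mapper/$name once before swapon)"
    fi
    if ! printf '%s\n' "$fstab" \
        | awk -v d="/dev/mapper/$name" '$1 == d && $3 == "swap" { found = 1 } END { exit !found }'; then
        echo "FAIL: fstab has no swap line for /dev/mapper/$name"
        rc=1
    fi
    case "$resume" in
        "RESUME=/dev/mapper/$name") echo "OK: initramfs resume device is /dev/mapper/$name" ;;
        *) echo "FAIL: resume device is '${resume#RESUME=}', expected /dev/mapper/$name"; rc=1 ;;
    esac
    return $rc
}
```

On a real system feed it the files themselves, e.g. check_hibernate cswap "$(cat /etc/crypttab)" "$(cat /etc/fstab)" "$(cat /etc/initramfs-tools/conf.d/resume)", and rerun update-initramfs after changing the resume file; the check reads the files only and changes nothing.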