Mint 17.X to 21.X and LMDE 6 Full Disk Encryption (directory /boot included) - Using LUKS2, SecureBoot & TPM 2.0+PIN

1ng0

Re: Mint 17.X and 18.X Full Disk Encryption (directory /boot included)

Post by 1ng0 »

Hello linux22,

I just want to say thanks for your great tutorials! They helped me a lot when setting up my new PC.

In my setup I use BTRFS inside the LVM inside the LUKS volume on an NVMe SSD and I ran into the issue reported by user Luyseyal in the comments section of the tutorial (when /boot/grub is stored on the cryptroot as well, only /boot/efi remains unencrypted). Despite mounting individual BTRFS subvolumes within the chroot environment, GRUB paths always relate to the BTRFS filesystem root and the prefix path contains the @ somewhere, for example.

I'd like to share the solution I came up with after some research on the issue: a script which parses the main grub.cfg (created by update-grub) and builds an EFI bootable image for crypt-mounting the encrypted root volume to get access to the kernel and the main grub.cfg. It is similar to the one created by the grub-install command but adds the cryptmount command, an appropriate keyboard layout and fixes the prefix and root paths regarding BTRFS. Moreover, I don't know how this relates to the grub-mkstandalone command you refer to in the text. However, my script creates a single 'grubx64.efi' file as well, which can then be signed with the Secure Boot key. As Luyseyal wrote, 'GRUB_ENABLE_CRYPTODISK=y' in /etc/defaults/grub is not required with this script because the disk is opened at a very early stage during boot.

The dash-compatible shell script can be run by update-grub after the main grub.cfg has been populated; it just needs to be appended to the scripts in /etc/grub.d/ with a small delay. It can be found as a GitHub gist.

Your guide on configuring UEFI Secure Boot in custom mode with my own keys together with the original M$ keys worked perfectly!

Keep up the good work and best wishes!
Ingo
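The approach 1ng0 describes, as an added example written for this thread (it is not 1ng0's gist and not part of linux22's tutorial): an early-boot GRUB config that runs cryptomount, activates LVM and then hands over to the grub.cfg that update-grub wrote on the BTRFS "@" subvolume, baked into a single grubx64.efi with grub-mkimage. The LUKS UUID, the volume group and LV names (mint/root, as in the tutorial's mount commands) and the output path are assumptions; the keyboard layout handling 1ng0 mentions is left out.

```shell
#!/bin/sh
# Added example (not 1ng0's gist): build an early-boot GRUB EFI image that
# unlocks the LUKS container, activates LVM and then loads the real grub.cfg
# from the BTRFS "@" subvolume, so update-grub's output stays usable.
# LUKS_UUID, the volume group/LV names and the output path are assumptions;
# take the real UUID from `sudo blkid`.
set -eu

LUKS_UUID="${LUKS_UUID:-00000000-0000-0000-0000-000000000000}"   # placeholder
LVM_VG="${LVM_VG:-mint}"                                            # assumed VG name
LVM_LV="${LVM_LV:-root}"                                            # assumed LV name
OUT="${OUT:-/boot/efi/EFI/Boot/grubx64.efi}"                        # assumed output

# make_early_cfg UUID VG LV: print the config that grub-mkimage embeds.
# When the root is mounted from the subvolume, "/boot/grub" is "/@/boot/grub"
# as seen by GRUB, which is why a prefix computed inside the chroot is wrong.
make_early_cfg() {
  uuid_nodash=$(printf '%s' "$1" | tr -d -)   # cryptomount -u wants no dashes
  cat <<EOF
insmod part_gpt
insmod cryptodisk
insmod luks
insmod lvm
insmod btrfs
cryptomount -u ${uuid_nodash}
set root=(lvm/${2}-${3})
set prefix=(\$root)/@/boot/grub
configfile \$prefix/grub.cfg
EOF
}

# build_image OUTFILE: bake the config into one EFI binary. The module list is
# the minimum for LUKS1+LVM+BTRFS; GRUB >= 2.06 also has a luks2 module.
build_image() {
  cfg=$(mktemp)
  make_early_cfg "$LUKS_UUID" "$LVM_VG" "$LVM_LV" > "$cfg"
  grub-mkimage -O x86_64-efi -o "$1" -c "$cfg" \
    -p "(lvm/${LVM_VG}-${LVM_LV})/@/boot/grub" \
    part_gpt fat cryptodisk luks gcry_rijndael gcry_sha256 gcry_sha512 \
    lvm btrfs configfile normal linux search search_fs_uuid echo
  rm -f "$cfg"
}

# Only build when asked ("build" argument); otherwise just show the config,
# so the script is safe to inspect or source.
if [ "${1:-}" = "build" ]; then
  build_image "$OUT"
else
  make_early_cfg "$LUKS_UUID" "$LVM_VG" "$LVM_LV"
fi
```

Run it with `build` as root once the UUID and names are set, then sign the resulting grubx64.efi with sbsign exactly as the thread does for the other loaders; because the embedded config opens the container itself, GRUB_ENABLE_CRYPTODISK is not needed for this image.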
linux22
Level 2
Posts: 56
Joined: Mon Jun 08, 2015 2:41 pm

Re: Mint 17.X and 18.X Full Disk Encryption (directory /boot included)

Post by linux22 »

Hello 1ng0, I have read your message. I have installed my FDE solution with BTRFS filesystem only a few times, without any particular issues. So I think I will test these solutions again, trying to reproduce the error reported by you and Luyseyal. I think I will finish the test by 30/11/2017. We will talk again after the test.

Regards.

linux22
linux22
Level 2
Posts: 56
Joined: Mon Jun 08, 2015 2:41 pm

Re: Mint 17.X and 18.X Full Disk Encryption (directory /boot included)

Post by linux22 »

By the way, 1ng0 and Luyseyal, did you commit the command 'sudo mount -o subvol=@ /dev/mapper/mint-root /mnt' instead of 'sudo mount /dev/mapper/mint-root /mnt' as the first command of Step 4?

See the note for BTRFS filesystem inside Step 4 !!!

Please keep me informed about this.

Regards.

linux22
linux22
Level 2
Posts: 56
Joined: Mon Jun 08, 2015 2:41 pm

Re: Mint 17.X and 18.X Full Disk Encryption (directory /boot included)

Post by linux22 »

Hello 1ng0, I have done my tests and the results are:

Test with HDD SATA on hardware PC UEFI: OK
Test with HDD SATA on VirtualBox 5.2.0 machine UEFI: OK
Test with HDD NVMe on hardware PC UEFI: NOT AVAILABLE
Test with HDD NVMe on VirtualBox 5.2.0 machine UEFI: OK

So, the installation seems to be working smoothly for me, without any particular issue.

Anyway I do not have a hardware PC with NVMe and therefore I cannot test FDE+BTRFS for this configuration.

I can say that if you use a Linux distribution that adopts BTRFS with subvolumes (like Ubuntu, Mint, etc.)
you MUST commit the command 'sudo mount -o subvol=@ /dev/mapper/mint-root /mnt' instead of
'sudo mount /dev/mapper/mint-root /mnt' as the first command of Step 4 of my tutorial.

Instead, if you use a Linux distribution that adopts BTRFS without subvolumes (like Debian) you MUST
commit the common command 'sudo mount /dev/mapper/mint-root /mnt' as the first command of Step 4
of my tutorial.

If you get the same error again my advice is to update your NVMe and/or your MOTHERBOARD firmware and
try again.

Please keep me informed about your attempts.

Regards.

linux22
RobertoR

Re: Mint 17.X, 18.X and 19 Full Disk Encryption (directory /boot included)

Post by RobertoR »

I have been using this setup for 2 years now, and the only thing I regret about it is that I did not use it before!

Is there also a way to set up the key file on a USB disk, so that you need both a password and the USB stick to boot?
linux22
Level 2
Posts: 56
Joined: Mon Jun 08, 2015 2:41 pm

Re: Mint 17.X, 18.X and 19 Full Disk Encryption (directory /boot included)

Post by linux22 »

Hello RobertoR, I have read your message. If your PC has UEFI firmware you can easily boot via USB copying your bootx64.efi (or grubx64.efi) in your USB drive under a directory named /EFI/BOOT and renaming it as bootx64.efi. At boot-up you must enter your PC UEFI firmware boot menu and select the boot-up from your /EFI/BOOT/bootx64.efi file inside your USB drive. You can find this tip as the 3rd advice in Appendix A of my tutorial at https://community.linuxmint.com/tutorial/view/2061


Regards.

linux22
RobertoR

Re: Mint 17.X, 18.X and 19 Full Disk Encryption (directory /boot included)

Post by RobertoR »

Thanks linux22

I did not see this reply until now.

I have UEFI but never used the EFI/GPT setup.
But as far as I can see, the EFI System Partition is unencrypted and there is a lot of space to put something there!
And me being paranoid about computer security... and not without a reason.

I don't know anything about EFI and how secure it is, but I'll stay with MBR as long as I can.
From MBR I know that the size is only 512 bytes, and that does not look to me like much space to put some kind of virus in.
I don't really know much about this subject, but to me MBR looks more secure.
MikZ
Level 3
Posts: 101
Joined: Sun Mar 17, 2013 7:08 pm

Re: Mint 17.X, 18.X and 19 Full Disk Encryption (directory /boot included)

Post by MikZ »

Hi @linux22! I do appreciate these guides, but I still haven't managed to get what I want, which is a multi-drive Mint 19 system (/home on its own drive) with FDE on each drive. It'd be really great if hibernate worked in such a setup, too, since I'm tired of having to reboot everything from scratch when I swap a battery on an airliner. So I don't think _all_ of 'our concerns for an easy, standard and reliable FDE solution' are over quite yet. :wink:

I posted for help with this a few weeks ago. Perhaps you can offer me some advice? Cheers.
linux22
Level 2
Posts: 56
Joined: Mon Jun 08, 2015 2:41 pm

Re: Mint 17.X, 18.X and 19 Full Disk Encryption (directory /boot included)

Post by linux22 »

Hello MikZ, I have read your message. I do not see great difficulties in achieving your wishes.
You can easily configure a LUKS encrypted drive and mount it under the '/home' directory at boot time, simply by configuring your '/etc/crypttab' file.

Then, if you really want to enable the 'hibernate' function, you must correctly configure the parameters 'root' and 'resume' inside the GRUB_CMDLINE_LINUX_DEFAULT directive in your '/etc/default/grub' file and then re-enable the option in the 'power menu'.

Remember that the 'hibernate' function is disabled by default in Ubuntu (and many based/derived distributions), probably because of the data losses that occurred in past versions.

Regards.

linux22
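The three configuration entries linux22's reply refers to (a second LUKS drive opened via /etc/crypttab and mounted at /home, the matching /etc/fstab line, and the root/resume parameters for hibernate), as an added example that is not part of the tutorial or of this thread. The mapper names crypthome, mint-root and mint-swap and the UUID are constructed placeholders; real UUIDs come from `sudo blkid`.

```shell
#!/bin/sh
# Added example, not from linux22's tutorial: generate the entries a second
# LUKS drive mounted at /home needs, plus the GRUB line with root and resume
# for hibernate. All names and UUIDs below are constructed placeholders.
set -eu

# crypttab_entry NAME UUID -> "NAME UUID=... none luks"
# "none" means the passphrase is asked for at boot; a key file path can go
# there instead once the root filesystem (which is itself encrypted) holds it.
crypttab_entry() {
  printf '%s UUID=%s none luks\n' "$1" "$2"
}

# fstab_entry NAME MOUNTPOINT FSTYPE -> mount the opened mapper device.
fstab_entry() {
  printf '/dev/mapper/%s %s %s defaults 0 2\n' "$1" "$2" "$3"
}

# grub_cmdline ROOT_MAPPER SWAP_MAPPER -> the GRUB_CMDLINE_LINUX_DEFAULT
# directive with the root and resume parameters linux22 mentions.
grub_cmdline() {
  printf 'GRUB_CMDLINE_LINUX_DEFAULT="quiet splash root=/dev/mapper/%s resume=/dev/mapper/%s"\n' "$1" "$2"
}

# check_crypttab_line LINE -> 0 if it has the four crypttab fields and a
# UUID= source (device names like /dev/sdb1 can change between boots).
check_crypttab_line() {
  set -- $1
  [ $# -eq 4 ] || return 1
  case $2 in UUID=*) ;; *) return 1 ;; esac
  return 0
}

HOME_UUID="11111111-2222-3333-4444-555555555555"   # constructed placeholder
line=$(crypttab_entry crypthome "$HOME_UUID")
check_crypttab_line "$line"
echo "# /etc/crypttab";      echo "$line"
echo "# /etc/fstab";         fstab_entry crypthome /home ext4
echo "# /etc/default/grub";  grub_cmdline mint-root mint-swap
```

After editing /etc/default/grub, run `sudo update-grub` so the new kernel command line reaches grub.cfg; the swap volume named in resume= must be one the initramfs can open, i.e. it also has to be listed in /etc/crypttab.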
MikZ
Level 3
Posts: 101
Joined: Sun Mar 17, 2013 7:08 pm

Re: Mint 17.X, 18.X and 19 Full Disk Encryption (directory /boot included)

Post by MikZ »

Thanks, @linux22! I seem to have muddled along far enough so far; /etc/fstab and /etc/crypttab weren't as complicated as they initially looked. ☺

Thanks for the tips about hibernating; I'll give those a go soon. We're starting to drift off topic, but were the data losses you talked about anything more than sessions failing to fully restore after hibernation?
john523

Re: Mint 17.X, 18.X and 19 Full Disk Encryption (directory /boot included)

Post by john523 »

Hello,

I have used the BIOS PC with GPT method and everything went fine except renaming initctl, because it was not present in the /mnt/sbin/ folder. I eventually skipped that step, committed the last command (sudo umount ...) and finished the tutorial.
What consequences will skipping renaming initctl (because I couldn't find it) have, and can any future adjustments be made after completing the tutorial, or will I need to start over from scratch?

I was installing Linux Mint 19 this time (using the method for Mint 17.x & 18.x), but if I remember correctly, the last time I installed Linux Mint 18.x I also couldn't find initctl in its supposed folder.

(I also used Appendix A 1st recommendation if it matters)
linux22
Level 2
Posts: 56
Joined: Mon Jun 08, 2015 2:41 pm

Re: Mint 17.X, 18.X and 19 Full Disk Encryption (directory /boot included)

Post by linux22 »

Hello john523, I have read your message. Do not worry about initctl.

This issue was present in Linux Mint 17.X only. If your installation works fine, leave initctl as it is.

Regards.

linux22
john523

Re: Mint 17.X, 18.X and 19 Full Disk Encryption (directory /boot included)

Post by john523 »

Thank you for your reply! It's a relief to hear everything is working as it is supposed to, and thank you for the tutorial.
hotwolf

Re: Mint 17.X, 18.X and 19.X Full Disk Encryption (directory /boot included)

Post by hotwolf »

Hello Linux22,

Thanks for the really helpful tutorial. I was able to install Mint 19.1 on my 8th gen NUC without issues.
However I'm struggling with enabling secure boot. When I follow the instructions and run the command:

sbsign --key db.key --cert db.crt --output /boot/efi/EFI/Mint/kernel.efi /boot/efi/EFI/Mint/kernel.efi
...I get the following error message:

Can't load key from file 'db.key'
140570829908864:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:74:fopen('db.key','r')
140570829908864:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:81:
Do you have any idea why this doesn't work on my setup?

Thanks!
linux22
Level 2
Posts: 56
Joined: Mon Jun 08, 2015 2:41 pm

Re: Mint 17.X, 18.X and 19.X Full Disk Encryption (directory /boot included)

Post by linux22 »

Hello hotwolf, I have read your message. I need more information about your installation.
I think you have installed Linux Mint 19.1, following the procedure described in my last
tutorial at https://community.linuxmint.com/tutorial/view/2438, on a NUC8 Intel Box, set in
UEFI mode.

If your installation works fine and you have then followed the instructions contained in my
other tutorial https://community.linuxmint.com/tutorial/view/2496 (How enable Secure Boot),
Step 3 and 4, please check the following items:

1) does your NUC8 UEFI Firmware panel "SECURE BOOT CONFIG" look like the one depicted in Step 6 of my tutorial at https://community.linuxmint.com/tutorial/view/2496 ?

2) has your directory "/boot/efikeys" been populated with your Custom keys ?

3) when you commit the command "sbsign --key db.key --cert db.crt --output /boot/efi/EFI/Mint/kernel.efi /boot/efi/EFI/Mint/kernel.efi", is your working directory "/boot/efikeys" and is the command run as root ?

Regards.

linux22
Last edited by linux22 on Sun Aug 16, 2020 10:43 am, edited 2 times in total.
hotwolf

Re: Mint 17.X, 18.X and 19.X Full Disk Encryption (directory /boot included)

Post by hotwolf »

Hello Linux22,

Thanks for taking the time to look into my secure boot problem.

Yes, I've successfully followed the full disk encryption tutorial on my 8th gen NUC in UEFI mode.
As suggested in there, I've continued with step 3 of the secure boot tutorial.

My "Visual BIOS" screen looks almost like yours:
screenshot.jpg
I do not have a "/boot/efikeys" directory. Should that have been generated by the "objcopy_update hook" script? Here I have just simply copied the "typical content" listed in the tutorial into my version of this file. Or did I miss any other step?

Regards,
hotwolf
linux22
Level 2
Posts: 56
Joined: Mon Jun 08, 2015 2:41 pm

Re: Mint 17.X, 18.X and 19.X (but also Ubuntu) Full Disk Encryption (directory /boot included)

Post by linux22 »

Hello hotwolf, I have read your message. It seems that you have missed the correct configuration of Secure Boot.

So you must go back to my tutorial https://community.linuxmint.com/tutorial/view/2496 (How enable Secure Boot)
and restart from Step 3, clearing your UEFI Firmware Secure Boot database.

Once you have selected the right option (as indicated in your screenshot), you must restart the PC, confirming the
selected modifications. At the next boot-up re-enter your UEFI Firmware and re-check your NUC8 UEFI Firmware panel
"SECURE BOOT CONFIG".
Secure Boot must be checked, Secure Boot Mode must be set to Custom and PK, KEK, db and dbx keys must be set
to Not Installed.

Now you can go on to Step 4 of my tutorial https://community.linuxmint.com/tutorial/view/2496 (How enable Secure Boot),
committing all the 24 listed commands. Doing so you build your Custom Keys, save them to directory "/boot/efikeys" and
finally enroll your PK, KEK and db keys inside the Secure Boot database of your UEFI platform Firmware.
If you get errors committing the last three commands, you have failed to clear your UEFI platform database, as indicated in
Step 3.

The final step is committing the last 5 commands listed at the end of Step 4 of the main tutorial https://community.linuxmint.com/tutorial/view/2438:

sudo sbsign --key db.key --cert db.crt --output /boot/efi/EFI/Mint/kernel.efi /boot/efi/EFI/Mint/kernel.efi
sudo sbsign --key db.key --cert db.crt --output /boot/efi/EFI/Boot/Bootx64.efi /boot/efi/EFI/Boot/Bootx64.efi
sudo sync
sudo sbverify --cert db.crt /boot/efi/EFI/Mint/kernel.efi
sudo sbverify --cert db.crt /boot/efi/EFI/Boot/Bootx64.efi

If your bash Terminal is still in root mode (from the previous steps when you committed "sudo -i") you can omit 'sudo' from
these 5 command lines.

Check that your working directory when running these 5 commands is still "/boot/efikeys".

Now you have signed your EFI STUB loaders and you can reboot your PC with Secure Boot enabled and correctly activated.

Please keep me informed about your progress.

Regards.

linux22
Last edited by linux22 on Sun Aug 16, 2020 10:43 am, edited 2 times in total.
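The signing step above, as an added example written for this thread (it is not part of linux22's tutorial): a script that first checks what sbsign needs (db.key and db.crt in the key directory, the loader files present, root privileges), so a wrong working directory produces a plain message instead of the OpenSSL "Can't load key from file 'db.key'" trace hotwolf saw, and only then signs and verifies the two loaders in place. The key directory /boot/efikeys and the two loader paths are the ones the thread names; everything else is an assumption.

```shell
#!/bin/sh
# Added example, not from linux22's tutorial: verify the prerequisites for
# sbsign before signing, then sign and sbverify the EFI STUB loaders in place.
set -eu

KEYDIR="${KEYDIR:-/boot/efikeys}"   # where the tutorial stores the custom keys
# Loaders to sign, as listed in the thread.
TARGETS="/boot/efi/EFI/Mint/kernel.efi /boot/efi/EFI/Boot/Bootx64.efi"

# check_signing_prereqs KEYDIR TARGET... -> 0 if key, cert and every loader
# are readable; otherwise report each missing file and return 1.
check_signing_prereqs() {
  dir=$1; shift
  rc=0
  for f in db.key db.crt; do
    if [ ! -r "$dir/$f" ]; then
      echo "missing $dir/$f (cd to $dir, or set KEYDIR to the key directory)" >&2
      rc=1
    fi
  done
  for t in "$@"; do
    if [ ! -f "$t" ]; then
      echo "missing loader $t (was objcopy_update run?)" >&2
      rc=1
    fi
  done
  return $rc
}

# sign_and_verify KEYDIR TARGET... : sign each loader in place with the db key
# and confirm the signature chains to db.crt, exactly as the thread's commands do.
sign_and_verify() {
  dir=$1; shift
  for t in "$@"; do
    sbsign --key "$dir/db.key" --cert "$dir/db.crt" --output "$t" "$t"
    sbverify --cert "$dir/db.crt" "$t"
  done
  sync
}

main() {
  if [ "$(id -u)" -ne 0 ]; then
    echo "run as root (sudo -i), the loaders live on the EFI partition" >&2
    return 1
  fi
  check_signing_prereqs "$KEYDIR" $TARGETS || return 1
  sign_and_verify "$KEYDIR" $TARGETS
}

# Only act when invoked with "sign", so the functions can be sourced or tested.
if [ "${1:-}" = "sign" ]; then
  main
fi
```

Using absolute key paths removes the dependency on the working directory altogether; passing `--output` with the same path as the input is what the thread's commands do, so the script keeps that behaviour.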
hotwolf

Re: Mint 17.X, 18.X and 19.X (but also Ubuntu) Full Disk Encryption (directory /boot included)

Post by hotwolf »

Hello Linux22,

I followed your instructions and this time it worked. I must have somehow left out some parts of step 4 in my earlier attempt. My BIOS now shows that PKpub, KEK, and db are installed. I assume that is the indicator that secure boot is now effective.

Thanks a lot for your help!

Regards,
hotwolf
linux22
Level 2
Posts: 56
Joined: Mon Jun 08, 2015 2:41 pm

Re: Mint 17.X, 18.X and 19.X (but also Ubuntu) Full Disk Encryption (directory /boot included)

Post by linux22 »

Hello hotwolf, I have read your message.

Well done.

Now if you want the confirmation that Secure Boot is enabled and active you can try and boot your PC with another media. You can try and boot your PC from the USB stick containing the Live ISO image used for the installation of Linux Mint 19.1. If Secure Boot is working correctly the Linux Mint Live ISO image won't boot, because its boot loader is not signed with your Custom keys. Anyway you can disable or enable Secure Boot anytime unchecking or checking the "Secure Boot" option in your PC UEFI Firmware panel "SECURE BOOT CONFIG".

Regards.

linux22
hotwolf

Re: Mint 17.X, 18.X and 19.X (but also Ubuntu) Full Disk Encryption (directory /boot included)

Post by hotwolf »

Hello Linux22,

Yes, secure boot is working. I can no longer boot from the ISO image.
I have one more question, though:
Every time I boot my Nook, I get the following message:
Boot message.jpeg
This is not a problem, selecting 'N' boots the system securely as it is supposed to.
I'm just wondering if that message has anything to do with the custom boot setup or if this is caused by something totally unrelated.

Thanks,
hotwolf