Mint 17.X to 21.X and LMDE 6 Full Disk Encryption (directory /boot included) - Using LUKS2, SecureBoot & TPM 2.0+PIN
Posted: Mon Jun 15, 2015 6:56 am
Last update: 3 December 2023
Hi folks, release Ver. 1.1 of the tutorials for LMDE 6 Full Disk Encryption with LUKS2+SECURE-BOOT+TPM2.0+PIN for EXT4 and BTRFS filesystems is now available for downloading.
You can get the tutorials from my Linux Mint Community web page at:
https://community.linuxmint.com/tutorial/view/2438
The zip files are linked at the bottom of the page and are named:
- Linux Mint Debian Edition LMDE 6 with Full Disk Encryption - UKI - ext4 Version 1.1.zip
- Linux Mint Debian Edition LMDE 6 with Full Disk Encryption - UKI - btrfs Version 1.1.zip
linux22
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Last update: 14 November 2023
New tutorial LMDE 6 Full Disk Encryption with LUKS2+SECURE-BOOT+TPM2.0+PIN over BTRFS filesystem.
You can get the tutorial downloading the zip file linked to my Linux Mint Community web page at:
https://community.linuxmint.com/tutorial/view/2438
The file is linked at the bottom of the page and is named:
LMDE 6 with Full Disk Encryption - UKI - Btrfs Version 1.0.zip
The tutorial deals with Full Disk Encryption with LUKS2+SECURE-BOOT+TPM2.0+PIN for systems using btrfs filesystems.
The 'dracut' configuration is quite different and now builds and signs all UKI .efi booting files on the fly.
The same 'dracut' configuration will soon be available also for the ext4 tutorial, with my last effort for the release of Version 1.1.
Anyway I think that this race for 'Linux FDE' is over for me, now.
I also do not see a great interest from the "Linux World" for the topic of 'Full Disk Encryption'.
I think that going any further is pointless, at least until new security solutions emerge.
Regards.
linux22
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Last update: 11 November 2023
Coming soon ... LMDE 6 Full Disk Encryption with LUKS2+SECURE-BOOT+TPM2.0+PIN over BTRFS filesystem.
linux22
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Last update: 31 October 2023
Hi folks, I am finally ready to publish my tutorial for LMDE 6 Full Disk Encryption with LUKS2+SECURE-BOOT+TPM2.0+PIN.
This solution is quite weird and I do not like it so much but it is the only one working, at the moment.
You know that almost all Debian based distros available today have systemd installed but their support for LUKS2, SECURE BOOT and TPM 2.0 is quite poor.
At the moment, October 2023, none of the Debian based distros I know can deal with LUKS and/or SECURE BOOT and/or TPM 2.0 in a reasonable manner.
Have you ever experienced the following 'crypttab' related error when trying to activate the LUKS2 automatic unlock via TPM 2.0?
cryptsetup: WARNING: sda3_crypt: ignoring unknown option 'tpm2-device'
This error is due to the lack of updates to the "initramfs-tools" package modules concerning TPM 2.0.
So I thought I had to switch to a solution that has already implemented some working and useful tools for LUKS2, SECURE BOOT and TPM 2.0+PIN.
SO WHY NOT SWITCH FROM 'initramfs-tools' TO 'dracut'?
This way I have finally got rid of systemd-cryptenroll and initramfs, managing to get a functioning unlock of a Linux Full Disk Encryption system using a LUKS2+SECURE BOOT+TPM 2.0+PIN chain, at least until we have a working 'initramfs-tools' package!!!
This outcome has been possible thanks to the new Linux LMDE 6 with kernel version 6.1, systemd version 252 and the 'dracut' initramfs tools.
You can get the tutorial downloading the zip file linked to my Linux Mint Community web page at:
https://community.linuxmint.com/tutorial/view/2438
The file is linked at the bottom of the page and is named:
LMDE 6 with Full Disk Encryption - UKI - Version 1.0.zip
The tutorial pdf file embeds 7 txt files, containing the list of all required Terminal commands.
Click on the pin at the top left corner of the pdf file pages 8, 15, 18, 20, 21, 23, 30 to open the txt files.
For more details read page 7 of the tutorial.
The installation process consists of:
Step 1
Step 2
Step 3
Step 4
Step 5
Appendix C
Appendix D
Appendices A and B are for emergency/rescue cases only.
Please send me your evaluations and tell me if this solution works on your workstations.
Cheers.
linux22
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Last update: 12 October 2023
Hi folks, I am happy to announce my success in unlocking my Linux Mint Debian Edition LMDE 6 'Faye' with systemd v. 252, enrolling the LUKS2 key and a PIN inside the TPM 2.0 using systemd-cryptenroll.
I think I will release the tutorial explaining the hardware & software configuration by the end of October 2023.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Previous update: 30 December 2022
Hello folks, I am happy to announce my first success in unlocking my Linux FDE Mint 21.1 (Secure Boot On) with systemd v. 249, using systemd-cryptenroll tools.
At the moment it works like 'clevis', without the PIN option introduced in systemd v. 251.
Anyway, this is the first time I have got it working!
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Previous update: 8 May 2021
Hi folks, tutorials "Linux Mint with Full Disk Encryption, directory /boot included - PC UEFI & HDD GPT - Booting with EFI STUB loader" have been updated today. This release includes "Appendix F (Experimental) - How to enable LUKS2 AutoUnlock via TPM 2.0". This configuration works similarly to Windows BitLocker. Once correctly configured, when you boot up your PC the unlocking of your Linux FDE system is performed by the TPM (Trusted Platform Module), which releases the key for automatic unlock of the root LUKS partition, performed by the initramfs scripts (now using the 'clevis' Automated Encryption Framework, but soon also with the other method from systemd v. 248 and the systemd-cryptenroll tool).
The core procedure is explained in about 15 pages, reporting just over fifty terminal commands.
See details at:
https://community.linuxmint.com/tutorial/view/2438
Previous update: 19 December 2020
Hi folks, tutorial "Dual boot for Linux Mint 20.X Full Disk Encryption with EFI STUB loader + Windows 10" has been updated today.
See details at:
https://community.linuxmint.com/tutorial/view/2191
The other tutorials listed below will be updated as soon as possible:
1) Linux Mint - How to enable UEFI Secure Boot with your own Custom keys on PC UEFI & HDD GPT - Minor changes
https://community.linuxmint.com/tutorial/view/2496
I think I will merge all my tutorials concerning Linux Full Disk Encryption into one single web page. This process will take place once I have converted all my tutorials into pdf format files.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Previous Update: 20 July 2020
Hi folks, my old guide/tutorial 'Linux Mint - How to enable UEFI Secure Boot with your own Custom keys on PC with UEFI & HDD with GPT' on Linux Mint Community at: https://community.linuxmint.com/tutorial/view/2360 has been deleted because it was malfunctioning and not updatable anymore.
The old tutorial has been replaced by this new one: https://community.linuxmint.com/tutorial/view/2496
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Hi folks, I was trying to update my guide/tutorial 'Linux Mint - How to enable UEFI Secure Boot with your own Custom keys on PC with UEFI & HDD with GPT' on Linux Mint Community at: https://community.linuxmint.com/tutorial/view/2360 but when I send the update command I get an error and the web page remains unchanged. So I will copy and paste the entire tutorial into a new one. When ready I will put the new tutorial web page address here.
Release within the end of August 2020.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Hello everyone. I am working on two new solutions for Linux Mint FDE with PC UEFI & HDD GPT.
You can find these new solutions at: https://community.linuxmint.com/tutorial/view/2438
You can download the latest versions as tutorials in pdf format from my cloud storage. The links are at the end of the web page.
In this new project I am abandoning the standard boot loader GRUB, replacing it with EFISTUB.
These new solutions have the following PROS and CONS:
PROS:
- VERY FAST BOOTING
- VERY FAST SHUTDOWN
- VERY SIMPLE
- SUPPORT FOR TYPE 2 LUKS PARTITIONS (LUKS2)
- FULL DISK ENCRYPTION (FDE) REQUESTING ONLY ONE PASSWORD AT BOOT-UP
- NO LUKS KEYFILES REQUIRED
- WITHOUT OR WITH LVM (FOR ENABLING HIBERNATE FUNCTION)
- NO MORE HEADACHE FOR GRUB UPDATING AND/OR UPGRADING
- WORKS (WITH MINOR CHANGES) ALSO ON LINUX 32-BIT SYSTEMS (TESTED ON VIRTUAL MACHINES ONLY)
CONS:
- POINTLESS AND/OR DANGEROUS FOR FULL DISK ENCRYPTION (FDE) SYSTEMS IF SECURE BOOT IS DISABLED
- POOR CONFIGURATION OPTIONS (COMPARED TO GRUB)
- NOT COMMON / NOT STANDARD
- NEED GREATER EFI PARTITION SIZE (MINIMUM RECOMMENDED SIZE 1GB)
Please post here your opinion about this new idea of mine.
Hi folks, great news. Our concerns for an easy, standard and reliable FDE solution may be over, because LMDE 3 is out and it implements an FDE solution very similar to that indicated in my last tutorial at http://community.linuxmint.com/tutorial/view/2061. This solution can be activated by installing the distro with Calamares (an independent installer framework, available from the menu of the distro) and selecting its built-in FDE encryption function. If the installation with Calamares becomes available as standard on all versions of Linux Mint we will have an easy, standard and reliable FDE solution available without further efforts. The same FDE solution is also available on the Manjaro distro and it seems that it will be available with the new releases of Debian!!! (unluckily at the moment in Debian Live Testing it does not work)
Hello everyone, the promised new Debian method for the implementation of FDE (directory /boot included) with the standard cryptsetup package (version 1.7.3 and above) for Mint 19.X is ready (at the moment only for UEFI+GPT).
I have already tested this new configuration with Debian 9.3.0 and above, Ubuntu from 17.10 to 18.X, and now with Mint 19.X. It seems to work smoothly.
The new configuration will not use LVM and will work only with Debian and Debian-derived (Ubuntu, Mint, etc.) distros equipped with cryptsetup version 1.7.3 and above.
You can read my guide/tutorial 'Linux Mint with Full Disk Encryption, directory /boot included - PC with BIOS & HDD with MBR' on Linux Community at: http://community.linuxmint.com/tutorial/view/2026
You can read my guide/tutorial 'Linux Mint with Full Disk Encryption, directory /boot included - PC with BIOS & HDD with GPT' on Linux Community at: http://community.linuxmint.com/tutorial/view/2231
You can read my guide/tutorial 'Linux Mint with Full Disk Encryption, directory /boot included - PC with UEFI & HDD with GPT' on Linux Community at: http://community.linuxmint.com/tutorial/view/2061 (This works only for Linux Mint 19 Tara and Ubuntu 17.10 and above)
You can read my guide/tutorial 'Linux Mint - How to enable UEFI Secure Boot with your own Custom keys on PC with UEFI & HDD with GPT' on Linux Mint Community at: https://community.linuxmint.com/tutorial/view/2496
You can read my guide/tutorial for 'Dual boot for Windows 10 + Linux Mint 17.X and 18 Full System Encryption (directory /boot included) - PC with UEFI & HDD with GPT' on Linux Mint Community at: http://community.linuxmint.com/tutorial/view/2191
Please give me feedback if you succeed in installing and running Linux Mint using these solutions.
Thank you.
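The CON listed above (an EFISTUB/UKI + LUKS2 + TPM 2.0 chain is pointless or dangerous with Secure Boot disabled) comes down to a firmware state that can be checked before trusting TPM auto-unlock; the POSIX shell script below is an added example of mine, not code from linux22's tutorials. It assumes the standard efivarfs layout (/sys/firmware/efi/efivars, a 4-byte attribute header before the data byte) and the /sys/class/tpm/tpm0/tpm_version_major sysfs attribute; the state names it returns are my own.

```shell
#!/bin/sh
# Added example (not from the tutorials): classify whether the firmware state
# makes a TPM-sealed LUKS2 key release meaningful. Secure Boot must be enforcing
# (SecureBoot=1 and SetupMode=0) and a TPM 2.0 must exist; otherwise the key can
# be released to unsigned boot code, which is the CON the post warns about.
#
# Live usage: boot_chain_state /sys/firmware/efi/efivars /sys/class/tpm

EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c   # GUID of SecureBoot/SetupMode

# efivar_byte DIR NAME -> first data byte of the variable (skips the 4-byte
# efivarfs attribute header), or "missing" if the variable does not exist.
efivar_byte() {
    f="$1/$2-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || { echo missing; return; }
    od -An -t u1 -j 4 -N 1 "$f" | tr -d ' '
}

# boot_chain_state EFIVARS_DIR TPM_SYSFS_DIR -> one of:
#   protected    Secure Boot enforcing and TPM 2.0 present
#   unprotected  Secure Boot off or firmware still in setup mode
#   no-tpm2      Secure Boot fine, but no TPM 2.0 to seal the key in
#   no-uefi      no EFI variables at all (BIOS/CSM boot)
boot_chain_state() {
    sb=$(efivar_byte "$1" SecureBoot)
    sm=$(efivar_byte "$1" SetupMode)
    [ "$sb" = missing ] && { echo no-uefi; return; }
    if [ "$sb" != 1 ] || [ "$sm" = 1 ]; then echo unprotected; return; fi
    tpm="$2/tpm0/tpm_version_major"
    if [ -r "$tpm" ] && [ "$(cat "$tpm")" = 2 ]; then echo protected; else echo no-tpm2; fi
}

# write_efivar DIR NAME BYTE -> constructed efivarfs-style file for offline
# testing: a zeroed 4-byte attribute header followed by one data byte.
write_efivar() {
    f="$1/$2-$EFI_GLOBAL_GUID"
    head -c 4 /dev/zero > "$f"
    if [ "$3" -eq 0 ]; then head -c 1 /dev/zero >> "$f"
    else printf "\\$(printf '%03o' "$3")" >> "$f"; fi
}
```

mokutil --sb-state reports the same SecureBoot bit, but reading the variable directly also exposes SetupMode, where Secure Boot can show as enabled while custom keys are still being enrolled.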