<SOLVED> FDE Dual Boot Trouble - No boot password.

secdash
Level 1
Posts: 6
Joined: Wed Dec 02, 2015 10:41 pm

<SOLVED> FDE Dual Boot Trouble - No boot password.

Post by secdash »

Here is a link to my post further down explaining the steps I took to solve this. I do plan to clean this guide up in the future. However, I am pretty busy and wanted to get something posted sooner rather than later.

inxi output:

Code: Select all

System:    Host: mint Kernel: 3.16.0-38-generic x86_64 (64 bit, gcc: 4.8.2) 
            Desktop: Cinnamon 2.6.11  Distro: Linux Mint 17.2 Rafaela	

Drives:    HDD Total Size: 134.2GB (-) 
	      1: id: /dev/sda model: VBOX_HARDDISK size: 53.7GB temp: 0C 
          2: id: /dev/sdb model: VBOX_HARDDISK size: 80.5GB temp: 0C 

Partition: ID: / size: 3.9G used: 36M (1%) fs: overlayfs

Greetings,

I am having some difficulty installing Mint 17.2, dual booting with full disk encryption. What I'm trying to accomplish is:
  • sda1 - /boot
  • sda2 - Windows 7 boot loader
  • sda3 - Windows 7 x64
  • sdb - LVM on LUKS Container
  • lvmlocal - /
  • lvmlocal - /home
  • lvmlocal - swap
  • Dual Boot Mint 17.2 x64 with Windows 7 x64
  • Mint will be fully encrypted with LVM on LUKS
  • The volume group will have separate partitions for /, /home, swap
  • The LUKS container will be on sdb (or sdb1... I'm not sure if this is part of my issue)
  • /boot will be on sda1
  • /sda2 and sda3 are Windows' boot loader and Windows respectively.

Here are the commands I used to create the LUKS container and lvm group

Code: Select all

cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random -y luksFormat /dev/sdb

cryptsetup luksOpen /dev/sdb lvmlocal

pvcreate /dev/mapper/lvmlocal && vgcreate lvmlocal /dev/mapper/lvmlocal && lvcreate -L 8G -n swap lvmlocal && lvcreate -L 15G -n root lvmlocal && lvcreate -l 100%FREE -n home lvmlocal

/etc/default/grub

Code: Select all

GRUB_CMDLINE_LINUX=""

I've tried reading the above guides along with several others (that I don't have bookmarked) to help me with setting up this custom FDE setup, but all of them assume that I am installing Mint on sda and all but one assumed I was only setting up a root partition or root and swap.

I can get as far as setting up the LUKS container and the lvm partitions and even assigning the lvm partitions /, /home, swap via ubiquity and finishing the installer. During reboot I can get to grub from the windows boot loader as intended and then use grub to start loading Mint. However, at the Mint splash screen where it would normally ask for the password it just sits and times out.

I'm pretty sure I'm getting stuck with the steps to take after installing Mint. I can't say I'm too familiar with setting up the system as described in the guide at this point. I've tried several variations which have all failed because I've had to try and tweak them to my specific set up.

Does anyone know of a guide for what I'm trying to do or have any advice on how to prepare the system properly?

Note: I'll update this post with more info as I experiment and when I eventually get things working.
Last edited by secdash on Sat Dec 12, 2015 1:46 am, edited 2 times in total.

austin.texas
Level 20
Posts: 12051
Joined: Tue Nov 17, 2009 3:57 pm
Location: at /home

Re: FDE Dual Boot Trouble - Mint won't prompt me boot passwo

Post by austin.texas »

I can't offer advice on lvm, sorry, but if you are using Mint 17.2 Cinnamon, the "Guide for LMDE" would probably not be the best resource.
Mint 18.2 Cinnamon, Quad core AMD A8-3870 with Radeon HD Graphics 6550D, 8GB DDR3, Ralink RT2561/RT61 802.11g PCI
Linux Linx 2018

secdash
Level 1
Posts: 6
Joined: Wed Dec 02, 2015 10:41 pm

Re: FDE Dual Boot Trouble - Mint won't prompt me boot passwo

Post by secdash »

austin.texas wrote:I can't offer advice on lvm, sorry, but if you are using Mint 17.2 Cinnamon, the "Guide for LMDE" would probably not be the best resource.
Hello,

Thank you for the response. I am aware that the LMDE guide wouldn't quite work, but it was one of the only ones I could find that came close to the set up I'm trying to accomplish. Currently I'm working through a couple of tests on a VM using this Arch guide that someone on Reddit suggested. Still no luck though. My main issue is that I've never had to "manually" install Mint (or any other Linux distro for that matter) like this before so I'm not even sure what steps I'm missing; I'm sure it's something stupidly obvious though... Thank you again for the reply though, I will surely post the steps to solve this matter if/when I get them worked out, or if someone else is able to post and help me with this. Take care!

Sec

Laurent85
Level 16
Posts: 6244
Joined: Tue May 26, 2015 10:11 am

Re: FDE Dual Boot Trouble - Mint won't prompt me boot passwo

Post by Laurent85 »

Why don't you use the installer ? You can install the default full drive encryption + lvm scheme on sdb and tailor the logical partitions later on.

secdash
Level 1
Posts: 6
Joined: Wed Dec 02, 2015 10:41 pm

Re: FDE Dual Boot Trouble - Mint won't prompt me boot passwo

Post by secdash »

Laurent85 wrote:Why don't you use the installer ? You can install the default full drive encryption + lvm scheme on sdb and tailor the logical partitions later on.
Hello,

Thank you for the reply. I am unaware of a way to have the installer use sdb rather than sda. The only options I get are the standard ones for dual booting; "install beside Windows, erase /use full disk, encrypt with lvm, something else." Also, this is a secondary concern, but what strength encryption does the installer use? I really wish the something else option had this stuff built in -
  • An option to select which disk to install on
  • An option to select encryption strength
  • An option to select partition scheme
I'll give it another try with your suggestion and see if I can work it out. Thank you for your time and suggestion.

Sec

austin.texas
Level 20
Posts: 12051
Joined: Tue Nov 17, 2009 3:57 pm
Location: at /home

Re: FDE Dual Boot Trouble - Mint won't prompt me boot passwo

Post by austin.texas »

secdash wrote: I really wish the something else option had this stuff built in -
An option to select which disk to install on
No problem. It is there. Pick the partitions you want, and the bootloader location at the bottom.
secdash wrote: An option to select encryption strength

And there. (encryption, but not strength, granted)
secdash wrote:An option to select partition scheme
You can create and resize partitions as you wish. The only thing you can't do (that I know of) is create a new partition table - like if you want to switch from msdos to GPT.

Laurent85
Level 16
Posts: 6244
Joined: Tue May 26, 2015 10:11 am

Re: FDE Dual Boot Trouble - Mint won't prompt me boot passwo

Post by Laurent85 »

An option to select which disk to install on
Actually the procedure is counter intuitive, you need to confirm Erase disk and install Linux Mint before the installer offers to select which drive to install on.

secdash
Level 1
Posts: 6
Joined: Wed Dec 02, 2015 10:41 pm

Re: FDE Dual Boot Trouble - Mint won't prompt me boot passwo

Post by secdash »

austin.texas wrote:
secdash wrote: I really wish the something else option had this stuff built in -
An option to select which disk to install on
No problem. It is there. Pick the partitions you want, and the bootloader location at the bottom.
secdash wrote: An option to select encryption strength

And there. (encryption, but not strength, granted)
secdash wrote:An option to select partition scheme
You can create and resize partitions as you wish. The only thing you can't do (that I know of) is create a new partition table - like if you want to switch from msdos to GPT.
Thank you for the help and suggestion. While the forums were down I was actually able to find 2 more guides in the depths of Google, and get a working set up. My current set up was done with the method you provided, and ends up being just plain LUKS, which is fine and all, but I have to enter my password 3 times. Thank you again though for the time and help. I'll be writing up an edit to my main post about the steps I took to get my working setup; it's not pretty, but it works.

secdash
Level 1
Posts: 6
Joined: Wed Dec 02, 2015 10:41 pm

Re: FDE Dual Boot Trouble - Mint won't prompt me boot passwo

Post by secdash »

Laurent85 wrote:
An option to select which disk to install on
Actually the procedure is counter intuitive, you need to confirm Erase disk and install Linux Mint before the installer offers to select which drive to install on.
/facepalm...

Well that would be why I never saw it, because I never clicked past the Erase disk prompt. I'll give that method a go in my virtual machine that I've been testing this on and see if I can get a cleaner solution. While the forums were down, I was able to put together a working procedure to get this the way I wanted, but it's kinda patchwork. I'll be writing up an edit for my main post to include the steps I took. Thank you for your time and help, I truly appreciate it.

secdash
Level 1
Posts: 6
Joined: Wed Dec 02, 2015 10:41 pm

Re: FDE Dual Boot Trouble - Mint won't prompt me boot passwo

Post by secdash »

Hello,

So the problem I was having was that Grub was not getting set up with the right stuff to launch cryptsetup to unlock the LUKS container. I still can't say I entirely grasp what each command is doing, but I have a much better idea now. If anyone has any suggestions for me to try or add to these steps I'd be glad to hear them.

What I wanted was a dual boot setup where Windows was on sda and Mint was on sdb. To further complicate things, I wanted Mint to be a FDE LVM on LUKS setup with /, /home, swap partitions. Even more complication, the Windows partition was also to be encrypted with Veracrypt.

Following these guides:
Ubuntu LVM on LUKS FDE.
Windows Truecrypt FDE and Debian FDE.
Arch LVM on LUKS wiki.
LMDE LVM on LUKS guide.
General Mint FDE (including /boot) guide.

I was able to piece together a working procedure to set up a custom LVM on LUKS on a different drive than the /boot partition with or without an encrypted windows partition. Sadly I could not get this working with GPT yet so both disks have to be set up with MBR.

First - Preparing the Disks:
1- Give sda a MBR partition table and format sda1 to 500MB
2- Give sdb a MBR partition table and format sdb1 to clear/un-formatted

Second - Installing Windows:
1- use the remaining space on sda for Windows and let the installer set up the partitions.
1a- When that's finished, sda1 should be 500MB un-formatted, sda2 should be 100MB and the windows boot-loader, sda3 should be Windows
*2- If you're going to encrypt Windows with Veracrypt this is where you do it. Make sure you only encrypt the Windows partition and not all of sda and to save the rescue.iso to a flash drive because you'll need it later.

Third - Installing Mint:
1- Load up the Live CD and open a Terminal
1a- Make an encrypted container on sdb1 and then mount it when it's done.

Code: Select all

# Create the LUKS container on sdb1, then open it as /dev/mapper/lvm_crypt
sudo cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 \
    --iter-time 5000 --use-random -y luksFormat /dev/sdb1 &&
sudo cryptsetup open --type luks /dev/sdb1 lvm_crypt

2- Next make the LVM physical volume and volume group and logical volumes.

Code: Select all

# Physical volume, volume group "mint", logical volumes (swap, root, home), then filesystems
sudo pvcreate /dev/mapper/lvm_crypt &&
sudo vgcreate mint /dev/mapper/lvm_crypt &&
sudo lvcreate -L 8192M -n swap mint &&
sudo lvcreate -L 16384M -n root mint &&
sudo lvcreate -l 100%FREE -n home mint &&
sudo mkswap /dev/mapper/mint-swap &&
sudo mkfs.ext4 /dev/mapper/mint-root &&
sudo mkfs.ext4 /dev/mapper/mint-home

3- Once that is finished you're going to start up ubiquity and select the "something else" option when it asks how you want to install Mint.

4- In here you should see your logical volumes and you're going to assign and format each one to their respective roles: /, /home, swap.
4a- Here you're going to set sda1 as /boot and format it. Then on the drop down at the bottom of the window where it asks "where to install boot loader" select sda.

5- Proceed through the rest of ubiquity as normal and after it's finished installing **DO NOT** restart - select "continue testing."

6- Next we're going to mount the stuff ubiquity just installed and chroot into its terminal.

Code: Select all

# Mount the installed root and /boot, bind the virtual filesystems, then chroot
sudo mount /dev/mapper/mint-root /mnt &&
sudo mount /dev/sda1 /mnt/boot &&
sudo mount -o bind /dev /mnt/dev &&
sudo mount -t proc proc /mnt/proc &&
sudo mount -t sysfs sys /mnt/sys &&
sudo cp /etc/resolv.conf /mnt/etc/resolv.conf &&
sudo chroot /mnt /bin/bash

7- Now I'm not entirely sure what this next command is doing, but I believe it is setting up a hook so Grub can know how to open the LUKS container.

Code: Select all

# /etc/crypttab fields: <mapping name> <source device> <key file> <options>
# blkid prints the UUID of sdb1 directly; cutting a fixed column out of `ls -la` breaks when column widths change
echo "lvm_crypt UUID=$(blkid -s UUID -o value /dev/sdb1) none luks" >> /etc/crypttab

8- Now we need to update initramfs. Note that I received a warning when running this command that one of the locales is not supported. However, it did not seem to affect the installation of my system.

Code: Select all

update-initramfs -u -k all
9- Now we can reboot **IF** you **do not** have the windows partition encrypted with Veracrypt. If you do, there are a couple more steps.

Code: Select all

exit
sudo reboot
If this worked the way it's supposed to, you should now be able to boot into either Windows or Mint with them on separate disks and Mint having a custom LVM on LUKS setup.

10- Because Grub overwrites the Veracrypt boot-loader with this method (I could not get it to work any other way) we're going to use the rescue.iso that Veracrypt makes you save when you encrypt Windows.

11- First we're going to copy the memdisk to /boot/

Code: Select all

sudo cp /usr/lib/syslinux/memdisk /boot/
12- Next we're going to copy the rescue iso from wherever you stored it to /boot/

Code: Select all

sudo cp /mnt/rescue.iso /boot/rescue.iso
13- Now we need the UUID of sda3

Code: Select all

sudo blkid /dev/sda3
14- Now we edit grub to add the entry for the rescue iso.

Code: Select all

sudo nano /etc/grub.d/40_custom

Code: Select all

menuentry "VeraCrypt ISO boot" {
   insmod part_msdos
   insmod fat
   insmod ext2
   insmod search_fs_uuid
   search --fs-uuid --no-floppy --set=boot <UUID without quotes or brackets>
   # memdisk loads the ISO image into RAM and boots it
   linux16 ($boot)/memdisk iso raw
   # file name must match the ISO copied to /boot in step 12
   initrd16 ($boot)/rescue.iso
}
15- Now we update grub.

Code: Select all

sudo update-grub
At this point you should be able to freely start up either encrypted OS. One thing I noticed was that Veracrypt gives me a warning when I boot up about a potential evil maid attack because of the mucking around we did with the boot-loaders. I do not know a way around this, but someone else might.

I know this is all very patchwork but this is how I was able to solve my issue. I plan to make a more detailed guide and video in the future for this. For now, I hope this helps anyone else who may be trying to do this setup.

Thank you everyone for your suggestions, they helped a lot.

Sec.
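
The fix in the post above depends on /etc/crypttab naming the LUKS container before the initramfs is rebuilt, so it is worth checking that file before rebooting. The script below is an added example, not part of the original post: the function names and all sample data are constructed, and treating non-UUID sources as failures is a choice made here.

```shell
#!/bin/sh
# Pre-reboot check for the LVM-on-LUKS install: each crypttab entry must name,
# by UUID, a device that blkid reports as TYPE="crypto_LUKS".

# Constructed `blkid` output matching this thread's layout (UUIDs are made up).
SAMPLE_BLKID='/dev/sda1: UUID="11111111-aaaa-4aaa-8aaa-000000000001" TYPE="ext4"
/dev/sdb1: UUID="22222222-bbbb-4bbb-8bbb-000000000002" TYPE="crypto_LUKS"
/dev/mapper/mint-root: UUID="33333333-cccc-4ccc-8ccc-000000000003" TYPE="ext4"'

# Constructed crypttab contents: correct, pointing at the wrong device, no entries.
GOOD_TAB='lvm_crypt UUID=22222222-bbbb-4bbb-8bbb-000000000002 none luks'
WRONG_TAB='lvm_crypt UUID=33333333-cccc-4ccc-8ccc-000000000003 none luks'
EMPTY_TAB='# <target name> <source device> <key file> <options>'

# Format one crypttab line in the shape used in step 7.
# Live use: crypttab_line lvm_crypt "$(blkid -s UUID -o value /dev/sdb1)"
crypttab_line() { printf '%s UUID=%s none luks\n' "$1" "$2"; }

# Print the TYPE that blkid reports for a UUID (prints nothing if unknown).
blkid_type_for_uuid() {   # $1 = blkid output, $2 = UUID
    printf '%s\n' "$1" | awk -v u="$2" '
        index($0, " UUID=\"" u "\"") {
            if (match($0, / TYPE="[^"]*"/))
                print substr($0, RSTART + 7, RLENGTH - 8)
            exit
        }'
}

# Print OK/FAIL per entry; return 1 on any failure or when there are no
# entries at all (the "no passphrase prompt at boot" situation).
check_crypttab() {        # $1 = crypttab text, $2 = blkid output
    ct_status=0; ct_entries=0
    while read -r ct_name ct_src ct_rest; do
        case "$ct_name" in ''|'#'*) continue ;; esac
        ct_entries=$((ct_entries + 1))
        case "$ct_src" in
            UUID=*) ct_uuid=${ct_src#UUID=} ;;
            *)  echo "FAIL $ct_name: source '$ct_src' is not UUID=... (device names can change)"
                ct_status=1; continue ;;
        esac
        ct_type=$(blkid_type_for_uuid "$2" "$ct_uuid")
        if [ "$ct_type" = "crypto_LUKS" ]; then
            echo "OK $ct_name: $ct_uuid is a LUKS container"
        else
            echo "FAIL $ct_name: $ct_uuid has type '${ct_type:-not found}', expected crypto_LUKS"
            ct_status=1
        fi
    done <<EOF
$1
EOF
    [ "$ct_entries" -gt 0 ] || { echo "FAIL: crypttab has no entries"; ct_status=1; }
    return "$ct_status"
}

# Demo on the constructed data. On the installed system (inside the chroot):
#   check_crypttab "$(cat /etc/crypttab)" "$(blkid)"
check_crypttab "$GOOD_TAB" "$SAMPLE_BLKID"
check_crypttab "$WRONG_TAB" "$SAMPLE_BLKID" || true
check_crypttab "$EMPTY_TAB" "$SAMPLE_BLKID" || true
```

The second sample shows a common slip: using the UUID of the filesystem inside the container instead of the UUID of the LUKS partition itself.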

Master
Level 1
Posts: 2
Joined: Sun Dec 13, 2015 2:11 pm

Re: FDE Dual Boot Trouble - Mint won't prompt me boot passwo

Post by Master »

Master wrote:Hello, I have win7 x64 already installed, then installed Mint 17.3. But still can't get windows to boot. No encryption on either OS. Follow the instructions here.
Is there a method that doesn't require a degree in software engineering?

Kudalufi
Level 1
Posts: 17
Joined: Mon Nov 30, 2015 12:03 pm

Re: <SOLVED> FDE Dual Boot Trouble - No boot password.

Post by Kudalufi »

The reason why Grub overwrote the VeraCrypt boot loader was because you let it get installed in the MBA (/dev/sda) rather than in the /boot partition. This is unnecessary and dangerous, as every time you try and update Grub, it is going to overwrite the MBA (and VeraCrypt's boot loader) all over again.

A better solution is this:
  • Reorder the drive zero (sda) partitions so that the Linux /boot partition is after the Windows boot partition. So in your case /dev/sda1 is Windows bootloader, /dev/sda2 is Windows and /dev/sda3 is Linux /boot.
  • At step 4a when you set the Grub boot loader location, do NOT use /dev/sda - use /dev/sda3.
  • Before you leave the Linux installer, perform an "fdisk /dev/sda" and ensure that both /dev/sda1 and /dev/sda3 are flagged as bootable
Now at boot time, the VeraCrypt loader will come up. If you want to boot into Windows, you simply enter in your password as per normal VeraCrypt. If you want to boot into Linux, you press ESC and then VeraCrypt will show you a list of bootable partitions. Select the second one and Linux will boot and ask you for a password.
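
A read-only way to confirm the boot flags described above, and to notice when a boot loader install has rewritten the MBR boot code. This is an added example, not part of the original post: the MBR image is constructed, the function names are illustrative, and SHA-256 over the first 440 bytes is the fingerprint chosen here.

```shell
#!/bin/sh
# Inspect an MBR: boot flag and type of each primary partition, plus a
# fingerprint of the boot code area. On a real system pass /dev/sda (as root).

# Print "<n> <status> <type>" (hex bytes) for the four primary entries.
mbr_entries() {                       # $1 = disk or image file
    sig=$(od -An -v -tx1 -j510 -N2 "$1" | tr -d ' \n')
    [ "$sig" = "55aa" ] || { echo "no 0x55AA signature" >&2; return 2; }
    n=1
    while [ "$n" -le 4 ]; do
        # Entry n starts at 446 + 16*(n-1); byte 0 = status, byte 4 = type.
        set -- "$1" $(od -An -v -tx1 -j$((446 + 16 * (n - 1))) -N16 "$1")
        echo "$n $2 $6"
        n=$((n + 1))
    done
}

# Succeed only if every listed partition number carries the 0x80 boot flag.
require_bootable() {                  # $1 = disk or image, $2.. = partition numbers
    img=$1; shift
    table=$(mbr_entries "$img") || return 2
    for want in "$@"; do
        printf '%s\n' "$table" | grep -q "^$want 80 " || return 1
    done
}

# SHA-256 of the 440-byte boot code area; it changes when a loader is rewritten.
bootcode_sha256() { head -c 440 "$1" | sha256sum | cut -d' ' -f1; }

# --- constructed sample: sda1 and sda3 bootable, as suggested above ---
# One 16-byte partition entry: $1 = status byte, $2 = type byte (both octal).
entry() { printf "\\$1"; head -c 3 /dev/zero; printf "\\$2"; head -c 11 /dev/zero; }

make_sample_mbr() {                   # $1 = output file, $2 = boot code filler byte (octal)
    {
        head -c 440 /dev/zero | tr '\000' "\\$2"   # stand-in for boot code
        head -c 6 /dev/zero                        # disk signature + reserved
        entry 200 007; entry 000 007; entry 200 203; entry 000 000
        printf '\125\252'                          # 0x55 0xAA
    } > "$1"
}

demo_img=$(mktemp)
make_sample_mbr "$demo_img" 101
mbr_entries "$demo_img"
require_bootable "$demo_img" 1 3 && echo "partitions 1 and 3 are flagged bootable"
echo "boot code sha256: $(bootcode_sha256 "$demo_img")"
rm -f "$demo_img"
```

Recording the fingerprint after a known-good install and comparing it after boot loader updates shows whether the boot code in the MBR has been replaced.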
