Linux Mint 19 FDE across multiple drives—the right way?


Post by MikZ » Tue Sep 04, 2018 8:09 am

Hi everyone,

I've seen questions like this asked a lot, but I haven't found the answers very helpful, either because they don't do quite what I want, suggest something that seems unsatisfactory, or gloss over steps and go over my head.

What I want:
  • Linux Mint 19 (nothing else—no dual boot or anything)
  • Full disk encryption (because I understand that the home drive encryption option comes with a performance penalty)
  • /home in its own partition, on a separate drive from / and everything else
  • Reliability—I don't want to stray further from the happy path than necessary, because I've had Mint systems break on OS updates when they've been too customised
  • nice to have: a swap partition
I've successfully installed Mint (and Ubuntu) on various machines over the years, and am pretty comfortable using the installer to create separate partitions across multiple drives for /boot, /home, swap, etc. Sometimes it comes with repercussions, e.g. hibernating not working, or GRUB completely freaking out when I do a system update and everything getting messed up. But I'm not a complete n00b at this—I even have an old laptop with Mint 17, installed the way I want. When I boot that machine, it asks me for the encryption passwords for the two drives; this is basically what I want on my new laptop, with Mint 19. (Hibernation doesn't work on my old laptop, which is frustrating, but close enough.)

And yet, I've made numerous attempts to install Mint 19 on my shiny new laptop, with two 1TB SSD drives and a third 1TB spinning metal drive, and it never quite works out. It either won't boot, or only one drive is encrypted, or everything just ends up on one of the drives.

I'm actually okay with starting with a stock-standard one-drive FDE installation, as long as I can move my /home directory to a separate, fully encrypted drive. But I haven't had any success with that, either; I think I got LUKS to work at one point, but it didn't prompt me for the password when I booted, and the system couldn't find my home directory on time.

So can anybody point to detailed instructions for what I want, for a configuration that will play nicely across updates? I guess it boils down to, how can I do 'something else', but maintain FDE on all drives?

Thanks,
MikZ.

Post by xenopeek » Tue Sep 04, 2018 1:56 pm

It's a whole lot easier if you don't need hibernate to work with disk encryption or don't need the swap partition (or you'd be okay with leaving swap unencrypted, which is silly of course :)). Without hibernate you can just reserve a partition for swap and add a single line to /etc/crypttab to have encrypted swap. With the hibernate requirement I'm not confident of the steps. There's this bit on the Ubuntu wiki https://help.ubuntu.com/community/Enabl ... ryptedSwap but that's from a topic on the Linux Mint forums from 9 years ago. Hopefully somebody else can pitch in if you really need hibernate.
MikZ wrote:
    Tue Sep 04, 2018 8:09 am
    I'm actually okay with starting with a stock-standard one-drive FDE installation, as long as I can move my /home directory to a separate, fully encrypted drive. But I haven't had any success with that, either; I think I got LUKS to work at one point, but it didn't prompt me for the password when I booted, and the system couldn't find my home directory on time.
Can you clarify that part? Do you want to have to enter a separate, second passphrase for the home partition, after already having entered the passphrase for your root partition?

Personally I'd just add a second way to unlock the home partition, namely a keyfile stored on your root partition. That way, when you unlock your root partition the system itself can unlock the home partition with that keyfile. You can also unlock the home partition manually (say in case you need to do system recovery) with its passphrase.

Post by MikZ » Tue Sep 18, 2018 1:27 pm

Thanks for the reply. Sorry for taking a long time to get back; I had to put this on the back burner again.
xenopeek wrote:
    It's a whole lot easier if you don't need hibernate to work with disk encryption or don't need the swap partition (or you'd be okay with leaving swap unencrypted which is silly of course :)).
Well, swapping's always been crazy-slow for me anyhow—my system always locks up for 30 seconds when it runs out of memory—so there's not a lot lost there. But I'm honestly more reluctant to live without hibernation; I'm really tired of having to reboot and restart everything from scratch when I swap out a battery on an airliner, or old trains that don't have power outlets (I always seem to end up on those when I travel on work days :roll:).

Does hibernation just not work with FDE? I thought it did when I accepted all the defaults for a one-drive setup, but perhaps I'm misremembering… or maybe it was unencrypted and silly and I didn't notice. :wink:
xenopeek wrote:
    Do you want to have to enter a separate, second, passphrase for the home partition? After already having entered the passphrase for your root partition.
I suppose it would be nice to only have to enter one passphrase, but entering two never bothered me. I'll take whichever option is most reliable and future-proof.
xenopeek wrote:
    Personally I'd just add a second way to unlock the home partition namely a keyfile stored on your root partition. That way, when you unlock your root partition the system itself can unlock the home partition with that keyfile. You can also unlock the home partition manually (say in case you need to do system recovery) with its passphrase.
It looks like the article you linked to explains a bit about that, so thank you. I do worry about following such old advice—I'm honestly scared of my whole system breaking because of an update. This has happened a couple of times before, and always on days that I could least afford not to have a working computer. But it looks like this is the only thing I've got to try tomorrow. :wink:

Cheers,
MikZ.

Post by xenopeek » Tue Sep 18, 2018 3:16 pm

No, same. It's a very old article, but I couldn't find anything recent and conclusive specifically for Ubuntu/Linux Mint at the time. Perhaps hibernate will work fine if you let the installer handle everything for FDE, or even with a custom install. Could be my google-fu failing me. On Linux Mint installs I, as a rule, let the installer handle everything. On another distro I use for custom installs it gets quite involved to get this to work. And I don't use hibernate, hence hoping somebody else would pipe in :)

Post by MikZ » Wed Sep 19, 2018 2:12 am

xenopeek wrote:
    Perhaps hibernate will work fine if you let the installer handle everything for FDE or even with custom install.
I'd love to try. How do I have the installer handle the FDE with my custom installation? I've never seen the option for that.

MikZ.

Post by MikZ » Sun Oct 07, 2018 6:33 am

For anybody who finds this post with the same question, I've managed to get my system set up across drives. I'm afraid I don't have a reliable step-by-step guide, but it seems to be working well, and I'm feeling fairly confident that upgrades won't foul things up. I'll report back here when I can confirm that. I'll also report back on any progress with hibernation.

Here's what I did:
  1. Installed Mint 19 Cinnamon with FDE (Full Disk Encryption), not 'encrypt home folder' (because it degrades performance and is unnecessary—I believe it's eCryptfs under the bonnet) and the default single-drive partitions (not 'something else').
  2. Rebooted into my freshly installed system. It asked me to type my passphrase to unlock the drive.
  3. Used the Gnome Disk Utility (Menu→Preferences→Disks) to format my second drive as an encrypted ext4 drive. Turns out it's a fairly intuitive tool. I left some free space for the swap partition that I hope to eventually add to make hibernation work, but one thing at a time. ☺
  4. Manually and carefully added entries to my /etc/fstab and /etc/crypttab files, so my system will mount the partition on my second drive to /mnt/new-home, a temporary mount point I made up. (If you don't know how to edit those files, then, in all honesty, I'm afraid these steps might be too advanced for you, and you should get help from somebody more Linux-savvy.) I simply copied the entries the installer put in those files, but used the UUID from my second drive. I got the UUID from the Gnome Disk Utility, and compared it with the UUID the installer used for the primary drive, to make sure I got the structure right. Here's what it looked like:

    # appended to /etc/fstab
    /dev/mapper/luks-home /mnt/new-home auto nosuid,nodev,nofail 0 0

    # appended to /etc/crypttab (not a real UUID)
    luks-home       UUID=12345678-abcd-7890-cdef-ba9876543210 none luks,discard
  5. sudo mkdir /mnt/new-home # create that temporary mountpoint
  6. Rebooted again. It asked me to type my passphrase for both drives. Promising. ☺
  7. Verified that my temporary mount point was indeed present and that I could save files to it.
  8. Edited my /etc/fstab file again, to change the mount point for the partition on my second drive from /mnt/new-home to /home
  9. sudo mv -iv /home/$USER /mnt/new-home # Move the installed home directory to the temporary mountpoint. -i makes sure nothing gets clobbered; -v keeps me updated with progress
  10. Rebooted again. Entered two passphrases again. Yay.
  11. Successfully logged into my session. Everything works!
  12. Removed my /mnt/new-home directory (which was empty), and the test files I created in step 7, which were littered in /home
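Before rebooting on hand-edited /etc/crypttab and /etc/fstab files it is worth checking that the two agree, because a /dev/mapper name in fstab with no matching crypttab entry, or a mistyped UUID, produces exactly the "system couldn't find my home directory" failure described earlier in the thread. The POSIX shell script below is an added example, not part of this post or of Linux Mint: it checks that each active crypttab line has its four fields and a well-formed UUID, that every /dev/mapper name mounted in fstab is defined in crypttab, and, covering the encrypted-swap line xenopeek mentioned earlier, that a /dev/urandom key is paired with the swap (or tmp) option. The sample files it writes are constructed; the UUIDs, the luks-root name and the /dev/sda3 swap device are not from the thread.

```shell
#!/bin/sh
# Pre-reboot consistency check for a /etc/crypttab + /etc/fstab pair.
# Added example, not from the thread. It assumes the layout described in
# the post: crypttab maps each LUKS volume (by UUID or device) to a
# /dev/mapper name, and fstab mounts that mapper name. The sample files
# below are constructed; UUIDs, "luks-root" and /dev/sda3 are not real.

UUID_RE='^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'

# check_crypt_fstab CRYPTTAB FSTAB -> 0 if consistent, 1 with reasons on stderr
check_crypt_fstab() {
    _ct=$1
    _fs=$2
    _rc=0

    # 1. Each active crypttab line needs name, source, key and options, and a
    #    UUID= source must be a well-formed UUID.
    while read -r name src key opts; do
        case $name in ''|\#*) continue ;; esac
        if [ -z "$src" ] || [ -z "$key" ] || [ -z "$opts" ]; then
            echo "crypttab '$name': expected 4 fields (name source key options)" >&2
            _rc=1
            continue
        fi
        case $src in
            UUID=*)
                if ! printf '%s\n' "${src#UUID=}" | grep -Eq "$UUID_RE"; then
                    echo "crypttab '$name': malformed UUID '${src#UUID=}'" >&2
                    _rc=1
                fi ;;
            /dev/*) ;;
            *)
                echo "crypttab '$name': source must be UUID=... or /dev/..." >&2
                _rc=1 ;;
        esac
        # A random key (encrypted swap) only makes sense with the swap or tmp
        # option, which re-creates the contents on every boot.
        case $key in
            /dev/urandom|/dev/random)
                case ",$opts," in
                    *,swap,*|*,tmp,*) ;;
                    *) echo "crypttab '$name': random key without swap/tmp option" >&2
                       _rc=1 ;;
                esac ;;
        esac
    done < "$_ct"

    # 2. Every /dev/mapper/NAME in fstab must be defined in crypttab, or the
    #    boot waits for a device that never appears (nofail only softens this).
    for dev in $(awk '$1 ~ /^\/dev\/mapper\// {print $1}' "$_fs"); do
        name=${dev#/dev/mapper/}
        if ! awk -v n="$name" '$1 == n {found = 1} END {exit !found}' "$_ct"; then
            echo "fstab: $dev has no crypttab entry named '$name'" >&2
            _rc=1
        fi
    done
    return $_rc
}

# write_samples DIR: constructed sample files (a good pair plus a broken crypttab).
write_samples() {
    cat > "$1/crypttab" <<'EOF'
# constructed sample crypttab: root and home volumes plus random-key swap
luks-root UUID=0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0 none luks,discard
luks-home UUID=12345678-abcd-7890-cdef-ba9876543210 none luks,discard
cryptswap /dev/sda3 /dev/urandom swap,cipher=aes-xts-plain64,size=256
EOF
    cat > "$1/fstab" <<'EOF'
# constructed sample fstab
/dev/mapper/luks-root /     ext4 errors=remount-ro 0 1
/dev/mapper/luks-home /home auto nosuid,nodev,nofail 0 0
/dev/mapper/cryptswap none  swap sw 0 0
EOF
    # broken: mapper name typo, truncated UUID, random key without the swap option
    cat > "$1/crypttab.bad" <<'EOF'
luks-hom UUID=12345678-abcd-7890-cdef none luks,discard
cryptswap /dev/sda3 /dev/urandom cipher=aes-xts-plain64,size=256
EOF
}

# Stand-alone demo on the constructed samples.
_d=$(mktemp -d)
write_samples "$_d"
check_crypt_fstab "$_d/crypttab" "$_d/fstab" && echo "good pair: consistent"
check_crypt_fstab "$_d/crypttab.bad" "$_d/fstab" || echo "bad pair: rejected as expected"
rm -rf "$_d"
```

On a real system run it as `check_crypt_fstab /etc/crypttab /etc/fstab` after editing and before the reboot in step 6; a non-zero exit with the reasons on stderr is the cue to fix the files while the system is still up.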

Post by xenopeek » Sun Oct 07, 2018 12:01 pm

Good of you to share your steps. They will be useful for others seeking an answer to the same question.

You could add a keyfile as a way to unlock your second disk and store that file on your primary disk. With a change to /etc/crypttab you can make it so that when you unlock the primary disk the second disk gets automatically unlocked with that keyfile (which is encrypted on the primary disk). It would also still be manually unlockable with the passphrase you are currently using.

Here are the steps as I remember:
  1. First create a keyfile with random data. Let's store the keyfile as /etc/home.keyfile and make it 2 KiB big.

    sudo dd bs=512 count=4 if=/dev/urandom of=/etc/home.keyfile
  2. Next restrict it to root.

    sudo chmod 400 /etc/home.keyfile
  3. Now the keyfile should be added to the encrypted volume as a way to unlock it. Replace /dev/sdXY with the device name of the partition (like /dev/sdb1).

    sudo cryptsetup luksAddKey /dev/sdXY /etc/home.keyfile
  4. Finally change /etc/crypttab and replace "none" in the line you added with the absolute path to the keyfile /etc/home.keyfile and that should be all.
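The four steps above, put together as one POSIX shell script with the checks a careful operator would add: the keyfile is created under a restrictive umask so it is never world-readable even for an instant, an existing keyfile is never overwritten, the new key slot is verified with cryptsetup's --test-passphrase before anything depends on it at boot, and the crypttab edit only touches the line whose key field is still "none". This is an added example, not the poster's own commands or part of Linux Mint; /dev/sdb1, luks-home and /etc/home.keyfile are assumptions taken from the thread. The demonstration at the end only rewrites a constructed crypttab line on stdout; the install function itself needs root and a real LUKS device.

```shell
#!/bin/sh
# Add a root-held keyfile as a second unlock method for the /home LUKS volume
# and point /etc/crypttab at it, following the four steps in the post above.
# Added example, not the poster's script. Device path (/dev/sdb1), mapper
# name (luks-home) and keyfile path (/etc/home.keyfile) are assumptions
# taken from the thread; adjust them for the real system.

# set_crypttab_keyfile CRYPTTAB NAME KEYFILE
#   Print CRYPTTAB with the key field (3rd column) of the line named NAME
#   changed from "none" to KEYFILE. Exit 1 if NAME is missing, 2 if that
#   line already has a key (so a stray re-run cannot silently clobber it).
set_crypttab_keyfile() {
    awk -v n="$2" -v k="$3" '
        $1 == n {
            seen = 1
            if ($3 == "none") { $3 = k } else { dup = 1 }
        }
        { print }
        END { if (!seen) exit 1; if (dup) exit 2 }
    ' "$1"
}

# install_home_keyfile DEVICE NAME KEYFILE: the full procedure, root only.
install_home_keyfile() {
    _dev=$1; _name=$2; _key=$3
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    [ ! -e "$_key" ] || { echo "$_key exists; refusing to overwrite" >&2; return 1; }
    # Steps 1+2: 2 KiB of random data, created with a restrictive umask so the
    # file is never readable by others, then locked to mode 400.
    ( umask 077 && dd bs=512 count=4 if=/dev/urandom of="$_key" status=none ) || return 1
    chmod 400 "$_key" || return 1
    # Step 3: enrol the keyfile in a free key slot. cryptsetup prompts for an
    # existing passphrase first, and that passphrase keeps working afterwards.
    cryptsetup luksAddKey "$_dev" "$_key" || return 1
    # Verify the new slot really opens the volume before relying on it at boot.
    cryptsetup open --test-passphrase --key-file "$_key" "$_dev" || return 1
    # Step 4: replace "none" with the keyfile path on the matching crypttab line.
    _tmp=$(mktemp) || return 1
    if set_crypttab_keyfile /etc/crypttab "$_name" "$_key" > "$_tmp"; then
        cat "$_tmp" > /etc/crypttab
    else
        echo "crypttab not changed: '$_name' missing or already has a key" >&2
        rm -f "$_tmp"
        return 1
    fi
    rm -f "$_tmp"
}

# Dry demonstration on a constructed crypttab line (no device is touched).
_s=$(mktemp)
printf '%s\n' '# constructed sample crypttab' \
    'luks-home UUID=12345678-abcd-7890-cdef-ba9876543210 none luks,discard' > "$_s"
set_crypttab_keyfile "$_s" luks-home /etc/home.keyfile
rm -f "$_s"
# Real run, as root:  install_home_keyfile /dev/sdb1 luks-home /etc/home.keyfile
```

The keyfile is protected only by the root volume's encryption and its file mode, so anything that copies /etc off the running system (backups, configuration sync) now carries a key to /home and must itself be encrypted; the passphrase slot stays in place for recovery, as the post notes.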