Hello,
So the problem I was having was that Grub was not getting set up with the right stuff to launch cryptsetup to unlock the LUKS container. I still can't say I entirely grasp what each command is doing, but I have a much better idea now. If anyone has any suggestions for me to try or add to these steps, I'd be glad to hear them.
What I wanted was a dual boot setup where Windows was on sda and Mint was on sdb. To further complicate things, I wanted Mint to be a FDE LVM on LUKS setup with /, /home and swap partitions. Even more complication, the Windows partition was also to be encrypted with VeraCrypt.
Following these guides:
Ubuntu LVM on LUKS FDE.
Windows Truecrypt FDE and Debian FDE.
Arch LVM on LUKS wiki.
LMDE LVM on LUKS guide.
General Mint FDE (including /boot) guide.
I was able to piece together a working procedure to set up a custom LVM on LUKS on a different drive than the /boot partition, with or without an encrypted Windows partition. Sadly I could not get this working with GPT yet, so both disks have to be set up with MBR.
First - Preparing the Disks:
1- Give sda an MBR partition table and make sda1 a 500MB partition
2- Give sdb an MBR partition table and leave sdb1 clear/unformatted
Second - Installing Windows:
1- use the remaining space on sda for Windows and let the installer set up the partitions.
1a- When that's finished, sda1 should be 500MB unformatted, sda2 should be the 100MB Windows boot loader partition, and sda3 should be Windows
*2- If you're going to encrypt Windows with VeraCrypt, this is where you do it. Make sure you only encrypt the Windows partition, not all of sda, and save the rescue.iso to a flash drive because you'll need it later.
Third - Installing Mint:
1- Load up the Live CD and open a Terminal
1a- Make an encrypted container on sdb1 and then mount it when it's done.
Code:
# Create the LUKS container on sdb1 (you will be asked for the passphrase twice) ...
sudo cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random -y luksFormat /dev/sdb1
# ... then open it as /dev/mapper/lvm_crypt so LVM can be laid out on top of it
sudo cryptsetup open --type luks /dev/sdb1 lvm_crypt
2- Next make the LVM physical volume, volume group and logical volumes.
Code:
# LVM on top of the opened container: one PV, one VG named "mint", three LVs
sudo pvcreate /dev/mapper/lvm_crypt
sudo vgcreate mint /dev/mapper/lvm_crypt
sudo lvcreate -L 8192M -n swap mint
sudo lvcreate -L 16384M -n root mint
sudo lvcreate -l 100%FREE -n home mint
# Swap and ext4 filesystems on the new LVs
sudo mkswap /dev/mapper/mint-swap
sudo mkfs.ext4 /dev/mapper/mint-root
sudo mkfs.ext4 /dev/mapper/mint-home
3- Once that is finished, you're going to start up ubiquity and select the "something else" option when it asks how you want to install Mint.
4- In here you should see your logical volumes and you're going to assign and format each one to their respective roles: /, /home, swap.
4a- Here you're going to set sda1 as /boot and format it. Then on the drop-down at the bottom of the window where it asks "where to install boot loader" select sda.
5- Proceed through the rest of ubiquity as normal and, after it's finished installing, **DO NOT** restart - select "continue testing."
6- Next we're going to mount the stuff ubiquity just installed and chroot into its terminal.
Code:
# Mount the new root and /boot, bring the live system's /dev, proc and sys into the target, then chroot
sudo mount /dev/mapper/mint-root /mnt
sudo mount /dev/sda1 /mnt/boot
sudo mount -o bind /dev /mnt/dev
sudo mount -t proc proc /mnt/proc
sudo mount -t sysfs sys /mnt/sys
sudo cp /etc/resolv.conf /mnt/etc/resolv.conf
sudo chroot /mnt /bin/bash
7- Now I'm not entirely sure what this next command is doing, but I believe it is setting up a hook so Grub can know how to open the LUKS container.
Code:
# Tell the initramfs which device holds the LUKS container, keyed by its UUID (we are root inside the chroot).
# blkid returns the exact UUID of sdb1; the original ls | grep | cut pipeline also matched sdb10, sdb11, ...
# and depended on the column layout of ls -la.
echo "lvm_crypt UUID=$(blkid -s UUID -o value /dev/sdb1) none luks" >> /etc/crypttab
8- Now we need to update initramfs. Note that I received a warning when running this command that one of the locales is not supported. However, it did not seem to affect the installation of my system.
9- Now we can reboot **IF** you **do not** have the Windows partition encrypted with VeraCrypt. If you do, there are a couple more steps.
If this worked the way it's supposed to, you should now be able to boot into either Windows or Mint with them on separate disks and Mint having a custom LVM on LUKS setup.
10- Because Grub overwrites the VeraCrypt boot loader with this method (I could not get it to work any other way), we're going to use the rescue.iso that VeraCrypt makes you save when you encrypt Windows.
11- First we're going to copy the memdisk to /boot/
Code:
sudo cp /usr/lib/syslinux/memdisk /boot/
12- Next we're going to copy the rescue iso from wherever you stored it to /boot/
Code:
sudo cp /mnt/rescue.iso /boot/rescue.iso
13- Now we need the UUID of sda3
14- Now we edit grub to add the entry for the rescue iso.
Code:
menuentry "VeraCrypt ISO boot" {
    insmod part_msdos
    insmod fat
    insmod ext2
    insmod search_fs_uuid
    # the UUID goes in as-is, without quotes or brackets; $boot must end up pointing at the partition that actually holds memdisk and rescue.iso
    search --fs-uuid --no-floppy --set=boot <UUID without quotes or brackets>
    linux16 ($boot)/memdisk iso raw
    # same file name as copied into /boot in step 12
    initrd16 ($boot)/rescue.iso
}
15- Now we update grub.
At this point you should be able to freely start up either encrypted OS. One thing I noticed was that VeraCrypt gives me a warning when I boot up about a potential evil maid attack because of the mucking around we did with the boot loaders. I do not know a way around this, but someone else might.
I know this is all very patchwork but this is how I was able to solve my issue. I plan to make a more detailed guide and video in the future for this. For now, I hope this helps anyone else who may be trying to do this setup.
Thank you everyone for your suggestions, they helped a lot.
Sec.
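Added example (my code, not part of Sec.'s post or of any of the linked guides): a small POSIX shell script that resolves a device name to its UUID by walking the /dev/disk/by-uuid symlinks, which is the same data the `ls -la | grep | cut` pipeline in step 7 scraped, and then prints the crypttab line from step 7 and the GRUB menuentry from step 14 from that result. The exact-match on the symlink target is the point: a plain `grep sdb1` also hits sdb10 and sdb11, and `cut -f 11` silently breaks if `ls -la` prints its columns differently. It assumes memdisk and rescue.iso sit on the /boot partition (sda1 in this layout), and it ships with a constructed by-uuid directory of made-up UUIDs so it runs offline without touching a real disk; device and file names are the post's.

```sh
#!/bin/sh
# Device -> UUID by walking by-uuid symlinks; the directory argument exists
# only so the demo can run against a constructed tree instead of /dev.
uuid_for_device() {
    dev=$1
    byuuid=${2:-/dev/disk/by-uuid}
    want=$(basename "$dev")
    for link in "$byuuid"/*; do
        [ -L "$link" ] || continue
        # the symlink target looks like ../../sdb1; compare the last path
        # component exactly, so sdb1 never matches sdb10
        [ "$(basename "$(readlink "$link")")" = "$want" ] || continue
        basename "$link"
        return 0
    done
    return 1
}

# crypttab_line NAME DEVICE [BY_UUID_DIR] -> "NAME UUID=<uuid> none luks"
crypttab_line() {
    uuid=$(uuid_for_device "$2" "$3") || return 1
    printf '%s UUID=%s none luks\n' "$1" "$uuid"
}

# rescue_menuentry BOOT_DEVICE ISO_NAME [BY_UUID_DIR]
# GRUB stanza that chainloads the VeraCrypt rescue ISO through memdisk.
# Both files live on the /boot partition, so that partition's UUID is the
# one GRUB has to search for (assumption: /boot is its own partition).
rescue_menuentry() {
    uuid=$(uuid_for_device "$1" "$3") || return 1
    cat <<EOF
menuentry "VeraCrypt ISO boot" {
    insmod part_msdos
    insmod ext2
    insmod search_fs_uuid
    search --fs-uuid --no-floppy --set=boot $uuid
    linux16 (\$boot)/memdisk iso raw
    initrd16 (\$boot)/$2
}
EOF
}

# Constructed by-uuid tree for the offline demo (UUIDs are made up). The
# UUID of sdb10 sorts before the UUID of sdb1, which is exactly the
# ordering that made the grep-based lookup pick the wrong partition.
make_fake_by_uuid() {
    dir=$(mktemp -d)
    ln -s ../../sdb10 "$dir/0e1e9a2b-0000-4000-8000-00000000000a"
    ln -s ../../sdb1  "$dir/5b6c7d8e-1111-4111-8111-111111111111"
    ln -s ../../sda1  "$dir/9f0a1b2c-2222-4222-8222-222222222222"
    printf '%s\n' "$dir"
}

# Run as "sh script.sh demo" to see the generated crypttab line and menuentry.
if [ "${1:-}" = "demo" ]; then
    d=$(make_fake_by_uuid)
    crypttab_line lvm_crypt /dev/sdb1 "$d"
    rescue_menuentry /dev/sda1 rescue.iso "$d"
    rm -rf "$d"
fi
```

On a real system, drop the directory argument and the functions read /dev/disk/by-uuid directly (inside the chroot from step 6 that works because /dev was bind-mounted); `blkid -s UUID -o value /dev/sdb1` gives the same answer in one call and is what I would actually type, but the symlink walk shows where that UUID comes from and why the text-scraping version was fragile.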