Hi,
Still evaluating your method.
In the meantime, can you tell me which lines to remove from the 4th script if I don't want SWAP at all?
Thanks
Linux Mint 22 and LMDE 6 Full Disk Encryption - Using LUKS2, SecureBoot & TPM 2.0+PIN
Forum rules
Don't add support questions to tutorials; start your own topic in the appropriate sub-forum instead. Before you post read forum rules
Re: Linux Mint 22 and LMDE 6 Full Disk Encryption - Using LUKS2, SecureBoot & TPM 2.0+PIN
Hello linux22 and thank you very much for your tutorial.
I come from a dual boot W10 bitlocked + kubuntu with luks2 that I installed in 2021 following this tutorial https://bruceoutdoors.wordpress.com/202 ... dual-boot/
However, every now and then a random update would break my Kubuntu, and reading your tutorials gave me hope to go and try again, as you seem to have struggled with and overcome the same issues.
I tried following your tutorial but unfortunately I cannot get the disk partition prerequisites right; I lack experience with first installs, sadly. I did try to go ahead with the commands but couldn't get it right, and I am not sure whether, if I ran the wizard, it would create something related to boot that is not desirable here.
EDIT: My problems come from having an NVMe disk instead of SATA. I guess I would have to substitute the commands with something similar to:
nvme0n1 where sda is
nvme0n1p1 where sda1 is
nvme0n1p2 where sda2 is
etc
but I am not sure if that will be all.
-deleted this paragraph as I saw in other of your posts you want to keep your tutorials for the essential -
As a last note, I will say that an encrypted disk is pretty much step 0 on every corporate Windows laptop, and that despite a strange lack of interest in most of the community, I can assure you that you do a great job in filling this knowledge gap for us. Thank you so much in advance!
Re: Linux Mint 22 and LMDE 6 Full Disk Encryption - Using LUKS2, SecureBoot & TPM 2.0+PIN
Hello darkon11, I have read your post.
Today almost all Linux distros do not care about installing a swap device or not.
So, if you want to install the Linux Mint FDE system without swap you must:
1) remove the package 'systemd-zram-generator' from the 11th terminal command of the 4th script, i.e. substitute the terminal command:
'sudo chroot /mnt apt install -y cryptsetup efibootmgr binutils systemd-boot systemd-boot-efi systemd-zram-generator gawk zstd'
... with the terminal command
'sudo chroot /mnt apt install -y cryptsetup efibootmgr binutils systemd-boot systemd-boot-efi gawk zstd'
2) remove the terminal commands from the 12th to the 20th of the 4th script, i.e. the following lines:
echo "zram-size = ram / 3" | sudo chroot /mnt tee -a /etc/systemd/zram-generator.conf
echo "compression-algorithm = zstd" | sudo chroot /mnt tee -a /etc/systemd/zram-generator.conf
echo "swap-priority = 100" | sudo chroot /mnt tee -a /etc/systemd/zram-generator.conf
echo "# /etc/sysctl.d/99-vm-zram-parameters.conf" | sudo chroot /mnt tee -a /etc/sysctl.d/99-vm-zram-parameters.conf
echo "vm.swappiness = 180" | sudo chroot /mnt tee -a /etc/sysctl.d/99-vm-zram-parameters.conf
echo "vm.watermark_boost_factor = 0" | sudo chroot /mnt tee -a /etc/sysctl.d/99-vm-zram-parameters.conf
echo "vm.watermark_scale_factor = 125" | sudo chroot /mnt tee -a /etc/sysctl.d/99-vm-zram-parameters.conf
echo "vm.page-cluster = 0" | sudo chroot /mnt tee -a /etc/sysctl.d/99-vm-zram-parameters.conf
echo "RESUME=none" | sudo chroot /mnt tee -a /etc/initramfs-tools/conf.d/resume
That is all.
Regards.
linux22
Coming soon.. the answer for iorgnix
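The two edits linux22 lists above, as an added shell example that is not part of the tutorial's scripts: it applies them to the text of the 4th script with sed and then checks that the result mentions no zram setting while still installing the packages the FDE boot chain needs. The function names `drop_zram_setup`, `check_no_swap_script` and `sample_script` are my own; the sample input embedded in the block is the 11th to 20th commands exactly as quoted in the post, used here as test data. Review the difference between the original and the filtered script (for example with `diff`) before running the filtered copy.

```shell
#!/bin/sh
# Added example, not part of linux22's scripts: apply the two edits from the
# post mechanically to the text of the 4th script and check the result.

# drop_zram_setup: reads the script on stdin and writes the no-swap variant:
#   1) drops the 'systemd-zram-generator' package from the apt install line;
#   2) deletes every line that appends to zram-generator.conf, to
#      99-vm-zram-parameters.conf, or to the initramfs-tools resume file.
drop_zram_setup() {
    sed -e 's/ systemd-zram-generator / /' \
        -e 's/ systemd-zram-generator$//' \
        -e '/\/etc\/systemd\/zram-generator\.conf/d' \
        -e '/99-vm-zram-parameters\.conf/d' \
        -e '/\/etc\/initramfs-tools\/conf\.d\/resume/d'
}

# check_no_swap_script: returns 0 when the script text on stdin no longer
# mentions zram at all and still installs cryptsetup and systemd-boot,
# i.e. the edit removed only the swap setup and not the FDE boot chain.
check_no_swap_script() {
    text=$(cat)
    if printf '%s\n' "$text" | grep -qi 'zram'; then
        return 1
    fi
    printf '%s\n' "$text" | grep -q 'apt install .*cryptsetup' || return 1
    printf '%s\n' "$text" | grep -q 'systemd-boot'
}

# sample_script: the 11th to 20th commands of the 4th script as quoted in
# the post above, embedded here as sample input for the demo and the checks.
sample_script() {
    cat <<'EOF'
sudo chroot /mnt apt install -y cryptsetup efibootmgr binutils systemd-boot systemd-boot-efi systemd-zram-generator gawk zstd
echo "zram-size = ram / 3" | sudo chroot /mnt tee -a /etc/systemd/zram-generator.conf
echo "compression-algorithm = zstd" | sudo chroot /mnt tee -a /etc/systemd/zram-generator.conf
echo "swap-priority = 100" | sudo chroot /mnt tee -a /etc/systemd/zram-generator.conf
echo "# /etc/sysctl.d/99-vm-zram-parameters.conf" | sudo chroot /mnt tee -a /etc/sysctl.d/99-vm-zram-parameters.conf
echo "vm.swappiness = 180" | sudo chroot /mnt tee -a /etc/sysctl.d/99-vm-zram-parameters.conf
echo "vm.watermark_boost_factor = 0" | sudo chroot /mnt tee -a /etc/sysctl.d/99-vm-zram-parameters.conf
echo "vm.watermark_scale_factor = 125" | sudo chroot /mnt tee -a /etc/sysctl.d/99-vm-zram-parameters.conf
echo "vm.page-cluster = 0" | sudo chroot /mnt tee -a /etc/sysctl.d/99-vm-zram-parameters.conf
echo "RESUME=none" | sudo chroot /mnt tee -a /etc/initramfs-tools/conf.d/resume
EOF
}

# Demo: print the filtered sample. On a real copy of the 4th script run
#   drop_zram_setup < script4.sh > script4-noswap.sh
sample_script | drop_zram_setup
```

Only the install line survives the filter, with the zram package gone; the nine configuration lines are removed because each of them names one of the three files the post lists.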
Re: Linux Mint 22 and LMDE 6 Full Disk Encryption - Using LUKS2, SecureBoot & TPM 2.0+PIN
OK, here are some (sparse) thoughts about your method:
1. Thanks. As an (old) programmer myself I see how much work there's behind all this.
2. It's a very long (and complicated) method. I suggest users that want more control on the output to put this line:
trap 'read -p "run: $BASH_COMMAND"' DEBUG
at the beginning of the scripts so to execute them line by line.
3. Boot is slower (and uglier) than the old method (UEFI + GPT).
4. RAM usage is 200/300 MB more on average. But not setting up swap (by deleting lines in the 4th script), usage is pretty much the same.
Final consideration:
I can't judge if this method has real security advantages over the other one. For me I will stick with the old that I consider more straightforward.
I suggest users that want to try this one to do it without swap (that is irrelevant in modern systems).
Regards and thanks again.
Re: Linux Mint 22 and LMDE 6 Full Disk Encryption - Using LUKS2, SecureBoot & TPM 2.0+PIN
Hello iorgnix, I have read your post.
Installing a Linux Mint FDE system alongside Windows is a very challenging task, because:
1) often you must resize the ESP partition or create a Linux Extended Boot Partition (a.k.a. XBOOTLDR)
2) you must set up your system with UKI boot files if you want to deal with LUKS2 without restrictions
3) you must set up and enable Secure Boot with keys (PK, KEK, CA, DB, DBX, etc.) coming from both 'Your Own Custom Keys' and Microsoft
You can read about my solutions concerning these problems by reading the following tutorials:
'Dual boot for Linux Mint 20.X Full Disk Encryption with EFI STUB loader + Windows 10' - https://community.linuxmint.com/tutorial/view/2191
'How to enable UEFI Secure Boot with your own Custom keys on PC with UEFI & HDD with GPT' - https://community.linuxmint.com/tutorial/view/2496
I cannot speak about the new versions of Windows 10 and 11 with BitLocker requesting a TPM because I have never experimented with these configurations.
I am quite worried about the possibility of sharing a TPM between a Windows system with BitLocker and a Linux FDE system because I fear/suspect that
Windows takes full control of the TPM and does not grant permission to deal with it to any applications but its own.
Regards.
linux22
P.S.
The configuration depicted in my tutorial 'Linux Mint 22 Full Disk Encryption, booting with UKI.pdf' using an NVMe device probably needs the following
configuration (which is also my PC configuration):
/dev/nvme0n1 ------ nvme disk
/dev/nvme0n1p1 --- ESP partition
/dev/nvme0n1p2 --- ENCRYPTED LUKS2 partition for root filesystem
Coming soon.. the answer for darkon11
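For darkon11's NVMe question and the P.S. above, here is an added shell example (not part of linux22's tutorial scripts) that encodes the kernel's partition-naming rule and rewrites a script's /dev/sda references for another disk. It generalises beyond the two disk types named in the thread: any block device whose name ends in a digit (nvme0n1, mmcblk0, loop0) gets a 'p' separator before the partition number, while sdX-style names get the number appended directly. The function names `part_name` and `rewrite_for_disk` and the three demo lines are my own constructs; before running a rewritten script, confirm with `lsblk` that the target disk is really the one you intend to wipe.

```shell
#!/bin/sh
# Added example (not from the tutorial or from linux22's scripts).
# Linux names partitions by appending the partition number to the disk name,
# unless the disk name itself ends in a digit (nvme0n1, mmcblk0, loop0); then
# a 'p' separator is inserted: /dev/sda -> /dev/sda1, /dev/nvme0n1 -> /dev/nvme0n1p1.

# part_name DISK NUMBER: prints the partition device path for DISK.
part_name() {
    disk="$1"
    num="$2"
    case "$disk" in
        *[0-9]) printf '%sp%s\n' "$disk" "$num" ;;
        *)      printf '%s%s\n' "$disk" "$num" ;;
    esac
}

# rewrite_for_disk DISK: reads script text on stdin and replaces the
# tutorial's /dev/sda, /dev/sda1, /dev/sda2, ... with the names for DISK.
# Partition references are rewritten first, then the bare disk reference.
rewrite_for_disk() {
    disk="$1"
    case "$disk" in
        *[0-9]) sep="p" ;;
        *)      sep="" ;;
    esac
    sed -e "s#/dev/sda\([0-9][0-9]*\)#${disk}${sep}\1#g" \
        -e "s#/dev/sda#${disk}#g"
}

# Demo on three constructed lines in the tutorial's style (not the real script).
# On a real copy:  rewrite_for_disk /dev/nvme0n1 < script.sh > script-nvme.sh
printf '%s\n' 'mkfs.vfat -F32 /dev/sda1' \
              'cryptsetup luksFormat /dev/sda2' \
              'sgdisk -p /dev/sda' \
    | rewrite_for_disk /dev/nvme0n1
```

The demo prints the three lines with /dev/nvme0n1p1, /dev/nvme0n1p2 and /dev/nvme0n1 in place of the SATA names, which matches the mapping darkon11 guessed; the same function handles a second SATA disk (/dev/sdb) without inserting the separator.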
Re: Linux Mint 22 and LMDE 6 Full Disk Encryption - Using LUKS2, SecureBoot & TPM 2.0+PIN
Hello darkon11, I have read your post.
This new configuration has the same security level and performance as all the others using the scheme: LUKS2+UKI+SECUREBOOT+TPM2+PIN
Here the only differences are:
1) swap over zram, which has no influence on security level or performance
2) some extra packages needed for a smooth installation of Linux Mint 22
Anyway, we can install the FDE system with a standard encrypted swap over an HDD/SSD partition (see my previous tutorials) or without swap at all,
especially if we have enough RAM (16 GB or more).
The configuration of my last tutorials is quite long and very complicated because I must deal with 'dracut' instead of 'initramfs-tools'.
Indeed the standard Linux Mint (and Debian) package 'initramfs-tools' cannot yet deal with LUKS2 unlock via TPM chip.
So I have had to uninstall 'initramfs-tools' and install 'dracut', which from version 059 onwards supports LUKS2 unlocking via TPM chip.
I know I repeat myself but, although I must admit that 'dracut' is VERY cool, I still do not like it. It is too 'low level' for me.
It does its job using binary executables that you cannot analyze step by step, unless you go and read its source files.
I prefer initramfs builders like 'update-initramfs' or 'mkinitcpio' with their structure built over bash scripts, where you can read
what happens step by step.
I do not like 'dracut' so much but I must admit that with its simple and efficient configuration files it is conquering my appreciation
more and more...
Thank you for your useful advice concerning the tracing command: trap 'read -p "run: $BASH_COMMAND"' DEBUG
Regards.
linux22
Re: Linux Mint 22 and LMDE 6 Full Disk Encryption - Using LUKS2, SecureBoot & TPM 2.0+PIN
Hello and thanks for your reply,
linux22 wrote: Wed Sep 04, 2024 10:20 am
Hello iorgnix, I have read your post.
Installing a Linux Mint FDE system alongside Windows is a very challenging task, because:
1) often you must resize the ESP partition or create a Linux Extended Boot Partition (a.k.a. XBOOTLDR)
2) you must set up your system with UKI boot files if you want to deal with LUKS2 without restrictions
3) you must set up and enable Secure Boot with keys (PK, KEK, CA, DB, DBX, etc.) coming from both 'Your Own Custom Keys' and Microsoft
You can read about my solutions concerning these problems by reading the following tutorials:
'Dual boot for Linux Mint 20.X Full Disk Encryption with EFI STUB loader + Windows 10' - https://community.linuxmint.com/tutorial/view/2191
'How to enable UEFI Secure Boot with your own Custom keys on PC with UEFI & HDD with GPT' - https://community.linuxmint.com/tutorial/view/2496
I cannot speak about the new versions of Windows 10 and 11 with BitLocker requesting a TPM because I have never experimented with these configurations.
I am quite worried about the possibility of sharing a TPM between a Windows system with BitLocker and a Linux FDE system because I fear/suspect that
Windows takes full control of the TPM and does not grant permission to deal with it to any applications but its own.
Regards.
linux22
P.S.
The configuration depicted in my tutorial 'Linux Mint 22 Full Disk Encryption, booting with UKI.pdf' using an NVMe device probably needs the following
configuration (which is also my PC configuration):
/dev/nvme0n1 ------ nvme disk
/dev/nvme0n1p1 --- ESP partition
/dev/nvme0n1p2 --- ENCRYPTED LUKS2 partition for root filesystem
Coming soon.. the answer for darkon11
I meant to say that the dual boot was my previous setup, which I dropped for a single Linux install. And my current issue is that your scripts are based on SATA, unlike any modern laptop, but you addressed it in your postscript, thanks.
By the way, Ubuntu now has an FDE-with-TPM solution integrated in its latest installer; you may want to give it a check.
Re: Linux Mint 22 and LMDE 6 Full Disk Encryption - Using LUKS2, SecureBoot & TPM 2.0+PIN
Hello iorgnix, I have read your post.
In my modest opinion, installing a Linux Mint FDE system alone is the best solution, if you really want to abandon Windows.
This leads us to also look for all replacement software for Windows programs and determine the definitive abandonment
of Windows and other Microsoft products.
As for the latest Ubuntu configuration dealing with FDE and TPM, I do not care about it so much.
It seems that installing Ubuntu with FDE and TPM is quite difficult. I tried it repeatedly but the installation aborted every time.
In any case, it may be interesting to try the installation, when and if possible, to examine the method they have implemented
to unlock the FDE disk at startup using the TPM chip.
Anyway, since Canonical introduced the 'snap' package manager I no longer deal with Ubuntu-related distributions, as I
believe this approach is wrong and potentially harmful, leading to the same closed proprietary software policies as those of
Microsoft. For more information see: https://linuxmint-user-guide.readthedoc ... /snap.html
For some time now, I have been focusing my interest on Linux Mint Debian Edition - LMDE 6.
Regards.
linux22