This document belongs to Manual Full System Encryption (with Extras): Detailed Process.
1. Repair swap
If you encrypted your home folder (the recommended option earlier), the Installer encrypts swap a second time (as cryptswap1) on top of the encrypted swap you already set up. This step undoes that.
Open a terminal and enter the following commands.
- The first line might take a minute or so to complete.
- The second line will return an error if you didn't encrypt your home folder; ignore the error.
sudo swapoff --all
sudo cryptsetup luksClose /dev/mapper/cryptswap1
sudo mkswap --label=swap /dev/mapper/system-swap
sudo swapon /dev/mapper/system-swap
2. Mount partitions
- mount: Make a device available via a folder.
In preparation for fixing the broken pieces, we prepare some mounts.
Reminder: Replace /dev/sdA2 with the correct partition for your ESP (as described in the naming conventions).
sudo mkdir /mnt/root
sudo mount /dev/mapper/system-root /mnt/root
cd /mnt/root
sudo mount /dev/mapper/system-boot /mnt/root/boot
sudo mount /dev/sdA2 /mnt/root/boot/efi
The next line is only if you have a separate data partition.
sudo mount /dev/mapper/data-home /mnt/root/home
Don't close the terminal until instructed otherwise!
3. Create key files
A key file is a file that holds a passphrase for the encrypted partitions. This will be used by the system where necessary; it's really only useful if you have a separate partition for your data. Don't worry about it being exposed, because the key file will be available only after the partition has been decrypted (when you type your passphrase).
In the terminal, enter the commands as instructed.
Note: For paranoid mode, you can change the number 512 in the command to 8M (which means 8,000KB). However, this is pointless, as your passphrase cannot be longer than 512 characters anyway.
Reminder: Replace /dev/sdA5 and /dev/sdB1 with the correct letter and digit (as described in the naming conventions).
For your system partition:
sudo dd if=/dev/urandom of=/mnt/root/etc/crypt.system count=1 bs=512
sudo cryptsetup luksAddKey /dev/sdA5 /mnt/root/etc/crypt.system
The last command will prompt you, "Enter any passphrase". Enter your system passphrase.
The next two lines are only if you have a separate data partition.
sudo dd if=/dev/urandom of=/mnt/root/etc/crypt.data count=1 bs=512
sudo cryptsetup luksAddKey /dev/sdB1 /mnt/root/etc/crypt.data
The last command will prompt you, "Enter any passphrase". Enter your data passphrase.
4. Fix crypttab
You will now fix a text file using the method previously outlined in How to edit a text file. This file tells Ubuntu about the encrypted partitions.
4.1. Find the system and data UUIDs
- UUID: Universally Unique Identifier. An ID that uniquely identifies any of a wide range of things, including partitions. It consists of a string of letters, digits and hyphens.
- Enter this command to list the UUIDs of the various partitions.
lsblk --fs --paths | grep -F crypto_LUKS
Here is an example.
- Do you have a separate data partition?
- Yes:
- The command lists two lines. Look at the first column to note which line is for your system partition, and which line for your data partition.
- Note the UUID (the long string of letters, digits and hyphens) for each partition. You will need to copy-and-paste these UUIDs shortly.
- No:
- The command lists one line, which is for your system partition.
- Note the UUID (the long string of letters, digits and hyphens) for the partition.
- You will need to copy-and-paste the UUID shortly.
4.2. Set crypttab
- Enter this command.
sudo rm --force /mnt/root/etc/crypttab
Press Alt+F2. In the prompt, enter this command (you can copy from here and paste in the prompt with Ctrl+V).
sudo -H gedit /mnt/root/etc/crypttab
- Do you have a separate data partition?
- Yes:
- Copy the following lines into the editor.
# <name> <source device> <key file> <options>
system UUID= /etc/crypt.system luks,discard,noearly,keyscript=/lib/cryptsetup/scripts/getinitramfskey.sh
data UUID= /etc/crypt.data luks,discard,noearly
Warning: The second line is a long line. If the editor is too narrow, it may look as though that line has been split into two. Simply drag the left or right border of the editor to make it wider.
- Using copy (from the terminal) and paste (into the editor):
Paste the system partition's UUID directly after the first "UUID=", without any spaces.
Paste the data partition's UUID directly after the second "UUID=", without any spaces.
- No:
- Copy the following lines into the editor.
# <name> <source device> <key file> <options>
system UUID= /etc/crypt.system luks,discard,noearly,keyscript=/lib/cryptsetup/scripts/getinitramfskey.sh
Warning: The second line is a long line. If the editor is too narrow, it may look as though that line has been split into two. Simply drag the left or right border of the editor to make it wider.
- Using copy (from the terminal) and paste (into the editor):
Paste the system partition's UUID directly after "UUID=", without any spaces.
- Here is an example of what it looks like. Note that the formatting on this page has split the second line into two, but in fact it should be all on one line.
# <name> <source device> <key file> <options>
system UUID=b2efcc62-738d-4317-ae75-de7f270f82bd /etc/crypt.system luks,discard,noearly,keyscript=/lib/cryptsetup/scripts/getinitramfskey.sh
data UUID=a95c1152-1197-4112-934f-1bfe28b10969 /etc/crypt.data luks,discard,noearly
- Save the file and close the editor.
4.3. For extra security
For extra security, protect the key files with the following command. It removes read and write permission from everyone; root, which is what the boot process runs as, can still read the files.
sudo chmod -rw /mnt/root/etc/crypt*
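As an added example (not code from the wiki page), the following script does the work of sections 3, 4 and 4.3 in a scratch directory so you can see what a correct result looks like: it creates a 512-byte key file, strips its permissions, checks both, and writes the one- or two-entry crypttab with the UUIDs filled in, refusing a UUID that has picked up a stray space during copy-and-paste. The luks_uuid helper and the /mnt/root/etc paths are what you would use on the live system; the UUIDs in the demonstration are the page's own example values, and the scratch directory is an assumption of the example.

```shell
#!/bin/sh
# Added example, not code from the wiki page: create a key file the way
# sections 3 and 4.3 do, verify its size and permissions, and write the
# crypttab layouts from section 4 with the UUIDs filled in. Everything here
# runs in a scratch directory; on the live system the key files are
# /mnt/root/etc/crypt.* and the UUIDs come from `lsblk --fs --paths`.

KEYSCRIPT=/lib/cryptsetup/scripts/getinitramfskey.sh   # keyscript path used on the page

# make_keyfile FILE: 512 random bytes, then strip read/write from every
# permission class (same effect as the page's `chmod -rw`). Root ignores
# these bits, so the initramfs can still read the file after unlocking.
make_keyfile() {
    dd if=/dev/urandom of="$1" count=1 bs=512 2>/dev/null || return 1
    chmod a-rw "$1"
}

# keyfile_ok FILE: succeed only when the file is exactly 512 bytes and has
# no permission bits at all (stat needs no read access, unlike wc).
keyfile_ok() {
    [ "$(stat -c %s "$1")" -eq 512 ] && [ "$(stat -c %a "$1")" = 0 ]
}

# valid_uuid STRING: the 8-4-4-4-12 lowercase hex form lsblk prints for LUKS.
valid_uuid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# luks_uuid DEVICE: UUID of a LUKS container on a live system (not used below).
luks_uuid() {
    lsblk --nodeps --noheadings --output UUID "$1"
}

# crypttab_line NAME UUID KEYFILE OPTIONS: one entry; a malformed UUID
# (stray space, missing digit) is rejected instead of breaking the boot.
crypttab_line() {
    valid_uuid "$2" || { echo "crypttab: bad UUID for $1: '$2'" >&2; return 1; }
    printf '%s UUID=%s %s %s\n' "$1" "$2" "$3" "$4"
}

# write_crypttab OUT SYSTEM_UUID [DATA_UUID]: the page's one- or two-entry file.
write_crypttab() {
    {
        echo '# <name> <source device> <key file> <options>'
        crypttab_line system "$2" /etc/crypt.system \
            "luks,discard,noearly,keyscript=$KEYSCRIPT" || return 1
        if [ -n "${3:-}" ]; then
            crypttab_line data "$3" /etc/crypt.data luks,discard,noearly || return 1
        fi
    } > "$1"
}

# Demonstration in a temporary directory, using the page's example UUIDs.
demo() {
    work=$(mktemp -d) || return 1
    make_keyfile "$work/crypt.system" && keyfile_ok "$work/crypt.system" \
        && echo "key file ok: $(stat -c '%s bytes, mode %a' "$work/crypt.system")"
    write_crypttab "$work/crypttab" \
        b2efcc62-738d-4317-ae75-de7f270f82bd a95c1152-1197-4112-934f-1bfe28b10969
    cat "$work/crypttab"
    # A UUID with a leading space is the classic copy-and-paste mistake.
    write_crypttab "$work/bad" ' b2efcc62-738d-4317-ae75-de7f270f82bd' \
        || echo "rejected malformed UUID"
    rm -rf "$work"
}
demo
```

On the live system you would call write_crypttab with /mnt/root/etc/crypttab as the output and the values of luks_uuid /dev/sdA5 (and luks_uuid /dev/sdB1 if you have a data partition) as the UUIDs, then run keyfile_ok against /mnt/root/etc/crypt.system to confirm the chmod took effect.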
5. Fix fstab
The file fstab tells Ubuntu how to mount devices. You will be fixing it if the Installer got it wrong.
Press Alt+F2. In the prompt, enter this command (you can copy from here and paste in the prompt with Ctrl+V).
sudo -H gedit /mnt/root/etc/fstab
- The contents should look something like the following mess.
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/system-root / ext4 errors=remount-ro 0 1
/dev/mapper/system-boot /boot ext3 defaults 0 2
# /boot/efi was on /dev/sda2 during installation
UUID=E4B5-2056 /boot/efi vfat umask=0077 0 1
/dev/mapper/data-home /home ext4 defaults 0 2
#/dev/mapper/system-swap none swap sw 0 0
/dev/mapper/cryptswap1 none swap sw 0 0
5.1. Check the ESP
Look at the line containing /boot/efi vfat. The line begins with UUID=. The UUID should already be correct, but check it anyway by entering the following command.
lsblk --fs --paths | grep -F vfat
If more than one line is displayed, choose the one for your ESP partition. (You previously determined it and then used it in the installation.)
If the UUID in fstab is incorrect, replace the UUID with the correct one.
5.2. Fix the swap
If you didn't choose to encrypt your home folder, this section won't apply to you.
See the last two lines. One has # in front of it (which means to ignore it) and the other doesn't.
The line with system-swap is correct, so it shouldn't be ignored, while the line with cryptswap1 is incorrect, so it should be ignored.
- Therefore, swap the '#' so that the last two lines look like this:
/dev/mapper/system-swap none swap sw 0 0
#/dev/mapper/cryptswap1 none swap sw 0 0
5.3. Save the results
Save the file (if changed) and close the editor.
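Section 5 asks you to verify two things by eye. The following script, an added example rather than anything from the wiki page, checks the same two things mechanically: that the /boot/efi line carries the UUID lsblk reports for the vfat partition, and that system-swap is the only active swap entry with cryptswap1 commented out. It also performs the swap edit from 5.2 with sed. The fstab text is a copy of the page's sample, the lsblk line is constructed, and the scratch directory is an assumption; on the live system you would point the functions at /mnt/root/etc/fstab and the real lsblk output.

```shell
#!/bin/sh
# Added example, not from the wiki page: verify the ESP UUID and the swap
# entries in an fstab the way section 5 describes, and apply the 5.2 edit.
# FSTAB_BEFORE is the page's sample; LSBLK_VFAT is a constructed line in the
# shape of `lsblk --fs --paths | grep -F vfat`.

# active_entries FILE: fstab lines minus comments and blanks, blanks squeezed.
active_entries() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | tr -s '[:blank:]' ' '
}

# active_swaps FILE: device column of every active swap entry.
active_swaps() {
    active_entries "$1" | awk '$3 == "swap" { print $1 }'
}

# swap_ok FILE: exactly one active swap entry, and it is system-swap.
swap_ok() {
    [ "$(active_swaps "$1")" = "/dev/mapper/system-swap" ]
}

# fstab_esp_uuid FILE: the UUID on the /boot/efi line (empty if absent).
fstab_esp_uuid() {
    active_entries "$1" | awk '$2 == "/boot/efi" { sub(/^UUID=/, "", $1); print $1 }'
}

# lsblk_vfat_uuid LINE: pull the XXXX-XXXX vfat UUID out of an lsblk line,
# so an empty LABEL column cannot shift the field positions.
lsblk_vfat_uuid() {
    printf '%s\n' "$1" | grep -Eo '[0-9A-F]{4}-[0-9A-F]{4}' | head -n 1
}

# esp_ok FILE LSBLK_LINE: fstab's ESP UUID equals the one lsblk reports.
esp_ok() {
    want=$(lsblk_vfat_uuid "$2")
    [ -n "$want" ] && [ "$(fstab_esp_uuid "$1")" = "$want" ]
}

# fix_swap FILE: the edit from 5.2, written to stdout: uncomment system-swap,
# comment out cryptswap1. A no-op on a file that is already correct.
fix_swap() {
    sed -e 's|^#\(/dev/mapper/system-swap[[:space:]]\)|\1|' \
        -e 's|^\(/dev/mapper/cryptswap1[[:space:]]\)|#\1|' "$1"
}

# Constructed: the installer's fstab as shown on the page.
FSTAB_BEFORE='# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/system-root / ext4 errors=remount-ro 0 1
/dev/mapper/system-boot /boot ext3 defaults 0 2
# /boot/efi was on /dev/sda2 during installation
UUID=E4B5-2056 /boot/efi vfat umask=0077 0 1
/dev/mapper/data-home /home ext4 defaults 0 2
#/dev/mapper/system-swap none swap sw 0 0
/dev/mapper/cryptswap1 none swap sw 0 0'

# Constructed line in the shape of `lsblk --fs --paths | grep -F vfat`.
LSBLK_VFAT='/dev/sda2 vfat FAT32 E4B5-2056 505M 2% /boot/efi'

demo() {
    work=$(mktemp -d) || return 1
    printf '%s\n' "$FSTAB_BEFORE" > "$work/fstab"
    if swap_ok "$work/fstab"; then echo "swap ok"
    else echo "swap wrong, active: $(active_swaps "$work/fstab" | tr '\n' ' ')"; fi
    fix_swap "$work/fstab" > "$work/fstab.fixed"
    swap_ok "$work/fstab.fixed" && echo "swap ok after fix"
    esp_ok "$work/fstab.fixed" "$LSBLK_VFAT" && echo "ESP UUID matches lsblk"
    rm -rf "$work"
}
demo
```

To apply the fix on the live file, run fix_swap on /mnt/root/etc/fstab into a temporary file, check it with swap_ok and esp_ok, and only then copy it over the original.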
6. Enable hibernation
Press Alt+F2. In the prompt, enter this command (you can copy from here and paste in the prompt with Ctrl+V).
sudo -H gedit /mnt/root/etc/polkit-1/localauthority/50-local.d/com.ubuntu.enable-hibernate.pkla
- Copy the following lines into the editor. Note the blank line in the middle.
[Re-enable hibernate by default in upower]
Identity=unix-user:*
Action=org.freedesktop.upower.hibernate
ResultActive=yes

[Re-enable hibernate by default in logind]
Identity=unix-user:*
Action=org.freedesktop.login1.hibernate;org.freedesktop.login1.hibernate-multiple-sessions
ResultActive=yes
- Save the file and close the editor.
7. Enable hybrid suspend
This step is optional, and enables hybrid suspend. Unfortunately, it does not work on all hardware, but there is no harm in trying.
This does not change the action of "Suspend" from the drop-down menu. It only changes the action of a physical sleep button or closing the lid of your computer. You can manually enact it with sudo pm-suspend-hybrid, for which you can make a standard menu entry, or a keyboard shortcut. Refer to Support in Troubleshooting for how to ask for help.
7.1. Check that hybrid suspend is supported on your hardware.
Enter the following command in the terminal.
sudo pm-is-supported --suspend-hybrid && echo yes || echo no
- If the result reads, "sudo: pm-is-supported: command not found":
- Install pm-utils with the following command:
sudo apt install pm-utils
- Then try again.
- If the result reads "yes", your hardware supports hybrid suspend and you can continue.
If the result reads "no" or is an error, skip this part and continue with Set default Grub.
7.2. Fix logind.conf
Press Alt+F2. In the prompt, enter this command (you can copy from here and paste in the prompt with Ctrl+V).
sudo -H gedit /mnt/root/etc/systemd/logind.conf
- The file contains a number of lines, including the following two (not necessarily next to each other).
#HandleSuspendKey=suspend
#HandleLidSwitch=suspend
They should both have # in front of them.
- At the end of the file, add these two lines.
HandleSuspendKey=hybrid-sleep
HandleLidSwitch=hybrid-sleep
- Save the file and close the editor.
8. Set default Grub
Grub is the name of the application that gets the system going when you turn on the computer. The Installer has not properly installed the Grub defaults, so you will fix them here.
Press Alt+F2. In the prompt, enter this command (you can copy from here and paste in the prompt with Ctrl+V).
sudo -H gedit /mnt/root/etc/default/grub
- Find the following line and add '#' in front of it.
GRUB_HIDDEN_TIMEOUT=0
- Find the following line and change "true" to "false".
GRUB_HIDDEN_TIMEOUT_QUIET=true
- Add the following line to the end of the file.
GRUB_ENABLE_CRYPTODISK=y
- Save the file and close the editor.
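The edits in sections 7.2 and 8 are all of one kind: deactivate a setting, change a setting in place, or add one at the end of a key=value file. The following script, an added example rather than anything from the wiki page, performs them on copies of the two files and reads back the effective value so you can confirm the result before rebooting; running it twice leaves no duplicate active settings behind. The sample file contents are constructed, the scratch directory is an assumption, and the live paths are /mnt/root/etc/systemd/logind.conf and /mnt/root/etc/default/grub as named above.

```shell
#!/bin/sh
# Added example, not from the wiki page: the logind.conf and grub edits from
# sections 7.2 and 8 as repeatable key=value operations. LOGIND_SAMPLE and
# GRUB_SAMPLE are constructed excerpts; on the live system pass the real
# files (or copies of them) to fix_logind and fix_grub.

# get_kv FILE KEY: the effective value, i.e. the last active KEY= line.
# Commented lines such as "#HandleLidSwitch=suspend" do not count.
get_kv() {
    awk -v k="$2" -F= '$1 == k { v = substr($0, length(k) + 2) } END { print v }' "$1"
}

# comment_kv FILE KEY: put '#' in front of every active KEY= line, in place
# (section 8: GRUB_HIDDEN_TIMEOUT). Does not touch KEY_OTHER= lines.
comment_kv() {
    sed -i "s/^\($2=\)/#\1/" "$1"
}

# replace_kv FILE KEY VALUE: change the value of an active KEY= line in place
# (section 8: GRUB_HIDDEN_TIMEOUT_QUIET true -> false).
replace_kv() {
    sed -i "s/^\($2=\).*/\1$3/" "$1"
}

# set_kv FILE KEY VALUE: comment out any active KEY= line, then append
# KEY=VALUE at the end (section 7.2's two lines, section 8's CRYPTODISK).
set_kv() {
    comment_kv "$1" "$2"
    printf '%s=%s\n' "$2" "$3" >> "$1"
}

# fix_logind FILE: section 7.2.
fix_logind() {
    set_kv "$1" HandleSuspendKey hybrid-sleep
    set_kv "$1" HandleLidSwitch hybrid-sleep
}

# fix_grub FILE: section 8.
fix_grub() {
    comment_kv "$1" GRUB_HIDDEN_TIMEOUT
    replace_kv "$1" GRUB_HIDDEN_TIMEOUT_QUIET false
    set_kv "$1" GRUB_ENABLE_CRYPTODISK y
}

# Constructed excerpts of the two files as the installer leaves them.
LOGIND_SAMPLE='[Login]
#NAutoVTs=6
#HandleSuspendKey=suspend
#HandleHibernateKey=hibernate
#HandleLidSwitch=suspend'

GRUB_SAMPLE='GRUB_DEFAULT=0
GRUB_HIDDEN_TIMEOUT=0
GRUB_HIDDEN_TIMEOUT_QUIET=true
GRUB_TIMEOUT=10
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
GRUB_CMDLINE_LINUX=""'

demo() {
    work=$(mktemp -d) || return 1
    printf '%s\n' "$LOGIND_SAMPLE" > "$work/logind.conf"
    printf '%s\n' "$GRUB_SAMPLE" > "$work/grub"
    fix_logind "$work/logind.conf"
    fix_logind "$work/logind.conf"   # second run: still one active line per key
    fix_grub "$work/grub"
    echo "lid switch -> $(get_kv "$work/logind.conf" HandleLidSwitch)"
    echo "active HandleLidSwitch lines: $(grep -c '^HandleLidSwitch=' "$work/logind.conf")"
    echo "hidden timeout -> '$(get_kv "$work/grub" GRUB_HIDDEN_TIMEOUT)' (empty means commented out)"
    echo "quiet -> $(get_kv "$work/grub" GRUB_HIDDEN_TIMEOUT_QUIET)"
    echo "cryptodisk -> $(get_kv "$work/grub" GRUB_ENABLE_CRYPTODISK)"
    rm -rf "$work"
}
demo
```

get_kv is the check worth keeping: after editing the live files, get_kv /mnt/root/etc/default/grub GRUB_ENABLE_CRYPTODISK should print y and get_kv on GRUB_HIDDEN_TIMEOUT should print nothing.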
9. Continue
Return to Detailed Process and continue from there.