This document belongs to Manual Full System Encryption (with Extras): Detailed Process.

1. Mount partitions

mount
Make a device available via a folder.

In preparation for fixing the broken pieces, we prepare some mounts.

Reminder: Replace /dev/sdA2 with the correct partition for your ESP (as described in the naming conventions).

sudo mkdir /mnt/root
sudo mount /dev/mapper/system-root /mnt/root
cd /mnt/root
sudo mount /dev/mapper/system-boot /mnt/root/boot
sudo mount /dev/sdA2 /mnt/root/boot/efi

The next line is only if you have a separate data partition.

sudo mount /dev/mapper/data-home /mnt/root/home

Don't close the terminal until instructed otherwise!

2. Create key files

A key file is a file that holds a passphrase for the encrypted partitions. The system uses it where necessary; it's really only useful if you have a separate partition for your data. Don't worry about it being exposed: the key file lives on the encrypted system partition, so it is readable only after that partition has been decrypted (when you type your passphrase).

In the terminal, enter the commands as instructed.


For paranoid mode, you can change the number 512 in the dd command (bs=512) to 8M (which means 8,000KB). However, this is pointless, as your passphrase cannot be longer than 512 characters anyway.

Reminder: Replace /dev/sdA5 and /dev/sdB1 with the correct letter and digit (as described in the naming conventions).

For your system partition:

sudo dd if=/dev/urandom of=/mnt/root/etc/crypt.system count=1 bs=512
sudo cryptsetup luksAddKey /dev/sdA5 /mnt/root/etc/crypt.system

The last command will prompt you, "Enter any existing passphrase". Enter your system passphrase.

If you get the error, "No key available with this passphrase," despite repeated careful attempts, see the warning about keyboards in Choosing a passphrase and password.


The next two lines are only if you have a separate data partition.

sudo dd if=/dev/urandom of=/mnt/root/etc/crypt.data count=1 bs=512
sudo cryptsetup luksAddKey /dev/sdB1 /mnt/root/etc/crypt.data

The last command will prompt you, "Enter any existing passphrase". Enter your data passphrase.

If you get the error, "No key available with this passphrase," despite repeated careful attempts, see the warning about keyboards in Choosing a passphrase and password.

3. Create crypttab

You will now create a text file using the method previously outlined in How to edit a text file. This file tells Ubuntu about the encrypted partitions.

3.1. Find the system and data UUIDs

UUID
Universally Unique Identifier: an identifier that uniquely identifies any of a wide range of things, including partitions. It consists of letters, digits and hyphens.


  • Enter this command to list the UUIDs of the various partitions.
    lsblk --fs --paths | grep -F crypto_LUKS
    Here is an example.

    [Screenshot: lsblk-cryptsetup.png]

  • Do you have a separate data partition?
    • Yes:
      • The command lists two lines. Look at the first column to note which line is for your system partition, and which line for your data partition.
      • Note the UUID (the long string of letters, digits and hyphens) for each partition. You will need to copy-and-paste these UUIDs shortly.
    • No:
      • The command lists one line, which is for your system partition.
      • Note the UUID (the long string of letters, digits and hyphens) for the partition.
      • You will need to copy-and-paste the UUID shortly.

3.2. Set crypttab

  • Enter this command.
    sudo rm --force /mnt/root/etc/crypttab
  • Press Alt+F2. In the prompt, enter this command (you can copy from here and paste in the prompt with Ctrl+V).

    sudo -H gedit /mnt/root/etc/crypttab
  • Do you have a separate data partition?
    • Yes:
      • Copy the following lines into the editor.

        #<name> <source device>                           <key file>        <options>
        system UUID= /etc/crypt.system luks,discard,noearly,keyscript=/lib/cryptsetup/scripts/getinitramfskey.sh
        data   UUID= /etc/crypt.data   luks,discard,noearly

      • Warning: The second line is long; if the editor window is narrow, it may look as though it has been split into two lines, but it is a single line. Drag the left or right border of the editor to make it wider if necessary.

      • Using copy (from the terminal) and paste (into the editor):
        • Paste the system partition's UUID after the first "UUID=" but without any spaces.

        • Paste the data partition's UUID after the second "UUID=" but without any spaces.

    • No:
      • Copy the following lines into the editor.

        #<name> <source device>                           <key file>        <options>
        system UUID= /etc/crypt.system luks,discard,noearly,keyscript=/lib/cryptsetup/scripts/getinitramfskey.sh

      • Warning: The second line is long; if the editor window is narrow, it may look as though it has been split into two lines, but it is a single line. Drag the left or right border of the editor to make it wider if necessary.

      • Using copy (from the terminal) and paste (into the editor):
        • Paste the system partition's UUID after the first UUID= but without any spaces.

  • Here is an example of what it looks like. Note that the formatting on this page has split the second line into two, but in fact it should be all on one line.
    #<name> <source device>                           <key file>        <options>
    system UUID=b2efcc62-738d-4317-ae75-de7f270f82bd /etc/crypt.system luks,discard,noearly,keyscript=/lib/cryptsetup/scripts/getinitramfskey.sh
    data   UUID=a95c1152-1197-4112-934f-1bfe28b10969 /etc/crypt.data   luks,discard,noearly
  • Save the file and close the editor.
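The following shell script is an added example and is not part of the wiki page's own instructions. It covers steps 3.1 and 3.2 together: it reads the output of lsblk --fs --paths and builds the crypttab lines shown above, so the UUIDs never have to be retyped by hand. The device paths /dev/sda5 and /dev/sdb1 in the embedded sample are constructed (they stand in for /dev/sdA5 and /dev/sdB1), the UUIDs are the example values from this page, and the sample includes the tree glyphs that lsblk prints in front of partition names. The key-file names and options are the ones this page uses.

```shell
#!/bin/sh
# Added example, not the wiki's own commands: derive the crypttab lines from
# "lsblk --fs --paths" output instead of pasting UUIDs by hand.

# Constructed sample of "lsblk --fs --paths | grep -F crypto_LUKS" output.
# Device names are made up; the UUIDs are the example values from the page.
SAMPLE_LSBLK='├─/dev/sda5  crypto_LUKS       b2efcc62-738d-4317-ae75-de7f270f82bd
└─/dev/sdb1  crypto_LUKS       a95c1152-1197-4112-934f-1bfe28b10969'

# luks_uuid LSBLK_OUTPUT DEVICE
# Print the UUID of DEVICE if lsblk lists it as crypto_LUKS; return 1 otherwise.
# The first field is compared from its first "/" onwards, so the tree glyphs
# lsblk prints before partition names are ignored. The UUID is recognised by
# its shape (five hex groups, 36 characters) rather than by column number,
# because the column layout differs between lsblk versions.
luks_uuid() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        {
            i = index($1, "/")
            name = (i > 0) ? substr($1, i) : $1
        }
        name == dev && /crypto_LUKS/ {
            for (f = 2; f <= NF; f++)
                if (length($f) == 36 && $f ~ /^[0-9a-f]+-[0-9a-f]+-[0-9a-f]+-[0-9a-f]+-[0-9a-f]+$/) {
                    print $f; found = 1; exit
                }
        }
        END { if (found) exit 0; exit 1 }'
}

# crypttab_lines LSBLK_OUTPUT SYSTEM_DEV [DATA_DEV]
# Print the crypttab content described on this page with the UUIDs filled in.
# The data line is emitted only when a data device is given.
crypttab_lines() {
    lsblk_out=$1; sysdev=$2; datadev=$3
    sysuuid=$(luks_uuid "$lsblk_out" "$sysdev") \
        || { echo "no crypto_LUKS UUID found for $sysdev" >&2; return 1; }
    printf '#<name> <source device> <key file> <options>\n'
    printf 'system UUID=%s /etc/crypt.system luks,discard,noearly,keyscript=/lib/cryptsetup/scripts/getinitramfskey.sh\n' "$sysuuid"
    if [ -n "$datadev" ]; then
        datauuid=$(luks_uuid "$lsblk_out" "$datadev") \
            || { echo "no crypto_LUKS UUID found for $datadev" >&2; return 1; }
        printf 'data   UUID=%s /etc/crypt.data   luks,discard,noearly\n' "$datauuid"
    fi
}

# Demonstration on the constructed sample (real use: pass "$(lsblk --fs --paths)"
# and your actual device paths, then write the output to /mnt/root/etc/crypttab).
crypttab_lines "$SAMPLE_LSBLK" /dev/sda5 /dev/sdb1
```

On a real system the first argument would be `"$(lsblk --fs --paths)"` and the output can be redirected into /mnt/root/etc/crypttab (with sudo tee) instead of being pasted into the editor; the function fails with a message rather than writing a line with an empty UUID if a device is not listed as crypto_LUKS.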

3.3. For extra security

For extra security, remove read and write permission from the key files with the following command. This sets them to mode 000; root can still read them because it bypasses file permissions, so the system can continue to use them while ordinary users cannot read them.

sudo chmod -rw /mnt/root/etc/crypt*
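As an added example (not the wiki's own commands), the following shell functions create a key file the way section 2 does, but with restrictive permissions from the moment the file exists, and then audit a directory for crypt.* files that anyone other than their owner can read. The example uses mode 0400 (owner read-only) rather than the chmod -rw above; both leave the files unreadable to non-root users. The temporary directory and file names used in the demonstration are constructed.

```shell
#!/bin/sh
# Added example, not the wiki's own commands: create LUKS key files with a
# restrictive umask and audit /etc-style directories for readable key files.

# make_keyfile PATH [BYTES]
# Create PATH holding BYTES random bytes (default 512, as on this page).
# umask 077 is applied in a subshell so the file is never group- or
# world-readable, not even between creation and the chmod below.
make_keyfile() {
    path=$1
    bytes=${2:-512}
    ( umask 077 && dd if=/dev/urandom of="$path" bs="$bytes" count=1 2>/dev/null ) || return 1
    chmod 0400 "$path" || return 1
    # Confirm the file has exactly the requested size (a short read would
    # silently produce a weaker key file).
    [ "$(wc -c < "$path")" -eq "$bytes" ]
}

# check_keyfile_perms PATH
# Return 0 if PATH is a regular file with no group or other permission bits,
# 1 otherwise. "stat -c %a" prints the octal mode (GNU coreutils, as on Ubuntu);
# the leading 0 makes the shell parse it as octal before masking with 077.
check_keyfile_perms() {
    [ -f "$1" ] || return 1
    mode=$(stat -c %a "$1") || return 1
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# audit_keyfiles DIR
# Report every crypt.* file in DIR that group or others can access.
# Returns 1 if any such file was found, 0 if all are private.
audit_keyfiles() {
    dir=$1
    bad=0
    for f in "$dir"/crypt.*; do
        [ -f "$f" ] || continue
        if ! check_keyfile_perms "$f"; then
            echo "insecure permissions on $f (mode $(stat -c %a "$f"))"
            bad=1
        fi
    done
    return $bad
}

# Demonstration in a constructed temporary directory (on a real system the
# directory would be /mnt/root/etc and the files would then be fed to
# "cryptsetup luksAddKey" as in section 2).
demo_dir=$(mktemp -d)
make_keyfile "$demo_dir/crypt.system" && audit_keyfiles "$demo_dir" && echo "key file is private"
rm -rf "$demo_dir"
```

Running audit_keyfiles against /mnt/root/etc after section 3.3 is a quick way to confirm that the chmod took effect before rebooting.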

4. Enable hibernation

If you are not using a separate swap partition, you can't hibernate. Skip to Set default Grub.

  • Press Alt+F2. In the prompt, enter this command (you can copy from here and paste in the prompt with Ctrl+V).

    sudo -H gedit /mnt/root/etc/polkit-1/localauthority/50-local.d/com.ubuntu.enable-hibernate.pkla
  • Copy the following lines into the editor. Note the blank line in the middle.
    [Re-enable hibernate by default in upower]
    Identity=unix-user:*
    Action=org.freedesktop.upower.hibernate
    ResultActive=yes
    
    [Re-enable hibernate by default in logind]
    Identity=unix-user:*
    Action=org.freedesktop.login1.hibernate;org.freedesktop.login1.hibernate-multiple-sessions
    ResultActive=yes
  • Save the file and close the editor.

5. Enable hybrid suspend

If you are not using a separate swap partition, you can't hybrid suspend. Skip to Set default Grub.

This step is optional, and enables hybrid suspend. Unfortunately, it does not work on all hardware, but there is no harm in trying.

  • This does not change the action of "Suspend" in the drop-down menu; it only changes what happens when you press a physical sleep button or close the lid of your computer. You can trigger it manually with sudo pm-suspend-hybrid, for which you can create a standard menu entry or a keyboard shortcut. Refer to Support in Troubleshooting for how to ask for help.

5.1. Check that hybrid suspend is supported on your hardware.

Enter the following command in the terminal. When asked if you'd like to proceed, press Enter.

sudo apt install pm-utils

Now enter this command.

sudo pm-is-supported --suspend-hybrid && echo yes || echo no
  • If the result reads "no" or returns an error, your hardware doesn't support hybrid suspend. Skip this part and continue with Set default Grub.

  • If the result reads "yes", your hardware supports hybrid suspend and you can continue.

5.2. Fix logind.conf

  • Press Alt+F2. In the prompt, enter this command (you can copy from here and paste in the prompt with Ctrl+V).

    sudo -H gedit /mnt/root/etc/systemd/logind.conf
  • The file contains a number of lines, including the following two (not necessarily next to each other).
    #HandleSuspendKey=suspend
    #HandleLidSwitch=suspend

    They should both have # in front of them (that is, they are commented out); leave them as they are.

  • At the end of the file, add these two lines.
    HandleSuspendKey=hybrid-sleep
    HandleLidSwitch=hybrid-sleep
  • Save the file and close the editor.

6. Set default Grub

Grub is the boot loader: the program that starts the system when you turn on the computer. The Installer has not properly installed the Grub defaults, so you will fix them here.

  • Press Alt+F2. In the prompt, enter this command (you can copy from here and paste in the prompt with Ctrl+V).

    sudo -H gedit /mnt/root/etc/default/grub
  • Find the following line and change "hidden" to "menu".
    GRUB_TIMEOUT_STYLE=hidden
  • Add the following line to the end of the file.
    GRUB_ENABLE_CRYPTODISK=y
  • Save the file and close the editor.
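Steps 5.2 and 6 both amount to "replace or add a KEY=VALUE line in a configuration file". The following shell helper is an added example, not part of the wiki's instructions: it changes an existing uncommented assignment in place and appends one if there is none, leaves commented-out lines such as #HandleLidSwitch=suspend untouched, and keeps the file's owner and permissions (it rewrites the contents rather than replacing the file). The sample /etc/default/grub content in the demonstration is constructed; set_kv, get_kv, sample_grub and fix_grub_defaults are names chosen for this example.

```shell
#!/bin/sh
# Added example, not the wiki's own commands: idempotent KEY=VALUE editing for
# shell-style config files such as /etc/default/grub and logind.conf.

# set_kv FILE KEY VALUE
# Replace the first uncommented "KEY=..." line with "KEY=VALUE" (dropping any
# further uncommented duplicates) or append "KEY=VALUE" if none exists.
# Lines beginning with "#KEY=" are comments and are left alone. KEY is used in
# a regular expression, so it should be a plain identifier as in these files.
set_kv() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0 }
        $0 ~ ("^[ \t]*" key "=") { if (!done) { print key "=" value; done = 1 }; next }
        { print }
        END { if (!done) print key "=" value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner/mode of FILE
    rc=$?
    rm -f "$tmp"
    return $rc
}

# get_kv FILE KEY
# Print the value of the last uncommented "KEY=..." line (empty if absent).
get_kv() {
    awk -v key="$2" '
        index($0, key "=") == 1 { v = substr($0, length(key) + 2) }
        END { print v }' "$1"
}

# sample_grub FILE
# Write a constructed stand-in for the /etc/default/grub the installer left.
sample_grub() {
    printf 'GRUB_DEFAULT=0\nGRUB_TIMEOUT_STYLE=hidden\nGRUB_TIMEOUT=0\n' > "$1"
}

# fix_grub_defaults FILE
# Apply the two changes from section 6: show the menu and enable cryptodisk.
fix_grub_defaults() {
    set_kv "$1" GRUB_TIMEOUT_STYLE menu && set_kv "$1" GRUB_ENABLE_CRYPTODISK y
}

# Demonstration on a constructed file (real use: fix_grub_defaults /mnt/root/etc/default/grub).
demo=$(mktemp)
sample_grub "$demo" && fix_grub_defaults "$demo" && cat "$demo"
rm -f "$demo"
```

For step 5.2 the same helper applies: set_kv /mnt/root/etc/systemd/logind.conf HandleSuspendKey hybrid-sleep appends the new line because the existing #HandleSuspendKey=suspend line is a comment and does not match.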

7. Continue

Return to Detailed Process and continue from there.


ManualFullSystemEncryption/DetailedProcessFixBrokenPieces (last edited 2018-08-12 18:04:47 by paddy-landau)