This document belongs to Manual Full System Encryption (with Extras): Detailed Process.

1. chroot

In Linux, there is something called chroot. Don't worry about what it means; in short, it lets you run commands inside the newly installed system (under /mnt/root) as though that system were already booted, which the following steps need. We will set it up now.

For now, enter the following commands in the terminal.

sudo mount --bind /dev /mnt/root/dev
sudo mount --bind /run /mnt/root/run
sudo chroot /mnt/root
mount --types=proc proc /proc
mount --types=sysfs sys /sys

You'll notice that the prompt has changed from green-and-blue to white, as in the following screenshot. This is your clue that you're in chroot.

[Screenshot enter-chroot.png: the terminal prompt after entering chroot]

2. Fix EFI

On some systems, the firmware does not find the Ubuntu boot entry and drops into the EFI shell instead. The file created here, startup.nsh, is read by the EFI shell when it starts and tells it to launch Grub.

In a terminal, enter the following command. Notice that it uses Windows-style backslashes instead of the normal forward slashes, because the path is interpreted by the EFI shell, not by Linux.

echo '\EFI\ubuntu\grubx64.efi' >/boot/efi/startup.nsh

3. Obtain the decryption key file

  • Press Alt+F2. In the prompt, enter this command (you can copy and paste).

    sudo -H gedit /mnt/root/lib/cryptsetup/scripts/getinitramfskey.sh
  • Copy the following lines into the editor.

    #!/bin/sh
    # File:
    #       /lib/cryptsetup/scripts/getinitramfskey.sh
    #
    # Description:
    #       Called by initramfs using busybox ash to obtain the decryption key for the system.
    #
    # Purpose:
    #       Used with loadinitramfskey.sh in full disk encryption to decrypt the system LUKS partition,
    #       to prevent being asked twice for the same passphrase.
    
    # cryptsetup passes the key file named in crypttab as the first argument.
    KEY="${1}"
    
    if [ -f "${KEY}" ]
    then
            # Key file present: write it to standard output for cryptsetup.
            cat "${KEY}"
    else
            # Key file missing: fall back to asking for the passphrase, capturing what
            # plymouth returns (a plain assignment would never run plymouth at all).
            PASS=$(/bin/plymouth ask-for-password --prompt="Key not found. Enter LUKS Password: ")
            echo "${PASS}"
    fi
    
    #<<EOF

  • Save the file and exit the editor.
  • Now enter this command:
    chmod +x /lib/cryptsetup/scripts/getinitramfskey.sh

4. Use the decryption key file

  • Press Alt+F2. In the prompt, enter this command (you can copy and paste).

    sudo -H gedit /mnt/root/etc/initramfs-tools/hooks/loadinitramfskey.sh
  • Copy the following lines into the editor.

    #!/bin/sh
    # File:
    #       /etc/initramfs-tools/hooks/loadinitramfskey.sh
    #
    # Description:
    #       Called by update-initramfs and loads getinitramfskey.sh to obtain the system decryption key.
    #
    # Purpose:
    #       Used with getinitramfskey.sh in full disk encryption to decrypt the system LUKS partition,
    #       to prevent being asked twice for the same passphrase.
    
    PREREQ=""
    
    prereqs()
    {
            echo "${PREREQ}"
    }
    
    # update-initramfs first asks every hook for its prerequisites.
    case "${1}" in
            prereqs)
                    prereqs
                    exit 0
            ;;
    esac
    
    . "${CONFDIR}"/initramfs.conf
    
    . /usr/share/initramfs-tools/hook-functions
    
    # Copy the keyscript into the initramfs being built (DESTDIR is its staging directory).
    if [ ! -f "${DESTDIR}"/lib/cryptsetup/scripts/getinitramfskey.sh ]
    then
            if [ ! -d "${DESTDIR}"/lib/cryptsetup/scripts/ ]
            then
                    mkdir --parents "${DESTDIR}"/lib/cryptsetup/scripts/
            fi
            cp /lib/cryptsetup/scripts/getinitramfskey.sh "${DESTDIR}"/lib/cryptsetup/scripts/
    fi
    
    if [ ! -d "${DESTDIR}"/etc/ ]
    then
            mkdir -p "${DESTDIR}"/etc/
    fi
    
    # Embed the key file itself so the keyscript can find it at boot.
    cp /etc/crypt.system "${DESTDIR}"/etc/
    
    #<<EOF

  • Save the file and exit the editor.
  • Now enter this command:
    chmod +x /etc/initramfs-tools/hooks/loadinitramfskey.sh
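Sections 3 and 4 put the LUKS key file into every initramfs, so once update-initramfs has run it is worth confirming that the hook actually fired and that neither the key file nor the resulting initrd can be read by other users. The script below is an added example, not part of the wiki page; it assumes the paths this page uses (/etc/crypt.system, and the keyscript under lib/cryptsetup/scripts) and that lsinitramfs from initramfs-tools is installed. The optional third argument accepts a listing in place of a real initrd, so the checks can be exercised on constructed data.

```shell
#!/bin/sh
# Added example (not from the Ubuntu wiki page): post-build checks for the
# initramfs key-file setup of sections 3 and 4.
# Assumptions: the hook copies /etc/crypt.system to etc/crypt.system inside the
# initramfs, as the page's loadinitramfskey.sh does, and lsinitramfs is available.

# mode_is_private FILE: succeed only if FILE grants no permission to group or other.
mode_is_private() {
    mode=$(stat -c '%a' "$1") || return 2
    # Mask off everything but the group and other bits of the octal mode.
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# initramfs_contains LISTING PATH: succeed if PATH appears in LISTING, which is
# the output of `lsinitramfs <initrd>` (one path per line, with or without "./").
initramfs_contains() {
    printf '%s\n' "$1" | sed 's#^\./##; s#^/##' | grep -qxF -- "$2"
}

# check_key_setup KEYFILE INITRD [LISTING]: print a finding per check and return 0
# only if everything is in order.  LISTING defaults to lsinitramfs INITRD.
check_key_setup() {
    keyf=$1; ird=$2; lst=${3-}; ok=0
    if [ -z "$lst" ]; then
        lst=$(lsinitramfs "$ird" 2>/dev/null) || { echo "cannot list $ird" >&2; return 1; }
    fi
    if mode_is_private "$keyf"; then
        echo "ok: $keyf is readable only by its owner"
    else
        echo "WARNING: $keyf is readable by group or other"; ok=1
    fi
    if mode_is_private "$ird"; then
        echo "ok: $ird is readable only by its owner"
    else
        echo "WARNING: $ird is readable by group or other, and it carries the LUKS key"; ok=1
    fi
    if initramfs_contains "$lst" "etc/crypt.system"; then
        echo "ok: key file is embedded in $ird"
    else
        echo "WARNING: etc/crypt.system is missing from $ird; the hook did not run"; ok=1
    fi
    if initramfs_contains "$lst" "lib/cryptsetup/scripts/getinitramfskey.sh"; then
        echo "ok: keyscript is embedded in $ird"
    else
        echo "WARNING: getinitramfskey.sh is missing from $ird"; ok=1
    fi
    return $ok
}

# On the real system (inside the chroot, after refreshgrub has rebuilt the initramfs):
#   for i in /boot/initrd.img-*; do check_key_setup /etc/crypt.system "$i"; done
```

A warning on the initrd mode means the key is exposed to every local account on the running system; the UMASK setting in /etc/initramfs-tools/initramfs.conf controls the mode that update-initramfs uses when writing it.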

5. Repair hibernation resume

Enter this command:

echo RESUME=/dev/mapper/system-swap > /etc/initramfs-tools/conf.d/resume

6. Script to refresh Grub

  • Press Alt+F2. In the prompt, enter this command (you can copy and paste).

    sudo -H gedit /mnt/root/usr/local/sbin/refreshgrub
  • Copy the following lines into the editor. Beware that some long lines wrap in the browser but are actually single lines; if you copy and paste rather than type them by hand, they will be copied correctly.

    #!/bin/bash
    ####################################################################################################
    #       Automated Grub refresh after kernel updates.
    #
    # See:
    #       https://help.ubuntu.com/community/ManualFullSystemEncryption/DetailedProcessSetUpBoot
    #
    # This must be run with administrative permissions, i.e. with sudo.
    ####################################################################################################
    
    #---------------------------------------------------------------------------------------------------
    #       Copy boot modules to EFI
    
    mkdir --parents /boot/efi/EFI/ubuntu/
    (( ${?} )) && echo 'Failed to create boot modules folder in EFI.' >&2 && exit 3
    
    cp --recursive /boot/grub/x86_64-efi /boot/efi/EFI/ubuntu/
    (( ${?} )) && echo 'Failed to copy boot modules to EFI.' >&2 && exit 3
    
    #---------------------------------------------------------------------------------------------------
    #       Install and repair Grub
    
    grub-install --target=x86_64-efi --uefi-secure-boot --efi-directory=/boot/efi --bootloader-id=ubuntu --boot-directory=/boot/efi/EFI/ubuntu --recheck /dev/sdA
    (( ${?} )) && echo 'Failed to reinstall Grub.' >&2 && exit 3
    
    grub-mkconfig --output=/boot/efi/EFI/ubuntu/grub/grub.cfg
    (( ${?} )) && echo 'Failed to reconfigure Grub.' >&2 && exit 3
    
    #---------------------------------------------------------------------------------------------------
    #       Allow Ubuntu to boot
    
    cd /boot/efi/EFI
    (( ${?} )) && echo 'Failed to enter /boot/efi/EFI.' >&2 && exit 3
    
    # Move the generic Boot folder aside (keeping one backup) if it exists; nothing to do otherwise.
    if [[ -d Boot ]]
    then
            rm --force --recursive Boot-backup && mv Boot Boot-backup
            (( ${?} )) && echo 'Failed to move the Boot folder aside.' >&2 && exit 3
    fi
    
    #---------------------------------------------------------------------------------------------------
    #       Prepare initramfs
    
    update-initramfs -ck all
    (( ${?} )) && echo 'Failed to prepare initramfs.' >&2 && exit 3
    
    #---------------------------------------------------------------------------------------------------
    #       Successful end.
    
    echo 'Successfully refreshed Grub.'

  • Look at the line that begins with grub-install and ends with /dev/sdA. You need to replace /dev/sdA with your primary drive (which is most likely /dev/sda); this is the same device that you put into Select the bootloader.

  • Save the file and exit the editor.
  • Now enter these two commands:
    chmod +x /usr/local/sbin/refreshgrub
    /usr/local/sbin/refreshgrub
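The one manual edit in refreshgrub is the /dev/sdA placeholder, and grub-install pointed at the wrong disk fails only at the next boot. The bash functions below are an added example, not part of the wiki page or its script: they read the device back out of the saved script, refuse the placeholder, and optionally compare it with the disk that actually holds the ESP. They assume the script path and the /boot/efi mount point used on this page; findmnt and lsblk are the util-linux tools.

```shell
#!/bin/bash
# Added example (not from the Ubuntu wiki page or its refreshgrub script):
# verify the grub-install target that the page asks you to edit by hand.
# Assumptions: the script is /usr/local/sbin/refreshgrub, the placeholder is
# /dev/sdA and the ESP is mounted at /boot/efi, as on the page.

# grub_install_target SCRIPT: print the device given as the last argument of the
# grub-install line in SCRIPT.  Fails if there is no such line.
grub_install_target() {
    local line
    line=$(grep -m1 '^grub-install ' "$1") || return 1
    # The device is the final whitespace-separated word on the line.
    printf '%s\n' "${line##* }"
}

# esp_disk [MOUNTPOINT]: print the whole-disk device (e.g. /dev/sda) behind the
# partition mounted at MOUNTPOINT (default /boot/efi).  Fails if it is not mounted.
esp_disk() {
    local part parent
    part=$(findmnt -no SOURCE "${1:-/boot/efi}") || return 1
    parent=$(lsblk -no PKNAME "$part") || return 1
    [ -n "$parent" ] || return 1
    printf '/dev/%s\n' "$parent"
}

# check_refreshgrub_target SCRIPT [EXPECTED]: return 0 only when SCRIPT names a
# device other than the placeholder; with EXPECTED given (for instance the output
# of esp_disk) the two must also match.
check_refreshgrub_target() {
    local target
    target=$(grub_install_target "$1") || { echo "no grub-install line in $1" >&2; return 1; }
    if [ "$target" = "/dev/sdA" ]; then
        echo "placeholder /dev/sdA has not been replaced in $1" >&2
        return 1
    fi
    if [ -n "${2-}" ] && [ "$target" != "$2" ]; then
        echo "$1 targets $target but the ESP is on $2" >&2
        return 1
    fi
    echo "grub-install target in $1: $target"
}

# On the real system (inside the chroot, after saving the script):
#   check_refreshgrub_target /usr/local/sbin/refreshgrub "$(esp_disk)"
```

Run the check before executing refreshgrub for the first time; a non-zero exit means the script still carries the placeholder or points at a different disk from the one carrying the ESP.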

6.1. Explanation of the script

You don't need to understand the script, but if you wish to do so, read the explanation.

7. Finish

You have finished setup. It is time to check the system.

  1. In the terminal, enter the word exit (this will take you back to the green-and-blue prompt).

  2. Close all open windows.
  3. Click the cog-wheel at the very top right of the screen, select "Shut Down…" and then "Restart". This will restart your computer.
  4. Once your computer has restarted, return to Detailed Process and continue from there.


ManualFullSystemEncryption/DetailedProcessSetUpBoot (last edited 2017-07-05 13:46:35 by paddy-landau)