On 4/22/19 6:43 AM, Selin Yukaribakmaz - selinyukaribakmaz@xxxxxxxxxxxxx wrote:
> Hi All,
>
> I tried to install Ubuntu with full disk encryption including /boot partition with my friend. We found some articles and we merged all of them and created a guide for us. Please tell us if you see a wrong step.
> We are trying to figure out some steps while installing LUKS. Let us explain.
>
> cryptsetup -c serpent-xts-plain64 --key-size 512 --hash sha512 --header secure.hdr luksFormat /dev/disk/by-id/ata-0CZ-........
>
> And he asked me "Header file does not exist, do you want to create it?" And I replied, yes.
>
> cryptsetup --header disk.hdr luksOpen /dev/disk/by-id/ata-0CZ-........ hdcrypt0
>
> and I created partitions.
>
> I clicked to Install Ubuntu on Desktop and I followed steps. I selected my USB drive for /boot partition and clicked "Install Now".
>
> When installation GUI is finished I selected "Continue testing" for making additional configurations.
>
> I mounted OS.
>
> mount /dev/mapper/vg0-root /target/
> mount /dev/sdc1 /target/boot/
> mount --bind /proc /target/proc
> mount --bind /sys /target/sys
> mount --bind /dev /target/dev
>
> mkdir /target/etc/initramfs-tools/conf.d/cryptheader
> cp secure.hdr /target/etc/initramfs-tools/conf.d/cryptheader/
>
>
> cd /etc/
> nano crypttab
> hdcrypt0 /dev/disk/by-id/ata-0CZ-........ none luks,discard,header=/conf/conf.d/cryptheader/secure.hdr
> Saved.

I believe ... you probably needed to edit fstab too, am I right?

> Then I edited cryptroot for allowing grub compatibility. I found "# disabled for now due to security reasons" line and uncommented the lines.

Was that all? I remember having to do more than just uncomment those lines. If you're sure that was it, more power to you!

> nano /usr/share/initramfs-tools/hooks/cryptroot
> Saved.
>
> update-initramfs -v -k all -c

I think in some cases at least, you might have to do an update-grub so the right modules are available.

> umount /target/boot
> umount /target/sys
> umount /target/proc
> umount /target/dev
> umount /target
> sync
> reboot
>
>
> When rebooted he asked us passphrase and we entered. Then OS launched but we are confused. We are copying secure.hdr file to system's inside. If my disk is encrypted how can USB drive is seeing this file for decrypt?

You'll find it in your initramfs, so it's on your USB.

> And secondly how can we create second USB for backup?

Not certain, but I'm guessing you could just copy the files over and run grub-install to that second USB.

> And lastly could you please help us to improve this guide? Because we are not real tech savvy and we need your experiences and help..
>
> Thank you in advance..
> _______________________________________________

I've done all this on 16.04 and it works, but once Ubuntu shifted over to systemd, I started to get complaints on startup. It still boots, but systemd doesn't like it. I don't understand the init system particularly well, but it seems sysvinit is still running along with systemd (?)

Have you, by the way, come across this?
https://github.com/kriswebdev/cryptsetup-deluks

Or this?
http://grub.johnlane.ie/

/D
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
https://www.saout.de/mailman/listinfo/dm-crypt
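
Added example, not part of the thread or of any project mentioned in it: a shell check for the point made in the reply that the detached header ends up in the initramfs on the USB /boot. It assumes the header= path in crypttab is the path inside the initramfs, as in the guide's crypttab line; the function names, file names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function and file names are hypothetical.

# Read crypttab text on stdin; print "name header-path" for every entry
# whose options field carries header=...
crypttab_headers() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (index(opts[i], "header=") == 1)
                    print $1, substr(opts[i], 8)
        }'
}

# check_headers CRYPTTAB LISTING
# LISTING is a saved file list of the initramfs, e.g. from
#   lsinitramfs /boot/initrd.img-$(uname -r) > listing
# Returns 0 when every header path is in the listing, 1 otherwise.
check_headers() {
    missing=0
    while read -r name path; do
        [ -n "$name" ] || continue
        rel=${path#/}   # archive listings carry no leading slash
        if grep -qxF -e "$rel" -e "/$rel" -e "./$rel" "$2"; then
            echo "ok: $name: $path is packed into the initramfs"
        else
            echo "MISSING: $name: $path is not in the initramfs"
            missing=1
        fi
    done <<EOF
$(crypttab_headers < "$1")
EOF
    return "$missing"
}

# Constructed sample data: crypttab line as in the guide, placeholder disk id.
tmp=$(mktemp -d)
printf '%s\n' 'hdcrypt0 /dev/disk/by-id/ata-PLACEHOLDER none luks,discard,header=/conf/conf.d/cryptheader/secure.hdr' > "$tmp/crypttab"
printf '%s\n' 'conf/conf.d' 'conf/conf.d/cryptheader/secure.hdr' > "$tmp/listing"
check_headers "$tmp/crypttab" "$tmp/listing"
rm -rf "$tmp"
```

Running the same check against the initramfs on a backup USB shows whether that copy can open the disk too.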