On this new laptop model, EFI boot was already in use, Secure Boot was enabled and the SSD had GPT from the beginning. So the only thing I wanted to change was to make / encrypted.
Some notes for 2018 to clarify what is needed and what is not needed:
- Before luksipc, remember to resize existing partitions to have 10 MB of free space at the end of the / partition, and also create a new partition of e.g. 1 GB for /boot.
- To get the code and compile luksipc on Ubuntu 16.04.4 LTS live USB, just apt install git build-essential is needed. cryptsetup package is already installed.
- After luksipc finishes and you've added your own passphrase and removed the initial key (slot 0), it's useful to cryptsetup luksOpen it and mount it still under the live session - however, when using ext4, the mounting fails due to a size mismatch in ext4 metadata! This is simple to correct: sudo resize2fs /dev/mapper/root. Nothing else is needed.
- I mounted both the newly encrypted volume (to /mnt) and the new /boot volume (to /mnt2, which I created), and moved /boot/* from the former to the latter.
- I edited /etc/fstab of the encrypted volume to add the /boot partition.
- Mounted as follows in /mnt:
  - mount -o bind /dev dev
  - mount -o bind /sys sys
  - mount -t proc proc proc
- Then:
  - chroot /mnt
  - mount -a # (to mount /boot and /boot/efi)
- Edited files /etc/crypttab (added one line: root UUID none luks) and /etc/grub/default (I copied over my overkill configuration that specifies all of cryptopts and cryptdevice, some of which may be obsolete, but at least one of them and root=/dev/mapper/root is probably needed).
- Ran grub-install ; update-grub ; mkinitramfs -k all -c (notably no other parameters were needed)
- Rebooted.
- What I did not need to do:
  - Modify anything in /etc/initramfs-tools.
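
A pre-reboot check for the steps above, as an added example that is not part of the original post. It assumes the mapping name root used in the post, Ubuntu's /boot/grub/grub.cfg and /boot/initrd.img-* locations, and that /boot is still mounted under the target; check_encrypted_root is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the original post): verify the files touched in the
# steps above before rebooting. Assumes mapping name "root" and Ubuntu paths.

check_encrypted_root() {
    root=${1:-/mnt}   # mounted target root, with /boot mounted below it
    rc=0

    # crypttab fields: <name> <source> <keyfile> <options>
    if ! awk '$1 == "root" && $2 ~ /^UUID=/ && $4 ~ /(^|,)luks(,|$)/ { ok = 1 }
              END { exit !ok }' "$root/etc/crypttab" 2>/dev/null; then
        echo "FAIL: no 'root UUID=... none luks' line in $root/etc/crypttab"
        rc=1
    fi

    # fstab must mount the new, unencrypted /boot partition
    if ! awk '$1 !~ /^#/ && $2 == "/boot" { ok = 1 } END { exit !ok }' \
            "$root/etc/fstab" 2>/dev/null; then
        echo "FAIL: no /boot entry in $root/etc/fstab"
        rc=1
    fi

    # the generated GRUB config should point the kernel at the opened mapping
    if ! grep -q 'root=/dev/mapper/root' "$root/boot/grub/grub.cfg" 2>/dev/null; then
        echo "FAIL: root=/dev/mapper/root missing from $root/boot/grub/grub.cfg"
        rc=1
    fi

    # at least one initramfs image must sit on the new /boot
    set -- "$root"/boot/initrd.img-*
    if [ ! -e "$1" ]; then
        echo "FAIL: no initrd.img-* found in $root/boot"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: crypttab, fstab, grub.cfg and initramfs checks passed"
    return "$rc"
}

# Run directly as: sh check.sh /mnt   (from the live session, outside the chroot)
if [ "$#" -gt 0 ]; then check_encrypted_root "$1"; fi
```
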