encrypted installation with unencrypted kernel and bootloader on USB flash drive

bracca · 07-29-2013, 09:27 PM

Hi,

I posted this on as ubuntu, but it's not getting any attention.

I am really excited to get into linux (ubuntu or debian or mint), but I want to encrypt my data and can't find out how to do it the way I want it done, if it's even possible.

Copy-and-paste is below.

--
I have searched a lot.

The manual partitioning in the Ubuntu install is so confusing to me. I am new to Linux.

I come from a Truecrypt-full-disk-encrypted Windows installation and I boot from CD every time, which uses the bootloader on CD.

I understand that when I install Ubuntu I can encrypt the installation hard drive, but I can choose to install bootloader and kernel (and leave them unencrypted) on a USB flash drive for maximum security.

I just can't figure out all the options. LVM volume, encrypted volume... I am so confused.

Is my scenario possible and is there already a guide out there to achieve it?

I tried manual partitioning and choosing USB flash drive partition as "mounts in /boot" But it never boots when I try to boot from that USB. I am doing something wrong.
--

Thank you so much,
Bert

Meson · 07-29-2013, 11:31 PM

Well, try to avoid LVM, I think it sucks.

When you install, have your flash drive connected and set that as a new filesystem, to be mounted on /boot. If you have multiple partitions that need to be encrypted, I recommend you store keyfiles for them on the root file system (so you can avoid LVM). For swap, if you need it, you can use a random password, or just use a swapfile.

Edit: Sorry, I missed your last sentance. Really tired. I'll come back tomorrow.

shm0 · 07-30-2013, 03:21 AM

I tried LUKS on Slackware using this helpful guide here.

bracca · 07-30-2013, 03:32 PM

@ shm0: thank you. I'll look at that article more in-depth later after work. It seems from GLANCING that it's for after install. I may be wrong.

@ Meson: yes, I want help AT install time. It really is confusing. Awaiting your (and any others') reply.

Thank you,
Bert

Meson · 07-30-2013, 08:02 PM

(Assuming your hard drive is /dev/sda and flash drive is /dev/sdb)

Does the installer say it's installing grub to /dev/sdb? Is your BIOS giving an error message saying no boot disk found? Make sure, in the installer, that the filesystem you're creating by boot is on a partition that's marked as bootable.

yancek · 07-31-2013, 09:40 AM

Check the Live CD you have. Many have an option "boot from Hard drive". If so, you should be able to set the computer to boot from the CD, then select that option. It normally points to the first partition on the first drive so that is where you need your boot files on the installation.

You would need to create a /boot partition on the flash drive and format it. Have you done that? You need to install Grub to the mbr of the flash. The link below explains creating a separate boot partition on Ubuntu 'after the install'.

https://help.ubuntu.com/community/Cr...onAfterInstall

bracca · 07-31-2013, 04:43 PM

thank you, all. I'm not giving up.

Yes, I think I formatted it as part of the install.

Here is what my manual partitioning looked like before clicking "Install Now."
https://www.dropbox.com/s/y7vz6passj...730_230718.jpg

Then, here is a video.
Around 1:22 is when it starts showing boot partition installation. But don't let me stop you from enjoying the thing from the beginning.
https://www.dropbox.com/s/kou6iay9ba...730_231004.mp4

After reboot, I just get a white blinking cursor on a black screen.

I know the USB flash drive works, because using Pendrive Linux to make a bootable live-cd works with it.

Thank you all again.
Bert

Meson · 07-31-2013, 04:48 PM

So I saw that grub was installed to /dev/sdg1, it should be /dev/sdg.

If you are unable to fix this in the installer, are you willing to setup your partitions and filesystems from a live CD and then coax the installer into using them?

bracca · 07-31-2013, 04:51 PM

thanks for the quick reply.

I CAN install in /dev/sdg, but I thought I was doing the right thing by creating sdg1 partition and installing in IT. Do i even need to create a partition on /dev/sdg?

Can;t wait to try it.

Janus_Hyperion · 07-31-2013, 05:03 PM

Yes. You need a partition on sdg because you are putting /boot there. sdg1 will be the /boot partition. However, grub must be installed to /dev/sdg (MBR) as Meson has indicated.

Meson · 07-31-2013, 05:54 PM

Where you don't need partitions is /dev/sda. You can encrypt /dev/sda entirely and then create a root (ext4) file system on that block device. With this, you'd ignore any complaints the installer gives about no swap partition. To be honest, with 8-16G RAM, I don't use them at all. However, sometimes I put a file in /var/swap and use that.

bracca · 07-31-2013, 06:21 PM

cool. thank you, guys.

1. I did new partition table on both devices to where i now see:
/dev/sda
free space
/dev/sdg/
free space

2.
You said, "Where you don't need partitions is /dev/sda" but
I HAVE to create a partition, it seems, on /dev/sda. When I double-click "free space" under /dev/sda, which do I select first:
use as Ext4
or
use as "physical wolume for encryption
?

then what's the next step?

Thank you

bracca · 07-31-2013, 06:40 PM

well, maybe I got it. it looks JUST like the above screenshot, with the exception of "Device for boot loader installation" being:
/dev/sdg
instead of
/dev/sdg1

Janus_Hyperion · 07-31-2013, 06:43 PM

That would be correct, yes.

Meson · 07-31-2013, 06:44 PM

Ah, to trick the installer into not needing a partition, you can create a temporary filesystem directly on /dev/sda from a live-cd. However, if you got it working then a partitionless /dev/sda is not a big deal