Full disk encryption, including Boot partition "ISO NetInstall Aramo 11.0.1"

sam-d16
Offline
Joined: 09/28/2023

Hello everyone.

Please tell me, according to this instruction https://trisquel.info/en/wiki/full-disk-encryption-install , is the BOOT partition encrypted?

If not, where is the instruction in the wiki?

How do I use the NetInstall ISO without a GUI?

I don't want to install grub from the repository.

Avron

I am a translator!

Offline
Joined: 08/18/2020

> according to this instruction https://trisquel.info/en/wiki/full-disk-encryption-install , is the BOOT partition encrypted?

No, it is not encrypted.

> If not, where is the instruction in the wiki?

I don't think I have ever seen instructions to have /boot encrypted on Trisquel. I found https://www.dwarmstrong.org/fde-debian/ and https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html to do this with Debian. I don't expect these guides to work for Trisquel unchanged, but this may give ideas on how to do it.

> How do I use the NetInstall ISO without a GUI?

I am not sure what you are looking for. The GUI of the netinstaller should work in most terminals. I already used (the same?) GUI via minicom on a machine connected with a serial line to the machine running a Debian netinstaller, the refresh of the display wasn't good but it was still usable. Or do you mean that you want to use debootstrap from a live CD?

> I don't want to install grub from the repository.

In my recollection, the netinstaller asks if you want to install grub, you are allowed not to install it. Do you want to install another version of grub, not via apt?

sam-d16
Offline
Joined: 09/28/2023

Hello Avron.
Thank you for your answers. As for installing Grub, you're right, the installer asks about it, and you can skip this point. I don't want to install Grub from a repository so that after installation I can use Gnuboot or Canoeboot to unlock the system.

You don't know what the commands are in Trisquel for this? Usually, it's something like:


grub> cryptomount -a
grub> ls
grub> set root=(lvm/trisquel-rootvol)
grub> linux /boot/vmlinuz-linux-libre root=/dev/mapper/trisquel-rootvol cryptdevice=/dev/sda1:lvm
grub> initrd /boot/initramfs-linux-libre-lts.img
grub> boot

Avron

I am a translator!

Offline
Joined: 08/18/2020

> I don't want to install Grub from a repository so that after installation I can use Gnuboot or Canoeboot to unlock the system.

I always thought that, if you use the grub payload in canoeboot or in gnuboot, grub on the disk will be ignored, so it does not matter whether grub from trisquel is installed or not. However, I never checked that.

> You don't know what the commands are in Trisquel for this?

These are grub commands, they don't depend on Trisquel. From https://canoeboot.org/docs/linux/, it seems grub from canoeboot will automatically try to unlock whatever encrypted volume it can find (so it will ask for the passphrase) and then try to find /boot/grub/grub.cfg somewhere on the disk.

https://canoeboot.org/docs/linux/ also suggests to have the LVM VG called grubcrypt and the LVM LV called rootvol, which are not the names used by default in Trisquel, but as it is written, it looks like it may not be absolutely necessary.

So you could first boot using the grub commands as above, then modify /etc/default/grub so that it includes the same information like in the grub commands above (need to check the syntax to be used in /etc/default/grub, it may be different) and run update-grub (check that it has modified /boot/grub/grub.cfg), and then try to reboot and see if that works. If grub from canoeboot does not find /boot/grub/grub.cfg, you could try renaming the VG and the LV to the suggested names, and then you need to update /etc/fstab, /etc/default/grub (and run update-grub), and perhaps some other places, and then try to reboot to see if that works.

These are not complete instructions at all, there might be other issues why it fails (I mean, not that it cannot find the grub.cfg, but that some options are not set properly) that you will discover when trying. Good luck.
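A read-only consistency check for the steps described in the post above (run update-grub, verify /boot/grub/grub.cfg, update /etc/fstab after renaming the VG and LV), as an added example that is not part of the thread or of the Trisquel or Canoeboot projects. The function names and the script name `check.sh` are hypothetical; it assumes grub.cfg passes the root volume as a `root=` argument on its `linux` lines.

```shell
#!/bin/sh
# Added example: after update-grub or a VG/LV rename, confirm that grub.cfg and
# /etc/fstab both point at the same LVM root volume. Read-only; changes nothing.

# /dev/mapper name of an LV: a hyphen inside a VG or LV name is doubled.
mapper_path() {
    vg=$(printf '%s\n' "$1" | sed 's/-/--/g')
    lv=$(printf '%s\n' "$2" | sed 's/-/--/g')
    printf '/dev/mapper/%s-%s\n' "$vg" "$lv"
}

# Every distinct root= value on the "linux" lines of a grub.cfg.
grub_roots() {
    awk '$1 == "linux" {
             for (i = 2; i <= NF; i++) if ($i ~ /^root=/) print substr($i, 6)
         }' "$1" | sort -u
}

# Device that fstab mounts on /.
fstab_root() {
    awk '$1 !~ /^#/ && $2 == "/" { print $1 }' "$1"
}

# check_root_refs SYSROOT VG LV -> 0 consistent, 1 mismatch, 2 file missing.
# UUID=/LABEL= references survive a rename, so they are accepted as-is.
check_root_refs() {
    sysroot=${1%/}; want=$(mapper_path "$2" "$3"); rc=0
    cfg="$sysroot/boot/grub/grub.cfg"; tab="$sysroot/etc/fstab"
    [ -r "$cfg" ] && [ -r "$tab" ] || { echo "missing $cfg or $tab"; return 2; }
    roots=$(grub_roots "$cfg")
    [ -n "$roots" ] || { echo "grub.cfg: no root= argument found"; rc=1; }
    for ref in $roots "$(fstab_root "$tab")"; do
        case $ref in
            "$want"|UUID=*|LABEL=*) ;;
            *) echo "stale root reference: '$ref' (expected $want)"; rc=1 ;;
        esac
    done
    return $rc
}

# Run directly as: sh check.sh / grubcrypt rootvol   (hypothetical script name)
if [ "$#" -eq 3 ]; then check_root_refs "$@"; fi
```

Run it on the installed system before rebooting; any line it prints names a file that still refers to the old volume name.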

sam-d16
Offline
Joined: 09/28/2023

Thanks for your answers.

As for Canoeboot, unlike Grub Trisquel, one of the reasons is the heating is Argon2id.

(ENCRYPTED /BOOT VIA LUKS2 with Argon2)

As for the GRUB commands, I asked since after installing NetInstall Aramo 11.0.1, including my fault, I just wanted to clarify which particular list of commands in Trisquel, but of course this can be understood by the GRUB and get a command:

$ cat /proc/cmdline

sam-d16
Offline
Joined: 09/28/2023

If the Netinstall Aramo 11.0.1 default does not encrypt the Boot section, then what? ))

desktop.png

desktop-2.png