How to install GPT on BIOS & full disk encryption (with boot)?

anonymous

How to install FULL disk encryption (including /boot) with GPT on BIOS?
I used text mode install, created /boot, /, /home and swap partitions on a big encrypted bootable LVM, then added the encryption option in GRUB, changed the LVM partition type (GRUB BIOS) and installed it. After rebooting, GRUB cannot detect the cryptodisk and the FS has crashed. Now I'm going to do dd if=/dev/zero of=/dev/sda, then another deleting data function (in install) and reinstall…
In short words:
Bootable encrypted LVM with /boot and / partitions. I changed the type to bios_grub:
$ sudo parted /dev/sda
(parted) set 1 bios_grub on (from http://www.wensley.org.uk/gpt)
(parted) quit
something about fstab
Then GRUB install, and the FS has crashed.
P. S. http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/

stas730 (not verified)

P. P. S. I used only these parted commands from the first website.

SuperTramp83
Joined: 10/31/2014

> Now I'm going to do dd if=/dev/zero of=/dev/sda, then another deleting data function (in install) and reinstall…

I assume you already did that before and during the first installation (the one that gave you the zombie fs), so, if the assumption is correct, why in the world would you do that again?
My guess is you really enjoy wasting time.

stas730 (not verified)

No, I successfully created full disk encryption without /boot on MBR. My first question is how to enable bios_grub without destroying the FS.
P. S. What is the best (as in freedom) partition table? And what is the best FS for SERVER (free as in freedom, too)?

Magic Banana
Joined: 07/24/2010

A partition table is just data that specifies where partitions begin and end. Whatever the type of partition table, the format is well-documented and tools like GNU parted can read/write it. All filesystems in Linux are under the GNU GPL.

stas730 (not verified)

How to install GRUB on GPT with BIOS without crashing FS?
P. S. Can I make UEFI firmware replace the BIOS? Or are UEFI motherboards different from BIOS ones?

Magic Banana
Joined: 07/24/2010

I have never done that but that seems to be a solution: http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/

stas730 (not verified)

Can I encrypt 1MB bootable BIOS partition? Can I include it in LVM group?
P. S. Reinstall again!

Magic Banana
Joined: 07/24/2010

I do not think a BIOS boot partition can be encrypted since it contains part of the bootloader (and only that).

stas730 (not verified)

Maybe, MBR?

Magic Banana
Joined: 07/24/2010

You cannot encrypt a MBR. But what is the point of encrypting a partition table or the code of a bootloader?

stas730 (not verified)

I want to encrypt all partitions.
I will not use BIOS passwords because these passwords can create problems with flashing Libreboot.
P. S. Does default Libreboot support UEFI?

Magic Banana
Joined: 07/24/2010

https://libreboot.org/docs/hcl/index.html#supported_list

You can want an encrypted MBR as much as you want but it won't happen unless the encryption is hardware-based (and I doubt there is free disk firmware, so I would not trust those): https://en.wikipedia.org/wiki/Hardware-based_full_disk_encryption

I am pretty sure the same holds for a BIOS boot partition.

stas730 (not verified)

Ok, I will use MBR.
P. S. No free firmware? Computers are evil.

stas730 (not verified)

Help me.

Mangy Dog
Joined: 03/15/2015

Nope :)

...who sang...anarchy in the ...??

Mangy Dog
Joined: 03/15/2015

PS : it doesn't hurt..
"\°v°/"

stas730 (not verified)

I will wait one day, then I will install OS on MBR.

stas730 (not verified)

Do I need to create FS on BIOS boot partition?
What is --root-directory (GRUB 2)? Is it / or /boot?

Magic Banana
Joined: 07/24/2010

There is no filesystem (hence no file) on a BIOS boot partition. That concept is unknown to the BIOS. Your BIOS boot partition only has GRUB's stage 1.5 code, which includes drivers to read all the popular filesystems. In this way stage 2 can be in regular files in /boot/grub, kernel images can be loaded by their paths, etc.

'grub-install' has not had a --root-directory option since GRUB 1.99. It still has a --boot-directory option though. It specifies, well, the boot directory, i.e., /boot by default. It is useful when installing from a live system (otherwise 'grub-install' will consider the /boot of the live system).

stas730 (not verified)

And which partition is bootable?

Magic Banana
Joined: 07/24/2010

If by that you mean "which partition must have the boot flag", the answer is none. The BIOS boot partition must have the bios_grub flag though.

stas730 (not verified)

Oh no. I marked LVM as bootable.
Can GRUB_BIOS be in (encrypted) LVM?

Magic Banana
Joined: 07/24/2010

With GRUB in the MBR, the boot flag is not used. grub_bios is the BIOS boot partition: https://trisquel.info/forum/how-install-gpt-bios-full-disk-encryption-boot#comment-104804

stas730 (not verified)

Ok. The last questions:
1. Can the bootable BIOS partition be in LVM?
2. Can the bootable BIOS partition be in encrypted LVM?
3. If I check "Yes" for /home encryption and then create a big LVM with /boot, /home, / and swap, can I use Hibernate on my laptop after this?

Magic Banana
Joined: 07/24/2010

I have already told you: unless we are talking about hardware-based encryption (we are not), the BIOS boot partition cannot be encrypted. And I see no reason to manage it with LVM (it is 1 MB large) or to encrypt it (it only contains GRUB's stage 1.5).

I have never used LVM but I doubt you can have logical volumes inside logical volumes. There are ways to encrypt the swap and still be able to hibernate: https://help.ubuntu.com/community/EnableHibernateWithEncryptedSwap

Why not follow https://trisquel.info/en/wiki/full-disk-encryption-install ?
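An added example, not code from anyone in this thread, that checks the two points Magic Banana makes in the posts above: on GPT, parted's bios_grub flag is really the partition type GUID 21686148-6449-6E6F-744E-656564454649, the legacy "boot" flag is a separate attribute bit that GRUB in the MBR does not need, and the BIOS boot partition has to be raw space, so it can hold neither LUKS nor LVM. The script builds a small GPT disk image in memory (a 1 MiB bios_grub partition beside one LUKS container, with a fake LUKS header), parses the header and partition array with CRC checks, and reports what grub-install on a BIOS machine would actually need. The image, its GUIDs and the LUKS-magic test are all constructed here; only the Python standard library is used.

```python
"""Added example: audit a GPT for the BIOS boot partition GRUB needs on BIOS+GPT.
Builds a constructed disk image in memory, then parses it. Standard library only."""
import struct
import uuid
import zlib

SECTOR = 512
ENTRY_SIZE, ENTRY_COUNT = 128, 128                 # minimum partition array
HEADER_FMT = "<8sIIIIQQQQ16sQIII"                  # 92-byte GPT header
BIOS_BOOT = uuid.UUID("21686148-6449-6E6F-744E-656564454649")  # parted bios_grub
LINUX_FS = uuid.UUID("0FC63DAF-8483-4772-8E79-3D69D8477DE4")
LEGACY_BIOS_BOOTABLE = 1 << 2                      # attribute bit 2: the "boot" flag
LUKS_MAGIC = b"LUKS\xba\xbe"                       # first 6 bytes of a LUKS header


def _entry(type_guid, first, last, attrs, name):
    """One 128-byte partition entry; GUIDs are stored in mixed-endian form."""
    return (type_guid.bytes_le + uuid.uuid4().bytes_le
            + struct.pack("<QQQ", first, last, attrs)
            + name.encode("utf-16-le").ljust(72, b"\0"))


def _header(this_lba, other_lba, array_lba, total, array, disk_guid):
    """GPT header padded to a sector; its CRC32 is computed with the CRC field zeroed."""
    hdr = struct.pack(HEADER_FMT, b"EFI PART", 0x00010000, 92, 0, 0,
                      this_lba, other_lba, 34, total - 34, disk_guid.bytes_le,
                      array_lba, ENTRY_COUNT, ENTRY_SIZE, zlib.crc32(array))
    hdr = hdr[:16] + struct.pack("<I", zlib.crc32(hdr)) + hdr[20:]
    return hdr.ljust(SECTOR, b"\0")


def build_image(total=16384, bios_boot=True, luks_in_bios_boot=False, boot_flag=False):
    """Constructed 8 MiB test disk: [bios_grub 2048-4095] [LUKS 4096-end]."""
    img = bytearray(total * SECTOR)
    # Protective MBR: a single 0xEE partition spanning the disk, then 0x55AA.
    img[446:462] = struct.pack("<8BII", 0, 0, 2, 0, 0xEE, 0xFF, 0xFF, 0xFF, 1, total - 1)
    img[510:512] = b"\x55\xaa"
    entries = _entry(BIOS_BOOT, 2048, 4095, 0, "BIOS boot") if bios_boot else b""
    entries += _entry(LINUX_FS, 4096, total - 34,
                      LEGACY_BIOS_BOOTABLE if boot_flag else 0, "crypt")
    array = entries.ljust(ENTRY_SIZE * ENTRY_COUNT, b"\0")
    guid, backup_array_lba = uuid.uuid4(), total - 1 - len(array) // SECTOR
    img[SECTOR:2 * SECTOR] = _header(1, total - 1, 2, total, array, guid)
    img[2 * SECTOR:2 * SECTOR + len(array)] = array
    img[backup_array_lba * SECTOR:(total - 1) * SECTOR] = array
    img[(total - 1) * SECTOR:] = _header(total - 1, 1, backup_array_lba, total, array, guid)
    img[4096 * SECTOR:4096 * SECTOR + 6] = LUKS_MAGIC         # fake LUKS header
    if luks_in_bios_boot:                                     # "can I encrypt it?"
        img[2048 * SECTOR:2048 * SECTOR + 6] = LUKS_MAGIC
    return bytes(img)


def parse_gpt(img):
    """Non-empty entries of the primary GPT, after checking both CRC32s."""
    hdr = bytes(img[SECTOR:SECTOR + 92])
    f = struct.unpack(HEADER_FMT, hdr)
    sig, hsize, hcrc, array_lba, count, esize, acrc = f[0], f[2], f[3], f[10], f[11], f[12], f[13]
    if sig != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    if zlib.crc32(hdr[:16] + b"\0\0\0\0" + hdr[20:hsize]) != hcrc:
        raise ValueError("GPT header CRC mismatch")
    array = bytes(img[array_lba * SECTOR:array_lba * SECTOR + count * esize])
    if zlib.crc32(array) != acrc:
        raise ValueError("partition array CRC mismatch")
    parts = []
    for i in range(count):
        e = array[i * esize:(i + 1) * esize]
        ptype = uuid.UUID(bytes_le=e[:16])
        if ptype.int:                                         # skip unused slots
            first, last, attrs = struct.unpack("<QQQ", e[32:56])
            parts.append({"number": i + 1, "type": ptype, "first": first,
                          "last": last, "attrs": attrs})
    return parts


def audit(img):
    """What GRUB in the MBR needs from this table, and what it ignores."""
    report = {"bios_boot": None, "luks": [], "boot_flag_on": [], "problems": []}
    for p in parse_gpt(img):
        start = p["first"] * SECTOR
        if img[start:start + 6] == LUKS_MAGIC:
            report["luks"].append(p["number"])
        if p["attrs"] & LEGACY_BIOS_BOOTABLE:                 # harmless, but not used
            report["boot_flag_on"].append(p["number"])
        if p["type"] == BIOS_BOOT:
            report["bios_boot"] = p["number"]
            if (p["last"] - p["first"] + 1) * SECTOR < 1 << 20:
                report["problems"].append("bios_grub partition smaller than 1 MiB")
            if img[start:start + 6] == LUKS_MAGIC:
                report["problems"].append("bios_grub partition holds a LUKS header; "
                                          "grub-install writes core.img there")
    if report["bios_boot"] is None:
        report["problems"].append("no bios_grub partition: grub-install needs one on GPT+BIOS")
    return report


if __name__ == "__main__":
    for label, kw in [("good", {}), ("boot flag on LUKS", {"boot_flag": True}),
                      ("no bios_grub", {"bios_boot": False}),
                      ("LUKS inside bios_grub", {"luks_in_bios_boot": True})]:
        print(f"{label}: {audit(build_image(**kw))}")
```

The "good" layout passes with no problems even though nothing carries the boot flag, the layout with the boot flag on the LUKS partition still passes (the flag is reported but is not what makes the disk boot), and the two layouts the thread asks about, no bios_grub partition and a LUKS header inside it, are the ones that fail. To audit a real disk, pass the bytes of a raw image file; reading a live device needs root and, for a large disk, seeking to each partition's first sector rather than reading the whole device.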

stas730 (not verified)

I am following the Ubuntu guide: manual disk partitioning & data erase on.

stas730 (not verified)

Help me…

tdlnx
Joined: 04/09/2014

I'm pretty sure MagicBanana was helping you... by telling you what you want is not currently possible. It's obviously not what you want to hear but there's nothing we (or you) can do about it, unless you add designing an entirely new way for computers to function as we know it to your growing list of projects that is.

SuperTramp83
Joined: 10/31/2014

Mangy Dog
Joined: 03/15/2015

Here's some mushrooms..

stas730 (not verified)

Ok, my partition table is:
1. no fs biosgrub 1MB (do I need to set "Legacy BIOS bootable" from gnome-disks?)
2. Encrypted LUKS LVM:
2.1. ext4 /boot 1GB
2.2. ext4 / 100GB
2.3. ext4 /home ~200 GB
2.4. swap 4 GB

stas730 (not verified)

I need help. This is my last question before installation.

Magic Banana
Joined: 07/24/2010

Again: the "boot" flag is not used if GRUB is installed in the MBR.

100 GB for / looks far too much. You will probably end up using 10% of it (more if you install heavy video games). 1 GB for /boot is a lot too since a kernel requires about 50 MB and you do not need twenty different kernels (only the last one and another one that, for sure, drives well all your hardware). But, well, it only is 1 GB.

stas730 (not verified)

HELP ME. THIS IS LAST QUESTION.

stas730 (not verified)

Ok. I will try to install the OS.
Answer 1: 20 GB for root is not enough for me.
Answer 2: I want to try to install Hurd and (maybe) deblobbed *BSD.
*: RAM == 2 GB

Magic Banana
Joined: 07/24/2010

Hurd must be much smaller than Linux. And, I believe, so is BSD's kernel. You had better use Debian if you want to try such things because the packages must be ported to work with alternative kernels.

stas730 (not verified)

gNewSense?

Magic Banana
Joined: 07/24/2010

No.

stas730 (not verified)

Debian has non-free and contrib repos.

Magic Banana
Joined: 07/24/2010

Yes. They are bad. Do not enable those.

ealltech
Joined: 09/30/2016

I do not think a BIOS boot partition can be encrypted since it contains part of the bootloader (and only that).