How to install GPT on BIOS & full disk encryption (with boot)?

41 respostas [Última entrada]
anonymous

How to install FULL disk encryption (including /boot) with GPT on BIOS?
I used text mode install, created /boot, /, /home and swap partitions on big encrypted bootable LVM, then added encryption option in GRUB, changed LVM partition type (GRUB BIOS) and installed it. After rebooting, GRUB cannot detect cryptodisk and FS is crashed. Now I'm going to do dd if=/dev/zero of=/dev/sda, then another deleting data function (in install) and reinstall…
In short words:
Bootable encrypted LVM with /boot and / partitons. I changed type to bios_grub:
$ sudo parted /dev/sda
(parted) set 1 bios_grub on (from http://www.wensley.org.uk/gpt)
(parted) quit
something about fstab
Then GRUB install and FS is crashed.
P. S. http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/

stas730 (non verificado)

P. P. S. I used only these parted commands from the first website.

SuperTramp83

I am a translator!

Desconectado
Joined: 10/31/2014

> Now I'm going to do dd if=/dev/zero of=/dev/sda, then another deleting data function (in install) and reinstall…

I assume you already did that before and during the first installation (the one that gave you the zombie fs), so, if the assumption is correct, why in the world would you do that again?
My guess is you really enjoy wasting time.

stas730 (non verificado)

No, I successfully created full disk encryption without /boot on MBR. My first question is how to enable bios_grub without destroying the FS.
P. S. What is the best (as in freedom) partition table? And what is the best FS for SERVER (free as in freedom, too)?

Magic Banana

I am a member!

I am a translator!

Desconectado
Joined: 07/24/2010

A partition table is just data that specifies where partitions begin and end. Whatever the type of partition table, the format is well-documented and tools like GNU parted can read/write it. All filesystems in Linux are under the GNU GPL.

stas730 (non verificado)

How to install GRUB on GPT with BIOS without crashing FS?
P. S. Can I make UEFI firmware to replace BIOS? Or UEFI motherboards are different than BIOS?

Magic Banana

I am a member!

I am a translator!

Desconectado
Joined: 07/24/2010

I have never done that but that seems to be a solution: http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/

stas730 (non verificado)

Can I encrypt 1MB bootable BIOS partition? Can I include it in LVM group?
P. S. Reinstall again!

Magic Banana

I am a member!

I am a translator!

Desconectado
Joined: 07/24/2010

I do not think a BIOS boot partition can be encrypted since it contains part of the bootloader (and only that).

stas730 (non verificado)

Maybe, MBR?

Magic Banana

I am a member!

I am a translator!

Desconectado
Joined: 07/24/2010

You cannot encrypt a MBR. But what is the point to encrypt a partition table or the code of a bootloader?

stas730 (non verificado)

I want to encrypt all partitions.
I will not use BIOS passwords because this passwords can create problems with flashing Libreboot.
P. S. Is default Libreboot supports UEFI?

Magic Banana

I am a member!

I am a translator!

Desconectado
Joined: 07/24/2010

https://libreboot.org/docs/hcl/index.html#supported_list

You can want an encrypted MBR as much as you want but it won't happen unless the encryption is hardware-based (and I doubt there are free disk firmware, so I would not trust those): https://en.wikipedia.org/wiki/Hardware-based_full_disk_encryption

I am pretty sure the same holds for a BIOS boot partition.

stas730 (non verificado)

Ok, I will use MBR.
P. S. No free firmwares? Computers are evil.

stas730 (non verificado)

Help me.

Mangy Dog

I am a member!

I am a translator!

Desconectado
Joined: 03/15/2015

Nope :)

...who sang...anarchy in the ...??

Internet_DDay.png
Mangy Dog

I am a member!

I am a translator!

Desconectado
Joined: 03/15/2015

PS : it doesn't hurt..
"\°v°/"

stas730 (non verificado)

I will wait one day, then I will install OS on MBR.

stas730 (non verificado)

Do I need to create FS on BIOS boot partition?
What is --root-directory (GRUB 2)? It's / or /boot?

Magic Banana

I am a member!

I am a translator!

Desconectado
Joined: 07/24/2010

There is no filesystem (hence no file) on a BIOS boot partition. That concept is unknown to the BIOS. Your BIOS boot partition only has GRUB's stage 1.5 code, which includes drivers to read all the popular filesystems. In this way stage 2 can be in regular files in /boot/grub, kernel images can be loaded by their paths, etc.

'grub-install' has not had a --root-directory option since GRUB 1.99. It still has a --boot-directory option though. It specifies, well, the boot directory, i.e., /boot by default. It is useful when installing from a live system (otherwise 'grub-install' will consider the /boot of the live system).

stas730 (non verificado)

And which partition is bootable?

Magic Banana

I am a member!

I am a translator!

Desconectado
Joined: 07/24/2010

If by that you mean "which partition must have the boot flag", the answer is none. The BIOS boot partition must have the bios_grub flag though.

stas730 (non verificado)

Oh no. I marked LVM as bootable.
Can GRUB_BIOS be in (encrypted) LVM?

Magic Banana

I am a member!

I am a translator!

Desconectado
Joined: 07/24/2010

With GRUB in the MBR, the boot flag is not used. grub_bios is the BIOS boot partition: https://trisquel.info/forum/how-install-gpt-bios-full-disk-encryption-boot#comment-104804

stas730 (non verificado)

Ok. The last questions:
1. Can bootable BIOS partition be in LVM
2. Can bootable BIOS partition be in encrypted LVM
3. If I will check "Yes" for /home encryption and then create big LVM with /boot, /home, / and swap — can I use Hibernate on my laptop after this?

Magic Banana

I am a member!

I am a translator!

Desconectado
Joined: 07/24/2010

I have already told you: unless we are talking about hardware-based encryption (we are not), the BIOS boot partition cannot be encrypted. And I see no reason to manage it with LVM (it is 1 MB large) or to encrypt it (it only contains GRUB's stage 1.5).

I have never used LVM but I doubt you can have logical volume inside logical volumes. There are ways to encrypt the swap and still be able to hibernate: https://help.ubuntu.com/community/EnableHibernateWithEncryptedSwap

Why not following https://trisquel.info/en/wiki/full-disk-encryption-install ?

stas730 (non verificado)

I following Ubuntu guide: manual disk partitioning & data erase on.

stas730 (non verificado)

Help me…

tdlnx

I am a member!

Desconectado
Joined: 04/09/2014

I'm pretty sure MagicBanana was helping you... by telling you what you want is not currently possible. It's obviously not what you want to hear but there's nothing we (or you) can do about it, unless you add designing an entirely new way for computers to function as we know it to your growing list of projects that is.

SuperTramp83

I am a translator!

Desconectado
Joined: 10/31/2014
Mangy Dog

I am a member!

I am a translator!

Desconectado
Joined: 03/15/2015

Heres some mushrooms..

AnexoTamaño
StasiCheckGameOver.ogg_.bz2 215.67 KB
stas730 (non verificado)

Ok, my partition table is:
1. no fs biosgrub 1MB (do I need to set "Legacy BIOS bootable from gnome-disks?)
2. Encrypted LUKS LVM:
2.1. ext4 /boot 1GB
2.2. ext4 / 100GB
2.3. ext4 /home ~200 GB
2.4 swap 4 GB

stas730 (non verificado)

I need help. This is my last question before installation.

Magic Banana

I am a member!

I am a translator!

Desconectado
Joined: 07/24/2010

Again: the "boot" flag is not used if GRUB is installed in the MBR.

100 GB for / looks far too much. You will probably end up using 10% of it (more if you install heavy video games). 1 GB for /boot is a lot too since a kernel requires about 50 MB and you do not need twenty different kernels (only the last one and another one that, for sure, drives well all your hardware). But, well, it only is 1 GB.

stas730 (non verificado)

HELP ME. THIS IS LAST QUESTION.

stas730 (non verificado)

Ok. I will try to install the OS.
Answer 1: 20 GB for root is not enough for me.
Answer 2: I want to try to install Hurd and (maybe) deblobbed *BSD.
*: RAM == 2 GB

Magic Banana

I am a member!

I am a translator!

Desconectado
Joined: 07/24/2010

Hurd must be much smaller than Linux. And, I believe, so does BSD's kernel. You had better use Debian if you want to try such things because the packages must be ported to work with alternative kernels.

stas730 (non verificado)

gNewSense?

Magic Banana

I am a member!

I am a translator!

Desconectado
Joined: 07/24/2010

No.

stas730 (non verificado)

Debian have non-free and contrib repos.

Magic Banana

I am a member!

I am a translator!

Desconectado
Joined: 07/24/2010

Yes. They are bad. Do not enable those.

ealltech
Desconectado
Joined: 09/30/2016

I do not think a BIOS boot partition can be encrypted since it contains part of the bootloader (and only that).