How to enable full disk encryption after install? #58

New Issue

Open

opened 2025-01-18 14:20:56 +01:00 by Benjamin_Loison · 114 comments

Benjamin_Loison commented 2025-01-18 14:20:56 +01:00

Owner

Copy Link

Would help Benjamin-Loison/cinnamon/issues/179.

Wikipedia: Linux Unified Key Setup (1239229939) may help.

Reading:

• Wikipedia: Comparison of disk encryption software
• Wikipedia: dm-crypt
• Wikipedia: Device mapper

would also help.

+9

Would help [Benjamin-Loison/cinnamon/issues/179](https://github.com/Benjamin-Loison/cinnamon/issues/179). [Wikipedia: Linux Unified Key Setup (1239229939)](https://en.wikipedia.org/w/index.php?title=Linux_Unified_Key_Setup&oldid=1239229939) may help. Reading: - [Wikipedia: Comparison of disk encryption software](https://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software) - [Wikipedia: dm-crypt](https://en.wikipedia.org/wiki/Dm-crypt) - [Wikipedia: Device mapper](https://en.wikipedia.org/wiki/Device_mapper) would also help. +9

Benjamin_Loison referenced this issue 2025-01-18 14:22:30 +01:00

Convert BitLocker disks to LUKS #25

Benjamin_Loison commented 2025-01-18 14:24:03 +01:00

Author

Owner

Copy Link

Related to Benjamin_Loison/ecryptfs/issues/8.

Related to [Benjamin_Loison/ecryptfs/issues/8](https://codeberg.org/Benjamin_Loison/ecryptfs/issues/8).

Benjamin_Loison commented 2025-01-18 14:38:25 +01:00

Author

Owner

Copy Link

Wikipedia: Linux Unified Key Setup#Examples (1239229939) may help otherwise I read completely this article.

[Wikipedia: Linux Unified Key Setup#Examples (1239229939)](https://en.wikipedia.org/w/index.php?title=Linux_Unified_Key_Setup&oldid=1239229939#Examples) may help otherwise I read completely this article.

Benjamin_Loison commented 2025-01-18 14:38:58 +01:00

Author

Owner

Copy Link

gparted helps?

`gparted` helps?

Benjamin_Loison commented 2025-01-18 14:39:05 +01:00

Author

Owner

Copy Link

Can try in a virtual machine first.

Can try in a virtual machine first.

Benjamin_Loison commented 2025-01-18 15:15:45 +01:00

Author

Owner

Copy Link

Let us try from a fresh Linux Mint 22.1:

Screenshot_Linux_Mint_2025-01-18_15:58:46.png does not request an encryption password and rebooting leads to usual login prompt.

Let us try from a fresh Linux Mint 22.1: `Screenshot_Linux_Mint_2025-01-18_15:58:46.png` does not request an encryption password and rebooting leads to usual login prompt.

Screenshot_Linux_Mint_2025-01-18_15:08:36.png

146 KiB

Screenshot_Linux_Mint_2025-01-18_15:08:31.png

131 KiB

Screenshot_Linux_Mint_2025-01-18_15:10:25.png

152 KiB

Screenshot_Linux_Mint_2025-01-18_15:13:55.png

138 KiB

Screenshot_Linux_Mint_2025-01-18_15:42:15.png

47 KiB

Screenshot_Linux_Mint_2025-01-18_15:20:11.png

84 KiB

Screenshot_Linux_Mint_2025-01-18_15:47:53.png

44 KiB

Screenshot_Linux_Mint_2025-01-18_15:42:29.png

65 KiB

Screenshot_Linux_Mint_2025-01-18_15:48:04.png

74 KiB

Screenshot_Linux_Mint_2025-01-18_15:56:56.png

4.4 KiB

Screenshot_Linux_Mint_2025-01-18_15:55:56.png

120 KiB

Screenshot_Linux_Mint_2025-01-18_15:58:46.png

80 KiB

Screenshot_Linux_Mint_2025-01-18_16:00:28.png

75 KiB

Benjamin_Loison commented 2025-01-18 16:02:58 +01:00

Author

Owner

Copy Link

DuckDuckGo search Linux Mint enable full disk encryption after install.

DuckDuckGo search *Linux Mint enable full disk encryption after install*.

Benjamin_Loison commented 2025-01-18 16:03:59 +01:00

Author

Owner

Copy Link

Could investigate the documentation of:

• cryptsetup reencrypt
• cryptsetup-reencrypt

Could investigate the documentation of: - `cryptsetup reencrypt` - `cryptsetup-reencrypt`

Benjamin_Loison commented 2025-01-18 16:06:00 +01:00

Author

Owner

Copy Link

Backing up before encrypting seems safer.

As there is a decryption screen, there is no need to take screenshots how to access the disk from another system.

However, a final screenshot once encrypted of gparted to show that it is encrypted would be nice.

Backing up before encrypting seems safer. As there is a decryption screen, there is no need to take screenshots how to access the disk from another system. However, a final screenshot once encrypted of `gparted` to show that it is encrypted would be nice.

Benjamin_Loison commented 2025-01-18 16:07:42 +01:00

Author

Owner

Copy Link

https://forums.linuxmint.com/viewtopic.php?t=391261 seems more about not identical backup and restore.

https://forums.linuxmint.com/viewtopic.php?t=391261 seems more about not identical backup and restore.

Benjamin_Loison commented 2025-01-18 16:09:32 +01:00

Author

Owner

Copy Link

The Ask Ubuntu answer 369623 states quickly that it is not possible.

[The Ask Ubuntu answer 369623](https://askubuntu.com/a/369623) states quickly that it is not possible.

Benjamin_Loison commented 2025-01-18 16:12:22 +01:00

Author

Owner

Copy Link

I recommend switching to cryptsetup-reencrypt, which is properly maintained and tested upstream even when the format of the LUKS header changes (to my knowledge, this has at least happened twice and can cause luksipc to catastrophically fail, i.e., destroy all your data in the worst case).

Source: luksipc/blob/e222ca7ff89e7465345c8ae8786096130e06a30f/README.md?plain=1#L7-L11
Source: the Ask Ubuntu comment 2501628

> I recommend switching to cryptsetup-reencrypt, which is properly maintained and tested upstream even when the format of the LUKS header changes (to my knowledge, this has at least happened twice and can cause luksipc to catastrophically fail, i.e., destroy all your data in the worst case). Source: [luksipc/blob/e222ca7ff89e7465345c8ae8786096130e06a30f/README.md?plain=1#L7-L11](https://github.com/johndoe31415/luksipc/blob/e222ca7ff89e7465345c8ae8786096130e06a30f/README.md?plain=1#L7-L11) Source: [the Ask Ubuntu comment 2501628](https://askubuntu.com/questions/96870/is-there-a-way-to-do-full-disk-encryption-after-the-install#comment2501628_675543)

Benjamin_Loison commented 2025-01-18 16:15:56 +01:00

Author

Owner

Copy Link

Let us figure out why I faced above in https://gitea.lemnoslife.com/attachments/f3fda48c-04fc-4a5c-ac80-d884d6cde31c:

cryptosetup-reencrypt /dev/vda3

cryptosetup-reencrypt: command not found

Let us figure out why I faced above in https://gitea.lemnoslife.com/attachments/f3fda48c-04fc-4a5c-ac80-d884d6cde31c: ```bash cryptosetup-reencrypt /dev/vda3 ``` ``` cryptosetup-reencrypt: command not found ```

Benjamin_Loison commented 2025-01-18 16:16:55 +01:00

Author

Owner

Copy Link

sudo apt install -y cryptosetup-reencrypt

Output:

...
E: Unable to locate package cryptosetup-reencrypt

```bash sudo apt install -y cryptosetup-reencrypt ``` <details> <summary>Output:</summary> ``` ... E: Unable to locate package cryptosetup-reencrypt ``` </details>

Benjamin_Loison commented 2025-01-18 16:17:15 +01:00

Author

Owner

Copy Link

DuckDuckGo and Google search "cryptosetup-reencrypt" and "cryptosetup-reencrypt" "apt".

https://man7.org/linux/man-pages/man8/cryptsetup-reencrypt.8.html

DuckDuckGo and Google search `"cryptosetup-reencrypt"` and `"cryptosetup-reencrypt" "apt"`. https://man7.org/linux/man-pages/man8/cryptsetup-reencrypt.8.html

Benjamin_Loison commented 2025-01-18 16:18:18 +01:00

Author

Owner

Copy Link

On my Debian 12 GNOME work laptop:

command-not-found --ignore-installed cryptsetup-reencrypt

cryptsetup-reencrypt: command not found

On my Debian 12 GNOME work laptop: ```bash command-not-found --ignore-installed cryptsetup-reencrypt ``` ``` cryptsetup-reencrypt: command not found ```

Benjamin_Loison commented 2025-01-18 16:21:14 +01:00

Author

Owner

Copy Link

https://command-not-found.com/cryptsetup-reencrypt

https://command-not-found.com/cryptsetup-reencrypt

Benjamin_Loison commented 2025-01-18 16:24:05 +01:00

Author

Owner

Copy Link

cryptsetup

[cryptsetup](https://gitlab.com/cryptsetup/cryptsetup)

Benjamin_Loison commented 2025-01-18 16:24:43 +01:00

Author

Owner

Copy Link

The Ask Ubuntu question 1445879 faces the same issue as me.

[The Ask Ubuntu question 1445879](https://askubuntu.com/q/1445879) faces the same issue as me.

Benjamin_Loison commented 2025-01-18 16:26:30 +01:00

Author

Owner

Copy Link

https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/2014228/comments/5 seems to recommend instead cryptsetup reencrypt.

https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/2014228/comments/5 seems to recommend instead `cryptsetup reencrypt`.

Benjamin_Loison commented 2025-01-18 16:27:25 +01:00

Author

Owner

Copy Link

cryptsetup reencrypt

Command requires device as argument.

even if sudo.

```bash cryptsetup reencrypt ``` ``` Command requires device as argument. ``` even if `sudo`.

Benjamin_Loison commented 2025-01-18 16:28:06 +01:00

Author

Owner

Copy Link

On my Debian 12 GNOME work laptop:

cryptsetup reencrypt --help

Output:

cryptsetup 2.6.1 flags: UDEV BLKID KEYRING KERNEL_CAPI 
Usage: cryptsetup [OPTION...] <action> <action-specific>

Help options:
  -?, --help                            Show this help message
      --usage                           Display brief usage
  -V, --version                         Print package version
      --active-name=STRING              Override device autodetection of dm
                                        device to be reencrypted
      --align-payload=SECTORS           Align payload at <n> sector boundaries
                                        - for luksFormat
      --allow-discards                  Allow discards (aka TRIM) requests for
                                        device
  -q, --batch-mode                      Do not ask for confirmation
      --cancel-deferred                 Cancel a previously set deferred
                                        device removal
  -c, --cipher=STRING                   The cipher used to encrypt the disk
                                        (see /proc/crypto)
      --debug                           Show debug messages
      --debug-json                      Show debug messages including JSON
                                        metadata
      --deferred                        Device removal is deferred until the
                                        last user closes it
      --device-size=bytes               Use only specified device size (ignore
                                        rest of device). DANGEROUS!
      --decrypt                         Decrypt LUKS2 device (remove
                                        encryption).
      --disable-external-tokens         Disable loading of external LUKS2
                                        token plugins
      --disable-keyring                 Disable loading volume keys via kernel
                                        keyring
      --disable-locks                   Disable locking of on-disk metadata
      --disable-veracrypt               Do not scan for VeraCrypt compatible
                                        device
      --dump-json-metadata              Dump info in JSON format (LUKS2 only)
      --dump-volume-key                 Dump volume key instead of keyslots
                                        info
      --encrypt                         Encrypt LUKS2 device (in-place
                                        encryption).
      --force-password                  Disable password quality check (if
                                        enabled)
      --force-offline-reencrypt         Force offline LUKS2 reencryption and
                                        bypass active device detection.
  -h, --hash=STRING                     The hash used to create the encryption
                                        key from the passphrase
      --header=STRING                   Device or file with separated LUKS
                                        header
      --header-backup-file=STRING       File with LUKS header and keyslots
                                        backup
      --hotzone-size=bytes              Maximal reencryption hotzone size.
      --init-only                       Initialize LUKS2 reencryption in
                                        metadata only.
  -I, --integrity=STRING                Data integrity algorithm (LUKS2 only)
      --integrity-legacy-padding        Use inefficient legacy padding (old
                                        kernels)
      --integrity-no-journal            Disable journal for integrity device
      --integrity-no-wipe               Do not wipe device after format
  -i, --iter-time=msecs                 PBKDF iteration time for LUKS (in ms)
      --iv-large-sectors                Use IV counted in sector size (not in
                                        512 bytes)
      --json-file=STRING                Read or write the json from or to a
                                        file
      --keep-key                        Do not change volume key.
      --key-description=STRING          Key description
  -d, --key-file=STRING                 Read the key from a file
  -s, --key-size=BITS                   The size of the encryption key
  -S, --key-slot=INT                    Slot number for new key (default is
                                        first free)
      --keyfile-offset=bytes            Number of bytes to skip in keyfile
  -l, --keyfile-size=bytes              Limits the read from keyfile
      --keyslot-cipher=STRING           LUKS2 keyslot: The cipher used for
                                        keyslot encryption
      --keyslot-key-size=BITS           LUKS2 keyslot: The size of the
                                        encryption key
      --label=STRING                    Set label for the LUKS2 device
      --luks2-keyslots-size=bytes       LUKS2 header keyslots area size
      --luks2-metadata-size=bytes       LUKS2 header metadata area size
      --volume-key-file=STRING          Use the volume key from file.
      --new-keyfile=STRING              Read the key for a new slot from a file
      --new-key-slot=INT                Slot number for new key (default is
                                        first free)
      --new-keyfile-offset=bytes        Number of bytes to skip in newly added
                                        keyfile
      --new-keyfile-size=bytes          Limits the read from newly added
                                        keyfile
      --new-token-id=INT                Token number (default: any)
  -o, --offset=SECTORS                  The start offset in the backend device
      --pbkdf=STRING                    PBKDF algorithm (for LUKS2): argon2i,
                                        argon2id, pbkdf2
      --pbkdf-force-iterations=LONG     PBKDF iterations cost (forced,
                                        disables benchmark)
      --pbkdf-memory=kilobytes          PBKDF memory cost limit
      --pbkdf-parallel=threads          PBKDF parallel cost
      --perf-no_read_workqueue          Bypass dm-crypt workqueue and process
                                        read requests synchronously
      --perf-no_write_workqueue         Bypass dm-crypt workqueue and process
                                        write requests synchronously
      --perf-same_cpu_crypt             Use dm-crypt same_cpu_crypt
                                        performance compatibility option
      --perf-submit_from_crypt_cpus     Use dm-crypt submit_from_crypt_cpus
                                        performance compatibility option
      --persistent                      Set activation flags persistent for
                                        device
      --priority=STRING                 Keyslot priority: ignore, normal,
                                        prefer
      --progress-json                   Print progress data in json format
                                        (suitable for machine processing)
      --progress-frequency=secs         Progress line update (in seconds)
  -r, --readonly                        Create a readonly mapping
      --reduce-device-size=bytes        Reduce data device size (move data
                                        offset). DANGEROUS!
      --refresh                         Refresh (reactivate) device with new
                                        parameters
      --resilience=STRING               Reencryption hotzone resilience type
                                        (checksum,journal,none)
      --resilience-hash=STRING          Reencryption hotzone checksums hash
      --resume-only                     Resume initialized LUKS2 reencryption
                                        only.
      --sector-size=INT                 Encryption sector size (default: 512
                                        bytes)
      --serialize-memory-hard-pbkdf     Use global lock to serialize memory
                                        hard PBKDF (OOM workaround)
      --shared                          Share device with another
                                        non-overlapping crypt segment
  -b, --size=SECTORS                    The size of the device
  -p, --skip=SECTORS                    How many sectors of the encrypted data
                                        to skip at the beginning
      --subsystem=STRING                Set subsystem label for the LUKS2
                                        device
      --tcrypt-backup                   Use backup (secondary) TCRYPT header
      --tcrypt-hidden                   Use hidden header (hidden TCRYPT
                                        device)
      --tcrypt-system                   Device is system TCRYPT drive (with
                                        bootloader)
      --test-args                       Do not run action, just validate all
                                        command line parameters
      --test-passphrase                 Do not activate device, just check
                                        passphrase
  -t, --timeout=secs                    Timeout for interactive passphrase
                                        prompt (in seconds)
      --token-id=INT                    Token number (default: any)
      --token-only                      Do not ask for passphrase if
                                        activation by token fails
      --token-replace                   Replace the current token
      --token-type=STRING               Restrict allowed token types used to
                                        retrieve LUKS2 key
  -T, --tries=INT                       How often the input of the passphrase
                                        can be retried
  -M, --type=STRING                     Type of device metadata: luks, luks1,
                                        luks2, plain, loopaes, tcrypt, bitlk
      --unbound                         Create or dump unbound LUKS2 keyslot
                                        (unassigned to data segment) or LUKS2
                                        token (unassigned to keyslot)
      --use-random                      Use /dev/random for generating volume
                                        key
      --use-urandom                     Use /dev/urandom for generating volume
                                        key
      --uuid=STRING                     UUID for device to use
      --veracrypt                       Scan also for VeraCrypt compatible
                                        device
      --veracrypt-pim=INT               Personal Iteration Multiplier for
                                        VeraCrypt compatible device
      --veracrypt-query-pim             Query Personal Iteration Multiplier
                                        for VeraCrypt compatible device
  -v, --verbose                         Shows more detailed error messages
  -y, --verify-passphrase               Verifies the passphrase by asking for
                                        it twice
  -B, --block-size=MiB                  Reencryption block size
  -N, --new                             Create new header on not encrypted
                                        device
      --use-directio                    Use direct-io when accessing devices
      --use-fsync                       Use fsync after each block
      --write-log                       Update log file after every block
      --dump-master-key                 Alias for --dump-volume-key
      --master-key-file=STRING          Alias for --dump-volume-key-file

<action> is one of:
	open <device> [--type <type>] [<name>] - open device as <name>
	close <name> - close device (remove mapping)
	resize <name> - resize active device
	status <name> - show device status
	benchmark [--cipher <cipher>] - benchmark cipher
	repair <device> - try to repair on-disk metadata
	reencrypt <device> - reencrypt LUKS2 device
	erase <device> - erase all keyslots (remove encryption key)
	convert <device> - convert LUKS from/to LUKS2 format
	config <device> - set permanent configuration options for LUKS2
	luksFormat <device> [<new key file>] - formats a LUKS device
	luksAddKey <device> [<new key file>] - add key to LUKS device
	luksRemoveKey <device> [<key file>] - removes supplied key or key file from LUKS device
	luksChangeKey <device> [<key file>] - changes supplied key or key file of LUKS device
	luksConvertKey <device> [<key file>] - converts a key to new pbkdf parameters
	luksKillSlot <device> <key slot> - wipes key with number <key slot> from LUKS device
	luksUUID <device> - print UUID of LUKS device
	isLuks <device> - tests <device> for LUKS partition header
	luksDump <device> - dump LUKS partition information
	tcryptDump <device> - dump TCRYPT device information
	bitlkDump <device> - dump BITLK device information
	fvault2Dump <device> - dump FVAULT2 device information
	luksSuspend <device> - Suspend LUKS device and wipe key (all IOs are frozen)
	luksResume <device> - Resume suspended LUKS device
	luksHeaderBackup <device> - Backup LUKS device header and keyslots
	luksHeaderRestore <device> - Restore LUKS device header and keyslots
	token <add|remove|import|export> <device> - Manipulate LUKS2 tokens

You can also use old <action> syntax aliases:
	open: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open
	close: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close

<name> is the device to create under /dev/mapper
<device> is the encrypted device
<key slot> is the LUKS key slot number to modify
<key file> optional key file for the new key for luksAddKey action

Default compiled-in metadata format is LUKS2 (for luksFormat action).

LUKS2 external token plugin support is compiled-in.
LUKS2 external token plugin path: /lib/x86_64-linux-gnu/cryptsetup.

Default compiled-in key and passphrase parameters:
	Maximum keyfile size: 8192kB, Maximum interactive passphrase length 512 (characters)
Default PBKDF for LUKS1: pbkdf2, iteration time: 2000 (ms)
Default PBKDF for LUKS2: argon2id
	Iteration time: 2000, Memory required: 1048576kB, Parallel threads: 4

Default compiled-in device cipher parameters:
	loop-AES: aes, Key 256 bits
	plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: ripemd160
	LUKS: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/urandom
	LUKS: Default keysize with XTS mode (two internal keys) will be doubled.

On my Debian 12 GNOME work laptop: ```bash cryptsetup reencrypt --help ``` <details> <summary>Output:</summary> ``` cryptsetup 2.6.1 flags: UDEV BLKID KEYRING KERNEL_CAPI Usage: cryptsetup [OPTION...] <action> <action-specific> Help options: -?, --help Show this help message --usage Display brief usage -V, --version Print package version --active-name=STRING Override device autodetection of dm device to be reencrypted --align-payload=SECTORS Align payload at <n> sector boundaries - for luksFormat --allow-discards Allow discards (aka TRIM) requests for device -q, --batch-mode Do not ask for confirmation --cancel-deferred Cancel a previously set deferred device removal -c, --cipher=STRING The cipher used to encrypt the disk (see /proc/crypto) --debug Show debug messages --debug-json Show debug messages including JSON metadata --deferred Device removal is deferred until the last user closes it --device-size=bytes Use only specified device size (ignore rest of device). DANGEROUS! --decrypt Decrypt LUKS2 device (remove encryption). --disable-external-tokens Disable loading of external LUKS2 token plugins --disable-keyring Disable loading volume keys via kernel keyring --disable-locks Disable locking of on-disk metadata --disable-veracrypt Do not scan for VeraCrypt compatible device --dump-json-metadata Dump info in JSON format (LUKS2 only) --dump-volume-key Dump volume key instead of keyslots info --encrypt Encrypt LUKS2 device (in-place encryption). --force-password Disable password quality check (if enabled) --force-offline-reencrypt Force offline LUKS2 reencryption and bypass active device detection. -h, --hash=STRING The hash used to create the encryption key from the passphrase --header=STRING Device or file with separated LUKS header --header-backup-file=STRING File with LUKS header and keyslots backup --hotzone-size=bytes Maximal reencryption hotzone size. --init-only Initialize LUKS2 reencryption in metadata only. -I, --integrity=STRING Data integrity algorithm (LUKS2 only) --integrity-legacy-padding Use inefficient legacy padding (old kernels) --integrity-no-journal Disable journal for integrity device --integrity-no-wipe Do not wipe device after format -i, --iter-time=msecs PBKDF iteration time for LUKS (in ms) --iv-large-sectors Use IV counted in sector size (not in 512 bytes) --json-file=STRING Read or write the json from or to a file --keep-key Do not change volume key. --key-description=STRING Key description -d, --key-file=STRING Read the key from a file -s, --key-size=BITS The size of the encryption key -S, --key-slot=INT Slot number for new key (default is first free) --keyfile-offset=bytes Number of bytes to skip in keyfile -l, --keyfile-size=bytes Limits the read from keyfile --keyslot-cipher=STRING LUKS2 keyslot: The cipher used for keyslot encryption --keyslot-key-size=BITS LUKS2 keyslot: The size of the encryption key --label=STRING Set label for the LUKS2 device --luks2-keyslots-size=bytes LUKS2 header keyslots area size --luks2-metadata-size=bytes LUKS2 header metadata area size --volume-key-file=STRING Use the volume key from file. --new-keyfile=STRING Read the key for a new slot from a file --new-key-slot=INT Slot number for new key (default is first free) --new-keyfile-offset=bytes Number of bytes to skip in newly added keyfile --new-keyfile-size=bytes Limits the read from newly added keyfile --new-token-id=INT Token number (default: any) -o, --offset=SECTORS The start offset in the backend device --pbkdf=STRING PBKDF algorithm (for LUKS2): argon2i, argon2id, pbkdf2 --pbkdf-force-iterations=LONG PBKDF iterations cost (forced, disables benchmark) --pbkdf-memory=kilobytes PBKDF memory cost limit --pbkdf-parallel=threads PBKDF parallel cost --perf-no_read_workqueue Bypass dm-crypt workqueue and process read requests synchronously --perf-no_write_workqueue Bypass dm-crypt workqueue and process write requests synchronously --perf-same_cpu_crypt Use dm-crypt same_cpu_crypt performance compatibility option --perf-submit_from_crypt_cpus Use dm-crypt submit_from_crypt_cpus performance compatibility option --persistent Set activation flags persistent for device --priority=STRING Keyslot priority: ignore, normal, prefer --progress-json Print progress data in json format (suitable for machine processing) --progress-frequency=secs Progress line update (in seconds) -r, --readonly Create a readonly mapping --reduce-device-size=bytes Reduce data device size (move data offset). DANGEROUS! --refresh Refresh (reactivate) device with new parameters --resilience=STRING Reencryption hotzone resilience type (checksum,journal,none) --resilience-hash=STRING Reencryption hotzone checksums hash --resume-only Resume initialized LUKS2 reencryption only. --sector-size=INT Encryption sector size (default: 512 bytes) --serialize-memory-hard-pbkdf Use global lock to serialize memory hard PBKDF (OOM workaround) --shared Share device with another non-overlapping crypt segment -b, --size=SECTORS The size of the device -p, --skip=SECTORS How many sectors of the encrypted data to skip at the beginning --subsystem=STRING Set subsystem label for the LUKS2 device --tcrypt-backup Use backup (secondary) TCRYPT header --tcrypt-hidden Use hidden header (hidden TCRYPT device) --tcrypt-system Device is system TCRYPT drive (with bootloader) --test-args Do not run action, just validate all command line parameters --test-passphrase Do not activate device, just check passphrase -t, --timeout=secs Timeout for interactive passphrase prompt (in seconds) --token-id=INT Token number (default: any) --token-only Do not ask for passphrase if activation by token fails --token-replace Replace the current token --token-type=STRING Restrict allowed token types used to retrieve LUKS2 key -T, --tries=INT How often the input of the passphrase can be retried -M, --type=STRING Type of device metadata: luks, luks1, luks2, plain, loopaes, tcrypt, bitlk --unbound Create or dump unbound LUKS2 keyslot (unassigned to data segment) or LUKS2 token (unassigned to keyslot) --use-random Use /dev/random for generating volume key --use-urandom Use /dev/urandom for generating volume key --uuid=STRING UUID for device to use --veracrypt Scan also for VeraCrypt compatible device --veracrypt-pim=INT Personal Iteration Multiplier for VeraCrypt compatible device --veracrypt-query-pim Query Personal Iteration Multiplier for VeraCrypt compatible device -v, --verbose Shows more detailed error messages -y, --verify-passphrase Verifies the passphrase by asking for it twice -B, --block-size=MiB Reencryption block size -N, --new Create new header on not encrypted device --use-directio Use direct-io when accessing devices --use-fsync Use fsync after each block --write-log Update log file after every block --dump-master-key Alias for --dump-volume-key --master-key-file=STRING Alias for --dump-volume-key-file <action> is one of: open <device> [--type <type>] [<name>] - open device as <name> close <name> - close device (remove mapping) resize <name> - resize active device status <name> - show device status benchmark [--cipher <cipher>] - benchmark cipher repair <device> - try to repair on-disk metadata reencrypt <device> - reencrypt LUKS2 device erase <device> - erase all keyslots (remove encryption key) convert <device> - convert LUKS from/to LUKS2 format config <device> - set permanent configuration options for LUKS2 luksFormat <device> [<new key file>] - formats a LUKS device luksAddKey <device> [<new key file>] - add key to LUKS device luksRemoveKey <device> [<key file>] - removes supplied key or key file from LUKS device luksChangeKey <device> [<key file>] - changes supplied key or key file of LUKS device luksConvertKey <device> [<key file>] - converts a key to new pbkdf parameters luksKillSlot <device> <key slot> - wipes key with number <key slot> from LUKS device luksUUID <device> - print UUID of LUKS device isLuks <device> - tests <device> for LUKS partition header luksDump <device> - dump LUKS partition information tcryptDump <device> - dump TCRYPT device information bitlkDump <device> - dump BITLK device information fvault2Dump <device> - dump FVAULT2 device information luksSuspend <device> - Suspend LUKS device and wipe key (all IOs are frozen) luksResume <device> - Resume suspended LUKS device luksHeaderBackup <device> - Backup LUKS device header and keyslots luksHeaderRestore <device> - Restore LUKS device header and keyslots token <add|remove|import|export> <device> - Manipulate LUKS2 tokens You can also use old <action> syntax aliases: open: create (plainOpen), luksOpen, loopaesOpen, tcryptOpen, bitlkOpen, fvault2Open close: remove (plainClose), luksClose, loopaesClose, tcryptClose, bitlkClose, fvault2Close <name> is the device to create under /dev/mapper <device> is the encrypted device <key slot> is the LUKS key slot number to modify <key file> optional key file for the new key for luksAddKey action Default compiled-in metadata format is LUKS2 (for luksFormat action). LUKS2 external token plugin support is compiled-in. LUKS2 external token plugin path: /lib/x86_64-linux-gnu/cryptsetup. Default compiled-in key and passphrase parameters: Maximum keyfile size: 8192kB, Maximum interactive passphrase length 512 (characters) Default PBKDF for LUKS1: pbkdf2, iteration time: 2000 (ms) Default PBKDF for LUKS2: argon2id Iteration time: 2000, Memory required: 1048576kB, Parallel threads: 4 Default compiled-in device cipher parameters: loop-AES: aes, Key 256 bits plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: ripemd160 LUKS: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/urandom LUKS: Default keysize with XTS mode (two internal keys) will be doubled. ``` </details>

Benjamin_Loison commented 2025-01-18 16:31:52 +01:00

Author

Owner

Copy Link

Based on above Ask Ubuntu answer:

      --reduce-device-size=bytes        Reduce data device size (move data
                                        offset). DANGEROUS!
...
  -M, --type=STRING                     Type of device metadata: luks, luks1,
                                        luks2, plain, loopaes, tcrypt, bitlk
...
  -N, --new                             Create new header on not encrypted
                                        device

<details> <summary>Based on above Ask Ubuntu answer:</summary> ``` --reduce-device-size=bytes Reduce data device size (move data offset). DANGEROUS! ... -M, --type=STRING Type of device metadata: luks, luks1, luks2, plain, loopaes, tcrypt, bitlk ... -N, --new Create new header on not encrypted device ``` </details>

Benjamin_Loison commented 2025-01-18 16:41:03 +01:00

Author

Owner

Copy Link

wiki.archlinux.org: dm-crypt/Device encryption#Encrypt an existing unencrypted file system (824010)

[wiki.archlinux.org: dm-crypt/Device encryption#Encrypt an existing unencrypted file system (824010)](https://wiki.archlinux.org/index.php?title=Dm-crypt/Device_encryption&oldid=824010#Encrypt_an_existing_unencrypted_file_system)

Benjamin_Loison commented 2025-01-18 16:47:50 +01:00

Author

Owner

Copy Link


Screenshot_Linux_Mint_2025-01-18_16:23:12.png

94 KiB

Benjamin_Loison commented 2025-01-18 16:53:58 +01:00

Author

Owner

Copy Link

2fsck 2>&1 | grep '\-f'

 -f                   Force checking even if filesystem is marked clean

```bash 2fsck 2>&1 | grep '\-f' ``` ``` -f Force checking even if filesystem is marked clean ```

Benjamin_Loison commented 2025-01-18 16:55:27 +01:00

Author

Owner

Copy Link

Is not shrinking the most heavier than shrinking the least possible.

Is not shrinking the most heavier than shrinking the least possible.

Benjamin_Loison commented 2025-01-18 16:56:46 +01:00

Author

Owner

Copy Link

man resize2fs

Output:

...
       -M     Shrink the file system to minimize its size as much as possible, given the files stored in the file system.

       -p     Print out percentage completion bars for each resize2fs phase during an offline (non-trivial) resize operation, so that the user can keep track of what the program is doing.  (For  very  fast
              resize operations, no progress bars may be displayed.)
...

```bash man resize2fs ``` <details> <summary>Output:</summary> ``` ... -M Shrink the file system to minimize its size as much as possible, given the files stored in the file system. -p Print out percentage completion bars for each resize2fs phase during an offline (non-trivial) resize operation, so that the user can keep track of what the program is doing. (For very fast resize operations, no progress bars may be displayed.) ... ``` </details>

Benjamin_Loison commented 2025-01-18 17:05:16 +01:00

Author

Owner

Copy Link

 

Screenshot_Linux_Mint_2025-01-18_16:55:36.png

134 KiB

Screenshot_Linux_Mint_2025-01-18_17:04:47.png

132 KiB

Benjamin_Loison commented 2025-01-18 17:47:01 +01:00

Author

Owner

Copy Link

Create a initramfs hoock script which copies cryptestup via copy-exec

P.S The troubleshooting guide was written from memory, so there might be some missing pieces.

Should investigate:

https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html

But as of Buster cryptsetup(8) defaults to a new LUKS header format version, which isn’t supported by GRUB as of 2.04. Hence the pre-Buster workarounds won’t work anymore. Until LUKS version 2 support is added to GRUB2, the device(s) holding /boot needs to be in LUKS format version 1 to be unlocked from the boot loader.

Guilhem Moulin guilhem@debian.org, Sun, 09 Jun 2019 16:35:20 +0200

> Create a initramfs hoock script which copies cryptestup via copy-exec > P.S The troubleshooting guide was written from memory, so there might be some missing pieces. Should investigate: https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html > But as of Buster cryptsetup(8) defaults to a new LUKS header format version, which isn’t supported by GRUB as of 2.04. Hence the pre-Buster workarounds won’t work anymore. Until LUKS version 2 support is added to GRUB2, the device(s) holding /boot needs to be in LUKS format version 1 to be unlocked from the boot loader. > Guilhem Moulin guilhem@debian.org, Sun, 09 Jun 2019 16:35:20 +0200

Screenshot_Linux_Mint_2025-01-18_17:08:39.png

5.3 KiB

Screenshot_Linux_Mint_2025-01-18_17:26:27.png

137 KiB

Screenshot_Linux_Mint_2025-01-18_17:32:26.png

115 KiB

Screenshot_Linux_Mint_2025-01-18_17:26:32.png

142 KiB

Screenshot_Linux_Mint_2025-01-18_17:40:34.png

128 KiB

Benjamin_Loison commented 2025-01-25 22:51:17 +01:00

Author

Owner

Copy Link

What about Debian 12 GNOME to just encrypt ext4 with LUKS without LVM?

This would help the person:

-----BEGIN PGP MESSAGE-----

hF4DTQa9Wom5MBgSAQdAkFeKpINt90ePvuqcXZWafRH9EcVJjujCtlJNuMMJBkww
Ji6igV8YIebX/NEDp87Tkd//6Yb7Wft+fyc4M5hNcxawx7DxW4HNwPAzK2O42bpx
0kABiurBTGj5rSV1ms7bUFaJIU5C3VcvAASllQIgAWMvlglob6XrvrPmaYPf3bXO
TmS/OCxBQfsKYQ0mfL7/yCnn
=kEFt
-----END PGP MESSAGE-----

See the Tchap message where the person states not needing it finally by proceeding to a reinstall:

-----BEGIN PGP MESSAGE-----

hF4DTQa9Wom5MBgSAQdANT2B5VHY4tt0YWphixyQ9lEA66Khc/vHYlbxSDGUZxAw
p9RSsi9+D6/rVQemnwLDw2s+e2ZUS4DpsuCzOSPHni9zUAUzsl9PvPFvPgjP3pav
0qoB6CW2V8J4Z55AoXEaR6tX+oWf32UhkBXJqd79p/Thn1QORhF2mfkRKessR00o
Ah1QGgnIyH+0499RwGHT/gMKTppfaH2DcGAqSRkHS1YQkAjU6d2pjH3mxwaGWpJ8
f4rmAEIg5SL+MwBDDyiGWVjgtNEELLCBvlSzXX/fEkDPIY2y7sstXue4ERjZWPj1
pbl+fci+ddK/mEjq6I0jrinXvxIqBigyLILyUQ==
=kdpZ
-----END PGP MESSAGE-----

sudo fdisk -l

Output:

Disk /dev/vda: 30 GiB, 32212254720 bytes, 62914560 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xfefb7d07

Device     Boot Start      End  Sectors Size Id Type
/dev/vda1  *     2048 62912511 62910464  30G 83 Linux

df -h

Output:

Filesystem      Size  Used Avail Use% Mounted on
udev            7.6G     0  7.6G   0% /dev
tmpfs           1.6G  1.4M  1.6G   1% /run
/dev/vda1        30G   11G   18G  37% /
tmpfs           7.7G     0  7.7G   0% /dev/shm
tmpfs           5.0M  8.0K  5.0M   1% /run/lock
tmpfs           1.6G   96K  1.6G   1% /run/user/1000

sudo gparted

Output:

GParted 1.3.1
configuration --enable-libparted-dmraid --enable-online-resize
libparted 3.5

sudo cryptsetup reencrypt /dev/vda

does not request a password or output anything, same for /dev/vda1 and it does not return change anything during reboot.

Let us try from a live ISO. Does not help cryptsetup reencrypt.

What about Debian 12 GNOME to just encrypt ext4 with LUKS without LVM? <details> <summary>This would help the person:</summary> ``` -----BEGIN PGP MESSAGE----- hF4DTQa9Wom5MBgSAQdAkFeKpINt90ePvuqcXZWafRH9EcVJjujCtlJNuMMJBkww Ji6igV8YIebX/NEDp87Tkd//6Yb7Wft+fyc4M5hNcxawx7DxW4HNwPAzK2O42bpx 0kABiurBTGj5rSV1ms7bUFaJIU5C3VcvAASllQIgAWMvlglob6XrvrPmaYPf3bXO TmS/OCxBQfsKYQ0mfL7/yCnn =kEFt -----END PGP MESSAGE----- ``` </details> <details> <summary>See the Tchap message where the person states not needing it finally by proceeding to a reinstall:</summary> ``` -----BEGIN PGP MESSAGE----- hF4DTQa9Wom5MBgSAQdANT2B5VHY4tt0YWphixyQ9lEA66Khc/vHYlbxSDGUZxAw p9RSsi9+D6/rVQemnwLDw2s+e2ZUS4DpsuCzOSPHni9zUAUzsl9PvPFvPgjP3pav 0qoB6CW2V8J4Z55AoXEaR6tX+oWf32UhkBXJqd79p/Thn1QORhF2mfkRKessR00o Ah1QGgnIyH+0499RwGHT/gMKTppfaH2DcGAqSRkHS1YQkAjU6d2pjH3mxwaGWpJ8 f4rmAEIg5SL+MwBDDyiGWVjgtNEELLCBvlSzXX/fEkDPIY2y7sstXue4ERjZWPj1 pbl+fci+ddK/mEjq6I0jrinXvxIqBigyLILyUQ== =kdpZ -----END PGP MESSAGE----- ``` </details> ```bash sudo fdisk -l ``` <details> <summary>Output:</summary> ``` Disk /dev/vda: 30 GiB, 32212254720 bytes, 62914560 sectors Units: sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes I/O size (minimum/optimal): 512 bytes / 512 bytes Disklabel type: dos Disk identifier: 0xfefb7d07 Device Boot Start End Sectors Size Id Type /dev/vda1 * 2048 62912511 62910464 30G 83 Linux ``` </details> ```bash df -h ``` <details> <summary>Output:</summary> ``` Filesystem Size Used Avail Use% Mounted on udev 7.6G 0 7.6G 0% /dev tmpfs 1.6G 1.4M 1.6G 1% /run /dev/vda1 30G 11G 18G 37% / tmpfs 7.7G 0 7.7G 0% /dev/shm tmpfs 5.0M 8.0K 5.0M 1% /run/lock tmpfs 1.6G 96K 1.6G 1% /run/user/1000 ``` </details> ```bash sudo gparted ``` <details> <summary>Output:</summary> ``` GParted 1.3.1 configuration --enable-libparted-dmraid --enable-online-resize libparted 3.5 ``` </details> ```bash sudo cryptsetup reencrypt /dev/vda ``` does not request a password or output anything, same for `/dev/vda1` and it does not return change anything during reboot. Let us try from a live ISO. Does not help `cryptsetup reencrypt`.

Screenshot_Debian_encryption_2025-01-26_00:46:54.png

73 KiB

Screenshot_Debian_encryption_2025-01-26_00:47:16.png

73 KiB

Screenshot_Debian_encryption_2025-01-26_00:47:21.png

64 KiB

Screenshot_Debian_encryption_2025-01-26_00:47:25.png

83 KiB

Screenshot_Debian_encryption_2025-01-26_00:47:29.png

62 KiB

Screenshot_Debian_encryption_2025-01-26_00:47:33.png

63 KiB

Screenshot_Debian_encryption_2025-01-26_00:47:37.png

56 KiB

Screenshot_Debian_encryption_2025-01-26_00:47:41.png

75 KiB

Screenshot_Debian_encryption_2025-01-26_00:47:48.png

83 KiB

Screenshot_Debian_encryption_2025-01-26_00:47:52.png

69 KiB

Screenshot_Debian_encryption_2025-01-26_01:03:31.png

62 KiB

Screenshot_Debian_encryption_2025-01-26_00:47:57.png

69 KiB

Screenshot_Debian_encryption_2025-01-26_01:03:41.png

78 KiB

Screenshot_Debian_encryption_2025-01-26_01:03:36.png

77 KiB

Screenshot_Debian_encryption_2025-01-26_01:03:58.png

65 KiB

Screenshot_Debian_encryption_2025-01-26_01:03:49.png

68 KiB

Screenshot_Debian_encryption_2025-01-26_01:04:45.png

38 KiB

Screenshot_Debian_encryption_2025-01-26_01:04:11.png

86 KiB

Screenshot_Debian_encryption_2025-01-26_01:04:52.png

59 KiB

Screenshot_Debian_encryption_2025-01-26_01:09:25.png

67 KiB

Screenshot_Debian_encryption_2025-01-26_01:10:51.png

59 KiB

Screenshot_Debian_encryption_2025-01-26_01:09:28.png

82 KiB

Screenshot_Debian_encryption_2025-01-26_01:11:15.png

57 KiB

Screenshot_Debian_encryption_2025-01-26_01:11:10.png

72 KiB

Screenshot_Debian_encryption_2025-01-26_01:11:27.png

72 KiB

Benjamin_Loison commented 2025-01-25 23:15:09 +01:00

Author

Owner

Copy Link

sudo e2fsck -f /dev/vda1

Output:

e2fsck 1.47.0 (5-Feb-2023)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
/dev/vda1: 314300/1966080 files (0.2% non-contiguous), 2815025/7863808 blocks

```bash sudo e2fsck -f /dev/vda1 ``` <details> <summary>Output:</summary> ``` e2fsck 1.47.0 (5-Feb-2023) Pass 1: Checking inodes, blocks, and sizes Pass 2: Checking directory structure Pass 3: Checking directory connectivity Pass 4: Checking reference counts Pass 5: Checking group summary information /dev/vda1: 314300/1966080 files (0.2% non-contiguous), 2815025/7863808 blocks ``` </details>

Benjamin_Loison commented 2025-01-25 23:16:26 +01:00

Author

Owner

Copy Link

sudo resize2fs -p -M /dev/vda1

Output:

resize2fs 1.47.0 (5-Feb-2023)
Resizing the filesystem on /dev/vda1 to 3039933 (4k) blocks.
Begin pass 2 (max = 1313608)
Relocating blocks             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Begin pass 3 (max = 240)
Scanning inode table          XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Begin pass 4 (max = 21658)
Updating inode references     XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
The filesystem on /dev/vda1 is now 3039933 (4k) blocks long.

```bash sudo resize2fs -p -M /dev/vda1 ``` <details> <summary>Output:</summary> ``` resize2fs 1.47.0 (5-Feb-2023) Resizing the filesystem on /dev/vda1 to 3039933 (4k) blocks. Begin pass 2 (max = 1313608) Relocating blocks XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Begin pass 3 (max = 240) Scanning inode table XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Begin pass 4 (max = 21658) Updating inode references XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX The filesystem on /dev/vda1 is now 3039933 (4k) blocks long. ``` </details>

Benjamin_Loison commented 2025-01-25 23:18:52 +01:00

Author

Owner

Copy Link

sudo cryptsetup reencrypt --encrypt --reduce-device-size 32M /dev/vda1

Output:

WARNING!
========
This will overwrite data on LUKS2-temp-4ce57ca1-ca7c-4b06-abb8-eb0892d6897e.new irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for LUKS2-temp-4ce57ca1-ca7c-4b06-abb8-eb0892d6897e.new: 
Verify passphrase: 
Finished, time 01m10s,   29 GiB written, speed 434.1 MiB/s

```bash sudo cryptsetup reencrypt --encrypt --reduce-device-size 32M /dev/vda1 ``` <details> <summary>Output:</summary> ``` WARNING! ======== This will overwrite data on LUKS2-temp-4ce57ca1-ca7c-4b06-abb8-eb0892d6897e.new irrevocably. Are you sure? (Type 'yes' in capital letters): YES Enter passphrase for LUKS2-temp-4ce57ca1-ca7c-4b06-abb8-eb0892d6897e.new: Verify passphrase: Finished, time 01m10s, 29 GiB written, speed 434.1 MiB/s ``` </details>

Benjamin_Loison commented 2025-01-25 23:19:53 +01:00

Author

Owner

Copy Link

sudo cryptsetup open /dev/vda1 recrypt

Enter passphrase for /dev/vda1:

sudo resize2fs /dev/mapper/recrypt

Output:

resize2fs 1.47.0 (5-Feb-2023)
Resizing the filesystem on /dev/mapper/recrypt to 7859712 (4k) blocks.
The filesystem on /dev/mapper/recrypt is now 7859712 (4k) blocks long.

```bash sudo cryptsetup open /dev/vda1 recrypt ``` ``` Enter passphrase for /dev/vda1: ``` ```bash sudo resize2fs /dev/mapper/recrypt ``` <details> <summary>Output:</summary> ``` resize2fs 1.47.0 (5-Feb-2023) Resizing the filesystem on /dev/mapper/recrypt to 7859712 (4k) blocks. The filesystem on /dev/mapper/recrypt is now 7859712 (4k) blocks long. ``` </details>

Benjamin_Loison commented 2025-01-25 23:23:33 +01:00

Author

Owner

Copy Link

sudo fdisk -l

Output:

Disk /dev/vda: 30 GiB, 32212254720 bytes, 62914560 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xfefb7d07

Device     Boot Start      End  Sectors Size Id Type
/dev/vda1  *     2048 62912511 62910464  30G 83 Linux


Disk /dev/loop0: 2.73 GiB, 2934968320 bytes, 5732360 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

```bash sudo fdisk -l ``` <details> <summary>Output:</summary> ``` Disk /dev/vda: 30 GiB, 32212254720 bytes, 62914560 sectors Units: sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes I/O size (minimum/optimal): 512 bytes / 512 bytes Disklabel type: dos Disk identifier: 0xfefb7d07 Device Boot Start End Sectors Size Id Type /dev/vda1 * 2048 62912511 62910464 30G 83 Linux Disk /dev/loop0: 2.73 GiB, 2934968320 bytes, 5732360 sectors Units: sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes I/O size (minimum/optimal): 512 bytes / 512 bytes ``` </details>

Benjamin_Loison commented 2025-01-25 23:26:17 +01:00

Author

Owner

Copy Link

df -h /mnt/

Output:

Filesystem           Size  Used Avail Use% Mounted on
/dev/mapper/recrypt   30G   11G   18G  37% /mnt

```bash df -h /mnt/ ``` <details> <summary>Output:</summary> ``` Filesystem Size Used Avail Use% Mounted on /dev/mapper/recrypt 30G 11G 18G 37% /mnt ``` </details>

Benjamin_Loison commented 2025-01-25 23:28:10 +01:00

Author

Owner

Copy Link

On my Debian 12 GNOME laptop:

/etc/fstab:

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# systemd generates mount units based on this file, see systemd.mount(5).
# Please run 'systemctl daemon-reload' after making changes here.
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
/dev/mapper/nvme0n1p8_crypt /               ext4    errors=remount-ro 0       1
# /boot was on /dev/nvme0n1p9 during installation
UUID=457a754f-11ce-4fe8-8e3e-1fab836e1522 /boot           ext4    defaults        0       2
# /boot/efi was on /dev/nvme0n1p1 during installation
UUID=1CCC-5836  /boot/efi       vfat    umask=0077      0       1
/dev/mapper/cryptswap1 none swap sw 0 0

/etc/crypttab:

nvme0n1p8_crypt UUID=7acc5e49-df7d-48c2-a3a2-7c29c2fe88bd none luks,discard
cryptswap1   /dev/nvme0n1p10   none   luks

On my Debian 12 GNOME laptop: <details> <summary><code>/etc/fstab</code>:</summary> ``` # /etc/fstab: static file system information. # # Use 'blkid' to print the universally unique identifier for a # device; this may be used with UUID= as a more robust way to name devices # that works even if disks are added and removed. See fstab(5). # # systemd generates mount units based on this file, see systemd.mount(5). # Please run 'systemctl daemon-reload' after making changes here. # # <file system> <mount point> <type> <options> <dump> <pass> /dev/mapper/nvme0n1p8_crypt / ext4 errors=remount-ro 0 1 # /boot was on /dev/nvme0n1p9 during installation UUID=457a754f-11ce-4fe8-8e3e-1fab836e1522 /boot ext4 defaults 0 2 # /boot/efi was on /dev/nvme0n1p1 during installation UUID=1CCC-5836 /boot/efi vfat umask=0077 0 1 /dev/mapper/cryptswap1 none swap sw 0 0 ``` </details> <details> <summary><code>/etc/crypttab</code>:</summary> ``` nvme0n1p8_crypt UUID=7acc5e49-df7d-48c2-a3a2-7c29c2fe88bd none luks,discard cryptswap1 /dev/nvme0n1p10 none luks ``` </details>

Benjamin_Loison commented 2025-01-25 23:30:38 +01:00

Author

Owner

Copy Link

/mnt/etc/fstab:

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# systemd generates mount units based on this file, see systemd.mount(5).
# Please run 'systemctl daemon-reload' after making changes here.
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
# / was on /dev/vda1 during installation
UUID=0e9a3032-7390-4a7f-8073-e690fc58839a /               ext4    errors=remount-ro 0       1
/dev/sr0        /media/cdrom0   udf,iso9660 user,noauto     0       0

/mnt/etc/crypttab:

# <target name>	<source device>		<key file>	<options>

<details> <summary><code>/mnt/etc/fstab</code>:</summary> ``` # /etc/fstab: static file system information. # # Use 'blkid' to print the universally unique identifier for a # device; this may be used with UUID= as a more robust way to name devices # that works even if disks are added and removed. See fstab(5). # # systemd generates mount units based on this file, see systemd.mount(5). # Please run 'systemctl daemon-reload' after making changes here. # # <file system> <mount point> <type> <options> <dump> <pass> # / was on /dev/vda1 during installation UUID=0e9a3032-7390-4a7f-8073-e690fc58839a / ext4 errors=remount-ro 0 1 /dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0 ``` </details> <details> <summary><code>/mnt/etc/crypttab</code>:</summary> ``` # <target name> <source device> <key file> <options> ``` </details>

Benjamin_Loison commented 2025-01-25 23:31:59 +01:00

Author

Owner

Copy Link

sudo blkid

Output:

/dev/sr0: BLOCK_SIZE="2048" UUID="2025-01-11-10-25-55-00" LABEL="d-live 12.9.0 gn amd64" TYPE="iso9660" PTUUID="98418538" PTTYPE="dos"
/dev/loop0: TYPE="squashfs"
/dev/vda1: UUID="4ce57ca1-ca7c-4b06-abb8-eb0892d6897e" TYPE="crypto_LUKS" PARTUUID="fefb7d07-01"
/dev/mapper/recrypt: UUID="0e9a3032-7390-4a7f-8073-e690fc58839a" BLOCK_SIZE="4096" TYPE="ext4"

```bash sudo blkid ``` <details> <summary>Output:</summary> ``` /dev/sr0: BLOCK_SIZE="2048" UUID="2025-01-11-10-25-55-00" LABEL="d-live 12.9.0 gn amd64" TYPE="iso9660" PTUUID="98418538" PTTYPE="dos" /dev/loop0: TYPE="squashfs" /dev/vda1: UUID="4ce57ca1-ca7c-4b06-abb8-eb0892d6897e" TYPE="crypto_LUKS" PARTUUID="fefb7d07-01" /dev/mapper/recrypt: UUID="0e9a3032-7390-4a7f-8073-e690fc58839a" BLOCK_SIZE="4096" TYPE="ext4" ``` </details>

Screenshot_Debian_encryption_2025-01-26_01:23:51.png

38 KiB

Screenshot_Debian_encryption_2025-01-26_01:21:40.png

4.7 KiB

Screenshot_Debian_encryption_2025-01-26_01:23:57.png

59 KiB

Screenshot_Debian_encryption_2025-01-26_01:24:02.png

49 KiB

Screenshot_Debian_encryption_2025-01-26_01:24:16.png

38 KiB

Screenshot_Debian_encryption_2025-01-26_01:24:28.png

60 KiB

Screenshot_Debian_encryption_2025-01-26_01:24:35.png

81 KiB

Benjamin_Loison commented 2025-01-25 23:35:25 +01:00

Author

Owner

Copy Link

Replacing in /mnt/etc/fstab 0e9a3032-7390-4a7f-8073-e690fc58839a with 4ce57ca1-ca7c-4b06-abb8-eb0892d6897e does not help booting.

Replacing in `/mnt/etc/fstab` `0e9a3032-7390-4a7f-8073-e690fc58839a` with `4ce57ca1-ca7c-4b06-abb8-eb0892d6897e` does not help booting.

Benjamin_Loison commented 2025-01-25 23:49:48 +01:00

Author

Owner

Copy Link

Let us try:

/etc/fstab:

/dev/mapper/crypt /               ext4    errors=remount-ro 0       1

/etc/crypttab:

crypt UUID=4ce57ca1-ca7c-4b06-abb8-eb0892d6897e none luks,discard

Even if I ended up making it work the other person:

-----BEGIN PGP MESSAGE-----

hF4DTQa9Wom5MBgSAQdASXJgMVKdFtUMDUXDlcgT7Xh9anL/r0e9IzjRD3qRkkkw
ZpkwedyIw6BDrAanQokG7n3O/VpSqSfh841p8TU29bZbjsSeIUI5f3cAAqd3JG1i
0kAB91sZ4apcbyw/MxP9f2k1ZJXjeatq1wfY8ncu7SsPq2jJ3R4+oSGVKhNnq99L
4ac40hEcUnSyVlcXwjlSM6FS
=6/of
-----END PGP MESSAGE-----

is not interested as I explain him the dis/advantages, see issues/22#issuecomment-2956.

Let us try: <details> <summary><code>/etc/fstab</code>:</summary> ``` /dev/mapper/crypt / ext4 errors=remount-ro 0 1 ``` </details> <details> <summary><code>/etc/crypttab</code>:</summary> ``` crypt UUID=4ce57ca1-ca7c-4b06-abb8-eb0892d6897e none luks,discard ``` </details> <details> <summary>Even if I ended up making it work the other person:</summary> ``` -----BEGIN PGP MESSAGE----- hF4DTQa9Wom5MBgSAQdASXJgMVKdFtUMDUXDlcgT7Xh9anL/r0e9IzjRD3qRkkkw ZpkwedyIw6BDrAanQokG7n3O/VpSqSfh841p8TU29bZbjsSeIUI5f3cAAqd3JG1i 0kAB91sZ4apcbyw/MxP9f2k1ZJXjeatq1wfY8ncu7SsPq2jJ3R4+oSGVKhNnq99L 4ac40hEcUnSyVlcXwjlSM6FS =6/of -----END PGP MESSAGE----- ``` </details> is not interested as I explain him the dis/advantages, see [issues/22#issuecomment-2956](issues/22#issuecomment-2956).

Benjamin_Loison referenced this issue 2025-01-25 23:50:14 +01:00

How to `shred` free disk slots? #22

Benjamin_Loison commented 2025-01-26 00:07:22 +01:00

Author

Owner

Copy Link

I may have an issue with the boot partition.

I may have an issue with the boot partition.

Benjamin_Loison commented 2025-01-26 00:25:21 +01:00

Author

Owner

Copy Link

Above configuration is still stuck on SeaBIOS.

Above configuration is still stuck on *SeaBIOS*.

Benjamin_Loison commented 2025-01-26 00:25:57 +01:00

Author

Owner

Copy Link

/mnt/etc/mkinitcpio.conf does not exist.

`/mnt/etc/mkinitcpio.conf` does not exist.

Benjamin_Loison commented 2025-01-26 00:55:02 +01:00

Author

Owner

Copy Link

Should test with:

/etc/mkinitcpio.conf:

HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole block sd-encrypt lvm2 filesystems fsck)

wiki.archlinux.org: Mkinitcpio#Image creation and activation (823193) makes me believe that mkinitcpio is Arch specific.

Should test with: <details> <summary><code>/etc/mkinitcpio.conf</code>:</summary> ``` HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole block sd-encrypt lvm2 filesystems fsck) ``` </details> [wiki.archlinux.org: Mkinitcpio#Image creation and activation (823193)](https://wiki.archlinux.org/index.php?title=Mkinitcpio&oldid=823193#Image_creation_and_activation) makes me believe that `mkinitcpio` is Arch specific.

Benjamin_Loison commented 2025-01-26 00:56:26 +01:00

Author

Owner

Copy Link

wiki.archlinux.org: Dm-crypt/System configuration#Unlocking in late userspace (822797) may help.

[wiki.archlinux.org: Dm-crypt/System configuration#Unlocking in late userspace (822797)](https://wiki.archlinux.org/index.php?title=Dm-crypt/System_configuration&oldid=822797#Unlocking_in_late_userspace) may help.

Benjamin_Loison commented 2025-02-04 15:22:05 +01:00

Author

Owner

Copy Link

Improve_websites_thanks_to_open_source/issues/967 would help.

[Improve_websites_thanks_to_open_source/issues/967](https://codeberg.org/Benjamin_Loison/Improve_websites_thanks_to_open_source/issues/967) would help.

Benjamin_Loison commented 2025-02-04 15:23:32 +01:00

Author

Owner

Copy Link

See calendar event of 04/02/25 at 14:00 to encrypt my cloud VMs.

Could reinstall OVH VPS to activate encryption but this is too heavy.

See calendar event of 04/02/25 at 14:00 to encrypt my cloud VMs. Could reinstall OVH VPS to activate encryption but this is too heavy.

Benjamin_Loison commented 2025-03-26 16:11:25 +01:00

Author

Owner

Copy Link

The person:

-----BEGIN PGP MESSAGE-----

hF4DTQa9Wom5MBgSAQdAnjXfF610P10McbnJw0vpT6PVOPLQ4jctrNNlEgSbZR8w
I0m6u2Eyxb5//CUgyIfLvu+Kz3Ad2622hm8BC3HMwhbitXfHknKrvV2TWldHDjCG
0rIBUWeDYnkVuPHgM32AUZQOLxt6TkPA1uXObbwXW2EUqYxvYnGTdlvCEg/SxJaj
KB/z8p/H600DYm9Ni29kLWEWMtvXWghDSRnptWakQDaWXx1RRMtsWOvmowDaHhaL
ezB/7xYZ8Rg4eVg+dxxjcQ4hAvn5fh2A6TE49kBmR2E3m5mR5O2l/LHID7nmR6ZI
fHOyIZ236BTSiOwWnrtXprXRQ3C5xCrZi/oeknak1BT1889q
=SHs/
-----END PGP MESSAGE-----

does not know how to do so and would be interested in doing so. It is still the case as of 21/10/25, source: oral physically.

<details> <summary>The person:</summary> ``` -----BEGIN PGP MESSAGE----- hF4DTQa9Wom5MBgSAQdAnjXfF610P10McbnJw0vpT6PVOPLQ4jctrNNlEgSbZR8w I0m6u2Eyxb5//CUgyIfLvu+Kz3Ad2622hm8BC3HMwhbitXfHknKrvV2TWldHDjCG 0rIBUWeDYnkVuPHgM32AUZQOLxt6TkPA1uXObbwXW2EUqYxvYnGTdlvCEg/SxJaj KB/z8p/H600DYm9Ni29kLWEWMtvXWghDSRnptWakQDaWXx1RRMtsWOvmowDaHhaL ezB/7xYZ8Rg4eVg+dxxjcQ4hAvn5fh2A6TE49kBmR2E3m5mR5O2l/LHID7nmR6ZI fHOyIZ236BTSiOwWnrtXprXRQ3C5xCrZi/oeknak1BT1889q =SHs/ -----END PGP MESSAGE----- ``` </details> does not know how to do so and would be interested in doing so. It is still the case as of 21/10/25, source: oral physically.

Benjamin_Loison commented 2025-03-26 16:12:26 +01:00

Author

Owner

Copy Link

Maybe can somehow access raw ext4 in encrypted container, then just copy with dd. Just copying files and folders from / does not seem very correct to me, but may be.

Maybe can somehow access raw ext4 in encrypted container, then just copy with `dd`. Just copying files and folders from `/` does not seem very correct to me, but may be.

Benjamin_Loison commented 2025-03-26 16:46:47 +01:00

Author

Owner

Copy Link

DuckDuckGo and Google search Ubuntu full disk encryption after install.

DuckDuckGo and Google search *Ubuntu full disk encryption after install*.

Benjamin_Loison commented 2025-03-26 16:55:04 +01:00

Author

Owner

Copy Link

I quickly have read johndoe31415/luksipc/issues/{13,12}. In the latter johndoe31415/luksipc/issues/12#issuecomment-256700470 may be especially useful. Other issues and pull requests do not seem relevant based on their titles and there is no wiki.

I quickly have read [johndoe31415/luksipc/issues/](https://github.com/johndoe31415/luksipc/issues){[13](https://github.com/johndoe31415/luksipc/issues/13),[12](https://github.com/johndoe31415/luksipc/issues/12)}. In the latter [johndoe31415/luksipc/issues/12#issuecomment-256700470](https://github.com/johndoe31415/luksipc/issues/12#issuecomment-256700470) may be especially useful. Other issues and pull requests do not seem relevant based on their titles and there is no wiki.

Benjamin_Loison commented 2025-03-26 16:56:10 +01:00

Author

Owner

Copy Link

https://johndoe31415.github.io/luksipc/testing.html may be interesting but does not manage root partition case.

https://johndoe31415.github.io/luksipc/testing.html may be interesting but does not manage root partition case.

Benjamin_Loison commented 2025-03-26 17:04:24 +01:00

Author

Owner

Copy Link

Ubuntu 18.04 and above offers to encrypt your hard disk in automated fashion during its installation using dm-crypt and LUKS [1]. However, this option forces you to wipe your entire disk, which is not an option if you already have another operating system installed, such as Windows. This tutorial describes in detail how to encrypt your existing root partition in Ubuntu preserving all disk data.

Source: https://opencraft.com/tutorial-encrypting-an-existing-root-partition-in-ubuntu-with-dm-crypt-and-luks/

On Debian 12 GNOME laptop Virtual Machine Manager Ubuntu (trust) virtual machine:

sudo fdisk -l /dev/vd*

Output:

Disk /dev/vda: 25 GiB, 26843545600 bytes, 52428800 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 624E7316-27AA-4AD9-B30E-85B22404462C

Device     Start      End  Sectors Size Type
/dev/vda1   2048     4095     2048   1M BIOS boot
/dev/vda2   4096 52426751 52422656  25G Linux filesystem


Disk /dev/vda1: 1 MiB, 1048576 bytes, 2048 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes


Disk /dev/vda2: 25 GiB, 26840399872 bytes, 52422656 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

df -h

Output:

Filesystem      Size  Used Avail Use% Mounted on
tmpfs           794M  1.6M  793M   1% /run
/dev/vda2        25G   12G   12G  50% /
tmpfs           3.9G     0  3.9G   0% /dev/shm
tmpfs           5.0M  8.0K  5.0M   1% /run/lock
tmpfs           794M  124K  794M   1% /run/user/1000

> Ubuntu 18.04 and above offers to encrypt your hard disk in automated fashion during its installation using dm-crypt and LUKS [1]. However, this option forces you to wipe your entire disk, which is not an option if you already have another operating system installed, such as Windows. This tutorial describes in detail how to encrypt your existing root partition in Ubuntu preserving all disk data. Source: https://opencraft.com/tutorial-encrypting-an-existing-root-partition-in-ubuntu-with-dm-crypt-and-luks/ On Debian 12 GNOME laptop Virtual Machine Manager *Ubuntu (trust)* virtual machine: ```bash sudo fdisk -l /dev/vd* ``` <details> <summary>Output:</summary> ``` Disk /dev/vda: 25 GiB, 26843545600 bytes, 52428800 sectors Units: sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes I/O size (minimum/optimal): 512 bytes / 512 bytes Disklabel type: gpt Disk identifier: 624E7316-27AA-4AD9-B30E-85B22404462C Device Start End Sectors Size Type /dev/vda1 2048 4095 2048 1M BIOS boot /dev/vda2 4096 52426751 52422656 25G Linux filesystem Disk /dev/vda1: 1 MiB, 1048576 bytes, 2048 sectors Units: sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes I/O size (minimum/optimal): 512 bytes / 512 bytes Disk /dev/vda2: 25 GiB, 26840399872 bytes, 52422656 sectors Units: sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes I/O size (minimum/optimal): 512 bytes / 512 bytes ``` </details> ```bash df -h ``` <details> <summary>Output:</summary> ``` Filesystem Size Used Avail Use% Mounted on tmpfs 794M 1.6M 793M 1% /run /dev/vda2 25G 12G 12G 50% / tmpfs 3.9G 0 3.9G 0% /dev/shm tmpfs 5.0M 8.0K 5.0M 1% /run/lock tmpfs 794M 124K 794M 1% /run/user/1000 ``` </details>

Benjamin_Loison commented 2025-03-26 17:04:43 +01:00

Author

Owner

Copy Link


image.png

143 KiB

Benjamin_Loison commented 2025-03-26 17:05:10 +01:00

Author

Owner

Copy Link

I doubt that it means UEFI being supported but let us try anyway.

I doubt that it means UEFI being supported but let us try anyway.

Benjamin_Loison commented 2025-03-26 17:05:53 +01:00

Author

Owner

Copy Link

ls /boot/efi/

ls: cannot access '/boot/efi/': No such file or directory

Well this is 2 red flags, so let us stop.

```bash ls /boot/efi/ ``` ``` ls: cannot access '/boot/efi/': No such file or directory ``` Well this is 2 red flags, so let us stop.

Benjamin_Loison commented 2025-03-26 17:06:25 +01:00

Author

Owner

Copy Link

Same Firmware on Debian (trust).

Same *Firmware* on *Debian (trust)*.

Benjamin_Loison commented 2025-03-26 17:09:58 +01:00

Author

Owner

Copy Link

 

image.png

108 KiB

image.png

90 KiB

Benjamin_Loison commented 2025-03-26 17:44:43 +01:00

Author

Owner

Copy Link

ssh root@overclock3000 ls /boot/efi/

ls: cannot access '/boot/efi/': No such file or directory

ssh overclock3000 '[ -d /sys/firmware/efi ] && echo UEFI || echo BIOS'

BIOS

On Oracle Cloud free ARM VPS:

ssh ubuntu@129.151.245.17 sudo ls /boot/efi/

EFI

ssh ubuntu@129.151.245.17 '[ -d /sys/firmware/efi ] && echo UEFI || echo BIOS'

UEFI

ssh root@lemnoslife.com ls /boot/efi/

ls: cannot access '/boot/efi/': No such file or directory

ssh lemnoslife.com '[ -d /sys/firmware/efi ] && echo UEFI || echo BIOS'

BIOS

Source: the Ask Ubuntu answer 162896

                  ```bash ssh root@overclock3000 ls /boot/efi/ ``` ``` ls: cannot access '/boot/efi/': No such file or directory ``` ```bash ssh overclock3000 '[ -d /sys/firmware/efi ] && echo UEFI || echo BIOS' ``` ``` BIOS ``` On Oracle Cloud free ARM VPS: ```bash ssh ubuntu@129.151.245.17 sudo ls /boot/efi/ ``` ``` EFI ``` ```bash ssh ubuntu@129.151.245.17 '[ -d /sys/firmware/efi ] && echo UEFI || echo BIOS' ``` ``` UEFI ``` ```bash ssh root@lemnoslife.com ls /boot/efi/ ``` ``` ls: cannot access '/boot/efi/': No such file or directory ``` ```bash ssh lemnoslife.com '[ -d /sys/firmware/efi ] && echo UEFI || echo BIOS' ``` ``` BIOS ``` Source: [the Ask Ubuntu answer 162896](https://askubuntu.com/a/162896)

Screenshot_Debian_UEFI_2025-03-26_17:28:28.png

75 KiB

Screenshot_Debian_UEFI_2025-03-26_17:29:56.png

82 KiB

Screenshot_Debian_UEFI_2025-03-26_17:30:05.png

62 KiB

Screenshot_Debian_UEFI_2025-03-26_17:30:09.png

63 KiB

Screenshot_Debian_UEFI_2025-03-26_17:30:13.png

75 KiB

Screenshot_Debian_UEFI_2025-03-26_17:30:19.png

85 KiB

Screenshot_Debian_UEFI_2025-03-26_17:30:27.png

59 KiB

Screenshot_Debian_UEFI_2025-03-26_17:33:49.png

66 KiB

Screenshot_Debian_UEFI_2025-03-26_17:33:53.png

63 KiB

Screenshot_Debian_UEFI_2025-03-26_17:33:56.png

71 KiB

Screenshot_Debian_UEFI_2025-03-26_17:34:01.png

90 KiB

Screenshot_Debian_UEFI_2025-03-26_17:34:12.png

66 KiB

Screenshot_Debian_UEFI_2025-03-26_17:34:22.png

76 KiB

Screenshot_Debian_UEFI_2025-03-26_17:34:31.png

88 KiB

Screenshot_Debian_UEFI_2025-03-26_17:34:38.png

69 KiB

Screenshot_Debian_UEFI_2025-03-26_17:34:43.png

72 KiB

Screenshot_Debian_UEFI_2025-03-26_17:40:15.png

103 KiB

Screenshot_Debian_UEFI_2025-03-26_17:40:28.png

6.1 KiB

Screenshot_Debian_UEFI_2025-03-26_17:41:05.png

101 KiB

Benjamin_Loison commented 2025-03-26 17:45:11 +01:00

Author

Owner

Copy Link

DuckDuckGo search Linux check if booted with UEFI.

DuckDuckGo search *Linux check if booted with UEFI*.

Benjamin_Loison commented 2025-03-26 17:59:16 +01:00

Author

Owner

Copy Link

https://www.ovh.com/manager/#/dedicated/vps/vps713872.ovh.net/dashboard does not seem to help switching to UEFI.

DuckDuckGo search OVH Boot UEFI.

https://www.ovh.com/manager/#/dedicated/vps/vps713872.ovh.net/dashboard does not seem to help switching to UEFI. DuckDuckGo search *OVH Boot UEFI*.

Benjamin_Loison commented 2025-03-26 18:03:32 +01:00

Author

Owner

Copy Link

On Debian UEFI virtual machine:

sudo ls /boot/efi/

EFI

[ -d /sys/firmware/efi ] && echo UEFI || echo BIOS

UEFI

On *Debian UEFI* virtual machine: ```bash sudo ls /boot/efi/ ``` ``` EFI ``` ```bash [ -d /sys/firmware/efi ] && echo UEFI || echo BIOS ``` ``` UEFI ```

Benjamin_Loison commented 2025-03-26 18:04:09 +01:00

Author

Owner

Copy Link

there is no way to encrypt a mounted partition in Linux and you cannot unmount the root partition from which you have booted, so you will have to boot from a live USB

> there is no way to encrypt a mounted partition in Linux and you cannot unmount the root partition from which you have booted, so you will have to boot from a live USB

Benjamin_Loison commented 2025-03-26 18:04:36 +01:00

Author

Owner

Copy Link

Reboot your workstation, enter your UEFI firmware, set the USB device to boot before the hard disk, save your changes, leave the firmware and boot in the live USB selecting the “Try Ubuntu without installing” in the GRUB menu

> Reboot your workstation, enter your UEFI firmware, set the USB device to boot before the hard disk, save your changes, leave the firmware and boot in the live USB selecting the “Try Ubuntu without installing” in the GRUB menu

Benjamin_Loison commented 2025-03-26 18:06:50 +01:00

Author

Owner

Copy Link

From a virtual live USB:

sudo fdisk -l

Output:

Disk /dev/vda: 20 GiB, 21474836480 bytes, 41943040 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 5B1CB692-7905-475D-AECB-D7592E9161F7

Device       Start      End  Sectors  Size Type
/dev/vda1     2048  1050623  1048576  512M EFI System
/dev/vda2  1050624 39942143 38891520 18.5G Linux filesystem


Disk /dev/loop0: 2.73 GiB, 2934968320 bytes, 5732360 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

From a virtual live USB: ```bash sudo fdisk -l ``` <details> <summary>Output:</summary> ``` Disk /dev/vda: 20 GiB, 21474836480 bytes, 41943040 sectors Units: sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes I/O size (minimum/optimal): 512 bytes / 512 bytes Disklabel type: gpt Disk identifier: 5B1CB692-7905-475D-AECB-D7592E9161F7 Device Start End Sectors Size Type /dev/vda1 2048 1050623 1048576 512M EFI System /dev/vda2 1050624 39942143 38891520 18.5G Linux filesystem Disk /dev/loop0: 2.73 GiB, 2934968320 bytes, 5732360 sectors Units: sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes I/O size (minimum/optimal): 512 bytes / 512 bytes ``` </details>

Benjamin_Loison commented 2025-03-26 18:07:47 +01:00

Author

Owner

Copy Link

sudo blkid -s UUID -o value /dev/vda2

8eb1534f-39c0-4ded-907e-aee490cb2f3f

```bash sudo blkid -s UUID -o value /dev/vda2 ``` ``` 8eb1534f-39c0-4ded-907e-aee490cb2f3f ```

Benjamin_Loison commented 2025-03-26 18:08:47 +01:00

Author

Owner

Copy Link

Face Benjamin_Loison/virt-manager/issues/84.

Face [Benjamin_Loison/virt-manager/issues/84](https://codeberg.org/Benjamin_Loison/virt-manager/issues/84).

Benjamin_Loison commented 2025-03-26 18:13:08 +01:00

Author

Owner

Copy Link

e2fsck -f /dev/vda2

bash: e2fsck: command not found

sudo e2fsck -f /dev/vda2

Output:

e2fsck 1.47.0 (5-Feb-2023)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
/dev/vda2: 314011/1215840 files (0.2% non-contiguous), 2783236/4861440 blocks

```bash e2fsck -f /dev/vda2 ``` ``` bash: e2fsck: command not found ``` ```bash sudo e2fsck -f /dev/vda2 ``` <details> <summary>Output:</summary> ``` e2fsck 1.47.0 (5-Feb-2023) Pass 1: Checking inodes, blocks, and sizes Pass 2: Checking directory structure Pass 3: Checking directory connectivity Pass 4: Checking reference counts Pass 5: Checking group summary information /dev/vda2: 314011/1215840 files (0.2% non-contiguous), 2783236/4861440 blocks ``` </details>

Benjamin_Loison commented 2025-03-26 18:14:04 +01:00

Author

Owner

Copy Link

man resize2fs | grep -E '^ +-M'

       -M     Shrink the file system to minimize its size as much as possible, given the files stored in the file system.

```bash man resize2fs | grep -E '^ +-M' ``` ``` -M Shrink the file system to minimize its size as much as possible, given the files stored in the file system. ```

Benjamin_Loison commented 2025-03-26 18:14:32 +01:00

Author

Owner

Copy Link

resize2fs

bash: resize2fs: command not found

```bash resize2fs ``` ``` bash: resize2fs: command not found ```

Benjamin_Loison commented 2025-03-26 18:14:55 +01:00

Author

Owner

Copy Link

sudo resize2fs -M /dev/vda2

Output:

resize2fs 1.47.0 (5-Feb-2023)
Resizing the filesystem on /dev/vda2 to 3049008 (4k) blocks.
The filesystem on /dev/vda2 is now 3049008 (4k) blocks long.

```bash sudo resize2fs -M /dev/vda2 ``` <details> <summary>Output:</summary> ``` resize2fs 1.47.0 (5-Feb-2023) Resizing the filesystem on /dev/vda2 to 3049008 (4k) blocks. The filesystem on /dev/vda2 is now 3049008 (4k) blocks long. ``` </details>

Benjamin_Loison commented 2025-03-26 18:17:30 +01:00

Author

Owner

Copy Link

cryptsetup reencrypt /dev/vda2 --new --reduce-device-size 16M --type=luks1

bash: cryptsetup: command not found

Should try without --type if it works fine.

```bash cryptsetup reencrypt /dev/vda2 --new --reduce-device-size 16M --type=luks1 ``` ``` bash: cryptsetup: command not found ``` Should try without `--type` if it works fine.

Benjamin_Loison commented 2025-03-26 18:18:36 +01:00

Author

Owner

Copy Link

sudo cryptsetup reencrypt /dev/vda2 --new --reduce-device-size 16M --type=luks1

Output:

Enter new passphrase: 
Verify passphrase: 
Finished, time 00m31s,   18 GiB written, speed 595.8 MiB/s

```bash sudo cryptsetup reencrypt /dev/vda2 --new --reduce-device-size 16M --type=luks1 ``` <details> <summary>Output:</summary> ``` Enter new passphrase: Verify passphrase: Finished, time 00m31s, 18 GiB written, speed 595.8 MiB/s ``` </details>

Benjamin_Loison commented 2025-03-26 18:19:08 +01:00

Author

Owner

Copy Link

sudo cryptsetup open /dev/vda2 rootfs

Enter passphrase for /dev/vda2:

```bash sudo cryptsetup open /dev/vda2 rootfs ``` ``` Enter passphrase for /dev/vda2: ```

Benjamin_Loison commented 2025-03-26 18:19:36 +01:00

Author

Owner

Copy Link

sudo resize2fs /dev/mapper/rootfs

Output:

resize2fs 1.47.0 (5-Feb-2023)
Resizing the filesystem on /dev/mapper/rootfs to 4857344 (4k) blocks.
The filesystem on /dev/mapper/rootfs is now 4857344 (4k) blocks long.

```bash sudo resize2fs /dev/mapper/rootfs ``` <details> <summary>Output:</summary> ``` resize2fs 1.47.0 (5-Feb-2023) Resizing the filesystem on /dev/mapper/rootfs to 4857344 (4k) blocks. The filesystem on /dev/mapper/rootfs is now 4857344 (4k) blocks long. ``` </details>

Benjamin_Loison commented 2025-03-26 18:20:12 +01:00

Author

Owner

Copy Link

mount /dev/mapper/rootfs /mnt

Output:

mount: /mnt: must be superuser to use mount.
       dmesg(1) may have more information after failed mount system call.

```bash mount /dev/mapper/rootfs /mnt ``` <details> <summary>Output:</summary> ``` mount: /mnt: must be superuser to use mount. dmesg(1) may have more information after failed mount system call. ``` </details>

Benjamin_Loison commented 2025-03-26 18:22:01 +01:00

Author

Owner

Copy Link

Bash script:

sudo mount /dev/mapper/rootfs /mnt
sudo mount /dev/vda1 /mnt/boot/efi
sudo mount --bind /dev /mnt/dev
sudo mount --bind /dev/pts /mnt/dev/pts
sudo mount --bind /sys /mnt/sys
sudo mount --bind /proc /mnt/proc

does not return anything.

Are all these mounts necessary?

<details> <summary>Bash script:</summary> ```bash sudo mount /dev/mapper/rootfs /mnt sudo mount /dev/vda1 /mnt/boot/efi sudo mount --bind /dev /mnt/dev sudo mount --bind /dev/pts /mnt/dev/pts sudo mount --bind /sys /mnt/sys sudo mount --bind /proc /mnt/proc ``` </details> does not return anything. Are all these mounts necessary?

Benjamin_Loison commented 2025-03-26 18:22:18 +01:00

Author

Owner

Copy Link

user@debian:~$ sudo chroot /mnt
root@debian:/#

``` user@debian:~$ sudo chroot /mnt root@debian:/# ```

Benjamin_Loison commented 2025-03-26 18:22:51 +01:00

Author

Owner

Copy Link

With the current setup, the system would ask the encryption passphrase twice: once to access the second-stage GRUB boot loader and once again for the Linux kernel to access the encrypted root partition when it boots. In order not to require typing the encryption passphrase the second time, a keyfile must be created, added to LUKS and set up in /etc/crypttab, which describes the encrypted block devices that are set up during system boot.

Let us verify this fact.

So this does not seem expected.

> With the current setup, the system would ask the encryption passphrase twice: once to access the second-stage GRUB boot loader and once again for the Linux kernel to access the encrypted root partition when it boots. In order not to require typing the encryption passphrase the second time, a keyfile must be created, added to LUKS and set up in /etc/crypttab, which describes the encrypted block devices that are set up during system boot. Let us verify this fact.  So this does not seem expected.

Screenshot_Debian_UEFI_2025-03-26_18:25:47.png

5.7 KiB

Benjamin_Loison commented 2025-03-26 18:29:04 +01:00

Author

Owner

Copy Link

mkdir /etc/luks
dd if=/dev/urandom of=/etc/luks/boot_os.keyfile bs=4096 count=1

Output:

1+0 records in
1+0 records out
4096 bytes (4.1 kB, 4.0 KiB) copied, 8.9458e-05 s, 45.8 MB/s

```bash mkdir /etc/luks dd if=/dev/urandom of=/etc/luks/boot_os.keyfile bs=4096 count=1 ``` <details> <summary>Output:</summary> ``` 1+0 records in 1+0 records out 4096 bytes (4.1 kB, 4.0 KiB) copied, 8.9458e-05 s, 45.8 MB/s ``` </details>

Benjamin_Loison commented 2025-03-26 18:29:23 +01:00

Author

Owner

Copy Link

Should investigate the permissions given.

Should investigate the permissions given.

Benjamin_Loison commented 2025-03-26 18:30:11 +01:00

Author

Owner

Copy Link

cryptsetup luksAddKey /dev/vda2 /etc/luks/boot_os.keyfile

Enter any existing passphrase:

```bash cryptsetup luksAddKey /dev/vda2 /etc/luks/boot_os.keyfile ``` ``` Enter any existing passphrase: ```

Benjamin_Loison commented 2025-03-26 18:31:29 +01:00

Author

Owner

Copy Link

/etc/crypttab:

# ...
rootfs UUID=8eb1534f-39c0-4ded-907e-aee490cb2f3f /etc/luks/boot_os.keyfile luks,discard

should investigate discard meaning.

<details> <summary><code>/etc/crypttab</code>:</summary> ``` # ... rootfs UUID=8eb1534f-39c0-4ded-907e-aee490cb2f3f /etc/luks/boot_os.keyfile luks,discard ``` </details> should investigate `discard` meaning.

Benjamin_Loison commented 2025-03-26 18:33:08 +01:00

Author

Owner

Copy Link

Initial /etc/fstab:

...
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
# / was on /dev/vda2 during installation
UUID=8eb1534f-39c0-4ded-907e-aee490cb2f3f /               ext4    errors=remount-ro 0       1
# /boot/efi was on /dev/vda1 during installation
UUID=C7EA-42F5  /boot/efi       vfat    umask=0077      0       1
/dev/sr0        /media/cdrom0   udf,iso9660 user,noauto     0       0

I added:

/dev/mapper/rootfs / ext4 errors=remount-ro 0 1

<details> <summary>Initial <code>/etc/fstab</code>:</summary> ``` ... # <file system> <mount point> <type> <options> <dump> <pass> # / was on /dev/vda2 during installation UUID=8eb1534f-39c0-4ded-907e-aee490cb2f3f / ext4 errors=remount-ro 0 1 # /boot/efi was on /dev/vda1 during installation UUID=C7EA-42F5 /boot/efi vfat umask=0077 0 1 /dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0 ``` </details> I added: ``` /dev/mapper/rootfs / ext4 errors=remount-ro 0 1 ```

Benjamin_Loison commented 2025-03-26 18:34:33 +01:00

Author

Owner

Copy Link

In /etc/default/grub, remove the existing reference to the root partition from GRUB_CMDLINE_LINUX

there was no such reference.

> In /etc/default/grub, remove the existing reference to the root partition from GRUB_CMDLINE_LINUX there was no such reference.

Benjamin_Loison commented 2025-03-26 18:35:22 +01:00

Author

Owner

Copy Link

Initial /etc/default/grub:

...
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX=""
...

I added:

GRUB_ENABLE_CRYPTODISK=y

<details> <summary>Initial <code>/etc/default/grub</code>:</summary> ``` ... GRUB_DEFAULT=0 GRUB_TIMEOUT=5 GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian` GRUB_CMDLINE_LINUX_DEFAULT="quiet" GRUB_CMDLINE_LINUX="" ... ``` </details> I added: ``` GRUB_ENABLE_CRYPTODISK=y ```

Benjamin_Loison commented 2025-03-26 18:36:00 +01:00

Author

Owner

Copy Link

grub-install

Output:

Installing for x86_64-efi platform.
grub-install: warning: EFI variables are not supported on this system..
Installation finished. No error reported.

I guess that the second line is due to live USB key.

```bash grub-install ``` <details> <summary>Output:</summary> ``` Installing for x86_64-efi platform. grub-install: warning: EFI variables are not supported on this system.. Installation finished. No error reported. ``` </details> I guess that the second line is due to live USB key.

Benjamin_Loison commented 2025-03-26 18:36:45 +01:00

Author

Owner

Copy Link

In another shell:

ls /boot/efi/

ls: cannot access '/boot/efi/': No such file or directory

[ -d /sys/firmware/efi ] && echo UEFI || echo BIOS

UEFI

In another shell: ```bash ls /boot/efi/ ``` ``` ls: cannot access '/boot/efi/': No such file or directory ``` ```bash [ -d /sys/firmware/efi ] && echo UEFI || echo BIOS ``` ``` UEFI ```

Benjamin_Loison commented 2025-03-26 18:37:28 +01:00

Author

Owner

Copy Link

update-grub

Output:

Generating grub configuration file ...
Found background image: /usr/share/images/desktop-base/desktop-grub.png
Found linux image: /boot/vmlinuz-6.1.0-32-amd64
Found initrd image: /boot/initrd.img-6.1.0-32-amd64
Found linux image: /boot/vmlinuz-6.1.0-29-amd64
Found initrd image: /boot/initrd.img-6.1.0-29-amd64
Warning: os-prober will not be executed to detect other bootable partitions.
Systems on them will not be added to the GRUB boot configuration.
Check GRUB_DISABLE_OS_PROBER documentation entry.
done

```bash update-grub ``` <details> <summary>Output:</summary> ``` Generating grub configuration file ... Found background image: /usr/share/images/desktop-base/desktop-grub.png Found linux image: /boot/vmlinuz-6.1.0-32-amd64 Found initrd image: /boot/initrd.img-6.1.0-32-amd64 Found linux image: /boot/vmlinuz-6.1.0-29-amd64 Found initrd image: /boot/initrd.img-6.1.0-29-amd64 Warning: os-prober will not be executed to detect other bootable partitions. Systems on them will not be added to the GRUB boot configuration. Check GRUB_DISABLE_OS_PROBER documentation entry. done ``` </details>

Benjamin_Loison commented 2025-03-26 18:39:24 +01:00

Author

Owner

Copy Link

/boot/grub/grub.cfg:

#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#

### BEGIN /etc/grub.d/00_header ###
if [ -s $prefix/grubenv ]; then
  set have_grubenv=true
  load_env
fi
if [ "${next_entry}" ] ; then
   set default="${next_entry}"
   set next_entry=
   save_env next_entry
   set boot_once=true
else
   set default="0"
fi

if [ x"${feature_menuentry_id}" = xy ]; then
  menuentry_id_option="--id"
else
  menuentry_id_option=""
fi

export menuentry_id_option

if [ "${prev_saved_entry}" ]; then
  set saved_entry="${prev_saved_entry}"
  save_env saved_entry
  set prev_saved_entry=
  save_env prev_saved_entry
  set boot_once=true
fi

function savedefault {
  if [ -z "${boot_once}" ]; then
    saved_entry="${chosen}"
    save_env saved_entry
  fi
}
function load_video {
  if [ x$feature_all_video_module = xy ]; then
    insmod all_video
  else
    insmod efi_gop
    insmod efi_uga
    insmod ieee1275_fb
    insmod vbe
    insmod vga
    insmod video_bochs
    insmod video_cirrus
  fi
}

if [ x$feature_default_font_path = xy ] ; then
   font=unicode
else
insmod part_gpt
insmod cryptodisk
insmod luks
insmod gcry_rijndael
insmod gcry_rijndael
insmod gcry_sha256
insmod ext2
cryptomount -u feec2552ba7d4ad68ac8018e2f259b83
set root='cryptouuid/feec2552ba7d4ad68ac8018e2f259b83'
if [ x$feature_platform_search_hint = xy ]; then
  search --no-floppy --fs-uuid --set=root --hint='cryptouuid/feec2552ba7d4ad68ac8018e2f259b83'  8eb1534f-39c0-4ded-907e-aee490cb2f3f
else
  search --no-floppy --fs-uuid --set=root 8eb1534f-39c0-4ded-907e-aee490cb2f3f
fi
    font="/usr/share/grub/unicode.pf2"
fi

if loadfont $font ; then
  set gfxmode=auto
  load_video
  insmod gfxterm
  set locale_dir=$prefix/locale
  set lang=en_US
  insmod gettext
fi
terminal_output gfxterm
if [ "${recordfail}" = 1 ] ; then
  set timeout=30
else
  if [ x$feature_timeout_style = xy ] ; then
    set timeout_style=menu
    set timeout=5
  # Fallback normal timeout code in case the timeout_style feature is
  # unavailable.
  else
    set timeout=5
  fi
fi
### END /etc/grub.d/00_header ###

### BEGIN /etc/grub.d/05_debian_theme ###
insmod part_gpt
insmod cryptodisk
insmod luks
insmod gcry_rijndael
insmod gcry_rijndael
insmod gcry_sha256
insmod ext2
cryptomount -u feec2552ba7d4ad68ac8018e2f259b83
set root='cryptouuid/feec2552ba7d4ad68ac8018e2f259b83'
if [ x$feature_platform_search_hint = xy ]; then
  search --no-floppy --fs-uuid --set=root --hint='cryptouuid/feec2552ba7d4ad68ac8018e2f259b83'  8eb1534f-39c0-4ded-907e-aee490cb2f3f
else
  search --no-floppy --fs-uuid --set=root 8eb1534f-39c0-4ded-907e-aee490cb2f3f
fi
insmod png
if background_image /usr/share/desktop-base/emerald-theme/grub/grub-4x3.png; then
  set color_normal=white/black
  set color_highlight=black/white
else
  set menu_color_normal=cyan/blue
  set menu_color_highlight=white/blue
fi
### END /etc/grub.d/05_debian_theme ###

### BEGIN /etc/grub.d/10_linux ###
function gfxmode {
	set gfxpayload="${1}"
}
set linux_gfx_mode=
export linux_gfx_mode
menuentry 'Debian GNU/Linux' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-8eb1534f-39c0-4ded-907e-aee490cb2f3f' {
	load_video
	insmod gzio
	if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
	insmod part_gpt
	insmod cryptodisk
	insmod luks
	insmod gcry_rijndael
	insmod gcry_rijndael
	insmod gcry_sha256
	insmod ext2
	cryptomount -u feec2552ba7d4ad68ac8018e2f259b83
	set root='cryptouuid/feec2552ba7d4ad68ac8018e2f259b83'
	if [ x$feature_platform_search_hint = xy ]; then
	  search --no-floppy --fs-uuid --set=root --hint='cryptouuid/feec2552ba7d4ad68ac8018e2f259b83'  8eb1534f-39c0-4ded-907e-aee490cb2f3f
	else
	  search --no-floppy --fs-uuid --set=root 8eb1534f-39c0-4ded-907e-aee490cb2f3f
	fi
	echo	'Loading Linux 6.1.0-32-amd64 ...'
	linux	/boot/vmlinuz-6.1.0-32-amd64 root=UUID=8eb1534f-39c0-4ded-907e-aee490cb2f3f ro  quiet
	echo	'Loading initial ramdisk ...'
	initrd	/boot/initrd.img-6.1.0-32-amd64
}
submenu 'Advanced options for Debian GNU/Linux' $menuentry_id_option 'gnulinux-advanced-8eb1534f-39c0-4ded-907e-aee490cb2f3f' {
	menuentry 'Debian GNU/Linux, with Linux 6.1.0-32-amd64' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-6.1.0-32-amd64-advanced-8eb1534f-39c0-4ded-907e-aee490cb2f3f' {
		load_video
		insmod gzio
		if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
		insmod part_gpt
		insmod cryptodisk
		insmod luks
		insmod gcry_rijndael
		insmod gcry_rijndael
		insmod gcry_sha256
		insmod ext2
		cryptomount -u feec2552ba7d4ad68ac8018e2f259b83
		set root='cryptouuid/feec2552ba7d4ad68ac8018e2f259b83'
		if [ x$feature_platform_search_hint = xy ]; then
		  search --no-floppy --fs-uuid --set=root --hint='cryptouuid/feec2552ba7d4ad68ac8018e2f259b83'  8eb1534f-39c0-4ded-907e-aee490cb2f3f
		else
		  search --no-floppy --fs-uuid --set=root 8eb1534f-39c0-4ded-907e-aee490cb2f3f
		fi
		echo	'Loading Linux 6.1.0-32-amd64 ...'
		linux	/boot/vmlinuz-6.1.0-32-amd64 root=UUID=8eb1534f-39c0-4ded-907e-aee490cb2f3f ro  quiet
		echo	'Loading initial ramdisk ...'
		initrd	/boot/initrd.img-6.1.0-32-amd64
	}
	menuentry 'Debian GNU/Linux, with Linux 6.1.0-32-amd64 (recovery mode)' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-6.1.0-32-amd64-recovery-8eb1534f-39c0-4ded-907e-aee490cb2f3f' {
		load_video
		insmod gzio
		if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
		insmod part_gpt
		insmod cryptodisk
		insmod luks
		insmod gcry_rijndael
		insmod gcry_rijndael
		insmod gcry_sha256
		insmod ext2
		cryptomount -u feec2552ba7d4ad68ac8018e2f259b83
		set root='cryptouuid/feec2552ba7d4ad68ac8018e2f259b83'
		if [ x$feature_platform_search_hint = xy ]; then
		  search --no-floppy --fs-uuid --set=root --hint='cryptouuid/feec2552ba7d4ad68ac8018e2f259b83'  8eb1534f-39c0-4ded-907e-aee490cb2f3f
		else
		  search --no-floppy --fs-uuid --set=root 8eb1534f-39c0-4ded-907e-aee490cb2f3f
		fi
		echo	'Loading Linux 6.1.0-32-amd64 ...'
		linux	/boot/vmlinuz-6.1.0-32-amd64 root=UUID=8eb1534f-39c0-4ded-907e-aee490cb2f3f ro single 
		echo	'Loading initial ramdisk ...'
		initrd	/boot/initrd.img-6.1.0-32-amd64
	}
	menuentry 'Debian GNU/Linux, with Linux 6.1.0-29-amd64' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-6.1.0-29-amd64-advanced-8eb1534f-39c0-4ded-907e-aee490cb2f3f' {
		load_video
		insmod gzio
		if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
		insmod part_gpt
		insmod cryptodisk
		insmod luks
		insmod gcry_rijndael
		insmod gcry_rijndael
		insmod gcry_sha256
		insmod ext2
		cryptomount -u feec2552ba7d4ad68ac8018e2f259b83
		set root='cryptouuid/feec2552ba7d4ad68ac8018e2f259b83'
		if [ x$feature_platform_search_hint = xy ]; then
		  search --no-floppy --fs-uuid --set=root --hint='cryptouuid/feec2552ba7d4ad68ac8018e2f259b83'  8eb1534f-39c0-4ded-907e-aee490cb2f3f
		else
		  search --no-floppy --fs-uuid --set=root 8eb1534f-39c0-4ded-907e-aee490cb2f3f
		fi
		echo	'Loading Linux 6.1.0-29-amd64 ...'
		linux	/boot/vmlinuz-6.1.0-29-amd64 root=UUID=8eb1534f-39c0-4ded-907e-aee490cb2f3f ro  quiet
		echo	'Loading initial ramdisk ...'
		initrd	/boot/initrd.img-6.1.0-29-amd64
	}
	menuentry 'Debian GNU/Linux, with Linux 6.1.0-29-amd64 (recovery mode)' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-6.1.0-29-amd64-recovery-8eb1534f-39c0-4ded-907e-aee490cb2f3f' {
		load_video
		insmod gzio
		if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
		insmod part_gpt
		insmod cryptodisk
		insmod luks
		insmod gcry_rijndael
		insmod gcry_rijndael
		insmod gcry_sha256
		insmod ext2
		cryptomount -u feec2552ba7d4ad68ac8018e2f259b83
		set root='cryptouuid/feec2552ba7d4ad68ac8018e2f259b83'
		if [ x$feature_platform_search_hint = xy ]; then
		  search --no-floppy --fs-uuid --set=root --hint='cryptouuid/feec2552ba7d4ad68ac8018e2f259b83'  8eb1534f-39c0-4ded-907e-aee490cb2f3f
		else
		  search --no-floppy --fs-uuid --set=root 8eb1534f-39c0-4ded-907e-aee490cb2f3f
		fi
		echo	'Loading Linux 6.1.0-29-amd64 ...'
		linux	/boot/vmlinuz-6.1.0-29-amd64 root=UUID=8eb1534f-39c0-4ded-907e-aee490cb2f3f ro single 
		echo	'Loading initial ramdisk ...'
		initrd	/boot/initrd.img-6.1.0-29-amd64
	}
}

### END /etc/grub.d/10_linux ###

### BEGIN /etc/grub.d/20_linux_xen ###

### END /etc/grub.d/20_linux_xen ###

### BEGIN /etc/grub.d/30_os-prober ###
### END /etc/grub.d/30_os-prober ###

### BEGIN /etc/grub.d/30_uefi-firmware ###
### END /etc/grub.d/30_uefi-firmware ###

### BEGIN /etc/grub.d/35_fwupd ###
### END /etc/grub.d/35_fwupd ###

### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###

### BEGIN /etc/grub.d/41_custom ###
if [ -f  ${config_directory}/custom.cfg ]; then
  source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f  $prefix/custom.cfg ]; then
  source $prefix/custom.cfg
fi
### END /etc/grub.d/41_custom ###

I have not verified the random part but there blue rectangles match above.

<details> <summary><code>/boot/grub/grub.cfg</code>:</summary> ``` # # DO NOT EDIT THIS FILE # # It is automatically generated by grub-mkconfig using templates # from /etc/grub.d and settings from /etc/default/grub # ### BEGIN /etc/grub.d/00_header ### if [ -s $prefix/grubenv ]; then set have_grubenv=true load_env fi if [ "${next_entry}" ] ; then set default="${next_entry}" set next_entry= save_env next_entry set boot_once=true else set default="0" fi if [ x"${feature_menuentry_id}" = xy ]; then menuentry_id_option="--id" else menuentry_id_option="" fi export menuentry_id_option if [ "${prev_saved_entry}" ]; then set saved_entry="${prev_saved_entry}" save_env saved_entry set prev_saved_entry= save_env prev_saved_entry set boot_once=true fi function savedefault { if [ -z "${boot_once}" ]; then saved_entry="${chosen}" save_env saved_entry fi } function load_video { if [ x$feature_all_video_module = xy ]; then insmod all_video else insmod efi_gop insmod efi_uga insmod ieee1275_fb insmod vbe insmod vga insmod video_bochs insmod video_cirrus fi } if [ x$feature_default_font_path = xy ] ; then font=unicode else insmod part_gpt insmod cryptodisk insmod luks insmod gcry_rijndael insmod gcry_rijndael insmod gcry_sha256 insmod ext2 cryptomount -u feec2552ba7d4ad68ac8018e2f259b83 set root='cryptouuid/feec2552ba7d4ad68ac8018e2f259b83' if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root --hint='cryptouuid/feec2552ba7d4ad68ac8018e2f259b83' 8eb1534f-39c0-4ded-907e-aee490cb2f3f else search --no-floppy --fs-uuid --set=root 8eb1534f-39c0-4ded-907e-aee490cb2f3f fi font="/usr/share/grub/unicode.pf2" fi if loadfont $font ; then set gfxmode=auto load_video insmod gfxterm set locale_dir=$prefix/locale set lang=en_US insmod gettext fi terminal_output gfxterm if [ "${recordfail}" = 1 ] ; then set timeout=30 else if [ x$feature_timeout_style = xy ] ; then set timeout_style=menu set timeout=5 # Fallback normal timeout code in case the timeout_style feature is # unavailable. else set timeout=5 fi fi ### END /etc/grub.d/00_header ### ### BEGIN /etc/grub.d/05_debian_theme ### insmod part_gpt insmod cryptodisk insmod luks insmod gcry_rijndael insmod gcry_rijndael insmod gcry_sha256 insmod ext2 cryptomount -u feec2552ba7d4ad68ac8018e2f259b83 set root='cryptouuid/feec2552ba7d4ad68ac8018e2f259b83' if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root --hint='cryptouuid/feec2552ba7d4ad68ac8018e2f259b83' 8eb1534f-39c0-4ded-907e-aee490cb2f3f else search --no-floppy --fs-uuid --set=root 8eb1534f-39c0-4ded-907e-aee490cb2f3f fi insmod png if background_image /usr/share/desktop-base/emerald-theme/grub/grub-4x3.png; then set color_normal=white/black set color_highlight=black/white else set menu_color_normal=cyan/blue set menu_color_highlight=white/blue fi ### END /etc/grub.d/05_debian_theme ### ### BEGIN /etc/grub.d/10_linux ### function gfxmode { set gfxpayload="${1}" } set linux_gfx_mode= export linux_gfx_mode menuentry 'Debian GNU/Linux' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-8eb1534f-39c0-4ded-907e-aee490cb2f3f' { load_video insmod gzio if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi insmod part_gpt insmod cryptodisk insmod luks insmod gcry_rijndael insmod gcry_rijndael insmod gcry_sha256 insmod ext2 cryptomount -u feec2552ba7d4ad68ac8018e2f259b83 set root='cryptouuid/feec2552ba7d4ad68ac8018e2f259b83' if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root --hint='cryptouuid/feec2552ba7d4ad68ac8018e2f259b83' 8eb1534f-39c0-4ded-907e-aee490cb2f3f else search --no-floppy --fs-uuid --set=root 8eb1534f-39c0-4ded-907e-aee490cb2f3f fi echo 'Loading Linux 6.1.0-32-amd64 ...' linux /boot/vmlinuz-6.1.0-32-amd64 root=UUID=8eb1534f-39c0-4ded-907e-aee490cb2f3f ro quiet echo 'Loading initial ramdisk ...' initrd /boot/initrd.img-6.1.0-32-amd64 } submenu 'Advanced options for Debian GNU/Linux' $menuentry_id_option 'gnulinux-advanced-8eb1534f-39c0-4ded-907e-aee490cb2f3f' { menuentry 'Debian GNU/Linux, with Linux 6.1.0-32-amd64' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-6.1.0-32-amd64-advanced-8eb1534f-39c0-4ded-907e-aee490cb2f3f' { load_video insmod gzio if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi insmod part_gpt insmod cryptodisk insmod luks insmod gcry_rijndael insmod gcry_rijndael insmod gcry_sha256 insmod ext2 cryptomount -u feec2552ba7d4ad68ac8018e2f259b83 set root='cryptouuid/feec2552ba7d4ad68ac8018e2f259b83' if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root --hint='cryptouuid/feec2552ba7d4ad68ac8018e2f259b83' 8eb1534f-39c0-4ded-907e-aee490cb2f3f else search --no-floppy --fs-uuid --set=root 8eb1534f-39c0-4ded-907e-aee490cb2f3f fi echo 'Loading Linux 6.1.0-32-amd64 ...' linux /boot/vmlinuz-6.1.0-32-amd64 root=UUID=8eb1534f-39c0-4ded-907e-aee490cb2f3f ro quiet echo 'Loading initial ramdisk ...' initrd /boot/initrd.img-6.1.0-32-amd64 } menuentry 'Debian GNU/Linux, with Linux 6.1.0-32-amd64 (recovery mode)' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-6.1.0-32-amd64-recovery-8eb1534f-39c0-4ded-907e-aee490cb2f3f' { load_video insmod gzio if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi insmod part_gpt insmod cryptodisk insmod luks insmod gcry_rijndael insmod gcry_rijndael insmod gcry_sha256 insmod ext2 cryptomount -u feec2552ba7d4ad68ac8018e2f259b83 set root='cryptouuid/feec2552ba7d4ad68ac8018e2f259b83' if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root --hint='cryptouuid/feec2552ba7d4ad68ac8018e2f259b83' 8eb1534f-39c0-4ded-907e-aee490cb2f3f else search --no-floppy --fs-uuid --set=root 8eb1534f-39c0-4ded-907e-aee490cb2f3f fi echo 'Loading Linux 6.1.0-32-amd64 ...' linux /boot/vmlinuz-6.1.0-32-amd64 root=UUID=8eb1534f-39c0-4ded-907e-aee490cb2f3f ro single echo 'Loading initial ramdisk ...' initrd /boot/initrd.img-6.1.0-32-amd64 } menuentry 'Debian GNU/Linux, with Linux 6.1.0-29-amd64' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-6.1.0-29-amd64-advanced-8eb1534f-39c0-4ded-907e-aee490cb2f3f' { load_video insmod gzio if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi insmod part_gpt insmod cryptodisk insmod luks insmod gcry_rijndael insmod gcry_rijndael insmod gcry_sha256 insmod ext2 cryptomount -u feec2552ba7d4ad68ac8018e2f259b83 set root='cryptouuid/feec2552ba7d4ad68ac8018e2f259b83' if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root --hint='cryptouuid/feec2552ba7d4ad68ac8018e2f259b83' 8eb1534f-39c0-4ded-907e-aee490cb2f3f else search --no-floppy --fs-uuid --set=root 8eb1534f-39c0-4ded-907e-aee490cb2f3f fi echo 'Loading Linux 6.1.0-29-amd64 ...' linux /boot/vmlinuz-6.1.0-29-amd64 root=UUID=8eb1534f-39c0-4ded-907e-aee490cb2f3f ro quiet echo 'Loading initial ramdisk ...' initrd /boot/initrd.img-6.1.0-29-amd64 } menuentry 'Debian GNU/Linux, with Linux 6.1.0-29-amd64 (recovery mode)' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-6.1.0-29-amd64-recovery-8eb1534f-39c0-4ded-907e-aee490cb2f3f' { load_video insmod gzio if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi insmod part_gpt insmod cryptodisk insmod luks insmod gcry_rijndael insmod gcry_rijndael insmod gcry_sha256 insmod ext2 cryptomount -u feec2552ba7d4ad68ac8018e2f259b83 set root='cryptouuid/feec2552ba7d4ad68ac8018e2f259b83' if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root --hint='cryptouuid/feec2552ba7d4ad68ac8018e2f259b83' 8eb1534f-39c0-4ded-907e-aee490cb2f3f else search --no-floppy --fs-uuid --set=root 8eb1534f-39c0-4ded-907e-aee490cb2f3f fi echo 'Loading Linux 6.1.0-29-amd64 ...' linux /boot/vmlinuz-6.1.0-29-amd64 root=UUID=8eb1534f-39c0-4ded-907e-aee490cb2f3f ro single echo 'Loading initial ramdisk ...' initrd /boot/initrd.img-6.1.0-29-amd64 } } ### END /etc/grub.d/10_linux ### ### BEGIN /etc/grub.d/20_linux_xen ### ### END /etc/grub.d/20_linux_xen ### ### BEGIN /etc/grub.d/30_os-prober ### ### END /etc/grub.d/30_os-prober ### ### BEGIN /etc/grub.d/30_uefi-firmware ### ### END /etc/grub.d/30_uefi-firmware ### ### BEGIN /etc/grub.d/35_fwupd ### ### END /etc/grub.d/35_fwupd ### ### BEGIN /etc/grub.d/40_custom ### # This file provides an easy way to add custom menu entries. Simply type the # menu entries you want to add after this comment. Be careful not to change # the 'exec tail' line above. ### END /etc/grub.d/40_custom ### ### BEGIN /etc/grub.d/41_custom ### if [ -f ${config_directory}/custom.cfg ]; then source ${config_directory}/custom.cfg elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; then source $prefix/custom.cfg fi ### END /etc/grub.d/41_custom ### ``` </details> I have not verified the random part but there blue rectangles match above.

Benjamin_Loison commented 2025-03-26 18:40:29 +01:00

Author

Owner

Copy Link

update-initramfs -k all -c

Output:

update-initramfs: Generating /boot/initrd.img-6.1.0-29-amd64
update-initramfs: Generating /boot/initrd.img-6.1.0-32-amd64

Should verify these parameters.

```bash update-initramfs -k all -c ``` <details> <summary>Output:</summary> ``` update-initramfs: Generating /boot/initrd.img-6.1.0-29-amd64 update-initramfs: Generating /boot/initrd.img-6.1.0-32-amd64 ``` </details> Should verify these parameters.

Benjamin_Loison commented 2025-03-26 18:41:00 +01:00

Author

Owner

Copy Link

root@debian:/# exit
exit
user@debian:~$

``` root@debian:/# exit exit user@debian:~$ ```

Benjamin_Loison commented 2025-03-26 18:41:44 +01:00

Author

Owner

Copy Link

umount -a

Output:

umount: /mnt/dev: must be superuser to unmount.
umount: /mnt/boot/efi: must be superuser to unmount.
umount: /mnt: must be superuser to unmount.
umount: /run/user/1000/doc: must be superuser to unmount.
umount: /run/user/1000/gvfs: must be superuser to unmount.
umount: /run/user/1000: must be superuser to unmount.
umount: /proc/sys/fs/binfmt_misc: must be superuser to unmount.
umount: /run/credentials/systemd-tmpfiles-setup.service: must be superuser to unmount.
umount: /tmp: must be superuser to unmount.
umount: /run/credentials/systemd-sysctl.service: must be superuser to unmount.
umount: /run/credentials/systemd-tmpfiles-setup-dev.service: must be superuser to unmount.
umount: /run/credentials/systemd-sysusers.service: must be superuser to unmount.
umount: /sys/fs/fuse/connections: must be superuser to unmount.
umount: /sys/kernel/config: must be superuser to unmount.
umount: /sys/kernel/debug: must be superuser to unmount.
umount: /dev/mqueue: must be superuser to unmount.
umount: /sys/kernel/tracing: must be superuser to unmount.
umount: /dev/hugepages: must be superuser to unmount.
umount: /proc/sys/fs/binfmt_misc: must be superuser to unmount.
umount: /sys/fs/bpf: must be superuser to unmount.
umount: /sys/firmware/efi/efivars: must be superuser to unmount.
umount: /sys/fs/pstore: must be superuser to unmount.
umount: /sys/fs/cgroup: must be superuser to unmount.
umount: /run/lock: must be superuser to unmount.
umount: /dev/shm: must be superuser to unmount.
umount: /sys/kernel/security: must be superuser to unmount.
umount: /usr/lib/live/mount/overlay: must be superuser to unmount.
umount: /usr/lib/live/mount/rootfs/filesystem.squashfs: must be superuser to unmount.
umount: /usr/lib/live/mount/medium: must be superuser to unmount.
umount: /usr/lib/live/mount: must be superuser to unmount.
umount: /: must be superuser to unmount.
umount: /run/live/overlay: must be superuser to unmount.
umount: /run/live/rootfs/filesystem.squashfs: must be superuser to unmount.
umount: /run/live/medium: must be superuser to unmount.
umount: /run: must be superuser to unmount.
umount: /dev: must be superuser to unmount.

sudo umount -a

Output:

umount: /mnt/dev: target is busy.
umount: /mnt: target is busy.
umount: /run/user/1000: target is busy.
umount: /tmp: target is busy.
umount: /sys/fs/cgroup: target is busy.
umount: /: target is busy.
umount: /run/live/medium: target is busy.
umount: /run: target is busy.
umount: /dev: target is busy.

```bash umount -a ``` <details> <summary>Output:</summary> ``` umount: /mnt/dev: must be superuser to unmount. umount: /mnt/boot/efi: must be superuser to unmount. umount: /mnt: must be superuser to unmount. umount: /run/user/1000/doc: must be superuser to unmount. umount: /run/user/1000/gvfs: must be superuser to unmount. umount: /run/user/1000: must be superuser to unmount. umount: /proc/sys/fs/binfmt_misc: must be superuser to unmount. umount: /run/credentials/systemd-tmpfiles-setup.service: must be superuser to unmount. umount: /tmp: must be superuser to unmount. umount: /run/credentials/systemd-sysctl.service: must be superuser to unmount. umount: /run/credentials/systemd-tmpfiles-setup-dev.service: must be superuser to unmount. umount: /run/credentials/systemd-sysusers.service: must be superuser to unmount. umount: /sys/fs/fuse/connections: must be superuser to unmount. umount: /sys/kernel/config: must be superuser to unmount. umount: /sys/kernel/debug: must be superuser to unmount. umount: /dev/mqueue: must be superuser to unmount. umount: /sys/kernel/tracing: must be superuser to unmount. umount: /dev/hugepages: must be superuser to unmount. umount: /proc/sys/fs/binfmt_misc: must be superuser to unmount. umount: /sys/fs/bpf: must be superuser to unmount. umount: /sys/firmware/efi/efivars: must be superuser to unmount. umount: /sys/fs/pstore: must be superuser to unmount. umount: /sys/fs/cgroup: must be superuser to unmount. umount: /run/lock: must be superuser to unmount. umount: /dev/shm: must be superuser to unmount. umount: /sys/kernel/security: must be superuser to unmount. umount: /usr/lib/live/mount/overlay: must be superuser to unmount. umount: /usr/lib/live/mount/rootfs/filesystem.squashfs: must be superuser to unmount. umount: /usr/lib/live/mount/medium: must be superuser to unmount. umount: /usr/lib/live/mount: must be superuser to unmount. umount: /: must be superuser to unmount. umount: /run/live/overlay: must be superuser to unmount. umount: /run/live/rootfs/filesystem.squashfs: must be superuser to unmount. umount: /run/live/medium: must be superuser to unmount. umount: /run: must be superuser to unmount. umount: /dev: must be superuser to unmount. ``` </details> ```bash sudo umount -a ``` <details> <summary>Output:</summary> ``` umount: /mnt/dev: target is busy. umount: /mnt: target is busy. umount: /run/user/1000: target is busy. umount: /tmp: target is busy. umount: /sys/fs/cgroup: target is busy. umount: /: target is busy. umount: /run/live/medium: target is busy. umount: /run: target is busy. umount: /dev: target is busy. ``` </details>

Benjamin_Loison commented 2025-03-26 18:42:08 +01:00

Author

Owner

Copy Link

I disabled installing pending updates when requesting on graphical shutdown.

I disabled installing pending updates when requesting on graphical shutdown.

Benjamin_Loison commented 2025-03-26 18:49:22 +01:00

Author

Owner

Copy Link

no matter if I have provided the correct or incorrect password.

   no matter if I have provided the correct or incorrect password.

Screenshot_Debian_UEFI_2025-03-26_18:43:42.png

17 KiB

Screenshot_Debian_UEFI_2025-03-26_18:44:05.png

17 KiB

Screenshot_Debian_UEFI_2025-03-26_18:45:00.png

5.7 KiB

Benjamin_Loison commented 2025-03-26 20:14:25 +01:00

Author

Owner

Copy Link

Testing on an actual computer may help, can dd to ease resetting the unencrypted disk state.

Note that I have an ad-hoc SATA SSD for such tests on my computer Pegasus.

Testing on an actual computer may help, can `dd` to ease resetting the unencrypted disk state. Note that I have an ad-hoc SATA SSD for such tests on my computer Pegasus.

Benjamin_Loison commented 2025-03-26 20:34:52 +01:00

Author

Owner

Copy Link

Should investigate:

• https://help.ubuntu.com/community/FullDiskEncryptionHowto
• https://ubuntu.com/core/docs/full-disk-encryption

Should investigate: - https://help.ubuntu.com/community/FullDiskEncryptionHowto - https://ubuntu.com/core/docs/full-disk-encryption

Benjamin_Loison commented 2025-03-26 22:35:51 +01:00

Author

Owner

Copy Link

Does it actually preserve files and folders on ext4, once encrypt it? I would say so, see:

-----BEGIN PGP MESSAGE-----

hF4DTQa9Wom5MBgSAQdAptDpm7flAFMEqHMJY+2j8k/iHPRLkehboEtMzhH4KTIw
T2jXfJLe4T8jNbAh/PgwadtGWP5Rxg5B5ToSVk1noEsGjUz61/P3MzkIcObZ0b6q
0qoBymSEOE2RlTxzR1TttPz6n4Ry+mD3BvFCSFkKZLS7PVaQ9985rAZapO0TEjuE
DdQhaHlVfufF/NwoDzL1sVJr+6+6e7BUqHw9pLtXOdDUizsa/JqP75GSgdM+CpkS
2gBhRnzy8i+NypcSnwUktZ1m8ByXjQco5FMRxGHgpcfqAK/yyh4hL71To6fpU9cD
z/CA/WXyarqFwJvb4fDE+u1nfmYMb5BrcG3sTg==
=+afL
-----END PGP MESSAGE-----

<details> <summary>Does it actually preserve files and folders on ext4, once encrypt it? I would say so, see:</summary> ``` -----BEGIN PGP MESSAGE----- hF4DTQa9Wom5MBgSAQdAptDpm7flAFMEqHMJY+2j8k/iHPRLkehboEtMzhH4KTIw T2jXfJLe4T8jNbAh/PgwadtGWP5Rxg5B5ToSVk1noEsGjUz61/P3MzkIcObZ0b6q 0qoBymSEOE2RlTxzR1TttPz6n4Ry+mD3BvFCSFkKZLS7PVaQ9985rAZapO0TEjuE DdQhaHlVfufF/NwoDzL1sVJr+6+6e7BUqHw9pLtXOdDUizsa/JqP75GSgdM+CpkS 2gBhRnzy8i+NypcSnwUktZ1m8ByXjQco5FMRxGHgpcfqAK/yyh4hL71To6fpU9cD z/CA/WXyarqFwJvb4fDE+u1nfmYMb5BrcG3sTg== =+afL -----END PGP MESSAGE----- ``` </details>

Benjamin_Loison commented 2025-03-30 13:25:56 +02:00

Author

Owner

Copy Link

Tracked at Benjamin_Loison/ext4/issues/5.

Tracked at [Benjamin_Loison/ext4/issues/5](https://codeberg.org/Benjamin_Loison/ext4/issues/5).

Benjamin_Loison commented 2025-03-31 13:38:47 +02:00

Author

Owner

Copy Link

Should read Wikipedia: Disk encryption.

Should read [Wikipedia: Disk encryption](https://en.wikipedia.org/wiki/Disk_encryption).

Benjamin_Loison commented 2025-04-13 13:29:22 +02:00

Author

Owner

Copy Link

Would help Benjamin_Loison/Ubuntu/issues/17.

Would help [Benjamin_Loison/Ubuntu/issues/17](https://codeberg.org/Benjamin_Loison/Ubuntu/issues/17).

Benjamin_Loison commented 2025-04-20 00:31:30 +02:00

Author

Owner

Copy Link

https://ubuntuhandbook.org/index.php/2024/08/encrypt-existing-ubuntu-system/ looks promising but use a snapshot according to https://discourse.ubuntu.com/t/24-04-disk-encryption-not-available-during-install-if-using-a-partition-and-not-full-disk/55238/8.

https://ubuntuhandbook.org/index.php/2024/08/encrypt-existing-ubuntu-system/ looks promising but use a snapshot according to https://discourse.ubuntu.com/t/24-04-disk-encryption-not-available-during-install-if-using-a-partition-and-not-full-disk/55238/8.

Benjamin_Loison commented 2025-04-20 00:53:43 +02:00

Author

Owner

Copy Link

https://ubuntuhandbook.org/index.php/2024/08/encrypt-existing-ubuntu-system/#comment-3758446 may help. However, above issue comments do not seem to face initramfs but grub.

https://ubuntuhandbook.org/index.php/2024/08/encrypt-existing-ubuntu-system/#comment-3758446 may help. However, above issue comments do not seem to face *initramfs* but *grub*.

Benjamin_Loison commented 2025-04-20 00:55:03 +02:00

Author

Owner

Copy Link

Both on my Debian 12 GNOME laptop the Ubuntu /boot/ does not seem to have its specific partition and the Virtual Machine Manager Ubuntu (trust) virtual machine does not seem to have a /boot/ partition too.

So maybe can first proceed in a virtual machine even if it asks twice the password, then I'll try to add a workaround, as mentioned in https://ubuntuhandbook.org/index.php/2024/08/encrypt-existing-ubuntu-system/#comment-3757645, not to.

Both on my Debian 12 GNOME laptop the Ubuntu `/boot/` does not seem to have its specific partition and the Virtual Machine Manager *Ubuntu (trust)* virtual machine does not seem to have a `/boot/` partition too. So maybe can first proceed in a virtual machine even if it asks twice the password, then I'll try to add a workaround, as mentioned in https://ubuntuhandbook.org/index.php/2024/08/encrypt-existing-ubuntu-system/#comment-3757645, not to.

Benjamin_Loison commented 2025-04-20 01:00:41 +02:00

Author

Owner

Copy Link

Well it does not seem to just be a question of asking twice the password but just following the tutorial.

https://ubuntuhandbook.org/wp-content/uploads/2024/08/encrypt-prepare.webp

Well it does not seem to just be a question of asking twice the password but just following the tutorial. https://ubuntuhandbook.org/wp-content/uploads/2024/08/encrypt-prepare.webp

Screenshot_Ubuntu_trust_2025-04-20_00:59:42.png

55 KiB

Benjamin_Loison commented 2025-04-20 01:08:35 +02:00

Author

Owner

Copy Link

Could search how to start using a partition as the tutorial for /boot/.

Could search how to start using a partition as the tutorial for `/boot/`.

Benjamin_Loison commented 2025-05-20 15:48:33 +02:00

Author

Owner

Copy Link

Would help:

-----BEGIN PGP MESSAGE-----

hF4DTQa9Wom5MBgSAQdAEQXKalwxK4UWb/acQYuYQhX4nm23RtBfdKSIC9rdNVAw
R7FcetdPi49RI2ewVDagw7VdqCuPrREv2tsi8EtIh5T1HjUekZMvK5ytsvT+yvbS
1F0BCQIQdrfnM4LwBZP7t2ZffpjjIqEgBwsFNolLAKqq8nI07S4xj+EiDqGYa4PA
W21plkjuTwXssbvszbgfwKiBh2nJ8tzlCW7/EUzd7xrEZF59fK3tKNr0EdQZaAM=
=9V7E
-----END PGP MESSAGE-----

<details> <summary>Would help:</summary> ``` -----BEGIN PGP MESSAGE----- hF4DTQa9Wom5MBgSAQdAEQXKalwxK4UWb/acQYuYQhX4nm23RtBfdKSIC9rdNVAw R7FcetdPi49RI2ewVDagw7VdqCuPrREv2tsi8EtIh5T1HjUekZMvK5ytsvT+yvbS 1F0BCQIQdrfnM4LwBZP7t2ZffpjjIqEgBwsFNolLAKqq8nI07S4xj+EiDqGYa4PA W21plkjuTwXssbvszbgfwKiBh2nJ8tzlCW7/EUzd7xrEZF59fK3tKNr0EdQZaAM= =9V7E -----END PGP MESSAGE----- ``` </details>

Benjamin_Loison commented 2025-06-23 16:26:27 +02:00

Author

Owner

Copy Link

Related to Improve_websites_thanks_to_open_source/issues/1828.

Related to [Improve_websites_thanks_to_open_source/issues/1828](https://codeberg.org/Benjamin_Loison/Improve_websites_thanks_to_open_source/issues/1828).

Benjamin_Loison commented 2025-07-29 19:42:21 +02:00

Author

Owner

Copy Link

il est difficile de chiffrer complètement un portable sous GNU/Linux après l'installation. Vous pouvez cependant créer un nouveau compte Unix sur le système, vous connecter et chiffrer le répertoire personnel de ce nouvel utilisateur à partir d'un autre compte, et enfin y copier les données que vous voulez mettre en sécurité

Source: https://wiki.extinctionrebellion.fr/books/securite-militante/page/securite-de-lordinateur-1-saisie-par-la-police

> il est difficile de chiffrer complètement un portable sous GNU/Linux après l'installation. Vous pouvez cependant créer un nouveau compte Unix sur le système, vous connecter et chiffrer le répertoire personnel de ce nouvel utilisateur à partir d'un autre compte, et enfin y copier les données que vous voulez mettre en sécurité Source: https://wiki.extinctionrebellion.fr/books/securite-militante/page/securite-de-lordinateur-1-saisie-par-la-police

Benjamin_Loison commented 2025-08-19 19:17:41 +02:00

Author

Owner

Copy Link

https://www.privacyguides.org/en/encryption/#picocrypt-file should be removed in my opinion, as:

This repository was archived by the owner on Aug 8, 2025. It is now read-only.

https://www.privacyguides.org/en/encryption/#picocrypt-file should be removed in my opinion, as: > This repository was archived by the owner on Aug 8, 2025. It is now read-only.

Benjamin_Loison commented 2025-08-19 19:20:49 +02:00

Author

Owner

Copy Link

https://www.privacyguides.org/en/encryption/#veracrypt-disk

https://veracrypt.fr/code rediretcs to https://veracrypt.io/Code.html while https://veracrypt.io/en/Code.html is the working URL.

https://www.privacyguides.org/en/encryption/#veracrypt-disk https://veracrypt.fr/code rediretcs to https://veracrypt.io/Code.html while https://veracrypt.io/en/Code.html is the working URL.

Benjamin_Loison commented 2025-09-24 15:58:03 +02:00

Author

Owner

Copy Link

Related to Benjamin_Loison/mintstick/issues/3.

Related to [Benjamin_Loison/mintstick/issues/3](https://codeberg.org/Benjamin_Loison/mintstick/issues/3).

Benjamin_Loison commented 2025-10-08 14:44:18 +02:00

Author

Owner

Copy Link

The person mentioned in https://pim.etesync.lemnoslife.com/pim/events/KZ_e7ykAkYyWD3ECaZgHyCYAweZhp_Rm|TFIQDQixnGy1vr5mjDZX9u2XL1IcBS8i is reinstalling Ubuntu for this reason, knowing the existence of ecryptfs-migrate-home.

The person mentioned in https://pim.etesync.lemnoslife.com/pim/events/KZ_e7ykAkYyWD3ECaZgHyCYAweZhp_Rm|TFIQDQixnGy1vr5mjDZX9u2XL1IcBS8i is reinstalling Ubuntu for this reason, knowing the existence of `ecryptfs-migrate-home`.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

No results found.

No results found.

Labels

No items

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

Benjamin_Loison

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: Benjamin_Loison/linux#58