Because GRUB is installed directly as a payload of libreboot (or coreboot), you don't need an unencrypted /boot partition when setting up an encrypted system. This means that your machine can really secure data while powered off.

This works in Trisquel 7, and probably Trisquel 6. Boot the 'net installer' (Install Trisquel in Text Mode). How to boot a GNU/Linux installer.

Set a strong user password (ideally above 40 characters, of lowercase/uppercase, numbers and symbols) and when the installer asks you to setup encryption (ecryptfs) for your home directory, select 'Yes'.

Your user password should be different than the LUKS password which you will set later on. Your LUKS password should, like the user password, be secure.

Partitioning

Choose 'Manual' partitioning:

• Select drive and create new partition table
• Single large partition. The following are mostly defaults:
  • Use as: physical volume for encryption
  • Encryption: aes
  • key size: 256
  • IV algorithm: xts-plain64
  • Encryption key: passphrase
  • erase data: Yes (only choose 'No' if it's a new drive that doesn't contain your private data)
• Select 'configure encrypted volumes'
  • Create encrypted volumes
  • Select your partition
  • Finish
  • Really erase: Yes
  • (erase will take a long time. be patient)
• Select encrypted space:
  • use as: physical volume for LVM
  • Choose 'done setting up the partition'
• Configure the logical volume manager:
  • Keep settings: Yes
• Create volume group:
  • Name: buzz (you can use whatever you want here, this is just an example)
  • Select crypto partition
• Create logical volume
  • select buzz (or whatever you named it before)
  • name: distro (you can use whatever you want here, this is just an example)
  • size: default, minus 2048 MB
• Create logical volume
  • select buzz (or whatever you named it before)
  • name: swap (you can use whatever you want here, this is just an example)
  • size: press enter

Further partitioning

Now you are back at the main partitioning screen. You will simply set mountpoints and filesystems to use.

• LVM LV distro
  • use as: ext4
  • mount point: /
  • done setting up partition
• LVM LV swap
  • use as: swap area
  • done setting up partition
• Now you select 'Finished partitioning and write changes to disk'.

Kernel

Installation will ask what kernel you want to use. linux-generic is fine.

Tasksel

Just continue here, without selecting anything. You can install everything later (it's really easy).

Install the GRUB boot loader to the master boot record

Choose 'Yes'. It will fail, but don't worry. Then at the main menu, choose 'Continue without a bootloader'.

You do not need to install GRUB at all, since in libreboot you are using the GRUB payload (for libreboot) to boot your system directly.

Clock UTC

Just say 'Yes'.

Booting your system

At this point, you will have finished the installation. At your GRUB payload, press C to get to the command line.

Do that:
grub> cryptomount -a (ahci0,msdos1)
grub> set root='lvm/buzz-distro'
grub> linux /vmlinuz root=/dev/mapper/buzz-distro cryptdevice=/dev/mapper/buzz-distro:root quiet splash ro
grub> initrd /initrd.img
grub> boot

ecryptfs

Immediately after logging in, do that:
$ sudo ecryptfs-unwrap-passphrase

This will be needed in the future if you ever need to recover your home directory from another system, so write it down and keep the note somewhere secret. Ideally, you should memorize it and then burn the note (or not even write it down, and memorize it still)>

Modify grub.cfg (CBFS)

Now you need to set it up so that the system will automatically boot, without having to type a bunch of commands.

Modify your grub.cfg (in the firmware) using this tutorial; just change the default menu entry 'Load Operating System' to say this inside:

cryptomount -a (ahci0,msdos1)
set root='lvm/buzz-distro'
linux /vmlinuz root=/dev/mapper/buzz-distro cryptdevice=/dev/mapper/buzz-distro:root quiet splash ro
initrd /initrd.img

Additionally, you should set a GRUB password. This is not your LUKS password, but it's a password that you have to enter to see GRUB. This protects your system from an attacker simply booting a live USB and re-flashing your firmware. This should be different than your LUKS passphrase and user password.

The GRUB utility can be used like so:
$ grub-mkpasswd-pbkdf2

Give it a password (remember, it has to be secure) and it'll output something like:
grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711

Put that in the grub.cfg (the one for CBFS inside the ROM) before the 'Load Operating System' menu entry like so (example):

set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.711F186347156BC105CD83A2ED7AF1EB971AA2B1EB2640172F34B0DEFFC97E654AF48E5F0C3B7622502B76458DA494270CC0EA6504411D676E6752FD1651E749.8DD11178EB8D1F633308FD8FCC64D0B243F949B9B99CCEADE2ECA11657A757D22025986B0FA116F1D5191E0A22677674C994EDBFADE62240E9D161688266A711
		

Obviously, replace it with the correct hash that you actually got for the password that you entered. Meaning, not the hash that you see above!

After this, you will have a modified ROM with the menu entry for cryptomount, and the entry before that for the GRUB password. Flash the modified ROM using this tutorial.

Update Trisquel

$ sudo apt-get update
$ sudo apt-get upgrade

At the time of writing, Trisquel 7 had this bug from upstream. The workaround identified in this page was as follows:
$ sudo apt-get remove libpam-smbpass

Install a desktop (optional)

Installs the default desktop:
$ sudo apt-get install trisquel

It might ask for postfix configuration. I just choose 'No configuration'.

Next time you boot, it'll start lightdm and you can login. To start lightdm now, do:
$ sudo service lightdm start

Go back to the terminal (ctrl-alt-f1) and exit:
$ exit

Go back to lightdm (ctrl-alt-f7) and login.

Since you installed using net install and you only installed the base system, network-manager isn't controlling your eth0 but instead /etc/network/interfaces is. Comment out the eth0 lines in that file, and then do:
$ sudo /etc/init.d/networking stop
$ sudo service network-manager restart

Conclusion

If you followed all that correctly, you should now have a fully encrypted system.

Copyright © 2014 Francis Rowe <info@gluglug.org.uk>
This document is released under the Creative Commons Attribution-ShareAlike 4.0 International Public License and all future versions. A copy of the license can be found at ../license.txt.

This document is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See ../license.txt for more information.