Changing SHA256 key derivation to SHA512 on *buntu LUKS2 installation.
In this manual I want to show you how to convert the hash of your LUKS2‑encrypted Linux Mint (or *buntu) installation from SHA‑256 to SHA‑512, and then how to fix the boot setup so the installation still boots after the conversion (given that a specific partitioning scheme is used).
I will not delve into writing reasons for doing this as I presume if you are reading this manual, you have them.
So, let’s head to it:
Prerequisites:
1.) Standard installation of Linux Mint (*buntu) (at the time of writing this article that is the *buntu 24.04 LTS base or Mint 22.x; the behaviour of the distro can change in the future)
And so it did change: Ubuntu 26.04 now uses Dracut for initramfs generation, so this article will not work for Ubuntu 26.04 or Mint 23 and newer.
(I haven’t tried it, but the article for Fedora might work for this newer Ubuntu, so try experimenting with that in a VM if you need it.)
2.) Your partitioning scheme has:
A.) EFI partition (unencrypted) with mount point “/boot/efi”
B.) Boot partition (unencrypted) with mount point to “/boot”
C.) Root partition (encrypted) with mount point to “/”
3.) Everything is on the same disk
4.) It is encrypted with LUKS2
5.) You backed up your important data or drive before following some random online manual.
Manual:
1.)
First install your distro according to the prerequisites, normally through the live CD installer.
That installs the system into a LUKS2 container whose hash is SHA-256 (cryptsetup’s compiled-in default), which is what we change below.
2.)
Once the installation is finished, do not leave the live CD/USB session.
3.)
Unmount all partitions on the disk you installed your distro to and, if the installer left the encrypted root open, close that mapping as well (cryptsetup luksClose (#mapping name)). lsblk should then show no mount points and no crypt device below the root partition; luksFormat refuses to touch a device that is still mapped or mounted.
4.)
Now dump the volume (master) key of the container. The new header will reuse this key, which is why the data on the partition does not have to be re-encrypted. This is done by:
(THIS IS VERY SENSITIVE DATA HANDLE IT ACCORDINGLY – IT IS THE KEY THAT ENCRYPTS YOUR DISK !!)
cryptsetup --dump-master-key luksDump /dev/(#partition encrypting root fs partition)
This prints several fields, among them “MK bits:” (the key length) and “MK dump:” followed by hexadecimal bytes, usually spread over a few indented lines; those HEX characters are your master key.
It should be 512 bits on a current version of the distro (check the MK bits line).
(Not to be confused with the key-derivation hash: the hash is a parameter of the header, the master key is what actually encrypts the data.)
5.)
This key has to be written to a file as raw bytes. The original way is a printf with one \x escape per byte:
printf '\x00\x00\x00\x00\x00\x00\x00\x00' > /tmp/masterkey
where each
00
is one byte (two HEX characters) of your master key, every byte must be prefixed with
\x
and the whole string must be enclosed in
''
.
Your key has many more bytes than that (64 for a 512-bit key); the command is shortened here so it fits on the page.
Two things to be aware of: the \x escape is understood by bash’s built-in printf but not by /bin/sh (dash) on *buntu, and anything typed into an interactive shell ends up in that shell’s history, so the key is then stored in ~/.bash_history as well as in /tmp/masterkey. In a live CD/USB session both live in RAM and vanish after a reboot, so this is not a catastrophe, but it is still better to write the file from a script or through a pipe than to type the key on the command line, and to delete the file (e.g. with shred -u) as soon as step 6 is done.
6.)
Now that we have the master key, we write a new LUKS2 header onto the partition that reuses that key but uses the stronger hash. This does not re-encrypt the data: the volume key stays the same, so the existing ciphertext remains readable; only the header (key slots and digest) is replaced. Like this:
cryptsetup --master-key-file=/tmp/masterkey --iter-time=60000 --hash=sha512 luksFormat /dev/(#partition encrypting root fs partition)
Because the new header has to describe the data exactly as the old one did, the cipher, the key size and the data offset must stay at the values the installer used. The defaults of the same cryptsetup version normally reproduce them, but it costs nothing to read them from the luksDump output of step 4 (“Cipher name”/“Cipher mode”, “MK bits”, “Payload offset”, the last one in 512-byte sectors), pass them explicitly with --cipher, --key-size and --offset if they differ from the defaults shown by cryptsetup --help, and compare them against luksDump after formatting.
Note that
--iter-time is the time, in milliseconds, that cryptsetup benchmarks the passphrase-to-key derivation for (on/for YOUR CPU); in this case it is set to one minute.
(That is roughly the time you will wait at the boot screen for the partition to unlock after you type in your password, longer on a slower CPU. A longer time is more expensive to brute-force, so do your research on it and see what fits you.)
Also note what --hash actually changes in LUKS2: the default passphrase PBKDF is Argon2id, which has no hash parameter, so sha512 is used for the anti-forensic splitter of the key slot and for the volume-key digest (shown by cryptsetup luksDump as “AF hash” and the digest “Hash”); it only becomes the passphrase hash itself if you also select PBKDF2 with --pbkdf.
You will be asked to confirm that you really want to overwrite the device and then for your (new) password; fill it in and go brew yourself a coffee or something, because the Argon2 benchmark and the creation of the key slot each take on the order of the configured iter-time.
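The following script is an added example for steps 4 to 6; it is not part of the original manual. It assumes the field names cryptsetup prints in a --dump-master-key dump (“Cipher name”, “Cipher mode”, “Payload offset”, “MK bits”, “MK dump”) and in a plain LUKS2 luksDump (“AF hash”, “Hash”), takes the LUKS partition as its only argument and keeps the key file in the live session’s RAM-backed /tmp. It does what the typed commands above do, but reads the key through a pipe so it never appears on a command line or in shell history, passes the cipher, key size and data offset from the old header explicitly to luksFormat, and checks the new header for sha512 afterwards. The sample dump texts inside it are constructed for testing, not real output.

```bash
#!/bin/bash
# Added example, not part of the original manual: steps 4-6 without typing the
# volume key into a shell. Assumes cryptsetup's dump layout ("Cipher name:",
# "Cipher mode:", "Payload offset:", "MK bits:", then "MK dump:" followed by hex
# bytes on one or more indented lines), a RAM-backed /tmp as in the live session,
# and the LUKS partition as the only argument. The two sample dumps below are
# constructed; the key bytes are a counting pattern, not a real key.
set -eu

KEYFILE=/tmp/masterkey

SAMPLE_DUMP='LUKS header information for /dev/sdX3
Cipher name:    aes
Cipher mode:    xts-plain64
Payload offset: 32768
UUID:           00000000-0000-0000-0000-000000000000
MK bits:        512
MK dump:        00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
                10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
                e0 e1 e2 e3 e4 e5 e6 e7 e8 e9 ea eb ec ed ee ef
                f0 f1 f2 f3 f4 f5 f6 f7 f8 f9 fa fb fc fd fe ff'
SAMPLE_HEX=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1fe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff

# Abridged plain `cryptsetup luksDump` of a LUKS2 header, as expected after step 6.
SAMPLE_LUKS2_DUMP='LUKS header information
Version:        2
Keyslots:
  0: luks2
        PBKDF:      argon2id
        AF hash:    sha512
Digests:
  0: pbkdf2
        Hash:       sha512'

dump_field() {            # value of the "<label>: value" line of a dump on stdin
    sed -n "s/^$1:[[:space:]]*//p"
}

hex_to_bin() {            # hex text on stdin -> raw bytes (POSIX octal escapes)
    local fmt
    fmt=$({ tr -dc '0-9a-fA-F'; echo; } | fold -w2 | while read -r byte; do
        if [ -n "$byte" ]; then printf '\\%03o' "$((0x$byte))"; fi
    done)
    printf "$fmt"
}

bin_to_hex() {            # raw bytes on stdin -> lowercase hex (round-trip check)
    od -An -v -tx1 | tr -d ' \n'
}

mk_dump_to_file() {       # dump text on stdin -> raw key in file $1, mode 0600
    local hex
    hex=$(sed -n '/^MK dump:/,$p' | sed 's/^MK dump://' | tr -dc '0-9a-fA-F')
    [ -n "$hex" ] || { echo "no MK dump in input" >&2; return 1; }
    (umask 077; printf '%s' "$hex" | hex_to_bin > "$1")
}

luks_format_args() {      # dump text on stdin -> layout options the new header must repeat
    local dump c m b o
    dump=$(cat)
    c=$(printf '%s\n' "$dump" | dump_field 'Cipher name')
    m=$(printf '%s\n' "$dump" | dump_field 'Cipher mode')
    b=$(printf '%s\n' "$dump" | dump_field 'MK bits')
    o=$(printf '%s\n' "$dump" | dump_field 'Payload offset')   # 512-byte sectors
    printf '%s' "--cipher $c-$m --key-size $b --offset $o"
}

header_uses_sha512() {    # plain luksDump on stdin -> 0 iff every AF hash / digest Hash is sha512
    local hashes
    hashes=$(sed -n -e 's/^[[:space:]]*AF hash:[[:space:]]*//p' \
                    -e 's/^[[:space:]]*Hash:[[:space:]]*//p')
    [ -n "$hashes" ] || return 1
    ! printf '%s\n' "$hashes" | grep -qv '^sha512$'
}

reformat_luks_header() {  # steps 4-6 on the real device $1 (needs root and a terminal)
    local dev=$1 dump args
    if lsblk -nro TYPE "$dev" | grep -qx crypt; then   # luksFormat refuses a mapped device
        echo "$dev is still open; cryptsetup luksClose it first" >&2; return 1
    fi
    dump=$(cryptsetup luksDump --dump-master-key "$dev")   # prompts for the passphrase
    printf '%s\n' "$dump" | mk_dump_to_file "$KEYFILE"
    args=$(printf '%s\n' "$dump" | luks_format_args)
    # --iter-time: Argon2id benchmark target in ms (60 s as in the manual);
    # --hash: AF-splitter and digest hash in LUKS2 (the PBKDF hash only with pbkdf2).
    # shellcheck disable=SC2086  # $args is meant to be word-split
    cryptsetup luksFormat --type luks2 $args --master-key-file "$KEYFILE" \
        --hash sha512 --iter-time 60000 "$dev"
    shred -u "$KEYFILE"
    cryptsetup luksDump "$dev" | header_uses_sha512 \
        || { echo "WARNING: new header on $dev still references a non-sha512 hash" >&2; return 1; }
    echo "$dev: header rewritten with $args, sha512 everywhere, key file shredded"
}

if [ $# -gt 0 ]; then
    reformat_luks_header "$1"
fi
```

Run it as root from the live session with the LUKS partition as the only argument once the mapping is closed; it prompts for the passphrase (luksDump), then for the overwrite confirmation and the passphrase of the new key slot (luksFormat). The octal-escape conversion is used instead of \x so the same function works in dash and bash, and the final check reads the plain luksDump back so you see immediately if some key slot or digest still says sha256.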
7.)
Now that this is done, we need to fix the booting:
A.) Run lsblk -o +UUID and find all your partitions.
B.) Unlock your newly formatted root partition with:
cryptsetup luksOpen /dev/(#partition encrypting root fs partition) (#mapping name)
The mapping name matters: it must be the name in the first field of /etc/crypttab on the installed system, because the cryptroot hook of update-initramfs looks the active mapping up in crypttab by that name; with any other name it warns that the target is not found in crypttab and leaves it out of the initramfs. If you do not know that name yet, open the partition under a temporary name, read /etc/crypttab from the mounted root, then close it and open it again under the right name.
(
DO NOT UNLOCK IT THROUGH gnome-disks
: it names the mapping luks-(#UUID), which is not what crypttab says, and you will not be able to regenerate a working initramfs)
C.) Now you will need to mount them for chrooting.
Run lsblk -o +UUID again to find the unlocked root filesystem (it appears below the LUKS partition as /dev/mapper/(#mapping name)), then mount everything like this:
mount (#unlocked root partition under luks partition) /mnt
mount (#boot partition) /mnt/boot
mount (#efi partition) /mnt/boot/efi
and then mount necessities for our chroot operations with:
for i in /dev /dev/pts /proc /sys /run; do mount -B $i /mnt/$i; done
D.) Find the UUID of your LUKS partition with blkid or gnome-disks
(NOT the unlocked root filesystem under it, but the partition that encrypts it; this UUID changed when the header was rewritten in step 6, which is the whole reason for this step)
E.) Chroot into the environment with:
chroot /mnt/ /bin/bash
F.) Inside the chroot environment edit /etc/crypttab and replace the old UUID in the UUID=... field with the new one found in sub-step D. Leave the first field alone; it must equal the mapping name you used in sub-step B. /etc/fstab needs no change: it refers either to the UUID of the filesystem inside the container or to /dev/mapper/(#mapping name), and neither has changed.
G.) Run the commands:
update-initramfs -u -k all
to regenerate the initramfs for all installed kernels (if it prints a cryptsetup WARNING that the target was not found in /etc/crypttab, the mapping name from sub-step B does not match crypttab and the system will not boot; fix that before going on), and
update-grub
to regenerate the bootloader settings.
H.) Type exit to leave the chroot, run sync so all changes are written to disk, then unmount everything under /mnt (the bind mounts first) and close the mapping with cryptsetup luksClose (#mapping name) so the header is written out cleanly before you reboot.
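The following script is an added example for step 7 and not part of the original manual. It takes the LUKS partition, the /boot partition and the EFI partition as arguments, assumes initramfs-tools (update-initramfs, unmkinitramfs) and util-linux’s umount -R as shipped with Ubuntu 24.04 / Mint 22, and assumes the root container is the first non-comment entry of /etc/crypttab. It opens the container under whatever name crypttab expects, rewrites only the UUID= field of that entry, runs the chroot steps, and then unpacks the freshly built initramfs to verify that the new UUID really is inside it before anything is rebooted. The crypttab sample inside it is constructed.

```bash
#!/bin/bash
# Added example, not part of the original manual: step 7 (fixing the boot) as a
# script. Assumptions: three-partition layout from the prerequisites, passed as
# arguments (LUKS partition, /boot partition, EFI partition); initramfs-tools
# with unmkinitramfs and util-linux umount -R (Ubuntu 24.04 / Mint 22); the root
# container is the first non-comment crypttab entry. SAMPLE_CRYPTTAB is constructed.
set -eu

SAMPLE_CRYPTTAB='# <target name> <source device> <key file> <options>
root_crypt UUID=11111111-1111-1111-1111-111111111111 none luks,discard'

crypttab_first_name() {   # crypttab on stdin -> mapper name of the first real entry
    awk '$1 !~ /^#/ && NF >= 2 { print $1; exit }'
}

# crypttab on stdin -> crypttab on stdout with the UUID= source of entry $1 set to
# UUID=$2. Exits 1 when no such entry exists, so a wrong name cannot silently
# leave the old UUID in place.
rewrite_crypttab_uuid() {
    awk -v name="$1" -v uuid="$2" '
        $1 == name && $2 ~ /^UUID=/ { $2 = "UUID=" uuid; found = 1 }
        { print }
        END { if (!found) exit 1 }'
}

mount_tree() {            # root (opened as /dev/mapper/$1), /boot $2, EFI $3, chroot mounts
    mount "/dev/mapper/$1" /mnt
    mount "$2" /mnt/boot
    mount "$3" /mnt/boot/efi
    for d in /dev /dev/pts /proc /sys /run; do mount -B "$d" "/mnt$d"; done
}

fix_boot() {              # $1 LUKS partition, $2 /boot partition, $3 EFI partition
    local luks=$1 boot=$2 efi=$3 uuid name ird tmp
    uuid=$(blkid -s UUID -o value "$luks")      # UUID of the new LUKS header (step 7D)
    # Peek at crypttab under a temporary name to learn the expected mapper name:
    # the cryptroot hook of update-initramfs matches the active mapping against
    # crypttab by name, which is why gnome-disks' luks-<UUID> mapping does not work.
    cryptsetup luksOpen "$luks" luks_tmp
    mount -o ro /dev/mapper/luks_tmp /mnt
    name=$(crypttab_first_name < /mnt/etc/crypttab)
    umount /mnt
    cryptsetup luksClose luks_tmp
    cryptsetup luksOpen "$luks" "$name"
    mount_tree "$name" "$boot" "$efi"
    rewrite_crypttab_uuid "$name" "$uuid" < /mnt/etc/crypttab > /mnt/etc/crypttab.new
    mv /mnt/etc/crypttab.new /mnt/etc/crypttab
    chroot /mnt /bin/sh -c 'update-initramfs -u -k all && update-grub'
    # Verify before rebooting: the hook copies crypttab into the initramfs, so the
    # new UUID must appear somewhere in the newest image.
    ird=$(ls -t /mnt/boot/initrd.img-* | head -n 1)
    tmp=$(mktemp -d)
    unmkinitramfs "$ird" "$tmp"
    grep -rq "$uuid" "$tmp" || { echo "new UUID missing from $ird" >&2; return 1; }
    rm -rf "$tmp"
    sync
    umount -R /mnt
    cryptsetup luksClose "$name"
    echo "done: $name -> UUID=$uuid is in $ird"
}

if [ $# -eq 3 ]; then
    fix_boot "$1" "$2" "$3"
fi
```

Run it as root from the live session after step 6, e.g. with the three partitions in the order LUKS, /boot, EFI; it prompts for the passphrase twice (temporary open, real open). If the grep at the end fails, the initramfs was built without the new container and booting would drop you into the initramfs shell, so that is the moment to look at the update-initramfs output rather than after the reboot.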
8.) Now just restart the system from live CD into your installation.
That should be it. If you know a better way to do it or think some steps in this manual can or should be adjusted, please do not hesitate to write an e-mail to legacy@wo.cz
Criticism is very welcome.