How to install Trisquel with Full Disk Encryption including the Boot Partition
You want your computer to be secure. You read about Full Disk Encryption and then, of course, you want your GNU/Linux Trisquel operating system installed that way.
What does the Full in Full Disk Encryption mean?
But then, in your very first step, you stumble: there is no single Full Disk Encryption. Wait, what? Full means one hundred percent, right? Are there different kinds of one hundred percent out there? Well… yes.
To understand why there are different meanings for Full Disk Encryption, you need to know that drives storing operating systems are divided into three parts:
• Partition Table: A boot sector containing the table of partitions for the disk.
• Boot Partition: A partition containing the kernel image.
• Rest of the disk: One or more partitions containing the rest of the operating system, the user data, and the swap area if requested.
Now, you can understand the GNU/Linux start-up process that happens when the computer is switched on:
• First, the firmware stored in the Motherboard Flash Chip (BIOS or UEFI) gets executed. This firmware includes a boot loader. This boot loader identifies the drives, reads their Partition Tables (MBR or GPT), and loads the kernel image from the Boot Partition.
• Second, the kernel gets executed. The kernel performs the graphic initialization, mounts the rest of the partitions onto the filesystem, and loads the rest of the operating system.
Now you can understand the historical evolution of the term Full Disk Encryption:
• At first, neither boot loaders nor kernels can manage encrypted partitions. There is no Full Disk Encryption.
• Then, the kernel gains the ability to manage encrypted partitions. Remember, the kernel is executed only after the Partition Table is read and the kernel is loaded from the Boot Partition. Full Disk Encryption means to encrypt everything in the disk except for the Partition Table and the Boot Partition.
• Then, the boot loader present in some BIOSes and UEFIs gains the ability to manage encrypted partitions as well. Remember, the partitions can only be accessed after the Partition Table is read. Full Disk Encryption means to encrypt everything in the disk except for the Partition Table.
• Then, some boot loaders gain the ability to manage encrypted Partition Tables as well. Full Disk Encryption means to encrypt everything in the disk without exception. Finally, Real Full Disk Encryption for once and for all.
So, ‘Full’ in this context is taken to mean ‘As full as possible at the moment’, and with the passage of time, that leads to three different meanings. As for GNU/Linux Trisquel, I know only of the first and second forms of Full Disk Encryption being available, the Partition Table never being encrypted. So, we have two choices for Full Disk Encryption: with or without encrypting the Boot Partition. One is fuller than the other, but neither is fullest.
Searching for a reliable Secure Boot
In case you want to use GNU/Linux Trisquel with Full Disk Encryption including the Boot Partition, you need a computer with firmware capable of managing encrypted partitions. And if you want reliable firmware, you want neither the UEFI Secure Boot specification nor its proprietary, closed-source implementations. Instead, you search for a Libre alternative.
And such an alternative has existed since 2013: Secure libreBoot, a Libre Secure Boot alternative. It is implemented in Libreboot and Canoeboot, firmware replacements created by Leah Rowe for BIOS and UEFI.
Canoeboot and Libreboot
Canoeboot and Libreboot releases include the replacement ROMs together with the tools needed to prepare them and write them to the Motherboard Flash Chip:
1. A generic tool to write the Flash memory: flashrom or flashprog.
2. A generic tool to access the Core Boot File System (CBFS): cbfstool.
3. A specific tool to modify the MAC address for the Ethernet interface: ich9gen or nvmutil, specific to Lenovo Thinkpad models with the GM45 chipset that use the e1000 Ethernet controller: X200, X200S, X200 Tablet, R400, T400, T400S, T500 and W500.
4. A specific tool to set the BackUp Control Top Swap bit, bucts, and variants of the flashrom tool, flashrom_lenovobios_sst and flashrom_lenovobios_macronix, all of them specific for the Lenovo Thinkpad models T60, X60, X60 Tablet and X60S.
5. Other tools.
These are the releases of Canoeboot and Libreboot:
• Canoeboot (www.canoeboot.org). Created in 2023, it is just Libreboot without the choice to include blobs, so it is always Libre. These are its releases so far: 20231026, 20231101, 20231103, 20231107, 20240504, 20240510, 20240612, 20241102, 20241207, 20250107, 25.04, 25.06, 26.01rev1.
• Libreboot (www.libreboot.org). Created in 2013, these are its Libre releases: 20131212, 20131213, 20131214, 20140221, 20140622, 20140711, 20140716, 20140720, 20140729, 20140811, 20140903, 20140911, 20141015, 20150124, 20150126, 20150208, 20150518, 20160902, 20160907. However, when Libreboot resumed in 2022 after a six-year hiatus, it started offering choices that include blobs for device initialization and microcode updates, hence it is no longer Libre. These are its non-Libre releases so far: 20220710, 20230625, 20240612, 20241206, 25.06, 26.01rev1.
So, at present the one that is Libre is Canoeboot, not Libreboot. Yes, I agree that that is counterintuitive. Yes, I agree that the universe is imperfect.
Unfortunately, the range of compatible computers is limited, most of them being no longer in production – that means that if you really want a computer with an encrypted Boot Partition, you would need to find one second-hand. Check out the list of computers supported by Canoeboot here:
Which systems are supported by Canoeboot?
https://canoeboot.org/docs/install/#which-systems-are-supported-by-canoeboot
What it is like to have Full Disk Encryption for GNU/Linux Trisquel
Using a computer with Full Disk Encryption is just the same as any other computer. The only difference happens at start-up:
• Before graphical initialization, if you chose to have Full Disk Encryption with an encrypted Boot Partition, the bootloader will ask you for the LVM (Logical Volume Manager) passphrase so it can decrypt the boot partition.
• After graphical initialization, if you chose to have Full Disk Encryption, the kernel will ask you for the LVM passphrase - yes, even if you already entered it to decrypt the Boot Partition. The bootloader does not pass the passphrase forward to the kernel. I suppose this is a feature for security reasons, not a bug.
Installing GNU/Linux Trisquel with Full Disk Encryption, including the Boot Partition
It’s 2016. You get yourself a Libreboot-compatible computer. You liberate it by replacing its firmware with Libreboot. You configure Libreboot in the optimal way for your computer. You install GNU/Linux Trisquel with Full Disk Encryption including the Boot Partition by following Libreboot’s guide for Trisquel. You finish. Libre Hardware. Libre Software. Libre Computer. Full Disk Encryption including the Boot Partition. Life is good.
It’s 2026. You get yourself a Libreboot-compatible computer. You try to do the same, but you keep coming across problems. There are obstacles on the way that weren’t there before. What is happening? Things are more difficult in 2026 than they were in 2016! You get acquainted with the First Rule of the Internet: whatever is online today does not have to be online tomorrow. Veterans know not to rely on the Internet and keep a copy of anything they need.
First problem: The tools included in Canoeboot and Libreboot are not included in binary format after Libreboot release 20160907. Canoeboot, which did not exist at the time, has never included these tools in binary format. Dang. Current releases include the tools only in source format and users need to compile them themselves. Compiling is not difficult: just navigate to the right directory and enter a simple command. However, compiling often fails because of dependencies on absent packages. Gosh. This is specifically problematic for Trisquel because, being a strictly Libre distribution, it has more restricted software sources than other distributions. Blast. To help deal with this problem, from late 2024 on there is a script called mk included to help you by installing the dependencies for many GNU/Linux distributions. You execute it as root by typing:
# ./mk dependencies trisquel
However, in the latest release of Canoeboot and Libreboot, 26.01rev1, the script no longer supports the distributions Parabola, Popos… and Trisquel. Ouch. That hurts. In that case, this is what worked for me:
# ./mk dependencies ubuntu
Specifically for Trisquel 12, I recommend:
# ./mk dependencies ubuntu2404
Still, this workaround might not be enough and compiling still could fail!
First solution: I published a step-by-step guide to liberate old Thinkpad computers with Libreboot and Canoeboot where I deal with this problem by, spoiler alert, proposing a simple strategy: if compiling fails, keep trying with older releases until compiling succeeds or you reach back to Libreboot release 20160907, which includes the tools in binary format.
Nacho Agulló's Node in English: How to liberate an old Thinkpad
https://www.grafotema.com/agullo/articulos/thinkpad/How_to_liberate_an_old_thinkpad.html
Second problem: The specific tools for Lenovo Thinkpad models T60, X60, X60 Tablet and X60S are currently not included in Libreboot and Canoeboot releases, not even in source format: bucts, flashrom_lenovobios_sst and flashrom_lenovobios_macronix. Again, the last release to include them was Libreboot 20160907. Again, Canoeboot, which did not exist at the time, never included these tools. If you visit the Canoeboot website and read the guide for installing Canoeboot on these computers, you will be told to just download that old release and get the tools from there. But instead of calling it Libreboot 20160907, it mistakenly calls it Canoeboot 20160907 - oh, the wonders of text replacement:
Canoeboot – Install Canoeboot Free BIOS/UEFI boot firmware
https://canoeboot.org/docs/install/#thinkpad-t60x60x60tabletx60s
So this old Libreboot release is not only necessary as a fallback strategy for obtaining the tools, but it is indispensable in particular for Lenovo Thinkpad models T60, X60, X60 Tablet and X60S. However, Libreboot’s official mirror in the United Kingdom currently keeps only the last four releases, so at some point they dropped that old release in spite of it being indispensable for some computers. And the other Libreboot mirrors, well, mirrored this one, so they lost that release too. Darn.
Second solution: There is an exception, an outdated mirror that does not include the most recent release but still has release Libreboot 20160907 - for now. If you are not yet a veteran who knows the Internet’s First Rule, become one right now. Download a copy while you still can.
HTTP German mirror in-berlin.de
http://mirror.helium.in-berlin.de/libreboot/stable/
Third problem: After installation of Canoeboot or Libreboot is successful, both include a filesystem called CBFS. This filesystem contains the GRUB boot loader which, besides managing encrypted partitions, allows editing the configuration script grub.cfg and the alternative script grubtest.cfg, and if memory serves me, also rewriting them directly from GRUB. However, around 2025 the menu options for accessing grub.cfg and grubtest.cfg went missing. Jeez.
Third solution: No solution, just do without it.
Fourth problem: Canoeboot and Libreboot also provide a specific tool called cbfstool that, you guessed it, is not included in binary format after Libreboot release 20160907, so in case you need it you have to compile it. This cbfstool allows modifying the contents of the CBFS in the ROM written to the Motherboard Flash Chip, editing the grub.cfg and grubtest.cfg scripts.
However, accessing the CBFS of the current versions of Canoeboot and Libreboot finds neither of those files. Crap. This is what I get:
FMAP REGION: COREBOOT
Name Offset Type Size Comp
cbfs_master_header 0x0 cbfs header 32 none
cpu_microcode_blob.bin 0x80 microcode 135168 none
config 0x210c0 raw 3231 LZMA (10352 decompressed)
revision 0x21dc0 raw 760 none
build_info 0x22100 raw 90 none
fallback/dsdt.aml 0x22180 raw 15768 none
vbt.bin 0x25f80 raw 1412 LZMA (3863 decompressed)
cmos.default 0x26540 cmos_default 256 none
cmos_layout.bin 0x26680 cmos_layout 1840 none
fallback/postcar 0x26e00 stage 25960 none
etc/ps2-keyboard-spinup 0x2d3c0 raw 8 none
etc/pci-optionrom-exec 0x2d400 raw 8 none
etc/optionroms-checksum 0x2d440 raw 8 none
scan.cfg 0x2d480 raw 26 none
background.png 0x2d4c0 raw 3451 none
bootorder 0x2e280 raw 15 none
keymap.gkb 0x2e2c0 raw 492 none
(empty) 0x2e500 null 6756 none
fallback/romstage 0x2ff80 stage 65304 none
fallback/ramstage 0x3ff40 stage 115281 LZMA (242792 decompressed)
img/u-boot 0x5c200 simple elf 389958 none
fallback/payload 0xbb580 simple elf 72272 none
vgaroms/seavgabios.bin 0xcd000 raw 28160 none
img/memtest 0xd3e40 simple elf 143315 none
img/grub2 0xf6e40 simple elf 606467 none
(empty) 0x18af80 null 6676516 none
bootblock 0x7e8fc0 bootblock 24576 none
Fourth solution: Again, no solution, just do without it. Canoeboot and Libreboot automatically search for any available drives, then if the drives are encrypted they ask you for the passphrases to decrypt them. Having a single encrypted drive, I could optimize the start-up by not wasting time searching for others - every start-up currently takes 20 seconds from the GRUB menu to asking me for the drive’s passphrase, and that time could be halved. Well, I guess I will be losing 10 seconds in every start-up.
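The listing above can be checked mechanically rather than by eye. The following added example (not code from the page, Canoeboot or Libreboot) parses the cbfstool print output, coping with the multi-word Type column ("cbfs header", "simple elf") and the LZMA annotation in the Comp column, and reports which expected files are absent; the embedded listing is a shortened excerpt of the page's own output.

```python
import re

# Excerpt of the cbfstool listing shown above, shortened to a few rows
# (taken from the page's output, not captured here). Types such as
# "cbfs header" and "simple elf" contain spaces, so a plain split() breaks.
CBFS_LISTING = """\
FMAP REGION: COREBOOT
Name Offset Type Size Comp
cbfs_master_header 0x0 cbfs header 32 none
config 0x210c0 raw 3231 LZMA (10352 decompressed)
scan.cfg 0x2d480 raw 26 none
img/grub2 0xf6e40 simple elf 606467 none
(empty) 0x18af80 null 6676516 none
bootblock 0x7e8fc0 bootblock 24576 none
"""

# Lazy match on Type so that Size (decimal) and Comp anchor the row's tail.
ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<offset>0x[0-9a-fA-F]+)\s+(?P<type>.+?)\s+"
    r"(?P<size>\d+)\s+(?P<comp>none|LZMA(?: \(\d+ decompressed\))?)$"
)

def parse_cbfs_listing(text):
    """Return one dict per CBFS entry; the region and header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["offset"] = int(entry["offset"], 16)
            entry["size"] = int(entry["size"])
            entries.append(entry)
    return entries

def missing_files(entries, wanted):
    """Names from `wanted` that do not appear in the parsed listing."""
    present = {e["name"] for e in entries}
    return [name for name in wanted if name not in present]

if __name__ == "__main__":
    ents = parse_cbfs_listing(CBFS_LISTING)
    # On the page's ROM this reports grub.cfg and grubtest.cfg as absent.
    print(missing_files(ents, ["img/grub2", "grub.cfg", "grubtest.cfg"]))
```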
Fifth problem: All right, Canoeboot or Libreboot is already installed and configured. At last, time for the actual Trisquel install with Full Disk Encryption, including the Boot Partition. You search for the Canoeboot or Libreboot guide… and it is gone. On July 23rd, 2021, Leah Rowe decided to delete the guides because they were outdated and the effort to update them was deemed ‘unsustainable’.
move distro FDE+/boot/ guides to distro wikis/manuals and don't host them on libreboot.org anymore - NotABug.org: Free code hosting
https://web.archive.org/web/20220704233400/https://notabug.org/libreboot/lbwww/issues/4
Fair enough, Canoeboot and Libreboot cannot maintain guides for installing all of the endless GNU/Linux distributions, and the responsibility goes to the distributions themselves. So you open Trisquel’s documentation in search of an installation guide and, certainly, there has been a documentation page for Full Disk Encryption Install since 2011. Good. Follow its instructions to the letter. Cheer yourself up as the installation completes successfully. Are you done already?
However, when you start GNU/Linux Trisquel you are asked for the passphrase only once. Strange. So you open Gparted and check the partitions on your drive and… the Boot Partition is not encrypted. Oh, for crying out loud! Is Trisquel’s documentation a fraud? Not really, it is just the good old misnaming. Trisquel’s documentation has Full Disk Encryption WITHOUT the Boot Partition.
Fifth solution: Be a veteran and keep an old copy of Libreboot’s website with the old installation guide. Alternatively, use the Internet Archive, cross your fingers and… yes, you are lucky:
Libreboot – Installing Trisquel GNU+Linux with Full-Disk Encryption (including /boot)
https://web.archive.org/web/20210511123917/libreboot.org/docs/gnulinux/encrypted_trisquel.html
Learn how to install Trisquel with Full Disk Encryption including the Boot Partition, then update Trisquel’s Full Disk Encryption documentation so it includes choices for both with and without Boot Partition. Done, there you have it:
Full Disk Encryption Install | Trisquel GNU/Linux - Run free!
https://trisquel.info/en/wiki/full-disk-encryption-install
Perform the installation, following the choice for an encrypted Boot Partition. Check that this time Trisquel’s start-up properly prompts you for the passphrase twice, and Gparted confirms that all partitions are encrypted. At last you are done! Sing Chumbawamba’s Tubthumping: ‘I get knocked down, but I get up again, you’re never gonna keep me down’.
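To confirm the outcome from a terminal instead of Gparted, the added example below (not from the page or from Trisquel’s guide) walks the JSON tree printed by `lsblk -J -o NAME,TYPE,MOUNTPOINT` and reports which of /boot, / and swap have no dm-crypt device beneath them. The two embedded device trees are constructed samples that assume a LUKS container holding LVM volumes, with /boot either as a plain partition (the documentation’s old layout) or as a logical volume inside the container.

```python
import json

# Constructed `lsblk -J -o NAME,TYPE,MOUNTPOINT` output (sample data, not
# captured from a real machine). Layout A: /boot is a plain partition and
# only sda2 is LUKS, i.e. Full Disk Encryption WITHOUT the Boot Partition.
LSBLK_BOOT_PLAIN = json.loads("""{"blockdevices": [
 {"name": "sda", "type": "disk", "mountpoint": null, "children": [
  {"name": "sda1", "type": "part", "mountpoint": "/boot"},
  {"name": "sda2", "type": "part", "mountpoint": null, "children": [
   {"name": "sda2_crypt", "type": "crypt", "mountpoint": null, "children": [
    {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
    {"name": "vg-swap", "type": "lvm", "mountpoint": "[SWAP]"}]}]}]}]}""")
# Layout B: the whole disk is LUKS and /boot is a logical volume inside it.
LSBLK_BOOT_ENCRYPTED = json.loads("""{"blockdevices": [
 {"name": "sda", "type": "disk", "mountpoint": null, "children": [
  {"name": "sda1", "type": "part", "mountpoint": null, "children": [
   {"name": "sda1_crypt", "type": "crypt", "mountpoint": null, "children": [
    {"name": "vg-boot", "type": "lvm", "mountpoint": "/boot"},
    {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
    {"name": "vg-swap", "type": "lvm", "mountpoint": "[SWAP]"}]}]}]}]}""")

def _find(devices, mountpoint, ancestors=()):
    """Depth-first search; return the chain of device types down to mountpoint."""
    for dev in devices:
        chain = ancestors + (dev["type"],)
        if dev.get("mountpoint") == mountpoint:
            return chain
        found = _find(dev.get("children", []), mountpoint, chain)
        if found:
            return found
    return None

def mount_is_encrypted(lsblk, mountpoint):
    """True when a dm-crypt ("crypt") device sits between the disk and the mount."""
    chain = _find(lsblk["blockdevices"], mountpoint)
    if chain is None:
        raise ValueError(f"{mountpoint} not found in lsblk output")
    return "crypt" in chain

def unencrypted_mounts(lsblk, mountpoints=("/boot", "/", "[SWAP]")):
    """Mountpoints whose backing storage is not under a dm-crypt device."""
    return [m for m in mountpoints if not mount_is_encrypted(lsblk, m)]
```

On a real installation, pipe `lsblk -J -o NAME,TYPE,MOUNTPOINT` into `json.load` and pass the result to `unencrypted_mounts`; an empty list is the expected result for the encrypted Boot Partition layout.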
The End
It’s 2026. You get yourself a Libreboot-compatible computer. You liberate it by replacing its firmware with Canoeboot. You leave Canoeboot with the default configuration. You install GNU/Linux Trisquel with Full Disk Encryption including the Boot Partition by following Trisquel’s Full Disk Encryption Install guide. You finish. Libre Hardware. Libre Software. Libre Computer. Full Disk Encryption including the Boot Partition. Life is good. But heck, what a lot of extra effort it takes to make it in 2026.
There are a couple of errors that I noticed too late:
* The missing releases from Canoeboot and Libreboot are still available, just inside the directory /old/stable
* The 'mk dependencies trisquel' script that no longer works for Libreboot still works for Canoeboot, and has another, specific 'mk dependencies trisquel12' value.

