Revision of Full Disk Encryption Install from Mon, 06/15/2026 - 04:26


This manual describes the steps to install Trisquel GNU/Linux onto an encrypted LVM. The goal is to enhance user security and protect your data from prying eyes. In June 2026, a new choice was added to this guide: encrypting the boot partition too. To understand what this procedure does, and what the choice of encrypting the boot partition means, a few basics need to be explained first in the simplest way.

What is the GNU/Linux start-up process?

This is an oversimplified description of the start-up process, following the software that gets executed when the computer is switched on:

  1. First, the firmware stored in the motherboard flash chip (BIOS or UEFI) gets executed. This firmware includes a bootloader. The bootloader identifies the storage units, reads their Master Boot Record (MBR), identifies their partitions, and loads the kernel image from the boot partition.
  2. Second, the kernel gets executed. The kernel performs the graphical initialization, mounts the rest of the partitions into the filesystem, and loads the rest of the operating system.

Does Full Disk Encryption really mean to encrypt the full disk?

Almost, but no. The MBR is never encrypted. Also, the boot partition could be encrypted or not. So, we have two choices for Full Disk Encryption: with or without encrypting the boot partition. One is fuller than the other, but neither is fullest.

How come Full Disk Encryption means two different things, and how can the choice with less encryption ever be called full?

This inaccurate naming exists for historical reasons:

  • At first, there is no Full Disk Encryption.
  • Then, the kernel gains the ability to manage encrypted partitions, once the MBR is read and the kernel is loaded from the boot partition. This allows for a first form of Full Disk Encryption where everything in the disk is encrypted except for the MBR and the boot partition.
  • Then, the bootloaders present in some BIOS and UEFIs gain the ability to manage encrypted partitions, once the MBR is read. This allows for a second form of Full Disk Encryption where everything in the disk is encrypted except for the MBR.
  • In the future, bootloaders might get the ability to manage encrypted MBRs, so we could get a choice to encrypt the MBR and have Real Full Disk Encryption once and for all.

What is it like to use a computer with Full Disk Encryption?

A computer with Full Disk Encryption works the same as any other. The only differences happen at start-up:

  • Executing the firmware: if the bootloader in the firmware can manage encrypted partitions, and you choose to have an encrypted boot partition, the bootloader will notice that the boot partition is encrypted and ask you for the passphrase. This happens typically before graphical initialization, when the screen is still in text mode.
  • Executing the kernel: the kernel will notice that the rest of the partitions are encrypted and ask you for the passphrase. This happens typically after graphical initialization, when the screen is already in graphical mode. Sadly, if you already entered the passphrase to decrypt the boot partition, you still need to enter it a second time for the rest of the partitions. At present this happens because the kernel does not receive the passphrase from the bootloader, and in the future this will likely still happen, because having the bootloader pass the passphrase on to the kernel would be a security risk.

New Instructions

  • Boot into the liveCD environment and, from the installation menu, select Install Trisquel in text mode.
https://trisquel.info/files/Encrypted_Install_01_0.png
  • Select a language.
https://trisquel.info/files/Encrypted_Install_02.png
  • Select your location.
https://trisquel.info/files/Encrypted_Install_03.png
  • Decide if you want the installer to detect your keyboard.
https://trisquel.info/files/Encrypted_Install_04.png
  • Choose the country of origin for your keyboard.
https://trisquel.info/files/Encrypted_Install_05.png
  • Select your keyboard layout.
https://trisquel.info/files/Encrypted_Install_06.png
  • Choose a hostname for your system.
https://trisquel.info/files/Encrypted_Install_07.png
  • Choose a country for your preferred mirror.
https://trisquel.info/files/Encrypted_Install_08.png
  • Select a Trisquel mirror.
https://trisquel.info/files/Encrypted_Install_09.png
  • If you require a proxy to access the Internet, enter the information here.
https://trisquel.info/files/Encrypted_Install_10.png
  • Make sure the timezone the installer detected is correct.
https://trisquel.info/files/Encrypted_Install_11.png
  • Choose the Guided - use entire disk and set up encrypted LVM option.
https://trisquel.info/files/Encrypted_Install_12.png
  • Select the disk to install Trisquel on.
https://trisquel.info/files/Encrypted_Install_13.png
  • Confirm that you are willing to write the changes to disk and configure the LVM.
https://trisquel.info/files/Encrypted_Install_14.png
  • Enter an encryption passphrase.
https://trisquel.info/files/Encrypted_Install_15.png
  • Resubmit the passphrase to verify it.
https://trisquel.info/files/Encrypted_Install_16.png
  • Choose the amount of the volume group to use for guided partitioning.
https://trisquel.info/files/Encrypted_Install_17.png
  • Confirm that you want to write changes to the disk.
https://trisquel.info/files/Encrypted_Install_18.png
  • Select a kernel to install.
https://trisquel.info/files/Encrypted_Install_19.png
  • Enter the full name for the user account that will be created.
https://trisquel.info/files/Encrypted_Install_20.png
  • Choose a username for the user account.
https://trisquel.info/files/Encrypted_Install_21.png
  • Choose a password for the user.
https://trisquel.info/files/Encrypted_Install_22.png
  • Re-enter the password to verify it.
https://trisquel.info/files/Encrypted_Install_23.png
  • Choose if you want to also encrypt your home directory. This can be useful for a computer with multiple users even if the LVM itself is encrypted.
https://trisquel.info/files/Encrypted_Install_24.png
  • Decide how you want to manage upgrades on your system.
https://trisquel.info/files/Encrypted_Install_25.png
  • Choose the software sets you want to install. For this tutorial we will be installing the default Trisquel desktop environment.
https://trisquel.info/files/Encrypted_Install_26.png
  • Select continue to continue software configuration.
https://trisquel.info/files/Encrypted_Install_27.png
  • Configure postfix (if you wish to have an email server).
https://trisquel.info/files/Encrypted_Install_28.png
  • Decide if you want to install the GRUB boot loader to the master boot record.
https://trisquel.info/files/Encrypted_Install_29.png
  • Select if your system clock is set to UTC.
https://trisquel.info/files/Encrypted_Install_30.png
  • Remove the boot media (e.g. Trisquel CD) and press continue to reboot.
https://trisquel.info/files/Encrypted_Install_31.png
  • Enter your encryption passphrase to decrypt the LVM.
https://trisquel.info/files/Encrypted_Install_32.png
  • Login with your user credentials to enter your Trisquel GNU/Linux system.
https://trisquel.info/files/Encrypted_Install_33_0.png
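
Once the system is running, you can check which of the two forms of Full Disk Encryption described above the installation ended up with. The script below is an added example, not part of the original manual or of the Trisquel installer; the function names, the output labels and the sample layout are this example's own, and it assumes lsblk's KNAME, PKNAME, TYPE and MOUNTPOINT columns in -P (pairs) format.

```shell
#!/bin/sh
# Added example: classify a disk layout as one of the two forms of Full Disk
# Encryption described above. Input is the output of
#   lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT
classify_fde() {
    awk '
    # Return the value of KEY="value" on the current line.
    function field(key,    m) {
        if (!match($0, "(^| )" key "=\"[^\"]*\"")) return ""
        m = substr($0, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", m); sub(/"$/, "", m)
        return m
    }
    # Walk up the parent chain looking for a dm-crypt mapping.
    function on_crypt(k,    hops) {
        for (hops = 0; k != "" && hops < 16; hops++) {
            if (type[k] == "crypt") return 1
            k = parent[k]
        }
        return 0
    }
    {
        k = field("KNAME"); parent[k] = field("PKNAME"); type[k] = field("TYPE")
        mp = field("MOUNTPOINT"); if (mp != "") dev[mp] = k
    }
    END {
        if (!("/" in dev)) { print "unknown"; exit }
        root = on_crypt(dev["/"])
        # With no separate /boot mount, /boot lives inside the root filesystem.
        boot = ("/boot" in dev) ? on_crypt(dev["/boot"]) : root
        if (!root) print "not-encrypted"
        else if (boot) print "boot-encrypted"
        else print "boot-not-encrypted"
    }'
}

# Constructed sample: plain /boot partition, LVM on an encrypted partition.
sample_plain_boot() {
    cat <<'EOF'
KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
KNAME="sda5" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="sda5" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="[SWAP]"
EOF
}

sample_plain_boot | classify_fde   # on a real system, pipe lsblk instead
```

A result of boot-not-encrypted means the kernel image in /boot is stored in the clear, so only the second passphrase prompt (from the kernel) appears at start-up.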

Additional Information

  • The steps outlined for this example system may differ based on your needs. For example, if you live in Spain you should not select that you live in the United States.
  • For instructions on how to accomplish this via terminal see the corresponding manual.

Revisions

  • 11/10/2009 - 19:09: Trisquel
  • 02/16/2010 - 06:38: AndrewT
  • 10/18/2011 - 17:49: anonymous
  • 02/03/2012 - 12:51: SirGrant
  • 08/13/2013 - 18:57: lloydsmart
  • 09/03/2014 - 04:37: muhammed
  • 01/05/2016 - 14:14: lembas
  • 01/14/2017 - 11:30: umdhlebe
  • 10/07/2022 - 11:10: Staircase
  • 09/20/2024 - 21:26: knife
  • 02/17/2025 - 05:20: icarolongo
  • 06/15/2026 - 04:26: Ignacio.Agullo