How to setup zero overhead full disk encryption with S3 sleep support

Background

Modern (NVMe) SSDs encrypt all data by default; such a drive is called a self-encrypting drive (SED). They just don’t require a password to access the data. Instead of adding an additional layer of encryption, e.g. using LUKS (additional power usage), I opted to use the capabilities of the device to secure access to the stored data.

Disclaimer:
I use this setup for my installation of Pop! OS 21.04 – This guide is mostly for my own memory.

More information:

I use a fork of sedutil, as it supports newer systems and S3 sleep:
https://github.com/ChubbyAnt/sedutil, https://github.com/ratcashdev/sedutil/tree/badicsalex-s3-sleep-support
WARNING:
This fork of sedutil is not compatible with the original one, as it uses a different hashing algorithm

Very high level overview of the boot process

Cold boot:
The self-encrypting drive (SED) presents a (strangely named) read-only ShadowMBR.
Those 128MB contain the pre-boot authentication (PBA) image with tools to unlock the drive; after unlocking it chain-boots (or restarts) into your real system. It is currently based on syslinux, but can hopefully be replaced by systemd-boot sometime in the future: https://github.com/systemd/systemd/issues/16089.

S3 sleep:
Entering S3 sleep powers down the drive, which locks it.
A systemd service is set up to store the unlock key in the kernel so the drive is unlocked again on resume.

Preparations

Backup all your data!

Download the rescue image from https://github.com/ChubbyAnt/sedutil/releases/tag/1.15-5ad84d8

(For S3 sleep support) Check out and build sedutil-cli from https://github.com/ratcashdev/sedutil/tree/badicsalex-s3-sleep-support, or use my self-compiled version

Setup full disk encryption

Follow: https://github.com/ChubbyAnt/sedutil#encrypting-your-drive

EFI Setup

Create and rearrange the following boot entries (I did this from within my EFI settings)

  1. The EFI boot file in the ShadowMBR
  2. Your normal EFI boot entry

Setup S3 Sleep Support

Based on https://github.com/ladar/sedutil/issues/4

Install sedutil-cli with S3 sleep support (see preparations).

Get your hashed password

sedutil-cli --printPasswordHash <password> /dev/nvme?

Create the systemd service file /etc/systemd/system/seds3sleep.service

(adjust the password hash and /dev/nvme0n1)

NOTE: the trailing n1 is not a typo.

[Service]
Type=oneshot
ExecStart=/opt/sedutil-1.15.1-87/sedutil-cli -n -x --prepareForS3Sleep 0 <Admin1 password hash> /dev/nvme0n1

[Install]
WantedBy=multi-user.target

Enable this service:

# systemctl enable seds3sleep.service && systemctl start seds3sleep.service
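The unit above embeds the Admin1 password hash, which is what actually unlocks the drive, in a file that is world-readable by default under /etc/systemd/system. The following wrapper is an added example (not from the post or the sedutil fork) that reads the hash from a root-only file at run time instead and refuses to run if that file is readable by others; the path /etc/sedutil/admin1.hash and the SEDUTIL_CLI override are assumptions.

```shell
#!/bin/sh
# sed-s3-prepare: run --prepareForS3Sleep with the Admin1 password hash read
# from a root-only file instead of embedding it in the unit file.
# Assumption (not from the post): /etc/sedutil/admin1.hash holds the single
# line printed by "sedutil-cli --printPasswordHash", owned by root, mode 0600.
SEDUTIL_CLI="${SEDUTIL_CLI:-/opt/sedutil-1.15.1-87/sedutil-cli}"

# Accept only hash files that neither group nor others can read.
hash_file_is_private() {
    case "$(stat -c %a "$1" 2>/dev/null)" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

prepare_for_s3() {
    hash_file="$1"
    dev="$2"
    if ! hash_file_is_private "$hash_file"; then
        echo "refusing: $hash_file must be mode 0600 (or 0400)" >&2
        return 1
    fi
    admin1_hash="$(head -n 1 "$hash_file")"
    if [ -z "$admin1_hash" ]; then
        echo "refusing: no hash found in $hash_file" >&2
        return 1
    fi
    # Same invocation as the unit file on the page; 0 is the locking range used there.
    "$SEDUTIL_CLI" -n -x --prepareForS3Sleep 0 "$admin1_hash" "$dev"
}

# Usage: sed-s3-prepare /etc/sedutil/admin1.hash /dev/nvme0n1
if [ $# -eq 2 ]; then
    prepare_for_s3 "$1" "$2"
fi
```

With the wrapper installed as /usr/local/sbin/sed-s3-prepare, the unit's ExecStart becomes `/usr/local/sbin/sed-s3-prepare /etc/sedutil/admin1.hash /dev/nvme0n1`; the hash still passes over the command line of sedutil-cli itself, exactly as in the original unit.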

HP ProBook 440 G4, Ubuntu 17.04 Nvidia Prime and SecureBoot

Short review:

The Display is way better than other reviews state.
Yes, it’s bad in direct sunlight, but I can live with that.

With the brightness turned up I’ll get about 8h of battery while writing in LaTeX or Markdown and occasionally browsing in Chrome.

The HDD slot is a slim one (7mm height).

Secureboot with Nvidia Prime / Optimus / nvidia-prime

This will sign all your new modules automatically after each kernel upgrade.

Reminder: keep your secret key safe, e.g. encrypt your hard drive.

Based on: https://gist.github.com/Garoe/74a0040f50ae7987885a0bebe5eda1aa

# Place all files in ~/.ssl folder

mkdir ~/.ssl
cd ~/.ssl

# Generate custom keys with openssl

openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -subj "/CN=Owner/"

Create the file sign-all-modules (replace <USERNAME> with your user name):

#!/bin/bash

# /etc/kernel/postinst.d hooks receive the freshly installed kernel version as $1;
# fall back to the running kernel when run by hand.
KVER="${1:-$(uname -r)}"

echo "Signing the following modules"
for filename in /lib/modules/"$KVER"/updates/dkms/*.ko; do
    /usr/src/linux-headers-"$KVER"/scripts/sign-file sha256 /home/<USERNAME>/.ssl/MOK.priv /home/<USERNAME>/.ssl/MOK.der "$filename"
    echo "$filename"
done


# INSTALL FILE TO RUN AFTER KERNEL UPGRADE

sudo install ~/.ssl/sign-all-modules /etc/kernel/postinst.d/

# Add the key to the trusted keys database

sudo apt-get install mokutil
sudo mokutil --import ~/.ssl/MOK.der

# install the nvidia driver

Follow https://help.ubuntu.com/community/BinaryDriverHowto/Nvidia, but don’t disable secure boot

# run the script once

cd /etc/kernel/postinst.d/

sudo ./sign-all-modules

# reboot

and enroll the key in the MOK manager that appears in EFI on the next boot
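To confirm that the hook above actually signed everything for the new kernel, the following check is an added example (not part of the original post or gist). It relies on the trailer the kernel's sign-file appends to a signed module, and assumes uncompressed .ko files as on Ubuntu 17.04 (compressed .ko.xz/.ko.zst would need decompressing first).

```shell
#!/bin/sh
# list-unsigned-modules: report DKMS modules that still lack an appended
# signature, e.g. to confirm the postinst hook ran for a new kernel.

# Trailer appended by scripts/sign-file after the signature (28 bytes incl. newline).
MODULE_SIG_STRING='~Module signature appended~'

module_is_signed() {
    # tail -c 28 reads the trailer; $(...) strips the trailing newline for comparison
    [ "$(tail -c 28 "$1" 2>/dev/null)" = "$MODULE_SIG_STRING" ]
}

# Print every unsigned .ko in a directory; returns 1 if any were found.
list_unsigned_modules() {
    found=0
    for ko in "$1"/*.ko; do
        [ -e "$ko" ] || continue
        if ! module_is_signed "$ko"; then
            printf '%s\n' "$ko"
            found=1
        fi
    done
    return $found
}

# Usage: list-unsigned-modules "$(uname -r)"  (or the version a postinst hook got in $1)
if [ $# -gt 0 ]; then
    list_unsigned_modules "/lib/modules/$1/updates/dkms"
fi
```

A non-zero exit from the script means at least one module will be rejected by the kernel while Secure Boot is on, so it is a cheap thing to run before rebooting into the new kernel.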

Switch Graphics Cards

Just install PRIME INDICATOR PLUS – http://www.webupd8.org/2016/10/prime-indicator-plus-makes-it-easy-to.html

sudo add-apt-repository ppa:nilarimogard/webupd8
sudo apt update
sudo apt install prime-indicator-plus

Activate Sleep/Standby on lid close

https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1574120

edit your /etc/systemd/logind.conf
add: HandleLidSwitchDocked=suspend

Side effect: your laptop will sleep with the lid closed and an external monitor attached.

Three Finger as Middle Mouse Button

Click the touchpad in the upper right corner.

OR:

run:

synclient ClickFinger3=2
and
synclient TapButton3=2

make it permanent:
add the commands to the file ~/.profile

Save Power

install laptop-mode-tools: https://wiki.ubuntuusers.de/laptop-mode-tools/

in English with gui: http://www.webupd8.org/2014/01/install-laptop-mode-tools-164-with.html

or you can use sudo powertop --auto-tune
and make those changes permanent: https://askubuntu.com/questions/112705/how-do-i-make-powertop-changes-permanent


Mute Button won’t change color

known bug, but a workaround exists for kernel >= 4.12

download and install kernel from: http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.13-rc1/

(run sudo dpkg -i * in the folder you downloaded the kernel packages to)

then

add "options snd-hda-intel model=mute-led-gpio" to /etc/modprobe.d/alsa-base.conf

https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1683277

bad.horse

Have a look 🙂

and, more importantly, run a traceroute/tracepath (unfortunately it does not work over IPv6 🙁)

traceroute -m 60 bad.horse

For those who don't know it yet:
Dr. Horrible’s Sing-Along Blog

traceroute to bad.horse (162.252.205.157), 60 hops max, 60 byte packets
1 * 2.994 ms 2.979 ms 2.965 ms
2 * 11.606 ms 18.897 ms 18.911 ms
3 * 18.918 ms 18.884 ms 18.891 ms
4 84.116.191.6 (84.116.191.6) 18.889 ms 18.922 ms 22.367 ms
5 de-fra01a-ri2-xe-5-1-1.aorta.net (84.116.133.114) 27.566 ms 84.116.132.193 (84.116.132.193) 25.131 ms de-fra01a-ri2-xe-5-1-1.aorta.net (84.116.133.114) 25.169 ms
6 de-fra01b-ri1-ae-0.aorta.net (84.116.134.6) 25.165 ms hu-bud02a-ra4-xe-3-0-0.aorta.net (84.116.134.10) 15.781 ms de-fra01b-ri1-ae-0.aorta.net (84.116.134.6) 15.682 ms
7 ge-3-0.ir1.frankfurt-he.de.xo.net (80.81.192.182) 18.409 ms 17.097 ms 22.760 ms
8 207.88.15.77.ptr.us.xo.net (207.88.15.77) 38.083 ms 32.522 ms 38.050 ms
9 vb1042.rar3.nyc-ny.us.xo.net (207.88.13.202) 120.580 ms 120.595 ms 120.557 ms
10 207.88.12.104.ptr.us.xo.net (207.88.12.104) 191.350 ms 191.308 ms 193.921 ms
11 207.88.12.138.ptr.us.xo.net (207.88.12.138) 196.560 ms 193.882 ms 196.488 ms
12 207.88.12.103.ptr.us.xo.net (207.88.12.103) 193.841 ms 201.349 ms 196.377 ms
13 te-4-1-0.rar3.denver-co.us.xo.net (207.88.12.22) 176.367 ms 178.996 ms 176.242 ms
14 216.156.16.3.ptr.us.xo.net (216.156.16.3) 176.253 ms 176.192 ms 176.059 ms
15 216.156.1.128.ptr.us.xo.net (216.156.1.128) 172.124 ms 171.795 ms 176.983 ms
16 ip65-46-51-50.z51-46-65.customer.algx.net (65.46.51.50) 176.517 ms 184.513 ms 184.457 ms
17 core.core.xmission.net (166.70.1.1) 191.710 ms 200.864 ms 178.603 ms
18 egw-xmission.saltv1.ut.us.sn11.net (166.70.8.31) 180.838 ms 178.556 ms 180.794 ms
19 sandwichnet.dmarc.lga1.atlanticmetro.net (208.68.168.214) 171.876 ms 174.847 ms 178.406 ms
20 bad.horse (162.252.205.130) 178.286 ms 178.324 ms 168.631 ms
21 bad.horse (162.252.205.131) 171.062 ms 181.741 ms 181.309 ms
22 bad.horse (162.252.205.132) 181.109 ms 174.201 ms 176.738 ms
23 bad.horse (162.252.205.133) 183.625 ms 185.334 ms 181.567 ms
24 he.rides.across.the.nation (162.252.205.134) 184.447 ms 187.110 ms 194.229 ms
25 the.thoroughbred.of.sin (162.252.205.135) 194.213 ms 192.691 ms 202.562 ms
26 he.got.the.application (162.252.205.136) 202.226 ms 199.733 ms 195.140 ms
27 that.you.just.sent.in (162.252.205.137) 199.724 ms 203.772 ms 206.303 ms
28 it.needs.evaluation (162.252.205.138) 210.492 ms 208.204 ms 210.609 ms
29 so.let.the.games.begin (162.252.205.139) 210.485 ms 209.062 ms 212.923 ms
30 a.heinous.crime (162.252.205.140) 220.206 ms 226.476 ms 216.340 ms
31 a.show.of.force (162.252.205.141) 229.920 ms 224.969 ms 223.082 ms
32 a.murder.would.be.nice.of.course (162.252.205.142) 230.455 ms 227.853 ms 231.353 ms
33 bad.horse (162.252.205.143) 235.653 ms 228.670 ms 232.637 ms
34 bad.horse (162.252.205.144) 235.531 ms 242.611 ms 239.582 ms
35 bad.horse (162.252.205.145) 249.041 ms 246.166 ms 248.955 ms
36 he-s.bad (162.252.205.146) 245.018 ms 247.421 ms 244.658 ms
37 the.evil.league.of.evil (162.252.205.147) 254.465 ms 257.244 ms 257.247 ms
38 is.watching.so.beware (162.252.205.148) 269.856 ms 259.916 ms 266.352 ms
39 the.grade.that.you.receive (162.252.205.149) 266.339 ms 266.331 ms 266.323 ms
40 will.be.your.last.we.swear (162.252.205.150) 277.056 ms 277.027 ms 273.451 ms
41 so.make.the.bad.horse.gleeful (162.252.205.151) 277.020 ms 277.013 ms 285.107 ms
42 or.he-ll.make.you.his.mare (162.252.205.152) 278.818 ms 282.077 ms 282.108 ms
43 o_o (162.252.205.153) 282.085 ms 282.059 ms 288.041 ms
44 you-re.saddled.up (162.252.205.154) 285.395 ms 292.051 ms 289.325 ms
45 there-s.no.recourse (162.252.205.155) 301.343 ms 301.342 ms 301.286 ms
46 it-s.hi-ho.silver (162.252.205.156) 304.323 ms 308.594 ms 304.308 ms
47 signed.bad.horse (162.252.205.157) 304.250 ms 298.667 ms 305.277 ms

Android Encryption with CustomROM

If you are using a custom ROM on your device, the encryption process gets stuck at the nice little robot with the gears, and adb logcat only says:

E/Cryptfs ( 217): Bad magic for real block device /dev/block/platform/msm_sdcc.1/by-name/userdata
E/Cryptfs ( 217): Orig filesystem overlaps crypto footer region. Cannot encrypt in place.

it means that your userdata filesystem fills the whole partition.

Android needs a little space left at the end of the filesystem to store encryption-metadata.

But there is a fix for this: https://forum.xda-developers.com/showthread.php?t=2122702

Hurray 🙂

Beware: there is an issue with accessing your data with some recoveries
https://github.com/TeamWin/Team-Win-Recovery-Project/issues/334

—————-

If your Android with a custom ROM, e.g. CyanogenMod, gets stuck on the encryption screen (robot with gears) and the log only shows:

E/Cryptfs ( 217): Bad magic for real block device /dev/block/platform/msm_sdcc.1/by-name/userdata
E/Cryptfs ( 217): Orig filesystem overlaps crypto footer region. Cannot encrypt in place.

then there is a fix here: https://forum.xda-developers.com/showthread.php?t=2122702

The problem is that the userdata filesystem fills the whole partition, but Android needs a little space at the end to store metadata for the encryption.

But beware: there currently seems to be a problem with various recoveries:
https://github.com/TeamWin/Team-Win-Recovery-Project/issues/334

Ubuntu chroot initrd

If your software RAID happens to no longer boot after a restore, and you notice far too late that the symlinks to initrd.img and vmlinuz under / are missing, it may be because your apt has small problems with sub-scripts.

Software RAID rescue:

!!! Restore grub from the chroot !!!


http://wiki.hetzner.de/index.php/Festplattenaustausch_im_Software-RAID


http://wiki.hetzner.de/index.php/Hetzner_Rescue-System#Einbinden_von_LVM-Volumes

one solution: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1325142

On 64-bit systems the file names end in :amd64 instead.

My quick-fix workaround was to turn the exit code errors into warnings:

apt-get -q update

# on the 32bit version:
sed -i -e 's/exit $?/exit 0/' \
"/var/lib/dpkg/info/libpam-systemd:i386.prerm"
service systemd-logind stop

apt-get --yes install systemd-services

sed -i -e 's/exit $?/exit 0/' \
"/var/lib/dpkg/info/libpam-systemd:i386.postinst"

apt-get --yes install libpam-systemd
apt-get -f install --yes

sed -i -e 's/exit $?/exit 0/' \
"/var/lib/dpkg/info/whoopsie.prerm"
apt-get --yes remove whoopsie libwhoopsie0

apt-get --yes upgrade

Hamish