Installing Kali with luks and /boot in encrypted lvm

[skepticnerdguy]

Hardware is an MSI G70 laptop.
Internal HDD is a Samsung msata 500gb SSD
Installing Kali Linux 64 Bit 2019.a on a USB drive.
Checksum on iso checks out.

I have made several attempts at installing kali 2019.a on a luks encrypted lvm and been met with no success. I am specifically attempting to install the OS with the /boot partition within the luks encrypted volumes. I have been met with failure and am now posting here.

The original setup and first attempt.
sda
|- sda1 fat32 esp partition (550MB)
|- sda2 ntfs OEM partition (450MB)
|- sda3 some windows proprietary partition (17MB)
|- sda4 ntfs Windows partition (~180GB)
|- sda5 ntfs Windows recovery partition (~don't remember the size that this was allocated, a few GB)
|- sda6
`-luks encrypted partition logical volume group 300GB
|- lvm 1 kali root (~278 GB)
`- lvm 2 kali swap area (~12 GB)

The above setup might not be perfectly accurate as it was the first attempt and did not document anything properly, I manually created the esp partition first, then installed windows leaving ~300GB free on the drive. Assume sda2-sda5 are the normal partitions windows creates during install. The windows install was creating five days ago using the Microsoft Media Creation Tool.
First attempt was to install windows 10 first then install kali in the left over space, windows installed perfectly fine, but when installing kali I ran into the "Executing grub-install dummy failed" error. I attempted multiple times to re-install to see if my install method was wrong but it still failed in the same manner. I saw the procedures listed here and here and they did not work for me. I got as far as booting into grub after inputting the passphrase but was unsure how to proceed. When I exited grub, it booted straight into windows. I gave up on dual boot and wanted to try to install Kali on encrypted LVMs on its own to start so i can at least get a better understanding of the process. So i deleted all the partitions and proceeded.

Next attempt looked like this
sda
|- sda1 fat32 esp partition (550MB)
|- sda2
`-luks "crypto" encrypted partition logical volume group 300GB
|- lvm 1 kali ext4 root (~278 GB)
`- lvm 2 kali swap area (~12 GB)
Free space left over is for windows 10 install after (never got that far)

It again gave me the "Executing grub-install dummy failed" error. I attempted the fix linked above again, and again it it half worked and put me into grub. (it asks me for the encryption passphrase and goes into grub command line)

So for the sake of experimentation, i installed Kali with no encryption on the entire disk (using guided partition/use entire disk) and it worked fine, no errors. Not what I am looking for and not what I am trying to do, so I deleted the partitions and went again to try the encrypted route.

Lastly I tried again but with the /boot partition outside the encrypted lvm.

sda
|- sda1 fat32 esp partition (550MB)
|- sda2 ext2 /boot partition (250MB)
|- sda3
`-luks "crypto" encrypted partition logical volume group 300GB
|- lvm 1 kali ext4 root (~278 GB)
`- lvm 2 kali swap area (~12 GB)

This worked, but is not what I want to do, I have the system installed like this for now but plan on re-attempting the first or second method to keep /boot in the encrypted volume.

I do want to dive a bit into what I tried to do for the fix that @_default listed a few times in the forum.
I tried the below commands, this will be listed for the second scenario's drive structure

sda
|- sda1 fat32 esp partition (550MB)
|- sda2
`-luks "crypto" encrypted partition logical volume group 300GB
|- lvm 1 kali ext4 root (~278 GB)
`- lvm 2 kali swap area (~12 GB)
I got as far as "Executing grub-install dummy failed" error, then proceeded with no boot loader.
I booted into Kali live off the USB install drive.
I unlocked the encrypted partitions in the drive manager, they were listed as so.
/dev/crypto/root
/dev/crypto/swap

I proceded with the instructions @_default had listed in this forum post I modified them to adhere to my drive structure.

mount /dev/crypto/root /mnt
mount --bind /dev /mnt/dev
mount --bind /proc /mnt/proc
mount --bind /sys /mnt/sys
mount /dev/sda1 /mnt/boot/efi
mount -o remount,rw /dev/sda1 /mnt/boot/efi
mkdir /mnt/hostrun
mount --bind /run /mnt/hostrun
chroot /mnt
mkdir /run/lvm
mount --bind /hostrun/lvm /run/lvm
grub-install /dev/sda
<------------------------------------------------------see note 1
update-grub
<------------------------------------------------------see note 2
exit
umount /mnt/dev
umount /mnt/proc
umount /mnt/sys
umount /mnt/boot/efi
umount /mnt/hostrun
umount /mnt/run/lvm
umount /mnt

Note 1:
During grub-install I got several warnings listing all the drives and partitions, below is an example.

"WARNING: Device /dev/loop0 not initialized in udev database even after waiting 10000000 microseconds."

following about 10 minutes of these warnings i got the error about changing "GRUB_ENABLE_CRYPTODISK=y" in /etc/default/grub
I did so and initiated the grub-install again.
This time it proceded to show the warnings again for about 10+ Minutes but this time it finished saying it succeed in installing the "x86_64-efi platform"

Note 2:
update-grub has something else going on, it hangs forever. I don't know what its doing but I left the laptop for over an hour and it does not complete.
I cancelled the operation (CTL+X) and wasnt sure what to do from here. I tried it several times and it hangs indefinitely. Eventually I give up, cancel the operation again and restart.


After all of this, I see the grubs screen asking for a passphrase, so I enter it and I am met with a black screen with a GNU GRUB version 2.02 and a short intro and "grub>" command line option.
Does this mean I have a partial fix? I am not sure what to do here as I am unfamiliar with grub command line.

I am fairly new to linux, i have been teaching myself here and there with my homelab setup, installing various flavors of linux into VMs but have not tried anything with encryption. I am trying to setup linux (specifically Kali) onto this laptop and would like to secure it with encryption. I plan on encrypting the windows partition as well using veracrypt. I know that will also break things within the esp partition, but the fix for that looks simple enough from what I have seen. First I want to tackle the issue with encrypting linux in order to build an understanding and educate myself.

I appreciate any and all help with this, this has been frustrating, but educational. I hope to be able to resolve this and also get a better understanding of what is going on.

[Synectik]

I am on the same boat as you, it has been a nightmare this past couple of days to figure this out - it's ridiculous how challenging it is to do a full install to USB with encryption and UEFI support - something that linux mint does automatically within a few minutes. I'm even more surprised to take so long to find the solution - I'm imagining most people end up just giving up on this.

The steps to do this are as follows:

1. Unplug all hard drives from the computer so you don't mess up existing OS and plug both USB sticks you will be using (one with the live install and the other formatted as GPT)

2, Install Kali as you would normally do - for UEFI you will need two unencrypted partitions - The EFI partition (that has the boot flag) and a separate boot partition (I use ext2 and mounted on /boot); In the remaining space create volume for encryption and configure the logical volumes as you see fit (I use a small swap and root logical volumes); continue the installation until the end;

EDIT: At this point I find that if I do not remove the USB after install, while the boot configuration is still stored in Nvram, I can easily boot directly into the newly installed system - in that case there is no need to mount anything, just log in, edit the '/etc/default/grub' as in step 7 and run:

Code:

grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=<whatever name> --boot-directory=/boot --removable --recheck --debug

update-grub

After that reboot into the system - you will be asked the encryption password twice - to prevent that just comment out or delete the "GRUB_ENABLE_CRYPTODISK=y" in '/etc/default/grub' and run 'update-grub' again.

# If needed to install grub after removed from nvram (when it's not recognized as UEFI disk) carry on bellow

3. Boot again from the live OS to rebuild the EFI bootloader

4. In the live session, open the encrypted root partition on the usb so you can mount it (use Disk or "cryptsetup open" in shell)

5. Find out which one is your root volume with lvscan command and confirm that it is active;

6. Mount the necessary partitions - For the sake of this tutorial I'll assume your USB is partitioned with sdX1 (the EFI system partition), sdX2 (the /boot partition) and sdX3 (the LUKS encrypted Volume) and that "vgkali" is your encrypted volume group and "lvroot" is your root logical volume name:

7. edit your "/etc/default/grub" and add the entry "GRUB_ENABLE_CRYPTODISK=y";

8. Open Terminal and run:

Code:

mount /dev/mapper/vgkali-lvroot /mnt
mount --bind /dev /mnt/dev
mount --bind /proc /mnt/proc
mount --bind /sys /mnt/sys
mount --bind /sys/firmware/efi/efivars /mnt/sys/firmware/efi/efivars
mount /dev/sdX2 /mnt/boot
mount /dev/sdX1 /mnt/boot/efi
mount -o remount,rw /dev/sdX1 /mnt/boot/efi
mkdir /mnt/hostrun
mount --bind /run /mnt/hostrun
chroot /mnt
mkdir /run/lvm
mount --bind /hostrun/lvm /run/lvm

grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=<whatever name> --boot-directory=/boot --removable --recheck --debug
update-grub

(At this stage it seems like it hangs - it took about 10 minutes for it to answer "generating configuration file" and probably another 10 minutes until it started outputting udev errors; at this time i interrupt with ctrl+c and continue unmounting)

Code:

exit
umount /mnt/dev
umount /mnt/proc
umount /mnt/sys/firmware/efi/efivars
umount /mnt/sys
umount /mnt/boot/efi
umount /mnt/boot
umount /mnt/hostrun
umount /mnt/run/lvm
umount /mnt

Turn off the computer, remove the USB and insert it into another UEFI computer and it should be recognized as a UEFI device and you will be able to boot it. It is also recognized as UEFI in a macbook.

edit: to avoid inputting the encryption password twice edit the /etc/deafults/grub and comment out/delete the "GRUB_ENABLE_CRYPTODISK=y" option and run update-grub again.

Note: when running update-grub, it will pick-up on other UEFI OS that can find and list the entries in the grub menu - to avoid this run update-grub without any other drive attached.


The "--removable" argument in the "install-grub" above is the key to force the EFI installation to the USB EFI partition and make it recognized as UEFI and bootable from other computers.


I can't believe this is not done by the default installer when recognizing a USB device and that it took me the best of two days to finally figure it out.

Hopefully it will help you save some time.

[Synectik]

Note 2:
update-grub has something else going on, it hangs forever. I don't know what its doing but I left the laptop for over an hour and it does not complete.
I cancelled the operation (CTL+X) and wasnt sure what to do from here. I tried it several times and it hangs indefinitely. Eventually I give up, cancel the operation again and restart.


After all of this, I see the grubs screen asking for a passphrase, so I enter it and I am met with a black screen with a GNU GRUB version 2.02 and a short intro and "grub>" command line option.
Does this mean I have a partial fix? I am not sure what to do here as I am unfamiliar with grub command line.

I am fairly new to linux, i have been teaching myself here and there with my homelab setup, installing various flavors of linux into VMs but have not tried anything with encryption. I am trying to setup linux (specifically Kali) onto this laptop and would like to secure it with encryption. I plan on encrypting the windows partition as well using veracrypt. I know that will also break things within the esp partition, but the fix for that looks simple enough from what I have seen. First I want to tackle the issue with encrypting linux in order to build an understanding and educate myself.

Although my specific scenario was to install Kali encrypted on a USB, it can help you manually installing it to the disc after you have installed windows;

Windows 10 Pro has bitlocker built into that you can/should use to encrypt the entire system partition. I would install windows 10 first and let part of the hard drive unformatted to manually install kali afterwards; If you will not be removing the hard drive you shouldn't need to install grub to the partition as you can use nvram (if your laptop has it); The errors you are getting are specifically linked to the fact that you haven't mounted the /boot partition before chrooting.

If you are new to Linux and do not have a specific reason to install Kali I would much more recommend an easier distribution such as linux mint which is ubuntu based and better suited for a daily-use system;