LUKS without LVM (for Dropbox)

Since Dropbox fucked us all over by dropping support for filesystems that aren’t ext4, all the cool things you used to be able to do like encrypting your home folder dead easily with ecryptfs, snapshots with btrfs, LVM etc. are all stuffed. Now the OS must only see a pure ext4 file system, otherwise the Dropbox client will detect it and refuse to synchronise.

There is a solution using loopback mounting to create an ext4 specific to Dropbox; that’s fine but it means you are setting aside a certain amount of space to dedicate to Dropbox, and if your Dropbox gets bigger than that you’re going to have a pain resizing it. Instead I wanted to encrypt the root partition as well, and I want the simplicity and flexibility of one home directory not carved up into special partitions for Dropbox. So this is how I used LUKS to encrypt all my partitions, but without putting LVM in the middle.

This was tested with Mint 19. Should work on Ubuntu and probably Debian.

Intended audience


  • Have some experience with Linux so don’t need total hand holding
  • Don’t want to run a script to configure all this as you want to see/learn what’s going on
  • Aren’t in super-paranoid security mode
  • Want to dual boot
  • Not bothered about hibernation
  • Happy with a swap file instead of a swap partition (default in recent ubuntus)

Windows preparation


  1. Boot new laptop into Windows
  2. Perform all Windows updates
  3. Perform all manufacturer driver updates, especially BIOS
  4. Create a recovery drive (allows us to delete the recovery partition and get that space back)
  5. Run Manage BitLocker and switch off BitLocker (needed so that the Linux installer can safely resize it).
  6. Run Disk management and make sure you understand what partitions exist and what they are all for.
  7. Use the BIOS to disable Secure Boot. You can switch it back on later and it’s just going to cause you a problem in the short term.

Partition preparation and OS installation

  1. Boot from Linux live USB (in my case Mint 19)
  2. Confirm that you have booted in UEFI mode (and not legacy mode). Open a terminal and run:
    efibootmgr

    It should return a list of bootable devices and the current boot order. If it returns an error about EFI variables not being supported, you are booted in legacy mode (the live USB was started through the BIOS/CSM boot entry rather than the UEFI one) and need to fix that first, otherwise the installer will set up a legacy GRUB that the firmware won't find.

  3. Run gparted. You can't do this with the partitioning tool built in to the installer, because the moment it has finished creating the partitions it starts installing to them; the encryption has to be set up in between those two steps, so we do the partitioning before even running the installer.
  4. Delete the recovery partitions you have decided you don't want; you won't need these if you made the recovery drive above. The partition that was called WINRETOOLS in Windows (about 1GB) can go.
  5. Resize the main Windows partition as small as you dare without making it unusable. These days I'd recommend at least 90GB if it's a secondary OS. Mine's 55GB after updates are all applied and before I've installed any apps or put any data on it. Yikes.
  6. In the free space you now have, create your desired Linux partitions as ext4. Make sure you set labels and partition names. You WILL need a separate /boot partition: with this setup GRUB has to find the kernel and initramfs unencrypted, and it is the initramfs that then unlocks the other, encrypted partitions. (GRUB can itself read a LUKS-encrypted /boot, but that is a different and fiddlier configuration from the one described here.) Here's my choice for a 512GB drive:
    New size (MB)   Mount point   File system type   File system label
    800             /boot         ext4               BOOT
    50000           /             ext4               ROOT
    Rest            /home         ext4               HOME

    I separate root and home so that I can reduce the reserved space on /home to 0 whilst maintaining it at 5% on /; I can fill my home drive to the tippy-top without destabilising the system.

    50GB might seem a lot for the root partition but Linux distributions are getting as big as Windows. I've been running a 25GB root partition for the last few years and I'm getting bored with having to keep tidying it up so that I've got room to download updates.

  7. Open a terminal, and enter
    sudo bash

    to switch to a root prompt.

  8. Next enter
    fdisk -l

    This lists all your partitions; note the Device names of the new ones.

  9. Now we'll encrypt the non-boot partitions. This destroys whatever is on them, which is fine since we just created them, but double-check the device names against the fdisk output before pressing enter. You'll need to invent some secure passphrases for them. For the root partition you'll be entering this every time you turn the computer on, so make it secure but typeable. The others will just be emergency backups (we'll replace them with key files later), so you can make them a bit weirder if you like. luksFormat asks for an uppercase YES and then for the passphrase twice. On Mint 19's cryptsetup the result is a LUKS1 container; cryptsetup 2.1 and later default to LUKS2. Either is fine here, because it is the initramfs, not GRUB, that does the unlocking. To encrypt:
    cryptsetup luksFormat <device>

    once for each partition that is NOT /boot. So for me:

    cryptsetup luksFormat /dev/sda5
    cryptsetup luksFormat /dev/sda6

    You'll get prompted for your chosen passphrase for each (twice, to catch typos). Beware keyboard layouts: the live USB may have chosen a US layout, so if your passphrase contains any characters that sit on different keys in the US layout you will not be setting the passphrase you think you are. Remember too that if something goes wrong during boot and you are dropped to a root prompt, or the initramfs is asking for the root passphrase, you may not have the luxury of choosing the keyboard layout. So choose a passphrase with just letters and numbers, or even just letters: making it longer is much better than using a bigger character set.

  10. Now we’ll unlock them so that the installer can see them and use them as partitions. To unlock:
    cryptsetup open <device> <name>

    once for each partition that is NOT /boot. So for me:

    cryptsetup open /dev/sda5 cryptroot
    cryptsetup open /dev/sda6 crypthome

    This creates the two pseudo-partitions /dev/mapper/cryptroot and /dev/mapper/crypthome which the installer can treat as unencrypted partitions and write to normally.

  11. Now we’ll format them:
    mkfs.ext4 -L <label> /dev/mapper/<name>

    once for each partition that is NOT /boot. So for me:

    mkfs.ext4 -L ROOT /dev/mapper/cryptroot
    mkfs.ext4 -L HOME /dev/mapper/crypthome
  12. All is now ready for OS installation. At some point you'll need to override the installer's partitioning scheme, choosing Custom, Something else, or whatever option lets you specify which partitions are used and where. Set the unencrypted boot partition to be mounted at /boot, the EFI partition at /boot/efi, and the new /dev/mapper/cryptroot and other mapped partitions to their appropriate mount points. You don't need to format them as they are new. Make sure the boot loader is set to be installed on /dev/sda (the whole disk, not a partition; on a UEFI machine GRUB's EFI binary actually lands in the EFI partition). Don't select any encryption options in the installer; you've already done it. Once installation is complete, don't reboot. There's more to do yet.
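Steps 8 to 11 as a single script, added here as an example rather than taken from the original post. It assumes the same device, mapped name and label choices as above; the device:name:label argument format and the refusal rules are my own. Its value over typing the commands by hand on a live USB is the checking: it refuses anything that is mounted, already a LUKS container, vfat or NTFS (the EFI or Windows partitions) or labelled BOOT, and it makes cryptsetup re-read the new passphrase with --test-passphrase straight after luksFormat, which catches the keyboard-layout trap above before any filesystem is written behind that key.

```sh
#!/bin/sh
# luks-prep.sh: LUKS-format, unlock and ext4-format every non-boot partition
# (steps 8 to 11 above) with the sanity checks a live-USB session lacks.
# Added example, not the original post's script. Usage:
#   sudo ./luks-prep.sh run /dev/sda5:cryptroot:ROOT /dev/sda6:crypthome:HOME
set -eu

# Split "device:mapname:label" into three whitespace-free fields and print them.
# Rejects anything that would later confuse cryptsetup, mkfs or a shell loop.
parse_spec() {
    spec=$1
    [ "${spec#*:*:}" != "$spec" ] || return 1          # need two colons
    dev=${spec%%:*}; rest=${spec#*:}
    name=${rest%%:*}; label=${rest#*:}
    case $dev in /dev/?*) ;; *) return 1 ;; esac
    case $name in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
    case $label in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
    [ ${#label} -le 16 ] || return 1                    # ext4 label limit
    printf '%s %s %s\n' "$dev" "$name" "$label"
}

# Refuse to wipe a device that is mounted, already a LUKS container, the EFI
# partition or Windows (vfat/ntfs), or the unencrypted /boot (label BOOT).
check_target() {
    dev=$1
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    ! grep -q "^$dev " /proc/mounts || { echo "$dev is mounted" >&2; return 1; }
    ! cryptsetup isLuks "$dev" 2>/dev/null || { echo "$dev is already LUKS" >&2; return 1; }
    fstype=$(blkid -o value -s TYPE "$dev" 2>/dev/null || true)
    fslabel=$(blkid -o value -s LABEL "$dev" 2>/dev/null || true)
    case "$fstype/$fslabel" in
        vfat/*|ntfs/*|*/BOOT) echo "$dev looks like $fstype $fslabel; refusing" >&2; return 1 ;;
    esac
}

encrypt_one() {
    dev=$1; name=$2; label=$3
    check_target "$dev"
    echo "== $dev -> /dev/mapper/$name (ext4 label $label)"
    # luksFormat asks for the passphrase twice and for an uppercase YES.
    cryptsetup luksFormat "$dev"
    # Re-read the passphrase before trusting it: a wrong keyboard layout
    # shows up here, not after the install.
    cryptsetup open --test-passphrase "$dev"
    cryptsetup open "$dev" "$name"
    mkfs.ext4 -L "$label" "/dev/mapper/$name"
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    [ $# -gt 0 ] || { echo "usage: $0 run /dev/sdXN:mapname:LABEL ..." >&2; exit 1; }
    for spec in "$@"; do
        fields=$(parse_spec "$spec") || { echo "bad spec: $spec (want /dev/sdXN:mapname:LABEL)" >&2; exit 1; }
        encrypt_one $fields    # unquoted on purpose: three validated, whitespace-free words
    done
    echo "Unlocked volumes now visible to the installer:"
    ls -l /dev/mapper/
}

# Only act when explicitly asked; sourcing the file just defines the functions.
case "${1:-}" in
    run) shift; main "$@" ;;
esac
```

The --test-passphrase call deliberately makes you type the new passphrase a third time; if it fails, the container is still empty and you can simply luksFormat it again with the layout sorted out.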

Post installation fiddling

From this point onwards I’m going to assume that you are capable of substituting your device names, map names, labels etc. if you have used different values to me, and I’ll just show you what I used.

  1. Now we'll mount the newly-populated partitions to do some fiddling. The installer leaves its own mounts in place, so undo those first (home before root, since it is mounted underneath), then rebuild the tree under /mnt/root. The installed system already contains the /boot and /boot/efi directories, so only the top-level mount point needs creating:
    swapoff -a
    umount /dev/mapper/crypthome
    umount /dev/mapper/cryptroot
    mkdir -p /mnt/root
    mount /dev/mapper/cryptroot /mnt/root
    mount /dev/mapper/crypthome /mnt/root/home
    mount /dev/sda4 /mnt/root/boot
    mount /dev/sda1 /mnt/root/boot/efi
    mount --bind /dev /mnt/root/dev
    mount --bind /proc /mnt/root/proc
    mount --bind /sys /mnt/root/sys

    /dev/sda4 is my boot partition, and /dev/sda1 is my EFI partition (created by Windows). Consult your fdisk -l output from earlier to see which ones yours are.

  2. Now we’ll grab the UUIDs of the encrypted partitions we made:
    lsblk --paths --output=NAME,UUID | grep -v mapper

    You’ll need the UUIDs of your root and home and any other partitions.

  3. Now we'll tell the OS to unlock our encrypted drives while it is booting. Add lines like this to the new file /mnt/root/etc/crypttab:
    cryptroot UUID=756125d1-7845-ab56-cd56-780a-4a45cb56d4cb none luks,discard,noearly
    crypthome UUID=aa54bc47-2356-554d-d5c6-41ac-4a45cb5456a8 none luks,discard,noearly

    The fields are the mapped name, the device, the key (none means prompt at boot) and the options. Note that these are the UUIDs of /dev/sda5 etc. (the LUKS containers), not the UUIDs of the ext4 filesystems inside /dev/mapper/cryptroot etc. The discard option passes TRIM through to the SSD; it reveals which blocks of the encrypted device are unused, a trade most people make for SSD health, but leave it out if that bothers you.

  4. Tighten the permissions on this file. The crypttab itself only names key files, so it is not secret, but the key files it will later point at must be, and it is simplest to keep both owner-only from the start:
    chmod 0600 /mnt/root/etc/crypttab
  5. Set these values in /mnt/root/etc/default/grub:

    Again this is the UUID of the underlying root device such as /dev/sda5.

  6. Now rebuild the initramfs, so that it contains cryptsetup and the crypttab you just wrote, and re-configure the GRUB menu entries, both from inside the new system (this is what the bind mounts in step 1 were for):
    chroot /mnt/root update-initramfs -u -k all
    chroot /mnt/root update-grub
  7. That's it. You can reboot. Your OS should now boot. You'll get prompted twice to enter the passphrases for your encrypted partitions, once for your root partition and once for your home (and more for any others you made). In the next section we'll eliminate some of those. For now, give yourself a pat on the back for getting this far.
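Post-installation steps 2 to 6 as one script, an added example rather than the original post's commands. It assumes the new system is mounted at /mnt/root with the bind mounts from step 1 in place, that each argument is a raw partition plus the mapped name you chose for it, and that the cryptsetup package is installed in the target. It takes the UUIDs from cryptsetup luksUUID so that the container's UUID, not the filesystem's, ends up in crypttab, rejects a malformed UUID rather than writing a crypttab that fails at boot, and leaves /etc/default/grub to you: make those edits before running it.

```sh
#!/bin/sh
# luks-postinstall.sh: the post-installation fiddling as one script. Run it
# from the live USB after the installer finishes, with the new system mounted
# at /mnt/root and /dev, /proc and /sys bind-mounted as in step 1 above.
# It writes /etc/crypttab in the target, locks down its permissions, then
# rebuilds the initramfs and the GRUB menu inside a chroot. Added example,
# not the original post's script. Usage:
#   sudo ./luks-postinstall.sh run /mnt/root /dev/sda5:cryptroot /dev/sda6:crypthome
set -eu

# blkid and cryptsetup print UUIDs as 8-4-4-4-12 hex groups; reject anything
# else before it silently breaks the boot.
valid_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# One crypttab line: <name> UUID=<container uuid> <keyfile or none> <options>.
# "none" means prompt at boot; "discard" passes TRIM through to the SSD.
crypttab_line() {
    name=$1; uuid=$2; keyfile=${3:-none}; opts=${4:-luks,discard,noearly}
    valid_uuid "$uuid" || { echo "bad UUID: $uuid" >&2; return 1; }
    printf '%s UUID=%s %s %s\n' "$name" "$uuid" "$keyfile" "$opts"
}

# UUID of the LUKS header on the raw partition (/dev/sda5), which is the one
# crypttab wants; the ext4 inside /dev/mapper/cryptroot has a different UUID.
# cryptsetup fails here if the device is not a LUKS container at all.
luks_uuid() {
    cryptsetup luksUUID "$1"
}

main() {
    [ $# -ge 2 ] || { echo "usage: $0 run /mnt/root /dev/sdXN:mapname ..." >&2; exit 1; }
    target=$1; shift
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    [ -d "$target/etc" ] || { echo "$target does not look like a mounted root" >&2; exit 1; }
    for d in dev proc sys; do
        mountpoint -q "$target/$d" || { echo "$target/$d is not bind-mounted (see step 1)" >&2; exit 1; }
    done
    tmp=$target/etc/crypttab.new
    : > "$tmp"
    chmod 0600 "$tmp"
    for spec in "$@"; do
        case $spec in *:*) ;; *) echo "bad spec: $spec (want /dev/sdXN:mapname)" >&2; exit 1 ;; esac
        dev=${spec%%:*}; name=${spec#*:}
        uuid=$(luks_uuid "$dev")
        crypttab_line "$name" "$uuid" >> "$tmp"
    done
    mv "$tmp" "$target/etc/crypttab"
    echo "wrote $target/etc/crypttab:"; cat "$target/etc/crypttab"
    # The initramfs needs cryptsetup's hooks to unlock root before mounting it.
    if ! chroot "$target" dpkg -s cryptsetup >/dev/null 2>&1; then
        echo "cryptsetup is not installed in $target; install it (cryptsetup-initramfs on newer releases) first" >&2
        exit 1
    fi
    chroot "$target" update-initramfs -u -k all
    chroot "$target" update-grub      # make your /etc/default/grub edits before this point
}

case "${1:-}" in
    run) shift; main "$@" ;;
esac
```

The crypttab is written to a temporary file that is already 0600 and then moved into place, so there is never a moment where a half-written or world-readable crypttab is what the initramfs build would see.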

Fewer passphrases

All well and good so far, but having to unlock each partition separately is a bit of a pain in the bum. Time to rectify that. Each LUKS container has a number of key slots (eight for LUKS1, 32 for LUKS2), and a slot can hold a key file as well as a typed-in passphrase. So next we'll let the root partition auto-mount the /home partition without us having to type in the passphrase. The key file lives on the encrypted root filesystem, so it is only readable once root has already been unlocked with your passphrase.

  1. Open a terminal on your new installation. Type:
    sudo bash
    umask 077
    dd if=/dev/urandom of=/etc/crypt.home count=1 bs=512
    chmod 0400 /etc/crypt.home
    cryptsetup luksAddKey /dev/sda6 /etc/crypt.home

    This puts 512 bytes of randomness into the file /etc/crypt.home, readable by root only (the umask makes sure it is never world-readable, even for an instant), and stores it as a second key for the /home partition. luksAddKey asks for one of the existing passphrases first.

  2. Next we open the file /etc/crypttab. In the home entry, replace the none in the key field (which is what makes it prompt you for a passphrase) with the key file:
    crypthome UUID=aa54bc47-2356-554d-d5c6-41ac-4a45cb5456a8 /etc/crypt.home luks,discard,noearly
  3. Reboot. Now you should only be prompted for the password for your root partition, and home should auto-mount.

Should something ever go wrong, the passphrase you originally set for the home partition is still valid (it occupies its own key slot), so you can use that as a recovery passphrase for getting in. Store it safely, and consider keeping a backup of the LUKS header as well, since a damaged header makes every key slot useless at once.
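The key-file step as a script, an added example rather than the original post's commands; the same enrol step fits the USB-derived root key in the next section if you skip the key-file creation. What it adds to the commands above: the key file is created under umask 077 so it is never readable by others, the new slot is verified with cryptsetup open --test-passphrase before crypttab is touched, and the crypttab edit rewrites only the key field of the named entry rather than relying on a hand edit. The argument order and the awk helper are my own.

```sh
#!/bin/sh
# add-keyfile.sh: create a random key file on the already-encrypted root
# filesystem, enrol it in a spare LUKS key slot, prove it unlocks the
# container, then point that volume's crypttab entry at it. Added example,
# not the original post's commands. Usage:
#   sudo ./add-keyfile.sh run /dev/sda6 crypthome /etc/crypt.home
set -eu

# Rewrite column 3 (the key) of one crypttab entry, leaving every other line,
# comment and blank untouched. Reads crypttab text on stdin, writes to stdout.
set_crypttab_keyfile() {
    awk -v n="$1" -v k="$2" '
        $1 == n && NF >= 3 { $3 = k }
        { print }'
}

# Create the key file with owner-only permissions from the first byte; a
# 512-byte /dev/urandom key is far stronger than any typed passphrase.
make_keyfile() {
    keyfile=$1
    [ ! -e "$keyfile" ] || { echo "$keyfile exists, refusing to overwrite" >&2; return 1; }
    ( umask 077 && dd if=/dev/urandom of="$keyfile" bs=512 count=1 status=none )
    chmod 0400 "$keyfile"
}

# Add the key file as an extra slot (cryptsetup asks for an existing
# passphrase), then check it really opens the container without mapping it.
enrol_keyfile() {
    dev=$1; keyfile=$2
    cryptsetup luksAddKey "$dev" "$keyfile"
    cryptsetup open --test-passphrase --key-file "$keyfile" "$dev"
    echo "key file $keyfile unlocks $dev; slots now in use:"
    cryptsetup luksDump "$dev" | grep -iE 'key ?slot'
}

main() {
    [ $# -eq 3 ] || { echo "usage: $0 run DEVICE MAPNAME KEYFILE" >&2; exit 1; }
    dev=$1; name=$2; keyfile=$3
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    grep -Eq "^$name[[:space:]]" /etc/crypttab || { echo "no /etc/crypttab entry for $name" >&2; exit 1; }
    make_keyfile "$keyfile"
    enrol_keyfile "$dev" "$keyfile"
    # Write the new crypttab owner-only and swap it in atomically.
    ( umask 077 && set_crypttab_keyfile "$name" "$keyfile" < /etc/crypttab > /etc/crypttab.new )
    mv /etc/crypttab.new /etc/crypttab
    echo "updated /etc/crypttab:"; cat /etc/crypttab
}

case "${1:-}" in
    run) shift; main "$@" ;;
esac
```

No initramfs rebuild is needed for /home, which is unlocked after root is mounted; for a volume the initramfs itself opens (root, or anything with the initramfs option), run update-initramfs -u afterwards as in the next section.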

No passphrases

By now you're thinking "Why don't I do this for the root partition too?". You'd have to store the key somewhere other than the (not-yet-unlocked) root partition. That couldn't be the /boot partition, as that isn't encrypted (the way we've done it), so you'd be storing the keys to the kingdom in the clear for your laptop thief to recover. Instead, here's a nicer way: store it on a USB drive. If the drive is plugged in, use it to open the root partition automatically; if it isn't, prompt for a passphrase. If you leave this drive plugged in to a USB hub at home, then whenever you are at home it will be there and unlock automatically, but if you take the laptop elsewhere the drive won't be attached and the passphrase will be requested. Automatic security the moment you leave the house! Be clear about what this does and doesn't protect: whoever holds the stick (or a copy of its first 512 bytes) holds a root key, so treat the stick like a written-down passphrase, and nothing here stops someone with physical access from tampering with the unencrypted /boot.

  1. Get a sacrificial USB drive. You will erase all its content, and probably never use it for anything else again. I would recommend one with a clearly visible light, and without any fancy retraction mechanisms. You don't want there to be iffiness about whether it's plugged in or not. Smaller is better; it really only needs to be a few MB in size.
  2. plug in the drive and open a terminal again:
    sudo bash

    Look at the end of the output from dmesg to see what device name your drive has been given. If you only have one internal drive and this is the only stick plugged in it will probably be sdb, but it’s best to check.

  3. Destroy the contents of the stick by filling it with random data. Only the first 512 bytes will be used as the key, but overwriting the lot removes any old filesystem, so nothing will try to mount the stick later:
    dd if=/dev/urandom of=/dev/sdb bs=4M status=progress

    The bigger the stick the longer this will take (bs=1 would write one byte per system call and take hours). It stops with a "No space left on device" error when it reaches the end, which is expected.

  4. Extract a key from the randomness written to the drive and add it as a second key for the root partition (you'll be asked for the root passphrase first):
    dd if=/dev/sdb of=/etc/crypt.root bs=512 count=1
    cryptsetup luksAddKey /dev/sda5 /etc/crypt.root

    The copy in /etc/crypt.root is only needed for this step; the boot-time script reads the stick directly, so you can shred the file afterwards if you prefer.
  5. Note down the path to the USB drive:
    ls -l /dev/disk/by-id

    If it's not obvious which one it is, pull the stick out and ls again to see which entry has disappeared. Use the entry for the whole stick, not a -partN one (after the random fill there are no partitions anyway). Copy this into your clipboard.

  6. Create this file as /usr/local/sbin/unlockusbkey.sh, substituting the by-id path you just copied for the placeholder, and make it executable (chmod 0755). A keyscript must write the key to standard output; everything else goes to standard error so it doesn't end up in the key:
    #!/bin/sh
    # Key script for cryptroot: print the key to stdout if the USB stick is
    # present, otherwise fall back to asking for the passphrase.
    # Path from "ls /dev/disk/by-id" (placeholder: substitute your own stick)
    USBKEY=/dev/disk/by-id/usb-YOUR_STICK_ID
    # flag tracking key-file availability (0 = got it)
    OPENED=1
    # give the system time to settle and open the USB device
    sleep 2
    # check for the specific USB key
    if [ -b "$USBKEY" ]; then
        # if device exists then output the keyfile from the usb key
        dd if="$USBKEY" bs=512 count=1 2>/dev/null
        OPENED=$?
    fi
    if [ $OPENED -ne 0 ]; then
        echo "FAILED to get USB key file ..." >&2
        if [ -x /bin/plymouth ] && plymouth --ping; then
            plymouth ask-for-password --prompt "Enter passphrase"
        else
            /lib/cryptsetup/askpass "Enter passphrase"
        fi
    else
        echo "Success loading key file. Moving on." >&2
    fi
    sleep 1
    exit 0
  7. Modify the root partition entry of /etc/crypttab to add the keyscript option on to the end:
    cryptroot UUID=756125d1-7845-ab56-cd56-780a-4a45cb56d4cb none luks,discard,noearly,keyscript=/usr/local/sbin/unlockusbkey.sh
  8. Finally, rebuild the initramfs. The keyscript is copied into it, so repeat this whenever you change the script:
    update-initramfs -u

All done. Now if you boot with the stick in, the root partition should be unlocked automatically, and if you boot without it you'll be prompted for its passphrase. Enjoy!

HMRC form CT600 on Linux

In 2011, CT600 worked on Linux if you followed some complicated steps to manually import the SSL certificates from Companies House and HMRC websites. In 2012, it broke, with no amount of manual importing resolving the error

SSL Error!!!. Please install the CA Certificate(s) for SSL communication. If certificate resides on local disk, try "acroread -installCertificate [-PEM|-DER] [pathname]" on the command line. If certificate resides on the server, try "acroread -installCertificate 443" on command line.

HMRC helpdesk were clueless, sending me back the forum link I had sent them, and asking me to make sure that I was using Adobe Reader. The good news is that I attempted to use it again yesterday, and it all just worked without any fiddling. I used Adobe Reader 9.5.3 32-bit on Ubuntu 12.10 64-bit. Just follow HMRC's instructions on fiddling with Adobe Reader's security settings, and all should be well.

Also see my post on Adobe Reader on 64-bit Linux.

Ubuntu 12.04 CD or DVD fails to boot on UEFI machines with ‘error: “prefix” not set’

Downloaded the Ubuntu 12.04 ISO? Failed to boot from it with this error? Checked the hash of the ISO and it seems correct? Thoroughly confused? grkrishna1984 is your man. Whilst I was sceptical at first, his advice proved good. There is indeed a file called “ubuntu” in the root of the ISO, and removing it seems to solve the problem.

The ISO Master program he refers to is available on Linux and Windows. Simply use it to open up the ISO file, and remove the offending file:

Then File > Save As and burn to CD.

Sony Vaio S1511 hard disk swap for SSD

Yes, you too can do it, and with one screwdriver.

I spent a fair while browsing laptops to find one that would suit my needs. What I wanted was a 15″ 1080p ultrabook. What I discovered is that there weren't many. Many Spring 2012 blogs were predicting them, but in Aug 2012 there were just a few to choose from. Anyhoo, I ended up with a Sony Vaio S 15. My previous (now blown up) laptop was an i7, and in the two years it was alive, it was hardly ever pushed beyond 3%, so I decided not to waste the money and dropped down to i5. Extra memory I can get anywhere cheaply, so I didn't see the need to pay Sony a premium for that either. What I did want was an SSD, as in other computers I work on it has introduced a step change in the speed I work at. Problem was, Sony wanted £400 for a 256GB SSD. I beg your pardon? £400? Not sure what planet they're on, when a very well reviewed SSD can be bought on Amazon for £150. So I wanted to know before I bought the Vaio if it would be easy to swap the HDD for an SSD I bought myself. Answer – it is.

Making the change

You’ll need one Phillips Head size 1 screwdriver. Here’s the laptop:

Flip it over and you’ll see there’s a user removable section on the base. Remove the two screws that hold it in and pull towards the edge of the laptop.

The two screws to remove are in the foreground in this photo

You can now access the battery, the spare memory slot and the hard disk. You’ll see the hard disk has four screws holding it down. Remove these and unplug the hard disk.

The hard disk has two metal mounting strips attached to each side. Swap these over to the SSD.

And screw back in

That’ll be £250, please

Moving the data

If the two disks were equal in size, or the SSD was bigger, you could clone the HD to the SSD and then expand the partitions. Instead the SSD is smaller than the HD, so some juggling is required. The retail version of the SSD linked above comes with a USB SATA cable and software to help you do this, but I had the OEM version and was installing Ubuntu, so my steps were more complicated than yours might be. My steps were:

  1. Made a bootable Ubuntu USB drive
  2. Booted from it
  3. Connected the old drive to the computer with a USB SATA adaptor
  4. Ran gparted
  5. Created a new GPT partition table on the SSD (time to move in to the 21st century)
  6. Shrank the NTFS partition on the old drive to 50000MB
  7. Used dd to copy the partition from the old drive to the SSD
  8. Ran the Ubuntu installer
  9. Added a 1MB "Reserved for boot" partition in the space at the beginning of the drive (needed to store the boot loader under GPT when booting in legacy BIOS mode)
  10. Added a 2GB swap partition
  11. Added a 15GB ext4 root partition
  12. Used the rest as a btrfs home partition
  13. Installed Ubuntu


Since I am switching a lot between distributions at the moment, I will start building this list of equivalent commands.

Note that the repoquery command is only available once you have installed yum-utils, and apt-file only once you have installed apt-file.

Objective                                    APT                                                         RPM
Install package from repository              apt-get install <package-name>                              yum install <package-name>
Remove package                               apt-get remove <package-name> (leaves config files)         yum remove <package-name>
                                             dpkg -r <package-name> (leaves config files)                rpm -e <package-name>
                                             dpkg -P <package-name> (purges config files)
List installed packages                      dpkg -l                                                     rpm -qa
Find package owning file                     dpkg -S <file>                                              rpm -qf <file>
Search for package name in repository        apt-cache search <package-name>                             repoquery '*<package-name>*'
Find which repository a package came from    grep <package-name> /var/lib/apt/lists/* | grep "Filename:" repoquery -i <package-name>
Find which package would provide a file      apt-file search bin/grep                                    repoquery --whatprovides '*bin/grep'
  if it was installed

Installing the Rhythmbox equaliser

In the absence of any instructions being provided, here’s how to install the equalizer plugin referred to here

The goal is to copy the equalizer folder into one of Rhythmbox's plugin search paths. To find out where your copy of Rhythmbox looks for plugins, run Rhythmbox from the command line like this:

rhythmbox -d 2>&1 | grep "plugin search path"

You should get some output like this:

user@work:/usr/share/rhythmbox/plugins$ rhythmbox -d 2>&1 | grep "plugin search path"
(10:02:33) [0xf93090] [construct_plugins] rb-shell.c:983: plugin search path: /home/user/.local/share/rhythmbox/plugins
(10:02:33) [0xf93090] [construct_plugins] rb-shell.c:991: plugin search path: /usr/lib/rhythmbox/plugins / /usr/share/rhythmbox/plugins

Use the /home location to install just for you, and the /usr/share location (or /usr/local/share location if there is one in your list), to install for all users. For /usr locations, you should in theory put some of the files in /usr/share, and some in /usr/lib, but since no instructions are available as to which files are supposed to go where, I just copy the whole directory into both locations. Assuming you are copying into your home directory:

git clone
cd rhythmbox-plugins
mkdir -p ~/.local/share/rhythmbox/plugins
cp -r equalizer ~/.local/share/rhythmbox/plugins

Don't use sudo for the copy into your own home directory, or the plugin files end up owned by root. Now run Rhythmbox again. Go to Edit > Plugins and you should see Equalizer in the list. You should now be able to enable it. If it fails to enable, and you are running Ubuntu 12.04 64-bit, then you have hit this issue. Do this to resolve it:

sudo apt-get install gir1.2-gconf-2.0

Once enabled, you will find a new button in the main toolbar: