The Dell XPS and Precision laptops with Linux pre-installed are great for personal and business use. Unfortunately, they lack an important feature: their disks have been factory pre-installed without encryption. Read below how to add that to the system without having to reinstall.<\/p>\n\n\n\n\n\n\n\n
The factory setup for Dell XPS and Precision with Linux is using just plain \/dev\/nvm0n1p1, p2 and p3 unencrypted partitions. So no matter how fancy your password is – all of your data may be exposed, should your laptop fall in the wrong hands. Fixing this is a relatively straight forward job, which I’ll describe below. You will need a large micro SD card – large enough to contain all of your data, plus an Ubuntu live CD (another 4Gb). I used a 256G micro SD card. (In the example a much smaller micro SD card is used).<\/p>\n\n\n\n
What we’ll do is: 1) prepare your system for LVM2 and LUKS, and make a backup; 2) prepare the micro SD card; 3) start the system from this card; 4) copy the root file system to an LVM2 volume on this card. 5) We’ll check – double-check; 6) then erase \/dev\/nvm0n1p3; make a new p3 and a p4; 7) we’ll prepare p4 to be an LVM2 physical volume and finally use pvmove to put the root file system back.<\/p>\n\n\n\n
Step 1. Install lvm2 and cryptsetup on your laptop. (Should you happen to have an Ubuntu minimal<\/em> install, then these packages have not been installed, so we better make sure they are there). So go apt-get install lvm2 cryptsetup.<\/em> Then make a proper backup. Doesn’t matter where you put it, but do make a backup. I personally use “rsync” a lot, something like sudo rsync -ax –numeric-ids –delete \/ \/media\/….\/something should do the job.<\/p>\n\n\n\n Step 2. Download an installer CD for Ubuntu. Write it to your micro SD card using the Startup Disk Creator. This will create a 3Gb “iso9660” filesystem (a “DVD”), and an EFI partition of 4Mb. In the example below, our SD card can be found in \/dev\/mmcblk0<\/em>.<\/p>\n\n\n\n Now use “fdisk” to add an extra partition. Please note the “wipe” option – seemingly necessary to prevent fdisk from removing the iso9660 signature.<\/p>\n\n\n\n Let’s make this an LVM2 physical volume right away:<\/p>\n\n\n\n As you can see, I am not encrypting the SD card. This means that you should properly wipe your copy once you’re done, because all of your files will be readable from this micro SD card. You could argue that an encrypted \/dev\/mmcblk0p3 is better, feel free to implement that, it’s not hard (cryptsetup luksFormat, then luksOpen and finally make the lvm disk on the luks opened device).<\/p>\n\n\n\n 3) Now start your laptop from this live Ubuntu system on the new SD card. That will probably involve some BIOS setup trickery, telling your laptop to “boot from sd card” and turning “fast bios” off. Please ask the internet how to proceed, it’s not in this blog post.<\/p>\n\n\n\n Select “Try Ubuntu” once the graphical desktop is visible. Then start a terminal and type “sudo -i” to become root.<\/p>\n\n\n\n 4) mount both the original root-filesystem from your laptop and the newly made LVS partition. Proceed as follows:<\/p>\n\n\n\n You are now ready to copy everything from source to destination. Choose your favourite copying program. You can use “cp” (but mind any hidden directories that your root fs could theoretically have) or use “rsync”:<\/p>\n\n\n\n So let’s assume you copied everything and are ready to try start your new root filesystem. This is going to be a bit tricky: we are going to tell the operating system to start from our new \/dev\/vg42\/root, but in order to do that, we must change files in the original<\/em> root directory.<\/p>\n\n\n\n Yes, you read that right: the boot sequence of the laptop will, for now, be unchanged and it will first try to start a boot loader from the EFI partition; and in turn, this bootloader will fetch its configuration from the \/boot directory inside \/dev\/nvm0n1p3. So here is our next step:<\/p>\n\n\n\n Find menuentry “Ubuntu” and change the root filesystem from UUID=….<\/em> to \/dev\/vg42\/root:<\/p>\n\n\n\n Also, to not annoy the OS too much, we’ll change \/etc\/fstab to be in sync with our new setup: our root filesystem now is on LVM2, and is called \/dev\/vg42\/root.<\/p>\n\n\n\n If you’re feeling confident, adventurous or simply irresponsible, you could use sed<\/em> to change the file for you, replace the nano<\/em> command above with:<\/p>\n\n\n\n Unmount \/mnt\/source and reboot the laptop. It should now boot with \/dev\/vg42\/root as its root filesystem. (However, beware: if you run “update-grub”, your change will be gone and the original \/dev\/nvm0n1p3 will be used for root filesystem). We’re half way now, and ready to encrypt the disk.<\/p>\n\n\n\n This is the tricky part: removal of the original root filesystem, repartitioning the hard drive and setting up the encrypted filesystem. Oh, for reasons too complicated to explain, my example doesn’t use a GPT partition table. That is why the question about a “primary” or “extended” partition comes up. Please ignore this.<\/p>\n\n\n\n We will use fdisk to remove the original \/dev\/nvm0n1p3, add a small 500Mb boot partition \/dev\/nvm0n1p3 and an encrypted \/dev\/nvm0n1p4:<\/p>\n\n\n\n$ sudo fdisk --wipe never<\/strong> \/dev\/mmcblk0\n Welcome to fdisk (util-linux 2.34).\n Changes will remain in memory only, until you decide to write them.\n Be careful before using the write command.\n Command (m for help): n<\/strong>\n Partition type\n p primary (2 primary, 0 extended, 2 free)\n e extended (container for logical partitions)\n Select (default p): p<\/strong>\n Partition number (3,4, default 3): <enter><\/strong>\n First sector (5999872-30277631, default 6000640): <enter><\/strong>\n Last sector, +\/-sectors or +\/-size{K,M,G,T,P} (6000640-30277631, default 30277631): <enter><\/strong>\n Created a new partition 3 of type 'Linux' and of size 11,6 GiB.\n Command (m for help): w<\/strong>\n The partition table has been altered.\n Syncing disks.\n \n$ sudo fdisk -l \/dev\/mmcblk0<\/strong>\n Disk \/dev\/mmcblk0: 14,45 GiB, 15502147584 bytes, 30277632 sectors\n Units: sectors of 1 * 512 = 512 bytes\n Sector size (logical\/physical): 512 bytes \/ 512 bytes\n I\/O size (minimum\/optimal): 512 bytes \/ 512 bytes\n Disklabel type: dos\n Disk identifier: 0x2cf4ba3a\n Device Boot Start End Sectors Size Id Type\n \/dev\/mmcblk0p1 * 0 5999871 5999872 2,9G 0 Empty\n \/dev\/mmcblk0p2 5271500 5279499 8000 3,9M ef EFI (FAT-12\/16\/32)\n \/dev\/mmcblk0p3 6000640 30277631 24276992 11,6G 83 LinuxDisk \/dev\/mmcblk0: 14,45<\/pre>\n\n\n\n$ sudo pvcreate \/dev\/mmcblk0p3 <\/strong>\n Physical volume \"\/dev\/mmcblk0p3\" successfully created.\n$ sudo vgcreate vg42 \/dev\/mmcblk0p3<\/strong>\n Volume group \"vg42\" successfully created\n$ sudo lvcreate -l 100%FREE -n root vg42<\/strong>\n Logical volume \"root\" created.\n$ sudo mkfs -t ext4 \/dev\/vg42\/root<\/strong>\n mke2fs 1.45.5 (07-Jan-2020)\n Discarding device blocks: done \n Creating filesystem with 3034112 4k blocks and 758880 inodes\n Filesystem UUID: 6fe69999-5ee7-46ae-9c82-a4352806dd36\n Superblock backups stored on blocks: \n 32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208\n Allocating group tables: done \n Writing inode tables: done \n Creating journal (16384 blocks): done\n Writing superblocks and filesystem accounting information: done <\/pre>\n\n\n\n
# mkdir \/mnt\/source \/mnt\/target<\/strong>\n# mount -o ro \/dev\/nvm0n1p3 \/mnt\/source<\/strong>\n# mount \/dev\/vg42\/root \/mnt\/target<\/strong><\/pre>\n\n\n\n
# cp -a \/mnt\/source\/* \/mnt\/target\/<\/strong>\nor use\n# rsync -a \/mnt\/source\/ \/mnt\/target\/<\/strong>\n... or when you are resuming an aborted copy, you might want to\n# rsync -a --delete \/mnt\/source\/ \/mnt\/target\/<\/strong> <\/pre>\n\n\n\n
# mount -o remount,rw \/mnt\/source\/<\/strong>\nFire up your favourite editor and edit grub.cfg\n# nano \/mnt\/source\/boot\/grub\/grub.cfg<\/strong><\/pre>\n\n\n\n
menuentry 'Ubuntu' --class ubuntu --class [...] {\n[...]\n fi\n linux \/vmlinuz-5.11.0-43-generic root=\/dev\/vg42\/root<\/strong> ro quiet splash $vt_handoff\n initrd \/initrd.img-5.11.0-43-generic\n }<\/pre>\n\n\n\n# nano \/mnt\/target\/etc\/fstab<\/strong>\nchange UUID=...... to \/dev\/vg42\/root\n# umount \/mnt\/target<\/strong><\/pre>\n\n\n\n
# sed -i 's#^UUID.* \/ #\/dev\/vg42\/root \/ #' \/mnt\/target\/etc\/fstab<\/strong>(<\/pre>\n\n\n\n
~# fdisk \/dev\/nvm0n1<\/strong>\nCommand (m for help): d<\/strong>\n Partition number (1-3, default 3): 3<\/strong>\n Partition 3 has been deleted.\n Command (m for help): n<\/strong>\n Partition type\n p primary (2 primary, 0 extended, 2 free)\n e extended (container for logical partitions)\n Select (default p): p<\/strong>\n Partition number (3,4, default 3): 3<\/strong>\n First sector (10741760-488397167, default 10741760): <enter><\/strong>\n Last sector, +\/-sectors or +\/-size{K,M,G,T,P} (10741760-488397167, default 488397167): +500M<\/strong>\n Created a new partition 3 of type 'Linux' and of size 500 MiB.\n Partition #3 contains a ext4 signature.\n Do you want to remove the signature? [Y]es\/[N]o: y<\/strong>\n The signature will be removed by a write command.\n Command (m for help): n<\/strong>\n Partition type\n p primary (3 primary, 0 extended, 1 free)\n e extended (container for logical partitions)\n Select (default e): p<\/strong>\n Selected partition 4\n First sector (11765760-488397167, default 11765760): <enter><\/strong>\n Last sector, +\/-sectors or +\/-size{K,M,G,T,P} (11765760-488397167, default 488397167): <enter><\/strong>\n Created a new partition 4 of type 'Linux' and of size 227,3 GiB.\n Command (m for help): w<\/strong>\n The partition table has been altered.\n Syncing disks.\n~# mkfs -t ext4 \/dev\/nvm0n1p3 <\/strong>\n mke2fs 1.45.5 (07-Jan-2020)\n Discarding device blocks: done \n Creating filesystem with 128000 4k blocks and 128000 inodes\n Filesystem UUID: 61094874-5c78-4688-b1b2-133314347e6e\n Superblock backups stored on blocks: \n 32768, 98304\n Allocating group tables: done \n Writing inode tables: done \n Creating journal (4096 blocks): done\n Writing superblocks and filesystem accounting information: done<\/pre>\n\n\n\n