XPS 13 9370 Ubuntu full disk encryption

I have made a CloneZilla image before performing the apt-get autoremove command.
No worry about this.

But I cannot post here the output command that shows the modules removed.
Each time I am posting the log, the message is not saved and posted (no error is returned).
So I am sending it to you in a private message.

I very much appreciate all of the effort that folks in this thread have put into trying to get FDE to work. It still seems as if the process is a bit buggy and complex, and I definitely don't want to run the risk of an autoremove completely locking me out. I have been using LUKS encryption on my previous XPS (which was originally a Windows machine) for years, and this is one feature that I don't really consider optional.

Given that I really need my XPS to be stable and I also want FDE, I'm considering:

• Backing up my system and trying the steps listed here, although the fact that they don't seem to produce a 100% stable system is worrisome.
• Updating to 18.10 and trying to get home directory encryption to work there (which also seems dicey).
• Wiping everything and installing Mint 19 with FDE and trying to use the Dell-specific drivers with that (is there a tutorial for using Dell drivers in Mint?).

I have enjoyed vanilla Gnome Ubuntu for the last few weeks on my new XPS, but I've been a happy and productive Mint MATE user on my old XPS for years and wouldn't mind switching back to that (or perhaps a different DE) as long as I won't lose Dell driver support.

Suggestions?

Hi Michael,

I fully agree with you : I consider Full Disk Encryption support by Dell a must have !

Kind regards

Indeed. It's really a shame that this is not possible with Dell's official installation media. I can imagine that it might complicate support requests occasionally, but it would also be a huge selling point for many security-minded customers.

I need to decide what to do to to resolve this on my system, since I definitely don't plan to travel again without FDE. I don't think that home directory encryption is an acceptable substitute really, so I'm going to strike that option from my list. I'm a long-time Linux user and fairly technical, and I'd be happy to write up a tutorial for others (like the steps that you've worked through so far), and if it turns out that the only reliable solution is to do a fresh installation, I'd probably switch to Mint and write up the steps for doing that instead.

I hope that I can get FDE working with the official Dell Gnome installation. A lot of effort seems to have been put into getting everything working smoothly and I like the idea of participating in Sputnik. So I'll probably try to back up everything, reformat with FDE, and then restore it all first and see how that goes (and if it can be done that way, then I'll post steps for that).

One way or another, we'll get over this bump!

So regarding the current workaround that lets FDE work, can someone who has applied it show what apt autoremove shows?  Don't actually hit "yes" to remove it given the issue that was reported that it removes packages that are needed.

Hopefully it's obvious which package is marked incorrectly and then it's as simple as running

apt install $package

and it is no longer marked as auto-removable.

Thanks for sharing.  Looking at that list I would expect it's caused by three of those packages.

If you can please run the following command, I would expect that you would have no more problems with autoremove after:

# apt install cryptsetup cryptsetup-bin lvm2

Hi @dell-mario l,

When I am posting the full log, the following error is now returned:

"This reply was marked as spam and has been removed. If you believe this is an error, submit an abuse report."

So, I am posting part 1 (in French):

$ sudo apt-get autoremove

[sudo] Mot de passe de xxx :
Lecture des listes de paquets... Fait
Construction de l'arbre des dépendances
Lecture des informations d'état... Fait
Les paquets suivants seront ENLEVÉS :
apt-clone archdetect-deb btrfs-tools cryptsetup cryptsetup-bin dmeventd
dmraid gir1.2-timezonemap-1.0 gir1.2-xkl-1.0 kpartx kpartx-boot
libdebian-installer4 libdevmapper-event1.02.1 libdmraid1.0.0.rc16
libido3-0.1-0 liblvm2app2.2 liblvm2cmd2.02 libreadline5 libtimezonemap-data
libtimezonemap1 linux-oem-headers-4.15.0-1006 lvm2 python3-icu python3-pamrdate
0 mis à jour, 0 nouvellement installés, 25 à enlever et 4 non mis à jour.
Après cette opération, 93,7 Mo d'espace disque seront libérés.

The former.

apt install cryptsetup cryptsetup-bin lvm2

Hi @dell-mario l

I will back up the whole system with CloneZilla before testing and I will do this during this weekend.

In a previous message you mentioned apt install $package.

So is it apt install cryptsetup cryptsetup-bin lvm2 or or apt install $cryptsetup $cryptsetup-bin $lvm2 ?

It took me a bit longer than I planned to do this on my XPS (busy time at work, plus I realized that before I reinstalled from scratch I might want to try out XFCE on this machine for a while). But yesterday I made the new USB installation image and today I went ahead and reinstalled Ubuntu with FDE. The process was straightforward and quick, so I definitely encourage others to do it also.

I have only one bit of advice for people planning to do this: If possible, do this as soon as you receive your new laptop (before you install or configure anything, copy files, etc.). By far the majority of the time that I spent finishing this off today was setting up my system the way that I wanted it again and copying all of my files back over. This is partly because I did not make an image of my system and restore it (instead I just used grsync to copy my home directory to an external drive, since I thought that would allow my to avoid any cruft in the new system). But nevertheless it's a seamless experience if you encrypt and reinstall first and then set everything up. It works either way, but you save some time and effort if you start with FDE. Plus you won't be tempted to wipe all of the blank space when encrypting your drive (which takes much longer), since you will never have had any of your own data on it.

These are the steps as I followed them (based on steps that others posted here):

1. Download dell-recovery_1.60_all.deb
2. Mount the recovery partition of your internal SSD disk (e.g., sudo mount /dev/nvme0n1p2 /mnt/ )
3. Copy the downloaded deb file into the /debs/main folder of the mounted recovery partition (e.g., sudo cp dell-recovery_1.60_all.deb /mnt/debs/main/ )
4. Unmount the recovery SSD partition (e.g., sudo umount /mnt/ )
5. Create a new ISO recovery image using the pre-installed Dell recovery tool (save the image to Downloads)
6. Insert a blank USB flash drive and create a bootable recovery key using the Ubuntu "Startup Disk Creator"
7. Back up everything that you need from this system, either by creating a backup image or copying your home directory and a list of all the software that you have installed somewhere else.
8. Reboot your computer, press F12 to show the startup menu, and select the USB key to boot in UEFI mode.
9. At the beginning of the setup, there should be two options: "Restore Entire HD" and "Restore Only Linux" choose the second ("Restore Only Linux").
10. Choose "Erase Disk and Install Ubuntu" and mark "Encrypt the new Ubuntu", this will auto-mark also the LVM option.
11. When asked for an encryption password, pick any password (some users with non-QWERTY keyboards have reported issues, so watch out for this!).
12. Save the USB recovery key to a safe place in case you want to do this again.
13. Run sudo apt-get update && sudo apt-get upgrade.
14. Then run sudo apt install cryptsetup cryptsetup-bin lvm2 to be sure that these FDE libraries are not removed (without them, your system will be unbootable).
15. Then you can safely run sudo apt autoremove to clean up leftovers.
16. Install software and restore your files.

For reference, I completed steps 8-15 in less than an hour this morning, but the last step took me about three hours. YMMV.

Hopefully future systems can be shipped with these packages in the standard recovery partition and include instructions for how to do this (which would be a whole lot easier than modifying the encryption method so that users can choose what they want when they receive their systems, although of course that would be ideal).

Thanks very much to the Dell devs who made this possible and to the community members who tested and debugged this!

FYI, there is a fix in dell-recovery 1.61 on Github that should prevent the automatic removal from happening.

https://github.com/dell/dell-recovery/releases/tag/1.61

I agree that a KB article would be useful soon.  Before checking how to make that happen, I would like someone to be able to comment if this QWERTY issue is "real".  I suspect it's related to setting up the passphrase in the installer before the keyboard locale was selected.  (OEM installs don't do that until the OEM config out of box pages).

This means that the installer might still need modification to unset preseeds and show the keyboard locale selection page to correct it.

Thanks!

So perhaps all that needs to be done for now is to have a KB article on Dell.com about how to reinstall Ubuntu with FDE (and ideally to ship these packages with future systems, but that may not be as quick to implement). Oh and I guess I don't know the status of how non-QWERTY keyboards might behave when setting the password. So that may require a warning and/or more testing.

If you do a KB article, one thing that I always try to remember to mention to anyone who is doing this type of encryption is that no one can help them if they forget their FDE password, so they should make sure that won't happen.

I followed the steps in michaelzap's post to reinstall ubuntu with FDE
on my brand new XPS 13 9380 as of yesterday. It did not work with the
latest version dell-recovery_1.62_all.deb: cryptsetup did not
recognize the passphrase 'eeee' after reboot. In the live installer I
could mount the encrypted volume alright with the same passphrase.
Following the recipe with the older version dell-recovery_1.60_all.deb
worked without problems. My keyboard has got US-English layout.