after recently installing arch linux on my laptop (a thinkpad x230), i was first quite happy. but after some time, i noticed some flaws. first of all, having to do so many things by hand is somewhat annoying. if it would be just about installing software: no big deal (for me). but it is also about configuring stuff, like deciding between networkmanager and the arch-specific command line wireless setup, which is installed by default. switching to networkmanager was quite annoying, and in the end didn’t work very well (one anecdote: at some point, i had to reboot to get plain eth0 working again – reconfiguring by hand might have worked, but you don’t always have time to do that). and also power management was not so good, after trying some things i finally had a system which, coming back from suspend, waited a few seconds (usually enough to enter my password and unlock the computer) and sent it back to suspend. after the next unsuspend, there was no password protection left…
the final kick came when i tried to install hugin: it simply didn’t work. at all. pacman always gave up without an understandable error message. great, eh? at that point i decided to try linux mint another time.
last weekend, i first tried to install linux mint debian edition (lmde) on my laptop. it has the advantage of being a rolling release distribution. well, the installer doesn’t support harddisk encryption, but it allows you to do that by yourself. after having managed that with arch linux, i tried it. basically, at two points during the installation process, the installer lets you do some stuff – set up and mount partitions in the first stop, and installing packages/modules and setting up stuff for the first boot in the second stop – and waits for you to press the “forward” button. unfortunately, during the second stop, the “forward” button was grayed out. i hoped that maybe the installer enables it when time comes, but after doing everything (hopefully) and waiting, nothing happened. great, eh? well, i searched around the net, but found nothing. the only thing i found was a blog entry announcing lmde 201303 (which i was trying to install) with the note “please use this blog to report bugs”, which is nice, but not when you notice that comments are disabled. at that point, i gave up and downloaded a linux mint 15 image instead…
installing that one went quite smoothly. of course, again, the installer didn’t support using my encrypted setup (seems to be implemented nowhere, except in the old ubuntu alternate installer which is discontinued. yay, the good old times when stuff just worked out of the box!). mounting stuff before starting the installer (i also had to install the lvm2 package), the install went well, before rebooting, though, i had to do some new tricks. after trying around unsuccessfully for some time, i finally found a question on askubuntu.com, whose accepted answer provided the solution for me: it explains how to set up /etc/crpyttab, initramfs and grub to ask for a password on boot-up and unlock the encrypted disks (see also below in this post). with these steps, i was able to boot the newly installed linux mint 15, and from that point on, everything went well.
most stuff worked out of the box, and all packages i wanted to install actually existed (arch linux doesn’t have mmv by default, for example), and both wine and hugin did work out of the box. the only very annoying part was that linux mint screwed up my firefox profile. it created a new profile and changed the .mozilla/firefox/profiles.ini to only use the new profile. after modifying that file, i had my old profile back. after that, i was happy, and after a couple of days with wlan/vpn field test (i never even got so far to try vpn on arch linux), i’m opting to keep linux mint 15 for some while. i guess i’ll also install it on my desktop (replacing ubuntu 12.04 lts).
(actually, for desktop machines, arch linux will function much better, since there you don’t need fancy stuff like wireless setup, power saving etc. nonetheless, after the experience i had i won’t try it again for some time…)

quick conclusion: how to set up luks/lvm encryption manually on ubuntu/mint.

before i forget how this was done, or maybe askubuntu gets rid of the question and answer, i’ll document the necessary steps i had to do here (all paths are relative to the installed system’s root):

1. create /etc/crypttab with a line like this:
   sda2_crypt UUID=... none luks
   to find out the correct uuid, try ls -la /dev/disk/by-uuid/. then you can see which uuid is mapped to which device. another (somewhat unrelated) useful tool is lsblk, which shows your current device and filesystem topology.
2. create /etc/initramfs-tools/conf.d/cryptroot containing a similar line:
   CRYPTROOT=target=sda2_crypt,source=/dev/disk/by-uuid/...
   again, use the correct uuid instead of the “…”.
3. mount /dev into the new environment by running
   mount -o bind /dev /target/dev
   (replace target with the path to the new system’s root directory.)
   then chroot the environment, and run the following commands:
   

   1mount -t proc proc /proc
   2mount -t sysfs sys /sys
   3mount -t devpts devpts /dev/pts
   4locale-gen --purge --no-archive
   5update-initramfs -k all -c
   

   
   this will set up the ram disk correctly so that it will deal with the encrypted root partition. (note that it usually will complain about an “invalid line” in /etc/crypttab. you can usually ignore this.)
4. change GRUB_CMDLINE_LINUX in /etc/default/grub to something like
   GRUB_CMDLINE_LINUX="cryptopts=target=sda2_crypt,source=/dev/disk/by-uuid/...,lvm=sda2_crypt"
   again, think of replacing sda2_crypt if necessary and filling in the correct uuid.
5. in the chroot environment, run update-grub.

after this, it should work. maybe you also have to install cryptsetup and/or lvm2 in the chroot environment, if it wasn’t already done by the installer.
anyway, i’m really looking forward to the moment when most distribution installers know how to (again!) deal with existing luks/lvm installations. i hope it won’t take as long as it took for basic hdd encryption find its way into the graphical installers in the first place. (that was, like, forever! and without an initiative of the eff, it might really have taken forever.)

today, i finally got around to try arch linux with xfce4 on my laptop. and considering how it looks, i will also install it on my desktop computer on the next reinstall. (currently, it still has ubuntu with xfce4 installed. and in case you wonder why i decided to try out a new system on my laptop: i’ve been using linux mint 14 the last couple of months, and was pretty unhappy both during install – setting up full disk encryption was somewhat annoying – and finally when trying to install wine recently, which simply didn’t work.)

i followed the beginner’s guide, which essentially told me what to enter on the console to set up arch linux. (note that arch linux does not come with a graphical install, you have to type a lot of commands in yourself. but apart from that, it actually works like a charm. so if you’re not scared by using the command line, it’s worth a try.)

there’s also a arch wiki entry about encrypting a lvm setup, which is what i was doing and wanted to continue doing – for example, to not again restart by copying all my data to the machine, but by simply re-using the encrypted partitions layout set up before. for the way i (and ubuntu) was doing it, that wiki entry pointed to a blog post by simon dittlmann, which explains how to set up a huge encrypted partition, which will contain a lvm (logical volume manager) group with root, home and swap partition. unfortunately, the blog post is somewhat older, and apparently the whole installation procedure of arch linux changed somewhat, so i had to improvise.

in order to create an up to date documentation on how to install arch linux with full disk encryption, both discussing how to create such a setup and how to install arch linux in an already existing such setup.

beginning installation: creating the encrypted partition.

first, follow the beginner’s guide up to the step “prepare the storage drive”. at this step, you have to do something else.

(in case you already have a working set-up, skip the next steps until the mark.)

follow the steps described in the beginner’s guide, create a small boot partition – this one will not be encrypted. i assume that it will be /dev/sda1. it should be a simple ext3/ext4 partition. (i usually give it 256 or 512 megabytes.)

then, create another partition (i assume it will be /dev/sda2), which consumes the whole left-over space on the hard disk. first, you should clear everything on that partition, preferably with random bits. you can for example do:
dd if=/dev/urandom of=/dev/sda2
this will take quite some time, though. alternatively, you can skip this step, and later, after encrypting the partition, overwrite the encrypted partition with zeros. (look down below for that.) afterwards, set up encryption on /dev/sda2:

1modprobe dm-crypt
2cryptsetup --verbose --cipher aes-xts-plain64 --key-size 512 --verify-passphrase luksFormat /dev/sda2

(edit: since there is now a successful attack on the aes-cbc-essiv encryption mentioned here earlier, i changed it to aes-xts-plain64, using a different approach.)

(mark: skip until here if you already have a working set-up.)

now you can unlock the encrypted disk:
cryptsetup luksOpen /dev/sda2 lvm

setting up the logical volumes.

(skip almost everything of this section if you already have a working set-up. the only thing you should not skip is the mounting below and enabling swap with swapon.)

after unlocking the encrypted volume, you have to create a volume group and logical volumes inside it. first, begin by creating a physical volume, which will contain the logical volumes. for that, we use the encrypted partition /dev/sda2, whose contents can be accessed by /dev/mapper/lvm. do the following:

1lvm pvcreate /dev/mapper/lvm
2lvm vgcreate vgroup /dev/mapper/lvm

1lvm lvcreate -L 16GB -n root vgroup
2lvm lvcreate -L 16GB -n swap vgroup
3lvm lvcreate -l 100%FREE -n home vgroup

1mkfs.ext4 /dev/mapper/vgroup-root
2mkfs.ext4 /dev/mapper/vgroup-home

1mkswap /dev/mapper/vgroup-swap
2swapon /dev/mapper/vgroup-swap

finally, let us mount the partitions to install arch linux on them:

1mount /dev/mapper/vgroup-root /mnt
2mkdir -p /mnt/home /mnt/boot
3mount /dev/mapper/vgroup-home /mnt/home
4mount /dev/sda1 /mnt/boot

(you only need the mkdir if you created a new set-up. also, in case you created more logical volumes, you have to adjust the commands above.)

continue arch linux installation.

from this point on, you can follow the beginner’s guide to install arch linux from this point on. continue until the point of creating an initial ramdisk environment. there, you must edit /etc/mkinitcpio.conf and modify the HOOKS statement from
HOOKS="base udev autodetect modconf block filesystems keyboard fsck"
(or something similar) to
HOOKS="base udev autodetect modconf block encrypt lvm2 filesystems keyboard fsck"
note that you must insert encrypt lvm2 in precisely this order somewhere before filesystems. afterwards, continue with running mkinitcpio -p linux (or continue editing the config file if necessary).

now you can continue with setting the root password.

the next step where you have to pay attention is the step where you set up the boot loader. i chose grub here. set it (or syslinux) up as described in the beginner’s guide. in the case of syslinux, you have to modify /boot/syslinux/syslinux.cfg, and in the case of grub, you have to modify /boot/grub/grub.cfg. in the case of syslinux, you should have two entries (regular system and fallback)
APPEND root=/dev/mapper/vgroup-root ro
for syslinux and
linux /vmlinuz-linux root=/dev/mapper/vgroup-root ro quiet
for grub, or something similar. for all such entries, insert cryptdevice=/dev/sda2:vgroup between root=… and ro; that is, the entries should look like
APPEND root=/dev/mapper/vgroup-root cryptdevice=/dev/sda2:vgroup ro
for syslinux and
linux /vmlinuz-linux root=/dev/mapper/vgroup-root cryptdevice=/dev/sda2:vgroup ro quiet
for grub.

change (2014/04/13): in case you want to use grub, it is better to proceed as follows. edit the line GRUB_CMDLINE_LINUX in /etc/default/grub and add cryptdevice=/dev/sda2:vgroup there. then, run grub-mkconfig -o /boot/grub/grub.cfg as described in the beginner’s guide. this automatically adds this to all entries in grub.cfg. end of change.

afterwards, continue with the beginner’s guide. after the next reboot, you should be asked for a password to unlock the volumes. after entering it correctly, the system should boot up as normal.

today i discovered why sometimes, some of my latex output contains tildes (~) in the dvi/pdf version. usually, if you use a tilde in a tex file, it is interpreted as a non-breakable space (except in special circumstances, such as verbatim environments or in \url{…}). but thanks to a “bugfix” to texi2dvi/texi2pdf, which is a wonderful tool as it runs (pdf)latex often enough together with bibtex, makeindex etc., tildes appearing in tex files are now shown as tildes in the dvi/pdf output. which is absolutely inacceptable behaviour.
it seems that this already was reported (see here, here, here), but it is still around. i don’t really know what to think of this – is nobody responsible for working on texi2dvi/texi2pdf? or did people stop using it as it is broken?
anyway, i fixed my local installed version (/usr/bin/texi2dvi) by chaning the line catcode_special=true to catcode_special=false. a more sophisticated version would be nice, which only changes catcode_special for tex files (and not for texinfo files), but i don’t have time for that now.

something which annoys the heck out of me, already for some time, which i wanted to mention here but never managed to.
its about the current (official) version of ubuntu: natty. (yeah, another ubuntu rant. yay.)
this distribution contains at least two packages which are broken. i.e. the programs contained in the packages are useless, they just don’t work. by default. since the release (in april), nothing changed. (yes, i checked the backports and the proposed updates.) needless to say that you can find out which source code lines to modify in many web forums, as well as bug reports here and there.
the packuages in question are xpdf and sshpass. two programs i used a lot. used, because now they are broken. xpdf crashes when you open a pdf file. and sshpass just hangs. for xpdf, i now use evince as a quick drop-in, but it is different. i want xpdf back. and for sshpass, i use… well, the keyboard.
i really don’t understand how something like this can happen. that packages break is ok. but that months after bugs have been reported, fixes have been described in the report’s discussions, that after this time, nothing happens? that’s just not acceptable.
of course, i can just fix the issue by deinstalling the packages, downloading the source, and compiling the programs myself. but then, i’m responsible to check for updates and security fixes myself. auto update will just ignore the programs. i’m not really willing to do that anymore. i have better things to do with my time.
maybe i should just install arch linux the next time i want to set up a new machine. or i should even just reinstall a machine and install arch linux instead of ubuntu. cannot get worse.

when installing a new ubuntu, i had essentially two programs which were replaced by alternatives i had trouble with – amarok1 was replaced by amarok2, and gqview was replaced by geeqie. compared to amarok2 pretty much not working at all, geeqie is working, though partially not as expected. the worst part of it is getting confused with directories. assume you store your photos in a more complex directory structure, say

photos/
photos/canada/
photos/finland/
photos/germany/
photos/germany/2010-04-23
photos/germany/2010-05-01
photos/germany/2010-06-02
photos/switzerland/

now you go into the photos/germany/2010-05-01/ directory, look at some pictures, and decide to go one directory up. as expected, the current marked directory is 2010-05-01. so, when you go another directory up, you’d except the current marked directory to be germany. but well, as opposed to any sane program (such as gqview), geeqie selects the first in the list. this is really, really annoying, and i have no idea who implemented something like this…
anyway, i just found a forum post describing how to install gqview and make sure ubuntu won’t automatically update to geeqie for you… in case this annoys you as well, follow the instructions :)

well. the thinkpad i ordered some more time ago has arrived some time ago, and finally i got around to set it up. well, with the newest release candidate of ubuntu. the 64 bit version, of course. even after all the trouble i had last year, i couldn’t think of a better linux distro… (i want apt, and i don’t want to compile everything by myself – which rules out fedora and gentoo.)
anyway. i installed it. and: it worked. everything’s fine. well, so far, of course, i don’t know if this will change. and even setting up the hdd realtime encryption on installation worked like a charm.
well. let’s see how it continues… :)

turns out that upgrading to the newest version of ubuntu was not a good idea. not because of the visual effects, not because of the tracker, (probably) not because of ubuntu itself, but because of a very strange and annoying bug which is really killing my productivity: at random points, in particular if i’m using firefox, it “forgets” that i released a key, like the short cut for closing a tab or for switching to the next tab. and there’s basically no way to stop it except killing firefox. the problem also appeared in other applications, though almost never. i’d guess that it is connected to how much the program keeps the cpu busy, and firefox is pretty good at doing that… so, what to do? i don’t know… a first few google searches haven’t helped me a bit… probably i have to spend even more time digging out information on this… i really hate wasting time like this.

just upgraded to newest ubuntu. upgrading went pretty smooth, smoother than i expected after last time’s experience. i tried the new visual effects (seeing this screenshot, i’m wondering why i didn’t had this custom choice), and disabled them after a few minutes. for me, most of them are too annoying (i’m switching between windows and desktops all the time). well. the user interface feels slower than before (even after deactivating the visual effects), but it’s still ok. the tracker is annoying, eating up system performance and it’s ignoring the preferences (which say: don’t run), but after deinstalling it, everything’s fine. for now.
now i have to find out how to install a local version of apache with php, and of mysql, to make working on my project a bit easier…