Repository: https://github.com/x0prc/FDE-Turbo
Full Disk Encryption Made Simple
Setting up full disk encryption shouldn’t require a PhD in cryptography. FDE-Turbo provides GUI installers and automation scripts for Ubuntu, Fedora, Kali Linux (including Raspberry Pi), and Windows—because securing your data shouldn’t be harder than using it.
What It Does
- Linux: Automated LUKS encryption with USB keyfile support
- Windows: BitLocker activation with recovery key management
- Raspberry Pi: Remote SSH unlock for headless encrypted systems
- Cross-platform: Same workflow, native tools underneath
The Code
Linux Boot Script (fde.sh)
This runs during initramfs (before your system boots) to fetch encryption keys from USB:
#!/bin/sh
MountPoint=/tmp-keydisk-mount
KeyFileName=LinuxPassPhraseFileName
echo "Scanning for key file..." >&2
mkdir -p $MountPoint
# Load USB filesystem drivers
modprobe vfat ntfs >/dev/null 2>&1
sleep 2 # Wait for USB enumeration
OPENED=0
cd /sys/block
# Try every USB drive for the key file
for DEV in sd*; do
mount -t vfat -r /dev/${DEV}1 $MountPoint >/dev/null 2>&1 || \
mount -t ntfs -r /dev/${DEV}1 $MountPoint >/dev/null 2>&1
if [ -f $MountPoint/$KeyFileName ]; then
cat $MountPoint/$KeyFileName # Output key to stdout
umount $MountPoint 2>/dev/null
OPENED=1
break
fi
umount $MountPoint 2>/dev/null
done
# Fallback to manual password
if [ $OPENED -eq 0 ]; then
echo -n "Enter password: " >&2
read -s -r A </dev/console
echo -n "$A"
fiThe script outputs the passphrase to stdout—that’s how initramfs feeds it to cryptsetup.
GUI Launcher (exec.py)
Tkinter wrapper that runs the encryption setup:
import tkinter as tk
from tkinter import scrolledtext
import subprocess
import os
shell_script = """#!/bin/sh
# [fde.sh content here]
"""
def run_script():
# Write temp script and execute
with open("temp_script.sh", "w") as f:
f.write(shell_script)
os.chmod("temp_script.sh", 0o755)
process = subprocess.Popen(
["./temp_script.sh"],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE
)
stdout, stderr = process.communicate()
# Update GUI with results
output_text.delete(1.0, tk.END)
output_text.insert(tk.END, stdout.decode())
output_text.insert(tk.END, stderr.decode())
# Simple GUI setup
root = tk.Tk()
root.title("FDE-Turbo")
tk.Button(root, text="Run Setup", command=run_script).pack(pady=10)
output_text = scrolledtext.ScrolledText(root, width=80, height=20)
output_text.pack(padx=10, pady=10)
root.mainloop()Raspberry Pi Encryption (kali-rasp.py)
Full disk encryption for ARM devices with remote unlock:
import subprocess
# Mount target system for chroot
subprocess.run(["sudo", "mkdir", "-p", "/mnt/chroot/"])
subprocess.run(["sudo", "mount", "/dev/sdX2", "/mnt/chroot/"])
subprocess.run(["sudo", "mount", "/dev/sdX1", "/mnt/chroot/boot/"])
# Bind mount virtual filesystems
for fs in ["proc", "sys", "dev", "dev/pts"]:
subprocess.run(["sudo", "mount", "--bind", f"/{fs}", f"/mnt/chroot/{fs}"])
# Install ARM emulation if building on x86
subprocess.run(["sudo", "apt", "install", "-y", "qemu-user-static"])
subprocess.run(["sudo", "cp", "/usr/bin/qemu-aarch64-static", "/mnt/chroot/usr/bin/"])
# Enter chroot and install encryption tools
subprocess.run(["sudo", "chroot", "/mnt/chroot/"])
subprocess.run(["apt", "install", "-y", "cryptsetup", "dropbear-initramfs", "lvm2"])
# Configure LUKS
subprocess.run([
"bash", "-c",
"echo 'crypt PARTUUID=xxx none luks' > /etc/crypttab"
])
# Setup remote SSH unlock
subprocess.run(["ssh-keygen", "-t", "rsa", "-b", "4096"])
subprocess.run(["cp", "~/.ssh/id_rsa.pub", "/etc/dropbear/initramfs/authorized_keys"])Key points:
- Chroot lets you modify the Pi’s filesystem from another Linux system
- Dropbear in initramfs = SSH into your Pi during boot to enter the passphrase
PARTUUIDis more reliable than device names like/dev/sda2
Windows BitLocker (win_exec.py)
Enable BitLocker via Python + PowerShell:
import subprocess
ps_script = """
$Drive = "C:"
$KeyPath = "C:\\RecoveryKey.txt"
$Status = Get-BitLockerVolume -MountPoint $Drive
if ($Status.ProtectionStatus -eq 'Off') {
Enable-BitLocker `
-MountPoint $Drive `
-RecoveryKeyPath $KeyPath `
-EncryptionMethod Aes256 `
-UsedSpaceOnly
Write-Host "Encryption started"
} else {
Write-Host "Already encrypted"
}
"""
# Save and execute
with open(r"C:\temp\EnableBitLocker.ps1", "w") as f:
f.write(ps_script)
subprocess.run([
"powershell", "-ExecutionPolicy", "Bypass",
"-File", r"C:\temp\EnableBitLocker.ps1"
], capture_output=True)Notes:
-ExecutionPolicy Bypassoverrides default script restrictions-UsedSpaceOnlyskips empty sectors (much faster)- Recovery key is your backup—store it somewhere safe, not just on C:
Windows Batch Alternative
If you prefer batch files:
@echo off
set "Drive=C:"
set "KeyPath=C:\RecoveryKey.txt"
powershell -Command "& {
$s = Get-BitLockerVolume -MountPoint '%Drive%'
if ($s.ProtectionStatus -eq 'Off') {
Enable-BitLocker -MountPoint '%Drive%' -RecoveryKeyPath '%KeyPath%' -EncryptionMethod Aes256
Write-Host 'Done'
} else {
Write-Host 'Already enabled'
}
}"
if %errorlevel% neq 0 echo "Failed"Architecture
┌────────────────────────────────────┐
│ GUI / CLI Interface │
│ (Tkinter, .exe, terminal) │
├────────────────────────────────────┤
│ Python Wrappers │
│ (subprocess, file I/O) │
├────────────────────────────────────┤
│ System Tools │
│ (shell, PowerShell, chroot) │
├────────────────────────────────────┤
│ Crypto Layer │
│ (LUKS/cryptsetup, BitLocker) │
└────────────────────────────────────┘
Usage
Linux:
sudo dpkg -i FDETurbo.deb
# Script installs to /usr/local/sbin/
# Update /etc/crypttab to use the keyscript
sudo update-initramfs -u -k allWindows:
Run FDESetup.exe as Administrator.
Raspberry Pi:
sudo python3 kali-rasp.py
# Edit boot/cmdline.txt to add cryptdevice parameter
# Reboot with USB key insertedSecurity Tips
- Backup your LUKS header:
cryptsetup luksHeaderBackup /dev/sdX --header-backup-file luks-header.bin - Store recovery keys offline—USB drive in a safe, printed copy, etc.
- Test the recovery process before you need it
- Remove USB keyfile after boot—the script auto-unmounts, but physically removing it is safer