David.
Here is what you need to do, but BEFORE ANYTHING ELSE PHYSICALLY DISCONNECT ANY OTHER HDDs/SSDs on your rig, so that you only have your blank, unpartitioned, unformatted SSD to experiment without risking losing any data on your other drives:
I.a) CHECK WHETHER OR NOT YOUR SSD IS A SED (Self-Encrypting Drive):
I.b) IF YOUR SSD IS A SED:
enable encryption on the drive, but because your rig is a LENOVO THINKPAD it is better to enable encryption via "hdparm" as per instructions at the end of the same answer to the same post above to prevent your Thinkpad from bricking your SSD.
partition your SSD to install Windows 10: boot your rig from the latest gparted Live-CD or from the Linux Mint Live-CD or from the Ubuntu 18.04 Live-CD (and you will be prompted for your SED password at boot-up) and partition your SED drive to GPT, create /dev/sda1 (512MiB, EFI) and /dev/sda2 (100GiB, NTFS)
reboot to BIOS (you will now be asked for the SSD password to unlock your SED) and:
A) enable the TPM module;
B) enable UEFI ONLY (NO LEGACY BIOS);
C) enable SECURE BOOT and install the PKgub, KEK and dbx keys
boot from your Windows 10 installation disk and choose to install it on the 100 GiB partition
if everything is OK so far and your TPM is working you won't be prompted for a Windows login password when you boot your Windows 10 OS (because your boot process will be authenticated by the TPM module and thus no password - in Microsoft's vision! - is requested to allow your rig to boot)
go to Control Panel > BitLocker > "turn BitLocker on", taking care of saving a copy of the BitLocker key to a USB drive: when you are done, reboot; your Windows partition is now SOFTWARE-ENCRYPTED by BitLocker and you will now be asked for your Windows / BitLocker password at the Windows Login.
now, if everything is alright, you will have a SED drive encrypting on-the-fly ALL THE DATA IN ALL PARTITIONS on that drive + a BitLocker encrypted Windows 10 OS with the TPM monitoring your Windows 10 boot sequence to prevent "evil maid" attacks on your Windows 10 OS and it is time now to install your Linux OS (and by the way, it is my humble opinion that Linux Mint 18.3 Xfce and Linux Mint 19 Xfce are FAR SUPERIOR to Ubuntu 18.04 when it comes to security issues, so maybe you should consider it to have a tight rig).
I.c) IF YOUR SSD IS NOT A SED:
- disregard the "enable encryption on the drive" and proceed with the same steps as above. The only difference is that you will not be protected against brute force attacks ("dictionary" attacks) to crack your BitLocker password on that SSD, in case your laptop is stolen, especially if you left it in "suspended" or "hibernated" mode... (and by the way, if you want to make it a little more time-consuming to crack that BitLocker password, disable hibernation on the Windows 10 OS and delete any hibernation files that may be present, because the BitLocker password is actually stored on that hibernation file, making it a 5-minute job to crack your BitLocker password).
II.a) HOW TO INSTALL YOUR UBUNTU/LINUX MINT OS WITHOUT SECURE BOOT
reboot, go to BIOS and DISABLE SECURE BOOT.
now, you have to decide which kind of Linux OS installation you want to pursue. Here are your main options:
A) EASY - Standard Encrypted Ubuntu/Linux install with /boot and /root partitions NOT ENCRYPTED (very susceptible to "evil maid" attacks due to the whole /boot and /root partitions being left unencrypted): boot from your Ubuntu/Mint install disk/USB, choose "install Ubuntu/Mint alongside Windows 10" and choose to encrypt your /home partition.
B) INTERMEDIATE - Full-Disk-Encryption ("FDE") including an encrypted /boot partition WITHOUT AN ENCRYPTED LVM+LUKS container (somewhat less susceptible to "evil maid" attacks as only the "bootx64.efi" file will be left unencrypted on the SSD at the unencrypted /boot/EFI folder): follow the instructions from user linux22 at his tutorial, at https://community.linuxmint.com/tutorial/view/2061
C) EXPERT - Full-Disk-Encryption ("FDE") including an encrypted /boot partition WITH AN ENCRYPTED LVM+LUKS container (allowing you to afterwards install your Kali OS inside your encrypted LVM+LUKS container, but you must remember to install your Kali equivalent of the /boot partition to the UNENCRYPTED /boot partition): user linux22 used to have a tutorial at the same address above, but it is now superseded by the one without an LVM container. However, you can still follow (for the time being) an automated script created by Callum Cameron to install user linux22's old tutorial, at https://github.com/CallumCameron/mint-encrypted-install or if that script is already updated to the new tutorial, then you can PM me here at superuser as I have saved as a file the original linux22 FDE tutorial with LVM+LUKS webpage and I will send it to you via Email.
Remember NOT to allocate all of your free space on the SSD to the Ubuntu/Linux LVM, so that you can later further partition your drive OUTSIDE of the LVM+LUKS container to create your Linux/Windows Data partition.
- D) CRYPTOMASTER - consists of the "Expert" install above WITH LVM+LUKS where you modify the commands above, pointing the installation of the /boot to a USB drive (for example /dev/sdc), thus extending the encrypted LVM+LUKS container to this encrypted USB drive, which you must plug into your rig in order for your system to boot (but leave the GRUB2 boot-loader to be installed at the SSD!). To use this option, before you start the Ubuntu/Mint installation, as above, simply partition your USB drive to GPT (without creating any partition) with gparted and use your Ubuntu/Mint LiveDVD to find the assigned /dev to this USB drive using, from the terminal, the command "blkid" (for example USB is /dev/sdc) and afterwards, during the installation of the OS, change all references on the commands from /dev/sda for the /boot partition to the new USB /dev.
II.b) HOW TO INSTALL YOUR UBUNTU/LINUX MINT OS WITH SECURE BOOT
- BEFORE installing the Ubuntu/Mint OS using the "CryptoMaster" option above, follow this tutorial from user linux22 at https://community.linuxmint.com/tutorial/view/2360 but instead of the default method use the METHOD 1 ("Using the original Microsoft UEFI Secure Boot certificates of your PC UEFI platform") instructions contained at the "Appendix A - How to set up your Custom keys and Microsoft keys together"
II.c) PASSWORD PROTECT THE GRUB2 BOOT-LOADER
to further protect your rig against most "code injection" and some "evil maid" attacks, you must password protect your grub2 boot-loader.
follow the instructions on this tutorial https://www.thegeekstuff.com/2011/09/grub-password-command/
NOW, test your (almost) finalized installation and from the GRUB2 menu boot first from the "Windows Boot Manager" to boot your Windows 10 OS. In case your Windows 10 fails to boot and GRUB2 throws you an error message saying "error: device name required", you must reboot to the Ubuntu/Mint OS and edit AS ROOT the "grub.cfg" file in your directory "/boot/grub" (OR "/boot/grub/efi/EFI/boot") and search for the menuentry 'Windows Boot Manager' and comment out the line 'cryptomount -u' with a #
sudo xed /boot/grub/grub.cfg
or
sudo xed /boot/grub/efi/EFI/boot/grub.cfg
BE WISE and test this solution with a BLANK, UNPARTITIONED HDD or SSD as the ONLY drive physically present on the rig, so as to NOT jeopardize the data in your other drives. I only tested this hardware + software encryption scheme using the OLD (LVM+LUKS) tutorial from linux22 on DELL mobile workstations (models M6400, M6600 and M6800) with i7 processors, 16 GB or more of RAM and Samsung Evo 960/970 1 TiB SED SSDs.
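
Added example, not part of the original answer: a scripted form of the grub.cfg edit described in II.c, which comments out 'cryptomount -u' only inside the 'Windows Boot Manager' menuentry and leaves the Linux entry untouched. The function names, the sample grub.cfg fragment and its UUIDs are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample grub.cfg fragment; UUIDs and device names are placeholders.
make_sample() {
cat <<'EOF'
menuentry 'Linux Mint' --class linuxmint {
    insmod luks
    cryptomount -u 00000000000000000000000000000001
    linux /vmlinuz root=/dev/mapper/mint-root ro
}
menuentry 'Windows Boot Manager (on /dev/sda1)' --class windows {
    insmod part_gpt
    cryptomount -u 00000000000000000000000000000001
    search --no-floppy --fs-uuid --set=root AAAA-BBBB
    chainloader /EFI/Microsoft/Boot/bootmgfw.efi
}
EOF
}

# $1 = path to a grub.cfg; the patched text is written to stdout so it can
# be reviewed (for example with diff) before anything is replaced.
patch_windows_entry() {
    awk '
        # A new menuentry starts: remember whether it is the Windows one.
        /^[ \t]*menuentry[ \t]/ {
            in_win = (index($0, "Windows Boot Manager") > 0)
            depth = 0
        }
        {
            line = $0
            # Comment the line only inside the Windows entry, keeping indentation.
            if (in_win && line ~ /^[ \t]*cryptomount[ \t]+-u/)
                sub(/cryptomount/, "#cryptomount", line)
            print line
            # Track brace depth to detect the closing brace of the entry.
            opens = gsub(/[{]/, "{"); closes = gsub(/[}]/, "}")
            depth += opens - closes
            if (in_win && closes > 0 && depth <= 0) in_win = 0
        }
    ' "$1"
}

# Demo on the constructed sample.
sample=$(mktemp)
make_sample > "$sample"
patch_windows_entry "$sample"
rm -f "$sample"
```

Run it against a copy of your grub.cfg and compare the output with the original before copying it into place as root. A later update-grub regenerates /boot/grub/grub.cfg, so the edit has to be reapplied afterwards.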