So after recently migrating my backup server to a Debian LUKS setup, I decided to move my Ubuntu desktop to such a setup as well. If there are so many great free open-source encryption solutions, why doesn’t everyone use them?
In any case, setting up a LUKS + LVM root on Debian is a breeze; in fact the installer does everything for you. And the Ubuntu Desktop CD? Well, not so much, unfortunately. You could use the alternate or server CD, but this was not possible for me: I only had the desktop CD on a USB stick. Since Ubuntu also uses apt, it’s really more or less a matter of installing what’s missing; dpkg will do the rest!
It goes a little something like this…
Pre-flight
Before we begin…
- Boot the Ubuntu Karmic CD into “LiveCD” mode, the option called “Try Ubuntu without any change to your computer”.
- You will need an internet connection to download the latest versions of the missing programs, so make sure you have connectivity from the LiveCD.
- Make sure you know the device name of the drive you are installing to; in this howto it will be /dev/sda.
- You will need a separate unencrypted boot partition. It is entirely possible to have this on a different device, such as a USB stick, but here we assume that the boot partition is the first partition of the internal hard drive, i.e. /dev/sda1.
- Open up a Terminal (Man up sissy boy – Applications > Accessories > Terminal).
- (Optional) Fill your drive with random data: dd if=/dev/urandom of=/dev/sda. This prevents people from seeing how much data (though not what data) has been written to the drive. This will take forever, especially if you have a large drive, like 1TB.
Getting the tools
Now we need to get the tools; this is relatively simple to do. Since we will need root privileges for almost the entire process, I recommend dropping to root immediately. To do this, simply type:
sudo su -l
We will assume that you are root for all commands below!!!
Now we need to update the packages and install cryptsetup and lvm2. To do this first type in:
apt-get update
apt-get install cryptsetup lvm2
Setting up the encrypted volume
Partitioning the disk
First we need to create a partition table; to do this we fire up fdisk. In this tutorial the disk we will be partitioning is /dev/sda.
- type: fdisk /dev/sda
- Type p to print the current partition table and use d to delete any existing partitions:
Command (m for help): p
- Create the first, primary, bootable, 250MB partition:
  - type: n
  - then: p
  - then: 1
  - then hit enter
  - then type: +250M
  - then: a
  - then: 1
  - and type: p, you should get something like:
Device     Boot  Start  End   Blocks     Id  System
/dev/sda1  *     1      33    265041     83  Linux
- Now create a single partition, taking up the rest of the space:
  - type: n
  - then: p
  - then: 2
  - then hit enter
  - then hit enter again
  - and type: p, you should get something like:
Device     Boot  Start  End   Blocks     Id  System
/dev/sda1  *     1      33    265041     83  Linux
/dev/sda2        34     2610  20699752+  83  Linux
- Now write the partition table to disk and exit fdisk by pressing: w
Create the encrypted Volume
Next step is to setup the encrypted volume. We “luksFormat” the partition we want to be our encrypted volume, in this example this is /dev/sda2. To encrypt the volume, you should select a nice password. If you are not good at making your own pseudo-random passwords, download pwgen AND DON’T LOSE THIS PASSWORD!!!
apt-get install pwgen
pwgen 20
Now we format the partition as a LUKS volume, which wipes whatever was on it. Enter your super-duper password at the prompt for the LUKS volume.
cryptsetup luksFormat /dev/sda2
Mount the encrypted volume
Now all that is left is opening the encrypted volume. The first parameter of the command is the physical partition or device that the encrypted volume resides on; the second parameter is the alias for the decrypted volume in /dev/mapper. In this example I called my decrypted volume sda2_crypt (this happens to also be the Debian naming scheme), but you can choose whatever you want. Enter the LUKS volume password at the prompt.
cryptsetup luksOpen /dev/sda2 sda2_crypt
Now that we should have the encrypted volume up and running, we can check by typing cryptsetup status /dev/mapper/sda2_crypt. You should see output similar to this:
/dev/mapper//dev/mapper/sda2_crypt is active:
cipher: aes-cbc-essiv:sha256
keysize: 128 bits
device: /dev/sda2
offset: 1032 sectors
size: 41398473 sectors
mode: read/write
Setting up LVM
Perfect, now we can make this a physical volume for LVM. If you have never used LVM before, it’s about time! I’m not gonna go into great detail about how it works; there are plenty of resources online explaining the differences between physical volumes, volume groups and logical volumes. Very briefly though: each logical volume resides on a single volume group, which resides on one or more physical volumes. So a volume group is a pool of physical devices which we can use to create logical volumes. In our case we will have one physical volume (/dev/mapper/sda2_crypt), one volume group (I called mine crypto in this example) and several logical volumes.
Create the Physical Volume
Lets go! Create the physical volume with:
pvcreate /dev/mapper/sda2_crypt
Create the Volume Group
Create a volume group with:
vgcreate crypto /dev/mapper/sda2_crypt
Create the Logical Volumes
And now create your logical volumes. You need at least a root and a swap, but you can create more. In this example I also created a /home and a /tmp partition (albeit pretty small). To create a logical volume use lvcreate -n<volume_name> -L<volume_size> crypto, where <volume_name> is the name of the volume (e.g. root), <volume_size> is the size of the volume (e.g. 10G or 512M) and crypto is, of course, the example name of our volume group from the previous step.
root@ubuntu:~# lvcreate -nroot -L10G crypto
Logical volume "root" created
root@ubuntu:~# lvcreate -nswap -L1G crypto
Logical volume "swap" created
root@ubuntu:~# lvcreate -nhome -L4G crypto
Logical volume "home" created
root@ubuntu:~# lvcreate -ntmp -L4G crypto
Logical volume "tmp" created
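The partition, luksFormat/luksOpen and LVM steps above, collected into one script. This is an added example and not code from the original post: the disk, partition, mapper name, volume group, sizes and the function and variable names are my own assumptions, with defaults that reproduce the post's layout (/dev/sda, sda2_crypt, crypto, 250M boot, the same four logical volumes). Instead of the post's interactive fdisk session it hands sfdisk a two-line script that produces the same layout, and it adds the two checks a practitioner wants before destroying a disk: it refuses to run if any partition of the target disk is mounted, and it verifies the LUKS header with cryptsetup isLuks before building LVM on top.

```shell
#!/bin/sh
# Added example, not code from the original post: partition -> LUKS -> LVM
# preparation as one script, dry-run by default (DRY_RUN=0 to really act).
# All variable names, defaults and function names are assumptions of this
# example; the defaults reproduce the post's layout.
DISK="${DISK:-/dev/sda}"                      # whole disk to repartition (destroyed!)
BOOT_SIZE="${BOOT_SIZE:-250M}"                # unencrypted /boot partition
CRYPT_PART="${CRYPT_PART:-${DISK}2}"          # partition that becomes the LUKS volume
MAPNAME="${MAPNAME:-sda2_crypt}"              # name under /dev/mapper once opened
VG="${VG:-crypto}"                            # LVM volume group on top of it
LVS="${LVS:-root:10G swap:1G home:4G tmp:4G}" # name:size pairs, as in the post
WIPE="${WIPE:-0}"                             # 1 = do the optional urandom fill first
DRY_RUN="${DRY_RUN:-1}"                       # 1 = print commands, 0 = execute them

# run: print the command in dry-run mode, execute it otherwise.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# refuse_if_mounted MOUNTS: fail if any partition of $DISK appears in the
# mount table MOUNTS (normally /proc/mounts). luksFormat and pvcreate on a
# mounted filesystem destroy it, so this check runs before anything else.
refuse_if_mounted() {
  if grep -Eq "^${DISK}p?[0-9]" "$1"; then
    echo "refusing to touch $DISK: one of its partitions is mounted" >&2
    return 1
  fi
  return 0
}

# partition_disk: first partition $BOOT_SIZE, Linux type, bootable; second
# partition takes the rest of the disk. sfdisk replaces any existing table.
partition_disk() {
  layout="$(printf ',%s,L,*\n,,L\n' "$BOOT_SIZE")"
  if [ "$DRY_RUN" = 1 ]; then
    printf 'sfdisk %s <<EOF\n%s\nEOF\n' "$DISK" "$layout"
  else
    printf '%s\n' "$layout" | sfdisk "$DISK"
  fi
}

# luks_setup: the post's luksFormat (prompts for the passphrase) and luksOpen,
# plus an isLuks check so a typo in CRYPT_PART is caught before LVM is built.
luks_setup() {
  run cryptsetup luksFormat "$CRYPT_PART"
  run cryptsetup isLuks "$CRYPT_PART"
  run cryptsetup luksOpen "$CRYPT_PART" "$MAPNAME"
  run cryptsetup status "$MAPNAME"
}

# lvm_setup: physical volume on the opened mapper device, one volume group,
# one logical volume per name:size pair in $LVS.
lvm_setup() {
  run pvcreate "/dev/mapper/$MAPNAME"
  run vgcreate "$VG" "/dev/mapper/$MAPNAME"
  for lv in $LVS; do
    run lvcreate -n "${lv%%:*}" -L "${lv#*:}" "$VG"
  done
}

# prepare_disk: the whole sequence in the post's order.
prepare_disk() {
  refuse_if_mounted /proc/mounts || return 1
  if [ "$WIPE" = 1 ]; then
    # dd exits non-zero when it reaches the end of the disk; that is the
    # normal way the optional fill finishes, so do not treat it as failure.
    run dd if=/dev/urandom of="$DISK" bs=1M || true
  fi
  partition_disk && luks_setup && lvm_setup
}

# Only act when explicitly asked; running without --go just defines the
# functions (and, with DRY_RUN=1, lets you print the plan piece by piece).
if [ "${1-}" = "--go" ]; then prepare_disk; fi
```

Run it once without DRY_RUN=0 to see the exact command list for your variables, then as root with DRY_RUN=0 and --go from the live session. The cipher shown in the post's cryptsetup status output (aes-cbc-essiv:sha256, 128-bit key) is the Karmic-era default; a current cryptsetup picks aes-xts-plain64 with a longer key on its own, so there is no need to pass cipher options to luksFormat.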
Now we’re ready to install!
Installation
The installation should be completely normal, the only changes you have to make are at the Partitioning screen.
Partitioning
Formatting
At the next screen remember to set mountpoints for your partitions and mark them to be formatted. I chose to use ext2 for my boot partition (/dev/sda1), mostly for legacy reasons. Make sure the swap logical volume is formatted as swap; otherwise format the other partitions (i.e. root, tmp and home) however you want, I chose ext4. Again, MAKE SURE YOU ARE SETTING MOUNTPOINTS and DO NOT format /dev/sda2!!!
Finishing the Installation
Now click forward and let the installer finish. Remember to NOT RESTART at the very end, select “Continue Testing”.
Getting the missing bits and pieces
Now, fire up a Terminal again, drop to root (sudo su -l). We will need to mount the new system, create an /etc/crypttab entry and install some missing packages.
Mount the new system
To mount the partitions do the following:
- create a mount point: mkdir -p /mnt/newroot
- mount the root: mount /dev/crypto/root /mnt/newroot
- mount proc: mount /proc /mnt/newroot/proc -t proc
- mount your boot partition: mount /dev/sda1 /mnt/newroot/boot
- mount any other partitions (e.g. /tmp, /home, /var…): mount /dev/crypto/<vol_name> /mnt/newroot/<mount_name>
chroot into the new environment
Now we are going to chroot into this environment; to do this type: chroot /mnt/newroot. If you got no errors and the command pwd returns /, you should be good.
Create an /etc/crypttab
Now we need to create the /etc/crypttab entry and install the missing packages:
To create an entry in /etc/crypttab (adjusting the names if yours differ from this example), simply do:
echo "sda2_crypt /dev/sda2 none luks" >> /etc/crypttab
Your /etc/crypttab should now look something like this, when you type cat /etc/crypttab.
# <target name> <source device> <key file> <options>
sda2_crypt /dev/sda2 none luks
Install the missing packages
Now we only need to install the missing packages, the rest will be done by dpkg’s scripts.
- apt-get update
- apt-get install lvm2 cryptsetup
Unmount the partitions
That’s it! Now exit the chroot and unmount all the volumes:
- to exit the chroot simply type: exit
- to unmount all the mountpoints within /mnt/newroot, type comma-separated in curly brackets what you want to unmount: umount /mnt/newroot/{boot,home,tmp,proc}
- you should now be able to unmount /mnt/newroot; if not, check that you unmounted all partitions in the previous step: umount /mnt/newroot
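The post-install fix-up (mount the new system, add the /etc/crypttab entry, install cryptsetup and lvm2 inside the chroot, unmount) as one script run as root from the live session. This is an added example, not code from the original post; the variable and function names and the defaults are my own assumptions, matching the post's layout (volume group crypto, /boot on /dev/sda1, LUKS on /dev/sda2, mapper name sda2_crypt). Two things go beyond the post: the crypttab source is written as UUID=… when blkid can read the LUKS partition's UUID, which keeps booting working if the disk is ever renumbered (the post's /dev/sda2 form is the fallback), and the entry is only appended if the target name is not already there, so re-running the script does not leave a duplicate line.

```shell
#!/bin/sh
# Added example, not code from the original post: post-install fix-up of a
# freshly installed system on LUKS + LVM. Variable names, defaults and
# function names are assumptions of this example.
NEWROOT="${NEWROOT:-/mnt/newroot}"      # where the new root gets mounted
VG="${VG:-crypto}"                      # volume group created earlier
BOOT_PART="${BOOT_PART:-/dev/sda1}"     # unencrypted /boot partition
CRYPT_PART="${CRYPT_PART:-/dev/sda2}"   # the LUKS partition
MAPNAME="${MAPNAME:-sda2_crypt}"        # mapper name used in /etc/crypttab
EXTRA_LVS="${EXTRA_LVS:-home tmp}"      # extra logical volumes, mounted at /<name>

# crypttab_line TARGET SOURCE: the four-field entry from the post,
# "<target name> <source device> <key file> <options>", no key file, luks option.
crypttab_line() { printf '%s %s none luks\n' "$1" "$2"; }

# crypttab_source DEVICE: "UUID=<uuid>" of the LUKS partition when blkid can
# read one, otherwise the plain device path, exactly as the post uses.
crypttab_source() {
  uuid="$(blkid -s UUID -o value "$1" 2>/dev/null || true)"
  if [ -n "$uuid" ]; then echo "UUID=$uuid"; else echo "$1"; fi
}

# crypttab_has_target FILE TARGET: true if a non-comment line in FILE already
# names TARGET in its first field.
crypttab_has_target() {
  [ -f "$1" ] || return 1
  grep -v '^[[:space:]]*#' "$1" | awk -v t="$2" '$1 == t { found = 1 } END { exit !found }'
}

# add_crypttab_entry: append the entry to the new system's crypttab if missing.
# Written from outside the chroot, so no chroot is needed for this step.
add_crypttab_entry() {
  f="$NEWROOT/etc/crypttab"
  if crypttab_has_target "$f" "$MAPNAME"; then
    echo "$f already has an entry for $MAPNAME" >&2
    return 0
  fi
  crypttab_line "$MAPNAME" "$(crypttab_source "$CRYPT_PART")" >> "$f"
}

# mount_newroot: the post's mounts, plus /sys and a bind mount of /dev, which
# the package scripts that rebuild the initramfs expect to find in a chroot.
mount_newroot() {
  mkdir -p "$NEWROOT"
  mount "/dev/$VG/root" "$NEWROOT"
  mount "$BOOT_PART" "$NEWROOT/boot"
  for lv in $EXTRA_LVS; do mount "/dev/$VG/$lv" "$NEWROOT/$lv"; done
  mount -t proc proc "$NEWROOT/proc"
  mount -t sysfs sys "$NEWROOT/sys"
  mount --bind /dev "$NEWROOT/dev"
}

# install_in_chroot: the two apt-get steps from the post, run inside the
# chroot; the packages' scripts then regenerate the initramfs with the
# crypttab entry in place.
install_in_chroot() {
  chroot "$NEWROOT" apt-get update
  chroot "$NEWROOT" apt-get install -y lvm2 cryptsetup
}

# unmount_newroot: everything mounted under the new root, then the root itself.
unmount_newroot() {
  for m in dev sys proc $EXTRA_LVS boot; do umount "$NEWROOT/$m"; done
  umount "$NEWROOT"
}

finish_install() {
  mount_newroot && add_crypttab_entry && install_in_chroot && unmount_newroot
}

# Only act when explicitly asked; running without --go just defines the functions.
if [ "${1-}" = "--go" ]; then finish_install; fi
```

After it finishes, cat /mnt/newroot/etc/crypttab before rebooting is still worth doing: the first field must be the same name the LVM physical volume sits on under /dev/mapper, or the initramfs will ask for a passphrase for a device that the root volume group does not live on.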
Reboot… pray
Now type in reboot and cross your fingers! Hopefully you are welcomed by a screen like this:
Troubleshooting
Ideally it all went well, and you don’t have any complaints, however, I will create a troubleshooting section as comments rain in, so please do comment.
Thanks for reading, can’t wait to see some comments.
D Yi
27 January 2010 at 7:33
The only problem I ran into was during mounting where I would get an “already mounted” or “busy” error. For some reason I had duplicate /dev/mapper partitions (e.g. /dev/mapper/crypto-root and /dev/mapper/crypto-rootp2).
I got around this by “preformatting” (i.e. mkfs.ext4 /dev/crypto/root, etc.) before installation. Then during the installation I specify mountpoints and format only the boot partition.
Martin
1 February 2010 at 14:35
Thanks !
Love this tutorial, Thanks ,
Find this tutorial to be easier than other tutorials, which often involve long script code to make initramfs images. I guess Ubuntu’s initramfs is already prepared for this?
Henrik M.
25 February 2010 at 21:38
Now create a single partition, taking up the rest of the space:
1. type: n
2. then: p
3. then: 1 <———– not 1 but 2, or am I wrong?
4. then hit enter
5. then hit enter again
6. and type: p, you should get something like:
Device Boot Start End Blocks Id System
/dev/sda1 * 1 33 265041 83 Linux
/dev/sda2 34 2610 20699752+ 83 Linux
russo.
25 February 2010 at 21:42
Yes: n, p, 2. Thanks for the correction.