Ubuntu 9.10 Karmic LUKS + LVM Root Encryption with Desktop or Netinstall CD

So after recently migrating my backup server to a Debian LUKS setup, I decided to move my Ubuntu desktop to such a setup as well. If there are so many great free, open-source encryption solutions, why doesn’t everyone use them?

In any case, setting up a LUKS + LVM root on Debian is a breeze; in fact, the installer does everything for you. And the Ubuntu Desktop CD? Well, not so much, unfortunately. You could use the alternate or server CD, but this was not possible for me: I only had the desktop CD on a USB stick. Since Ubuntu also uses apt, it’s really just more or less a matter of installing what’s missing; dpkg will do the rest!

It goes a little something like this…

Pre-flight

Before we begin…

  1. Boot the Ubuntu Karmic CD into “LiveCD” mode; this is the option called “Try Ubuntu without any change to your computer”.
  2. You will need an internet connection to download the latest versions of the missing programs, so make sure you have connectivity from the LiveCD.
  3. Make sure you know the device name of the drive you are installing to; in this howto it will be /dev/sda.
  4. You will need a separate, unencrypted boot partition. It is entirely possible to have this on a different device, such as a USB stick; however, here we assume that the boot partition is the first partition of the internal hard drive, i.e. /dev/sda1.
  5. Open up a Terminal (Man up sissy boy – Applications > Accessories > Terminal)
  6. (Optional) Fill your drive with random data: dd if=/dev/urandom of=/dev/sda. This prevents people from seeing how much data has been written to the drive (what data has been written is already hidden by the encryption). This will take forever, especially if you have a large drive, like 1TB.

Getting the tools

Now we need to get the tools; this is relatively simple. Since we will need root privileges for almost the entire process, I recommend dropping to root immediately. To do this, simply type:

sudo su -l

We will assume that you are root for all commands below!!!

Now we need to update the packages and install cryptsetup and lvm2. To do this first type in:

  1. apt-get update
  2. apt-get install cryptsetup lvm2

Setting up the encrypted volume

Partitioning the disk

First we need to create a partition table; to do this we fire up fdisk. In this tutorial the disk we will be partitioning is /dev/sda.

  1. type: fdisk /dev/sda
  2. Type p to print the current partition table and use d to delete any existing partitions:

      Command (m for help): p
  3. Create the first, primary, bootable, 250MB partition:
    1. type: n
    2. then: p
    3. then: 1
    4. then hit enter
    5. then type: +250M
    6. then: a
    7. then: 1
    8. and type: p; you should get something like:

      Device Boot Start End Blocks Id System
      /dev/sda1 * 1 33 265041 83 Linux
  4. Now create a single partition, taking up the rest of the space:
    1. type: n
    2. then: p
    3. then: 2
    4. then hit enter
    5. then hit enter again
    6. and type: p; you should get something like:

      Device Boot Start End Blocks Id System
      /dev/sda1 * 1 33 265041 83 Linux
      /dev/sda2 34 2610 20699752+ 83 Linux
  5. now press w to write the new partition table to disk

Create the encrypted Volume

The next step is to set up the encrypted volume. We “luksFormat” the partition we want to be our encrypted volume; in this example this is /dev/sda2. To encrypt the volume you should select a nice password. If you are not good at making your own pseudo-random passwords, download pwgen. AND DON’T LOSE THIS PASSWORD!!!

  1. apt-get install pwgen
  2. pwgen 20

Now we format the partition as a LUKS volume (this wipes whatever was on it). Enter your super-duper password at the prompt for the LUKS volume.

cryptsetup luksFormat /dev/sda2

Mount the encrypted volume

Now all that is left is opening the encrypted volume. The first parameter of the command is the physical partition or device that the encrypted volume resides on; the second parameter is the alias for the decrypted volume in /dev/mapper. In this example I called my decrypted volume sda2_crypt (this happens to also be the Debian naming scheme), however you can choose whatever you want. Enter the LUKS volume password at the prompt.

cryptsetup luksOpen /dev/sda2 sda2_crypt

Now that the encrypted volume should be up and running, we can check by typing cryptsetup status /dev/mapper/sda2_crypt. You should see similar output:

/dev/mapper//dev/mapper/sda2_crypt is active:
cipher: aes-cbc-essiv:sha256
keysize: 128 bits
device: /dev/sda2
offset: 1032 sectors
size: 41398473 sectors
mode: read/write

Setting up LVM

Perfect, now we can make this a physical volume for LVM. If you have never used LVM before, it’s about time! I’m not going to go into great detail about how it works; there are plenty of resources online explaining the differences between physical volumes, volume groups and logical volumes. Very briefly though: each logical volume resides on a single volume group, which in turn resides on one or more physical volumes. So a volume group is a pool of physical devices from which we can create logical volumes. In our case we will have one physical volume (/dev/mapper/sda2_crypt), one volume group (I called mine crypto in this example) and several logical volumes.

Create the Physical Volume

Let’s go! Create the physical volume with:

pvcreate /dev/mapper/sda2_crypt

Create the Volume Group

Create a volume group with:

vgcreate crypto /dev/mapper/sda2_crypt

Create the Logical Volumes

And now create your logical volumes. You need at least a root and a swap, but you can create more. In this example I also created a /home and a /tmp volume (albeit pretty small). To create a logical volume use lvcreate -n<volume_name> -L<volume_size> crypto, where <volume_name> is the name of the volume (e.g. root), <volume_size> is the size of the volume (e.g. 10G or 512M) and crypto is, of course, the example name of our volume group from the previous step.

root@ubuntu:~# lvcreate -nroot -L10G crypto
Logical volume "root" created
root@ubuntu:~# lvcreate -nswap -L1G crypto
Logical volume "swap" created
root@ubuntu:~# lvcreate -nhome -L4G crypto
Logical volume "home" created
root@ubuntu:~# lvcreate -ntmp -L4G crypto
Logical volume "tmp" created
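As an added check that is not part of the original post: the sizes passed to lvcreate have to fit inside the opened LUKS device, and LVM first rounds the physical volume down to whole extents. The script below takes the sector count from the cryptsetup status output above (41398473 sectors) and the four -L sizes from the session above, and reports whether the plan fits and with how much margin. It assumes 512-byte sectors, LVM's default 4 MiB extent size and 1 MiB of physical-volume metadata at the start of the device, and that lvcreate's G and M are binary units (GiB, MiB); adjust the constants if your pvcreate/vgcreate used other values.

```shell
#!/bin/sh
# Added example (not from the original post): check that a planned set of
# logical volumes fits inside the opened LUKS device before running lvcreate.
# Inputs below are the numbers shown in the post: 41398473 sectors for
# /dev/mapper/sda2_crypt and the sizes root 10G, swap 1G, home 4G, tmp 4G.

# Size in bytes of the opened LUKS device, from the "size: N sectors" line.
luks_bytes() {
    # $1 = sector count, $2 = sector size (512 bytes here; assumption)
    echo $(( $1 * ${2:-512} ))
}

# Convert an lvcreate -L size (10G, 512M, ...) to bytes. LVM's G and M are
# binary units, so 10G is 10 GiB.
size_to_bytes() {
    case "$1" in
        *G) echo $(( ${1%G} * 1024 * 1024 * 1024 )) ;;
        *M) echo $(( ${1%M} * 1024 * 1024 )) ;;
        *)  echo "unknown size unit in '$1' (use G or M)" >&2; return 1 ;;
    esac
}

# Sum a list of lvcreate sizes, in bytes.
total_bytes() {
    total=0
    for s in "$@"; do
        b=$(size_to_bytes "$s") || return 1
        total=$(( total + b ))
    done
    echo "$total"
}

# Bytes actually allocatable from a PV of $1 bytes: LVM keeps metadata at the
# start of the PV (1 MiB assumed, the modern default alignment) and only hands
# out whole physical extents (4 MiB default).
usable_bytes() {
    pe=$(( 4 * 1024 * 1024 ))
    meta=$(( 1024 * 1024 ))
    echo $(( ( ($1 - meta) / pe ) * pe ))
}

# lv_plan_fits <sectors> <size>...: prints the numbers in MiB and returns 0 if
# the requested volumes fit, 1 otherwise.
lv_plan_fits() {
    sectors=$1; shift
    avail=$(usable_bytes "$(luks_bytes "$sectors")")
    want=$(total_bytes "$@") || return 1
    margin=$(( (avail - want) / 1024 / 1024 ))
    echo "available: $(( avail / 1024 / 1024 )) MiB, requested: $(( want / 1024 / 1024 )) MiB, margin: $margin MiB"
    [ "$want" -le "$avail" ]
}

# The post's plan on the post's device: fits, with roughly 756 MiB to spare.
lv_plan_fits 41398473 10G 1G 4G 4G
```

Run it before the lvcreate commands; if it reports a negative margin, shrink one of the -L values (the last lvcreate would otherwise fail with an "insufficient free space" error). The leftover extents are not wasted: a logical volume can be grown into them later with lvextend.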

Now we’re ready to install!

Installation

The installation should be completely normal; the only changes you have to make are at the Partitioning screen.

Partitioning

Select: Specify Partitions manually at this screen

Formatting

At the next screen, remember to set mount points for your partitions and to have them formatted. I chose to use ext2 for my boot partition (/dev/sda1), mostly for legacy reasons. Make sure the swap logical volume is formatted as swap; the other partitions (i.e. root, tmp and home) you can format however you want, I chose ext4. Again, MAKE SURE YOU ARE SETTING MOUNTPOINTS and DO NOT format /dev/sda2!!!

Remember to select mountpoints, filesystems and format the partitions at this screen.

Finishing the Installation

Now click forward and let the installer finish. Remember to NOT RESTART at the very end, select “Continue Testing”.

Select "Continue Testing" here!

Getting the missing bits and pieces

Now fire up a Terminal again and drop to root (sudo su -l). We will need to mount the new system, create an /etc/crypttab entry and install some missing packages.

Mount the new system

To mount the partitions, do the following:

  1. create a mount point: mkdir -p /mnt/newroot
  2. mount the root: mount /dev/crypto/root /mnt/newroot
  3. mount proc: mount /proc /mnt/newroot/proc -t proc
  4. mount your boot partition: mount /dev/sda1 /mnt/newroot/boot
  5. mount any other partitions (e.g. /tmp, /home, /var…): mount /dev/crypto/<vol_name> /mnt/newroot/<mount_name>

chroot into the new environment

Now we are going to chroot into this environment. To do this type: chroot /mnt/newroot. If you got no errors and the command pwd returns /, you should be good.

Create an /etc/crypttab

Now we need to create the /etc/crypttab entry. To create it (adjusting the names if yours differ), simply do:

echo "sda2_crypt /dev/sda2 none luks" >> /etc/crypttab

Your /etc/crypttab should now look something like this when you type cat /etc/crypttab:

# <target name> <source device> <key file> <options>
sda2_crypt /dev/sda2 none luks
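Before rebooting it is worth checking the crypttab you just wrote, since a malformed or mismatched entry is the usual reason the root volume is not unlocked at boot. The script below is an added example (not from the post): crypttab_check reads a crypttab file, verifies that every entry has the four fields in the right form and a known volume type in its options, and flags two mistakes with security consequences (a key file stored on the unencrypted /boot partition, and a /dev/urandom key on a volume that is not marked swap or tmp, which would make it unreadable after the next boot). status_field pulls a field out of the cryptsetup status output shown earlier, so the demo can confirm that the device in crypttab is the device the active mapping actually sits on. The crypttab line and the status text are constructed copies of the post's own; run crypttab_check on /mnt/newroot/etc/crypttab (or /etc/crypttab inside the chroot) to check the real file.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check /etc/crypttab before
# rebooting, and cross-check it against "cryptsetup status" output.

# crypttab_check <file>: prints one line per problem, returns 1 if any found.
crypttab_check() {
    file=$1; problems=0
    while read -r target source keyfile options rest; do
        case "$target" in ''|'#'*) continue ;; esac   # blank lines and comments
        if [ -z "$options" ]; then
            echo "$target: expected 4 fields: <target> <source> <key file> <options>"
            problems=$(( problems + 1 )); continue
        fi
        if [ -n "$rest" ]; then
            echo "$target: unexpected extra field(s) '$rest' (options are comma-separated, no spaces)"
            problems=$(( problems + 1 ))
        fi
        # the options must name the volume type so the boot scripts know what to do with it
        case ",$options," in
            *,luks,*|*,swap,*|*,tmp,*) ;;
            *) echo "$target: options '$options' name no volume type (luks, swap or tmp)"
               problems=$(( problems + 1 )) ;;
        esac
        # a key file on the unencrypted boot partition defeats the encryption
        case "$keyfile" in
            /boot/*) echo "$target: key file $keyfile lives on the unencrypted boot partition"
                     problems=$(( problems + 1 )) ;;
        esac
        # a random key only makes sense for volumes recreated on every boot (swap, tmp)
        case "$keyfile:,$options," in
            /dev/urandom:*,swap,*|/dev/urandom:*,tmp,*|/dev/random:*,swap,*|/dev/random:*,tmp,*) ;;
            /dev/*random:*) echo "$target: random key without the swap or tmp option would be unreadable after reboot"
                            problems=$(( problems + 1 )) ;;
        esac
        case "$source" in
            /dev/*|UUID=*) ;;
            *) echo "$target: source '$source' is not a /dev path or UUID="
               problems=$(( problems + 1 )) ;;
        esac
    done < "$file"
    echo "$problems problem(s) in $file"
    [ "$problems" -eq 0 ]
}

# status_field <name>: reads "cryptsetup status" output on stdin, prints the
# value of the "<name>:" line (e.g. device -> /dev/sda2).
status_field() {
    awk -v f="$1:" '$1 == f { $1 = ""; sub(/^ /, ""); print; exit }'
}

# crypttab_source <target> <file>: prints the source device of a crypttab entry.
crypttab_source() {
    awk -v t="$1" '$1 == t { print $2; exit }' "$2"
}

# Constructed input: the status output the post shows for sda2_crypt.
STATUS='/dev/mapper//dev/mapper/sda2_crypt is active:
cipher: aes-cbc-essiv:sha256
keysize: 128 bits
device: /dev/sda2
offset: 1032 sectors
size: 41398473 sectors
mode: read/write'

# demo: check a constructed crypttab holding the post's entry, then confirm
# its source device matches the device behind the active mapping.
demo() {
    f=$(mktemp)
    printf '# <target name> <source device> <key file> <options>\nsda2_crypt /dev/sda2 none luks\n' > "$f"
    crypttab_check "$f" || { rm -f "$f"; return 1; }
    dev=$(printf '%s\n' "$STATUS" | status_field device)
    [ "$(crypttab_source sda2_crypt "$f")" = "$dev" ] && echo "crypttab source matches active device $dev"
    rc=$?
    rm -f "$f"
    return $rc
}
demo
```

On the live system the cross-check is simply crypttab_check /etc/crypttab followed by cryptsetup status sda2_crypt | status_field device compared against crypttab_source sda2_crypt /etc/crypttab; a mismatch means the initramfs will wait for a device that is not the one you formatted.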

Install the missing packages

Now we only need to install the missing packages; the rest will be done by dpkg’s scripts.

  1. apt-get update
  2. apt-get install lvm2 cryptsetup

Unmount the partitions

That’s it! Now exit the chroot and unmount all the volumes:

  1. to exit the chroot simply type: exit
  2. to unmount all the mount points within /mnt/newroot, type comma-separated in curly brackets what you want to unmount: umount /mnt/newroot/{boot,home,tmp,proc}
  3. you should now be able to unmount /mnt/newroot; if not, check whether you unmounted all partitions in step 2: umount /mnt/newroot
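The mount, chroot, crypttab, package and unmount steps above, written as one script (an added example, not the post's own commands). What it adds over typing the steps by hand is cleanup: every mount is recorded, and a trap unmounts them in reverse order when the script exits, so a failure inside the chroot never leaves /mnt/newroot half-mounted or makes the final umount fail with "busy". The device and volume names default to the ones used in this howto (/dev/sda1, /dev/sda2, volume group crypto, mapping sda2_crypt, extra volumes home and tmp); these are assumptions, overridable through the environment variables at the top. Without the --apply argument it only prints the commands it would run, which is also how the default invocation at the bottom exercises it without root.

```shell
#!/bin/sh
# Added example (not the post's own commands): mount the freshly installed
# system, add the crypttab entry and the missing packages from inside a chroot,
# and unmount everything again in reverse order, even if a step fails.
# Usage:  sh newroot.sh            -> dry run, prints the commands
#         sh newroot.sh --apply    -> as root on the LiveCD, really does it
NEWROOT=${NEWROOT:-/mnt/newroot}
BOOTDEV=${BOOTDEV:-/dev/sda1}
LUKSDEV=${LUKSDEV:-/dev/sda2}
MAPNAME=${MAPNAME:-sda2_crypt}
VG=${VG:-crypto}
EXTRA_LVS=${EXTRA_LVS:-"home:/home tmp:/tmp"}   # <lv>:<mount point>, the post's layout (assumption)

# run: echo the command in dry-run mode, execute it otherwise.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

MOUNTED=""          # mount points, most recent first: already in unmount order
do_mount() {        # do_mount <source> <mount point> [mount options...]
    src=$1; dst=$2; shift 2
    run mount "$@" "$src" "$dst" || return 1
    MOUNTED="$dst $MOUNTED"
}
cleanup() {
    for m in $MOUNTED; do run umount "$m"; done
    MOUNTED=""
}
# unmount_order: one mount point per line, in the order cleanup will unmount them.
unmount_order() { printf '%s\n' $MOUNTED; }

mount_newroot() {
    run mkdir -p "$NEWROOT" || return 1
    do_mount "/dev/$VG/root" "$NEWROOT" || return 1
    do_mount proc "$NEWROOT/proc" -t proc || return 1
    do_mount "$BOOTDEV" "$NEWROOT/boot" || return 1
    for pair in $EXTRA_LVS; do
        do_mount "/dev/$VG/${pair%%:*}" "$NEWROOT${pair#*:}" || return 1
    done
}

# The post's chroot steps. The grep guard keeps a re-run from appending a
# duplicate crypttab line.
configure_newroot() {
    run chroot "$NEWROOT" sh -c "grep -q '^$MAPNAME ' /etc/crypttab 2>/dev/null || echo '$MAPNAME $LUKSDEV none luks' >> /etc/crypttab" || return 1
    run chroot "$NEWROOT" apt-get update || return 1
    run chroot "$NEWROOT" apt-get install -y lvm2 cryptsetup
}

main() {
    trap cleanup EXIT           # unmount in reverse order on success, failure or Ctrl-C
    mount_newroot && configure_newroot
}

case "${1:-}" in
    --apply) main ;;
    *)       DRY_RUN=1; main ;;
esac
```

In the dry run the printed umount lines come out last and in reverse order (tmp, home, boot, proc, then /mnt/newroot itself), which is exactly the sequence the manual steps above rely on you getting right.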

Reboot… pray

Now type reboot and cross your fingers! Hopefully you are welcomed by a screen like this:

If all went well, Ubuntu's splash screen should ask you for the password

Troubleshooting

Ideally it all went well and you don’t have any complaints; however, I will create a troubleshooting section as comments rain in, so please do comment.

Thanks for reading, I can’t wait to see some comments.

8 Responses to “Ubuntu 9.10 Karmic LUKS + LVM Root Encryption with Desktop or Netinstall CD”

  1. D Yi

    27 January 2010 at 07:33

    The only problem I ran into was during mounting where I would get an “already mounted” or “busy” error. For some reason I had duplicate /dev/mapper partitions (e.g. /dev/mapper/crypto-root and /dev/mapper/crypto-rootp2).

    I got around this by “preformating” (i.e. mkfs.ext4 /dev/crypto/root, etc.) before installation. Then during the installation I specify mountpoints and format only the boot partition.

  2. Martin

    1 February 2010 at 14:35

    Thanks !

    Love this tutorial, Thanks ,

    I find this tutorial to be easier than other tutorials, which often involve long script code to make initramfs images. I guess Ubuntu’s initramfs is already prepared for this?

  3. Henrik M.

    25 February 2010 at 21:38

    Now create a single partition, taking up the rest of the space:

    1. type: n
    2. then: p
    3. then: 1 <———– not 1 but 2, or am I wrong?
    4. then hit enter
    5. then hit enter again
    6. and type: p, you should get something like:

    Device Boot Start End Blocks Id System
    /dev/sda1 * 1 33 265041 83 Linux
    /dev/sda2 34 2610 20699752+ 83 Linux

  4. russo.

    25 February 2010 at 21:42

    Yes, n, p, 2. Thanks for the correction :)

  5. Sean

    28 February 2010 at 19:25

    Worked great! Thanks!!

    Thanks also to Yi. I had the same “already mounted” error, and did what he described to work around it.

  6. craig0927

    4 April 2010 at 05:10

    I get to the install step, and it won’t allow me to format or set any of the LVMs’ mount points. I’ve tried it twice now.

    I can see the volumes, but the “change” button is grayed out.

  7. craig0927

    4 April 2010 at 07:41

    P.S.
    I had to load these modules before running the install, then everything worked as expected.
    modprobe dm-crypt
    modprobe sha256
    modprobe aes

  8. Ruben

    18 April 2010 at 15:07

    Thanks for this great howto!
    I only had to use this for crypttab; otherwise it wouldn’t be unlocked:
    root /dev/sda2 none luks
    home /dev/sda2 none luks
    cryptoswap swap /dev/urandom swap
    Hope this helps others.