Archive for September, 2012

LUKS Full disk encryption with Ubuntu 12.04 using the Ubiquity installer.

Posted in Uncategorized on September 1, 2012 by voline

As noted before, there are plenty of articles on installing Ubuntu with full disk encryption. But they all recommend using the alternative install cd, which is not using Ubuntu’s ubiquity installer. If you want an Ubuntu desktop install exactly as Ubuntu developer’s intended, as I did, then read on.  Note: This is written based on the 12.04LTS installer, but much of the process may work with other versions.

  1. Boot into desktop live cd.
  2. apt-get install lvm2
    • If you don’t want to stuff your filesystem inside an LVM container, you may ignore this
  3. cryptsetup luksFormat -c twofish-xts-plain64 -s 512 <partition>
  4. cryptsetup luksOpen <partition> <luks dm device name>
    • Keep in mind that the luks device name must be the same name as the one in your crypttab that we create later.  Otherwise update-initramfs will not pick it up (that one bit me hard).
  5. vgcreate <vol group name> <luks dm device path>
  6. lvcreate -n <logical vol name> -l 100%VG <vol group name>
  7. mkfs.<desired fs> <logical volume device path>
    • This is actually an important step.  Currently the Ubiquity installer will not install a filesystem on a raw logical volume.  Without this step, you will later be compelled by the installer to install a partition table on the logical volume, which at best is a waste of space an additional unnecessary complexity.
  8. ubiquity [-b]
    • Note that you can not use the luks device as the boot device, when at the manual partitioning step below.  In most cases you don’t want this anyway because you run into the chicken-egg problem when booting (how to decrypt the boot loader at boot time when you need to boot loader to decrypt the device?)  I get around that by having an unencrypted chicken on a USB device.   However, without the ‘-b’ option, ubiquity forces me to choose a boot device and errors when I set the boot device to the luks device (there’s no other device that I want the boot partition to be).
    1. Choose manual partitioning.  You should see a line with the logical volume with the filesystem on it.
    2. Edit the logical volume, setting the label to ‘/’  and be sure that “Use as” is set to the correct filesystem.
    3. Continue with the installer until it finishes, but do not restart.
  9. Chroot into the newly installed target filesystem and prepare for updating grub.
    1. mount --bind /dev /target/dev
    2. sudo chroot /target
    3. apt-get install lvm2 — again if needed
    4. mount /proc
  10. create /etc/crypttab
    • Remember the source device name must match the current /dev/mapper name.
  11. update_initramfs -u
  12. update_grub
  13. boot into your new system.

LVM is entirely optional here, but I’ve included it because I find it to be a more flexible setup.  Also there does exist similar instructions on ubuntu’s help site that predate’s this post.  However, there’s no mention of the work around above to not having to install a partition table on the luks/lvm device.  As such, it would not precisely work for me.  This issue may be recent as of 12.04.