Even though recent distribution installers support filesystem encryption out of the box, it is worth understanding how it actually works underneath, especially on the day your system fails to boot :).
Most of the literature found on the Internet covers how to set up LVM on top of a partition encrypted with LUKS. This tutorial takes the opposite approach and explains how to create LUKS encrypted volumes on top of LVM. The reason.... I wanted to be able to keep some volumes (here, swap) unencrypted :D.
This tutorial was done with an Ubuntu 8.04 live CD, but the process should be roughly the same on other distributions.
As we are going to play with partitions, and thus risk data loss... the following is worth repeating:
Back up your data before reading any further!!!!
Boot your PC from the live CD and make sure you choose "Try Ubuntu without installing". Once the desktop has loaded, open a terminal and become root:
$ sudo su -
Then install the packages needed to set up LVM and LUKS (neither is on the desktop live CD by default):
# apt-get install cryptsetup lvm2
Finally, load the kernel module that implements LUKS/dm-crypt (the LVM tools load the device-mapper core, dm-mod, themselves; if /dev/mapper/control is missing afterwards, modprobe dm-mod as well):
# modprobe dm-crypt
Here, we are going to partition the disk as follows:
/dev/sda1   200 MB          /boot, a plain unencrypted partition (the boot loader and kernel must be readable before anyone can ask for a passphrase)
/dev/sda2   rest of disk    type 8e (Linux LVM), the physical volume of the volume group "lvmvolume"
The lvmvolume volume group will then be divided into 3 logical volumes:
encryptedroot   5 GB      LUKS, opened as /dev/mapper/rootvolume and mounted on /
swap            512 MB    plain swap, left unencrypted
encryptedhome   2 GB      LUKS, opened as /dev/mapper/homevolume and mounted on /home
So, first, let's create the physical partitions with fdisk. They will hold our /boot partition and the LVM physical volume. Where fdisk asks for a first or last cylinder and no value is shown below, press Enter to accept the default:
# fdisk /dev/sda
## /boot: new primary partition 1, 200 MB
n
p
1
<Enter>
+200M
## LVM volume: new primary partition 2, taking the rest of the disk
n
p
2
<Enter>
<Enter>
## set the type of partition 2 to 8e (Linux LVM)
t
2
8e
## write the partition table to disk (fdisk exits after this)
w
###
Check the result with fdisk -l /dev/sda: sda1 should show type 83 (Linux) and sda2 type 8e (Linux LVM).
Now that we have our LVM placeholder, we need to set it up. To do this, we: create the physical volume, create the volume group, and then create the logical volumes in this volume group.
If your LVM is already set up (for example when coming back with the live CD to repair the system), run: # vgchange -ay lvmvolume to activate the volume group and make its logical volumes appear under /dev/lvmvolume/.
Let's create the physical volume first:
# pvcreate /dev/sda2
then, the volume group:
# vgcreate lvmvolume /dev/sda2
finally, we create the logical volumes:
# lvcreate -L 5G -n encryptedroot lvmvolume
# lvcreate -L 512M -n swap lvmvolume
# lvcreate -L 2G -n encryptedhome lvmvolume
Note that swap stays unencrypted in this layout (that was the point of the exercise), but be aware of what it means: anything the kernel swaps out, including passphrases and the contents of documents you are editing, lands on disk in clear. If that matters to you, encrypt swap as well (crypttab can key it from /dev/urandom with a fresh key at every boot) or do not use swap at all.
Ok, now we have our layout almost set up; we just need to encrypt the volumes for / and /home and format them. The first thing to do is to fill those volumes with random data, so that an attacker looking at the raw disk cannot tell how much of the volume actually holds ciphertext, and cannot recover leftovers of whatever was written there before. There are two ways of doing it: a fairly fast one and a really slow but thorough one.
With badblocks you verify that the physical disk is fine and, at the same time, fill it with pseudo-random data (badblocks' random pattern is not cryptographic quality, but it is good enough to hide the layout):
# badblocks -c 10240 -s -w -t random -v /dev/lvmvolume/encryptedhome
# badblocks -c 10240 -s -w -t random -v /dev/lvmvolume/encryptedroot
We can use dd to read random data from /dev/urandom and write it over the soon-to-be encrypted volumes:
Note that this is really long and slow, but the output of /dev/urandom cannot be told apart from the ciphertext that will later be written over it. (Contrary to what is sometimes claimed, this does not make the key any harder to find; it only hides where the encrypted data is.) The bs=1M below speeds dd up considerably compared to the 512-byte default, and dd ending with "No space left on device" is expected: it simply reached the end of the volume.
# dd if=/dev/urandom of=/dev/lvmvolume/encryptedroot bs=1M
# dd if=/dev/urandom of=/dev/lvmvolume/encryptedhome bs=1M
For an ETA, the Ubuntu community encryption tutorial mentions:
Fill the partitions with random data. This may take MANY hours for the large partitions, on average 1.6M/sec of data is written to disk, so a 10GB partition might take around 2 hours, and 100GB partition might take a bit under 20 hours.
In the meantime you can hope that the tutorial is going to work :)
Ok, now that our volumes are full of random bytes, we can set up the encryption layer with the help of cryptsetup. -y asks for the passphrase twice; --cipher and --key-size select AES with a 256-bit key in CBC mode with ESSIV, which was the default in the 2008 cryptsetup (newer versions default to aes-xts-plain64, which is the better choice today):
# cryptsetup -y --cipher aes-cbc-essiv:sha256 --key-size 256 luksFormat /dev/lvmvolume/encryptedroot
WARNING!
========
This will overwrite data on /dev/lvmvolume/encryptedroot irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
And the same for encryptedhome:
# cryptsetup -y --cipher aes-cbc-essiv:sha256 --key-size 256 luksFormat /dev/lvmvolume/encryptedhome
Now encryptedhome and encryptedroot carry a LUKS header. From there, we use cryptsetup again to open them: this creates the decrypted block devices /dev/mapper/rootvolume and /dev/mapper/homevolume (nothing is mounted yet):
root@ubuntu:~# cryptsetup luksOpen /dev/lvmvolume/encryptedroot rootvolume
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
root@ubuntu:~# cryptsetup luksOpen /dev/lvmvolume/encryptedhome homevolume
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
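The steps from pvcreate to luksOpen, as one script with a dry-run mode (an added example; this is not part of the original tutorial). It uses the tutorial's device, volume group, volume names, sizes and cipher; the DRY_RUN/APPLY switches, the refusal to touch a mounted device and the WIPE=fast variant (zeros written through a throwaway plain dm-crypt mapping keyed from /dev/urandom, which come out as random-looking data at AES speed) are additions. Run it as root on the live CD with DRY_RUN=1 APPLY=1 first to review what it would do:

```sh
#!/bin/sh
# Added example (not from the original tutorial): the partition/LVM/LUKS steps
# as one script with a dry-run mode, so the commands can be reviewed before
# anything is written. Device, VG name, LV sizes and cipher are the tutorial's;
# DRY_RUN/APPLY, the mounted-device guard and WIPE=fast are additions.
set -eu

PV=${PV:-/dev/sda2}               # partition of type 8e created with fdisk
VG=${VG:-lvmvolume}
ROOT_SIZE=${ROOT_SIZE:-5G}
SWAP_SIZE=${SWAP_SIZE:-512M}
HOME_SIZE=${HOME_SIZE:-2G}
CIPHER=${CIPHER:-aes-cbc-essiv:sha256}   # tutorial's choice; newer cryptsetup defaults to aes-xts-plain64
KEY_BITS=${KEY_BITS:-256}
WIPE=${WIPE:-urandom}             # urandom (slow, the tutorial's way) or fast

# run CMD...: print the command and execute it unless DRY_RUN is set.
run() {
    echo "+ $*"
    [ -n "${DRY_RUN:-}" ] || "$@"
}

# Refuse to touch a device that is currently mounted: pointing pvcreate or
# luksFormat at the wrong disk is the quickest way to lose data here.
assert_not_mounted() {
    if grep -q "^$1 " /proc/mounts 2>/dev/null; then
        echo "refusing to continue: $1 is mounted" >&2
        return 1
    fi
}

make_lvm() {
    assert_not_mounted "$PV"
    run pvcreate "$PV"
    run vgcreate "$VG" "$PV"
    run lvcreate -L "$ROOT_SIZE" -n encryptedroot "$VG"
    run lvcreate -L "$SWAP_SIZE" -n swap "$VG"
    run lvcreate -L "$HOME_SIZE" -n encryptedhome "$VG"
}

# wipe LV: overwrite the logical volume with data an attacker cannot tell from
# ciphertext. dd exits 1 when it reaches the end of the device; that is expected.
wipe() {
    case $WIPE in
    fast)
        # zeros pushed through a throwaway plain dm-crypt mapping keyed from
        # /dev/urandom come out random at AES speed ("open --type plain" on newer cryptsetup)
        run cryptsetup create wipe "$1" --key-file /dev/urandom
        run dd if=/dev/zero of=/dev/mapper/wipe bs=1M || true
        run cryptsetup remove wipe
        ;;
    *)
        run dd if=/dev/urandom of="$1" bs=1M || true
        ;;
    esac
}

# luks_setup LV MAPPING: wipe, luksFormat (asks for the passphrase twice) and
# open the volume as /dev/mapper/MAPPING.
luks_setup() {
    lv=/dev/$VG/$1
    wipe "$lv"
    run cryptsetup -y --cipher "$CIPHER" --key-size "$KEY_BITS" luksFormat "$lv"
    run cryptsetup luksOpen "$lv" "$2"
}

plan() {
    make_lvm
    luks_setup encryptedroot rootvolume
    luks_setup encryptedhome homevolume
}

# Nothing happens unless asked:  DRY_RUN=1 APPLY=1 sh mklayout.sh  prints the
# commands,  APPLY=1 sh mklayout.sh  runs them (as root, from the live CD).
[ -z "${APPLY:-}" ] || plan
```

The luksFormat step is still interactive (it prompts for the passphrase), so the script is meant to be run from the live CD terminal, not unattended.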
Finally, all our block devices are available. We can now format them and install the distribution on this layout. Start the installer and make sure you choose manual partitioning. Then assign the devices as follows (this is what the screenshot showed): /dev/mapper/rootvolume as / (ext3, formatted), /dev/mapper/homevolume as /home (ext3, formatted), /dev/sda1 as /boot (ext2, formatted) and /dev/lvmvolume/swap as swap. The installer formats the volumes when you tick the format box, so no mkfs is needed beforehand.
[screenshot: the Ubuntu installer's manual partitioning screen, LUKS over LVM]
When the installer has finished, do not reboot yet!
As we forced the system onto custom devices, and because the desktop installer does not install lvm2 and cryptsetup or write /etc/crypttab for us, the system that has just been installed needs a few adjustments. To make them, we mount the required partitions and chroot into our future system:
# mkdir /target
# mount /dev/mapper/rootvolume /target/
# mount /dev/mapper/homevolume /target/home
# mount /dev/sda1 /target/boot
# mount --bind /dev /target/dev   (not in the original steps: apt and update-initramfs inside the chroot need the device nodes)
# chroot /target
# mount -t proc proc /proc
# mount -t sysfs sys /sys
Now, we install the packages needed to handle LUKS and LVM at boot time (they also bring the initramfs hooks that unlock and activate the volumes):
# apt-get install lvm2 cryptsetup
Then, we need to tell cryptsetup how to unlock our encrypted volumes at boot. This is configured in /etc/crypttab, one line per mapping: mapping name, source device, key file ("none" means prompt for a passphrase) and options. The mapping names must be the same ones used in /etc/fstab:
rootvolume /dev/lvmvolume/encryptedroot none luks,retry=1
homevolume /dev/lvmvolume/encryptedhome none luks,retry=1
Also, for the system to be able to unlock and mount the root volume, the initrd needs to contain the LVM and encryption kernel modules. This is handled by /etc/initramfs-tools/modules, so edit it and add:
aes-i586
dm-crypt
dm-mod
sha256
aes-i586 is the optimized AES implementation for 32-bit x86; on a 64-bit install use aes-x86_64 instead. sha256 is needed for the ESSIV IV generator selected above.
And finally, one last step: editing /etc/fstab.
This step has to be done, otherwise your system won't boot!!!
It looks like the initramfs scripts cannot match a UUID= entry to a dm-crypt mapping (the filesystem UUID only becomes visible once the volume is unlocked). So, for each of your encrypted volumes, replace UUID=asas-asa-sasas with the actual mapping device, /dev/mapper/mydevice, using the same name as in /etc/crypttab. Unencrypted filesystems such as /boot and swap can keep their UUID. For instance, in this tutorial, my final /etc/fstab looked like this:
# /etc/fstab: static file system information.
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
# /dev/mapper/rootvolume
#UUID=af21a76e-3a85-4ca5-a6b9-e362d97892ba
/dev/mapper/rootvolume /               ext3    relatime,errors=remount-ro 0       1
# /dev/sda1
UUID=2de459f5-306a-4d57-bd5c-76eb50c81179 /boot           ext2    relatime        0       2
# /dev/mapper/homevolume
#UUID=443a67f1-2ee1-43bc-b248-882b5068cc24
/dev/mapper/homevolume /home           ext3    relatime        0       2
# /dev/mapper/lvmvolume-swap
UUID=d4f44b82-0d73-4269-af68-a613f11876fe none            swap    sw              0       0
/dev/scd0       /media/cdrom0   udf,iso9660 user,noauto,exec,utf8 0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto,exec,utf8 0       0
And regenerate the initrd with:
# update-initramfs -k all -c
You can verify that the initrd contains the information needed to unlock the root volume. Beware that inside the chroot, uname -r reports the live CD's kernel; if it differs from the installed one, use the version you see in ls /boot instead:
# mkdir /tmp/tmp
# cd /tmp/tmp
# zcat /boot/initrd.img-`uname -r` | cpio -idv
# cat conf/conf.d/cryptroot
target=rootvolume,source=/dev/lvmvolume/encryptedroot,key=none
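A consistency check for the three things the boot now depends on (an added example, not part of the original tutorial): /etc/crypttab, /etc/fstab and the cryptroot configuration inside the initrd. The sample files it builds at the bottom are constructed from the tutorial's own crypttab and fstab (the UUIDs are the ones shown above) to show one passing and one failing case. On the real system, run check_fstab /etc/fstab /etc/crypttab and check_initrd /boot/initrd.img-<installed version> /etc/crypttab rootvolume inside the chroot:

```sh
#!/bin/sh
# Added example, not part of the original tutorial: a consistency check for
# /etc/crypttab, /etc/fstab and the cryptroot configuration inside the initrd.
# The sample files at the bottom are constructed from the tutorial's own files.
set -eu

# crypt_targets CRYPTTAB: print the mapping name of every non-comment line.
crypt_targets() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF >= 2 { print $1 }'
}

# check_fstab FSTAB CRYPTTAB: every mapping in crypttab must be mounted from
# /dev/mapper/<name>; a UUID= entry for an encrypted filesystem is exactly
# the misconfiguration that makes the boot hang.
check_fstab() {
    fstab=$1; crypttab=$2; rc=0
    for target in $(crypt_targets "$crypttab"); do
        if grep -q "^/dev/mapper/$target[[:space:]]" "$fstab"; then
            echo "ok:   $target is mounted from /dev/mapper/$target"
        else
            echo "FAIL: $fstab does not mount /dev/mapper/$target (UUID= entry left over?)" >&2
            rc=1
        fi
    done
    return $rc
}

# check_cryptroot CONF CRYPTTAB TARGET: the initrd's conf/conf.d/cryptroot
# (lines of the form target=X,source=Y,key=Z) must list TARGET with the same
# source device crypttab gives it, otherwise the initrd never asks for the passphrase.
check_cryptroot() {
    conf=$1; crypttab=$2; target=$3
    want=$(grep -v '^[[:space:]]*#' "$crypttab" | awk -v t="$target" '$1 == t { print $2 }')
    if [ -z "$want" ]; then
        echo "FAIL: $target is not listed in $crypttab" >&2
        return 1
    fi
    have=$(grep "^target=$target," "$conf" | sed 's/.*,source=\([^,]*\).*/\1/')
    if [ "$have" = "$want" ]; then
        echo "ok:   initrd unlocks $target from $have"
        return 0
    fi
    echo "FAIL: initrd has source '$have' for $target, crypttab says '$want'" >&2
    return 1
}

# check_initrd INITRD CRYPTTAB TARGET: unpack the initrd of the *installed*
# kernel (inside the chroot, uname -r reports the live CD's kernel, so pass the
# path explicitly) and run check_cryptroot on its conf/conf.d/cryptroot.
check_initrd() {
    dir=$(mktemp -d)
    (cd "$dir" && zcat "$1" | cpio -id --quiet)
    if check_cryptroot "$dir/conf/conf.d/cryptroot" "$2" "$3"; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return $rc
}

# --- constructed sample files mirroring the tutorial's configuration ---
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/crypttab" <<'EOF'
rootvolume /dev/lvmvolume/encryptedroot none luks,retry=1
homevolume /dev/lvmvolume/encryptedhome none luks,retry=1
EOF
cat > "$SAMPLE/fstab.good" <<'EOF'
/dev/mapper/rootvolume / ext3 relatime,errors=remount-ro 0 1
/dev/mapper/homevolume /home ext3 relatime 0 2
EOF
cat > "$SAMPLE/fstab.bad" <<'EOF'
UUID=af21a76e-3a85-4ca5-a6b9-e362d97892ba / ext3 relatime,errors=remount-ro 0 1
UUID=443a67f1-2ee1-43bc-b248-882b5068cc24 /home ext3 relatime 0 2
EOF
echo 'target=rootvolume,source=/dev/lvmvolume/encryptedroot,key=none' > "$SAMPLE/cryptroot"

check_fstab "$SAMPLE/fstab.good" "$SAMPLE/crypttab"          # both mappings ok
check_fstab "$SAMPLE/fstab.bad"  "$SAMPLE/crypttab" || true  # two FAIL lines, as after the installer
check_cryptroot "$SAMPLE/cryptroot" "$SAMPLE/crypttab" rootvolume
```

Only the root mapping has to be in the initrd; /home is unlocked later by the cryptsetup init script from /etc/crypttab, which is why check_cryptroot is run for rootvolume only.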
Well, that's about it. You should now reboot your computer, and hopefully you will get a screen like the one in the screenshot, prompting you for a passphrase. If the progress bar seems to hang for quite some time, chances are that either /etc/fstab or /etc/crypttab is not properly set up. In that case, you will need to boot the live CD again, install the lvm2 and cryptsetup packages, run vgchange -ay lvmvolume, reopen the volumes with cryptsetup luksOpen, mount them, chroot in..... and find what is wrong... a lot of fun. If you are lucky enough :), type your passphrase to unlock / first, then once more for /home, and voilà, you are running Ubuntu on an encrypted filesystem.
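The rescue path just described, which is the same sequence as the chroot step earlier in the tutorial (activate LVM, unlock LUKS, mount, chroot), as a script with a dry-run mode (an added example, not from the original tutorial). Names are the tutorial's; the DRY_RUN switch, the bind mount of /dev and the leave_system teardown are additions:

```sh
#!/bin/sh
# Added example, not part of the original tutorial: enter the installed system
# from the live CD to repair it, then leave it cleanly before rebooting.
set -eu

VG=${VG:-lvmvolume}
BOOT=${BOOT:-/dev/sda1}
TARGET=${TARGET:-/target}

# run CMD...: print the command and execute it unless DRY_RUN is set.
run() {
    echo "+ $*"
    [ -n "${DRY_RUN:-}" ] || "$@"
}

# Order matters: the logical volumes must be active before luksOpen can see
# them, and /dev/mapper/<name> only exists after luksOpen, so mounts come last.
enter_system() {
    run apt-get install -y lvm2 cryptsetup        # the desktop live CD lacks both
    run modprobe dm-crypt
    run vgchange -ay "$VG"
    run cryptsetup luksOpen /dev/$VG/encryptedroot rootvolume
    run cryptsetup luksOpen /dev/$VG/encryptedhome homevolume
    run mkdir -p "$TARGET"
    run mount /dev/mapper/rootvolume "$TARGET"
    run mount /dev/mapper/homevolume "$TARGET/home"
    run mount "$BOOT" "$TARGET/boot"
    for fs in proc sys dev; do                    # /dev is needed by apt and update-initramfs
        run mount --bind /$fs "$TARGET/$fs"
    done
    run chroot "$TARGET" /bin/bash
}

# leave_system: undo everything in reverse order so the volumes are closed
# and the LUKS headers flushed before rebooting.
leave_system() {
    for fs in dev sys proc; do run umount "$TARGET/$fs"; done
    run umount "$TARGET/boot" "$TARGET/home" "$TARGET"
    run cryptsetup luksClose homevolume
    run cryptsetup luksClose rootvolume
    run vgchange -an "$VG"
}

# usage (as root on the live CD):  sh rescue.sh enter   ...fix things...   sh rescue.sh leave
case ${1:-} in
enter) enter_system ;;
leave) leave_system ;;
esac
```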
[screenshot: LUKS over LVM, boot-time passphrase prompt]
There are ways to unlock the volumes with a key file stored on removable media. This will be covered in another tutorial.