How-To: encrypted partitions over LVM with LUKS — page 3 — install and config


4. Installing the system

We are now going to install the distro over our layout. Start the installer and make sure you choose manual partitioning. Then set up your filesystem like the one in the screenshot.

[Screenshot: LUKS encryption over LVM in the Ubuntu installer]

When the installer has finished, do not reboot yet.

5. Configuring the installed system

Because we forced the system onto our custom partitions, and because the Ubuntu desktop live CD is not aware of LVM and encryption, we need to customize the system that has just been installed. To do so, we will chroot into our future system and mount the required partitions.

# mkdir /target
# mount /dev/mapper/rootvolume /target/
# mount /dev/mapper/homevolume /target/home
# mount /dev/sda1 /target/boot
# chroot /target
# mount -t proc proc /proc
# mount -t sysfs sys /sys

Now we install the software required to handle encryption and LVM:

# apt-get install lvm2 cryptsetup

Then we need to tell cryptsetup how to open our encrypted partitions. This is configured in /etc/crypttab:

# <target name> <source device> <key file> <options>
rootvolume /dev/lvmvolume/encryptedroot none luks,retry=1
homevolume /dev/lvmvolume/encryptedhome none luks,retry=1

Also, for the system to be able to mount the partitions, the initrd needs to contain the modules for LVM and encryption. This is handled by /etc/initramfs-tools/modules, so edit it and add:

aes-i586
dm-crypt
dm-mod
sha256

And finally, one last step: editing fstab.

This step has to be done, otherwise your system won’t boot!

It appears that the kernel does not match the UUID with the actual logical device. So, for each of your encrypted partitions, replace UUID=asas-asa-sasas with the actual device, /dev/mapper/mydevice. For instance, in this tutorial, my final /etc/fstab looked like this:

# /etc/fstab: static file system information.
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
# /dev/mapper/rootvolume
#UUID=af21a76e-3a85-4ca5-a6b9-e362d97892ba
/dev/mapper/rootvolume /               ext3    relatime,errors=remount-ro 0       1
# /dev/sda1
UUID=2de459f5-306a-4d57-bd5c-76eb50c81179 /boot           ext2    relatime        0       2
# /dev/mapper/homevolume
#UUID=443a67f1-2ee1-43bc-b248-882b5068cc24
/dev/mapper/homevolume /home           ext3    relatime        0       2
# /dev/mapper/lvmvolume-swap
UUID=d4f44b82-0d73-4269-af68-a613f11876fe none            swap    sw              0       0
/dev/scd0       /media/cdrom0   udf,iso9660 user,noauto,exec,utf8 0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto,exec,utf8 0       0
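Before leaving the chroot it is worth checking that /etc/crypttab and /etc/fstab agree with each other, since a UUID= line left in fstab for an encrypted volume is exactly the mistake the warning above describes. The following script is an added example, not part of the original tutorial: the function name check_crypt_fstab and its output format are my own, the file paths come from the page, and the script only reads the two files (it does not need the volume group to be active, though it warns when a crypttab source device is not present yet).

```shell
#!/bin/sh
# Added example (not from the original tutorial): cross-check /etc/crypttab
# against /etc/fstab. For every crypttab target, fstab must mount
# /dev/mapper/<target> rather than a UUID=... entry, and the crypttab options
# must include "luks" so cryptsetup treats the device as a LUKS volume.
#
# Usage: sh check-crypt-fstab.sh /target/etc/crypttab /target/etc/fstab
# Prints one line per crypttab target; returns 1 if anything would break boot.

check_crypt_fstab() {
    crypttab=$1
    fstab=$2
    status=0
    # crypttab fields: <target> <source device> <key file> <options>
    while read -r target source keyfile options; do
        # skip blank lines and comments
        case $target in ''|'#'*) continue ;; esac

        # The options field must contain "luks"; without it cryptsetup would
        # set up a plain dm-crypt mapping and the passphrase would not unlock it.
        case ",$options," in
            *,luks,*) ;;
            *) echo "$target: options '$options' lack 'luks'"; status=1 ;;
        esac

        # Informational only: the LV appears once the volume group is activated.
        [ -e "$source" ] || echo "$target: $source not present yet (activate the volume group to check it)"

        # fstab must reference the mapper device, not the filesystem UUID.
        if grep -q "^[[:space:]]*/dev/mapper/$target[[:space:]]" "$fstab"; then
            echo "$target: fstab mounts /dev/mapper/$target (ok)"
        else
            echo "$target: no /dev/mapper/$target line in fstab (system would not boot)"
            status=1
        fi
    done < "$crypttab"
    return $status
}

# Stand-alone use: pass the two files on the command line.
if [ "$#" -ge 2 ]; then
    check_crypt_fstab "$1" "$2"
fi
```

Run it from the live CD after editing both files (the paths above are the chroot's files seen from outside; inside the chroot use /etc/crypttab and /etc/fstab). A non-zero exit means at least one encrypted volume would not be mounted at boot.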

And regenerate the initrd file with:

# update-initramfs -k all -c

You can verify that the initrd contains the correct information to open the encrypted partition:

# mkdir /tmp/tmp
# cd /tmp/tmp
# zcat /boot/initrd.img-`uname -r` | cpio -iv
# cat conf/conf.d/cryptroot
target=rootvolume,source=/dev/lvmvolume/encryptedroot,key=none
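The manual inspection above can be turned into a repeatable check. The script below is an added example, not part of the original tutorial; the function names unpack_initrd and check_initrd_tree are my own. It takes the initrd path explicitly instead of using `uname -r`, because inside the chroot `uname -r` reports the live CD's kernel, which may not be the one just installed in /target/boot. It confirms that conf/conf.d/cryptroot names every crypttab target with its source device, and that the dm-mod and dm-crypt modules (from /etc/initramfs-tools/modules) made it into the image, either as .ko files or listed in modules.builtin.

```shell
#!/bin/sh
# Added example (not from the original tutorial): verify that a freshly built
# initrd carries what early boot needs to unlock the encrypted volumes.
#
# Usage: sh check-initrd.sh /boot/initrd.img-<installed kernel version> /etc/crypttab

# unpack_initrd <image> <dest dir>: same zcat | cpio step as the tutorial,
# with the image path given explicitly rather than derived from uname -r.
unpack_initrd() {
    image=$1
    dest=$2
    mkdir -p "$dest"
    # -i extract, -d create leading directories
    (cd "$dest" && zcat "$image" | cpio -id --quiet)
}

# check_initrd_tree <extracted initrd dir> <crypttab>
# Returns 1 if a crypttab target is missing from cryptroot or a module is absent.
check_initrd_tree() {
    tree=$1
    crypttab=$2
    status=0
    cryptroot="$tree/conf/conf.d/cryptroot"

    if [ ! -f "$cryptroot" ]; then
        echo "missing conf/conf.d/cryptroot: the cryptsetup hook did not run (is /etc/crypttab in place?)"
        return 1
    fi

    # Every crypttab target should appear as target=<name>,source=<device>,...
    while read -r target source keyfile options; do
        case $target in ''|'#'*) continue ;; esac
        if grep -q "^target=$target,source=$source," "$cryptroot"; then
            echo "$target: listed in cryptroot (ok)"
        else
            echo "$target: not in cryptroot; fix /etc/crypttab and rerun update-initramfs"
            status=1
        fi
    done < "$crypttab"

    # The device-mapper and dm-crypt modules must be present, either as files
    # under lib/modules or built into the kernel (listed in modules.builtin).
    for mod in dm-mod dm-crypt; do
        if find "$tree/lib/modules" -name "$mod.ko*" 2>/dev/null | grep -q . ||
           cat "$tree"/lib/modules/*/modules.builtin 2>/dev/null | grep -q "/$mod.ko"; then
            echo "module $mod: present (ok)"
        else
            echo "module $mod: not in initrd (check /etc/initramfs-tools/modules)"
            status=1
        fi
    done
    return $status
}

# Stand-alone use: unpack into a scratch directory, then check it.
if [ "$#" -ge 2 ]; then
    scratch=$(mktemp -d)
    unpack_initrd "$1" "$scratch"
    check_initrd_tree "$scratch" "$2"
fi
```

Run it once per installed kernel (update-initramfs -k all rebuilds all of them); a non-zero exit before you reboot is far cheaper than the hung progress bar described below.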

Well, that’s about it. You should now reboot your computer, and hopefully you will get a screen like the screenshot, prompting you for a password. If the progress bar seems to hang for quite some time, chances are that either /etc/fstab or /etc/crypttab is not properly set up. In that case, you will need to boot from the live CD again, install the packages lvm2 and cryptsetup, run lvchange -ay, reopen the partitions and mount them… and find what is wrong. A lot of pleasure. If you are lucky enough :), type your password to unlock / first, then another time for /home, and voilà, you are running Ubuntu on an encrypted filesystem.

[Screenshot: LUKS over LVM boot password prompt]

There are ways to use a removable medium containing a key file to unlock the partitions. This will be covered in another tutorial.