How-To: encrypted partitions over LVM with LUKS


Even though new distro installers tend to support filesystem encryption out of the box, it is still worth understanding how it actually works, especially when your system fails to boot :).

Most literature found on the Internet tends to cover how to set up LVM over a partition encrypted with LUKS. This tutorial takes the other approach and explains how to create LUKS-encrypted partitions over LVM. The reason for this… I wanted to have unencrypted partitions :D.

This tutorial was done using an Ubuntu 8.04 livecd, but the process should be approximately the same with other distros.

As we are going to play with partitions, and thus risk data loss… I guess the following is worth a reminder:

Back up your data before reading any further!!!!

1. Getting started:

Boot up your PC from a live CD and make sure you choose “Try Ubuntu without installing”. Once the desktop is loaded, start a terminal and get root credentials:

$ sudo su -

Then, install the packages required to set up lvm and make encryption setup easier:

# apt-get install cryptsetup lvm2

Finally, load the kernel modules that handle LVM and LUKS encryption:

# modprobe dm-crypt

2. Setting up the partitions

Here, we are going to partition the disk as follows:

  • a boot partition of 200M which will be on a standard ext3 filesystem
  • an LVM volume that will take the rest of the disk.

The lvmvolume will then be divided into 3 other partitions:

  • / of 5G and encrypted
  • /home of 2G and encrypted
  • swap of 512M and unencrypted

2.1. The physical partitions: fdisk

So, in the first place, let's create the physical partitions with fdisk. They are going to be the placeholders for our boot partition and LVM volume:

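# fdisk /dev/sda
## boot partition (200M)
n, p, 1
accept default
+200M
## lvm volume (rest of the disk)
n, p, 2
accept default
accept default
## set the type to lvm, then write the partition table
t, 2, 8e
w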

2.2. The logical volumes: lvm tools

Now that we have our LVM placeholder, we need to set it up. To do this, we need to: create the physical volume, create the volume group and then create the logical volumes on this volume group.

If you already have your LVM set up, run: # lvchange -ay lvmvolume to see your partitions.

Let’s create this physical volume first:

# pvcreate /dev/sda2

Then, the volume group:

# vgcreate lvmvolume /dev/sda2

Finally, we create the logical partitions:

# lvcreate -L 5G -n encryptedroot lvmvolume
# lvcreate -L 512M -n swap lvmvolume
# lvcreate -L 2G -n encryptedhome lvmvolume

OK, now that we have our partition layout almost set up, we just need to encrypt the partitions and format them…
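An added example, not part of the original tutorial: a shell check for the layout planned in section 2. It reads the first bytes of each logical volume and reports whether it holds a LUKS header, so that once the encryption step is done it confirms that encryptedroot and encryptedhome are encrypted and swap is not. The volume names come from the commands above; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: check each logical volume against the planned layout.
# Plan (from the tutorial): encryptedroot and encryptedhome hold a LUKS
# header, swap does not.

# luks_kind PATH: print luks1, luks2, luks-unknown or plain.
# A LUKS header starts with the magic "LUKS" 0xBA 0xBE followed by a
# 2-byte big-endian version number.
luks_kind() {
    hdr=$(head -c 8 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$hdr" in
        4c554b53babe0001) echo luks1 ;;
        4c554b53babe0002) echo luks2 ;;
        4c554b53babe*)    echo luks-unknown ;;
        *)                echo plain ;;
    esac
}

# audit_layout DIR: DIR is the volume group directory (/dev/lvmvolume on
# the tutorial's system). Returns 0 only if every volume matches the plan.
audit_layout() {
    rc=0
    for entry in encryptedroot:luks encryptedhome:luks swap:plain; do
        name=${entry%%:*} want=${entry##*:}
        if [ ! -r "$1/$name" ]; then
            echo "MISSING   $name"; rc=1; continue
        fi
        got=$(luks_kind "$1/$name")
        case "$got" in
            "$want"*) echo "OK        $name ($got)" ;;
            *) echo "MISMATCH  $name (want $want, got $got)"; rc=1 ;;
        esac
    done
    return $rc
}

# make_sample DIR: constructed stand-ins for the three volumes, with
# encryptedhome left unformatted so the audit has something to report.
make_sample() {
    printf 'LUKS\272\276\000\001' > "$1/encryptedroot"
    head -c 64 /dev/zero > "$1/encryptedhome"
    head -c 64 /dev/zero > "$1/swap"
}

# Usage: sh audit.sh /dev/lvmvolume   (needs read access to the devices)
if [ "$#" -gt 0 ]; then audit_layout "$1"; fi
```

A non-zero exit status means at least one volume is missing or does not match the plan, which makes the check usable from a provisioning script.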