
I've had some success with manually partitioning and installing LVM & LUKS.

The partitions are created - home, root, swap and boot, the pv and vg's were all created and set up correctly.

I installed from Live and everything in the file system installed to the right places.

I chrooted, mounted, and set up /etc/crypttab with the correct UUID, and /etc/fstab is pointing to the right mapper and UUIDs (based on blkid output).

At this point I try a couple of approaches to try and get the bootloader and grub to give me a password login screen that will decrypt what I referenced in /etc/crypttab.

First approach -

mount -t proc proc /proc 
mount -t sysfs sys /sys 
update-initramfs -u

running this tells me

/usr/sbin/iucode_tool: cpuid kernel driver unavailable, cannot scan system processor signatures

Second approach -

Checking for /etc/mkinitcpio.conf to add lvm2 and encrypt and then followed by

mkinitcpio -p linux

This doesn't work either because mkinitcpio doesn't exist.

After some research I was thinking that /etc/crypttab perhaps is enough for the existing init processes?

Third approach -

Editing /etc/default/grub to add

GRUB_ENABLE_CRYPTODISK=y 

and then running

grub-mkconfig -o /boot/grub/grub.cfg
grub-install /dev/sda1

The problem I am getting with this is

/usr/sbin/grub-probe: error: failed to get canonical path of `/dev/mapper/ubuntu-rootvol'

I know it should be fairly simple to get this boot screen with password sorted out but I'm out of options. Please can you tell me the correct method for having Ubuntu reference /etc/crypttab.

Thanks for your help!

  • Ubuntu's installer didn't do all that for you automatically? Tried comparing your setup to one that Ubuntu has done automatically? – Xen2050 Feb 14 '16 at 13:57
  • Thanks Xen2050 I have tried this a couple of times, the /boot directory appears to be the same, /etc/default/grub does too. I learnt a lot about partitioning, crypttab and fstab by doing this. – user81084 Feb 14 '16 at 22:25
  • It would be good to know how to open up the boot image to check what is inside and what files link through to it. I heard about mkinitramfs but apparently that is for another version of Linux. I tried a zcat command but it gave me an error about format of archive. It would be really interesting to see some kind of process flow diagram/analysis breaking down files in the root drive used at boot time with linkages. I will repeat again as you suggest but any pointers appreciated. – user81084 Feb 14 '16 at 22:36
  • I'd try searching for Debian help, they have pretty extensive docs, tons of packages originate there and Ubuntu's based on it – Xen2050 Feb 15 '16 at 12:56

2 Answers


I found a way to set up LUKS and LVM while manually partitioning! I tested this on Ubuntu 16.04.2

Boot Ubuntu from a Live OS and select the option to try Ubuntu without installing. Follow the steps I've outlined below.

  1. Partition the drive with your tool of choice: I used fdisk to set mine up on an msdos partition table as follows:
    • sda1: /boot (1G)
    • sda2: LUKS partition (the rest of the disk)
  2. Set up LUKS
    • sudo cryptsetup luksFormat --hash=sha512 --key-size=512 --cipher=aes-xts-plain64 --verify-passphrase /dev/sda2
    • sudo cryptsetup luksOpen /dev/sda2 CryptDisk
    • While not necessary, it is a good idea to fill your LUKS partition with zeros so that the partition, in an encrypted state, is filled with random data: sudo dd if=/dev/zero of=/dev/mapper/CryptDisk bs=4M. BEWARE, this could take a really long time!
  3. Set up LVM on /dev/mapper/CryptDisk
    • sudo pvcreate /dev/mapper/CryptDisk
    • sudo vgcreate vg0 /dev/mapper/CryptDisk
    • sudo lvcreate -n swap -L 2G vg0
    • sudo lvcreate -n root -L 10G vg0
    • sudo lvcreate -n home -l +100%FREE vg0
  4. Now you're ready to install. When you get to the "Installation type" portion of the install, choose the "Something else" option. Then manually assign the /dev/mapper/vg0-* partitions as you would like to have them configured. Don't forget to set /dev/sda1 as /boot. The /boot partition must not be encrypted. If it is, we won't be able to boot. Change the "Device for boot loader installation" to /dev/sda, and continue with installation.
  5. When installation is complete, don't reboot! Choose the option to "Continue Testing".
  6. In a terminal, type the following and look for the UUID of /dev/sda2. Take note of that UUID for later.
    • sudo blkid
    • The important line on my machine reads /dev/sda2: UUID="bd3b598d-88fc-476e-92bb-e4363c98f81d" TYPE="crypto_LUKS" PARTUUID="50d86889-02"
  7. Next let's get the newly installed system mounted again so we can make some more changes.
    • sudo mount /dev/vg0/root /mnt
    • sudo mount /dev/vg0/home /mnt/home # this is probably not necessary
    • sudo mount /dev/sda1 /mnt/boot
    • If you have an EFI partition, mount it at /mnt/boot/efi
    • sudo mount --bind /dev /mnt/dev # I'm not entirely sure this is necessary
    • sudo mount --bind /run/lvm /mnt/run/lvm
  8. Now run sudo chroot /mnt to access the installed system
  9. From the chroot, mount a couple more things
    • mount -t proc proc /proc
    • mount -t sysfs sys /sys
    • mount -t devpts devpts /dev/pts
  10. Set up crypttab. Using your favorite text editor, create the file /etc/crypttab and add the following line, changing out the UUID with the UUID of your disk.
    • CryptDisk UUID=bd3b598d-88fc-476e-92bb-e4363c98f81d none luks,discard
  11. Lastly, rebuild some boot files.
    • update-initramfs -k all -c
    • update-grub
  12. Reboot, and the system should ask for a password to decrypt on boot!

Special thanks go to Martin Eve, EGIDIO DOCILE, and the folks at blog.botux.fr for tutorials they posted. By pulling pieces from their posts and doing a little extra troubleshooting, I was finally able to figure this out.

I tried this a number of times and failed over and over. The bit that I had to work out for myself based on error messages was sudo mount --bind /run/lvm /mnt/run/lvm

b_laoshi
  • I wish I would've come across this yesterday... great writeup though, thanks! – Preston Garno Jun 22 '17 at 07:41
  • @PrestonGarno, glad it's finally almost been of use to someone other than me. – b_laoshi Jun 22 '17 at 08:31
  • Step 11 fails for me on 21.04 because /dev is not accessible. – Rick-777 Apr 08 '21 at 17:41
  • @Rick-777, did you run sudo mount --bind /dev /mnt/dev outside of the chroot? I haven't tried this on anything but LTS versions, but if you bound /dev to /mnt/dev before chroot-ing to /mnt, it should definitely be accessible. – b_laoshi Apr 16 '21 at 01:33
  • This worked for me. Thanks for the detailed directions. (I also used the grub/EFI followup bits posted by @ceshaz.) I wanted to note that I was able to pull this off on Ubuntu 22.04, but it will not work with 23.04; they have redone the installer and it no longer gives the option to choose LVM partitions when in the GUI "advanced" partition selection. I did a 22.04 install to get the partition layout set up and then did a Timeshift restore of a 23.04 install. That worked fine. I had to fix the "fstab" file and then basically run through step 6 through the end again to make it boot properly. – Truisms Hounds Jun 20 '23 at 12:41
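A pre-reboot sanity check for steps 10 and 11, added here as an example (it is not part of the answer above and not Ubuntu tooling): it verifies that every UUID= entry in /etc/crypttab matches a crypto_LUKS device in blkid output, and that every LVM device in /etc/fstab names a logical volume that lvs reports, which is exactly the mismatch behind the grub-probe "failed to get canonical path" error in the question. It assumes the blkid and lvs output formats shown on this page and VG/LV names without hyphens; all sample inputs are constructed.

```shell
# Consistency checks to run from the chroot before rebooting (after steps 10-11).
# Both functions read files, so on a real system capture the tool output first:
#   blkid > /tmp/blkid.txt; lvs --noheadings -o vg_name,lv_name > /tmp/lvs.txt
# Assumption: VG and LV names contain no hyphens (vg0/root as in the answer); LVM
# doubles hyphens inside names under /dev/mapper, which this parser does not undo.

# check_crypttab CRYPTTAB BLKID_OUTPUT: 0 if every UUID= source is a crypto_LUKS device
check_crypttab() {
    rc=0
    for src in $(sed 's/#.*//' "$1" | awk 'NF >= 2 { print $2 }'); do
        case $src in
            UUID=*) uuid=${src#UUID=} ;;
            *) echo "crypttab: $src is not a UUID= spec; use UUIDs so renamed devices cannot break boot" >&2; rc=1; continue ;;
        esac
        if ! grep " UUID=\"$uuid\"" "$2" | grep -q 'TYPE="crypto_LUKS"'; then
            echo "crypttab: no crypto_LUKS device with UUID $uuid in blkid output (typo?)" >&2; rc=1
        fi
    done
    return $rc
}

# check_fstab_lvs FSTAB LVS_OUTPUT: 0 if every LVM device in fstab is a logical volume lvs knows
check_fstab_lvs() {
    rc=0
    for dev in $(sed 's/#.*//' "$1" | awk 'NF >= 2 { print $1 }'); do
        case $dev in
            /dev/mapper/*-*) n=${dev#/dev/mapper/}; vg=${n%%-*}; lv=${n#*-} ;;
            /dev/disk/*)     continue ;;                                   # by-uuid/by-id paths are not LVM
            /dev/*/*)        n=${dev#/dev/}; vg=${n%%/*}; lv=${n#*/} ;;    # /dev/vg0/root form
            *)               continue ;;                                   # UUID=, LABEL=, tmpfs, /dev/sdX
        esac
        if ! awk -v vg="$vg" -v lv="$lv" '$1 == vg && $2 == lv { f = 1 } END { exit (f ? 0 : 1) }' "$2"; then
            echo "fstab: $dev is not a logical volume; grub-probe cannot get its canonical path" >&2; rc=1
        fi
    done
    return $rc
}

# Constructed sample inputs: the sda2 UUID is the one from the answer, everything else is made up.
T=$(mktemp -d)
printf '%s\n' '/dev/sda1: UUID="1111aaaa-0000-4000-8000-000000000001" TYPE="ext4" PARTUUID="50d86889-01"' \
  '/dev/sda2: UUID="bd3b598d-88fc-476e-92bb-e4363c98f81d" TYPE="crypto_LUKS" PARTUUID="50d86889-02"' > "$T/blkid"
printf '%s\n' '  vg0 home' '  vg0 root' '  vg0 swap' > "$T/lvs"
printf '%s\n' 'CryptDisk UUID=bd3b598d-88fc-476e-92bb-e4363c98f81d none luks,discard' > "$T/crypttab.ok"
printf '%s\n' 'CryptDisk UUID=bd3b598d-88fc-476e-92bb-e4363c98f81e none luks,discard' > "$T/crypttab.typo"  # last digit wrong
printf '%s\n' '/dev/mapper/vg0-root / ext4 errors=remount-ro 0 1' '/dev/mapper/vg0-home /home ext4 defaults 0 2' \
  'UUID=1111aaaa-0000-4000-8000-000000000001 /boot ext4 defaults 0 2' '/dev/mapper/vg0-swap none swap sw 0 0' > "$T/fstab.ok"
printf '%s\n' '/dev/mapper/ubuntu-rootvol / ext4 errors=remount-ro 0 1' > "$T/fstab.bad"  # the mapper name from the question
check_crypttab "$T/crypttab.ok" "$T/blkid" && check_fstab_lvs "$T/fstab.ok" "$T/lvs" && echo "crypttab and fstab look consistent"
```

On a real system, point the functions at /etc/crypttab and /etc/fstab inside the chroot and at the captured blkid and lvs output; a non-zero exit means fix the file before running update-initramfs and update-grub.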

Many thanks for this guide. I tried recently for 18.04 and it worked perfectly. In order to fix grub installation and deal with EFI, I included some more steps based on Unable to install Ubuntu on Acer Aspire ES1-533. After "update-initramfs -k all -c", I used the following steps:

1- Load efivars by:

sudo modprobe efivars

2- Reinstall grub-install for a 64-bit version:

sudo apt-get install --reinstall grub-efi-amd64

sudo grub-install --no-nvram --root-directory=/mnt

3- Change root to /mnt and update grub

sudo chroot /mnt

update-grub

(In my case, there is an issue regarding grub-probe (not found in sda1). But it didn't affect my installation)

4- Move and rename the installed bootloader

cd /boot/efi/EFI

cp -R ubuntu/* BOOT/

cd BOOT

cp grubx64.efi bootx64.efi

And finally, reboot!

ceshaz