
My computer runs Ubuntu. I want to install Ubuntu on another medium. I wish to enable encryption, yet as the Ubuntu installer's default choices (erase/alongside/etc...) only concern the default drive, I have to choose "something else" and create the partitions on the other drive manually. I create a ~128mb partition for boot, then I'm lost: if I make an encrypted partition with the rest of the space I'm unable to split it, so I have no swap; if instead I create two encrypted partitions, it doesn't seem right because it wants to set up two different passwords...

How can I set up the swap then? (During or after install).

Yvain
  • See also https://askubuntu.com/questions/293028/how-can-i-install-ubuntu-encrypted-with-luks-with-dual-boot – Flimm Nov 10 '18 at 06:16

4 Answers


Update 2020-07-16: This may not work with Ubuntu flavors that have moved away from the Ubiquity installer (e.g. Lubuntu, which now uses Calamares) because some of those installers go so far as to deactivate LVM partitions that they did not, themselves, configure in the pre-installation process, thus making unavailable the partitions that were configured for system installation.

How to accomplish this with LVM and a single encrypted partition

Warning

First of all, 128M is too small for boot! I use 1G. Otherwise, what is bound to happen is that you may forget to remove old kernels and /boot will fill up, and you'll have to deal with the pain of trying to remove old kernels from the system so that you can get apt or apt-get to work again. Even with 1G, make sure you remove old kernels from time to time.

The next steps are not intended for novice users.
UPDATE: I have created a script that will perform the following operations for you and more! All you have to do is run it from the Live OS before installation. You can find a write-up on my blog.


Pre-installation from live OS

You want to set up LUKS and LVM while manually partitioning! I tested this on Ubuntu 16.04.2 / 18.04 / 20.04

Boot Ubuntu from a Live OS and select the option to try Ubuntu without installing. Follow the steps I've outlined below. Let's assume you're installing to /dev/sdb.

  1. Partition the drive with your tool of choice: I used fdisk to set mine up on an msdos partition table as follows:
    • other partitions: existing OSs -- we don't care about these
    • sdb1: /boot (1G)
    • sdb2: LUKS partition (the rest of the disk)
  2. Set up LUKS
    • sudo cryptsetup luksFormat --hash=sha512 --key-size=512 --cipher=aes-xts-plain64 --verify-passphrase /dev/sdb2
    • sudo cryptsetup luksOpen /dev/sdb2 CryptDisk
    • While not necessary, it is a good idea to fill your LUKS partition with zeros so that the partition, in an encrypted state, is filled with random data. sudo dd if=/dev/zero of=/dev/mapper/CryptDisk bs=4M BEWARE, this could take a really long time!
  3. Set up LVM on /dev/mapper/CryptDisk
    • sudo pvcreate /dev/mapper/CryptDisk
    • sudo vgcreate vg0 /dev/mapper/CryptDisk
    • sudo lvcreate -n swap -L 2G vg0
    • sudo lvcreate -n root -L 10G vg0
    • sudo lvcreate -n home -l +100%FREE vg0

Installation from live OS

  1. Now you're ready to install. When you get to the "Installation type" portion of the install, choose the "Something else" option. Then manually assign the /dev/mapper/vg0-* partitions as you would like to have them configured. Don't forget to set /dev/sdb1 as /boot. The /boot partition must not be encrypted; if it is, we won't be able to boot. Change the "Device for boot loader installation" to /dev/sdb, and continue with installation.
  2. When installation is complete, don't reboot! Choose the option to "Continue Testing".

Post-installation configuration from live OS

This bit is really important if you want your system to boot! I spent quite a bit of time researching this to figure out these post-installation steps. In my case I was actually doing it because I wanted to customize the size of /boot on /dev/sda, but all that work should carry over to your situation as well.

  1. In a terminal, type the following and look for the UUID of /dev/sdb2. Take note of that UUID for later.

    • sudo blkid | grep LUKS
    • The important line on my machine reads /dev/sdb2: UUID="bd3b598d-88fc-476e-92bb-e4363c98f81d" TYPE="crypto_LUKS" PARTUUID="50d86889-02"
  2. Next let's get the newly installed system mounted again so we can make some more changes.

    • sudo mount /dev/vg0/root /mnt
    • sudo mount /dev/vg0/home /mnt/home # this is probably not necessary
    • sudo mount /dev/sdb1 /mnt/boot
    • sudo mount --bind /dev /mnt/dev # I'm not entirely sure this is necessary
    • sudo mount --bind /run/lvm /mnt/run/lvm
    • (Only if you're using EFI): sudo mount /dev/sd*/your/efi/partition /mnt/boot/efi
  3. Now run sudo chroot /mnt to access the installed system

  4. From the chroot, mount a couple more things

    • mount -t proc proc /proc
    • mount -t sysfs sys /sys
    • mount -t devpts devpts /dev/pts
  5. Set up crypttab. Using your favorite text editor, create the file /etc/crypttab and add the following line, changing out the UUID with the UUID of your disk.

    • CryptDisk UUID=bd3b598d-88fc-476e-92bb-e4363c98f81d none luks,discard
  6. Lastly, rebuild some boot files.

    • update-initramfs -k all -c
    • update-grub
  7. Reboot, and the system should ask for a password to decrypt on boot!

Special thanks go to Martin Eve, EGIDIO DOCILE, and the folks at blog.botux.fr for tutorials they posted. By pulling pieces from their posts and doing a little extra troubleshooting, I was finally able to figure this out.

I tried this a number of times and failed over and over. The bit that I had to work out for myself based on error messages was sudo mount --bind /run/lvm /mnt/run/lvm

b_laoshi
  • Many thanks, yet I'm stuck at the beginning where I need to set up the luks partition. Cannot find it within fdisk -L output. – Yvain May 24 '17 at 09:01
  • And when I try to setup the crypt I get an error: failed to remove headers – Yvain May 24 '17 at 09:04
  • I see you marked this as a solution. Did you get it working? If not, what tool did you use to create your partitions? You must partition the disk first with a tool like Gparted or fdisk, making a partition for /boot and one for encryption (EFI would require a third non-encrypted partition). I wasn't using EFI in my setup. Only after you have created the partition for encryption can you actually run the cryptsetup luksFormat command to encrypt it. Upon creating /dev/sdb2, you can format it with a filesystem or not. cryptsetup will erase any existing filesystem. – b_laoshi May 25 '17 at 00:39
  • Could you add output of sudo fdisk -l /dev/sdb to your question? – b_laoshi May 25 '17 at 00:40
  • It's working, the only thing that is not correct in your commands is the hash type for the luks partitioning which should be sha1, also I could not mount the lvm directory /var/lvm it doesn't exist, I skipped that it still works. thanks a lot. – Yvain Jun 06 '17 at 12:18
  • @Yvain - I believe this is wrong. Sha1 is no longer considered secure. Something more secure (such as the sha512 option suggested) should definitely be used. – some bits flipped Jun 06 '17 at 16:09
  • I'm not saying about security, I constantly got errors while creating and opening the partitions, in the cryptsetup manual I read that luks format should be used with sha1 algorithm and I did so, it worked. I hope it's still a good thing.. – Yvain Jun 07 '17 at 01:25
  • @Yvain, mike is right. Sha1 is broken and should be avoided if possible. I'm not sure why you would be getting errors when trying to use sha512. It might be worth posting a new question with details of your setup, the exact commands you ran, and the error messages you got to see if anyone can help you get sha512 working. – b_laoshi Jun 07 '17 at 01:31
  • @Yvain, if you didn't need to mount the lvm dir, that's fine. For anyone reading these comments, the directory should be /run/lvm, not /var/lvm. I suspect that may be why Yvain got error messages saying the directory didn't exist. – b_laoshi Jun 07 '17 at 01:36
  • I broke my install already, so reset a cryptsetup and sha512 works as you expected, sha1 is only mentioned as the default hash for luks in the help. – Yvain Jun 07 '17 at 19:10
  • Also I was not able to set the OS after install if I reboot in my other OS (on main drive), from there I tried a lot of combinations of the commands you specified just to test which could be skipped but nothing worked (contrasting with reboot on livecd to finish the install -> that works). I think it is because when I created the crypttab file, I had not mounted sysfs yet. Btw if I understand well, after chrooting the folders that we are mounting are just themselves on themselves but you give them their type so that they're understood by the system? Cheers – Yvain Jun 07 '17 at 19:18
  • Yes, the chroot needs to know the types. – b_laoshi Jun 08 '17 at 00:28
  • +1 @b_laoshi Thanks a lot for the answer, it's helping me a lot :) – Tummala Dhanvi Dec 13 '17 at 08:54
  • Thanks for the awesome script. One thing did not work through the script: Setting up the LUKS partition.

    The command always failed with "Failed to initialize device signature probes", an error I couldn't find anything useful about in the web. However, executing the constructed command manually in a separate shell worked. So I put another "press enter" step here and everything worked fine then.

    And finally a little suggestion: How about adding set -e at the beginning of the script?

    – Jonas Jan 16 '19 at 22:08
  • When I try to edit /etc/crypttab, it says "sudo: unable to resolve host lubuntu: Connection refused" but the edit goes through. What does that mean for me? – Nickolai Leschov Jul 08 '19 at 20:45
  • @NickolaiLeschov, that is not really related to this post, but I think I may still be able to help you. The problem you describe is something you typically see when you change your system name in the /etc/hostname file while failing to update it in the /etc/hosts file as well – b_laoshi Jul 15 '19 at 06:26
  • @b_laoshi Fantastic work, however sudo mount --bind /dev /mnt/dev was required, otherwise update-initramfs -k all -c fails – Nathan Oct 22 '19 at 09:14
  • @Nathan, that's curious. The script checks to see if it is root when it runs and re-runs itself with sudo if it's not running as root. You should have needed to add sudo to any commands. – b_laoshi Oct 24 '19 at 02:48
  • You saved my day. I took the liberty of adding a warning to the update-initramfs section. Took me a while to figure that out. – phipsgabler Feb 17 '20 at 17:43
  • Great guide, thanks. Just ran through this with 20.04 on a Dell XPS 13 with Windows 10. Used the Ubuntu installer's GUI for partition management instead of fdisk or similar which also meant skipping step 2, and didn't have to pvcreate in step 3. Went great! – bernhof May 07 '20 at 11:10
  • I had to re-run sudo cryptsetup luksOpen /dev/sdb2 CryptDisk once the installer finished to start the post-installation mounting – Zach Jul 03 '20 at 00:07
  • Thanks for the script! Such a feature should be included with the installation media. – Joe D Jul 16 '20 at 11:29
  • Is there a way to do this without needing an extra /boot partition as there already is an efi partition? – My1 Jul 07 '22 at 14:14

This is the answer for those who keep bumping into this question wanting to just slightly change the default partitioning of Ubuntu. For example, remove the swap partition and increase the /boot size. I think many people would be discouraged from following b_laoshi's instructions because of the number of steps required.

So for simple custom partitioning with encryption I suggest using "Erase disk and install Ubuntu" with the "Encrypt the new Ubuntu installation for security" option. What we will change is the config for this default partitioning.

These configs are contained in /lib/partman/recipes[-arch]/. For myself, I've been changing /lib/partman/recipes-amd64-efi/30atomic. To get 538M for efi, 1024M for /boot, and the rest for / with ext4, I edited the file to

1024 1024 1024 fat32
    $iflabel{ gpt }
    $reusemethod{ }
    method{ efi }
    format{ } .

4096 4096 4096 ext4 $defaultignore{ } $lvmignore{ } method{ format } format{ } use_filesystem{ } filesystem{ ext4 } mountpoint{ /boot } .

900 10000 -1 ext4 $lvmok{ } method{ format } format{ } use_filesystem{ } filesystem{ ext4 } mountpoint{ / } .

Note, that once you choose the disk to erase in the installer, it will prompt you with the summary of the partitioning, so you can check if the trick worked and you are getting the desired partitioning. See also https://askubuntu.com/a/678074/47073.

Yrogirg

How to accomplish this with multiple encrypted partitions and no LVM

Because my previous answer was so long, I'm posting a second answer that takes a different approach if you do not want to use LVM.

You can create multiple encrypted partitions and use the decrypt_derived script so that you only need to enter the password once. Check out this blog post for step-by-step instructions. The author uses a keyfile, but the decrypt_derived LUKS script would be sufficient as well.

b_laoshi

One way to do the task is to use the Ubuntu network installer: https://www.ubuntu.com/download/alternative-downloads

It is not a graphical installer. But it offers you the explicit choice of disk after you choose the full disk installation with encryption.

ernstkl