
I already have full disk encryption set up and functioning perfectly with my Xubuntu 17.10. Now I have gotten myself a second hard drive, and I wish to enable full disk encryption with it.

In a perfect world both drives would be mounted at boot time.

v010dya
  • Start here https://www.cyberciti.biz/hardware/howto-linux-hard-disk-encryption-with-luks-cryptsetup-command/ . Then https://askubuntu.com/questions/450895/mount-luks-encrypted-hard-drive-at-boot for /etc/cryptsetup and /etc/fstab. You can skip the key parts, or make a key if you prefer. Post a specific question if you get stuck at any part. – Panther Jan 13 '18 at 15:58
  • I actually found this on my own by now. I will write up how I did this step by step a little later as a self-answer so that it can help others – v010dya Jan 13 '18 at 18:13

1 Answer


I have managed to set everything up. I have done several things, some of which are documented on the internet quite well, while others ... not quite as well. Here I will describe what I did, in hopes that it will be useful to others.

Keep in mind that almost every command here needs administrator privileges; sudo -i is your friend.

First of all I needed to create an empty partition table and a single partition that took the entire drive; the partition needed to be without any filesystem. I did this with GParted, but any other tool would work as well.

Then I needed to make that partition encrypted:

cryptsetup --iter-time 5000 --use-random luksFormat --type luks2 /dev/sdb1
cryptsetup open /dev/sdb1 large_crypt

"large" in this case is just what I have decided to name that particular drive.

After that comes putting LVM on top of that encrypted partition:

pvcreate /dev/mapper/large_crypt
vgcreate largevg /dev/mapper/large_crypt

Now is the time to create logical volumes inside the created volume group (here largevg). I wanted to have 20G swap and the rest as ext4.

vgdisplay --units B

This gives the sizes of virtual groups in bytes. I took note of the one I have created and subtracted 20G from it manually.

The following commands were executed from /dev/mapper/ so that I wouldn't have to write the path all the time.

lvcreate -L 1980393601024B -n work largevg
mkfs.ext4 largevg-work
lvcreate -l 100%FREE -n swap largevg 
mkswap largevg-swap

In order to mount everything at boot, I did a well documented trick:

dd if=/dev/random of=/root/.large-keyfile bs=1024 count=4
chmod 0400 /root/.large-keyfile 
cryptsetup luksAddKey /dev/sdb1 /root/.large-keyfile

Finally I need to actually ensure that everything gets mounted at boot time:

blkid

Then take note of the block device partition UUID (/dev/sdb1 in my case). This will go into /etc/crypttab like so:

large_crypt UUID=[whatever uuid of sdb1 was] /root/.large-keyfile luks,discard

And then added this into /etc/fstab:

/dev/mapper/largevg-work    /some/path  ext4    errors=remount-ro   0   2
/dev/mapper/largevg-swap    none    swap    sw  0   0

Just in case I did:

update-initramfs -u

Now everything works almost perfectly. The only issue is that for whatever reason Xubuntu thinks that the drive is external and puts the icon on the desktop as well as tries to allow me to dismount it (which I then cannot do); however, it's a minor nuisance, which I'll fix later.

v010dya
  • Why use LVM? It's just one partition, sounds like an extra headache layer. Maybe related to the looks-external issue too. – Xen2050 Jan 20 '18 at 14:51
  • @Xen2050 Two partitions are not "just one partition" – v010dya Jan 21 '18 at 07:09
  • Ah, work & swap were buried in there. In that case, why are you permanently encrypting swap? Just use a random swap encryption key & forget it on reboot, then throw away all the lvm headache layer. – Xen2050 Feb 21 '18 at 04:02
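
An added example, not part of the answer or its comments: a shell function that audits a crypttab like the one in the answer. It checks that each on-disk keyfile exists with no group/other permission bits, warns when the source is a kernel device name rather than a stable identifier such as UUID=, and notes entries that enable discard. The function name and message format are hypothetical, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# audit_crypttab FILE (hypothetical helper, not a cryptsetup tool)
# Prints one finding per line; returns 1 if any FAIL finding was printed.
audit_crypttab() {
    tab=$1
    rc=0
    while read -r name dev key opts rest || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac
        # Kernel names such as /dev/sdb1 can change between boots.
        case $dev in
            UUID=*|PARTUUID=*|LABEL=*|PARTLABEL=*|/dev/disk/by-*|/dev/mapper/*) ;;
            *) echo "WARN $name: source $dev is not a stable identifier" ;;
        esac
        # TRIM passes through the mapping when discard is set.
        case ",$opts," in
            *,discard,*) echo "NOTE $name: discard reveals which blocks are unused to anyone reading the raw disk" ;;
        esac
        # Passphrase prompts and device keys (e.g. /dev/urandom) have no file to check.
        case $key in ''|none|-|/dev/*) continue ;; esac
        if [ ! -f "$key" ]; then
            echo "FAIL $name: keyfile $key is missing or not a regular file"
            rc=1
            continue
        fi
        mode=$(stat -c %a "$key")
        # The last two octal digits are the group and other bits; both must be 0.
        case $mode in
            *00|0) ;;
            *) echo "FAIL $name: keyfile $key has mode $mode (group/other bits set)"
               rc=1 ;;
        esac
    done < "$tab"
    return $rc
}

# Stand-alone use: sh audit_crypttab.sh /etc/crypttab
if [ "$#" -gt 0 ]; then audit_crypttab "$1"; fi
```

Run it as root against /etc/crypttab, since the keyfile in the answer sits under /root and is unreadable to other users.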