Monday, November 7, 2011

Encrypted Ubuntu filesystem on a logical volume (without alternate install)

Installing Ubuntu with LVM and an encrypted filesystem does not require the Alternate installation media; it can be done from the official one.

My setup is what is usually called full encryption (although I would not call it full, because the /boot partition is not encrypted and can therefore be backdoored by anyone with physical access to the machine). The root filesystem is a logical volume that is itself encrypted (unlike other setups and how-tos, where LVM sits on top of one encrypted partition). The boot partition is /dev/sda3; it also boots other systems on which I do not want to install LVM support.

If a newly installed system does not boot after a reboot and drops into a busybox shell, it may be because the initramfs cannot find the root partition to mount and boot the rest of the system. This is what I did to finalize the installation:

1. Boot another system (e.g. Ubuntu from the installation media)

2. Open the new (encrypted) target Ubuntu root filesystem
(cryptsetup luksOpen /dev/vg/new cryptroot)
Of course you have not given your volume group a name like "vg" and your logical volume the name "new". (If you have... do you really like that all volume groups on your and your friends' USB drives have the same name "vg"? And do you want a logical volume that has been old for many years but is still called "new", because you do not want to rename it?)

3. Mount it
(mount /dev/mapper/cryptroot /mnt)
4. Mount the /boot partition
(mount /dev/sda3 /mnt/boot)
Change the device name accordingly. This is the unencrypted boot partition; the kernel image and initramfs (initrd) boot files are located here.

5. Chroot to it
(chroot /mnt)
6. Install LVM and cryptsetup
(apt-get install lvm2 cryptsetup)
Installing these packages updates the initramfs automagically, which is why it is important to have the boot partition mounted first (otherwise the new initramfs lands in the boot directory of the encrypted root, where the boot loader cannot read it).

7. Edit the file /etc/default/grub and add kernel command line options

(GRUB_CMDLINE_LINUX="root=/dev/mapper/cryptroot cryptopts=source=/dev/vg/new")

so that after propagating the changes (update-grub) the generated grub configuration file (/mnt/boot/grub.cfg) has the line

(linux..... root=/dev/mapper/cryptroot cryptopts=source=/dev/vg/new)

You can omit the first option if the root= option gets added automatically. You could also omit the latter one (until 12/2011 in Ubuntu 11.10), but if booting drops you into a "busybox initramfs shell" with an error that it cannot find /dev/mapper/cryptroot, this might be useful.

8. Edit /etc/fstab

(/dev/mapper/cryptroot  /      ext3    errors=remount-ro 0       1)
9. Enjoy!
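The steps above, collected into a small POSIX shell script as an added example (this is not code from the original post). It assumes the names used in the post (volume group "vg", logical volume "new", mapper name "cryptroot", /boot on /dev/sda3, rescue mount point /mnt); the bind mounts of /dev, /proc and /sys before the chroot are my addition, because update-grub needs them inside the chroot. The part worth keeping even if you do the rest by hand is check_grub_cfg, which verifies before the reboot that every kernel line in the generated grub.cfg carries both root= and cryptopts=. The two sample_*_cfg functions produce constructed grub.cfg fragments, not real update-grub output.

```shell
#!/bin/sh
# Added example, not part of the original post: the finalisation steps as shell
# functions, plus a check that the grub.cfg produced by update-grub really
# carries the root= and cryptopts= options before you reboot.
# Assumed layout (taken from the post; adjust to your own names):
VG=vg                 # volume group
LV=new                # logical volume holding the LUKS-encrypted root
MAPPER=cryptroot      # name given to the opened LUKS device
BOOT_DEV=/dev/sda3    # unencrypted /boot partition
TARGET=/mnt           # where the rescue system mounts the new root

# Step 7: the kernel command line to put in /etc/default/grub.
grub_cmdline() {
    printf 'GRUB_CMDLINE_LINUX="root=/dev/mapper/%s cryptopts=source=/dev/%s/%s"\n' \
        "$MAPPER" "$VG" "$LV"
}

# Step 8: the /etc/fstab entry for the encrypted root.
fstab_line() {
    printf '/dev/mapper/%s  /  ext3  errors=remount-ro  0  1\n' "$MAPPER"
}

# Pre-reboot check: every "linux" line in the given grub.cfg must name the
# mapper device as root and point cryptopts at the logical volume.
# Returns 0 when all of them do, 1 when any lacks an option or none exist.
check_grub_cfg() {
    cfg=$1
    total=$(grep -c '^[[:space:]]*linux[[:space:]]' "$cfg" || true)
    [ "$total" -gt 0 ] || return 1
    ok=$(grep '^[[:space:]]*linux[[:space:]]' "$cfg" \
         | grep "root=/dev/mapper/$MAPPER" \
         | grep -c "cryptopts=source=/dev/$VG/$LV" || true)
    [ "$ok" -eq "$total" ]
}

# Steps 2-5, run as root from the live system (never called automatically here):
# open the LUKS volume, mount root and /boot, bind-mount the pseudo filesystems
# (my addition: update-grub needs /dev and /proc inside the chroot), then chroot.
enter_chroot() {
    cryptsetup luksOpen "/dev/$VG/$LV" "$MAPPER"
    mount "/dev/mapper/$MAPPER" "$TARGET"
    mount "$BOOT_DEV" "$TARGET/boot"
    for d in dev proc sys; do mount --bind "/$d" "$TARGET/$d"; done
    chroot "$TARGET" /bin/sh
}

# Steps 6-8, run inside the chroot; refuses to report success until the
# generated grub.cfg passes the check above.
finalize_in_chroot() {
    apt-get install -y lvm2 cryptsetup        # also regenerates the initramfs in /boot
    # replace an existing GRUB_CMDLINE_LINUX line, or append one if there is none
    sed -i "s|^GRUB_CMDLINE_LINUX=.*|$(grub_cmdline)|" /etc/default/grub
    grep -q '^GRUB_CMDLINE_LINUX=' /etc/default/grub || grub_cmdline >> /etc/default/grub
    update-grub
    # replace the installer's root entry (second field "/") with the mapper device
    sed -i "s|^[^#][^[:space:]]*[[:space:]][[:space:]]*/[[:space:]].*|$(fstab_line)|" /etc/fstab
    check_grub_cfg /boot/grub/grub.cfg || {
        echo "grub.cfg lacks root= or cryptopts= on a kernel line; do not reboot yet" >&2
        return 1
    }
}

# Constructed sample (not real update-grub output) of the kernel line the post expects.
sample_good_cfg() {
    cat <<EOF
menuentry 'Ubuntu' {
        linux   /vmlinuz-VERSION root=/dev/mapper/$MAPPER ro cryptopts=source=/dev/$VG/$LV quiet splash
        initrd  /initrd.img-VERSION
}
EOF
}

# Constructed sample of a grub.cfg that would drop you into the busybox shell.
sample_bad_cfg() {
    cat <<EOF
menuentry 'Ubuntu' {
        linux   /vmlinuz-VERSION root=/dev/mapper/$MAPPER ro quiet splash
        initrd  /initrd.img-VERSION
}
EOF
}

# Stand-alone run: print the two lines to paste and exercise the check on the samples.
grub_cmdline
fstab_line
tmp=$(mktemp)
sample_good_cfg > "$tmp"; check_grub_cfg "$tmp" && echo "sample grub.cfg: OK"
sample_bad_cfg > "$tmp";  check_grub_cfg "$tmp" || echo "sample grub.cfg without cryptopts: would not boot"
rm -f "$tmp"
```

Run it as-is on any machine to see the lines and the check; on the rescue system, source the file and call enter_chroot, then inside the chroot source it again and call finalize_in_chroot. Checking the generated grub.cfg rather than trusting update-grub is the point: the busybox shell described in the post is exactly what a kernel line without cryptopts= produces.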

Feel free to comment and ask; maybe I forgot some steps that were also needed. Consider encrypting swap as well.
