My computer runs Ubuntu. I want to install Ubuntu on another medium. I wish to enable encryption, yet as the Ubuntu installer's default choices (erase/alongside/etc…) only concern the default drive, I have to choose "something else" and create the partitions on the other drive manually. I create a ~128 MB part for boot, then I'm lost: if I make an encrypted partition with the rest of the space I'm unable to split it, so I have no swap; if instead I create two encrypted partitions, it doesn't seem right because it wants to set up two different passwords…
How can I set up the swap then? (During or after install).
Best Answer
Update 2020-07-16: This may not work with Ubuntu flavors that have moved away from the Ubiquity installer (e.g. Lubuntu, which now uses Calamares) because some of those installers go so far as to deactivate LVM partitions that they did not, themselves, configure in the pre-installation process, thus making unavailable the partitions that were configured for system installation.
How to accomplish this with LVM and a single encrypted partition
Warning
First of all, 128M is too small for boot! I use 1G. Otherwise, what is bound to happen is that you may forget to remove old kernels and /boot will fill up, and you'll have to deal with the pain of trying to remove old kernels from the system so that you can get apt or apt-get to work again. Even with 1G, make sure you remove old kernels from time to time.
The next steps are not intended for novice users.
UPDATE: I have created a script that will perform the following operations for you and more! All you have to do is run it from the Live OS before installation. You can find a write-up on my blog.
Pre-installation from live OS
You want to set up LUKS and LVM while manually partitioning! I tested this on Ubuntu 16.04.2 / 18.04 / 20.04.
Boot Ubuntu from a Live OS and select the option to try Ubuntu without installing. Follow the steps I've outlined below. Let's assume you're installing to /dev/sdb.
sudo cryptsetup luksFormat --hash=sha512 --key-size=512 --cipher=aes-xts-plain64 --verify-passphrase /dev/sdb2
sudo cryptsetup luksOpen /dev/sdb2 CryptDisk
sudo dd if=/dev/zero of=/dev/mapper/CryptDisk bs=4M
BEWARE, this could take a really long time!
sudo pvcreate /dev/mapper/CryptDisk
sudo vgcreate vg0 /dev/mapper/CryptDisk
sudo lvcreate -n swap -L 2G vg0
sudo lvcreate -n root -L 10G vg0
sudo lvcreate -n home -l +100%FREE vg0
Installation from live OS
Post-installation configuration from live OS
This bit is really important if you want your system to boot! I spent quite a bit of time researching this to figure out these post-installation steps. In my case I was actually doing it because I wanted to customize the size of /boot on /dev/sda, but all that work should carry over to your situation as well.
In a terminal, type the following and look for the UUID of /dev/sdb2. Take note of that UUID for later.
sudo blkid | grep LUKS
/dev/sdb2: UUID="bd3b598d-88fc-476e-92bb-e4363c98f81d" TYPE="crypto_LUKS" PARTUUID="50d86889-02"
Next, let's get the newly installed system mounted again so we can make some more changes.
sudo mount /dev/vg0/root /mnt
sudo mount /dev/vg0/home /mnt/home # this is probably not necessary
sudo mount /dev/sdb1 /mnt/boot
sudo mount --bind /dev /mnt/dev # I'm not entirely sure this is necessary
sudo mount --bind /run/lvm /mnt/run/lvm
sudo mount /dev/sd*/your/efi/partition /mnt/boot/efi
Now run sudo chroot /mnt to access the installed system.
From the chroot, mount a couple more things:
mount -t proc proc /proc
mount -t sysfs sys /sys
mount -t devpts devpts /dev/pts
Set up crypttab. Using your favorite text editor, create the file /etc/crypttab and add the following line, changing out the UUID with the UUID of your disk.
CryptDisk UUID=bd3b598d-88fc-476e-92bb-e4363c98f81d none luks,discard
update-initramfs -k all -c
update-grub
Special thanks go to Martin Eve, EGIDIO DOCILE, and the folks at blog.botux.fr for tutorials they posted. By pulling pieces from their posts and doing a little extra troubleshooting, I was finally able to figure this out.
I tried this a number of times and failed over and over. The bit that I had to work out for myself based on error messages was
sudo mount --bind /run/lvm /mnt/run/lvm
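As an added example (not part of the original answer or its author's script), this check compares each /etc/crypttab entry with saved blkid output before you reboot, catching a pasted PARTUUID or non-LUKS UUID and flagging the discard option. The function name check_crypttab, the temporary file names and the /dev/sdb1 line are assumptions made for illustration.

```bash
# Added example: compare crypttab entries with blkid output before rebooting.
# check_crypttab CRYPTTAB_FILE BLKID_OUTPUT_FILE   (hypothetical helper name)
# Prints one finding per line; returns 1 if any entry would fail to unlock.
check_crypttab() {
    rc=0
    while read -r name source keyfile options; do
        case $name in ''|'#'*) continue ;; esac   # skip blank and comment lines
        case $source in
            UUID=*) uuid=${source#UUID=} ;;
            *) echo "ERROR $name: source '$source' is not UUID=<luks-uuid>"
               rc=1; continue ;;
        esac
        # The leading space keeps PARTUUID="..." from matching; the UUID must
        # belong to the LUKS container, not to a filesystem or LV inside it.
        line=$(grep -F " UUID=\"$uuid\"" "$2" || true)
        case $line in
            '') echo "ERROR $name: UUID $uuid not in blkid output"; rc=1 ;;
            *'TYPE="crypto_LUKS"'*) echo "OK $name: ${line%%:*} is a LUKS container" ;;
            *) echo "ERROR $name: ${line%%:*} is not TYPE=crypto_LUKS"; rc=1 ;;
        esac
        # discard passes TRIM through dm-crypt, which reveals which blocks are unused.
        case ",$options," in
            *,discard,*) echo "WARN $name: discard (TRIM) exposes which blocks are unused" ;;
        esac
    done < "$1"
    return $rc
}

# Constructed sample data: the sdb2 line is the one shown in the answer,
# the sdb1 line is made up for the example.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/blkid.txt" <<'EOF'
/dev/sdb1: UUID="11111111-2222-3333-4444-555555555555" TYPE="ext4" PARTUUID="50d86889-01"
/dev/sdb2: UUID="bd3b598d-88fc-476e-92bb-e4363c98f81d" TYPE="crypto_LUKS" PARTUUID="50d86889-02"
EOF
echo 'CryptDisk UUID=bd3b598d-88fc-476e-92bb-e4363c98f81d none luks,discard' > "$tmp/crypttab"

check_crypttab "$tmp/crypttab" "$tmp/blkid.txt" || echo "fix crypttab before rebooting"
```

On a real system, run it from the live session with the output of sudo blkid saved to a file and /mnt/etc/crypttab as the first argument.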