Ubuntu – Encrypted custom install

encryption luks system-installation

My computer runs Ubuntu. I want to install Ubuntu on another medium. I wish to enable encryption, yet as the Ubuntu installer's default choices (erase/alongside/etc…) only concern the default drive, I have to choose "something else" and create the partitions on the other drive manually. I create a ~128 MB partition for boot, then I'm lost: if I make an encrypted partition with the rest of the space I'm unable to split it, so I have no swap; if instead I create two encrypted partitions, it doesn't seem right because it wants to set up two different passwords…

How can I set up the swap then? (During or after install).

Best Answer

Update 2020-07-16: This may not work with Ubuntu flavors that have moved away from the Ubiquity installer (e.g. Lubuntu, which now uses Calamares), because some of those installers go so far as to deactivate LVM partitions that they did not, themselves, configure in the pre-installation process, thus making the partitions that were configured for system installation unavailable.

How to accomplish this with LVM and a single encrypted partition

Warning

First of all, 128M is too small for boot! I use 1G. Otherwise, what is bound to happen is that you may forget to remove old kernels and /boot will fill up, and you'll have to deal with the pain of trying to remove old kernels from the system so that you can get apt or apt-get to work again. Even with 1G, make sure you remove old kernels from time to time.

The next steps are not intended for novice users.
UPDATE: I have created a script that will perform the following operations for you and more! All you have to do is run it from the Live OS before installation. You can find a write-up on my blog.


Pre-installation from live OS

You want to set up LUKS and LVM while manually partitioning! I tested this on Ubuntu 16.04.2 / 18.04 / 20.04.

Boot Ubuntu from a Live OS and select the option to try Ubuntu without installing. Follow the steps I've outlined below. Let's assume you're installing to /dev/sdb.

  1. Partition the drive with your tool of choice: I used fdisk to set mine up on an msdos partition table as follows:
    • other partitions: existing OSs -- we don't care about these
    • sdb1: /boot (1G)
    • sdb2: LUKS partition (the rest of the disk)
  2. Set up LUKS
    • sudo cryptsetup luksFormat --hash=sha512 --key-size=512 --cipher=aes-xts-plain64 --verify-passphrase /dev/sdb2
    • sudo cryptsetup luksOpen /dev/sdb2 CryptDisk
    • While not necessary, it is a good idea to fill your LUKS partition with zeros so that the partition, in an encrypted state, is filled with random data (sudo dd if=/dev/zero of=/dev/mapper/CryptDisk bs=4M). BEWARE, this could take a really long time!
  3. Set up LVM on /dev/mapper/CryptDisk
    • sudo pvcreate /dev/mapper/CryptDisk
    • sudo vgcreate vg0 /dev/mapper/CryptDisk
    • sudo lvcreate -n swap -L 2G vg0
    • sudo lvcreate -n root -L 10G vg0
    • sudo lvcreate -n home -l +100%FREE vg0

Installation from live OS

  1. Now you're ready to install. When you get to the "Installation type" portion of the install, choose the "Something else" option. Then manually assign the /dev/mapper/vg0-* partitions as you would like to have them configured. Don't forget to set /dev/sdb1 as /boot. The /boot partition must not be encrypted; if it is, we won't be able to boot. Change the "Device for boot loader installation" to /dev/sdb, and continue with the installation.
  2. When installation is complete, don't reboot! Choose the option to "Continue Testing".

Post-installation configuration from live OS

This bit is really important if you want your system to boot! I spent quite a bit of time researching this to figure out these post-installation steps. In my case I was actually doing it because I wanted to customize the size of /boot on /dev/sda, but all that work should carry over to your situation as well.

  1. In a terminal, type the following and look for the UUID of /dev/sdb2. Take note of that UUID for later.

    • sudo blkid | grep LUKS
    • The important line on my machine reads /dev/sdb2: UUID="bd3b598d-88fc-476e-92bb-e4363c98f81d" TYPE="crypto_LUKS" PARTUUID="50d86889-02"
  2. Next, let's get the newly installed system mounted again so we can make some more changes.

    • sudo mount /dev/vg0/root /mnt
    • sudo mount /dev/vg0/home /mnt/home # this is probably not necessary
    • sudo mount /dev/sdb1 /mnt/boot
    • sudo mount --bind /dev /mnt/dev # I'm not entirely sure this is necessary
    • sudo mount --bind /run/lvm /mnt/run/lvm
    • (Only if you're using EFI): sudo mount /dev/sd*/your/efi/partition /mnt/boot/efi
  3. Now run sudo chroot /mnt to access the installed system.

  4. From the chroot, mount a couple more things:

    • mount -t proc proc /proc
    • mount -t sysfs sys /sys
    • mount -t devpts devpts /dev/pts
  5. Set up crypttab. Using your favorite text editor, create the file /etc/crypttab and add the following line, changing out the UUID with the UUID of your disk.

    • CryptDisk UUID=bd3b598d-88fc-476e-92bb-e4363c98f81d none luks,discard
  6. Lastly, rebuild some boot files.
    • update-initramfs -k all -c
    • update-grub
  7. Reboot, and the system should ask for a password to decrypt on boot!

Special thanks go to Martin Eve, EGIDIO DOCILE, and the folks at blog.botux.fr for tutorials they posted. By pulling pieces from their posts and doing a little extra troubleshooting, I was finally able to figure this out.

I tried this a number of times and failed over and over. The bit that I had to work out for myself based on error messages was sudo mount --bind /run/lvm /mnt/run/lvm.
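Added example, not part of the answer above or of any Ubuntu tooling: the step in the post-installation section most likely to leave the system unbootable is the /etc/crypttab entry, since it must carry the UUID of the crypto_LUKS container rather than the LVM volume or a device name. This Python script parses blkid output (the constructed sample below mirrors the answer's sdb2 line; every other device and UUID in it is made up), finds the crypto_LUKS containers, builds the crypttab line in the answer's format, and checks an existing crypttab before you reboot. All function names are this example's own.

```python
"""Pre-reboot check for the LUKS + LVM layout: does crypttab point at a real LUKS container?"""
import re
from typing import Dict, List

# Constructed sample of `sudo blkid` output. The /dev/sdb2 line is the one quoted in the
# answer; the other devices and UUIDs are invented for this example.
SAMPLE_BLKID = """\
/dev/sda1: UUID="1a2b3c4d-0000-1111-2222-333344445555" TYPE="ext4" PARTUUID="0c1d2e3f-01"
/dev/sdb1: UUID="9f8e7d6c-5b4a-3928-1706-f5e4d3c2b1a0" TYPE="ext4" PARTUUID="50d86889-01"
/dev/sdb2: UUID="bd3b598d-88fc-476e-92bb-e4363c98f81d" TYPE="crypto_LUKS" PARTUUID="50d86889-02"
/dev/mapper/vg0-root: UUID="c0ffee00-1234-5678-9abc-def012345678" TYPE="ext4"
"""

# blkid prints KEY="value" pairs after the device path.
_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_blkid(text: str) -> Dict[str, Dict[str, str]]:
    """Map device path -> {KEY: value} from blkid's `dev: KEY="v" KEY="v"` lines."""
    devices: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        dev, _, rest = line.partition(":")
        devices[dev.strip()] = dict(_KV.findall(rest))
    return devices


def luks_devices(devices: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Return {device: UUID} for every crypto_LUKS container blkid reported."""
    return {
        dev: attrs["UUID"]
        for dev, attrs in devices.items()
        if attrs.get("TYPE") == "crypto_LUKS" and "UUID" in attrs
    }


def crypttab_line(name: str, uuid: str, options: str = "luks,discard") -> str:
    """Build a crypttab entry: <target> <source> <key file> <options>.
    'none' as key file means the passphrase is prompted for at boot."""
    return f"{name} UUID={uuid} none {options}"


def check_crypttab(crypttab_text: str, devices: Dict[str, Dict[str, str]]) -> List[str]:
    """Return a list of problems; an empty list means every entry resolves to a LUKS device."""
    known = set(luks_devices(devices).values())
    problems: List[str] = []
    for n, raw in enumerate(crypttab_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            problems.append(f"line {n}: expected 4 fields, got {len(fields)}")
            continue
        _name, source, _keyfile, options = fields[:4]
        if not source.startswith("UUID="):
            # /dev/sdX names can change between boots; the answer deliberately uses UUID=
            problems.append(f"line {n}: source {source!r} is not UUID= based")
            continue
        uuid = source[len("UUID="):]
        if uuid not in known:
            problems.append(f"line {n}: UUID {uuid} does not belong to any crypto_LUKS device")
        if "luks" not in options.split(","):
            problems.append(f"line {n}: options {options!r} lack 'luks'")
    return problems


if __name__ == "__main__":
    devs = parse_blkid(SAMPLE_BLKID)
    for dev, uuid in luks_devices(devs).items():
        print(f"{dev}: {crypttab_line('CryptDisk', uuid)}")
    # A crypttab that names the raw partition instead of its UUID gets flagged.
    for problem in check_crypttab("CryptDisk /dev/sdb2 none luks,discard\n", devs):
        print("problem:", problem)
```

On a real system you would feed `check_crypttab` the contents of /mnt/etc/crypttab and the output of `sudo blkid` instead of the constructed sample; running it from the live OS before the final reboot catches a typo in the UUID while the system is still trivially repairable.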
