Ubuntu – How to preseed encrypting just the root partition

encryptionpartitioningpreseed

I have 3 partitions: EFI (/boot/efi), boot (/boot) and root (/). I want to encrypt just /. I can do this manually via the installer, but I want to preseed it.

How do I define it? My (non-encrypted) recipe looks something like the below. It is something of a mishmash of suggestions for EFI System Partitions I have found (found no clear guide).

boot-root ::
  100 100 100 fat32
    $primary
    $iflabel{ gpt }
    $reusemethod( }
    use_filesystem{ } filesystem{ vfat }
    method{ efi } format{ }
    mountpoint{ /boot/efi }
  .
  300 300 300 ext4
    use_filesystem{ } filesystem{ ext4 }
    method{ format } format{ }
    mountpoint{ /boot }
  .
  100% 3000 100% ext4
    use_filesystem{ } filesystem{ ext4 }
    method{ format } format{ }
    mountpoint{ / }
  .

How do I make sda3 be a physical partition for LUKS-encryption and then have a filesystem on top of that?

UPDATE:

I discovered that I can set the partition to be crypto as below, but there are still 3 issues:

I still need to create and activate the encrypted volumes on the chosen partition
I still need to set the correct ext4 filesystem on the encrypted volume after created and activated
The recipe doesn't select the encryption type to dm-crypt which is required for creating and activating the encrypted volumes.

Still struggling mightily

boot-root ::
  100 100 100 fat32
    $primary
    $iflabel{ gpt }
    $reusemethod( }
    use_filesystem{ } filesystem{ vfat }
    method{ efi } format{ }
    mountpoint{ /boot/efi }
  .
  300 300 300 ext4
    use_filesystem{ } filesystem{ ext4 }
    method{ format } format{ }
    mountpoint{ /boot }
  .
  100% 3000 100% ext4
    method{ crypto } format{ }
  .

Best Answer

At first, open a root terminal:

sudo -i

Then fill the partition, which should be encrypted, with random data using a command like this:

openssl enc -aes-256-ctr -pass pass:"$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64)" -nosalt < /dev/zero > /dev/sdxy

You have to replace sdxy with the partition which will be encrypted. Then type

cryptsetup luksFormat --cipher twofish-xts-plain64 --key-size 512 --hash sha512 --iter-time 2000 /dev/sdxy

to encrypt the partition sdxy. Open the volume and name it root:

cryptsetup luksOpen /dev/sdxy root

Use this command to make an ext4 filesystem inside it:

mkfs.ext4 /dev/mapper/root

Next you can start the installer. Chose "Something else" when being asked what you would like to do. Then chose the mount points for all your not-encrypted partitions. For your root partition, select /dev/mapper/root, click "Change". Then select ext4 for the filesystem type and set the mount point to /. Then click "Install now" and install Ubuntu normally.

When finished installing click "Continue testing". Open a terminal and type:

sudo -i
cd /mnt
mkdir root
mount /dev/mapper/root root
mount /dev/sdyz root/boot

sdyz should be replaced with your boot partition. Next, type:

chroot root
mount -t proc proc /proc
mount -t sysfs sys /sys
nano /etc/crypttab

Open a second terminal and type sudo blkid. Find the UUID for root (the one that says crypto_luks in the end) and paste it into /etc/crypttab. Then the file /etc/crypttab should look something like this:

root UUID=d68911dd-172a-4608-86d4-084eb72f409c none luks

Close the file with Ctrl+x, y and Enter. Type nano /etc/fstab in the terminal and check if everything looks right (e.g. the UUIDs).

At last, quit the chroot environment and type:

cryptsetup luksHeaderBackup /dev/sdxy --header-backup-file /root/root.img

This puts an image of the header of the encrypted partition into the folder /root and names it root.img. Then move the image to an external drive (in case of forgetting the password). Now you can reboot into your newly installed Ubuntu.

Source: http://thesimplecomputer.info/full-disk-encryption-with-ubuntu

An overview of the process

We use EFI mode.
We install to an unencrypted /boot partition and an encrypted btrfs / using the standard installer.
After the installer finishes, we chroot, make some important configuration changes, and re-install grub to the EFI System Partition and re-create initrd.

The detailed steps

Boot from Ubuntu 16.04 install disk (tested with Xubuntu).
Connect to the Internet and run sudo apt update && sudo apt upgrade to update the installer components
Use fdisk, gparted, or another tool to create 3 partitions:
- A GPT partition table
- A 200MB partition that we will use for the EFI System Partition
- A multi-gigabyte partition that we will eventually use as our encrypted swap partition, but which will function as our temporary unencrypted /boot
- An encrypted partition that uses the rest of the space

Prepare the encrypted partition

sudo cryptsetup luksFormat /dev/sda3
sudo cryptsetup luksOpen --allow-discards /dev/sda3 sda3_crypt
sudo mkfs.btrfs /dev/mapper/sda3_crypt

Install Ubuntu
- Choose "Something else" when asked about installation type.
- Configure /dev/sda1 as EFI System Partition
- Configure /dev/sda2 as ext2, formatted, with mount point of /boot
- Configure /dev/mapper/sda3_crypt as btrfs with mount point of /
- Continue with the installation.
- After it finishes, choose to stay in the live system (no reboot).

Copy the contents of /boot and do a chroot

sudo mount -o subvol=@ /dev/mapper/sda3_crypt /target
sudo mount /dev/sda2 /mnt
# (Watch those trailing slashes! rsync is very sensitive to them.)
sudo rsync -aXAH /mnt/ /target/boot/
sudo mount /dev/sda1 /target/boot/efi
sudo mount --bind /dev /target/dev
sudo mount --bind /proc /target/proc
sudo mount --bind /sys /target/sys
sudo chroot /target

(Everything is now happening as chroot inside your new system.)
Add line to /etc/default/grub
```
GRUB_ENABLE_CRYPTODISK=y
```
Add line to /etc/crypttab. You will need to first run sudo blkid to find the UUID of /dev/sda3 (NOT /dev/mapper/sda3_crypt).
```
sda3_crypt UUID=<UUID of /dev/sda3> none luks,discard
```
Edit /etc/fstab and delete the line for /boot. The other entries are correct.

Install grub to the EFI System Partition, generate a new grub.cfg, and prepare initrd.

sudo grub-install --target=x86_64-efi --efi-directory /boot/efi --bootloader=ubuntu --boot-directory=/boot/efi/EFI/ubuntu --recheck
sudo grub-mkconfig -o /boot/efi/EFI/ubuntu/grub/grub.cfg
sudo update-initramfs -c -k all

Optional double-check: Double-check that /boot/efi/EFI/ubuntu/grub/grub.cfg contains lines that include insmod luks, cryptomount -u <UUID>, the correct boot entries, etc. And double-check that your initrd contains the cryptsetup binary. If these things are missing, it is because grub-mkconfig and/or update-initrd couldn't figure out how the volumes that you've mounted or specified in fstab relate to the encrypted volume in crypttab. (There's a lot of magic autoconfiguration that they do.) This may happen if you diverge from this guide by, for example, using ZFS or by trying to partition sda3_crypt.
(If using ZFS instead of btrfs) grub-mkconfig and update-initrd won't recognize ZFS. The workaround involves (during chroot, prior to grub-mkconfig/update-initrd) editing /usr/sbin/grub-mkconfig to add || true to line 139 (which starts with GRUB_DEVICE=), adding GRUB_DEVICE="/dev/mapper/sda3_crypt" to /etc/default/grub, creating file /usr/share/initramfs-tools/conf-hooks.d/forcecryptsetup with contents export CRYPTSETUP=y and file /etc/initramfs-tools/conf.d/cryptroot with contents target=sda3_crypt,source=UUID=<UUID of sda3>,key=none,discard. All of this is in addition to steps that you would take if you were not encrypting the ZFS partiion (like installing zfs userspace utils in both the live system and during chroot and deleting the line that mounts / in fstab).

Exit chroot and reboot into your new system

exit
sudo umount /target/boot/efi
sudo umount /target/dev
sudo umount /target/proc
sudo umount /target/sys
sudo umount /target
sudo reboot

You should see grub asking for your password. Then you'll get the boot menu. After choosing Ubuntu you'll be asked for your password again. Then you'll be in your system. Read more about how Ubuntu uses BTRFS.
TODO: Create encrypted swap (hint: it involves editing crypttab, fstab, and re-running update-initrd).
TODO: Save your password so you only need to enter it once into grub. This is detailed here.

Upgrades

Every time you install a new kernel, you should run the custom grub-mkconfig command.
Every time you update grub, you should run the custom grub-installcommand.

Other notes

It's tempting to create a single encrypted volume and partition it to create the swap partition (and possibly others), but this does not work. Both grub-mkconfig and update-initrd will misbehave. However, I haven't tried LVM.
It may be tempting to use a swapfile on top of btrfs, but it's probably a bad idea because of performance.

Best Answer

Related Solutions

Ubuntu – Ubuntu preseed partman gets partition type and size wrong

Ubuntu – Ubuntu full disk encryption with encrypted /boot

An overview of the process

The detailed steps

Upgrades

Other notes

Related Question