I have 3 partitions: EFI (/boot/efi), boot (/boot) and root (/). I want to encrypt just /. I can do this manually via the installer, but I want to preseed it.
How do I define it? My (non-encrypted) recipe looks something like the below. It is something of a mishmash of suggestions for EFI System Partitions I have found (found no clear guide).
boot-root ::
100 100 100 fat32
$primary
$iflabel{ gpt }
$reusemethod{ }
use_filesystem{ } filesystem{ vfat }
method{ efi } format{ }
mountpoint{ /boot/efi }
.
300 300 300 ext4
use_filesystem{ } filesystem{ ext4 }
method{ format } format{ }
mountpoint{ /boot }
.
100% 3000 100% ext4
use_filesystem{ } filesystem{ ext4 }
method{ format } format{ }
mountpoint{ / }
.
How do I make sda3 be a physical partition for LUKS-encryption and then have a filesystem on top of that?
UPDATE:
I discovered that I can set the partition to be crypto as below, but there are still 3 issues:
- I still need to create and activate the encrypted volumes on the chosen partition
- I still need to set the correct ext4 filesystem on the encrypted volume after created and activated
- The recipe doesn't select the encryption type to dm-crypt which is required for creating and activating the encrypted volumes.
Still struggling mightily
boot-root ::
100 100 100 fat32
$primary
$iflabel{ gpt }
$reusemethod{ }
use_filesystem{ } filesystem{ vfat }
method{ efi } format{ }
mountpoint{ /boot/efi }
.
300 300 300 ext4
use_filesystem{ } filesystem{ ext4 }
method{ format } format{ }
mountpoint{ /boot }
.
100% 3000 100% ext4
method{ crypto } format{ }
.
Best Answer
At first, open a root terminal:
Then fill the partition, which should be encrypted, with random data using a command like this:
You have to replace sdxy with the partition which will be encrypted. Then type to encrypt the partition sdxy. Open the volume and name it root:
Use this command to make an ext4 filesystem inside it:
Next you can start the installer. Choose "Something else" when being asked what you would like to do. Then choose the mount points for all your not-encrypted partitions. For your root partition, select /dev/mapper/root, click "Change". Then select ext4 for the filesystem type and set the mount point to /. Then click "Install now" and install Ubuntu normally.
When finished installing click "Continue testing". Open a terminal and type:
sdyz should be replaced with your boot partition. Next, type:
Open a second terminal and type sudo blkid. Find the UUID for root (the one that says crypto_luks in the end) and paste it into /etc/crypttab. Then the file /etc/crypttab should look something like this:
Close the file with Ctrl+x, y and Enter. Type nano /etc/fstab in the terminal and check if everything looks right (e.g. the UUIDs).
At last, quit the chroot environment and type:
This puts an image of the header of the encrypted partition into the folder /root and names it root.img. Then move the image to an external drive (in case of forgetting the password). Now you can reboot into your newly installed Ubuntu.
Source: http://thesimplecomputer.info/full-disk-encryption-with-ubuntu
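The crypttab step in the answer above is easy to get wrong by pasting the UUID of the ext4 filesystem on /dev/mapper/root instead of the UUID of the LUKS partition. The following check is an added example, not part of the original answer or its source; the function names and the sample blkid and crypttab text are constructed for illustration.

```shell
#!/bin/sh
# Added example: every UUID= source in crypttab must be a LUKS container
# (blkid reports TYPE="crypto_LUKS"), not the filesystem opened inside it.

# Constructed sample data; all UUIDs are made up.
SAMPLE_BLKID='/dev/sda1: UUID="1A2B-3C4D" TYPE="vfat"
/dev/sda2: UUID="11111111-1111-4111-8111-111111111111" TYPE="ext4"
/dev/sda3: UUID="22222222-2222-4222-8222-222222222222" TYPE="crypto_LUKS"
/dev/mapper/root: UUID="33333333-3333-4333-8333-333333333333" TYPE="ext4"'
GOOD_CRYPTTAB='# <target> <source> <key file> <options>
root UUID=22222222-2222-4222-8222-222222222222 none luks'
BAD_CRYPTTAB='root UUID=33333333-3333-4333-8333-333333333333 none luks'

# Print the UUID of every blkid line whose TYPE is crypto_LUKS.
luks_uuids() {
    printf '%s\n' "$1" | grep 'TYPE="crypto_LUKS"' |
        sed -n 's/.* UUID="\([^"]*\)".*/\1/p'
}

# check_crypttab BLKID_TEXT CRYPTTAB_TEXT
# Returns 0 if every UUID= source is a LUKS container, 1 otherwise.
check_crypttab() {
    luks=$(luks_uuids "$1")
    status=0
    while read -r target source _rest; do
        case "$target" in ''|'#'*) continue ;; esac   # skip blanks and comments
        case "$source" in
            UUID=*) uuid=${source#UUID=} ;;
            *) continue ;;                            # device paths are not checked
        esac
        if [ -z "$uuid" ] || ! printf '%s\n' "$luks" | grep -qxF -- "$uuid"; then
            echo "crypttab target '$target': UUID '$uuid' is not crypto_LUKS" >&2
            status=1
        fi
    done <<EOF
$2
EOF
    return $status
}

check_crypttab "$SAMPLE_BLKID" "$GOOD_CRYPTTAB" && echo "good sample: ok"
check_crypttab "$SAMPLE_BLKID" "$BAD_CRYPTTAB" || echo "bad sample: rejected"
```

On an installed system, pass the real data instead of the samples: `check_crypttab "$(sudo blkid)" "$(cat /etc/crypttab)"`.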