Ubuntu – LVM & LUKS manual partitioned but issues with loader/init/grub

boot encryption luks lvm system-installation

I've had some success with manually partitioning and installing LVM & LUKS.

The partitions are created – home, root, swap and boot, the pv and vg's were all created and set up correctly.

I installed from Live and everything in the file system installed to the right places.

I chroot and mounted and set up /etc/crypttab with the correct UUID and /etc/fstab is pointing to the right mapper and UUIDs (based on blkid output).

At this point I try a couple of approaches to try and get the bootloader and grub to give me a password login screen that will decrypt what I referenced in /etc/crypttab.

First approach –

mount -t proc proc /proc 
mount -t sysfs sys /sys 
update-initramfs -u

running this tells me

/usr/sbin/iucode_tool: cpuid kernel driver unavailable, cannot scan system processor signatures

Second approach –

Checking for /etc/mkinitcpio.conf to add lvm2 and encrypt and then followed by

mkinitcpio -p linux

This doesn't work either because mkinitcpio doesn't exist.

After some research I was thinking that /etc/crypttab perhaps is enough for the existing init processes?

Third approach –

Editing /etc/default/grub to add

GRUB_ENABLE_CRYPTODISK=y 

and then running

grub-mkconfig -o /boot/grub/grub.cfg
grub-install /dev/sda1

The problem I am getting with this is

/usr/sbin/grub-probe: error: failed to get canonical path of `/dev/mapper/ubuntu-rootvol'

I know it should be fairly simple to get this boot screen with password sorted out but I'm out of options. Please can you tell me the correct method for having Ubuntu reference /etc/crypttab

Thanks for your help!

Best Answer

I found a way to set up LUKS and LVM while manually partitioning! I tested this on Ubuntu 16.04.2

Boot Ubuntu from a Live OS and select the option to try Ubuntu without installing. Follow the steps I've outlined below.

  1. Partition the drive with your tool of choice: I used fdisk to set mine up on an msdos partition table as follows:
    • sda1: /boot (1G)
    • sda2: LUKS partition (the rest of the disk)
  2. Set up LUKS
    • sudo cryptsetup luksFormat --hash=sha512 --key-size=512 --cipher=aes-xts-plain64 --verify-passphrase /dev/sda2
    • sudo cryptsetup luksOpen /dev/sda2 CryptDisk
    • While not necessary, it is a good idea to fill your LUKS partition with zeros so that the partition, in an encrypted state, is filled with random data:
      sudo dd if=/dev/zero of=/dev/mapper/CryptDisk bs=4M
      BEWARE, this could take a really long time!
  3. Set up LVM on /dev/mapper/CryptDisk
    • sudo pvcreate /dev/mapper/CryptDisk
    • sudo vgcreate vg0 /dev/mapper/CryptDisk
    • sudo lvcreate -n swap -L 2G vg0
    • sudo lvcreate -n root -L 10G vg0
    • sudo lvcreate -n home -l +100%FREE vg0
  4. Now you're ready to install. When you get to the "Installation type" portion of the install, choose the "Something else" option. Then manually assign the /dev/mapper/vg0-* partitions as you would like to have them configured. Don't forget to set /dev/sda1 as /boot. The /boot partition must not be encrypted. If it is, we won't be able to boot. Change the "Device for boot loader installation" to /dev/sda, and continue with installation.
  5. When installation is complete, don't reboot! Choose the option to "Continue Testing".
  6. In a terminal, type the following and look for the UUID of /dev/sda2. Take note of that UUID for later.
    • sudo blkid
    • The important line on my machine reads /dev/sda2: UUID="bd3b598d-88fc-476e-92bb-e4363c98f81d" TYPE="crypto_LUKS" PARTUUID="50d86889-02"
  7. Next let's get the newly installed system mounted again so we can make some more changes.
    • sudo mount /dev/vg0/root /mnt
    • sudo mount /dev/vg0/home /mnt/home # this is probably not necessary
    • sudo mount /dev/sda1 /mnt/boot
    • If you have an EFI partition, mount it at /mnt/boot/efi
    • sudo mount --bind /dev /mnt/dev # I'm not entirely sure this is necessary
    • sudo mount --bind /run/lvm /mnt/run/lvm
  8. Now run sudo chroot /mnt to access the installed system
  9. From the chroot, mount a couple more things
    • mount -t proc proc /proc
    • mount -t sysfs sys /sys
    • mount -t devpts devpts /dev/pts
  10. Set up crypttab. Using your favorite text editor, create the file /etc/crypttab and add the following line, changing out the UUID with the UUID of your disk.
    • CryptDisk UUID=bd3b598d-88fc-476e-92bb-e4363c98f81d none luks,discard
  11. Lastly, rebuild some boot files.
    • update-initramfs -k all -c
    • update-grub
  12. Reboot, and the system should ask for a password to decrypt on boot!

Special thanks go to Martin Eve, EGIDIO DOCILE, and the folks at blog.botux.fr for tutorials they posted. By pulling pieces from their posts and doing a little extra troubleshooting, I was finally able to figure this out.

I tried this a number of times and failed over and over. The bit that I had to work out for myself based on error messages was sudo mount --bind /run/lvm /mnt/run/lvm
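A check to run between steps 10 and 11, as an added example that is not part of the original answer: it confirms that each /etc/crypttab entry points at a crypto_LUKS device in blkid output and flags the discard option. The function name check_crypttab, the sample files and every UUID except the sda2 line quoted in the answer are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that /etc/crypttab entries name a LUKS container.
# check_crypttab CRYPTTAB BLKID_OUTPUT   (function name is hypothetical)
# Prints "<name> OK|FAIL|WARN <detail>" per finding; returns 1 on any FAIL.
check_crypttab() {
    rc=0
    while read -r name src key opts || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac
        case $src in
            UUID=*) uuid=${src#UUID=} ;;
            *) echo "$name FAIL source '$src' is not UUID=<uuid>"; rc=1; continue ;;
        esac
        # The leading space keeps PARTUUID="..." from matching as UUID="...".
        line=$(grep -F " UUID=\"$uuid\"" "$2" || true)
        case $line in
            '') echo "$name FAIL UUID $uuid not found in blkid output"; rc=1 ;;
            *'TYPE="crypto_LUKS"'*) echo "$name OK ${line%%:*} is a LUKS container" ;;
            *) echo "$name FAIL ${line%%:*} is not crypto_LUKS"; rc=1 ;;
        esac
        # discard lets TRIM through dm-crypt, exposing which blocks are unused.
        case ",$opts," in
            *,discard,*) echo "$name WARN discard reveals unused-block layout" ;;
        esac
    done < "$1"
    return $rc
}

# Constructed sample data; only the sda2 line is taken from the answer.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/blkid.txt" <<'EOF'
/dev/sda1: UUID="11111111-2222-3333-4444-555555555555" TYPE="ext4" PARTUUID="50d86889-01"
/dev/sda2: UUID="bd3b598d-88fc-476e-92bb-e4363c98f81d" TYPE="crypto_LUKS" PARTUUID="50d86889-02"
/dev/mapper/vg0-root: UUID="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" TYPE="ext4"
EOF
cat > "$sample_dir/crypttab.good" <<'EOF'
CryptDisk UUID=bd3b598d-88fc-476e-92bb-e4363c98f81d none luks,discard
EOF
cat > "$sample_dir/crypttab.bad" <<'EOF'
# Constructed mistake: UUID of the root filesystem, not the LUKS partition
CryptDisk UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee none luks
EOF

check_crypttab "$sample_dir/crypttab.good" "$sample_dir/blkid.txt"
check_crypttab "$sample_dir/crypttab.bad" "$sample_dir/blkid.txt" || echo "bad sample rejected"
```

On the installed system, run blkid > /tmp/blkid.txt inside the chroot and call check_crypttab /etc/crypttab /tmp/blkid.txt before update-initramfs.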
