Ubuntu – Ubuntu Server 20.04 RAID1 + LVM encrypted partition: problem with GRUB

Tags: 20.04, encryption, partitioning, raid, server

On the new Ubuntu Server 20.04 I was unable to create an encrypted partition with "RAID + LVM". The installation process finished correctly, but at startup GRUB wasn't found, and I was redirected to the "GRUB minimal bash".

Here I will describe how I proceeded during the installation.
First, I prepared both hard drives (SSDs in my case) using "GParted Live" (I created a bootable USB with the GParted ISO):

  1. 512 MB partition, named "/bios/efi", fat32, flagged as "boot, esp";
  2. 10 GB / partition, named "/", ext4, flagged as "raid";
  3. /home partition, named "/home", ext4, flagged as "raid";

Then, using the "Custom storage layout" during the Ubuntu Server 20.04 installation:

  1. I checked both disks to be "added as a boot disk"

  2. and then using the "Create software RAID (md)" I have created a new "md0" volume (always active)

  3. and then I created another "RAID md" volume (always active)

  4. At this point I selected "Create Volume LVM", chose the "md0" partition and assigned a passphrase to it.

  5. I selected "Create Volume LVM" again, chose the "md1" partition and assigned a passphrase.

  6. Now I selected the "vg0" partition and chose "Add GPT Partition", and then I selected "Create logical volume" and mounted it on "/"

  7. Similarly for the "vg1" partition, where I chose "Add GPT Partition", and then I selected "Create logical volume" and mounted it on "/home"

  8. After that I chose "done" and completed the installation

  9. After the reboot the OS entered the "GRUB minimal bash"

What is wrong?

Thank you

Best Answer

I experienced a similar problem. After no luck with various permutations in a VM I stumbled across this thread on Reddit, where user wRAR_ says '[Debian installer] currently doesn't support encrypted /boot'. Ubuntu is based on Debian; I don't know to what extent the installers are similar, but I tested both in a VM, with and without encrypted /boot. Both failed to boot, presenting the GRUB shell you describe in your question.

NOTE: Designating an encrypted area as the mount point for /, and not designating a separate /boot mount point, means that /boot will reside under that encrypted /.

Broadly this means, if we want some kind of encrypted LVM on top of RAID, there are two options:

Option 1 - what I chose to do, and which is more beginner-friendly since it can be accomplished with the standard Ubuntu installer.

Encrypt everything except /boot and /boot/efi

All user data will be encrypted, but the entire contents of /boot (not just /boot/efi) will not. The partition scheme you describe is different, but the key thing is that - for this to work - /boot should not reside on an encrypted partition.

I used the following partition scheme:

My encrypted LVM on RAID1 partition scheme

I was able to accomplish it all in the installer:

sda1: 512M /boot/efi

sdb1: 512M /boot

sda2 & sdb2: RAID1 array md0

md0: Encrypted volume dm_crypt-0

dm_crypt-0: logical volume vg0-lv--0 for /

dm_crypt-0: logical volume vg0-lv--1 for /srv

Of course you can choose whatever logical volumes you like inside the volume group: I have a separate /srv for a server setup.

One small advantage of this setup is it makes use of both the 512M unencrypted spaces - unlike the typical scheme of encrypted LVM on RAID1 - with just the efi partition unencrypted. It's not ideal, but I tested it and it worked for me.*

Option 2: There may be a way to circumvent the installer not supporting encrypted /boot by dropping out to a shell, editing some configuration files and reinstalling GRUB, among other things. This blog post seems to have some instructions but I haven't followed them.

*(Although I must say I found the installer's partitioning menu a little awkward in places - it seems to automatically grab certain unformatted space assuming it can use it as the EFI partition; but with a little 'gaming' of the options I got there in the end)
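
The condition this answer turns on (whether /boot ends up on an encrypted layer) can be checked from the device stack. The script below is an added example, not part of the original answer; it assumes util-linux `findmnt` and `lsblk`, and the two sample device listings are constructed from the layouts described on this page.

```sh
#!/bin/sh
# Added example (not from the original answer): does /boot sit on dm-crypt?

# Constructed sample: `lsblk -s -n -l -o NAME,TYPE` for the question's layout,
# where / (and therefore /boot) is an LV on an encrypted RAID1 array.
SAMPLE_ENCRYPTED_BOOT='vg0-lv--0 lvm
dm_crypt-0 crypt
md0 raid1
sda2 part
sda disk
sdb2 part
sdb disk'

# Constructed sample: the answer's Option 1, /boot directly on sdb1.
SAMPLE_PLAIN_BOOT='sdb1 part
sdb disk'

# Reads NAME,TYPE rows on stdin; exit 0 if any layer under the device is "crypt".
chain_has_crypt() {
    awk '$2 == "crypt" { found = 1 } END { exit !found }'
}

# Device backing /boot. --target resolves to the filesystem that contains
# /boot, so with no separate /boot mount this is the device mounted on /.
boot_source() {
    findmnt -n -o SOURCE --target /boot
}

# Returns 0 = /boot unencrypted, 1 = /boot under dm-crypt, 2 = lookup failed.
check_boot() {
    src=$(boot_source) || return 2
    # -s walks from the device down to the physical disks beneath it.
    if lsblk -s -n -l -o NAME,TYPE "$src" | chain_has_crypt; then
        echo "/boot is on $src, which sits on an encrypted layer"
        return 1
    fi
    echo "/boot is on $src, no encrypted layer beneath it"
}

# Run against the live system only when asked: sh check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_boot
fi
```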