On the new Ubuntu Server 20.04 I was unable to create an encrypted partition with "RAID + LVM". The installation process finished correctly, but at startup GRUB wasn't found, and I was redirected to the "GRUB minimal bash".
Here I will describe how I proceeded during the installation.
First, I prepared both hard drives (SSDs in my case) using "GParted Live" (I created a bootable USB with the GParted ISO):
- 512 MB partition, named "/bios/efi", fat32, flagged as "boot, esp";
- 10 GB / partition, named "/", ext4, flagged as "raid";
- /home partition, named "/home", ext4, flagged as "raid";
Then, using the "Custom storage layout" during the Ubuntu Server 20.04 installation:
- I checked both disks to be "added as a boot disk"
- and then, using "Create software RAID (md)", I created a new "md0" volume (always active)
- and then I created another "RAID md" volume (always active)
- At this point I selected "Create Volume LVM", chose the "md0" partition and assigned a passphrase to it.
- I selected "Create Volume LVM" again, chose the "md1" partition and assigned a passphrase.
- Now I selected the "vg0" partition and chose "Add GPT Partition", and then I selected "Create logical volume" and mounted it on "/"
- Similarly for the "vg1" partition, where I chose "Add GPT Partition", and then I selected "Create logical volume" and mounted it on "/home"
- After that I chose "done" and completed the installation
- After the reboot the OS entered the "GRUB minimal bash"
What is wrong?
Thank you
Best Answer
I experienced a similar problem. After no luck with various permutations in a VM I stumbled across this thread on Reddit, where user wRAR_ says '[Debian installer] currently doesn't support encrypted /boot'. Ubuntu is based on Debian; I don't know to what extent the installers are similar, but I tested both in a VM, with and without encrypted /boot. Both failed to boot, presenting the GRUB shell you describe in your question.
NOTE: Designating an encrypted area as the mount point for /, and not designating a separate /boot mount point, means that /boot will reside under that encrypted /.
Broadly this means, if we want some kind of encrypted LVM on top of RAID, there are two options:
Option 1 - what I chose to do, and is more beginner-friendly since it can be accomplished with the standard Ubuntu installer.
Encrypt everything except /boot and /boot/efi
All user data will be encrypted, but the entire contents of /boot (not just /boot/efi) will not. The partition scheme you describe is different, but the key thing is that - for this to work - /boot should not reside on an encrypted partition.
I used the following partition scheme:
My encrypted LVM on RAID1 partition scheme
I was able to accomplish it all in the installer:
sda1: 512M /boot/efi
sdb1: 512M /boot
sda2 & sdb2: RAID1 array md0
md0: Encrypted volume dm_crypt-0
dm_crypt-0: logical volume vg0-lv--0 for /
dm_crypt-0: logical volume vg0-lv--1 for /srv
Of course you can choose whatever logical volumes you like inside the volume group: I have a separate /srv for a server setup.
One small advantage of this setup is it makes use of both the 512M unencrypted spaces - unlike the typical scheme of encrypted LVM on RAID1 - with just the efi partition unencrypted. It's not ideal, but I tested it and it worked for me.*
Option 2: There may be a way to circumvent the installer not supporting encrypted /boot by dropping out to a shell, editing some configuration files and reinstalling GRUB among other things. This blog post seems to have some instructions but I haven't followed them.
*(Although I must say I found the installer's partitioning menu a little awkward in places - it seems to automatically grab certain unformatted space assuming it can use it as the EFI partition; but with a little 'gaming' of the options I got there in the end)
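A way to check the point made in the NOTE and in Option 1 on an installed system, written as an added example that is not part of the original answer: it walks the block-device tree from the filesystem holding /boot (or / when there is no separate /boot) and reports whether a dm-crypt layer lies underneath. The function names and the sample `lsblk` output are constructed for illustration; the kernel names dm-0, dm-1 and dm-2 are assumptions.

```shell
# Added example: does the filesystem holding /boot sit on a dm-crypt layer?
# On an installed system: lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT | boot_encryption_state
boot_encryption_state() {
    awk '
    function field(key,   s) {            # value of KEY="value" on this line
        s = " " $0
        if (!match(s, " " key "=\"[^\"]*\"")) return ""
        s = substr(s, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
        return s
    }
    {
        k = field("KNAME"); m = field("MOUNTPOINT")
        type[k] = field("TYPE")
        parents[k] = parents[k] " " field("PKNAME")   # a RAID1 md device has two
        if (m == "/boot") boot = k
        if (m == "/") root = k
    }
    END {
        # No separate /boot mount point: /boot lives on the / filesystem.
        todo = (boot != "") ? boot : root
        if (todo == "") { print "unknown"; exit }
        while (todo != "") {              # walk up through every ancestor
            n = split(todo, q, " "); todo = ""
            for (i = 1; i <= n; i++) {
                if (type[q[i]] == "crypt") { print "encrypted"; exit }
                todo = todo " " parents[q[i]]
            }
        }
        print "plain"
    }'
}
# Constructed lsblk output modelled on the Option 1 scheme above.
option1_layout() {
    cat <<'EOF'
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot/efi"
KNAME="sdb1" PKNAME="sdb" TYPE="part" MOUNTPOINT="/boot"
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="md0" PKNAME="sda2" TYPE="raid1" MOUNTPOINT=""
KNAME="sdb2" PKNAME="sdb" TYPE="part" MOUNTPOINT=""
KNAME="md0" PKNAME="sdb2" TYPE="raid1" MOUNTPOINT=""
KNAME="dm-0" PKNAME="md0" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/srv"
EOF
}
# Constructed variant without a separate /boot, so /boot sits under the encrypted /.
no_boot_layout() { option1_layout | grep -v 'MOUNTPOINT="/boot"'; }
for f in option1_layout no_boot_layout; do printf '%s: %s\n' "$f" "$("$f" | boot_encryption_state)"; done
```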