Ubuntu – What name to use in activation of encrypted root partition

bootboot-repairencryptionkubuntuluks

I am trying to run the Boot Repair tool on a Kubuntu 16.04 system with an encrypted (LUKS) root partition. This post tells me to "activate the encrypted drive using the correct name". That name should be given by /etc/crypttab in the live system.

My /etc/crypttab in the live system has no entries. The live system is also Kubuntu 16.04.

How can I identify/find the name I need?

Best Answer

How to identify the name originally assigned to LUKS partition?

Identify your root partition in the broken system when booted to Live USB

We will assume the encrypted partition is /dev/sdXY where X is a letter and Y is a number.

Decrypt the root partition so we can look inside

Open a terminal by pressing Ctrl+Alt+T and enter:

sudo cryptsetup luksOpen /dev/sdXY temp_name

First, you will be asked for your sudo password. Type the password and press Enter. Next it will say:

Enter passphrase for /dev/sdXY:

Type the passphrase and press Enter. Neither the password nor the passphrase will show and the cursor will not move. This is normal. This will create /dev/mapper/temp_name

Mount the decrypted partition and see whats inside

sudo mkdir /mnt/temp_dir
sudo mount /dev/mapper/temp_name /mnt/temp_dir
sudo cat /mnt/temp_dir/etc/crypttab

The last line should show you the contents of the crypttab file which should look like:

correct_name UUID=78base79-8463-4046-a2b1-3a36b14cf42d none luks,timeout=30

Write down the correct_name to continue with the tutorial.

Undo all the steps

Type the following commands to return everything as they were before:

sudo umount /mnt/temp_dir            # Un-mounts /dev/mapper/temp_name
sudo rmdir /mnt/temp_dir             # Deletes the temp_dir
sudo cryptsetup luksClose temp_name  # Un-maps the LUKS partition from tem_name

Hope this helps

Mount your crypt

This assumes your crypt is called crypt, the physical partition is /dev/sda1 , and the root partition partition in /dev/mapper is called root, adjust accordingly to your setup.

Boot the live (Desktop) CD and install lvm2 and cryptsetup.

sudo apt-get update && sudo apt-get install lvm2 cryptsetup

Load the cryptsetup module.
```
sudo modprobe dm-crypt
```

Decrypt your file system.

sudo cryptsetup luksOpen /dev/sda1 crypt

Get the live CD to recognize (activate) your LVM.
```
sudo vgscan --mknodes
sudo vgchange -ay
```

You can now access / mount the crypt

sudo mkdir /media/crypt_root
sudo mount /dev/mapper/root /media/crypt_root

Installing into the encrypted partition

I have not done this manually from an Ubuntu live CD and honestly I am not sure it will work, sort of depends on how much you already know, and how much I forget. This is going to be a long post, so I may not cover each and every detail ;).

You can try running the graphical installer and try to use /dev/mapper/root as your root ( / ) partition. You will need to unmount it first.

If that fails , you can install the long way with chroot

Installing into a chroot is fairly easy, you need to make any other partitions you are using , including /boot (you already have), swap, and if you so desire /home

You then install a base system with debootstrap, use /media/crypt_root as the chroot.

Typing all the commands for a chroot is going to be too long for an already long post, but DebootstrapChroot will walk you through how to do this step - by - step

After installing the base with debootstrap, we will chroot in and install / configure the rest.

Note: After following the above link, you should have configured the chroot , /media/crypt_root , including resolv.conf, and you should have proc, sys, and dev mounted in the chroot. All that is covered, but just making sure ;)

sudo -i

#mount your boot partition in the chroot
mount /dev/sda2 /media/chroot_root/boot

#mount home also if you have a separate home
#If you do not have a separate home, skip this
mount /dev/your_home_partition

chroot /media/crypt_root

RUN THESE COMMANDS IN THE CHROOT

apt-get install ubuntu-desktop lvm2 cryptsetup linux-generic grub2

# Add and configure your user
useradd your_user 
passwd your_user
usermod usermod -a -G admin,users

Configure the chroot. You will need to edit /etc/fstab , /etc/crypttab

In /etc/crypttab define your crypt

crypt  /dev/sda1  none  luks

In /etc/fstab make sure you define your partitions, swap, etc

/dev/mapper/crypt_root  /  ext4  defaults,errors=remount-ro  0  1

MAKE SURE YOUR FSTAB IS COMPLETE , including swap, proc, home (if you use a separate home, tmpfs, etc. Use the live desktop cd as a template if needed.

Exit the chroot

exit

EXIT Chroot

You now need to install grub, run this command from the live CD

sudo grub-install --root-directory=/media/crypt_root /dev/sda

That is about it, I do not think I forgot anything major. I can not fill in all the details of all your partitions as I do not know your layout and do not know how much or how little you know about /etc/fstab.

If you need further assistance or I forgot something post back or perhaps someone will chime in.

If all the seems overwhelming , well that is why people use the alternate CD, it automates the process.

Additional references:

http://en.gentoo-wiki.com/wiki/DM-Crypt_with_LUKS

https://wiki.archlinux.org/index.php/System_Encryption_with_LUKS

Those links will have gentoo and arch specific information, which you can ignore as you are on Ubuntu. But they contain more detailed descriptions on how to set up LVM and your crypt, including examples of crypttab and fstab.

Hope that helps.

Ubuntu – LVM & LUKS manual partitioned but issues with loader/init/grub

I found a way to setup LUKS and LVM while manually partitioning! I tested this on Ubuntu 16.04.2

Boot Ubuntu from a Live OS and select the option to try Ubuntu without installing. Follow the steps I've outlined below.

Partition the drive with your tool of choice: I used fdisk to set mine up on an msdos partition table as follows :
- sda1: /boot (1G)
- sda2: LUKS partition (the rest of the disk)
Setup LUKS
- sudo cryptsetup luksFormat --hash=sha512 --key-size=512 --cipher=aes-xts-plain64 --verify-passphrase /dev/sda2
- sudo cryptsetup luksOpen /dev/sda2 CryptDisk
- While not necessary, it is a good idea to fill your LUKS partition with zeros so that the partition, in an encrypted state, is filled with random data. sudo dd if=/dev/zero of=/dev/mapper/CryptDisk bs=4M BEWARE, this could take a really long time!
Setup LVM on /dev/mapper/CryptDisk
- sudo pvcreate /dev/mapper/CryptDisk
- sudo vgcreate vg0 /dev/mapper/CryptDisk
- sudo lvcreate -n swap -L 2G vg0
- sudo lvcreate -n root -L 10G vg0
- sudo lvcreate -n home -l +100%FREE vg0
Now you're ready to install. When you get to the "Installation type" portion of the install, choose the "Something else" option. Then manually assign the /dev/mapper/vg0-* partitions as you would like to have the configured. Don't forget to set /dev/sda1 as /boot. the /boot partition must not be encrypted. If it is, we won't be able to boot. Change the "Device for boot loader installation" to /dev/sda, and continue with installation.
When installation is complete, don't reboot! Choose the option to "Continue Testing".
In a terminal, type the following and look for the UUID of /dev/sda2. Take note of that UUID for later.
- sudo blkid
- The important line on my machine reads /dev/sda2: UUID="bd3b598d-88fc-476e-92bb-e4363c98f81d" TYPE="crypto_LUKS" PARTUUID="50d86889-02"
Next lets get the newly installed system mounted again so we can make some more changes.
- sudo mount /dev/vg0/root /mnt
- sudo mount /dev/vg0/home /mnt/home # this is probably not necessary
- sudo mount /dev/sda1 /mnt/boot
- If you have an EFI partition, mount it at /mnt/boot/efi
- sudo mount --bind /dev /mnt/dev # I'm not entirely sure this is necessary
- sudo mount --bind /run/lvm /mnt/run/lvm
Now run sudo chroot /mnt to access the installed system
From the chroot, mount a couple more things
- mount -t proc proc /proc
- mount -t sysfs sys /sys
- mount -t devpts devpts /dev/pts
Setup crypttab. Using your favorite text editor, create the file /etc/crypttab and add the following line, changing out the UUID with the UUID of your disk.
- CryptDisk UUID=bd3b598d-88fc-476e-92bb-e4363c98f81d none luks,discard
Lastly, rebuild some boot files.
- update-initramfs -k all -c
- update-grub
Reboot, and the system should ask for a password to decrypt on boot!

Special thanks go to Martin Eve, EGIDIO DOCILE, and the folks at blog.botux.fr for tutorials they posted. By pulling pieces from their posts and doing a little extra trouble shooting, I was finally able to figure this out.

I tried this a number of times and failed over and over. The bit that I had to work out for myself based on error messages was sudo mount --bind /run/lvm /mnt/run/lvm