John Wiersba
July 6th, 2009, 04:52 AM
Introduction
This HOWTO describes how to encrypt your entire hard disk (except for the /boot partition) with separate partitions for swap, root, and /home. Also described is a procedure for reinstalling the operating system without overwriting the separate /home partition.
Whole-disk encryption is especially useful for protecting personal data on a laptop, since a laptop can be easily stolen. Once stolen, all the data on an unencrypted hard disk is easily recoverable by the thief. The method shown here creates a LUKS-encrypted hard disk partition and uses LVM to create logical partitions within the encrypted physical partition for swap, root, and /home. The encrypted partition is unlocked at boot time by GRUB running from a separate, unencrypted /boot partition.
For data security, it is important that the entire hard disk be encrypted (except for /boot), including the swap and root partitions. This avoids problems associated with unencrypted confidential data leaking into swap or, for example, /tmp. Having an LVM-managed swap partition inside the LUKS-encrypted partition is easier to set up and maintain than having separately-encrypted swap and root partitions.
Rather than upgrading the operating system when a new version is released, many people like to reinstall the entire operating system from scratch. When reinstalling the operating system, there are two common choices:
Reinstall the complete workstation
- Backup the user data in /home
- Backup various system configuration settings
- Reinstall the entire workstation from scratch
- Restore the user data to /home
- Restore the system configuration settings
Reinstall the operating system only
- Backup the user data in /home
- Backup various system configuration settings
- Reinstall the root partition only, not the /home partition
- Restore the system configuration settings
Choice #1 (reinstalling the complete workstation) is simpler in concept, but may be slower than choice #2 if there is a lot of user data in /home, and it places 100% reliance on the system used to backup /home. Choice #2 (reinstalling only the root partition) may be faster than choice #1 if there is a lot of user data in /home, and it places slightly less stress on the system used to backup /home, since it is not used during the reinstallation.
This HOWTO is a guide for those people who want to reinstall the operating system only, without restoring /home from backup (choice #2 above). This requires creating a separate partition for /home, so that it is independent from the operating system contained in the root partition.
The current Ubuntu installers do not directly support reinstalling the operating system into a pre-existing encrypted partition. This HOWTO shows you how to reinstall the operating system into a separate, LVM-managed root partition, while keeping the LVM-managed /home partition intact.
This HOWTO is based on MaddMatt's post at HOWTO: re-install / upgrade over existing dm-crypt / LUKS system (http://ubuntuforums.org/showthread.php?t=1034910), which gives a similar process, but without some of the specific details. I created this detailed list while testing MaddMatt's instructions in preparation for upgrading my laptop from Ubuntu 8.10 to 9.04. The instructions have been tested on Ubuntu 8.10, 9.04, 9.10, 10.04 and are substantially the same.
NOTE: Whenever you perform a major alteration to your installation, such as reinstalling the operating system, you really MUST be prepared for accidental failure. This means that you MUST back up your data before reinstalling! This HOWTO shows you how to avoid restoring your home directory from backup, but it does not remove the need to back up your irreplaceable data!
Original install of Ubuntu 8.10, 9.04, 9.10, 10.04
Boot from Alternate Installer CD (not Desktop Installer)
Language: English
Main Menu: Install Ubuntu
Choose language: English
Choose a country: United States
Detect keyboard layout: No
Origin of the keyboard: USA
Keyboard layout: USA
[INSTALLATION CONTINUES]
Hostname: ubuntu
Time Zone: Eastern (or whatever)
- [10.04] The time zone is detected slightly differently
Partition disks
Select: Manual
Display shows:
- Guided partitioning
- ...
- SCSI1 (0,0,0) (sda) - 80.0 GB ...
- pri/log 80.0 GB FREE SPACE
- ...
Select: pri/log 80.0 GB FREE SPACE
Select: Create a new partition
New partition size: 200 MB
Select: Primary
Select: Beginning
Options for partition #1 of SCSI1 (0,0,0) (sda)
Use as: Ext3 (or Ext4)
Format the partition: yes, format it
- [10.04] Sometimes, this choice is not available
Mount point: /boot
Label: boot
Select: Done setting up the partition
Select: pri/log 79.8 GB FREE SPACE
Select: Create a new partition
New partition size: 79.8 GB (i.e. all the rest of the space)
Select: Logical
Options for partition #5 of SCSI1 (0,0,0) (sda)
Use as: Physical volume for encryption
Select: Done setting up the partition
Select: Configure encrypted volumes
Write the changes to disk and configure encrypted volumes: Yes
- [9.10, 10.04] Encrypted configuration actions: Finish
Encryption passphrase: [YOUR PASSPHRASE HERE]
Re-enter passphrase to verify: [YOUR PASSPHRASE HERE]
Select: "#1 79.8 GB" under "Encrypted volume (sda5_crypt)"
Use as: Physical volume for LVM
Select: Done setting up the partition
Select: Configure the Logical Volume Manager
[10.04] Keep current partition layout and configure LVM: Yes
Select: Create volume group
Volume group name: vg1
Devices for the new volume group:
- use [SPACEBAR] to select /dev/mapper/sda5_crypt
Select: Create logical volume
Select: vg1
Logical volume name: lvswap
Logical volume size: 2048 MB
Select: Create logical volume
Select: vg1
Logical volume name: lvroot
Logical volume size: 10240 MB
Select: Create logical volume
Select: vg1
Logical volume name: lvhome
Logical volume size: 66936 MB (i.e. all the rest)
Select: Finish
Select: "#1 66.9 GB" under "LVM VG vg1, LV lvhome"
Use as: Ext3 (or Ext4)
Mount point: /home
Label: home
Select: Done setting up the partition
Select: "#1 10.7 GB" under "LVM VG vg1, LV lvroot"
Use as: Ext3 (or Ext4)
Mount point: / (root)
Label: root
Select: Done setting up the partition
Select: "#1 2.1 GB" under "LVM VG vg1, LV lvswap"
Use as: swap area
Select: Done setting up the partition
Select: Finish partitioning and write changes to disk
Write the changes to disks: Yes
This will create
- /dev/sda1: /boot
- /dev/sda2: extended partition
- /dev/sda5: encrypted logical partition
- /dev/mapper/vg1-lvswap: swap
- /dev/mapper/vg1-lvroot: / (root)
- /dev/mapper/vg1-lvhome: /home
[INSTALLATION CONTINUES]
Full name for the new user: [YOUR NAME HERE]
Username for your account: [YOUR USERNAME HERE]
Choose a password for the new user: [YOUR PASSWORD HERE]
Re-enter password to verify: [YOUR PASSWORD HERE]
Set up an encrypted private directory: No
[INSTALLATION CONTINUES]
HTTP proxy information: [LEAVE BLANK]
[INSTALLATION CONTINUES]
[10.04] Install the GRUB boot loader to the master boot record: Yes
Is the system clock set to UTC: Yes
Installation is complete: Continue
[REBOOT]
Enter passphrase to unlock ... (sda5_crypt): [YOUR PASSPHRASE HERE]
- [10.04] Unlocking the disk /dev/disk/by-uuid/... (sda5_crypt)
- [10.04] Enter passphrase: [YOUR PASSPHRASE HERE]
Enjoy your Ubuntu installation!
Reinstall Ubuntu 9.04, 9.10, 10.04 over existing encrypted LUKS/LVM partitions
Following your encrypted LUKS/LVM installation (above), you decide to reinstall the operating system, perhaps to upgrade to a different version. In order to avoid restoring your /home directory from backup, you can use the following procedure. This procedure will overwrite the root and /boot partitions, but will not overwrite /home. Of course, you still MUST make a backup (or two!) of /home before proceeding, just in case.
Before proceeding with the reinstallation, you need to know which physical partition is your encrypted partition. In the sample installation above, it is sda5. This information is available to you in the prompt, during the boot process, when you are asked to enter the passphrase. For example, if sda5_crypt is being unlocked by GRUB during the boot process, sda5 is the encrypted partition.
Ultimately, you will need to know the UUID corresponding to the encrypted partition (sda5 in this case), in order to generate an entry in /etc/crypttab. The easiest way to prepare to generate the /etc/crypttab entry is shown in the steps below, which must be completed before starting the reinstallation. An alternate way to generate the entry in /etc/crypttab is shown at the end of the Repair section below, but you still need to know the name of your encrypted partition in order to use it.
First, boot your current installation, in order to save a copy of /etc/crypttab, which will be restored after the reinstall. Since /etc/crypttab is kept in the root partition, and the root partition is overwritten during the reinstall, this step needs to be completed before reinstalling. The contents of crypttab look like:
# <target name> <source device> <key file> <options>
sda5_crypt /dev/disk/by-uuid/[HEX UUID] none luks
Run the following command line from a Terminal window (Applications -> Accessories -> Terminal):
$ sudo cp /etc/crypttab /home/crypttab_copy
This file (/home/crypttab_copy) can be deleted once the reinstallation is complete.
Now, start the reinstallation. Boot from the Alternate Installer CD (not the Desktop Installer) for the new version you want to install (e.g. 10.04).
Language: English
Main Menu: Rescue a broken system
Choose language: English
Choose a country: United States
Detect keyboard layout: No
Origin of the keyboard: USA
Keyboard layout: USA
Hostname: ubuntu
Time Zone: Eastern (or whatever)
- [10.04] The time zone is detected slightly differently
Passphrase for /dev/sda5: [YOUR PASSPHRASE HERE]
Device to use as root file system: /dev/vg1/lvroot
Rescue operations: [Go Back]
Device to use as root file system: [Go Back]
Select: Partition disks
Select: Manual
Select: "#1 primary 197.4 MB B ext3" under "SCSI1 (0,0,0) (sda)"
Use as: Ext4
Mount point: /boot
Label: boot
Select: Done setting up the partition
Select: "#1 10.7 GB ext3" under "LVM VG vg1, LV lvroot"
Use as: Ext4
[10.04] Format the partition, if necessary
Mount point: / (root)
Label: root
Select: Done setting up the partition
Select: "#1 66.9 GB ext3" under "LVM VG vg1, LV lvhome"
Note the current filesystem type: Ext3 or Ext4
Use as: (Select the same current value: Ext3 or Ext4)
Format the partition: no, keep existing data !!
Do not format your existing /home partition !!
Mount point: /home
Select: Done setting up the partition
Finish partitioning and write changes to disk
Write the changes to disks: Yes
[INSTALLATION CONTINUES]
Full name for the new user: [YOUR NAME HERE]
Username for your account: [YOUR USERNAME HERE]
Choose a password for the new user: [YOUR PASSWORD HERE]
Re-enter password to verify: [YOUR PASSWORD HERE]
[INSTALLATION CONTINUES]
HTTP proxy information: [LEAVE BLANK]
[INSTALLATION CONTINUES]
Choose software to install: use [SPACEBAR] to select Ubuntu desktop
[INSTALLATION CONTINUES]
Install GRUB: Yes
Is the system clock set to UTC: Yes
[INSTALLATION COMPLETE]
Alternate Installer CD is ejected, but do not remove it
Select: Continue with reboot
Repair the boot image after reinstallation to unlock LUKS encrypted partition
Now it is time to repair the /boot/initrd image to automatically unlock the encrypted partition during the GRUB boot process. In the rescue shell below, you will need to modify /etc/crypttab with the data kept in /home/crypttab_copy, which was created above before starting the reinstallation. If you did not make a copy of /etc/crypttab, you can regenerate it by following the alternate procedure at the end of this section.
Boot from the Alternate Installer CD again (not desktop Installer)
Language: English
Main Menu: Rescue a broken system
Choose language: English
Choose a country: United States
Detect keyboard layout: No
Origin of the keyboard: USA
Keyboard layout: USA
Hostname: ubuntu
Time Zone: Eastern (or whatever)
- [10.04] The time zone is detected slightly differently
Passphrase for /dev/sda5: [YOUR PASSPHRASE HERE]
Device to use as root file system: /dev/vg1/lvroot
Rescue operations: Execute a shell in /dev/vg1/lvroot
Select: Continue
Enter the following commands (running as root):
# mount
# NOTE: Depending on the version of the installer, the
# output may show that:
# - /boot is mounted from /dev/sda1, and
# - /home is mounted from /dev/mapper/vg1-lvhome
# However, they might NOT be mounted, so ...
# ls -l /boot # shows no files, so not really mounted
# mount /boot # may "fail" if already mounted; that's ok
# mount /home # may "fail" if already mounted; that's ok
# NOTE: if you did not save a copy of crypttab in a
# previous step, follow the instructions given just below
# to recreate the entry in /etc/crypttab
# cat /home/crypttab_copy >>/etc/crypttab # restore from backup
# cat /etc/crypttab # to check the contents of crypttab
# update-initramfs -k all -c -v
# watch the output to make sure update-initramfs succeeded
# exit # exit busybox back to the Rescue menu
If you did not save a copy of /etc/crypttab before reinstallation, you can still recreate it, if you know the name of the encrypted partition (e.g. sda5).
# ls -l /dev/disk/by-uuid | grep sda5
lrwxrwxrwx 1 root root 10 May 19 09:10 [HEX UUID] -> ../../sda5
# This hex UUID is what is needed to recreate /etc/crypttab
# crypttab_entry="sda5_crypt /dev/disk/by-uuid/[HEX UUID] none luks"
# echo "$crypttab_entry" # to check that you've typed it right
# echo "$crypttab_entry" >>/etc/crypttab
# cat /etc/crypttab # to check the contents of crypttab
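The two ways of getting the /etc/crypttab entry (saving a copy before the reinstall, or rebuilding it from /dev/disk/by-uuid afterwards) both come down to one question: does the UUID in the entry really point at the encrypted partition? The script below is an added example, not part of the original HOWTO; it automates the by-uuid lookup shown just above and adds a consistency check, so that a copy restored from a different disk or a mistyped UUID is caught in the rescue shell rather than at the next boot. It assumes the HOWTO's naming (partition sda5, target sda5_crypt); the BYUUID_DIR variable only exists so the lookup can be exercised against a constructed directory.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: rebuild and verify the
# /etc/crypttab entry for the encrypted partition from /dev/disk/by-uuid.
# Assumes the HOWTO's naming (partition sda5, mapper name sda5_crypt).
# BYUUID_DIR can be pointed at a constructed directory for testing.

# partition_uuid <partition>: print the UUID whose by-uuid symlink
# resolves to the named partition (e.g. "sda5"); fail if none does.
partition_uuid() {
    part="$1"
    dir="${BYUUID_DIR:-/dev/disk/by-uuid}"
    for link in "$dir"/*; do
        [ -L "$link" ] || continue
        target=$(readlink "$link")
        case "$target" in
            # anchored on the final path component, so sda5 never matches sda50
            */"$part") basename "$link"; return 0 ;;
        esac
    done
    return 1
}

# crypttab_entry <partition>: print the line the initramfs needs, in the
# same "<target> <source> <key file> <options>" form as the HOWTO.
crypttab_entry() {
    part="$1"
    uuid=$(partition_uuid "$part") || return 1
    printf '%s_crypt /dev/disk/by-uuid/%s none luks\n' "$part" "$uuid"
}

# verify_crypttab <file> <partition>: succeed only if the crypttab line for
# <partition>_crypt names the UUID that really resolves to that partition.
# A copy restored from another disk, or a typed UUID with one wrong digit,
# fails here instead of leaving an unbootable system.
verify_crypttab() {
    file="$1"
    part="$2"
    expected=$(partition_uuid "$part") || return 2
    actual=$(grep -v '^[[:space:]]*#' "$file" |
             awk -v t="${part}_crypt" '$1 == t { print $2 }')
    [ "$actual" = "/dev/disk/by-uuid/$expected" ]
}

# Stand-alone use:  sh crypttab_check.sh sda5              (print the entry)
#                   sh crypttab_check.sh sda5 /etc/crypttab (verify the file)
if [ $# -ge 2 ]; then
    verify_crypttab "$2" "$1" && echo "crypttab entry for $1 is consistent"
elif [ $# -eq 1 ]; then
    crypttab_entry "$1"
fi
```

Run it from the rescue shell after restoring or appending the entry: `sh crypttab_check.sh sda5 /etc/crypttab` exits 0 only when the entry's UUID resolves to /dev/sda5, which is the condition update-initramfs silently depends on.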
Select: Reboot the system
Quickly remove the Alternate Installer CD, since it won't be released before rebooting
After rebooting, you can delete /home/crypttab_copy
How to manually unlock and mount an encrypted LUKS/LVM partition
This procedure might come in handy if you have to rescue your data from an encrypted backup or from your workstation, if it won't boot properly.
Boot from an Ubuntu Live CD (Desktop Installer) with a working connection to the internet
Open a Terminal window (Applications -> Accessories -> Terminal). Use the Terminal window to type the following commands:
$ sudo apt-get install cryptsetup lvm2
# - This requires a live internet connection
# - Answer yes to continue if prompted
$ sudo cryptsetup luksOpen /dev/sda5 MYTAG
# - This command opens the encrypted partition
# - Enter your passphrase when prompted
$ sudo vgchange -ay
# - Makes all volume groups active
# - If you don't want to make them all active, you can run vgscan to get the
# name of your volume group, followed by vgchange for a specific volume group.
# $ sudo vgscan
# $ sudo vgchange -ay [VOLUME GROUP NAME]
$ sudo lvscan
# - Note the name of the logical volume containing the partition you want to mount
$ sudo mount /dev/[VOLUME GROUP NAME]/[LOGICAL VOLUME NAME] /mnt
Now you can explore the mounted partition under /mnt. When you are done, you can unmount it by typing the following commands in a Terminal window:
$ sudo umount /mnt
$ sudo vgchange -an
# - Makes all volume groups inactive
# - Or use a specific volume group name if you want:
# $ sudo vgchange -an [VOLUME GROUP NAME]
$ sudo cryptsetup luksClose MYTAG
# - This command closes the encrypted partition
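The manual unlock and unmount sequence above works one command at a time, but the order is what matters: luksClose refuses while the volume group still holds the mapping open, and vgchange -an refuses while a logical volume is still mounted. The script below is an added example, not part of the original HOWTO, that wraps the same cryptsetup, vgchange and mount calls so that a failure part-way through (a mistyped logical volume name, say) undoes the steps already taken, and the teardown runs in the correct reverse order. It assumes cryptsetup and lvm2 are installed and that it is run as root (sudo), and uses the HOWTO's names (/dev/sda5, MYTAG, vg1, lvhome). Setting DRY_RUN=1 prints each command instead of executing it, which is also how the example is exercised without any devices.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: the manual unlock/mount
# sequence as one script with failure handling and reverse-order teardown.
# Assumes cryptsetup and lvm2 are installed and that it runs as root
# (sudo sh luksmount.sh ...). Names are the HOWTO's: /dev/sda5, MYTAG,
# vg1 and lvhome. DRY_RUN=1 prints each command instead of executing it.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# unlock_and_mount <partition> <tag> <vg> <lv> <mountpoint>
# Each step that fails undoes the steps before it, so a wrong LV name does
# not leave the volume group active and the LUKS mapping open.
# The volume is mounted read-only: when rescuing data there is no reason
# to let the live system write to it.
unlock_and_mount() {
    part="$1"; tag="$2"; vg="$3"; lv="$4"; mnt="$5"
    run cryptsetup luksOpen "$part" "$tag" || return 1
    if ! run vgchange -ay "$vg"; then
        run cryptsetup luksClose "$tag"
        return 1
    fi
    if ! run mount -o ro "/dev/$vg/$lv" "$mnt"; then
        run vgchange -an "$vg"
        run cryptsetup luksClose "$tag"
        return 1
    fi
}

# teardown <tag> <vg> <mountpoint>
# Reverse order: unmount first, then deactivate the VG, then close LUKS.
# Each step is a precondition of the next, so stop at the first failure.
teardown() {
    tag="$1"; vg="$2"; mnt="$3"
    run umount "$mnt" || return 1
    run vgchange -an "$vg" || return 1
    run cryptsetup luksClose "$tag"
}

# Stand-alone use:  sudo sh luksmount.sh open [lv]   (default lv: lvhome)
#                   sudo sh luksmount.sh close
case "${1:-}" in
    open)  unlock_and_mount /dev/sda5 MYTAG vg1 "${2:-lvhome}" /mnt ;;
    close) teardown MYTAG vg1 /mnt ;;
esac
```

Because every external call goes through run, a dry run shows the exact sequence that would be executed, and the rollback paths can be checked by stubbing cryptsetup or vgchange as shell functions that fail, without touching a real disk.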