HOWTO: install/reinstall encrypted LUKS/LVM system with separate home partition
Introduction
This HOWTO describes how to encrypt your entire hard disk (except for the /boot partition) with separate partitions for swap, root, and /home. Also described is a procedure for reinstalling the operating system without overwriting the separate /home partition.
Whole-disk encryption is especially useful for protecting personal data on a laptop, since a laptop can be easily stolen. Once stolen, all the data on an unencrypted hard disk is easily recoverable by the thief. The method shown here creates a LUKS-encrypted hard disk partition and uses LVM to create logical partitions within the encrypted physical partition for swap, root, and /home. The encrypted partition is unlocked at boot time by GRUB running from a separate, unencrypted /boot partition.
For data security, it is important that the entire hard disk be encrypted (except for /boot), including the swap and root partitions. This avoids problems associated with unencrypted confidential data leaking into swap or, for example, /tmp. Having an LVM-managed swap partition inside the LUKS-encrypted partition is easier to setup and maintain than having separately-encrypted swap and root partitions.
Rather than upgrading the operating system when a new version is released, many people like to reinstall the entire operating system from scratch. When reinstalling the operating system, there are two common choices:
1. Reinstall the complete workstation
    - Backup the user data in /home
    - Backup various system configuration settings
    - Reinstall the entire workstation from scratch
    - Restore the user data to /home
    - Restore the system configuration settings
2. Reinstall the operating system only
    - Backup the user data in /home
    - Backup various system configuration settings
    - Reinstall the root partition only, not the /home partition
    - Restore the system configuration settings
Choice #1 (reinstalling the complete workstation) is simpler in concept, but may be slower than choice #2 if there is a lot of user data in /home, and it places 100% reliance on the system used to backup /home. Choice #2 (reinstalling only the root partition) may be faster than choice #1 if there is a lot of user data in /home, and it places slightly less stress on the system used to backup /home, since it is not used during the reinstallation.
This HOWTO is a guide for those people who want to reinstall the operating system only, without restoring /home from backup (choice #2 above). This requires creating a separate partition for /home, so that it is independent from the operating system contained in the root partition.
The current Ubuntu installers do not directly support reinstalling the operating system into a pre-existing encrypted partition. This HOWTO shows you how to reinstall the operating system into a separate, LVM-managed root partition, while keeping the LVM-managed /home partition intact.
This HOWTO is based on MaddMatt's post at HOWTO: re-install / upgrade over existing dm-crypt / LUKS system, which gives a similar process, but without some of the specific details. I created this detailed list while testing MaddMatt's instructions in preparation for upgrading my laptop from Ubuntu 8.10 to 9.04. The instructions have been tested on Ubuntu 8.10, 9.04, 9.10, 10.04 and are substantially the same.
NOTE: Whenever you perform a major alteration to your installation, such as reinstalling the operating system, you really MUST be prepared for accidental failure. This means that you MUST back up your data before reinstalling! This HOWTO shows you how to avoid restoring your home directory from backup, but it does not remove the need to back up your irreplaceable data!
Original install of Ubuntu 8.10, 9.04, 9.10, 10.04
- Boot from Alternate Installer CD (not Desktop Installer)
- Language: English
- Main Menu: Install Ubuntu
- Choose language: English
- Choose a country: United States
- Detect keyboard layout: No
- Origin of the keyboard: USA
- Keyboard layout: USA
- [INSTALLATION CONTINUES]
- Hostname: ubuntu
- Time Zone: Eastern (or whatever)
- [10.04] The time zone is detected slightly differently
- Partition disks
- Select: Manual
- Display shows:
    - Guided partitioning
    - ...
    - SCSI1 (0,0,0) (sda) - 80.0 GB ...
    - pri/log 80.0 GB FREE SPACE
    - ...
- Select: pri/log 80.0 GB FREE SPACE
- Select: Create a new partition
- New partition size: 200 MB
- Select: Primary
- Select: Beginning
- Options for partition #1 of SCSI1 (0,0,0) (sda)
- Use as: Ext3 (or Ext4)
- Format the partition: yes, format it
- [10.04] Sometimes, this choice is not available
- Mount point: /boot
- Label: boot
- Select: Done setting up the partition
- Select: pri/log 79.8 GB FREE SPACE
- Select: Create a new partition
- New partition size: 79.8 GB (i.e. all the rest of the space)
- Select: Logical
- Options for partition #5 of SCSI1 (0,0,0) (sda)
- Use as: Physical volume for encryption
- Select: Done setting up the partition
- Select: Configure encrypted volumes
- Write the changes to disk and configure encrypted volumes: Yes
- [9.10, 10.04] Encrypted configuration actions: Finish
- Encryption passphrase: [YOUR PASSPHRASE HERE]
- Re-enter passphrase to verify: [YOUR PASSPHRASE HERE]
- Select: "#1 79.8 GB" under "Encrypted volume (sda5_crypt)"
- Use as: Physical volume for LVM
- Select: Done setting up the partition
- Select: Configure the Logical Volume Manager
- [10.04] Keep current partition layout and configure LVM: Yes
- Select: Create volume group
- Volume group name: vg1
- Devices for the new volume group: use [SPACEBAR] to select /dev/mapper/sda5_crypt
- Select: Create logical volume
- Select: vg1
- Logical volume name: lvswap
- Logical volume size: 2048 MB
- Select: Create logical volume
- Select: vg1
- Logical volume name: lvroot
- Logical volume size: 10240 MB
- Select: Create logical volume
- Select: vg1
- Logical volume name: lvhome
- Logical volume size: 66936 MB (i.e. all the rest)
- Select: Finish
- Select: "#1 66.9 GB" under "LVM VG vg1, LV lvhome"
- Use as: Ext3 (or Ext4)
- Mount point: /home
- Label: home
- Select: Done setting up the partition
- Select: "#1 10.7 GB" under "LVM VG vg1, LV lvroot"
- Use as: Ext3 (or Ext4)
- Mount point: / (root)
- Label: root
- Select: Done setting up the partition
- Select: "#1 2.1 GB" under "LVM VG vg1, LV lvswap"
- Use as: swap area
- Select: Done setting up the partition
- Select: Finish partitioning and write changes to disk
- Write the changes to disks: Yes
- This will create:
    - /dev/sda1: /boot
    - /dev/sda2: extended partition
    - /dev/sda5: encrypted logical partition
    - /dev/mapper/vg1-lvswap: swap
    - /dev/mapper/vg1-lvroot: / (root)
    - /dev/mapper/vg1-lvhome: /home
- [INSTALLATION CONTINUES]
- Full name for the new user: [YOUR NAME HERE]
- Username for your account: [YOUR USERNAME HERE]
- Choose a password for the new user: [YOUR PASSWORD HERE]
- Re-enter password to verify: [YOUR PASSWORD HERE]
- Set up an encrypted private directory: No
- [INSTALLATION CONTINUES]
- HTTP proxy information: [LEAVE BLANK]
- [INSTALLATION CONTINUES]
- [10.04] Install the GRUB boot loader to the master boot record: Yes
- Is the system clock set to UTC: Yes
- Installation is complete: Continue
- [REBOOT]
- Enter passphrase to unlock ... (sda5_crypt): [YOUR PASSPHRASE HERE]
- [10.04] Unlocking the disk /dev/disk/by-uuid/... (sda5_crypt)
- [10.04] Enter passphrase: [YOUR PASSPHRASE HERE]
- Enjoy your Ubuntu installation!
Reinstall Ubuntu 9.04, 9.10, 10.04 over existing encrypted LUKS/LVM partitions
Following your encrypted LUKS/LVM installation (above), you decide to reinstall the operating system, perhaps to upgrade to a different version. In order to avoid restoring your /home directory from backup, you can use the following procedure. This procedure will overwrite the root and /boot partitions, but will not overwrite /home. Of course, you still MUST make a backup (or two!) of /home before proceeding, just in case.
Before proceeding with the reinstallation, you need to know which physical partition is your encrypted partition. In the sample installation above, it is sda5. This information is available to you in the prompt, during the boot process, when you are asked to enter the passphrase. For example, if sda5_crypt is being unlocked by GRUB during the boot process, sda5 is the encrypted partition.
Ultimately, you will need to know the UUID corresponding to the encrypted partition (sda5 in this case), in order to generate an entry in /etc/crypttab. The easiest way to prepare to generate the /etc/crypttab entry is shown in the steps below, which must be completed before starting the reinstallation. An alternate way to generate the entry in /etc/crypttab is shown in step 15 of the Repair section below, but you still need to know the name of your encrypted partition in order to use it.
- First, boot your current installation, in order to save a copy of /etc/crypttab, which will be restored after the reinstall. Since /etc/crypttab is kept in the root partition, and the root partition is overwritten during the reinstall, this step needs to be completed before reinstalling. The contents of crypttab look like:
Code:
# <target name> <source device> <key file> <options>
sda5_crypt /dev/disk/by-uuid/[HEX UUID] none luks
Run the following command line from a Terminal window (Applications -> Accessories -> Terminal):
Code:
$ sudo cp /etc/crypttab /home/crypttab_copy
This file (/home/crypttab_copy) can be deleted once the reinstallation is complete.
- Now, start the reinstallation. Boot from the Alternate Installer CD (not the desktop Installer) for the new version you want to install (e.g. 10.04)
- Language: English
- Main Menu: Rescue a broken system
- Choose language: English
- Choose a country: United States
- Detect keyboard layout: No
- Origin of the keyboard: USA
- Keyboard layout: USA
- Hostname: ubuntu
- Time Zone: Eastern (or whatever)
- [10.04] The time zone is detected slightly differently
- Passphrase for /dev/sda5: [YOUR PASSPHRASE HERE]
- Device to use as root file system: /dev/vg1/lvroot
- Rescue operations: [Go Back]
- Device to use as root file system: [Go Back]
- Select: Partition disks
- Select: Manual
- Select: "#1 primary 197.4 MB B ext3" under "SCSI1 (0,0,0) (sda)"
- Use as: Ext4
- Mount point: /boot
- Label: boot
- Select: Done setting up the partition
- Select: "#1 10.7 GB ext3" under "LVM VG vg1, LV lvroot"
- Use as: Ext4
- [10.04] Format the partition, if necessary
- Mount point: / (root)
- Label: root
- Select: Done setting up the partition
- Select: "#1 66.9 GB ext3" under "LVM VG vg1, LV lvhome"
- Note the current filesystem type: Ext3 or Ext4
- Use as: (Select the same current value: Ext3 or Ext4)
- Format the partition: no, keep existing data !! Do not format your existing /home partition !!
- Mount point: /home
- Select: Done setting up the partition
- Finish partitioning and write changes to disk
- Write the changes to disks: Yes
- [INSTALLATION CONTINUES]
- Full name for the new user: [YOUR NAME HERE]
- Username for your account: [YOUR USERNAME HERE]
- Choose a password for the new user: [YOUR PASSWORD HERE]
- Re-enter password to verify: [YOUR PASSWORD HERE]
- [INSTALLATION CONTINUES]
- HTTP proxy information: [LEAVE BLANK]
- [INSTALLATION CONTINUES]
- Choose software to install: use [SPACEBAR] to select Ubuntu desktop
- [INSTALLATION CONTINUES]
- Install GRUB: Yes
- Is the system clock set to UTC: Yes
- [INSTALLATION COMPLETE]
- Alternate Installer CD is ejected, but do not remove it
- Select: Continue with reboot
Repair the boot image after reinstallation to unlock LUKS encrypted partition
Now it is time to repair the /boot/initrd image to automatically unlock the encrypted partition during the GRUB boot process. In step 15 below, you will need to modify /etc/crypttab with the data kept in /home/crypttab_copy, which was created above before starting the reinstallation. If you did not make a copy of /etc/crypttab, you can regenerate it by following the alternate procedure given in step 15.
- Boot from the Alternate Installer CD again (not desktop Installer)
- Language: English
- Main Menu: Rescue a broken system
- Choose language: English
- Choose a country: United States
- Detect keyboard layout: No
- Origin of the keyboard: USA
- Keyboard layout: USA
- Hostname: ubuntu
- Time Zone: Eastern (or whatever)
- [10.04] The time zone is detected slightly differently
- Passphrase for /dev/sda5: [YOUR PASSPHRASE HERE]
- Device to use as root file system: /dev/vg1/lvroot
- Rescue operations: Execute a shell in /dev/vg1/lvroot
- Select: Continue
- Enter the following commands (running as root):
Code:
# mount
# NOTE: Depending on the version of the installer, the
# output may show that:
# - /boot is mounted from /dev/sda1, and
# - /home is mounted from /dev/mapper/vg1-lvhome
# However, they might NOT be mounted, so ...
# ls -l /boot # shows no files, so not really mounted
# mount /boot # may "fail" if already mounted; that's ok
# mount /home # may "fail" if already mounted; that's ok
# NOTE: if you did not save a copy of crypttab in a
# previous step, follow the instructions given just below
# to recreate the entry in /etc/crypttab
# cat /home/crypttab_copy >>/etc/crypttab # restore from backup
# cat /etc/crypttab # to check the contents of crypttab
# update-initramfs -k all -c -v
# watch the output to make sure update-initramfs succeeded
# exit # exit busybox back to the Rescue menu
If you did not save a copy of /etc/crypttab before reinstallation, you can still recreate it, if you know the name of the encrypted partition (e.g. sda5).
Code:
# ls -l /dev/disk/by-uuid | grep sda5
lrwxrwxrwx 1 root root 10 May 19 09:10 [HEX UUID] -> ../../sda5
# This hex UUID is what is needed to recreate /etc/crypttab
# crypttab_entry="sda5_crypt /dev/disk/by-uuid/[HEX UUID] none luks"
# echo "$crypttab_entry" # to check that you've typed it right (quoted, so spacing is kept as typed)
# echo "$crypttab_entry" >>/etc/crypttab
# cat /etc/crypttab # to check the contents of crypttab
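The crypttab regeneration just shown, as an added example that is not part of the original post: a small POSIX shell script that derives the crypttab line from the by-uuid listing the way the steps above do by hand, and appends it only if an identical line is not already there. The partition name and the `_crypt` suffix follow the HOWTO; the sample listing and its UUIDs are constructed for the example, and the `cryptsetup isLuks` check is an added sanity check before anything is written.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild the /etc/crypttab entry
# for an encrypted partition from the "ls -l /dev/disk/by-uuid" listing, as the
# rescue-shell steps do by hand, and append it only when it is not there yet.

# Constructed sample of what "ls -l /dev/disk/by-uuid" prints; the UUIDs are
# made up for this example.
SAMPLE_LISTING='total 0
lrwxrwxrwx 1 root root 10 May 19 09:10 0a1b2c3d-4e5f-6071-8293-a4b5c6d7e8f9 -> ../../sda5
lrwxrwxrwx 1 root root 10 May 19 09:10 11111111-2222-3333-4444-555555555555 -> ../../sda1'

# crypttab_entry_from_listing PARTITION LISTING
# Prints "<partition>_crypt /dev/disk/by-uuid/<uuid> none luks", the line the
# HOWTO writes by hand; returns 1 with no output if PARTITION has no symlink.
crypttab_entry_from_listing() {
    part=$1
    listing=$2
    # The symlink target is the last field; the UUID is two fields before it
    # (the "->" arrow sits between them).
    uuid=$(printf '%s\n' "$listing" |
        awk -v target="../../$part" '$NF == target { print $(NF - 2); exit }')
    [ -n "$uuid" ] || return 1
    printf '%s_crypt /dev/disk/by-uuid/%s none luks\n' "$part" "$uuid"
}

# add_crypttab_entry PARTITION [CRYPTTAB]
# Live-system wrapper for the rescue shell (run as root): checks that the
# device really carries a LUKS header, derives the entry from the live listing
# and appends it only if an identical line is not already present, so running
# the rescue step twice does not leave duplicate entries.
add_crypttab_entry() {
    part=$1
    crypttab=${2:-/etc/crypttab}
    if ! cryptsetup isLuks "/dev/$part"; then
        echo "/dev/$part has no LUKS header; not touching $crypttab" >&2
        return 1
    fi
    entry=$(crypttab_entry_from_listing "$part" "$(ls -l /dev/disk/by-uuid)") || {
        echo "no /dev/disk/by-uuid symlink points at $part" >&2
        return 1
    }
    if grep -qxF "$entry" "$crypttab" 2>/dev/null; then
        echo "already present: $entry"
    else
        printf '%s\n' "$entry" >> "$crypttab"
        echo "appended: $entry"
    fi
}

# Usage in the rescue shell, with the partition name from the boot prompt:
#   add_crypttab_entry sda5 && cat /etc/crypttab && update-initramfs -k all -c -v
```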
- Select: Reboot the system
- Quickly remove the Alternate Installer CD, since it won't be released before rebooting
- After rebooting, you can delete /home/crypttab_copy
How to manually unlock and mount an encrypted LUKS/LVM partition
This procedure might come in handy if you have to rescue your data from an encrypted backup or from your workstation, if it won't boot properly.
- Boot from an Ubuntu Live CD (Desktop Installer) with a working connection to the internet
- Open a Terminal window (Applications -> Accessories -> Terminal). Use the Terminal window to type the following commands
Code:
$ sudo apt-get install cryptsetup lvm2
# - This requires a live internet connection
# - Answer yes to continue if prompted
$ sudo cryptsetup luksOpen /dev/sda5 MYTAG
# - This command opens the encrypted partition
# - Enter your passphrase when prompted
$ sudo vgchange -ay
# - Makes all volume groups active
# - If you don't want to make them all active, you can run vgscan to get the
# name of your volume group, followed by vgchange for a specific volume group.
# $ sudo vgscan
# $ sudo vgchange -ay [VOLUME GROUP NAME]
$ sudo lvscan
# - Note the name of the logical volume containing the partition you want to mount
$ sudo mount /dev/[VOLUME GROUP NAME]/[LOGICAL VOLUME NAME] /mnt
- Now you can explore the mounted partition under /mnt. When you are done, you can unmount it by typing the following commands in a Terminal window
Code:
$ sudo umount /mnt
$ sudo vgchange -an
# - Makes all volume groups inactive
# - Or use a specific volume group name if you want:
# $ sudo vgchange -an [VOLUME GROUP NAME]
$ sudo cryptsetup luksClose MYTAG
# - This command closes the encrypted partition
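The manual unlock/mount/unmount procedure above, as an added example that is not part of the original post: the same commands wrapped in functions that run them in the HOWTO's order, reverse the steps already taken when a later one fails, pick the logical volume path out of `lvscan` output instead of reading it by eye, and mount read-only so that rescuing data cannot alter the volume. It assumes cryptsetup and lvm2 are installed and that the functions run as root; the `lvscan` sample is constructed from the volume names used in this HOWTO.

```shell
#!/bin/sh
# Added example (not from the original post): the live-CD rescue procedure
# as functions that unlock, activate and mount in the HOWTO's order, undo
# the earlier steps if a later one fails, and mount read-only so that
# rescuing data cannot modify the volume. Assumes cryptsetup and lvm2 are
# installed and that the functions run as root.

# Constructed sample of "lvscan" output for the volume group in the HOWTO.
SAMPLE_LVSCAN="  ACTIVE            '/dev/vg1/lvswap' [2.00 GiB] inherit
  ACTIVE            '/dev/vg1/lvroot' [10.00 GiB] inherit
  ACTIVE            '/dev/vg1/lvhome' [66.93 GiB] inherit"

# lv_device_from_lvscan LVNAME LVSCAN_OUTPUT
# Prints the /dev/<vg>/<lv> path whose last component is LVNAME (empty output
# if there is none). The path is the quoted field in each lvscan line.
lv_device_from_lvscan() {
    want=$1
    scan=$2
    printf '%s\n' "$scan" | awk -F"'" -v want="$want" '
        { n = split($2, p, "/"); if (n > 0 && p[n] == want) { print $2; exit } }'
}

# rescue_mount DEVICE LVNAME MAPNAME [MOUNTPOINT]
# luksOpen -> vgchange -ay -> mount (read-only). On failure at any step the
# steps already taken are reversed, so nothing is left half open.
rescue_mount() {
    dev=$1; lv=$2; tag=$3; mnt=${4:-/mnt}
    cryptsetup luksOpen "$dev" "$tag" || return 1   # prompts for the passphrase
    if ! vgchange -ay; then
        cryptsetup luksClose "$tag"; return 1
    fi
    lvdev=$(lv_device_from_lvscan "$lv" "$(lvscan)")
    if [ -z "$lvdev" ] || ! mount -o ro "$lvdev" "$mnt"; then
        echo "could not mount logical volume '$lv' from $dev" >&2
        vgchange -an; cryptsetup luksClose "$tag"; return 1
    fi
    echo "$lvdev mounted read-only on $mnt; run rescue_umount $tag $mnt when done"
}

# rescue_umount MAPNAME [MOUNTPOINT]
# Tear down in reverse order: unmount, deactivate the volume groups, close
# the mapping. Stops at the first failure so the state is not misreported.
rescue_umount() {
    tag=$1; mnt=${2:-/mnt}
    umount "$mnt" && vgchange -an && cryptsetup luksClose "$tag"
}

# Usage, matching the HOWTO's example names:
#   rescue_mount /dev/sda5 lvhome MYTAG /mnt
#   rescue_umount MYTAG /mnt
```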
Re: HOWTO: install and reinstall on an encrypted LUKS/LVM system
Very well organized lists. :) Approved, and thank you for contributing to Tutorials & Tips.
Re: HOWTO: install and reinstall on an encrypted LUKS/LVM system
http://sunoano.name/ws/public_xhtml/dm-crypt_luks.html is also quite good; there is also a link to a page that shows how to set up ecryptfs.
Re: HOWTO: install and reinstall on an encrypted LUKS/LVM system
I am trying to follow the second set of instructions, "Install Ubuntu 9.04 (Jaunty Jackalope) over existing encrypted LUKS/LVM partitions", to install over partitions created by Fedora. I can't get past step 12, however; it keeps prompting me for the passphrase over and over.
I know that these partitions were set up with cryptsetup cipher aes-cbc-essiv:sha256. I also notice that if I drop into the installer shell and issue cat /proc/crypto, it only reports stdrng and md5. By comparison, my Fedora 11 box reports: sha256, sha224, cbc(aes), ecb(arc4), arc4, xts(aes), aes, stdrng, crc32c, sha1, md5.
Could this be the problem? The kernel included with 9.04 alternate cd does not include the crypto modules I need?
Re: HOWTO: install and reinstall on an encrypted LUKS/LVM system
My procedure was tested as written on an encrypted partition from Hardy. I don't know how that may be different from what Fedora has. As you suggest, it's probably different crypto/cipher settings. Maybe dmesg from the command line would tell you (or you could look at the logs in /var/log). Here's my Jaunty /proc/crypto:
$ cat /proc/crypto
name : ecb(arc4)
driver : ecb(arc4-generic)
module : ecb
priority : 0
refcnt : 3
selftest : passed
type : blkcipher
blocksize : 1
min keysize : 1
max keysize : 256
ivsize : 0
geniv : <default>
name : arc4
driver : arc4-generic
module : arc4
priority : 0
refcnt : 3
selftest : passed
type : cipher
blocksize : 1
min keysize : 1
max keysize : 256
name : sha256
driver : sha256-generic
module : sha256_generic
priority : 0
refcnt : 1
selftest : passed
type : digest
blocksize : 64
digestsize : 32
name : sha224
driver : sha224-generic
module : sha256_generic
priority : 0
refcnt : 1
selftest : passed
type : digest
blocksize : 64
digestsize : 28
name : cbc(aes)
driver : cbc(aes-asm)
module : kernel
priority : 200
refcnt : 2
selftest : passed
type : givcipher
async : yes
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 16
geniv : chainiv
name : cbc(aes)
driver : cbc(aes-asm)
module : cbc
priority : 200
refcnt : 2
selftest : passed
type : blkcipher
blocksize : 16
min keysize : 16
max keysize : 32
ivsize : 16
geniv : <default>
name : aes
driver : aes-asm
module : aes_i586
priority : 200
refcnt : 3
selftest : passed
type : cipher
blocksize : 16
min keysize : 16
max keysize : 32
name : aes
driver : aes-generic
module : aes_generic
priority : 100
refcnt : 1
selftest : passed
type : cipher
blocksize : 16
min keysize : 16
max keysize : 32
name : stdrng
driver : krng
module : kernel
priority : 200
refcnt : 2
selftest : passed
type : rng
seedsize : 0
name : md5
driver : md5-generic
module : kernel
priority : 0
refcnt : 1
selftest : passed
type : digest
blocksize : 64
digestsize : 16
Re: HOWTO: install and reinstall on an encrypted LUKS/LVM system
Could someone update this thread for Lucid?
Re: HOWTO: install and reinstall on an encrypted LUKS/LVM system
BE VERY CAREFUL when using this guide with Ubuntu 10.04. If you have a hardware RAID controller attached to your system that doesn't allow booting off arrays, this is important for you.
The Ubuntu installer may assign the RAID controller device as /dev/sda. If that happens you will need to pay careful attention to the last step when running the manual installer.
Once you come to the final steps of John's guide, in Ubuntu 10.04 a grub2 prompt will appear. You are forced to choose yes/no to "install grub on master boot record". Choose NO.
The issue here is that choosing yes causes the Ubuntu installer to automatically write Grub2 to the MBR on the first recognized device, which in this case was the RAID controller array (/dev/sda). If your RAID controller does not allow for booting from an array, you're now caught in a situation where the grub2 entry in the MBR is located on /dev/sda (the RAID controller, which can't be used as a boot device). This results in the bootloader being inaccessible and a black screen on every reboot.
The solution here is...
1. write down the device (/dev/sdb etc) you will install Ubuntu on.
2. when you get to the final step where the installer asks if you want to install to the MBR, choose NO. This will put you at a screen "configuring grub-pc".
3. Here you will enter the device you installed Ubuntu on. In this case it was "/dev/sdb".
4. continue install, Ubuntu will finish, then reboot.
Re: HOWTO: install and reinstall on an encrypted LUKS/LVM system
The procedure remains essentially the same with Lucid 10.04 as with previous versions. I will update this post soon to include the minor changes.
I will also add a note to be careful if you're using a RAID configuration (which I haven't tested).
Re: HOWTO: install and reinstall on an encrypted LUKS/LVM system
Could someone direct me to info on how to change the boot password for whole disk encryption on Lucid Lynx? This is the encryption installed from the text based installer.
Best Regards
Steve.
Re: HOWTO: install and reinstall on an encrypted LUKS/LVM system
Quote (Originally Posted by holocene):
Could someone direct me to info on how to change the boot password for whole disk encryption on Lucid Lynx? This is the encryption installed from the text based installer.
Steve, I believe this is what you're talking about (from my notes):
To change encryption passphrase:
# note: the device name is whatever shows up as /dev/mapper/sda2_crypt
# add a key
sudo cryptsetup -y luksAddKey /dev/sda2
# remove a key
sudo cryptsetup luksRemoveKey /dev/sda2