
Thread: HOWTO: install and reinstall on an encrypted LUKS/LVM system


  1. #1
    Join Date
    Jan 2007
    Location
    Ann Arbor, MI, USA
    Beans
    55
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Post HOWTO: install/reinstall encrypted LUKS/LVM system with separate home partition

    Introduction

    This HOWTO describes how to encrypt your entire hard disk (except for the /boot partition) with separate partitions for swap, root, and /home. Also described is a procedure for reinstalling the operating system without overwriting the separate /home partition.

    Whole-disk encryption is especially useful for protecting personal data on a laptop, since a laptop can be easily stolen. Once stolen, all the data on an unencrypted hard disk is easily recoverable by the thief. The method shown here creates a LUKS-encrypted hard disk partition and uses LVM to create logical partitions within the encrypted physical partition for swap, root, and /home. The encrypted partition is unlocked at boot time by GRUB running from a separate, unencrypted /boot partition.

    For data security, it is important that the entire hard disk be encrypted (except for /boot), including the swap and root partitions. This avoids problems associated with unencrypted confidential data leaking into swap or, for example, /tmp. Having an LVM-managed swap partition inside the LUKS-encrypted partition is easier to set up and maintain than having separately-encrypted swap and root partitions.

    Rather than upgrading the operating system when a new version is released, many people like to reinstall the entire operating system from scratch. When reinstalling the operating system, there are two common choices:

    1. Reinstall the complete workstation
      - Back up the user data in /home
      - Back up various system configuration settings
      - Reinstall the entire workstation from scratch
      - Restore the user data to /home
      - Restore the system configuration settings

    2. Reinstall the operating system only
      - Back up the user data in /home
      - Back up various system configuration settings
      - Reinstall the root partition only, not the /home partition
      - Restore the system configuration settings

    Choice #1 (reinstalling the complete workstation) is simpler in concept, but may be slower than choice #2 if there is a lot of user data in /home, and it places 100% reliance on the system used to back up /home. Choice #2 (reinstalling only the root partition) may be faster than choice #1 if there is a lot of user data in /home, and it places slightly less stress on the system used to back up /home, since it is not used during the reinstallation.

    This HOWTO is a guide for those people who want to reinstall the operating system only, without restoring /home from backup (choice #2 above). This requires creating a separate partition for /home, so that it is independent from the operating system contained in the root partition.

    The current Ubuntu installers do not directly support reinstalling the operating system into a pre-existing encrypted partition. This HOWTO shows you how to reinstall the operating system into a separate, LVM-managed root partition, while keeping the LVM-managed /home partition intact.

    This HOWTO is based on MaddMatt's post at HOWTO: re-install / upgrade over existing dm-crypt / LUKS system, which gives a similar process, but without some of the specific details. I created this detailed list while testing MaddMatt's instructions in preparation for upgrading my laptop from Ubuntu 8.10 to 9.04. The instructions have been tested on Ubuntu 8.10, 9.04, 9.10, 10.04 and are substantially the same.

    NOTE: Whenever you perform a major alteration to your installation, such as reinstalling the operating system, you really MUST be prepared for accidental failure. This means that you MUST back up your data before reinstalling! This HOWTO shows you how to avoid restoring your home directory from backup, but it does not remove the need to back up your irreplaceable data!

    Original install of Ubuntu 8.10, 9.04, 9.10, 10.04

    1. Boot from Alternate Installer CD (not Desktop Installer)
    2. Language: English
    3. Main Menu: Install Ubuntu
    4. Choose language: English
    5. Choose a country: United States
    6. Detect keyboard layout: No
    7. Origin of the keyboard: USA
    8. Keyboard layout: USA
    9. [INSTALLATION CONTINUES]
    10. Hostname: ubuntu
    11. Time Zone: Eastern (or whatever)
      - [10.04] The time zone is detected slightly differently
    12. Partition disks
      1. Select: Manual
      2. Display shows:
        - Guided partitioning
        - ...
        - SCSI1 (0,0,0) (sda) - 80.0 GB ...
        - pri/log 80.0 GB FREE SPACE
        - ...
      3. Select: pri/log 80.0 GB FREE SPACE
      4. Select: Create a new partition
        1. New partition size: 200 MB
        2. Select: Primary
        3. Select: Beginning
        4. Options for partition #1 of SCSI1 (0,0,0) (sda)
          1. Use as: Ext3 (or Ext4)
          2. Format the partition: yes, format it
            - [10.04] Sometimes, this choice is not available
          3. Mount point: /boot
          4. Label: boot
          5. Select: Done setting up the partition
        5. Select: pri/log 79.8 GB FREE SPACE
          1. Select: Create a new partition
          2. New partition size: 79.8 GB (i.e. all the rest of the space)
          3. Select: Logical
          4. Options for partition #5 of SCSI1 (0,0,0) (sda)
            1. Use as: Physical volume for encryption
            2. Select: Done setting up the partition
        6. Select: Configure encrypted volumes
          1. Write the changes to disk and configure encrypted volumes: Yes
            - [9.10, 10.04] Encrypted configuration actions: Finish
          2. Encryption passphrase: [YOUR PASSPHRASE HERE]
          3. Re-enter passphrase to verify: [YOUR PASSPHRASE HERE]
        7. Select: "#1 79.8 GB" under "Encrypted volume (sda5_crypt)"
          1. Use as: Physical volume for LVM
          2. Select: Done setting up the partition
        8. Select: Configure the Logical Volume Manager
          1. [10.04] Keep current partition layout and configure LVM: Yes
          2. Select: Create volume group
            1. Volume group name: vg1
            2. Devices for the new volume group:
              - use [SPACEBAR] to select /dev/mapper/sda5_crypt
          3. Select: Create logical volume
            1. Select: vg1
            2. Logical volume name: lvswap
            3. Logical volume size: 2048 MB
          4. Select: Create logical volume
            1. Select: vg1
            2. Logical volume name: lvroot
            3. Logical volume size: 10240 MB
          5. Select: Create logical volume
            1. Select: vg1
            2. Logical volume name: lvhome
            3. Logical volume size: 66936 MB (i.e. all the rest)
          6. Select: Finish
        9. Select: "#1 66.9 GB" under "LVM VG vg1, LV lvhome"
          1. Use as: Ext3 (or Ext4)
          2. Mount point: /home
          3. Label: home
          4. Select: Done setting up the partition
        10. Select: "#1 10.7 GB" under "LVM VG vg1, LV lvroot"
          1. Use as: Ext3 (or Ext4)
          2. Mount point: / (root)
          3. Label: root
          4. Select: Done setting up the partition
        11. Select: "#1 2.1 GB" under "LVM VG vg1, LV lvswap"
          1. Use as: swap area
          2. Select: Done setting up the partition
        12. Select: Finish partitioning and write changes to disk
        13. Write the changes to disks: Yes
      5. This will create
        - /dev/sda1: /boot
        - /dev/sda2: extended partition
        - /dev/sda5: encrypted logical partition
        - /dev/mapper/vg1-lvswap: swap
        - /dev/mapper/vg1-lvroot: / (root)
        - /dev/mapper/vg1-lvhome: /home
      6. [INSTALLATION CONTINUES]
      7. Full name for the new user: [YOUR NAME HERE]
      8. Username for your account: [YOUR USERNAME HERE]
      9. Choose a password for the new user: [YOUR PASSWORD HERE]
      10. Re-enter password to verify: [YOUR PASSWORD HERE]
      11. Set up an encrypted private directory: No
      12. [INSTALLATION CONTINUES]
      13. HTTP proxy information: [LEAVE BLANK]
      14. [INSTALLATION CONTINUES]
      15. [10.04] Install the GRUB boot loader to the master boot record: Yes
      16. Is the system clock set to UTC: Yes
      17. Installation is complete: Continue
      18. [REBOOT]
      19. Enter passphrase to unlock ... (sda5_crypt): [YOUR PASSPHRASE HERE]
        - [10.04] Unlocking the disk /dev/disk/by-uuid/... (sda5_crypt)
        - [10.04] Enter passphrase: [YOUR PASSPHRASE HERE]
      20. Enjoy your Ubuntu installation!

    Reinstall Ubuntu 9.04, 9.10, 10.04 over existing encrypted LUKS/LVM partitions

    Following your encrypted LUKS/LVM installation (above), you decide to reinstall the operating system, perhaps to upgrade to a different version. In order to avoid restoring your /home directory from backup, you can use the following procedure. This procedure will overwrite the root and /boot partitions, but will not overwrite /home. Of course, you still MUST make a backup (or two!) of /home before proceeding, just in case.

    Before proceeding with the reinstallation, you need to know which physical partition is your encrypted partition. In the sample installation above, it is sda5. This information is available to you in the prompt, during the boot process, when you are asked to enter the passphrase. For example, if sda5_crypt is being unlocked by GRUB during the boot process, sda5 is the encrypted partition.

    Ultimately, you will need to know the UUID corresponding to the encrypted partition (sda5 in this case), in order to generate an entry in /etc/crypttab. The easiest way to prepare to generate the /etc/crypttab entry is shown in the steps below, which must be completed before starting the reinstallation. An alternate way to generate the entry in /etc/crypttab is shown in step 15 of the Repair section below, but you still need to know the name of your encrypted partition in order to use it.

    1. First, boot your current installation, in order to save a copy of /etc/crypttab, which will be restored after the reinstall. Since /etc/crypttab is kept in the root partition, and the root partition is overwritten during the reinstall, this step needs to be completed before reinstalling. The contents of crypttab look like:

      Code:
      # <target name>   <source device>   <key file>   <options>
      sda5_crypt /dev/disk/by-uuid/[HEX UUID] none luks

      Run the following command line from a Terminal window (Applications -> Accessories -> Terminal):

      Code:
      $ sudo cp /etc/crypttab /home/crypttab_copy

      This file (/home/crypttab_copy) can be deleted once the reinstallation is complete.

    2. Now, start the reinstallation. Boot from the Alternate Installer CD (not the Desktop Installer) for the new version you want to install (e.g. 10.04).
    3. Language: English
    4. Main Menu: Rescue a broken system
    5. Choose language: English
    6. Choose a country: United States
    7. Detect keyboard layout: No
    8. Origin of the keyboard: USA
    9. Keyboard layout: USA
    10. Hostname: ubuntu
    11. Time Zone: Eastern (or whatever)
      - [10.04] The time zone is detected slightly differently
    12. Passphrase for /dev/sda5: [YOUR PASSPHRASE HERE]
    13. Device to use as root file system: /dev/vg1/lvroot
    14. Rescue operations: [Go Back]
    15. Device to use as root file system: [Go Back]
    16. Select: Partition disks
      1. Select: Manual
      2. Select: "#1 primary 197.4 MB B ext3" under "SCSI1 (0,0,0) (sda)"
        1. Use as: Ext4
        2. Mount point: /boot
        3. Label: boot
        4. Select: Done setting up the partition
      3. Select: "#1 10.7 GB ext3" under "LVM VG vg1, LV lvroot"
        1. Use as: Ext4
        2. [10.04] Format the partition, if necessary
        3. Mount point: / (root)
        4. Label: root
        5. Select: Done setting up the partition
      4. Select: "#1 66.9 GB ext3" under "LVM VG vg1, LV lvhome"
        1. Note the current filesystem type: Ext3 or Ext4
        2. Use as: (Select the same current value: Ext3 or Ext4)
        3. Format the partition: no, keep existing data!!

          Do not format your existing /home partition!!
        4. Mount point: /home
        5. Select: Done setting up the partition
      5. Finish partitioning and write changes to disk
      6. Write the changes to disks: Yes
    17. [INSTALLATION CONTINUES]
    18. Full name for the new user: [YOUR NAME HERE]
    19. Username for your account: [YOUR USERNAME HERE]
    20. Choose a password for the new user: [YOUR PASSWORD HERE]
    21. Re-enter password to verify: [YOUR PASSWORD HERE]
    22. [INSTALLATION CONTINUES]
    23. HTTP proxy information: [LEAVE BLANK]
    24. [INSTALLATION CONTINUES]
    25. Choose software to install: use [SPACEBAR] to select Ubuntu desktop
    26. [INSTALLATION CONTINUES]
    27. Install GRUB: Yes
    28. Is the system clock set to UTC: Yes
    29. [INSTALLATION COMPLETE]
    30. Alternate Installer CD is ejected, but do not remove it
    31. Select: Continue with reboot

    Repair the boot image after reinstallation to unlock LUKS encrypted partition

    Now it is time to repair the /boot/initrd image to automatically unlock the encrypted partition during the GRUB boot process. In step 15 below, you will need to modify /etc/crypttab with the data kept in /home/crypttab_copy, which was created above before starting the reinstallation. If you did not make a copy of /etc/crypttab, you can regenerate it by following the alternate procedure given in step 15.

    1. Boot from the Alternate Installer CD again (not desktop Installer)
    2. Language: English
    3. Main Menu: Rescue a broken system
    4. Choose language: English
    5. Choose a country: United States
    6. Detect keyboard layout: No
    7. Origin of the keyboard: USA
    8. Keyboard layout: USA
    9. Hostname: ubuntu
    10. Time Zone: Eastern (or whatever)
      - [10.04] The time zone is detected slightly differently
    11. Passphrase for /dev/sda5: [YOUR PASSPHRASE HERE]
    12. Device to use as root file system: /dev/vg1/lvroot
    13. Rescue operations: Execute a shell in /dev/vg1/lvroot
    14. Select: Continue
    15. Enter the following commands (running as root):

      Code:
      # mount

      # NOTE: Depending on the version of the installer, the
      # output may show that:
      #  - /boot is mounted from /dev/sda1, and
      #  - /home is mounted from /dev/mapper/vg1-lvhome
      # However, they might NOT be mounted, so ...

      # ls -l /boot     # shows no files, so not really mounted
      # mount /boot     # may "fail" if already mounted; that's ok
      # mount /home     # may "fail" if already mounted; that's ok

      # NOTE: if you did not save a copy of crypttab in a
      # previous step, follow the instructions given just below
      # to recreate the entry in /etc/crypttab

      # cat /home/crypttab_copy >>/etc/crypttab    # restore from backup
      # cat /etc/crypttab              # to check the contents of crypttab
      # update-initramfs -k all -c -v

      # watch the output to make sure update-initramfs succeeded

      # exit   # exit busybox back to the Rescue menu

      If you did not save a copy of /etc/crypttab before reinstallation, you can still recreate it, if you know the name of the encrypted partition (e.g. sda5).

      Code:
      # ls -l /dev/disk/by-uuid | grep sda5
      lrwxrwxrwx 1 root root 10 May 19 09:10 [HEX UUID] -> ../../sda5

      # This hex UUID is what is needed to recreate /etc/crypttab

      # crypttab_entry="sda5_crypt /dev/disk/by-uuid/[HEX UUID] none luks"
      # echo $crypttab_entry  # to check that you've typed it right
      # echo $crypttab_entry >>/etc/crypttab
      # cat /etc/crypttab     # to check the contents of crypttab
    16. Select: Reboot the system
    17. Quickly remove the Alternate Installer CD, since it won't be released before rebooting
    18. After rebooting, you can delete /home/crypttab_copy

    How to manually unlock and mount an encrypted LUKS/LVM partition

    This procedure might come in handy if you have to rescue your data from an encrypted backup or from your workstation, if it won't boot properly.

    1. Boot from an Ubuntu Live CD (Desktop Installer) with a working connection to the internet
    2. Open a Terminal window (Applications -> Accessories -> Terminal). Use the Terminal window to type the following commands

      Code:
      $ sudo apt-get install cryptsetup lvm2
      # - This requires a live internet connection
      # - Answer yes to continue if prompted
      
      $ sudo cryptsetup luksOpen /dev/sda5 MYTAG
      # - This command opens the encrypted partition
      # - Enter your passphrase when prompted
      
      $ sudo vgchange -ay
      # - Makes all volume groups active
      # - If you don't want to make them all active, you can run vgscan to get the
      #   name of your volume group, followed by vgchange for a specific volume group.
      #     $ sudo vgscan
      #     $ sudo vgchange -ay [VOLUME GROUP NAME]
      
      $ sudo lvscan
      # - Note the name of the logical volume containing the partition you want to mount
      
      $ sudo mount /dev/[VOLUME GROUP NAME]/[LOGICAL VOLUME NAME] /mnt
    3. Now you can explore the mounted partition under /mnt. When you are done, you can unmount it by typing the following commands in a Terminal window

      Code:
      $ sudo umount /mnt
      $ sudo vgchange -an
      # - Makes all volume groups inactive
      # - Or use a specific volume group name if you want:
      #     $ sudo vgchange -an [VOLUME GROUP NAME]
      
      $ sudo cryptsetup luksClose MYTAG
      # - This command closes the encrypted partition
    Last edited by John Wiersba; May 20th, 2010 at 02:18 PM. Reason: Update for 10.04, add more explanations, alternate methods
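    An added example, not part of the original HOWTO or of Ubuntu's installer: a small POSIX sh script that does the step 15 lookup ("ls -l /dev/disk/by-uuid | grep sda5") and the crypttab append programmatically. It resolves the encrypted partition's UUID from the by-uuid directory, builds the "sda5_crypt /dev/disk/by-uuid/[HEX UUID] none luks" line, and appends it only when no entry with that target name exists yet, so re-running the repair (or restoring crypttab_copy on top of an entry the installer already wrote) does not leave duplicate lines behind. The by-uuid directory and the crypttab path are function parameters (an assumption made here) so the functions can be exercised against a constructed directory instead of the real /dev and /etc.

```shell
#!/bin/sh
# Added example, not from the original post: automate the step 15
# lookup ("ls -l /dev/disk/by-uuid | grep sda5") and the crypttab append.
# Assumptions: the encrypted partition is named like "sda5" and the target
# name follows the installer's "<partition>_crypt" convention; the by-uuid
# directory and crypttab path are parameters so the functions can be run
# against a constructed directory instead of the real /dev and /etc.

# uuid_for_partition BYUUID_DIR PART
#   Prints the UUID whose symlink in BYUUID_DIR points at PART (the
#   "[HEX UUID] -> ../../sda5" link shown in the HOWTO). Fails if none matches.
uuid_for_partition() {
    dir=$1
    part=$2
    for link in "$dir"/*; do
        [ -L "$link" ] || continue
        # readlink without -f returns the raw link text, e.g. ../../sda5
        case "$(readlink "$link")" in
            */"$part"|"$part") printf '%s\n' "${link##*/}"; return 0 ;;
        esac
    done
    return 1
}

# crypttab_entry BYUUID_DIR PART
#   Prints the line the HOWTO builds by hand:
#   "sda5_crypt /dev/disk/by-uuid/[HEX UUID] none luks"
crypttab_entry() {
    uuid=$(uuid_for_partition "$1" "$2") || return 1
    printf '%s_crypt /dev/disk/by-uuid/%s none luks\n' "$2" "$uuid"
}

# add_crypttab_entry CRYPTTAB BYUUID_DIR PART
#   Appends the entry unless CRYPTTAB already has a line for that target,
#   so a second run does not leave duplicate lines in the file.
add_crypttab_entry() {
    file=$1
    entry=$(crypttab_entry "$2" "$3") || return 1
    name=${entry%% *}
    if [ -f "$file" ] && grep -q "^$name[[:space:]]" "$file"; then
        return 0
    fi
    printf '%s\n' "$entry" >> "$file"
}

# Real use, as root in the rescue shell of step 15:
#   add_crypttab_entry /etc/crypttab /dev/disk/by-uuid sda5
```

    After running it against the real /etc/crypttab, continue exactly as in step 15: check the file with cat /etc/crypttab and rebuild the initrd with update-initramfs -k all -c -v.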

  2. #2
    Join Date
    Apr 2006
    Location
    Seattle
    Beans
    2,893
    Distro
    Ubuntu Development Release

    Re: HOWTO: install and reinstall on an encrypted LUKS/LVM system

    Very well organized lists. Approved, and thank you for contributing to Tutorials & Tips.

  3. #3
    Join Date
    Jun 2009
    Beans
    27

    Re: HOWTO: install and reinstall on an encrypted LUKS/LVM system

    http://sunoano.name/ws/public_xhtml/dm-crypt_luks.html is also quite good; there is also a link to a page that shows how to set up ecryptfs.

  4. #4
    Join Date
    Jul 2009
    Beans
    1

    Re: HOWTO: install and reinstall on an encrypted LUKS/LVM system

    I am trying to follow the second set of instructions, "Install Ubuntu 9.04 (Jaunty Jackalope) over existing encrypted LUKS/LVM partitions" to install over partitions created by Fedora. I can't get past step 12 however, it keeps prompting me for the passphrase over and over.

    I know that these partitions were set up with cryptsetup cipher aes-cbc-essiv:sha256. I also notice that if I drop into the installer shell and issue cat /proc/crypto, it only reports stdrng and md5. By comparison, my Fedora 11 box reports: sha256, sha224, cbc(aes), ecb(arc4), arc4, xts(aes), aes, stdrng, crc32c, sha1, md5.

    Could this be the problem? Does the kernel included with the 9.04 alternate CD not include the crypto modules I need?

  5. #5
    Join Date
    Jan 2007
    Location
    Ann Arbor, MI, USA
    Beans
    55
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: HOWTO: install and reinstall on an encrypted LUKS/LVM system

    My procedure was tested as written on an encrypted partition from Hardy. I don't know how that may be different from what Fedora has. As you suggest, it's probably different crypto/cipher settings. Maybe dmesg from the command line would tell you (or you could look at the logs in /var/log). Here's my Jaunty /proc/crypto:

    $ cat /proc/crypto
    name : ecb(arc4)
    driver : ecb(arc4-generic)
    module : ecb
    priority : 0
    refcnt : 3
    selftest : passed
    type : blkcipher
    blocksize : 1
    min keysize : 1
    max keysize : 256
    ivsize : 0
    geniv : <default>

    name : arc4
    driver : arc4-generic
    module : arc4
    priority : 0
    refcnt : 3
    selftest : passed
    type : cipher
    blocksize : 1
    min keysize : 1
    max keysize : 256

    name : sha256
    driver : sha256-generic
    module : sha256_generic
    priority : 0
    refcnt : 1
    selftest : passed
    type : digest
    blocksize : 64
    digestsize : 32

    name : sha224
    driver : sha224-generic
    module : sha256_generic
    priority : 0
    refcnt : 1
    selftest : passed
    type : digest
    blocksize : 64
    digestsize : 28

    name : cbc(aes)
    driver : cbc(aes-asm)
    module : kernel
    priority : 200
    refcnt : 2
    selftest : passed
    type : givcipher
    async : yes
    blocksize : 16
    min keysize : 16
    max keysize : 32
    ivsize : 16
    geniv : chainiv

    name : cbc(aes)
    driver : cbc(aes-asm)
    module : cbc
    priority : 200
    refcnt : 2
    selftest : passed
    type : blkcipher
    blocksize : 16
    min keysize : 16
    max keysize : 32
    ivsize : 16
    geniv : <default>

    name : aes
    driver : aes-asm
    module : aes_i586
    priority : 200
    refcnt : 3
    selftest : passed
    type : cipher
    blocksize : 16
    min keysize : 16
    max keysize : 32

    name : aes
    driver : aes-generic
    module : aes_generic
    priority : 100
    refcnt : 1
    selftest : passed
    type : cipher
    blocksize : 16
    min keysize : 16
    max keysize : 32

    name : stdrng
    driver : krng
    module : kernel
    priority : 200
    refcnt : 2
    selftest : passed
    type : rng
    seedsize : 0

    name : md5
    driver : md5-generic
    module : kernel
    priority : 0
    refcnt : 1
    selftest : passed
    type : digest
    blocksize : 64
    digestsize : 16

  6. #6
    Join Date
    Dec 2008
    Beans
    27

    Re: HOWTO: install and reinstall on an encrypted LUKS/LVM system

    Could someone update this thread for Lucid?

  7. #7
    Join Date
    Jun 2010
    Location
    Phoenix, AZ
    Beans
    27
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: HOWTO: install/reinstall encrypted LUKS/LVM system with separate home partition

    Thanks so much for this guide. Everything is working like a charm on Lucid. But I would like to make one minor change to my setup - perhaps someone here could lead me through the steps.

    When setting up the encrypted LUKS volume, and it was time to set up the user accounts, while following the steps, I chose to create an unencrypted account for myself. I have decided now that, because I have other users on my system, I would like to encrypt my home directory. Can anyone lead me through the necessary steps to change my ~/ directory from unencrypted to encrypted?

  8. #8
    Join Date
    Jan 2007
    Location
    Ann Arbor, MI, USA
    Beans
    55
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: HOWTO: install/reinstall encrypted LUKS/LVM system with separate home partition

    Quote Originally Posted by Phoenix_Swelter:
    I have decided now that, because I have other users on my system, I would like to encrypt my home directory. Can anyone lead me through the necessary steps to change my ~/ directory from unencrypted to encrypted?
    I would suggest that you probably don't need an encrypted home directory, if you already are using encrypted LUKS volumes. The primary use case (in my opinion) for these encrypted directories and volumes is to prevent a thief from stealing your data if he is able to steal your hardware. Your encrypted LUKS volumes already take care of that. To protect yourself from other legitimate concurrent system users, file system permissions would normally be the tool of choice.

    If another user can gain root on your system (via sudo or any other means), file system permissions won't be sufficient. However, neither will any other method, including encrypted home directories. So, I would suggest sticking with file system permissions. However, if you want to look further at encrypted home directories, you could reference this page: https://wiki.ubuntu.com/EncryptedHomeFolder

  9. #9
    Join Date
    Jun 2010
    Location
    Phoenix, AZ
    Beans
    27
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: HOWTO: install/reinstall encrypted LUKS/LVM system with separate home partition

    Quote Originally Posted by John Wiersba:
    I would suggest sticking with file system permissions.
    Yep - I do believe you are correct. Thank-you.

  10. #10
    Join Date
    May 2009
    Beans
    18

    Re: HOWTO: install and reinstall on an encrypted LUKS/LVM system

    Has anyone successfully followed this HowTo booting from MDADM RAID partitions? I am able to boot from MDADM + LVM or LVM + Encryption, but not all three. Having created two MD devices, one unencrypted for /boot (md0) and one for the encrypted VG (md1), the system doesn't properly assemble the encrypted VG array and goes to an initramfs shell with md1 assembled but inactive. "mdadm --stop /dev/md1" followed by "mdadm --scan --assemble" correctly assembles and activates md1, and then the system can boot, but is there any way to avoid this?

    EDIT: Have verified that in fact this works when using the 10.04.2 installation disk. Previously I was using 10.04.1. Also updating an installation using the MDADM + LUKS + LVM combination from a 10.04.1 disk or earlier to the latest packages fixes the problem too.
    Last edited by tomgibson; February 23rd, 2011 at 02:17 AM.
