
Thread: HOWTO: install and reinstall on an encrypted LUKS/LVM system

  1. #11
    Join Date
    Jan 2010
    Location
    Houston
    Beans
    56
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: HOWTO: install and reinstall on an encrypted LUKS/LVM system

    John,

    I will try this but I am scared it will hose the system. I need to make a backup! In 9.04, I encrypted my home directory upon install, and after a glitch (now fixed I think), I never saw it again. I know this is a different issue though.

    I have a related question, I think. If you go to System | Administration | Disk Utility, then select the line (3rd down on mine) corresponding to the actual hard drive (called 320 GB Hard Disk and then ATA WDC ...), there is an option at the bottom called "Change Passphrase".

    I searched help on this but did not really get a good idea of what it does. Do you know?

    Is this an alternative way (to the way you explained) to change the passphrase?

    Thanks so much.
    Steve.



    Quote: Originally posted by John Wiersba
    Steve, I believe this is what you're talking about (from my notes):

    To change encryption passphrase:

    # note: the device name is whatever shows up as /dev/mapper/sda2_crypt

    # add a key
    sudo cryptsetup -y luksAddKey /dev/sda2

    # remove a key
    sudo cryptsetup luksRemoveKey /dev/sda2

  2. #12
    Join Date
    Jan 2007
    Location
    Ann Arbor, MI, USA
    Beans
    55
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: HOWTO: install and reinstall on an encrypted LUKS/LVM system

    Steve,

    I don't have "Disk Utility" show up in my version (currently running 9.04), but I'd guess that it does something similar to what my command lines do.

    I test all these commands on a separate crash-n-burn machine several times before trying them on my day-to-day machine. Like you, I'd be scared to test them on a machine that I need to keep running.

    And you're right. Having a backup is key to your peace of mind. Buy an external drive (or two!), create an encrypted partition on it, and rsync your data to it. Test that you can remount it from a different machine.

    -- John
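
The add-then-remove passphrase change quoted in post #11, written out as an added example that is not part of the original thread. The function names and the backup-file argument are hypothetical, and it assumes a cryptsetup version that supports `--test-passphrase`.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and the backup path
# argument are hypothetical; run as root, and on a test machine first.

# Constructed sample of LUKS1 `cryptsetup luksDump` output (trimmed).
SAMPLE_LUKS1_DUMP='LUKS header information for /dev/sda2
Version:        1
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED'

# Read luksDump text on stdin, print how many key slots hold a passphrase.
count_enabled_slots() {
    awk '
        /^Key Slot [0-9]+: ENABLED/   { n++ }        # LUKS1 layout
        /^Keyslots:/                  { ks = 1; next }
        /^[^ \t]/                     { ks = 0 }     # a new section starts
        ks && /^  [0-9]+: luks/       { n++ }        # LUKS2 layout
        END                           { print n + 0 }'
}

# Add the new passphrase, prove it unlocks, and only then drop the old one.
rotate_luks_passphrase() {
    dev=$1 backup=$2
    cryptsetup isLuks "$dev" || { echo "$dev is not a LUKS device" >&2; return 1; }
    before=$(cryptsetup luksDump "$dev" | count_enabled_slots)

    # Header backup first: a damaged header makes the whole volume unreadable.
    # It still contains the OLD key slot, so store it offline or destroy it
    # once the rotation is verified.
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "$backup" || return 1

    echo "Step 1: enter an existing passphrase, then the new one (twice)."
    cryptsetup -y luksAddKey "$dev" || return 1
    after=$(cryptsetup luksDump "$dev" | count_enabled_slots)
    [ "$after" -gt "$before" ] || { echo "no new key slot; aborting" >&2; return 1; }

    echo "Step 2: enter the NEW passphrase to confirm it unlocks the volume."
    cryptsetup open --test-passphrase "$dev" || return 1

    echo "Step 3: enter the OLD passphrase to remove its key slot."
    cryptsetup luksRemoveKey "$dev"
}

# Usage: sudo sh rotate.sh /dev/sda2 /path/to/header-backup.img
if [ "$#" -eq 2 ]; then rotate_luks_passphrase "$1" "$2"; fi
```

The old passphrase is removed only after the new one has been shown to unlock the volume, so a mistyped new passphrase cannot lock you out.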

  3. #13
    Join Date
    Oct 2006
    Beans
    69

    Re: HOWTO: install and reinstall on an encrypted LUKS/LVM system

    Thanks, this tutorial has been very helpful. Unfortunately I followed it and the new system doesn't do any hibernation. This obviously has to do with the fact that we encrypted the swap disk.

    I've seen many posts in many forums that say that this is possible, mainly by directly editing specific Ubuntu conf files.

    Is there any hint on how exactly this would be possible, given the instructions above?

  4. #14
    Join Date
    Jan 2007
    Location
    Ann Arbor, MI, USA
    Beans
    55
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: HOWTO: install and reinstall on an encrypted LUKS/LVM system

    Radiobuzzer,

    Sorry, but I don't know the solution to your hibernation issue. The method I showed (above) is pretty standard for creating a fully-encrypted installation. The tricky part is reinstalling the OS without needing to restore /home.

    However, once you have a fully-encrypted installation, there may be tweaks needed to get things like hibernation working on your hardware. Indeed, you may need to directly edit various configuration files. You could try searching for some variation of "encrypted hibernation" for more information on this.

    If, for some reason, you can't get hibernation working when your swap is encrypted, you could consider not encrypting swap by creating an extra partition for swap outside the LUKS-encrypted container. This weakens the security of your installation, but you may consider a working hibernation feature more important than an encrypted swap.

  5. #15
    Join Date
    Dec 2008
    Beans
    147

    Re: HOWTO: install and reinstall on an encrypted LUKS/LVM system

    Being curious, I opted for home-folder encryption when installing 10.04, and when the key was generated, thought I read that I could retrieve it again from the command-line - so never bothered saving it. After more idiocy on my part, I managed to screw up my installation so badly that I had to reinstall it from a backup.

    So all is well again. However, said-backup also has the encrypted home-folder, (obviously!) so my question is, did I read right at the time - once logged in, can I retrieve the key from the command-line so I can write it down this time?

  6. #16
    Join Date
    Jan 2007
    Location
    Ann Arbor, MI, USA
    Beans
    55
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: HOWTO: install and reinstall on an encrypted LUKS/LVM system

    Quote: Originally posted by omelette
    Can I retrieve the key from the command-line so I can write it down this time?
    Unfortunately, I don't have any experience with encrypted home directories, since it's not a useful feature in a single-user, fully-encrypted installation (such as a laptop). Maybe someone else will know how to retrieve the decryption key. Also, I would suggest using full encryption for your backups, as opposed to encrypting only certain files/directories.
    Last edited by John Wiersba; July 18th, 2010 at 11:17 PM. Reason: fix syntax

  7. #17
    Join Date
    Dec 2008
    Beans
    147

    Re: HOWTO: install and reinstall on an encrypted LUKS/LVM system

    Thanks for the reply. As it is my laptop that is at issue, I am surprised to hear that directory-level encryption is inadequate - as the laptop is used only by myself, I would have thought everything was perfectly secured, bar file-access logs etc. stored in /vars, /etc and the like!

    I was just responding to the supplied Ubuntu installation disk's responses which doesn't offer the option of disk-level encryption - but then I guess you know that, hence your HOWTO!

  8. #18
    Join Date
    Jan 2007
    Location
    Ann Arbor, MI, USA
    Beans
    55
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: HOWTO: install and reinstall on an encrypted LUKS/LVM system

    IMHO, directory-level encryption is inadequate for a laptop that has sensitive data on it (that you would be worried about if your laptop was stolen). For example, swap and /tmp will not be encrypted.

    But I don't see any extra benefit of directory-level encryption when the entire hard disk is already encrypted; it just creates extra failure points (as you discovered).

  9. #19
    Join Date
    Dec 2008
    Beans
    147

    Re: HOWTO: install and reinstall on an encrypted LUKS/LVM system

    Ah yes, I forgot about swap & tmp - good point!

    btw, I have just taken the not-too-tedious route of re-installing Ubuntu from scratch again (still just home-directory encryption) and yes, the encryption key can be retrieved from the command-line - simply;

    "ecryptfs-unwrap-passphrase"

  10. #20
    Join Date
    Jun 2010
    Location
    Phoenix, AZ
    Beans
    27
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: HOWTO: install/reinstall encrypted LUKS/LVM system with separate home partition

    Thanks so much for this guide. Everything is working like a charm on Lucid. But I would like to make one minor change to my setup - perhaps someone here could lead me through the steps.

    When setting up the encrypted LUKS volume, and it was time to set up the user accounts, while following the steps, I chose to create an unencrypted account for myself. I have decided now that, because I have other users on my system, I would like to encrypt my home directory. Can anyone lead me through the necessary steps to change my ~/ directory from unencrypted to encrypted?
