Introduction
This HOWTO describes how to encrypt your entire hard disk (except for the /boot partition) with separate partitions for swap, root, and /home. Also described is a procedure for reinstalling the operating system without overwriting the separate /home partition.
Whole-disk encryption is especially useful for protecting personal data on a laptop, since a laptop can be easily stolen. Once stolen, all the data on an unencrypted hard disk is easily recoverable by the thief. The method shown here creates a LUKS-encrypted hard disk partition and uses LVM to create logical partitions within the encrypted physical partition for swap, root, and /home. The encrypted partition is unlocked at boot time by GRUB running from a separate, unencrypted /boot partition.
For data security, it is important that the entire hard disk be encrypted (except for /boot), including the swap and root partitions. This avoids problems associated with unencrypted confidential data leaking into swap or, for example, /tmp. Having an LVM-managed swap partition inside the LUKS-encrypted partition is easier to setup and maintain than having separately-encrypted swap and root partitions.
Rather than upgrading the operating system when a new version is released, many people like to reinstall the entire operating system from scratch. When reinstalling the operating system, there are two common choices:
- Choice #1: Reinstall the complete workstation
  - Backup the user data in /home
  - Backup various system configuration settings
  - Reinstall the entire workstation from scratch
  - Restore the user data to /home
  - Restore the system configuration settings
- Choice #2: Reinstall the operating system only
  - Backup the user data in /home
  - Backup various system configuration settings
  - Reinstall the root partition only, not the /home partition
  - Restore the system configuration settings
Choice #1 (reinstalling the complete workstation) is simpler in concept, but may be slower than choice #2 if there is a lot of user data in /home, and it places 100% reliance on the system used to backup /home. Choice #2 (reinstalling only the root partition) may be faster than choice #1 if there is a lot of user data in /home, and it places slightly less stress on the system used to backup /home, since it is not used during the reinstallation.
This HOWTO is a guide for those people who want to reinstall the operating system only, without restoring /home from backup (choice #2 above). This requires creating a separate partition for /home, so that it is independent from the operating system contained in the root partition.
The current Ubuntu installers do not directly support reinstalling the operating system into a pre-existing encrypted partition. This HOWTO shows you how to reinstall the operating system into a separate, LVM-managed root partition, while keeping the LVM-managed /home partition intact.
This HOWTO is based on MaddMatt's post at HOWTO: re-install / upgrade over existing dm-crypt / LUKS system, which gives a similar process, but without some of the specific details. I created this detailed list while testing MaddMatt's instructions in preparation for upgrading my laptop from Ubuntu 8.10 to 9.04. The instructions have been tested on Ubuntu 8.10, 9.04, 9.10, 10.04 and are substantially the same.
NOTE: Whenever you perform a major alteration to your installation, such as reinstalling the operating system, you really MUST be prepared for accidental failure. This means that you MUST back up your data before reinstalling! This HOWTO shows you how to avoid restoring your home directory from backup, but it does not remove the need to back up your irreplaceable data!
Original install of Ubuntu 8.10, 9.04, 9.10, 10.04
- Boot from Alternate Installer CD (not Desktop Installer)
- Language: English
- Main Menu: Install Ubuntu
- Choose language: English
- Choose a country: United States
- Detect keyboard layout: No
- Origin of the keyboard: USA
- Keyboard layout: USA
- [INSTALLATION CONTINUES]
- Hostname: ubuntu
- Time Zone: Eastern (or whatever)
- [10.04] The time zone is detected slightly differently
- Partition disks
- Select: Manual
- Display shows:
- Guided partitioning
- ...
- SCSI1 (0,0,0) (sda) - 80.0 GB ...
- pri/log 80.0 GB FREE SPACE
- ...
- Select: pri/log 80.0 GB FREE SPACE
- Select: Create a new partition
- New partition size: 200 MB
- Select: Primary
- Select: Beginning
- Options for partition #1 of SCSI1 (0,0,0) (sda)
- Use as: Ext3 (or Ext4)
- Format the partition: yes, format it
- [10.04] Sometimes, this choice is not available
- Mount point: /boot
- Label: boot
- Select: Done setting up the partition
- Select: pri/log 79.8 GB FREE SPACE
- Select: Create a new partition
- New partition size: 79.8 GB (i.e. all the rest of the space)
- Select: Logical
- Options for partition #5 of SCSI1 (0,0,0) (sda)
- Use as: Physical volume for encryption
- Select: Done setting up the partition
- Select: Configure encrypted volumes
- Write the changes to disk and configure encrypted volumes: Yes
- [9.10, 10.04] Encrypted configuration actions: Finish
- Encryption passphrase: [YOUR PASSPHRASE HERE]
- Re-enter passphrase to verify: [YOUR PASSPHRASE HERE]
- Select: "#1 79.8 GB" under "Encrypted volume (sda5_crypt)"
- Use as: Physical volume for LVM
- Select: Done setting up the partition
- Select: Configure the Logical Volume Manager
- [10.04] Keep current partition layout and configure LVM: Yes
- Select: Create volume group
- Volume group name: vg1
- Devices for the new volume group:
- use [SPACEBAR] to select /dev/mapper/sda5_crypt
- Select: Create logical volume
- Select: vg1
- Logical volume name: lvswap
- Logical volume size: 2048 MB
- Select: Create logical volume
- Select: vg1
- Logical volume name: lvroot
- Logical volume size: 10240 MB
- Select: Create logical volume
- Select: vg1
- Logical volume name: lvhome
- Logical volume size: 66936 MB (i.e. all the rest)
- Select: Finish
- Select: "#1 66.9 GB" under "LVM VG vg1, LV lvhome"
- Use as: Ext3 (or Ext4)
- Mount point: /home
- Label: home
- Select: Done setting up the partition
- Select: "#1 10.7 GB" under "LVM VG vg1, LV lvroot"
- Use as: Ext3 (or Ext4)
- Mount point: / (root)
- Label: root
- Select: Done setting up the partition
- Select: "#1 2.1 GB" under "LVM VG vg1, LV lvswap"
- Use as: swap area
- Select: Done setting up the partition
- Select: Finish partitioning and write changes to disk
- Write the changes to disks: Yes
- This will create
- /dev/sda1: /boot
- /dev/sda2: extended partition
- /dev/sda5: encrypted logical partition
- /dev/mapper/vg1-lvswap: swap
- /dev/mapper/vg1-lvroot: / (root)
- /dev/mapper/vg1-lvhome: /home
- [INSTALLATION CONTINUES]
- Full name for the new user: [YOUR NAME HERE]
- Username for your account: [YOUR USERNAME HERE]
- Choose a password for the new user: [YOUR PASSWORD HERE]
- Re-enter password to verify: [YOUR PASSWORD HERE]
- Set up an encrypted private directory: No
- [INSTALLATION CONTINUES]
- HTTP proxy information: [LEAVE BLANK]
- [INSTALLATION CONTINUES]
- [10.04] Install the GRUB boot loader to the master boot record: Yes
- Is the system clock set to UTC: Yes
- Installation is complete: Continue
- [REBOOT]
- Enter passphrase to unlock ... (sda5_crypt): [YOUR PASSPHRASE HERE]
- [10.04] Unlocking the disk /dev/disk/by-uuid/... (sda5_crypt)
- [10.04] Enter passphrase: [YOUR PASSPHRASE HERE]
- Enjoy your Ubuntu installation!
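The point of the layout above is that only /boot lives outside the LUKS container: swap and root are logical volumes inside sda5_crypt, so nothing confidential can leak to an unencrypted area. The following check is an added example, not part of the HOWTO, and verifies that property from `lsblk` output: it walks each mounted filesystem and swap device up its parent chain and reports any that is not underneath a device of type `crypt`. The function name and the embedded sample rows are this example's own; the sample mirrors the partition list above rather than being captured from a real machine, and mountpoints containing spaces are not handled.

```shell
# Added check (not from the HOWTO): every mount and swap device except /boot
# must sit on top of a LUKS "crypt" device.
# Feed it:  lsblk -P -o NAME,KNAME,TYPE,MOUNTPOINT,PKNAME
# Exit status 0 = fully encrypted apart from /boot; 1 = offenders listed.
check_encrypted_layout() {
  awk '
  {
    name = ""; kname = ""; type = ""; mp = ""; pk = ""
    for (i = 1; i <= NF; i++) {                # parse KEY="value" pairs
      eq = index($i, "=")
      key = substr($i, 1, eq - 1)
      val = substr($i, eq + 1); gsub(/"/, "", val)
      if (key == "NAME") name = val
      else if (key == "KNAME") kname = val
      else if (key == "TYPE") type = val
      else if (key == "MOUNTPOINT") mp = val
      else if (key == "PKNAME") pk = val
    }
    dname[kname] = name; dtype[kname] = type; parent[kname] = pk
    if (mp != "") mounted[kname] = mp
  }
  END {
    bad = 0
    for (k in mounted) {
      if (mounted[k] == "/boot") continue      # /boot is unencrypted by design
      enc = 0; p = k
      while (p != "") {                        # walk up towards the disk
        if (dtype[p] == "crypt") { enc = 1; break }
        p = parent[p]
      }
      if (!enc) { printf "UNENCRYPTED: %s on %s\n", mounted[k], dname[k]; bad = 1 }
    }
    exit bad
  }'
}

# Constructed sample of the layout this HOWTO produces (not a real capture).
sample_encrypted_lsblk() {
  cat <<'EOF'
NAME="sda" KNAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" KNAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" KNAME="sda2" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="sda5" KNAME="sda5" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="sda5_crypt" KNAME="dm-0" TYPE="crypt" MOUNTPOINT="" PKNAME="sda5"
NAME="vg1-lvswap" KNAME="dm-1" TYPE="lvm" MOUNTPOINT="[SWAP]" PKNAME="dm-0"
NAME="vg1-lvroot" KNAME="dm-2" TYPE="lvm" MOUNTPOINT="/" PKNAME="dm-0"
NAME="vg1-lvhome" KNAME="dm-3" TYPE="lvm" MOUNTPOINT="/home" PKNAME="dm-0"
EOF
}

# Constructed counter-example: swap on a plain partition outside the container.
sample_leaky_lsblk() {
  cat <<'EOF'
NAME="sda" KNAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" KNAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda3" KNAME="sda3" TYPE="part" MOUNTPOINT="[SWAP]" PKNAME="sda"
NAME="sda5" KNAME="sda5" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="sda5_crypt" KNAME="dm-0" TYPE="crypt" MOUNTPOINT="" PKNAME="sda5"
NAME="vg1-lvroot" KNAME="dm-2" TYPE="lvm" MOUNTPOINT="/" PKNAME="dm-0"
NAME="vg1-lvhome" KNAME="dm-3" TYPE="lvm" MOUNTPOINT="/home" PKNAME="dm-0"
EOF
}

if sample_encrypted_lsblk | check_encrypted_layout; then
  echo "sample layout: fully encrypted apart from /boot"
fi
# On the real system:
#   lsblk -P -o NAME,KNAME,TYPE,MOUNTPOINT,PKNAME | check_encrypted_layout
```

Run the real-system pipeline after the first boot and again after the reinstall; a swap or /tmp partition added later outside the container shows up as an UNENCRYPTED line.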
Reinstall Ubuntu 9.04, 9.10, 10.04 over existing encrypted LUKS/LVM partitions
Following your encrypted LUKS/LVM installation (above), you decide to reinstall the operating system, perhaps to upgrade to a different version. In order to avoid restoring your /home directory from backup, you can use the following procedure. This procedure will overwrite the root and /boot partitions, but will not overwrite /home. Of course, you still MUST make a backup (or two!) of /home before proceeding, just in case.
Before proceeding with the reinstallation, you need to know which physical partition is your encrypted partition. In the sample installation above, it is sda5. This information is available to you in the prompt, during the boot process, when you are asked to enter the passphrase. For example, if sda5_crypt is being unlocked by GRUB during the boot process, sda5 is the encrypted partition.
Ultimately, you will need to know the UUID corresponding to the encrypted partition (sda5 in this case), in order to generate an entry in /etc/crypttab. The easiest way to prepare to generate the /etc/crypttab entry is shown in the steps below, which must be completed before starting the reinstallation. An alternate way to generate the entry in /etc/crypttab is shown in step 15 of the Repair section below, but you still need to know the name of your encrypted partition in order to use it.
- First, boot your current installation, in order to save a copy of /etc/crypttab, which will be restored after the reinstall. Since /etc/crypttab is kept in the root partition, and the root partition is overwritten during the reinstall, this step needs to be completed before reinstalling. The contents of crypttab look like:
Code:
# <target name> <source device> <key file> <options>
sda5_crypt /dev/disk/by-uuid/[HEX UUID] none luks
Run the following command line from a Terminal window (Applications -> Accessories -> Terminal):
Code:
$ sudo cp /etc/crypttab /home/crypttab_copy
This file (/home/crypttab_copy) can be deleted once the reinstallation is complete.
- Now, start the reinstallation. Boot from the Alternate Installer CD (not the desktop Installer) for the new version you want to install (e.g. 10.04)
- Language: English
- Main Menu: Rescue a broken system
- Choose language: English
- Choose a country: United States
- Detect keyboard layout: No
- Origin of the keyboard: USA
- Keyboard layout: USA
- Hostname: ubuntu
- Time Zone: Eastern (or whatever)
- [10.04] The time zone is detected slightly differently
- Passphrase for /dev/sda5: [YOUR PASSPHRASE HERE]
- Device to use as root file system: /dev/vg1/lvroot
- Rescue operations: [Go Back]
- Device to use as root file system: [Go Back]
- Select: Partition disks
- Select: Manual
- Select: "#1 primary 197.4 MB B ext3" under "SCSI1 (0,0,0) (sda)"
- Use as: Ext4
- Mount point: /boot
- Label: boot
- Select: Done setting up the partition
- Select: "#1 10.7 GB ext3" under "LVM VG vg1, LV lvroot"
- Use as: Ext4
- [10.04] Format the partition, if necessary
- Mount point: / (root)
- Label: root
- Select: Done setting up the partition
- Select: "#1 66.9 GB ext3" under "LVM VG vg1, LV lvhome"
- Note the current filesystem type: Ext3 or Ext4
- Use as: (Select the same current value: Ext3 or Ext4)
- Format the partition: no, keep existing data !!
Do not format your existing /home partition !!
- Mount point: /home
- Select: Done setting up the partition
- Finish partitioning and write changes to disk
- Write the changes to disks: Yes
- [INSTALLATION CONTINUES]
- Full name for the new user: [YOUR NAME HERE]
- Username for your account: [YOUR USERNAME HERE]
- Choose a password for the new user: [YOUR PASSWORD HERE]
- Re-enter password to verify: [YOUR PASSWORD HERE]
- [INSTALLATION CONTINUES]
- HTTP proxy information: [LEAVE BLANK]
- [INSTALLATION CONTINUES]
- Choose software to install: use [SPACEBAR] to select Ubuntu desktop
- [INSTALLATION CONTINUES]
- Install GRUB: Yes
- Is the system clock set to UTC: Yes
- [INSTALLATION COMPLETE]
- Alternate Installer CD is ejected, but do not remove it
- Select: Continue with reboot
Repair the boot image after reinstallation to unlock LUKS encrypted partition
Now it is time to repair the /boot/initrd image to automatically unlock the encrypted partition during the GRUB boot process. In step 15 below, you will need to modify /etc/crypttab with the data kept in /home/crypttab_copy, which was created above before starting the reinstallation. If you did not make a copy of /etc/crypttab, you can regenerate it by following the alternate procedure given in step 15.
- Boot from the Alternate Installer CD again (not desktop Installer)
- Language: English
- Main Menu: Rescue a broken system
- Choose language: English
- Choose a country: United States
- Detect keyboard layout: No
- Origin of the keyboard: USA
- Keyboard layout: USA
- Hostname: ubuntu
- Time Zone: Eastern (or whatever)
- [10.04] The time zone is detected slightly differently
- Passphrase for /dev/sda5: [YOUR PASSPHRASE HERE]
- Device to use as root file system: /dev/vg1/lvroot
- Rescue operations: Execute a shell in /dev/vg1/lvroot
- Select: Continue
- Enter the following commands (running as root):
Code:
# mount
# NOTE: Depending on the version of the installer, the
# output may show that:
# - /boot is mounted from /dev/sda1, and
# - /home is mounted from /dev/mapper/vg1-lvhome
# However, they might NOT be mounted, so ...
# ls -l /boot # shows no files, so not really mounted
# mount /boot # may "fail" if already mounted; that's ok
# mount /home # may "fail" if already mounted; that's ok
# NOTE: if you did not save a copy of crypttab in a
# previous step, follow the instructions given just below
# to recreate the entry in /etc/crypttab
# cat /home/crypttab_copy >>/etc/crypttab # restore from backup
# cat /etc/crypttab # to check the contents of crypttab
# update-initramfs -k all -c -v
# watch the output to make sure update-initramfs succeeded
# exit # exit busybox back to the Rescue menu
If you did not save a copy of /etc/crypttab before reinstallation, you can still recreate it, if you know the name of the encrypted partition (e.g. sda5).
Code:
# ls -l /dev/disk/by-uuid | grep sda5
lrwxrwxrwx 1 root root 10 May 19 09:10 [HEX UUID] -> ../../sda5
# This hex UUID is what is needed to recreate /etc/crypttab
# crypttab_entry="sda5_crypt /dev/disk/by-uuid/[HEX UUID] none luks"
# echo $crypttab_entry # to check that you've typed it right
# echo $crypttab_entry >>/etc/crypttab
# cat /etc/crypttab # to check the contents of crypttab
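Both the crypttab_copy step before the reinstall and the regeneration above boil down to producing one line of the form `sda5_crypt /dev/disk/by-uuid/[HEX UUID] none luks` and getting it into /etc/crypttab exactly once. The helpers below are an added example, not part of the HOWTO, that do this from the rescue shell. `crypttab_entry_for` resolves the UUID the same way as the `ls -l /dev/disk/by-uuid | grep sda5` step; `ensure_crypttab_entry` appends the line only if no entry for that target exists, so running the repair twice cannot leave duplicate sda5_crypt lines (the plain `>>` in the steps above would). The function names and the optional directory/file arguments are this example's own; the arguments exist so the functions can be exercised against a constructed directory.

```shell
# Added helpers (not from the HOWTO) for the /etc/crypttab repair step.

# crypttab_entry_for DEV [BY_UUID_DIR]
# Prints "<dev>_crypt /dev/disk/by-uuid/<UUID> none luks" for e.g. DEV=sda5.
# BY_UUID_DIR defaults to /dev/disk/by-uuid.
crypttab_entry_for() {
  dev="$1"
  dir="${2:-/dev/disk/by-uuid}"
  for link in "$dir"/*; do
    [ -L "$link" ] || continue
    case "$(readlink "$link")" in
      */"$dev" | "$dev") ;;                 # symlink target such as ../../sda5
      *) continue ;;
    esac
    printf '%s_crypt /dev/disk/by-uuid/%s none luks\n' "$dev" "${link##*/}"
    return 0
  done
  echo "no by-uuid symlink points at $dev" >&2
  return 1
}

# ensure_crypttab_entry ENTRY [CRYPTTAB]
# Appends ENTRY unless a line for the same target name is already present.
ensure_crypttab_entry() {
  entry="$1"
  file="${2:-/etc/crypttab}"
  target="${entry%% *}"                     # first field, e.g. sda5_crypt
  if [ -f "$file" ] && grep -q "^$target[[:space:]]" "$file"; then
    echo "$target already present in $file" >&2
    return 0
  fi
  printf '%s\n' "$entry" >> "$file"
}

# Usage on the real system, as root in the rescue shell (hypothetical call):
#   ensure_crypttab_entry "$(crypttab_entry_for sda5)" && cat /etc/crypttab
# then run update-initramfs as in the steps above.
```

After the entry is in place, check `cat /etc/crypttab` shows exactly one line for sda5_crypt before running `update-initramfs`; the initramfs only unlocks the devices listed there.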
- Select: Reboot the system
- Quickly remove the Alternate Installer CD, since it won't be released before rebooting
- After rebooting, you can delete /home/crypttab_copy
How to manually unlock and mount an encrypted LUKS/LVM partition
This procedure might come in handy if you have to rescue your data from an encrypted backup or from your workstation, if it won't boot properly.
- Boot from an Ubuntu Live CD (Desktop Installer) with a working connection to the internet
- Open a Terminal window (Applications -> Accessories -> Terminal). Use the Terminal window to type the following commands
Code:
$ sudo apt-get install cryptsetup lvm2
# - This requires a live internet connection
# - Answer yes to continue if prompted
$ sudo cryptsetup luksOpen /dev/sda5 MYTAG
# - This command opens the encrypted partition
# - Enter your passphrase when prompted
$ sudo vgchange -ay
# - Makes all volume groups active
# - If you don't want to make them all active, you can run vgscan to get the
# name of your volume group, followed by vgchange for a specific volume group.
# $ sudo vgscan
# $ sudo vgchange -ay [VOLUME GROUP NAME]
$ sudo lvscan
# - Note the name of the logical volume containing the partition you want to mount
$ sudo mount /dev/[VOLUME GROUP NAME]/[LOGICAL VOLUME NAME] /mnt
- Now you can explore the mounted partition under /mnt. When you are done, you can unmount it by typing the following commands in a Terminal window
Code:
$ sudo umount /mnt
$ sudo vgchange -an
# - Makes all volume groups inactive
# - Or use a specific volume group name if you want:
# $ sudo vgchange -an [VOLUME GROUP NAME]
$ sudo cryptsetup luksClose MYTAG
# - This command closes the encrypted partition
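The unlock and the cleanup above are mirror images: open LUKS, activate the volume group, mount; then unmount, deactivate, close. The functions below are an added example, not part of the HOWTO, that wrap that sequence so a failure part-way through undoes the steps already taken rather than leaving the container open, and that mount read-only because rescuing data should not modify the volume. The tag name `rescue_crypt`, the `run` wrapper and its DRY_RUN mode (which prints the commands instead of executing them) are this example's own choices; the cryptsetup, vgchange and mount invocations are the ones the HOWTO uses.

```shell
# Added wrapper (not from the HOWTO) around the manual unlock/mount sequence.
# Run as root. Set DRY_RUN=1 to print the commands instead of executing them.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# unlock_and_mount DEVICE TAG VG LV [MOUNTPOINT]
# e.g. unlock_and_mount /dev/sda5 rescue_crypt vg1 lvhome /mnt
unlock_and_mount() {
  dev="$1"; tag="$2"; vg="$3"; lv="$4"; mnt="${5:-/mnt}"
  run cryptsetup luksOpen "$dev" "$tag" || return 1
  if ! run vgchange -ay "$vg"; then          # activation failed: close LUKS again
    run cryptsetup luksClose "$tag"
    return 1
  fi
  # read-only mount: data rescue should never write to the volume
  if ! run mount -o ro "/dev/$vg/$lv" "$mnt"; then
    run vgchange -an "$vg"
    run cryptsetup luksClose "$tag"
    return 1
  fi
}

# close_and_lock TAG VG [MOUNTPOINT]: exact reverse of unlock_and_mount
close_and_lock() {
  tag="$1"; vg="$2"; mnt="${3:-/mnt}"
  run umount "$mnt" || return 1
  run vgchange -an "$vg" || return 1
  run cryptsetup luksClose "$tag"
}

# Preview the command sequence without touching any device:
#   DRY_RUN=1 unlock_and_mount /dev/sda5 rescue_crypt vg1 lvhome /mnt
#   DRY_RUN=1 close_and_lock rescue_crypt vg1 /mnt
```

If `close_and_lock` stops at `vgchange -an` because the volume group is still busy, something under the mountpoint is still open; resolve that before `luksClose`, which will otherwise refuse to close a device that is in use.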