[all variants] Reinstalling Ubuntu with encrypted filesystem



suruena
May 18th, 2008, 02:32 PM
I've upgraded to Kubuntu 8.04 on my laptop (using the alternate CD), this time with disk encryption. I followed the following howto very closely:

http://learninginlinux.wordpress.com/2008/04/23/installing-ubuntu-804-with-full-disk-encryption/

So the Windows and /boot partitions aren't encrypted, and then there is one big encrypted partition which includes the swap, the root filesystem, and the home partitions.

I'm happy with the current configuration, but my doubt is whether I can reinstall the system without having to format the whole encrypted partition again. That is, whether the Ubuntu CD installer will recognize the existing encrypted partition, allow me to enter the current passphrase, then decrypt the root, swap and home partitions, and finally just format the root and swap partitions and reinstall the system without affecting the data in /home.

I made some tests, booting with the CD. When doing the manual partitioning, the filesystems of the boot and Windows partitions are recognized, but not the encrypted partition. Then, I can specify that the big partition is an Encrypted LVM partition and that I don't want to remove the data. However, when configuring the encrypted partition the installer asks for a _new_ passphrase. Am I doing something wrong?

Thanks!

hyper_ch
May 18th, 2008, 07:16 PM
As far as I know, it's not possible yet to reinstall on an encrypted filesystem.

Lycaon
May 18th, 2008, 09:32 PM
I would agree with hyper_ch, I don't think it's possible because it's "rubbish" data for an outsider.

RAOF
May 19th, 2008, 03:51 AM
It should be possible to reinstall on the encrypted partition, but I'm not sure how much of it is automated. The worst-case scenario is that you have to switch to a virtual terminal (which the alternate installer provides) and manually unlock your encrypted partition using cryptsetup. That should then allow the partitioner to use the partitions inside your crypt device.

hyper_ch
May 19th, 2008, 08:43 AM
Would that then still generate correct boot entries in the grub menu.lst? That's where I see a possible problem if you load the encrypted partitions manually.

P.S.: Upgrading works excellently... I did it with 7.04 to 7.10 (it wasn't fully encrypted then, but just a few partitions that I manually encrypted back then)

RAOF
May 19th, 2008, 08:53 AM
would that then still generate correct boot entries in the grub menu.lst? That's where I see a possible problem if you load the encrypted partitions manually.
...

I don't know. I think it should, but I've never tried it. If you try it and it doesn't work, please file a bug. It should work :).

hyper_ch
May 19th, 2008, 08:57 AM
I'll try on the vbox tonight :)

hyper_ch
May 19th, 2008, 11:47 PM
So, I tested it now... installed an Ubuntu 8.04 encrypted (manual encryption with a /boot and a / partition) in vbox.

After it ran fine, I just started over again. When I got to select how I want to partition the drive (guided, guided lvm, guided lvm encrypted, manual) I pressed alt-f2 to enter dos box.

I then ran fdisk -l to see what the partitions are and then I tried to open the encrypted partition but it fails. I have a screenshot here.

I don't know why it fails....

I also tried to luksOpen /dev/sda2 but that did not work either.

EDIT: I had to modprobe aes ;)

hyper_ch
May 20th, 2008, 06:32 PM
Hmmm, reinstall went ok into an already encrypted partition by
(1) depmod aes during installer
(2) crypt luksOpen /dev/sda5 sda5_crypt
(3) going back to the partitioner

HOWEVER after reboot the system never gets a password entry and just stops at the screenshot (vBox)

RAOF
May 21st, 2008, 03:08 AM
Right. It looks like the crypttab hasn't been set up correctly. You should be able to boot by running cryptsetup from the busybox prompt to unlock the partitions, then exit-ing the busybox to continue booting normally. Does that work?

hyper_ch
May 21st, 2008, 08:02 AM
I have to try tonight but it doesn't seem like an issue with crypttab. Crypttab is in /etc and this is fully encrypted... I would first need to enter the password for the root partition and then the system could use crypttab somehow... but I don't even get asked to enter the password for the root partition.

RAOF
May 21st, 2008, 08:58 AM
But does crypttab have the correct contents? If I remember correctly, that's where the cryptsetup mojo in the initramfs is generated from.

So, options include: not-correct contents of crypttab, or need to run update-initramfs to make the initial ramdisk know about the crypt setup. There are probably other options, but those are the two that spring to mind.
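
The two causes suggested in the post above can be told apart from a shell with the reinstalled root mounted. The following is an added example, not part of the original thread or of any Ubuntu tool: the function names are hypothetical, the mapping name `sda5_crypt` and device `/dev/sda5` are taken from the earlier post, and it assumes that the entry needs the `luks` option and that an initrd older than crypttab has not been regenerated.

```shell
#!/bin/sh
# Added example: diagnose a reinstalled LUKS root that never prompts at boot.
# Assumptions: crypttab fields are <target> <source> <key file> <options>;
# an initrd older than crypttab means update-initramfs has not run since.

# crypttab_status FILE MAPPING -> prints missing | no-luks | ok:<source>
crypttab_status() {
    file=$1 want=$2 result=missing
    [ -r "$file" ] || { echo "$result"; return 0; }
    while read -r target source keyfile options || [ -n "$target" ]; do
        case $target in ''|\#*) continue ;; esac    # skip blanks, comments
        [ "$target" = "$want" ] || continue
        case ",$options," in
            *,luks,*) result="ok:$source" ;;
            *)        result=no-luks ;;
        esac
        break
    done < "$file"
    echo "$result"
}

# initramfs_stale CRYPTTAB INITRD -> exit 0 if the initrd is missing or
# older than crypttab (mtime comparison, a heuristic only)
initramfs_stale() {
    [ ! -e "$2" ] || [ "$1" -nt "$2" ]
}

# diagnose ROOT MAPPING INITRD -> one-line verdict for a mounted target root
diagnose() {
    root=$1 mapping=$2 initrd=$3
    status=$(crypttab_status "$root/etc/crypttab" "$mapping")
    case $status in
        ok:*)
            if initramfs_stale "$root/etc/crypttab" "$initrd"; then
                echo "rebuild-initramfs"   # run update-initramfs in the target
            else
                echo "consistent"
            fi ;;
        *)  echo "fix-crypttab:$status" ;; # add or repair the mapping's entry
    esac
}

# Usage (the mount point /target is an assumption):
#   diagnose /target sda5_crypt /target/boot/initrd.img-<version>
```

A verdict of `fix-crypttab:*` corresponds to the first option in the post (wrong crypttab contents) and `rebuild-initramfs` to the second.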

John Wiersba
July 5th, 2009, 09:02 PM
See HOWTO: install and reinstall on an encrypted LUKS/LVM system (http://ubuntuforums.org/showthread.php?p=7576717)
See HOWTO: re-install / upgrade over existing dm-crypt / LUKS system (http://ubuntuforums.org/showthread.php?t=1034910)