HOWTO: install and reinstall on an encrypted LUKS/LVM system

[John Wiersba]

I have decided now that, because I have other users on my system, I would like to encrypt my home directory. Can anyone lead me through the necessary steps to make that change my ~/ directory from unencrypted to encrypted?

I would suggest that you probably don't need an encrypted home directory, if you already are using encrypted LUKS volumes. The primary use case (in my opinion) for these encrypted directories and volumes is to prevent a thief from stealing your data if he is able to steal your hardware. Your encrypted LUKS volumes already take care of that. To protect yourself from other legitimate concurrent system users, file system permissions would normally be the tool of choice.

If another user can gain root on your system (via sudo or any other means), file system permissions won't be sufficient. However, neither will any other method, including encrypted home directories. So, I would suggest sticking with file system permissions. However, if you want to look further at encrypted home directories, you could reference this page: https://wiki.ubuntu.com/EncryptedHomeFolder

[Phoenix_Swelter]

I would suggest sticking with file system permissions.

Yep - I do believe you are correct. Thank-you.

[tomgibson]

Has anyone successfully followed this HowTo booting from MDADM Raid partitions? I am able to boot from MDADM + LVM or LVM + Encryption, but not all three. Having created two MD devices, one unecrypted for /boot (md0) and one for the encrypted VG (md1), the system doesn't properly assemble the encrypted VG array and goes to an initramfs shell with md1 assembled but inactive. "mdadm --stop /dev/md1" followed by "mdadm --scan --assemble" correctly assembles and activates md1 then the system can boot, but is there any way to avoid this?

EDIT: Have verified that in fact this works when using the 10.04.2 installation disk. Previously I was using 10.04.1. Also updating an installation using the MDADM + LUKS + LVM combination from a 10.04.1 disk or earlier to the latest packages fixes the problem too.

[Widgit]

Hi Guys,

I'm having a real headache with this. I've followed these instructions multiple times using the ubuntu 10.10 alternative release to try and setup a new install on a laptop.

I'm getting an error that says something very similar to:

"error couldn't read file.

Kernel panic - not syncing: VFS: Unable to mount root fs on unknown block(0,0)"

If you guys could provide any assistance with this I'd be extremely grateful.

[within]

Thanks very much for the well done HOWTO.

Works like a charm on my brand new laptop with Lucid.

[vangop]

awesome guide really.
Just one question - can someone explain the difference when mounting /dev/vg1/root and /dev/mapper/vg1-root
I've read that encrypted partition should be addressed via /dev/mapper/xxx, but here we use /dev/vg1/xxx

[John Wiersba]

Just one question - can someone explain the difference when mounting /dev/vg1/root and /dev/mapper/vg1-root
I've read that encrypted partition should be addressed via /dev/mapper/xxx, but here we use /dev/vg1/xxx

On my current system:

$ ls -l /dev/vg1/lvroot /dev/mapper/vg1-lvroot /dev/dm-2
brw-rw---- 1 root disk 252, 2 Nov 17 20:03 /dev/dm-2
lrwxrwxrwx 1 root root 7 Nov 17 20:03 /dev/mapper/vg1-lvroot -> ../dm-2
lrwxrwxrwx 1 root root 7 Nov 17 20:03 /dev/vg1/lvroot -> ../dm-2

/dev/mapper/vg1-lvroot and /dev/vg1/lvroot are the same; both are symlinks to /dev/dm-2. Does that help answer your question?

[vangop]

Thanks, it surely does

[madone1]

Hi
I have problem booting my LVM after i have tryed steps for Reinstalling Ubuntu 9.04, 9.10, 10.04 over existing encrypted LUKS/LVM partitions.
Every command described here is coming true without error including update of initramfs. Re using existing /home works. When i mount it manuly i see files on it. But i cant boot in LVM
I am geting this error

Code:

Loading initial ramdisk...
Volume group "ubuntu" not found
Skiping volume group "ubuntu"
and same error for all logical volumes ubuntu/root ubuntu/swap
then
ALERT! /dev/mapper/ubuntu-root does not exist ! Dropin in to shell !

and i end up in busybox initramfs

[John Wiersba]

From http://ubuntuforums.org/showthread.php?t=2077346:

Ubuntu no longer has an alternate install CD but the other versions still do. You can get Lubuntu's alternate CD and the install the package ubuntu-desktop to get Ubuntu. You can grab the torrent for Lubuntu's alternate CD here: http://cdimage.ubuntu.com/lubuntu/re...12.10/release/

Another option might be to try doing the same thing with the server image.