
Thread: No LUKS password prompt for Ubuntu installation with manual partitioning

  1. #1
    Join Date
    May 2008
    Location
    United Kingdom
    Beans
    4,795
    Distro
    Lubuntu 18.04 Bionic Beaver

    Question No LUKS password prompt for Ubuntu installation with manual partitioning

    If I install Ubuntu with LUKS, asking it to encrypt the entire drive, I can get it to boot properly (after adding startup.nsh and setting nosplash in Grub).

    However, when I use manual partitioning so that the installer doesn't overwrite specific partitions, I cannot get the boot sequence to prompt for the LUKS password. Instead, after a minute or so, the boot falls into initramfs (whatever that is).

    My test setup is similar to the default whole-disk encryption:
    • /dev/sda1 EFI System Partition
    • /dev/sda2 Boot partition
    • /dev/sda3 Unused space
    • /dev/sda4 LUKS partition containing an LVM group, which contains a swap partition and a root partition.

    All partitions start off empty, so that the installer can format and fill them as needed.

    I ran the installer. I don't know where to place the bootloader, so I've tried both /dev/sda and the default /dev/dm-0 (which points to the encrypted, unlocked partition sda4_crypt).

    Once I have added startup.nsh (bug #1665329) and fixed Grub (another bug), I can boot into the system as far as the Grub prompt.

    Then, after I select Ubuntu, it sits for about a minute before dropping into a prompt for initramfs, something about which I know nothing. (Using the installer's default whole-disk encryption does not have this problem.)

    Do you have any idea what I can do to fix this so that I can enter the LUKS password and continue to boot?

    More information:
    • Installing in VirtualBox
    • Using Ubuntu 16.10 64-bit
    Last edited by Paddy Landau; February 23rd, 2017 at 04:33 PM. Reason: Grammar correction with clarifications
    Always make regular backups of your data (and test them).
    Visit Full Circle Magazine for beginners and seasoned Linux enthusiasts.

  2. #2
    Join Date
    Mar 2011
    Location
    19th Hole
    Beans
    Hidden!
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: No LUKS password prompt for Ubuntu installation with manual partitioning

    Hello Paddy,

    If using whole disk encryption, everything that is in /boot must be unencrypted for obvious reasons. When you customize your install, do you make sure to set up /boot on an unencrypted partition?

    NOTE:

    I do not use whole disk encryption, so am of limited help. But the above is one of the usual problems.

  3. #3
    Join Date
    May 2008
    Location
    United Kingdom
    Beans
    4,795
    Distro
    Lubuntu 18.04 Bionic Beaver

    Re: No LUKS password prompt for Ubuntu installation with manual partitioning

    Quote Originally Posted by DuckHook View Post
    … do you make sure to set up /boot on an unencrypted partition?
    Thanks for your reply, @DuckHook. Yes, it is unencrypted. As described in my setup, only the final partition is encrypted.

    If I understood how the EFI and boot partitions are set up to request the LUKS password, I might be able to figure out what's going on, but I have failed to understand what little I have managed to find.

  4. #4
    Join Date
    Mar 2011
    Location
    19th Hole
    Beans
    Hidden!
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: No LUKS password prompt for Ubuntu installation with manual partitioning

    Old-ish tutorial, no longer maintained, but perhaps it will help: http://thesimplecomputer.info/full-d...on-with-ubuntu

    **NOTE**

    Untested by me. While I do use encryption, I don't do it whole disk. Too many bad vibes from trying to help people out on these forums. I encrypt only a ~/Private directory, throw all my sensitive stuff in there and symlink back to where the system expects to find it. But I do get the fact that in some situations only full disk will do. I just don't have any personal experience implementing it.

  5. #5
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: No LUKS password prompt for Ubuntu installation with manual partitioning

    No help from me, but ...

    IMHO, every portable device requires as much encryption as possible. I've had devices brazenly stolen in front of me and via pickpockets. At least through encryption, I can give myself time. With whole disk encryption, they have to wipe the entire system before using it and I don't have to worry about any data or credentials getting out.

    I do whole disk encryption and every attempt to make it work manually with booting has failed. I've set up the crypttab, fstab, rebuilt the initrd using the standard tools, etc ... never got it working on OS devices. I can mount LUKS encrypted partitions and the LVs inside them no problem. I've pulled disks from properly working encrypted setups and accessed them on other machines too.

    It is just finding the magic incantation and which dog I need to make sacrifices towards which have eluded me.

    It is really frustrating when the default LV sizes generated by the setup are completely wrong for a specific system.

    I'll be lurking hoping someone can make some steps to do this. BTW, CentOS makes this sort of thing trivial. The RPM-based distros all have excellent disk setup tools during install.

  6. #6
    Join Date
    May 2008
    Location
    United Kingdom
    Beans
    4,795
    Distro
    Lubuntu 18.04 Bionic Beaver

    Re: No LUKS password prompt for Ubuntu installation with manual partitioning

    Quote Originally Posted by DuckHook View Post
    Old-ish tutorial, no longer maintained, but perhaps it will help: http://thesimplecomputer.info/full-d...on-with-ubuntu
    Thank you. I had come across something similar, but this one seems more comprehensive. I shall try it when I have a little time.
    Quote Originally Posted by TheFu View Post
    … every attempt to make it work manually with booting has failed.

    I'll be lurking hoping someone can make some steps to do this. BTW, CentOS makes this sort of thing trivial. The RPM-based distros all have excellent disk setup tools during install.
    Yes, it's frustrating! If I find the solution, I'll post it here. If not, I think that I'll head over to AskUbuntu and ask there, because every proposed solution that I've found so far doesn't work.

  7. #7
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: No LUKS password prompt for Ubuntu installation with manual partitioning

    Thanks for the link. After I'm done migrating my remaining 12.04 server to something newer, need to take a look. The link says the default for LUKS in Ubuntu is SHA1 in 2015? Ouch.

    Code:
    $ sudo cryptsetup status sda5_crypt 
    /dev/mapper/sda5_crypt is active and is in use.
      type:    LUKS1
      cipher:  aes-xts-plain64
      keysize: 512 bits
      device:  /dev/sda5
      offset:  4096 sectors
      size:    116224000 sectors
      mode:    read/write
      flags:   discards
    Code:
    LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha1, RNG: /dev/urandom
    are the defaults on my 16.04 box. Ouch. It is just for the header, but those are the keys to the universe. Don't see how to change that to sha512.

  8. #8
    Join Date
    May 2008
    Location
    United Kingdom
    Beans
    4,795
    Distro
    Lubuntu 18.04 Bionic Beaver

    Re: No LUKS password prompt for Ubuntu installation with manual partitioning

    Quote Originally Posted by TheFu View Post
    The link says the default for LUKS in Ubuntu is SHA1 in 2015? Ouch.
    Versions 16.04 and 16.10 use SHA256. Enter cryptsetup --help to see the defaults. Scroll right to the end of the help, and you see this (Ubuntu 16.04 and 16.10):
    Code:
    Default compiled-in device cipher parameters:
        loop-AES: aes, Key 256 bits
        plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: ripemd160
        LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/urandom
    Use cryptsetup luksDump to view a specific partition. In my case, /dev/sda3 was created by the default Ubuntu whole-disk encryption installer. The relevant results are:
    Code:
    Cipher name:       aes
    Cipher mode:       xts-plain64
    Hash spec:         sha256
    Payload offset:    4096
    MK bits:           512
    If your current setup uses SHA1, you can re-encrypt (I've used /dev/sda3 in my example). Warning: do a full backup first in case it fails! Also, it takes a long, long time to re-encrypt, but at least it gives you an ongoing progress report.
    Code:
    sudo cryptsetup-reencrypt --key-size=512 --hash=sha512 /dev/sda3
    Last edited by Paddy Landau; February 25th, 2017 at 11:06 PM. Reason: More detail, and corrections

  9. #9
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: No LUKS password prompt for Ubuntu installation with manual partitioning

    Code:
    Default compiled-in device cipher parameters:
            loop-AES: aes, Key 256 bits
            plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: ripemd160
            LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha1, RNG: /dev/urandom
    16.04 install. Looks like different builds have different options?

    But ...
    Code:
    $ sudo cryptsetup luksDump /dev/sda5
    LUKS header information for /dev/sda5
    
    Version:        1
    Cipher name:    aes
    Cipher mode:    xts-plain64
    Hash spec:      sha256
    Payload offset: 4096
    MK bits:        512
    So all isn't THAT bad.
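
Added example, not part of any post in this thread: posts #8 and #9 compare the compiled-in default shown by `cryptsetup --help` with the hash recorded in a volume's header by `cryptsetup luksDump`, and this script makes that comparison for LUKS1 output. The sample text is copied from post #9; the function names, the labels (`legacy`, `ok`, `review`, `missing`) and the `/dev/sdXN` placeholder are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Sample text is copied from post #9.

DUMP_SAMPLE='LUKS header information for /dev/sda5

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512'

HELP_SAMPLE='Default compiled-in device cipher parameters:
        loop-AES: aes, Key 256 bits
        plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: ripemd160
        LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha1, RNG: /dev/urandom'

# stdin: `cryptsetup luksDump` text (LUKS1 layout) -> the header's hash spec
header_hash() {
    awk -F: '/^Hash spec:/ { gsub(/[ \t]/, "", $2); print tolower($2); exit }'
}

# stdin: `cryptsetup --help` text -> the build's default LUKS1 header hash
default_hash() {
    sed -n 's/^[[:space:]]*LUKS1:.*LUKS header hashing:[[:space:]]*\([^,]*\),.*/\1/p' | head -n 1
}

# Hypothetical labels: sha1 is the value the thread wants to move away from.
classify_hash() {
    case "$1" in
        sha1)          echo legacy ;;
        sha256|sha512) echo ok ;;
        "")            echo missing ;;
        *)             echo review ;;
    esac
}

# $1 = luksDump text, $2 = --help text -> one summary line
report() {
    actual=$(printf '%s\n' "$1" | header_hash)
    built=$(printf '%s\n' "$2" | default_hash)
    printf 'header=%s(%s) build-default=%s(%s)\n' \
        "$actual" "$(classify_hash "$actual")" "$built" "$(classify_hash "$built")"
}

# Live use: report "$(sudo cryptsetup luksDump /dev/sdXN)" "$(cryptsetup --help)"
report "$DUMP_SAMPLE" "$HELP_SAMPLE"
```

The header value is the one that matters for an existing volume; the build default only affects volumes formatted later without an explicit `--hash`.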

  10. #10
    Join Date
    May 2008
    Location
    United Kingdom
    Beans
    4,795
    Distro
    Lubuntu 18.04 Bionic Beaver

    Re: No LUKS password prompt for Ubuntu installation with manual partitioning

    Quote Originally Posted by TheFu View Post
    16.04 install. Looks like different builds have different options?
    It certainly does! How strange.

    Quote Originally Posted by TheFu View Post
    But ...
    Code:
    Hash spec:      sha256
    You must be relieved! It seems that the installer overrides the SHA1 default.
    Last edited by Paddy Landau; March 20th, 2017 at 04:11 AM. Reason: Mistake with formatting
