
Thread: installer does not recognize luks encrypted boot partition

  1. #1
    Join Date
    Aug 2021
    Beans
    9

    installer does not recognize luks encrypted boot partition

    hi guys,

    i was trying to set up a fully encrypted system (boot and data like here: Full_Disk_Encryption_Howto_2019 - Community Help Wiki (ubuntu.com)), but the 20.04.2 installer does not recognize the luks enabled boot volume. before continuing with the installer i've used ssh to create all the partitions, create the luks partition for boot and one for data. i've added the data partition to an lvm and created the volumes. so after this is all done, the scheme looks like this:

    root@ubuntu-server:~# lsblk
    NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
    loop0 7:0 0 356.6M 1 loop /media/filesystem
    loop1 7:1 0 233.3M 1 loop
    loop2 7:2 0 57.1M 1 loop /usr/lib/modules
    loop3 7:3 0 31.1M 1 loop /snap/snapd/10707
    loop4 7:4 0 55.4M 1 loop /snap/core18/1944
    loop5 7:5 0 69.9M 1 loop /snap/lxd/19188
    loop6 7:6 0 52.7M 1 loop /snap/subiquity/2280
    sda 8:0 0 30G 0 disk
    ├─sda1 8:1 0 1G 0 part
    │ └─LUKS_BOOT 253:0 0 1022M 0 crypt
    ├─sda2 8:2 0 2M 0 part
    ├─sda3 8:3 0 128M 0 part
    └─sda5 8:5 0 28.9G 0 part
      └─sda5_crypt 253:1 0 28.9G 0 crypt
        ├─ubuntu--vg-swap_1 253:2 0 4G 0 lvm
        └─ubuntu--vg-root 253:3 0 19.9G 0 lvm
    sr0 11:0 1 1.1G 0 rom /cdrom

    so as you can see the boot partition is 1G in size and the crypt-volume is opened and named LUKS_BOOT. same for the data partition -> sda5_crypt, with the underlying lvm volumes for swap and root.

    after that i went back to the console and continued the installer till the partitioning tasks and selected custom. now the screen shows the encrypted lvm, but not the luks_boot volume. instead it only shows the raw partition as unused. how do i get the luks_boot volume to show up in the installer so that i can format it as ext4 and mount it on /boot? and last i also need to set /dev/sda as boot device, which is also not working because i can't select it





    if i do the same with the desktop version (also 20.04.2) everything works fine. any idea why they behave differently? or is there a way to boot to desktop live cd and install the server version?
    Last edited by fst001; August 10th, 2021 at 04:00 PM.

  2. #2
    Join Date
    Mar 2010
    Location
    USA
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: installer does not recognize luks encrypted boot partition

    Quote Originally Posted by fst001 View Post
    i was trying to setup a fully encrypted system (boot and data like here: Full_Disk_Encryption_Howto_2019 - Community Help Wiki (ubuntu.com)), but...

    <Edited>

    if i do the same with the desktop version (also 20.04.2) everything works fine. any idea why they behave differently? or is there a way to boot to desktop live cd and install the server version?
    Not completely sure, as I do not use LUKS, but...
    In the tutorial you followed, in the prerequisites, it said that the Desktop Version was required... In 20.04, in the installer LiveCD's, the Desktop LiveCD is the "debian installer". In the Server LiveCD, the installer is "subiquity server installer"...

    During the Live Installer Announcement, before the release: https://discourse.ubuntu.com/t/serve...0-04-lts/13631

    ...I remember there were concerns of the new installer's behavior with LUKS and its abilities at that time. If you search in the comments section, you will see 7 comments about that. https://discourse.ubuntu.com/search?...0topic%3A13631

    I think I remember during testing of the Autoinstaller, that there was mention that you had to enter the luks encryption key into the autoinstall scripts and that it was a problem that it couldn't be done interactively...

    But then on the Ubuntu ManualFullSystemEncryption Wiki page: https://help.ubuntu.com/community/Ma...stemEncryption
    It had this note about 20.04:
    Special note for 20.04: This works only if using LUKS 1. It doesn't work with LUKS 2. I don't know why.
    But I think this tutorial is a bit more complete and has diagnostics tips that might help you... https://dev-notes.eu/2020/12/LUKS-En...-Ubuntu-20.04/

    "Concurrent coexistence of Windows, Linux and UNIX..." || Ubuntu user # 33563, Linux user # 533637
    Sticky: Graphics Resolution | UbuntuForums 'system-info' Script | Posting Guidelines | Code Tags

  3. #3
    Join Date
    Aug 2021
    Beans
    9

    Re: installer does not recognize luks encrypted boot partition

    thanks for your response!

    yes i know that the installers are different but i thought this is no big deal since both use the same underlying tools to setup (i think )

    I remember there were concerns of the new installer's behavior with LUKS and its abilities at that time.
    i know that the boot partition is only allowed to be luks1 because GRUB can only open v1. so the boot partition is luks1 and the data partition is default luks2 with lvm (which the installer is picking up, when manually unlocked)

    i'll go ahead and give the links you posted a read and get back if i was able to get it up and running

  4. #4
    Join Date
    Sep 2011
    Location
    Behind you!
    Beans
    1,690
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: installer does not recognize luks encrypted boot partition

    Maybe this is similar to the issue I had creating a boot partition with LVM. There is some trickery you have to do with the new non-debian installer for some situations but I have not tried LUKS encryption.

    Ubuntu "live" Server 20.04 - How to create custom partition /boot + LVM ???

    LHammonds

  5. #5
    Join Date
    Aug 2021
    Beans
    9

    Re: installer does not recognize luks encrypted boot partition

    Quote Originally Posted by LHammonds View Post
    Maybe this is similar to the issue I had creating a boot partition with LVM. There is some trickery you have to do with the new non-debian installer for some situations but I have not tried LUKS encryption.

    Ubuntu "live" Server 20.04 - How to create custom partition /boot + LVM ???

    LHammonds
    sadly not, but thanks for the try. the problem here is that the encryption is created from the live environment, but the installer is somehow not picking up all the volumes (or simply can't handle a non LVM encrypted partition/volume)

  6. #6
    Join Date
    Aug 2021
    Beans
    9

    Re: installer does not recognize luks encrypted boot partition

    Quote Originally Posted by MAFoElffen View Post
    But I think this tutorial is a bit more complete and has diagnostics tips that might help you... https://dev-notes.eu/2020/12/LUKS-En...-Ubuntu-20.04/
    i've had a read on all your links, but was not able to find a solution

    do you, or someone else know if there is a way to boot to desktop live cd and run the server installer or use dd/chroot or whatever to manually install the server, bootloader and so on?

  7. #7
    Join Date
    Aug 2021
    Beans
    9

    Re: installer does not recognize luks encrypted boot partition

    wooooohooooo i managed to get it running

    i used the alternate installer (which is available for 20.04). it is not as comfortable as with the live, because you can't use ssh to copy the loooooooong encryption keys, but it works.

    so what i've done....


    • boot server live installer and set keyboard language
    • change to console window with alt-f2
    • edit /etc/ssh/sshd_config to allow root login
    • systemctl restart sshd
    • set root pw
    • ssh in and create partitions e.g.

    Code:
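    # target disk; every command below rewrites its partition table
    export DEV=/dev/sda
    sgdisk --new=1:0:+1G "$DEV"
    sgdisk --new=2:0:+2M "$DEV"
    sgdisk --new=3:0:+128M "$DEV"
    sgdisk --new=5:0:0 "$DEV"
    # 8301 = Linux reserved, ef02 = BIOS boot, ef00 = EFI system partition
    sgdisk --typecode=1:8301 --typecode=2:ef02 --typecode=3:ef00 --typecode=5:8301 "$DEV"
    sgdisk --change-name=1:/boot --change-name=2:GRUB --change-name=3:EFI-SP --change-name=5:rootfs "$DEV"
    sgdisk --hybrid 1:2:3 "$DEV"

    # show the resulting layout
    sgdisk --print "$DEV"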


    • create luks volumes

    Code:
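    # /boot container is formatted as LUKS1 so that GRUB can open it
    cryptsetup luksFormat --type=luks1 /dev/sda1
    # data container uses the cryptsetup default format
    cryptsetup luksFormat /dev/sda5
    cryptsetup open /dev/sda1 LUKS_BOOT
    cryptsetup open /dev/sda5 sda5_crypt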

    • format partitions

    Code:
    mkfs.ext4 -L boot /dev/mapper/LUKS_BOOT
    mkfs.vfat -F 16 -n EFI-SP /dev/sda3

    • create lvm on top of luks (for / and swap)

    Code:
    pvcreate /dev/mapper/sda5_crypt
    vgcreate ubuntu-vg /dev/mapper/sda5_crypt
    lvcreate -L 4G -n swap_1 ubuntu-vg
    lvcreate -l 80%FREE -n root ubuntu-vg


    • reboot and boot from alternate installer, continue till keyboard language is set
    • alt-f2 to change to console
    • mount luks partitions

    Code:
    cryptsetup open /dev/sda1 LUKS_BOOT
    cryptsetup open /dev/sda5 sda5_crypt

    • alt-f1 to move back to the installer
    • continue till disk setup -> manual
      • swap -> use as swap
      • sda5_crypt-ubuntu-vg-root -> ext4 + format -> mountpoint /
      • LUKS_BOOT -> ext4 + format -> mountpoint /boot

    • save layout and continue
    • continue installer till bootloader -> do not proceed yet
    • alt-f2 to console
    • create folders under /target/etc if they do not exist and execute

    Code:
    # create the drop-in directory if it does not exist yet
    mkdir -p /target/etc/default/grub.d
    echo "GRUB_ENABLE_CRYPTODISK=y" > /target/etc/default/grub.d/local.cfg

    • alt-f1 to installer and install bootloader
    • alt-f2 to console and run the following commands

    Code:
    mount /dev/mapper/ubuntu--vg-root /target
    for n in proc sys dev etc/resolv.conf; do mount --rbind /$n /target/$n; done
    chroot /target
    # everything below runs inside the chroot
    mount -a
    apt install -y cryptsetup-initramfs
    # copy keyfiles matching this pattern into the initramfs
    echo "KEYFILE_PATTERN=/etc/luks/*.keyfile" >> /etc/cryptsetup-initramfs/conf-hook
    # the initramfs now contains key material, so make it readable by root only
    echo "UMASK=0077" >> /etc/initramfs-tools/initramfs.conf
    mkdir -p /etc/luks
    dd if=/dev/urandom of=/etc/luks/boot_os.keyfile bs=512 count=1
    chmod u=rx,go-rwx /etc/luks
    chmod u=r,go-rwx /etc/luks/boot_os.keyfile
    # enrol the keyfile in a key slot on both LUKS containers
    cryptsetup luksAddKey /dev/sda1 /etc/luks/boot_os.keyfile
    cryptsetup luksAddKey /dev/sda5 /etc/luks/boot_os.keyfile
    echo "LUKS_BOOT UUID=$(blkid -s UUID -o value /dev/sda1) /etc/luks/boot_os.keyfile luks,discard" >> /etc/crypttab
    echo "sda5_crypt UUID=$(blkid -s UUID -o value /dev/sda5) /etc/luks/boot_os.keyfile luks,discard" >> /etc/crypttab
    update-initramfs -u -k all

    • reboot and enjoy a fully encrypted system


    credits go to this tut Full_Disk_Encryption_Howto_2019 - Community Help Wiki (ubuntu.com) - i only changed it to match the server version which was not too straightforward. so hopefully the ubuntu guys fix this flaw in the live installer soon

    enjoy!
    Last edited by fst001; August 16th, 2021 at 06:09 AM.
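
A check for the settings that the procedure in post #7 depends on, as an added example that is not part of the thread and not Ubuntu tooling. The function name `audit_fde_config` and its helper `need` are hypothetical; it takes a root prefix (`/target` from the installer console, `/` on the booted system) and returns the number of failed checks.

```shell
#!/bin/sh
# Added example: audit the files written in post #7 under a root prefix.
# audit_fde_config and need are hypothetical names, not Ubuntu tooling.
audit_fde_config() {
    root=${1%/}; fails=0
    need() {  # need FILE REGEX LABEL: FILE must contain a line matching REGEX
        if grep -Eq "$2" "$root$1" 2>/dev/null; then echo "ok   $3"
        else echo "FAIL $3 (expected in $1)"; fails=$((fails + 1)); fi
    }
    # GRUB only unlocks an encrypted /boot when cryptodisk support is enabled.
    need /etc/default/grub.d/local.cfg '^GRUB_ENABLE_CRYPTODISK=y$' 'GRUB cryptodisk enabled'
    # The hook copies keyfiles matching this pattern into the initramfs ...
    need /etc/cryptsetup-initramfs/conf-hook '^KEYFILE_PATTERN=' 'KEYFILE_PATTERN set'
    # ... so the generated initramfs must not be readable by non-root users.
    need /etc/initramfs-tools/initramfs.conf '^UMASK=0077$' 'initramfs UMASK=0077'

    # Every keyfile named in crypttab must exist with no group/other bits set.
    tab=$root/etc/crypttab
    if [ ! -r "$tab" ]; then echo "FAIL no readable crypttab"; return $((fails + 1)); fi
    while read -r name src key opts; do
        case $name in ''|'#'*) continue ;; esac
        case $key in
            ''|none|-) echo "ok   $name: passphrase prompt, no keyfile"; continue ;;
        esac
        if [ ! -f "$root$key" ]; then
            echo "FAIL $name: keyfile $key missing"; fails=$((fails + 1)); continue
        fi
        # Characters 5-10 of the ls mode string are the group and other bits.
        perms=$(ls -ld "$root$key" | cut -c5-10)
        if [ "$perms" = "------" ]; then echo "ok   $name: $key is owner-only"
        else echo "FAIL $name: $key is group/other accessible"; fails=$((fails + 1)); fi
    done < "$tab"
    return "$fails"
}
```

Run it as `audit_fde_config /target` before rebooting out of the installer; a non-zero return value is the count of failed checks.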

  8. #8
    Join Date
    Sep 2011
    Location
    Behind you!
    Beans
    1,690
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: installer does not recognize luks encrypted boot partition

    Hmmm....looks like I need to update the Ubuntu Server 20.04 - Difference between "live" and "legacy" thread and add this issue to it as well.

    LHammonds

  9. #9
    Join Date
    Mar 2010
    Location
    USA
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: installer does not recognize luks encrypted boot partition

    Congrats on figuring that one out! My hat off to you on that.

    Sometimes I wish we could tag/save a specific post. That was full of a lot of good information.


  10. #10
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: installer does not recognize luks encrypted boot partition

    Quote Originally Posted by MAFoElffen View Post
    Congrats on figuring that one out! My hat off to you on that.

    Sometimes I wish we could tag/save a specific post. That was full of a lot of good information.
    We can. I use vimwiki to save off links and any content with my notes added. For stuff I want to keep a local copy, there's wallabag. Or did you want a way for the forum software to make this easy?
