Posts Tagged 'disk encryption'

Reusing existing encrypted logical volumes while installing Ubuntu 8.10

…I couldn’t think of a longer title :)

Here’s the situation: I have a desktop which ran Debian Etch and later Lenny, and now I want to run Ubuntu Intrepid on it. Some might say that you could use the wonders of APT to dist-upgrade the system, but that seemed a bit of a long stretch to me. In any case, getting a fresh installation would be a lot easier.

However, I wanted to keep the partitions which had been carefully laid out when I installed Etch: I mostly followed the recipe that’s in this earlier post of mine, which produced an encrypted volume with a few LVM volumes inside that. Keeping this structure saves you

  • moving the data in /home back and forth (actually, the forth part is still necessary, because you wouldn’t want to do this without backups, but at least you save yourself the back part)
  • going through the whole encrypted/LVM partitioning-shebang again (although you could reasonably opt out of filling the disk with random bits since that’s happened before)
  • uhm, I can’t remember point three…

Here’s the little problem: the Intrepid alternate installer doesn’t give you the option of opening existing LUKS volumes or activating LVM volumes. Luckily, I found some hints in this Debian bug-report. In fact going by the pointers that FJP gives there, you don’t really need me to tell you anything more – but I’ll still do it anyway to document that/how it works with the Intrepid alternate installer.

Some time before you enter the partitioner, you change to another console (e.g. Ctrl-Alt-F2), and type

modprobe dm-mod
modprobe aes
cryptsetup luksOpen /dev/sdx2 sdx2_crypt # replace x and 2
# enter the passphrase...
vgchange -a y group_name # replace group_name

After that, you can go into the partitioner, and your LVM volumes will appear. If you do the above after entering the partitioner, it doesn’t recognise them correctly for some reason that’s too deep for me to grasp. Now you’ll still have to set the mount points, and you need to be careful when choosing which volumes to format (not /home, for example). The installation then proceeds as usual. Read on before you reboot though:

I rebooted straight after the install finished, and ran into the problem that the installer hadn’t written /etc/crypttab, so that the encrypted volume did not get unlocked and booting failed. It was easily fixable, using the install-cd in rescue mode. For some reason in rescue mode it asks the same questions as during the install, but I ignored that and asked for a command prompt (it’s in the menu, sorry I didn’t take screenshots…):

modprobe dm-mod
modprobe aes
cryptsetup luksOpen /dev/sdx2 sdx2_crypt # replace as before
# enter passphrase
vgchange -a y group_name
mkdir /target # don't worry, this is in temporary space
mount -t ext3 /dev/group_name/root_vol /target # mount your root dir ("/")
mount -t ext3 /dev/group_name/home_vol /target/home # optional?
mount -t ext3 /dev/sdx1 /target/boot # replace x and 1
mount -t proc /proc /target/proc
mount -t sysfs /sys /target/sys
chroot /target

Now, you’re not fiddling in temporary space anymore – just thought I’d mention it. Oh and for some reason mount complained when I tried this without specifying the ext3 filesystem types, I don’t see why. Let’s continue: we’re going to make an entry in /etc/crypttab, and then rebuild the boot image.

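# fields: mapping name, source device, key file (none = ask for the passphrase), options
echo "sdx2_crypt /dev/sdx2 none luks" >> /etc/crypttab
# -k all rebuilds the initrd of every installed kernel, not only the newest
update-initramfs -u -k all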

This rewrites the initrd images in your /boot, so that next time they’ll ask you to unlock the cryptodisk. I would not do the echoing, preferring an editor instead, but you get the idea. Most probably, you can also do all this before rebooting after the installer has done its work – that would save you some hassle (let me know if that works for you, thanks!).
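A way to do the crypttab step without a blind `echo >>`, as an added example that is not part of the original post: it appends the entry only if the mapping is not there yet and then checks that the entry is well-formed, so it can be run in the chroot before `update-initramfs`. The script name, the `CRYPTTAB` override and the function names are assumptions; `sdx2_crypt` and `/dev/sdx2` are the post's placeholders.

```shell
#!/bin/sh
# Added example: add and verify the crypttab entry before rebooting.
# CRYPTTAB can point at a scratch file to try the functions out.
CRYPTTAB="${CRYPTTAB:-/etc/crypttab}"

# crypttab_has NAME: true if some line maps NAME.
crypttab_has() {
    [ -f "$CRYPTTAB" ] || return 1
    awk -v n="$1" '$1 == n { found = 1 } END { exit !found }' "$CRYPTTAB"
}

# crypttab_add NAME DEVICE: append "NAME DEVICE none luks" unless NAME is
# already mapped, so repeating the step never leaves duplicate entries.
crypttab_add() {
    name=$1 dev=$2
    case $name in
        ''|*[!A-Za-z0-9_.-]*) echo "bad mapping name: $name" >&2; return 2 ;;
    esac
    case $dev in
        /dev/*|UUID=*) ;;   # UUID=... is accepted by current crypttab tools
        *) echo "bad source device: $dev" >&2; return 2 ;;
    esac
    if crypttab_has "$name"; then
        echo "$name already in $CRYPTTAB, not adding it again" >&2
        return 0
    fi
    printf '%s %s none luks\n' "$name" "$dev" >> "$CRYPTTAB"
}

# crypttab_check NAME: print "ok" only if exactly one entry maps NAME and it
# has the four fields (target, source, key file, options) with "luks" set.
crypttab_check() {
    awk -v n="$1" '
        $1 ~ /^#/ || NF == 0 { next }
        $1 == n {
            seen++
            if (NF < 4) bad = "fewer than 4 fields"
            else if (("," $4 ",") !~ /,luks,/) bad = "luks option missing"
        }
        END {
            if (seen == 0) { print "no entry for " n; exit 1 }
            if (seen > 1)  { print "duplicate entries for " n; exit 1 }
            if (bad != "") { print bad; exit 1 }
            print "ok"
        }' "$CRYPTTAB"
}

# Inside the chroot: sh crypttab-entry.sh sdx2_crypt /dev/sdx2
if [ $# -eq 2 ]; then
    crypttab_add "$1" "$2" && crypttab_check "$1"
fi
```

Only when the check prints `ok` is it worth rebuilding the initrd images and rebooting.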

Finally, in case you’re curious: Intrepid Ibex is quite neat. I’ll be a frequent user of the on-the-fly guest account feature.

Eight tips for a robust Ubuntu Hardy installation

It’s been a while since I wrote stuff here – ironically I thought it was cool to get my own domain name, and then I ended up having too much fun on the GNU/Linux blog I also started. This should actually also go on the other blog, but I really wanted to write something here :)

Besides, the more Ubuntu buzz on blogs, the better, right? With the release of Ubuntu 8.04 this week, it couldn’t be a better time.

About these tips

If you’re new to the GNU/Linux operating system, this may not be for you. Nothing I’m mentioning here is complicated in any way, but it sort of assumes you’re reasonably comfortable finding your way around in Ubuntu. Instead, you may want to check out the Ubuntu website and, if you’re looking for help, the Ubuntu Forums.

The tips I’m listing here are a personal collection of things that I think might make your Ubuntu system that little bit more robust. That’s not only in a security or stability sense: I’m also thinking about protecting my system from my own tweaking and fiddling around (which you’ll inevitably do if you want to learn new things).

The tips here are most simple to act on at installation time, so I’ve sort of turned this into an installation advice list. Quite a few pointers here point back to my own writing of this week, for which I apologise. My middle name is not Narcissus, but those pieces needed a good overview to connect them, and this is it.

Preparations

1. Check hardware compatibility before you start – this is still a big problem for all free-software operating systems. By now, it’s no longer a problem the developers can really help: all hardware could be made compatible if some manufacturers weren’t so secretive about the devices they make. As a sad result, the Ubuntu Forums are full of reports on (mostly) hardware compatibility problems.

No general recommendations here, but you’ll want to be prepared. If your wifi chip vendor is an ***, it’s helpful to know which packages and other files you need to have at hand. A few pointers: HardwareSupport on the Ubuntu wiki pages, TuxMobil, UbuntuHCL.org.

2. Download a disc image using BitTorrent – it takes some persistence to find the page with the torrent links for Hardy if you start from the Ubuntu frontpage. I presume they don’t want to confuse new users. Of course, using the torrents takes some load off the main servers, helps some people, and (best of all) it’s likely faster too (especially now, just after the release date).

If you’re interested in the tips in the next section, you’ll want the alternate installer disc image.

Installation

Almost all choices you make during installation are revertible later on. I mean, you can always change your username, clock settings (local or UTC time?), which packages you want. One thing is a bit more tricky to change later, and that’s partitioning your disk(s). The alternate installer gives you some neat extra partitioning options which I want to highlight here.

3. Logical Volume Management - creating your file systems as LVM logical volumes gives you a lot more flexibility. The LVM HOWTO has a section “Benefits of Logical Volume Management on a Small System” which however doesn’t mention one of its cooler features: snapshots. LVM snapshots allow you to keep an image of your file system frozen at some point in time.

That will be useful for at least one thing: six months from now, you can take a snapshot of your root file system, upgrade to Ubuntu 8.10, and if it didn’t work well (proprietary video and wifi drivers seem to have regressions to no end), you still have a working 8.04 snapshot you can boot to use until you fixed the upgrade.

The other useful application for the home user: it’s easier to create consistent backups from a snapshot. Now, while you’re at it, I’d combine LVM with…

4. Disk encryption - reusing the rationale from this post: “if someone steals your laptop, you’ll worry a lot less about them getting access to your email and other important accounts (think browser cookies…). In case you’re wondering why the user login won’t protect you: anyone with physical access to the machine – like a thief – can just reboot and start in single-user mode, thereby getting root user privileges. Not so with an encrypted disk”.

Be sure to make frequent backups though – recovering data from an encrypted disk can be hard.

Post-installation

5. Set up version control on your configuration files - before you stroll off to your favourite geek forum and take advice from everyone and their dog to alter all kinds of stuff in configuration files under /etc, you might want to ensure that you can always get back what it said originally. Don’t get me wrong, I also try risky stuff people I’ve never met recommend to me, but I really like to keep track of those actions, too. So here you go: version control on /etc using Bazaar. As explained there, version control gives you some cool flexibility that a simple backup wouldn’t.

6. Installing additional packages: use aptitude – actually that’s not really what I want to recommend. There are quite a few APT front-ends and it’s worth checking out several, especially if you’ve never looked beyond Synaptic. So check out a few, and then decide that you like aptitude :)

Aptitude runs in a console, and has both a direct command line mode and an interactive mode. Its killer feature for me: it tracks which packages were only installed as dependencies of a package you really chose. So if you ever tell it to remove that package, it will remove its dependencies, too.

Here’s a more elaborate discussion of the tool’s merits.

7. Keep non-repo software under /usr/local – just one more quote of my own writing (promised!): “To ensure that the package manager doesn’t interfere with software you installed “manually” (i.e. not through dpkg, apt-get, aptitude, synaptic, …), there’s an article in the Filesystem Hierarchy Standard that says everything you install manually should go into /usr/local (or /opt, actually) and not directly into /usr.”

If you want to make it easier for yourself to enforce that policy, without reading every line of every install script you use, you might like to check out that post. It’s about installing software on /usr/local without full root privileges.

8. Secure your web browser – with properly set user permissions, should you now bother with such things as a firewall and a virus scanner on your desktop (laptop) machine? Probably not. (Although I wonder if everybody is sudoing all the time, won’t somebody exploit that at some point? How high are the chances that a malicious script that’s trying to use sudo hits you while a sudo session that you started is still open? Not sure how that would work, but then I’m not a seasoned malware designer).

A lot of executable code that you rake in as a normal user is stuff coming through your web browser: scripts on web pages, but also (Firefox) browser plug-ins. Malicious code in those can only destroy stuff that you have write permission for, and can only collect information that you have read permission for (which is typically most of other users’ data!), so decide if you think that’s still worrying. A good start for securing Firefox is this overview at Ubuntu Forums.

Wrap up

That’s all I could produce in my spare time this week… hope it’s useful. I’d love to hear if it is. Commenting here does not require you to leave any contact details (hint!). Thanks for reading.

Installing Ubuntu 8.04 with full disk encryption

“Update”: it’s been ages since this was first posted, but I still use a system that’s configured as described below. The hardware under it has changed, and it’s seen some distribution upgrades, but I’m quite happy with this old disk layout. It’s good news then, that Ahmad, Niels, and Matt report that you can still do the same on Ubuntu 10.04 LTS. Thanks guys, means I still don’t have to write anything new!

This is a brief walk-through of installing Ubuntu Hardy Heron (I used the release candidate, see the previous post) with a LUKS encrypted LVM partition, and preparing it for snapshot backup (explained below). You will need the “alternate” installer for this (ie. not the “desktop” Live CD).

A couple of months ago I did the same thing for my other machine using the Debian 4.0 (Etch) installer and as far as I can remember it was exactly the same procedure. At the time I was planning to run this installation again in a virtual machine and take screenshots, but actually it is really simple (cheers to the team that wrote the installer!) and if you’re attempting this you probably don’t appreciate such hand-holding anyway. So I didn’t bother to make neat virtual-machine screenshots, but to lighten up the text I did put in some crufty digital-camera screenshots here and there.

Why would you want this?

For a home user like me, I think it makes most sense to have this on a laptop. While even strong encryption can’t guarantee that no one will ever read your data, the real-world scenario is of course that you don’t really have anything to hide. Encryption is rather an extra convenience: if someone steals your laptop, you’ll worry a lot less about them getting access to your email and other important accounts (think browser cookies…). In case you’re wondering why the user login won’t protect you: anyone with physical access to the machine – like a thief – can just reboot and start in single-user mode, thereby getting root user privileges. Not so with an encrypted disk.

An objection here is that your CPU will have to do some extra crypto-exercise whenever you read or write to disk, and that will cost some battery life. I haven’t quantitated this but it doesn’t seem to make a huge difference (sorry, that’s a worthless statement indeed). I didn’t notice any slowdown either, using a 1.8GHz Turion64 (more worthless subjectiveness).

What about the LVM stuff? The whole logical volume management thing was mainly designed to give you flexible storage options (eg. add a hard disk and simply expand your existing partitions onto it), and of course that’s not really important for a home user. Heh, in a laptop you’re certainly not very likely to add a new disk. However there’s one feature of LVM that I think is useful to us: snapshots. An LVM snapshot gives special access to your file system as if frozen at some point in time. That means you can run a backup using the snapshot and you can continue working at the same time, without worrying that the backup will catch files in some inconsistent state because you were writing to them.

That’s not a big advantage, because it’s not a big problem most of the time. But as it’s so easy to set up now, why not do it? One downside I can see is that it makes it a bit trickier to access your file system from a recovery disk. Any recovery tool understands plain ext3 partitions (even MS Windows can access those), but if you want to open an (encrypted) LVM partition you might need to check the feature page of the recovery tool, and jump through a few more hoops. In the end, of course, you set this up to enable snapshot backups – so you shouldn’t need recovery tools to begin with ;)

Enough talking, let’s get on with it

[Screenshot: Ubuntu installer boot menu. Caption: All rise please :)]

What follows below is really confusing, because everything is referred to as a “partition”. The traditional partitions on your physical hard disk are called partitions, but then inside your encrypted volume you’ll also create an LVM partition, and as far as the installer is concerned the logical volumes you’ll create inside the LVM are also called partitions. There’s probably a more formal lingo for this but I don’t know it. Besides, calling all these things partitions also shows the elegance and transparency of the system: despite the fancy stuff all your encrypted logical volumes eventually appear to be plain partitions.

One more note: on my laptop, I had to disable the frame buffer (see yesterday’s post). The crufty camera shots below may look slightly different than what you’ll get served.

Ok, so you have the alternate install cd. Boot it and answer some basic stuff (keyboard layout etc) until you get to the disk partitioner. The partitioner has an automatic option “set up encrypted LVM”, which uses the entire disk, creates a small unencrypted boot partition, fills the rest of the disk with an encrypted LVM partition, and creates two volumes within it: one for swap space and one that holds your root file system.

For our purposes, we’ll have to opt out of the automatic option: it doesn’t leave free space for snapshots, and I also really prefer a separate volume for /home. Manual partitioning it is, then.

We start with creating a plain partition to mount as /boot later. I think 100MB has always been more than enough for that, but the automatic partitioner took 250MB: good if you want to be on the safe side. All you need to do is specify the mount point – the standard options for an ext3 file system are fine I think.

I took one big partition to cover the rest of the disk. Here, we choose to use it as “physical volume for encryption”. Again, all the standard dm-crypt options are just fine as far as I’m concerned. But never trust a lame blogger: you can read more about your choices in the Debian Installation manual – currently, section 6.3.2.4 covers encrypted volume options. After that, you’re “Done setting up the partition”.

[Screenshot: /boot and crypto volume. Caption: The partitions overview by now]

At this point, the main partitioner menu becomes a little bit unintuitive (it’s just a layout problem really): the option to Configure encrypted volumes appears at the top, where you may not expect it because you’ve been configuring partitions in the lines below. This prompts you to commit your partition changes and wait for the secure erase of the partition to be encrypted (this fills the partition with random bits and takes quite a while). When that’s done, you’ll need to choose a passphrase that unlocks the partition.

You’ll be typing this passphrase quite often (unless you suspend rather than hibernate or shut-down most of the time – note that disk encryption doesn’t protect your suspended system in any way) so my advice is not to pick something too secure ;) If you want to be fancy, you can later create a key file to unlock the system disk using a USB key. Here’s a description that works for Debian Etch; I didn’t try on Ubuntu Hardy yet, but I believe there have been alterations to the boot process which may change the details slightly.

[Screenshot: encrypted volume. Caption: Note the new entry]

Now, when you get back to the main partitioner menu, “Encrypted volume” should show up as a new disk. There’s one partition inside it, marked #1, which we’ll use as “physical volume for LVM”. Back in the main menu, again a new option appears at the top – Configure the logical volume manager.

Create a volume group, using your one LVM partition (this seems a bit silly in this context but it would make sense if we had many disks to manage). Now you can create logical volumes within that volume group. I took a generous 10GB to configure as / later, a 1GB swap partition (note: take more if you have more RAM installed and want to write a hibernation file to it), and most of the rest of the disk to mount as /home later. At this point I left a few GB free to be able to create snapshot volumes later.

[Screenshot: LVM configuration. Caption: The LVM config menu]

[Screenshot: LVM configuration. Caption: Configuration details: note the bit of free space left. Volume names are arbitrary.]

You don’t need much space for a snapshot volume: it only stores reverse changes of your main file system from the time point where you created the snapshot. Unless you leave your snapshot around for days, “a few GB” is in fact far too much. If you’re getting curious how the snapshot backups will work, see this guide from the LVM HOWTO.
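The snapshot backup that this layout leaves free space for, and that tip 3 of the "Eight tips" post mentions, as an added example that is not taken from the original posts or the LVM HOWTO. `group_name` and `home_vol` are the placeholder names used in the commands earlier on this page; the script name, the 1G snapshot size, the `/backup` destination and the `RUN` and `STAMP` variables are assumptions.

```shell
#!/bin/sh
# Added example: back up one logical volume from an LVM snapshot.
# RUN=echo (the default) only prints the commands; run with RUN= as root
# to execute them. STAMP names the archive.
RUN="${RUN-echo}"
STAMP="${STAMP:-$(date +%Y%m%d)}"

# snapshot_backup VG LV SNAP_SIZE DEST_DIR
snapshot_backup() {
    vg=$1 lv=$2 size=$3 dest=$4
    snap="${lv}_snap"
    mnt="/mnt/$snap"

    # Point-in-time view of the volume. SNAP_SIZE comes out of the free
    # space left in the volume group and only has to hold the blocks that
    # change on the origin while the snapshot exists.
    $RUN lvcreate --snapshot --size "$size" --name "$snap" "/dev/$vg/$lv" ||
        return 1

    # Archive from the frozen view. If the snapshot overflows it is
    # invalidated, reads fail, and tar's exit status ends up in rc.
    $RUN mkdir -p "$mnt" &&
        $RUN mount -o ro "/dev/$vg/$snap" "$mnt" &&
        $RUN tar -C "$mnt" -czf "$dest/$lv-$STAMP.tar.gz" .
    rc=$?

    # Always clean up: a forgotten snapshot keeps growing until it is full.
    $RUN umount "$mnt" 2>/dev/null
    $RUN lvremove -f "/dev/$vg/$snap"
    return $rc
}

# Example: RUN= sh snapshot-backup.sh group_name home_vol 1G /backup
if [ $# -eq 4 ]; then
    snapshot_backup "$@"
fi
```

The archive written to the destination directory is not encrypted by this script, so it needs the same care as the disk it was taken from.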

[Screenshot: with logical volumes now. Caption: Back in the main menu…]

So now you’re finished configuring LVM, and you get back to the main partitioner menu. It’s really crowded now: the LVM logical volumes show up as separate disks in addition to the physical disks and the encrypted volume. This is where you configure the partitions on the logical volumes, which are again marked #1. I’m only deviating from the default options in one case: for /home I chose to reserve 0% reserved blocks – I don’t think a full /home can bring the system down (but correct me if I’m wrong! update: it seems I am, see this comment below).

What else? Nothing. Scroll all the way down to find the “Finish partitioning” option and wait while your system gets installed. Unlike with the “desktop” installer you don’t have a live system that allows you to browse the internet while the install is running, so bring out your knitting kit now… (you’ll have to do speed-knitting though, the installer is pretty fast).

How simple was that? I’d say: another cheer for the installer team!


