“Update”: it’s been ages since this was first posted, but I still use a system that’s configured as described below. The hardware under it has changed, and it’s seen some distribution upgrades, but I’m quite happy with this old disk layout. It’s good news then, that Ahmad, Niels, and Matt report that you can still do the same on Ubuntu 10.04 LTS. Thanks guys, means I still don’t have to write anything new!
This is a brief walk-through of installing Ubuntu Hardy Heron (I used the release candidate, see the previous post) with a LUKS encrypted LVM partition, and preparing it for snapshot backup (explained below). You will need the “alternate” installer for this (ie. not the “desktop” Live CD).
A couple of months ago I did the same thing for my other machine using the Debian 4.0 (Etch) installer and as far as I can remember it was exactly the same procedure. At the time I was planning to run this installation again in a virtual machine and take screenshots, but actually it is really simple (cheers to the team that wrote the installer!) and if you’re attempting this you probably don’t appreciate such hand-holding anyway. So I didn’t bother to make neat virtual-machine screenshots, but to lighten up the text I did put in some crufty digital-camera screenshots here and there.
Why would you want this?
For a home user like me, I think it makes most sense to have this on a laptop. While even strong encryption can’t guarantee that no one will ever read your data, the real-world scenario is of course that you don’t really have anything to hide. Encryption is rather an extra convenience: if someone steals your laptop, you’ll worry a lot less about them getting access to your email and other important accounts (think browser cookies…). In case you’re wondering why the user login won’t protect you: anyone with physical access to the machine – like a thief – can just reboot and start in single-user mode, thereby getting root user privileges. Not so with an encrypted disk.
An objection here is that your CPU will have to do some extra crypto-exercise whenever you read or write to disk, and that will cost some battery life. I haven’t quantitated this but it doesn’t seem to make a huge difference (sorry, that’s a worthless statement indeed). I didn’t notice any slowdown either, using a 1.8GHz Turion64 (more worthless subjectiveness).
What about the LVM stuff? The whole logical volume management thing was mainly designed to give you flexible storage options (eg. add a hard disk and simply expand your existing partitions onto it), and of course that’s not really important for a home user. Heh, in a laptop you’re certainly not very likely to add a new disk. However there’s one feature of LVM that I think is useful to us: snapshots. An LVM snapshot gives special access to your file system as if frozen at some point in time. That means you can run a backup using the snapshot and you can continue working at the same time, without worrying that the backup will catch files in some inconsistent state because you were writing to them.
That’s not a big advantage, because it’s not a big problem most of the time. But as it’s so easy to set up now, why not do it? One downside I can see is that it makes it a bit trickier to access your file system from a recovery disk. Any recovery tool understands plain ext3 partitions (even MS Windows can access those), but if you want to open an (encrypted) LVM partition you might need to check the feature page of the recovery tool, and jump through a few more hoops. In the end, of course, you set this up to enable snapshot backups – so you shouldn’t need recovery tools to begin with ;)
Enough talking, let’s get on with it
All rise please :)
What follows below is really confusing, because everything is referred to as a “partition”. The traditional partitions on your physical hard disk are called partitions, but then inside your encrypted volume you’ll also create an LVM partition, and as far as the installer is concerned the logical volumes you’ll create inside the LVM are also called partitions. There’s probably a more formal lingo for this but I don’t know it. Besides, calling all these things partitions also shows the elegance and transparancy of the system: despite the fancy stuff all your encrypted logical volumes eventually appear to be plain partitions.
One more note: on my laptop, I had to disable the frame buffer (see yesterday’s post). The crufty camera shots below may look slightly different than what you’ll get served.
Ok, so you have the alternate install cd. Boot it and answer some basic stuff (keyboard layout etc) until you get to the disk partitioner. The partitioner has an automatic option “set up encrypted LVM”, which uses the entire disk, creates a small unencrypted boot partition, fills the rest of the disk with an encrypted LVM partition, and creates two volumes within it: one for swap space and one that holds your root file system.
For our purposes, we’ll have to opt out of the automatic option: it doesn’t leave free space for snapshots, and I also really prefer a separate volume for /home. Manual partitioning it is, then.
We start with creating a plain partition to mount as /boot later. I think 100MB has always been more than enough for that, but the automatic partitioner took 250MB: good if you want to be on the safe side. All you need to do is specify the mount point – the standard options for an ext3 file system are fine I think.
I took one big partition to cover the rest of the disk. Here, we choose to use it as “physical volume for encryption”. Again, all the standard dm-crypt options are just fine as far as I’m concerned. But never trust a lame blogger: you can read more about your choices in the Debian Installation manual – currently, section 6.3.2.4 covers encrypted volume options. After that, you’re “Done setting up the partition”.
The partitions overview by now
At this point, the main partitioner menu becomes a little bit unintuitive (it’s just a layout problem really): the option to Configure encrypted volumes appears at the top, where you may not expect it because you’ve been configuring partitions in the lines below. This prompts you to commit your partition changes and wait for the secure erase of the partition to be encrypted (this fills the partition with random bits and takes quite a while). When that’s done, you’ll need to choose a passphrase that unlocks the partition.
You’ll be typing this passphrase quite often (unless you suspend rather than hibernate or shut-down most of the time – note that disk encryption doesn’t protect your suspended system in any way) so my advice is not to pick something too secure ;) If you want to be fancy, you can later create a key file to unlock the system disk using a USB key. Here’s a description that works for Debian Etch; I didn’t try on Ubuntu Hardy yet, but I believe there have been alterations to the boot process which may change the details slightly.
Note the new entry
Now, when you get back to the main partitioner menu, “Encrypted volume” should show up as a new disk. There’s one partition inside it, marked #1, which we’ll use as “physical volume for LVM”. Back in the main menu, again a new option appears at the top – Configure the logical volume manager.
Create a volume group, using your one LVM partition (this seems a bit silly in this context but it would make sense if we had many disks to manage). Now you can create logical volumes within that volume group. I took a generous 10GB to configure as / later, a 1GB swap partition (note: take more if you have more RAM installed and want to write a hibernation file to it), and most of the rest of the disk to mount as /home later. At this point I left a few GB free to be able to create snapshot volumes later.
The LVM config menu
Configuration details: note the bit of free space left. Volume names are arbitrary.
You don’t need much space for a snapshot volume: it only stores reverse changes of your main file system from the time point where you created the snapshot. Unless you leave your snapshot around for days, “a few GB” is in fact far too much. If you’re getting curious how the snapshot backups will work, see this guide from the LVM HOWTO.
Back in the main menu…
So now you’re finished configuring LVM, and you get back to the main partitioner menu. It’s really crowded now: the LVM logical volumes show up as separate disks in addition to the physical disks and the encrypted volume. This is where you configure the partitions on the logical volumes, which are again marked #1. I’m only deviating from the default options in one case: for /home I chose to reserve 0% reserved blocks – I don’t think a full /home can bring the system down (but correct me if I’m wrong! update: it seems I am, see this comment below).
What else? Nothing. Scroll all the way down to find the “Finish partitioning” option and wait while your system gets installed. Unlike with the “desktop” installer you don’t have a live system that allows you to browse the internet while the install is running, so bring out your knitting kit now… (you’ll have to do speed-knitting though, the installer is pretty fast).
How simple was that? I’d say: another cheer for the installer team!
Thanks! Worked well.
Hi Joe, thanks for leaving a comment! Glad it worked.
Extra info: I just found that Phoronix evaluated the performance of a setup with an encrypted file system recently:
http://www.phoronix.com/scan.php?page=article&item=ubuntu_hdd_encrypt&num=1
Thank you! This was a great guide. Easy to follow even for a beginner like me. But the linked page on how to setup passwordless disk encryption is VERY hard to grasp in comparison. I can’t manage it. Which is sad because I was really looking forward to using a keyfile for my encrypted drive. When I read about that feature being added to Hardy I assumed that it would be doable through the installer menus. Maybe in the next release…
Great post! Exactly what I was looking for.
Btw ext reserved space is also used to avoid fragmentation. I usually reserve 1% for non-root filesystems
Thanks, Jon – and I agree, that tutorial is not so easy. It works though (I used it on my desktop machine). It would be very cool if it became an automated part in the next installer.
Hi Dieter, thanks – I’ll flag the reserved-blocks item as bad advice. I searched for a bit but couldn’t find a good explanation of how ext2/3 prevent fragmentation, and I’m curious now… would you have any pointers for me?
(ps: I’m removing some pingbacks that came from my other posts this week… starts to look like I’m talking to myself too much :))
Thanks for the article! I didn’t realise the Ubuntu installer had this feature. It adds a bit of peace-of-mind when I’m lugging my old laptop from city to city…
Now, I was wondering. Is there an easy way to change the password later?
Hi, thanks – yes it’s not too hard to do that:
Basically you add a second password with something like “sudo cryptsetup luksAddKey /dev/sda2” where you use the device name of the encrypted partition. It prompts you for the existing password and then tells you in which “slot” that is.
You can then use the new password to remove the old one. It’s a kind of nice and safe procedure. See “man cryptsetup” for the exact commands, there’s luksAddKey and luksDelKey and some more stuff.
You mention making snapshots to do backups. I have a ext3 filesystem encrypted with cryptsetup (luks) on a LVM partition and would like to make snapshot of the partition so that I can back it up with dump. Making the snapshot is easy enough
lvcreate –size 1m –snapshot –name snap /dev/vg0/archive
cryptsetup luksOpen /dev/mapper/vg0-snap snap
mount -r /dev/mapper/snap /mnt
but cryptsetup needs to know the passphrase to mount the snapshot. This of course means that I cannot do my backups in a script at 4am. Can you see a way around this or does using encryption make unattended snapshots impossible?
I think there’s a way around that (unless I misunderstand the situation). You can store a key file that unlocks /dev/vg0/archive on /dev/vg0/archive.
Sounds unintuitive, but I assume you have /dev/vg0/archive mounted (why make snapshots, otherwise?). So now you can let the script use the key file to unlock /dev/mapper/vg0-snap.
When you unmount the partition, nobody can see the keyfile because the partition is encrypted, so this is still safe (you can make it readable only by root, in addition). Here’s a tutorial of how you add a key file.
Thanks for visiting!
“Back in the main menu, again a new option appears at the top – Configure the logical volume manager.”
That option never appears for me. After I create the encrypted partition, I only have 3 options at the top: config encrypted vol, guided part, and help on part.
I see the Encrypted volume created as #1, I but I don’t have the menu option.
Hi Leona, thanks for leaving a comment!
So when you select the #1 entry under Encrypted volume (highlight it as in the photo, then hit enter), you can choose what to use it as. In the photo it is still set to use as ext3, but you want to change this to “physical volume for LVM”. Hope that helps, good luck!
yungchin: THANKS! it worked as described.
How does this work if I want to dual-boot with windows?
Hi Rick,
In that case you want to leave your Windows partition in place, so the /boot and LVM partitions would not span the whole disk.
There’s an extra step at the beginning should you need to resize your Windows partition. I’m afraid I don’t have any screenshots for that – I deleted my Windows partition this time around!
As for encryption options, you can only use the LUKS encryption on the non-Windows partitions I think (with some effort you could read the encrypted partitions from within Windows but you can’t put your Windows system on such a partition). You can however use Truecrypt for the Windows partition.
If you need it, FreeOTFE allows LUKS volumes to be mounted under MS Windows. For more info: http://www.freeotfe.org/features.html
You can encrypt your Windoze system partition with Truecrypt as suggested by yungchin and install FreeOTFE within it to gain access to the encrypted LUKS volume. I’m not sure but to access the ext3 or ext2 filesystem inside LUKS partition from Windoze, you may also need “Explore2fs” (http://uranus.it.swin.edu.au/~jn/linux/explore2fs-old.htm).
Finally:
– FreeOTFE (at the moment, as from its feature’s list) doesn’t support Windows system partition encryption but can mount LUKS volumes.
– Truecrypt (see its feature’s list) support Windows system partition encryption but doesn’t LUKS volumes
Ok, I’ve tested making several encrypted hardy installs now (through virtualization software) and start to feel that I’ve gotten the hang of it. Now I’m thinking about trying to setup a keyfile.
I’m most of all hoping that someone will make a guide as great and pedagogical as this one but covering keyfile setup. Though I’m willing to attempt even without that. But could you yungchin, or anyone else likewise experienced with this, tell me if there are any parts of the linked page
http://wejn.org/how-to-make-passwordless-cryptsetup.html
that are likely to be different when trying to setup a keyfile for Hardy?
Hi Jon,
I don’t think there should be any differences, but I didn’t try it!
When I tried it for Etch, I formatted my USB stick with ext2 by the way. That saves you having to build FAT support into the boot loader.
Oh and: you don’t have to leave an email address here by any requirement – so no need to cook one up ;)
Vato: thanks!
how to install hard heron:
http://technicianspot.blogspot.com/2008/05/installing-linux-ubuntu.html
Ok, I finally got around to try this…
I’ve completed all steps in the linked guide. Everything worked for me except part 3, step 1:
# echo -e “vfat\nfat\nnls_cp437\nnls_iso8859_1” >> /etc/initramfs-tools/modules
That gives me an error message: “permission denied.” I’ve also tried it with the sudo prefix but get the same error.
The USB stick I wish to use is formatted in FAT. You wrote that you formatted your stick with ext2. Does that mean that you could skip part 3, step 1? If so, how do I format a USB stick to ext2?
Yes, that would fail with sudo: if you cut up the command in the way bash interprets it, it says: run echo with superuser rights, then append the output of it to /etc/…/modules. But it’s actually the latter that you need to be superuser for.
I don’t know how to do it that way (piping output with sudo), so instead I’d use sudoedit to write the line at the end of the file. But yes, you can skip that line when you have an ext2-formatted stick. You can use mkfs or, more precisely, mke2fs to format the stick (I don’t think I used many switches but I really can’t remember all that stuff so I have to read the man page everytime I use mkfs :)).
Ah, so all that command part does is to append the first textstring to the modules file? I didn’t lie when I said I was a beginner as you can see :-) I’ll give the sudoedit way a try now instead.
Yes, that’s all it does. By the way, I just realised it’s not called piping – I got the terms mixed up. It’s called redirecting: see this section of the Bash Reference Manual.
Ok, back after lunch… I made the changes to /etc/initramfs-tools/modules (I used “sudo gedit /etc/initramfs-tools/modules) and copied the root.key to the USB pendrive. But it was still not found at boot. When editing modules it says “you must run update-initramfs(8) to effect this change.” Could that be the problem? “update-initramfs(8)” and “sudo update-initramfs(8)” fails, so how do I do that?
Just a check: when you edited the modules file, did you replace “\n” by line breaks (you should)? I’m just thinking that maybe this is why update-initramfs fails.
You mean this part: vfat\nfat\nnls_cp437\nnls_iso8859_1 ?
I entered it like this into the modules file:
vfat
nfat
nnls_cp437
nnls_iso8859_1
I’m testdriving this on Hardy through VirtualBox running in Win XP btw. I have activated USB for VirtualBox and can use the USB stick within (virtual) Hardy but maybe it is VirtualBox that gives some problem with the USB stick…
I’ll try to format it the stick to ext3 after all and see if that solves it.
I re-formatted the USB stick with mkfs and copied root.key to it (I can’t drag and drop copy to the stick now btw, but “sudo cp” worked…). But I get the same error at boot: “FAILED to find suitable USB keychain …”
I just tried again with another USB stick (fat formatted). VirtualBox recognizes the stick during boot so that does not seem to be the problem…
Did you perhaps put the root.key file in some folder on the USB stick? (I can’t see any such folder in the script source but I’m starting to run out of things to try so I’m asking anyway…)
Here’s a screencap of when the keyfile is not found (and the step right after the password is entered) – there’s an error message there. Could that be relevant?
Oh, and sorry for just pouring a lot of question onto you. It’s not your instruction I’m trying to follow so feel completely free to opt out of answering any of these questions any time you feel like it. That said, I’m of course really glad if you do help me out.
Doh!
I just reread you last comment: “28 May 2008 at 11:25 Just a check: when you edited the modules file, did you replace “\n” by line breaks (you should)?”
That indeed was the problem! I sloppily replaced the \’s (not the \n’s ) with linebreaks which incorrectly left three n’s at the start of line 2,3&4 below:
vfat
nfat
nnls_cp437
nnls_iso8859_1
It should of course be:
vfat
fat
nls_cp437
nls_iso8859_1
Now everything works! Great, I’m really glad I didn’t give up. Thanks for the help and for your terrific post that lead me onto this. If that hadn’t been so well written I would probably never even had the guts to try this more complicated procedure with the keyfile.
No problem, I’m happy to help (I’m not sure I’m much help here though!).
Yes, I put the file in the root folder, that’s where the script looks for it. Looking at the original script now, I think I forgot to mention something: if you use ext2 you need to modify the mount command in the script! It says “-t vfat” in the example, which of course fails if it’s not vfat. Sorry about that!
You can also check that this is wrong by removing “2> /dev/null” from the end of that line – this redirects the error output of the mount command. Probably if you remove that it tells you that something is wrong with the file system type.
One more thing I noticed from the screenshot: it seems to show your luks password in clear text. Not terribly dangerous, but that could be better… I know it’s possible to change this but I’m not sure how.
EDIT: ow, I see we’re cross-posting! Well, I’m glad it worked (and probably we also know why the ext2 version didn’t work now…). Thanks for your returning visits – makes my blog feel alive! :)
Hi,
re: cleartext password. Yes I noticed that too. My password “test” was probably a bit weak anyhow ;-) But for real use then I’d also prefer if the typed password became asterixed. I guess something in these lines in crypto-usb-key.sh needs to be changed but I don’t know what:
echo -n “Try to enter your password: ” >&2
read -s -r A </dev/console
echo -n “$A”
I’ll google for a solution and, if that fails, email the script author
Thanks again!
Looks like this would work: prompting users for passwords in a shell script
I tried this:
stty -echo
read -s -r A
stty -echo
but get this error: http://img146.imageshack.us/my.php?image=errorjl5.png
Bummer. Yeah, not all commands are available at boot time. So probably we would need to write this in C – too much work ;)
Hello,
Have you tried this procedure on external USB hard drive? I tried but when I am booting for the first time Ubuntu cannot find crypted partition. Any ideas?
Thank you,
Goran
Nope, I haven’t tried that. Sounds like a nice experiment :)
There’s a lot of tricky stuff when booting from USB drives – sometimes they pretend to be floppy disks so then you can’t see the whole drive, things like that. But it’s been maybe three years since I played with that so I can’t really remember, sorry!
I think Vincent said he was toying with Hardy on a USB drive, so you might want to keep an eye on his blog.
Ok, I emailed the author of the keyfile setup guide ( http://wejn.org/how-to-make-passwordless-cryptsetup.html ) about the visible typed characters. He suggested that I’d try:
busybox stty -echo
read -r A
busybox stty echo
but that didn’t work when I tried it just now. So unless someone else has any suggestion on how to solve that I think I’ll just leave that as it is for the moment. The keyfile support is really great. I’ll testdrive it some more in virtual machines and will start to use it permanently on my real laptop soon.
Btw, Imagine if that functionality came prepacked with the next Ubuntu, it’s setup controlled through some easy GUI. I’m sure lots of people would use it!
Stty is not compiled in default initramfs busybox, but you can create following file to include regular stty binary in initrd image – /etc/initramfs-tools/hooks/stty:
–CUT—–
#! /bin/sh -e
PREREQ=””
prereqs () {
echo “$PREREQ”
}
case $1 in
prereqs)
prereqs
exit 0
;;
esac
. /usr/share/initramfs-tools/hook-functions
# Files needed for getting cryptochain
copy_exec /bin/stty /bin
exit 0
–CUT—–
and then just use:
stty -echo
read -r A
stty echo
Hi Milhaus!
I tried your suggestion but then get this error when booting:
/keyscripts/crypto-usb-key.sh: /keyscripts/crypto-usb-key.sh: 45: stty: not found
I can still input the password after that, but it is also still visible as I type.
screencap (“test” is my password) of it all: http://img209.imageshack.us/img209/9430/45cf3.png
i’ m not able to add the “keyfile” to a slot,
it return the error the “sdb2_crypt is not a LUKS partition”
Hi Giancarlo – I’m not sure what your problem could be, sorry. Maybe you’re just not pointing to the right partition?
Jon: I forgot to mention, that you need to rerun “update-initramfs -u all” to generate new initrd image…
I think suspend should be safe enough if you lock the screen on suspend, right? As long as there’s no way into the running system (e.g. kernel hotkey or some exploit via peripherals), then the attacker can’t really do anything. The hard disk is useless, suspend or not. I guess it really comes down to whether the RAM is more vulnerable when the system is on.
It would make for a suspenseful scene in a movie, the hero trying to extract the RAM of a live system without crashing it. Setting up electrical current bypasses, etc. Like bomb diffusion!
Milhaus: I did rerun “update-initramfs -u all”. But I still got that error.
Hi Milhaus, hi Jon, welcome back :)
Justin: you’re right, the system should be pretty secure when suspended because of the password lock. If somebody really wants to get in though, extracting the RAM (with the decryption key) from the system is indeed an option. Apparently that’s not so hard – did you see the Princeton stuff I linked to above? http://citp.princeton.edu/memory/
Jon, does “/bin/stty” exist in your system? It’s part of coreutils package so it should be there. In such a case there should be a problem with hook script, please check its rights:
-rwxr-xr-x 1 root root 222 2008-06-01 11:11 /etc/initramfs-tools/hooks/stty
Also I would check if you don’t have some weird nonpritable characters like ^M in it:
cat -A /etc/initramfs-tools/hooks/stty
Maybe you can also try to run verbose initrd update:
update-initramfs -v -u all
Or put some debug print messages into the /etc/initramfs-tools/hooks/stty script just to see if it’s executed correctly.
Finally just to confirm, I have it working on 8.04 server:
>cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=8.04
DISTRIB_CODENAME=hardy
DISTRIB_DESCRIPTION=”Ubuntu 8.04″
>uname -r
2.6.24-16-server
Hi, if I am dualbooting Windows XP and Ubuntu HH, and want both of them encrypted, the former with Truecrypt, the latter as described above:
on which partition should I put GRUB? During setup I tried to install it on the unencrypted /boot partition of Ubuntu, but I could not because of an error. Also I do not want to place it in the MBR because it will be used by Truecrypt’s boot manager.
thanks
Hi mp,
Putting GRUB on the /boot partition sounds like a fine plan to me. What kind of error does that give you?
Hi yungchin,
Thanks for the guide, I’ve managed to setup my laptop with an encrypted drive thanks to you.
I’ve been following the comments that Jon and you have left re:setting up a passwordless drive using a usb stick.
I’ve finally managed to recreate what you guys have done but the stick had to be reformatted to ext2.
My question is: would it be possible to use an SD card instead of a USB flash drive? My laptop has a built in drive and its much less conspicious to use a SD card. And for more security, I can separate the SD card from the laptop (keeping it with my camera) instead of having to plug in a flash drive.
Thanks in advance,
Crom.
Hi Crom,
I would think that that is possible, and it sounds like a very neat solution.
My guess is that you need to do something similar to what’s done in the keyfile on usb-stick tutorial. At the stage where you select the modules for initramfs you’ll probably need to list your SD-reader module. In the shell script that looks for the usb-stick, you need to modprobe the SD module instead and try reading from it.
I’ll be curious if it works out!
Hi yungchin,
After about a week of trying and numerous emails to the author of the usb keychain page, I’ve managed to get my laptop to read the keyfile from an SD card.
=D I’ve posted what I did in the ubuntuforums.
http://ubuntuforums.org/showthread.php?p=5280616#post5280616
I’m sure that someone could make my kludge more elegant and robust. But for now, I’m just really happy that it works. I’m still very new to linux and this is my first time trying to do something like this.
Anyway, thanks for your guide. =D It helped a lot.
Yungchin,
Just another thanks for a handy article. Encrypted LVM is up and running, USB Key trick next. Always a blast learning new things…
Hi Crom, sorry for the slow reaction – I’ve been away for a few weeks. Awesome work with the SD reader! I really need to sit down and follow up on this blog post; I’ve been planning to play with the LVM snapshotting but can’t find time…
Hello Richard: thanks!!
Crom, awesome! I’m honored that my repeated beginners questions was to some use to someone other than me. I bet yungchin’s and others helpful answers to my questions were even more useful of course. Anyway, cool indeed that you’ve extended the neat keyfile support to include SD cards.
I haven’t had any time for these encryption issues at all during the summer but I will test your revision some time or other and will try to post feedback afterwards (in that ubuntuforums-thread).
Has anyone thought of a way to make the steps involved even easier? Maybe a script or a small GUI application that automates some of them?
One more thing: I have toyed with the idea of making a dual boot machine (XP/ubuntu)where both are encrypted (trucrypt WDE/LUKS) and where the ubuntu half supports keyfile on usb/SD.
I have found this general dual-boot guide:
http://blog.redinnovation.com/2008/07/15/perfect-dual-boot-crypted-hard-disk-setup-with-truecrypt-and-luks/
But I’m not sure if the keyfile support steps discussed here would bring complications. Any ideas on that?
One last thing (really! for now!): I just saw that the original keyfile support instruction site http://wejn.org/how-to-make-passwordless-cryptsetup.html now includes some other updated versions, the latest being the one posted here:
http://tjworld.net/wiki/Linux/Ubuntu/HardyRAID5EncryptedLVM
Hey on my encrypted LVM partition i left some free space and now i have no idea how to create a new partition useing the rest of the free room any help?
After you unlock the partition with your LUKS passphrase, it’s just as good as any old LVM partition as far as the LVM-handling is concerned (That is, if you did it like I did here – if on the other hand you created an LVM partition and then encrypted one of the logical volumes, that’s different).
So basically you can create additional logical volumes in the way the LVM-HOWTO describes. If you wan’t to grow an existing partition to take up the free space, you can do that too: see this chapter.
When I do the snapshot what do I want to “snap” and how?
I have just used the alternate cd to make a whole disk encryption and I have some questions if anyone knows.
1)What kind of encryption/which algorithm is used? I could not find any specifications.
2)What are the known vulnerabilities of this specific type of encryption? I mean if someone tries to check my disk, what he will try to exploit?
3)Is this encryption trusworthy/reliable? Is the whole disk/system really encrypted? When I tried to encrypt the whole disk with truecrypt in Windows it took several hours. This encryption, on the contrary was much faster which really makes me wonder about its reliability.
If someones knows any answer to the above questions or can give me some relevant urls, I would be gratefull. I could not find anything on google
Thank you!!!
Hi Aleks,
(Nexxux: sorry I didn’t see your reply – I don’t get the question though?)
1) you can find what cipher your setup uses with the luksDump option in cryptsetup. If your encrypted partition is e.g. /dev/sda3, then you’d type “sudo cryptsetup luksDump /dev/sda3”. See the man page of cryptsetup for details of the command.
2) the author of LUKS has some papers of his at his website, maybe that’s a starting point?
3) I think the difficulty Truecrypt has to face is that it has to encrypt a disk that already holds data. Setting up LUKS/dm-crypt at install-time means you can just burst-write the whole disk.
Thank you yungchin. I have visited the authors site but it’s not very helpfull.
I ‘ve run the command that you gave me and I found something about SHA1 and SHA256 and I don’t know if these are algorithms. Is there a way that I can change the algorithm to AES?
How can I choose a different algorithm during installation? I was not promted for one when I installed ubuntu using the alternate cd.
Hi Aleks, are you sure the cipher name isn’t AES already?
SHA256 is a hash algorithm. In my very limited understanding of encryption routines, you need to mix your data with some other data (like a hash) that an attacker cannot predict to be there. Otherwise, by guessing what data is on the system (you can expect there to be say a certain version of libc and other standard GNU binaries), you’d have a better chance of breaking the cipher. So that’s what I think the SHA256 is for – it’s not the encryption algorithm.
There’s some more on that here (sorry, again the author’s site) but I should say I didn’t get to read that thoroughly yet.
During installation you can configure the encryption options in the partitioner: it’s in the screen after you select the partition format to be “volume for encryption”.
I did manage to check the algorithm and it IS AES! Thank you again :):):) The link does not work however…
Oops :) I think I fixed it now.
I’m not sure how to create a snapshot volume/take a snapshot of Ubuntu
thanks very much for the guide, just what i’m looking for! i think i’ll do it immediately with my new hard drive. however, this business about snapshots is still confusing to me even after reading the links you provided.
this comment too seems useful but still confusing to me, https://learninginlinux.wordpress.com/2008/04/23/installing-ubuntu-804-with-full-disk-encryption/#comment-54
i have an external hdd which will be truecrypt encrypted and mounted while ubuntu is running, that i would like to automatically backup the system to every night when i’m sleeping. i would also like it to make a differential backup so i can have several days of backups without taking up as much bytes. i do something like this now on my windows systems with acronis.
um, so, how can i automate that? and where does this snapshot business come into play? you say leave a few GB free for the snapshots, but how does that space get used? i don’t see any mention of how to allocate that space. also, you say that is probably too much free space. what is a general rule for how much space to leave? i only have a 32 GB disk for ubuntu and it looks like in your example you have an 80 GB disk….
thx
Hi, thanks to both of you for visiting (again)!
I’ve been working on a post about LVM-snapshots; just can’t find time to continue working on it… so hopefully some more on that when I get it done.
Basically, after you create a snapshot, the logical volume manager keeps track of changes to a logical volume. The snapshot volume looks exactly like the original volume except for the changes that have been made to it.
This is not a backup of your data – the data you see on the snapshot volume is not a copy, it’s the same data as the original! Rather, the LVM snapshot allows you to take a good backup snapshot: by backing up from the snapshot, you avoid problems with files changing during the backup process.
The snapshot volume needs space only to store changes to the original volume during the lifetime of the snapshot. So if, let’s say, you want to be able to edit a 300MB movie file while you have the snapshot stuff going on, you’ll need more than 300MB for the snapshot volume. Usually though, it should be a lot less: just a couple of log-files, the odd email message, and a few small documents you’re working on while you run your backup.
I thought the LVM-HOWTO was a nice link for more info, but please let me know if/what’s unclear there.
As for Stuart’s comment about automating this – I haven’t tried the solution I suggested yet, and it seems Stuart hasn’t come back. But I’m quite convinced it will work fine that way.
Greetings again:) I tried to install ubuntu with full disk encryption to a usb external disk following the exact same procedure that I followed when I made the installation to my internal disk.
Unfortunately, though no error messages are shown, just after ubuntu initial screen is shown I just see the following:
“BusyBox v1.1.3 (Debian….. etc.etc.
(initramfs)”
minus the quotes of course :)
I also don’t get any password promt.
I made the installation thrice with the same cd that I used for installing ubuntu on my laptop (so it’s not a cd problem).
Any ideas on what could be wrong?
Thank you :)
Awesome tutorial! I’ll definitely add a link ;-)
Just a note: when I booted the alternate CD in my laptop (a Sony Vaio), without handling any option to the kernel other what came by default, I got a kernel panic… rebooting and passing fb=false fixed that.
Hi Aleks, I’m not sure how to fix that… one guess of what may be wrong: if the /dev entry for the usb disk is in the configuration files somewhere (e.g. in /etc/crypttab) the boot-loader will have trouble finding it when the /dev entry changes. But a lot of other stuff could be wrong. (I think the clues must be in the “etc. etc.” bit ;)). Did you try at a place like ubuntuforums? There might be a few more people with experience booting from usb-disk there.
gauthma: thanks!! :)
Hey thx for all your help, but now i’ve got one more question. Does anyone know how to mount the encrypted drive, then mount the lvm under windows?
Hi again!
Well let me first say I hardly get to work with Windows these days and the most complicated thing I’ve done on Windows in the last two years is watching a DVD… :) So really I don’t know what I’m talking about and therefore the following links may be very bad choices.
I know that FreeOTFE understands LUKS partitions, but have no hands-on experience with it. The combination with LVM makes life probably even trickier, but I just found (through Google) that Explore2FS lists LVM support on their webpage. So in theory you should be able to do as you say – unlock the encrypted volume, then mount your LVM volumes.
Thank you for your answer! Yes, I have asked EVERYWHERE!!!!! Ubuntu forums in two languages, support forums, even a neighbour accross the street! No answer at all. Not even a hint or suggestion :(.
I also tried to make the installation using an alternate cd of the 64bit version as well as to a usb stick instead of my hd. Always the same problem (in the 64bit case the error message was different but the result the same).
I don’t think that encrypted installation to a usb external disk is possible. As a matter of fact, I do believe that there must be some kind of bug. Do you know where I should report it in order to be fixed in the next version?
Ubuntu bugs are managed at Launchpad, but is it really a bug? I mean, the installer was perhaps not intended for setting up encrypted systems on usb devices.
Did you try the same thing but without encryption? Maybe it’s just a thing with usb installs in general. I’ve never tried that sort of thing, but you might check out pendrivelinux.com
No, I haven’t tried to install it without the encryption using the alternate cd. However ubuntu does function on usb drives. I have used the live cd to install it to the same usb stick (not the hd – but I read it works even better) and it was just fine (apart of being REALLY slow).
Encrypted installation on the other hand seems to be IMPOSSIBLE :(
What about encrypting only the home folder and swap and leaving the root unencrypted? How could we do that?
And what about this bug: https://bugs.launchpad.net/ubuntu/+bug/231451 ???
Hi, just a heads up: the original keyfile instruction site ( http://wejn.org/how-to-make-passwordless-cryptsetup.html ) now has another update:
“Update: Improvement of TJ’s script by Hendrik
Hendrik van Antwerpen sent me his update to TJ’s keyscript (colored version).
Improvements:
supports encrypted (password protected) key devices
password reading now uses stty (when available)
password reading uses oficial function under usplash
refactored debug code ”
Works great!
Hi Aleks, you could do that if you put the encrypted volumes inside the LVM partition instead of the other way around. That’s actually what I did on my new laptop (didn’t get to write about it yet).
I didn’t run into the bug you refer to but I do have a problem with hibernation (on resuming the swap partition is not unlocked in time and so I just get a cold boot – have to still look into this, too).
Thanks for the update, Jon!
Another update: I’ve now successfully set up a working dual-boot system in VirtualBox: (Win XP + truecrypt FDE) and (Ubuntu 8.04 + FDE + keyfile support). Yay! :-) I followed this http://blog.redinnovation.com/2008/07/15/perfect-dual-boot-crypted-hard-disk-setup-with-truecrypt-and-luks/ guide for the dualboot part. BTW, VirtualBox is great for testdriving these things in general so if anyone reading this want to test encryption but hesitate to test it on your main system, then try that first a couple of times.
Nice, thanks for this. I’m waiting for 8.10 tomorrow then whipping my 500GB disk into my laptop and going fully encrypted. I’ve bookmarked this page and will refer back tomorrow. You answered my main question, I need the alternate installer. :)
Just installed 8.10 Intrepid Ibex and it worked flawlessly. I wasn’t prompted to overwrite my disk with random data though. I was very glad of that as I’d spent ~36 hours wiping the disk in preparation and didn’t fancy repeating that!
One or two of the options were a little different, but it was pretty painless, particularly once I noticed that the menus to manage encrypted volumes and logical volumes were at the top of the page. Thanks for that tip.
This message comes to you from Intrepid on a fully encrypted disk. :)
so i have created the snapshot volume and mounted it, by following the example in the link you provided, http://tldp.org/HOWTO/LVM-HOWTO/snapshots_backup.html
now i am ready to make the backup.
{
13.4.3. Do the backup
I assume you will have a more sophisticated backup strategy than this!
# tar -cf /dev/rmt0 /mnt/ops/dbbackup
tar: Removing leading `/’ from member names
}
so, what do you think is more sophisticated? i haven’t used tar in a while. without reading thru the whole man page, can you tell me your opinion in what strategy you would use?
hey i’m back. i wanted to kind of answer my own question (above) and ask some more ;)
what i did was run “simple backup config” in (system > administration) and i configured my backup options to my liking. finally, i chose “manual backups only” on the general tab.
all this is is a front-end to configure the /etc/sbackup.conf, which is used by the python script /usr/sbin/sbackupd
now, i just made a script to create the snapshot volume, mount it, run the backup, unmount the snapshot volume, and delete the snapshot volume:
lvcreate -L450M -s -n backup /dev/ubuntu/root
mount /dev/ubuntu/backup /mnt/backup
/usr/sbin/sbackupd
umount /mnt/backup
echo y|lvremove /dev/ubuntu/backup
and i saved this in a file like ~/backup
then, i did “sudo mkdir /mnt/backup” to create the mount point for the snapshot (only need to do this once)
then, i made this file executable with “chmod +x ~/backup”
then, i edited my crontab with “crontab -e”, and added this line:
0 4 * * * sudo /home/scar/backup
and saved. this will run ~/backup every morning at 4 AM
finally, i had to edit the sudoers file to allow this command to be run without a password:
sudo visudo
shift+g (to go to end of file)
o (to insert a new line)
scar ALL=NOPASSWD: /home/scar/backup
:wq (to save the file and quit)
now, you might be wondering, why this editing of the sudoers file? i did try to “sudo vi /root/backup” and save the script there, and then “sudo crontab -e” instead to run /root/backup everyday at 4 AM. but, when i looked at the backup created, there is nothing saved in the tgz archive. so, i’m not sure why that is. if anyone knows, i think it would be a bit cleaner to not have to edit the sudoers file and have this script run in root’s crontab….
another thing, regarding restoring backups. i am used to acronis. suppose my hard drive gets fried and i have to replace it. with acronis, i would just boot the acronis bootdisk, select the backup archive, and it would restore it to the new hard drive. i could even backup/restore multiple partitions and resize them to fit in the new hard drive.
so, now i am in a little different situation with full disk encryption. how can i accomplish the same thing, if i need to replace the hard drive? i am thinking it won’t be quite as easy, which isn’t such a big deal as long as i can have the same results (namely, getting back into the exact environment i was in before the hard drive crashed, with all the same programs installed, etc.) for example, i am thinking i would have to go thru the setup process explained in your tutorial to get the system running again, and then run the “simple backup restore” to restore all of /. is that going to work well?
Hi scar, sorry I was slow to react… thanks for coming back, and for all the useful info! I didn’t know sbackup. I’ve been “playing” with rdiff-backup and backuppc, but was holding back on posting about it until I had really tested my backups (and of course that didn’t happen yet).
I think the problem with “sudo crontab -e” is that sudo doesn’t change all the environment variables (e.g. $HOME doesn’t point to /root), which is not always what you want. Thus you might have ended up editing your own crontab rather than root’s. You can use the -u switch on crontab to specify that you want to edit root’s crontab.
For restore, I would guess the approach you suggest should work for the most part; it might well break in the details – you wouldn’t e.g. want to overwrite /etc/fstab with the backup, which probably points to different uuids of the old partitions. In any case, I haven’t tried a such a “bare metal” restore from backup yet – only single files…
I’ll be playing around with this!
For anybody wondering how it works with Windows.
FreeOTFE mounts LUKS volumes, no problem at all. It’s in a different place in menu though and may be confusing.
If you have IFS driver installed windows will be able to read and write the mounted drive.
I had no luck with explore2fs.
All in all, encrypted ext3 works with read and write. Encrypted LVM with ext3 on it doesn’t work.
does ‘full disk encryption’ work on a dual boot scenario? lets say i have a windows on one partition and ubuntu on the other. can i just have the ubuntu partition encrypted?
and also,
lets say i already have ubuntu (without full disk encryption) set up, is there some way to introduce full disk encryption easily into the system? it seems that i need to do it partition by partition (ie, home, swap, root)… am i right?
thank you!
nevermind. i saw the first question i have on dual-boot.
swistak: thanks!
harmony: I don’t think you can encrypt unencrypted volumes in-place with these tools. I believe that Truecrypt can pull tricks like that though. edit: …but only for MS Windows volumes. I just meant that technically it’s not unimaginable…
Thank you so very much!!! Amazing tutorial!!
Hi Aleks,
Regarding the installation on a USB-flash… I installed 8.04, using a alternate CD, this way: one partition for “/” and one encrypted partition for 2 LVM volumes – swap and home. I could not make a full encrypted installation, got similar errors like you did.
Still this is not the safest storage for personal data. There could be personal data in /tmp, /var too.
However for my standards, this is “safe” enough. Having a USB-flash whit /home and swap encrypted, that I quite use on other PC’s when I travel is good enough for me.
Have fun
A funny reality check: http://xkcd.com/538/ :)
Of course, that is not why I encrypt my disks. So if anyone comes and demands the passphrase, they won’t need to bring a wrench to get it from me!
Wow, Awesome tutorial. Didn’t know it was that easy to setup.
Wanted to say thanks as this is the second time I’ve referenced this posting. I had to encrypt my work laptop and was able to successfully create a Linux installation next to the encrypted XP system provided by the office. Things had bee going well for quite some time; until today. I foolishly upgraded to Intrepid Ibex which broke… too many things. :)rather than fix it, I’m just wiping and reinstalling Hardy.
So this time, I’m leaving some snapshot space in the LVM within the encrypted container so I can recover when I next feel like upgrading.
Thanks!
&
Thanks, I’m glad it was of use!
I’ve been meaning two work out the snapshot-upgrade stuff for over a year now (halfway through my laptop died, which put a lot of plans on the backburner I guess…). Two things need to be sorted I think: a simple recipe to let one choose between device-mapping either the snapshot or the underlying volume (these will have the same UUIDs I suppose?), and a graceful way to keep a useable copy of the pre-upgrade /boot partition as well as a dist-upgraded /boot partition (our computer officer suggested software RAID-1 to me, where the mirror should be broken just prior to the dist-upgrade – seems tricky though…).
Thanks for the tutorial. It would be nice if you could point to some recovery/”live” CDs that have the tools and kernel modules needed to mount and fix an encrypted disk.
Hi, thanks! I’ve been using SystemRescueCd for that, which contains all the tools to mount encrypted disks and manage LVM volumes. You can actually also use the Debian installer / Ubuntu Alternate installer for this (I drafted some notes on that here), but SystemRescueCd is more convenient: it presents a more powerful shell, most of the modules will have been loaded, and there’s Firefox on hand to look for help.
Nice. See my case: https://bugs.launchpad.net/ubuntu/+bug/359531
Hi guys!
I have already “regular” (unencrypted) system installed and configured – Is there a way to encrypt an existing disk?
Hi Micha, thanks. I guess the answer is no and yes: in principle what you want should be possible, but I’m not aware of anyone who has written the code that would be able to do this…
Thanks, very clear and useful….
Ok, Ubuntu 9.04 is soon to be released and I’m gearing up to reinstall an encrypted dualboot (Ubuntu + XP) system, where the Ubuntu FDE will again have keyfile support as detailed earlier in this blog post + comments.
So I’m wondering if yungchin (or anyone else reading this) knows of any new developments in simplifying the setup? Perhaps some script with/without a GUI that automates some of the (previously manual) steps or something like that?
Hi, no, nothing that I’m aware of, I’m afraid. The live-installer offers the option of an encrypted home directory I think – but that’s of course not quite full disk encryption.
Something I’d be interested to play with, but just can’t find time for, is using a smartcard to unlock the encrypted volume, see e.g. these notes (I have a Dell Latitude D630 now, which has a built-in card reader).
You might also be interested in work being done on Grub2 which should eventually allow the bootloader to unlock the cryptovolume (and which would thus allow you to also encrypt /boot, protecting you somewhat better against a tampered-with kernel).
thank you fro this great how to, I was looking for something similar, you just made it, worked like a charm
Tx again and vive Linux
A tips for next time would be to use some sort of virtualization-software to make the pictures, instead of taking pictures of a screen, which just looks awfull ;-)
You skipped the introduction ;)
Thx yungchin for the detailed howto… BUT I made very bad experiences with Ubuntu and finally am happy with the same approach applied to Debian Lenny.
Lenny is much more stable than Ubuntu!
Exactily what I was looking for.
Thank you.
Hi,
Nicely written blog, thanks. I don’t think it quite shows what I am looking for though. I want to encrypt my existing Ubuntu installation.
There aren’t any tools that could do that for you yet, I’m afraid…
very good and inspirational!!!
the most important sentence for me was : “…a little bit unintuitive (it’s just a layout problem really)…”
then read about what LVM is and the extract from the debian information and voila you know what to do.
thanks!
I got this setup ok, but have one minor concern. I have two 1TB hard drives and the system handles them separately. As a result, I have to put in my pass-phrase twice on boot, once for each drives. Is there a way to setup the encryption so that it use the same encryption for both drives?
john m: Thanks – I agree that’s really the essence of it, totally! Should have pointed it out in the introduction…
Infosyst: With LVM, you may bundle the two disks into one logical volume (or have you already pumped them full with data?), or otherwise you could put a keyfile to unlock the second disk somewhere on the first disk, but that’s a little messy perhaps.
Ok, I tried rebuilding it and configuring LVM before encryption. That worked to a point, but now I have to use a pass-phrase for each partition (including swap) so I’m basically in the same situation. They keyfile idea would probably work, but yes it is a bit messy so I would like to avoid that.
Unless someone has a bright idea I will probably go back to the fist configuration, since there are only two pass-phrases regardless of partitions. Thanks for the write-up btw, very helpful for getting me this far!
I’m sorry, that was a poorly thought-out suggestion I made there. Purely theoretically, you could use LVM to create one big logical volume across the two disks, then turn that into a cryptodevice, then put another level of LVM on that cryptodevice… I’d imagine that wouldn’t do much good for disk performance though… So, I wouldn’t really know a better way to do this.
Unrelated, but maybe of note for people reading the comments-feed: it seems Ubuntu 9.10 will use Grub2 as the boot loader. That could be interesting for us because Grub2 might support LUKS directly at some point…
Hi, very nice guide, everything was great, thanks ! :D
by the way, suppose i run into trouble, and i need to do a system reinstall, or i just want to switch from Ubuntu to Debian or something… how can i open the encrypted volume from the install program, to select the / partition to format and reinstall there ?
Hi Frapell, thanks for visiting!
I did something like that on my desktop, where I replaced Debian 4.0 (which I had installed in the same way as described in this post) by Ubuntu 8.10, and made some notes: Reusing existing encrypted logical volumes while installing Ubuntu 8.10 – essentially, all you need is the cryptsetup tool and vgchange (this comes with the LVM tools). These are also available on e.g. SysRescCd.
—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
Ubuntu Version Bumps
– ——————–
It would be nice if Ubuntu actually supported going from one version to another using LUKS encrypted LVM systems. Ask for this feature and then commit time to debugging it for a month before release date. This has NEVER worked for me in the past. I have to back up my home directory and re-install from scratch.
Another task for the astute sysadmins amoung you is to prepare for an unbootable situation where you need to boot from a CDROM and mount the LVM filesystems for recovery.
That’s my 2 cents.
I love the encrypted filesystem options!
Sincerely,
Joe Baker
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkpUHIIACgkQ7J1dPd3sAmD9hQCgj6JwX17c6cCaF78rXQyCVukU
s9sAn3LJZ96jzD+jYLZJ+U0xdu2kTTQZ
=aprH
—–END PGP SIGNATURE—–
Hi Joe, thanks. So what breaks when you dist-upgrade? As for manually mounting things: see Frapell’s post above.
PS: first time I get a PGP-signed comment :)
Does this work on Jaunty? I wouldn’t want to install an older version (i.e Hardy) just because I can’t find a newer HOWTO.
I installed Jaunty following this guide and it works fine.
I recall that i had to do something a bit different than explained here, but was fairly straight forward.
good luck ;)
Good news! Thank you.
Remotely related reading at Schneier on Security: Laptop Security while Crossing Borders – not sure if I should laugh or cry (given that it seems we need to protect ourselves from our own customs officers…)
Not what I was looking for: only interested in remote full disk encryption setup.
Thanks, that helped me.
Hi Yungchin,
Thank you very much for your good work! It worked like a charm.
But I have one question left. I created two partitions. The first one contains systemroot and swap as logical Volumes of the lvm setup. The second one is a partition formatted with fat32. Both partitions have the same passphrase.
When I boot, I am asked for the passphrase twice. I want to avoid that. But I don’t know how to go about it. Do you have any idea? (I hope the answer is not here before my eyes and I did not see it ;-))
Thank you!
Hi, thanks!
One thing you could do is unlocking the fat partition using a keyfile. If you make sure the system-root is unlocked and mounted before that, then you can safely store the keyfile on there. I’m a bit rusty on the details (I haven’t changed anything to my machine in ages), so you’re best off checking the crypttab manpage for how to configure this.
Hope that’s a good starting point, have fun!
Thanks! I will try that.
hi, i followed this guide quite some time ago, i see my comments are still here ;) i am now running 9.04 through upgrading and i haven’t had any problems at all.
i come to you today because i do not quite still understand how i partitioned my disk, and i would like to allocate a new partition so i can put a virtual machine’s disk image there.
i have a 300 GB disk, and i mostly followed your instructions. i allocated about 100MB to /boot, and the rest was allocated to an encrypted partition, inside of which is a 20 GB / (root) partition and a 4 GB swap partition, leaving approximately 270 GB of unused space inside the encrypted partition as far as i know.
now i would like to just create another 10 GB partition to store a virtual machine disk image on, and i cannot figure out how to do that, with all of the pv* and lv* commands.
can you help me understand the disk layout i have created and how to manage/create/delete additional partitions, should i need them? thanks
Hi, cool that you’re back!
Here’s the disk layout of the above described in LVM-speak:
* your encrypted partition serves as the Physical Volume
* there’s one Volume Group, and it only has that one PV
* your Logical Volumes are in that VG – so currently you have a LV for the system root and another one for swap
Adding new LVs can be done with lvcreate. There’s apparently also a gui to configure those things: http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.4/html/Deployment_Guide/s1-system-config-lvm.html – I’ve never used it though.
Hope that clears it up!
awesome! thanks. i installed system-config-lvm package. it was extremely easy to use.
What if I wanted to boot the system from USB key? I don’t like the idea of having an unencrypted boot partition sitting around on my hard disk. Is there a way I could have GRUB and whatever else is needed to open LUKS/LVM on the key, and chain to the OS inside the LVM?
I seem to have answered my own question! The trick is to select the USB drive’s partition to be mounted as /boot, and the installer will put GRUB on that drive.
Thanks, both for the question and the answer! So I guess this means you need to remember to mount the USB-stick partition whenever there are kernel or grub updates, but otherwise you can leave the stick out during use?
This tutorial worked perfectly with Ubuntu 10.4 (Text-based Installer). Thanks!
Just used your guide with Ubuntu 10.04 Alternate install CD. A few minor differences, but otherwise EXCELLENT! Thanks so much for your work on this!
Dear author, thank you for your tutorial.
I have got a variant suggestion to ask you:
let say I have a dedicated linux box server, made by me (obviously) and to be sold to some customers. It delivers services I have put a lot of my knowledge to set it up. Let say a special proxy or a special fax server.
Once I place that box to a customer site it may be cloned by somebody to take advantage of my installation and configuration.
This is the unwanted part.
While the real end user must have some access to some configuration files if any modification is needed, i.e. add some websites to whitelist or to blacklists.
How to make this mechanism working and prevent unauthorized copies of my server system or configuration? Is it encyption a solution? Or it could be a mixture of encrypting some directories while other must simply be protected at user level?
Thank you for any tip.
Robert
Robert: You want them to have a computer that they can turn on, but can’t access the internals of? Well, I’m not sure you can do that with purely digital means, such as encryption — they’ll have to provide the computer with a passphrase, which they could use with a LiveCD.
I agree with Tim, no, in fact I don’t think you can do that at all. You want someone to be able to use something, but at the same time you don’t: this is Digital Restrictions Management, and if you think about it, it is broken by its very principle.
Also, I’d say that obscuring the configuration scripts is, while perhaps not against the letter, certainly against the spirit of the GPL.
Hello,
it has been two years now, since I followed this tutorial and set up my laptop with ubuntu and full disk encryption. I use my SD card reader to store the passphrases. Pretty easy and beatiful in contrast to USB Flash drives.
Now that Ubuntu 10 is released, I would like to do an aptitude dist-upgrade.
Did anybody try this one out. Success reports?
I’d expect problems with the upgraded init-ramdisk image.
Regards
@ea: I upgraded from 9.10 to 10.04. I had some trouble during the grub portion — each time I would go to reinstall grub, it would unmount my USB /boot partition and throw an inscrutable error. Eventually, I gave up and rebooted… and everything works fine. Dunno what the problem was.
i am now running 10.04 too. i have a question about the backup scheme, because i am getting about many messages like:
EXT4-fs (dm-3): ext4_orphan_cleanup: deleting unreferenced inode 130636
…
EXT4-fs (dm-3): 39 orphan inodes deleted
EXT4-fs (dm-3): recovery complete
EXT4-fs (dm-3): mounted filesystem with ordered data mode
exactly every day, so i think they are occurring around the time i am running the backup. my backup script that runs everyday is simple:
lvcreate -L450M -s -n backup /dev/den/root
mount /dev/den/backup /mnt/backup
/usr/sbin/sbackupd
umount /mnt/backup
echo y|lvremove /dev/den/backup
do you know what is causing the messages? how i can investigate further? i think it may be related to the snapshot volume that is created and then deleted. maybe it gets unmounted/removed to quickly? not sure…
thanks
Great manual, thanks!
If I have a dual-boot (Ubuntu and Windows) machine is there a good way to encrypt my Windows installation at the same time?