Last active
September 17, 2018 17:41
-
-
Save HoffmannP/699f3beb2f9901cd64e8 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
################################################################################ | |
# full-disk-encryption-lvm-luks 2 | |
# This is especially designed for Linux Mint | |
# just a modification of the glorious script by andreas haerter (kudos) | |
# http://blog.andreas-haerter.com/2011/06/18/ubuntu-full-disk-encryption-lvm-luks | |
# | |
# Usage: | |
# 1) Boot a (K)Ubuntu/LinuxMint live session | |
# ATTENTION: Choose the language you are going to install right from the | |
# start! This prevents trouble regarding different keyboard | |
# layouts and your entered encryption password! | |
# 2) Enable execution of this script (chmod +x FILENAME) | |
# 3) Call this script with SUPERUSER privileges (->sudo ./FILENAME) | |
# 4) If you made an error or something like that, REBOOT the Live CD and try it | |
# again! | |
# | |
# | |
# LICENSE: This file is open source software (OSS) and may be copied under | |
# certain conditions. See the links below for details or try to contact | |
# the author(s) of this file in doubt. | |
# | |
# @author Berengar W. Lehr <Hoffmann.P@gmx.net> | |
# @copyright 2014, Berengar W. Lehr | |
# @license GPLv2 (http://www.gnu.org/licenses/gpl2.html) | |
# @license New/3-clause BSD (http://opensource.org/licenses/bsd-license.php) | |
# @version 2014-12-14 | |
################################################################################ | |
################################################################################ | |
# DO NOT TOUCH ANYTHING BELOW THIS LINE WITHOUT KNOWING WHAT YOU ARE DOING! | |
################################################################################ | |
################################################################################ | |
# Process | |
################################################################################ | |
URL_ARTICLE="http://blog.andreas-haerter.com/2011/06/18/ubuntu-full-disk-encryption-lvm-luks" | |
# functions | |
function checkError() { | |
return=$? | |
if [ $return -ne 0 ]; then | |
echo -e "$1 Please reboot and try it again!" 1>&2 | |
exit 1 | |
fi | |
} | |
function question() { | |
echo -n "$1 [y|n]: " | |
read INPUT | |
return [ "$INPUT" = "y" ] || [ "$INPUT"== "Y" ] || [ "$INPUT" = "j" ] [ "$INPUT" = "J" ]; | |
} | |
#welcome user | |
clear | |
echo "###############################################################################" | |
echo "# Helper script to install an encrypted (K)Ubuntu Linux (full disk encryption" | |
echo "# using LUKS/LVM)" | |
echo "# Found system: $(lsb_release -rs) $(lsb_release -cs)" | |
echo "#" | |
echo "# Note: internet connection is mandatory!" | |
echo "#" | |
echo "# ATTENTION: THIS SCRIPT MAY ERASE ALL YOUR DATA ON THE CHOSEN DEVICE!" | |
echo "# MAKE SURE YOU GOT A BACKUP OF ALL YOUR IMPORTANT DATA OR USE/TRY" | |
echo "# AN EMPTY DISK! USE AT YOUR OWN RISK! YOU HAVE BEEN WARNED!" | |
echo "###############################################################################" | |
#check: are we root? | |
if [ $(id -u) -ne 0 ] | |
then | |
echo "" | |
echo "Superuser privileges needed. Please call this script using 'sudo'/as root." 1>&2 | |
exit 1 | |
fi | |
#article read? start reading now? | |
echo "" | |
echo "" | |
echo "###############################################################################" | |
echo "# Article read?" | |
echo "###############################################################################" | |
echo "Everything is better if you know what you are doing. All important information" | |
echo "can be found at:" | |
echo ${URL_ARTICLE} | |
echo "" | |
if $(question "Have you read and understand the article?"); then | |
echo "Starting browser..." | |
hash firefox > /dev/null 2>&1 | |
if [ $? -ne 0 ] | |
then | |
echo "" | |
echo "Firefox error... maybe Kubuntu instead of Ubuntu is running here." | |
echo "Let's try to start konqueror or rekonq...." | |
echo "" | |
hash konqueror > /dev/null 2>&1 | |
if [ $? -ne 0 ] | |
then | |
killall rekonq > /dev/null 2>&1 #default since Kubuntu 11.04 | |
rekonq "${URL_ARTICLE}" > /dev/null 2>&1 & | |
else | |
killall konqueror > /dev/null 2>&1 | |
konqueror "${URL_ARTICLE}" > /dev/null 2>&1 & | |
fi | |
else | |
killall firefox-bin > /dev/null 2>&1 | |
firefox "${URL_ARTICLE}" > /dev/null 2>&1 & | |
fi | |
fi | |
echo "" | |
echo "Note: Before all data on your disk will be erased, you will be asked AGAIN." | |
if ! $(question "Start work now?"); then | |
echo "Operation cancelled by user. Recall this script to setup an encrypted system." | |
exit 0 | |
fi | |
#keyboard layout check | |
echo "" | |
echo "" | |
echo "###############################################################################" | |
echo "# Correct keyboard layout?" | |
echo "###############################################################################" | |
echo "Please double check if your keyboard layout is the one you will finally use!" | |
echo "This is ESSENTIAL because you have to define a password." | |
echo "" | |
echo "Example: If you are typing a password containing 'z' or 'y' and you are using a" | |
echo " US keyboard layout during this setup but going to install Ubuntu in " | |
echo " German, your probably set another password as you may thought," | |
echo " wondering why your password is not working ;-) (hint: on German" | |
echo " keyboards 'y' and 'z' are interchanged compared to an U.S. keyboard)" | |
echo "" | |
echo "Starting keyboard settings. Please check the 'Layouts' tab." | |
hash gnome-keyboard-properties > /dev/null 2>&1 | |
if [ $? -ne 0 ] | |
then | |
echo "" | |
echo "gnome-keyboard-properties error... maybe Kubuntu instead of Ubuntu" | |
echo "is running here. Let's try to start the KDE system settings" | |
echo "" | |
systemsettings > /dev/null 2>&1 | |
else | |
gnome-keyboard-properties > /dev/null 2>&1 | |
fi | |
read -sp "Press [Enter] to continue." | |
echo "" | |
echo "" | |
echo "" | |
echo "###############################################################################" | |
echo "# Define your values: target device" | |
echo "###############################################################################" | |
echo "Please enter the device we have to use (ALL DATA WILL BE ERASED ON THIS ONE!)" | |
echo "" | |
echo "Hints:" | |
echo "- In common, IDE disk are adressed via '/dev/hd[a-z]' ('/dev/hda'=1st disk," | |
echo " '/dev/hdb'=2nd disk, '/dev/hdc'=3rd disk and so on...)." | |
echo "- In common, SATA disk are adressed via '/dev/sd[a-z]' ('/dev/sda'=1st disk," | |
echo " '/dev/sdb'=2nd, '/dev/sdc'=3rd disk disk and so on...)." | |
echo "" | |
DEVICE_TARGET="" | |
while true; do | |
if [ -b "$DEVICE_TARGET" ] && $(question "You typed '${DEVICE_TARGET}'. Is this correct?"); then | |
break 1 | |
fi | |
echo -n "Which device should be used? " | |
read DEVICE_TARGET | |
done | |
echo "" | |
echo "" | |
echo "###############################################################################" | |
echo "# Define your values: size of your boot partition (-> '/boot')" | |
echo "###############################################################################" | |
echo "Please enter the size you wish to be used for your boot partition '/boot'. This" | |
echo "partition should be at least 100MB big. 200MB should be enough to be on the" | |
echo "safe side." | |
echo "This script defines a minimal value of 50MB for '/boot', everything below will" | |
echo "not be accepted." | |
echo "Please enter the size in MB, digits only. (e.g. enter 200 for 200MB)." | |
echo "" | |
echo "NOTE: remaining free space (=space not allocated by) will be used either for" | |
echo " '/' or '/home'. A summary will be shown after all needed values are" | |
echo " defined." | |
echo "" | |
SIZE_BOOT="" | |
while true; do | |
if [ -n "$SIZE_BOOT" ] && [ $SIZE_BOOT -gt 49 ] && $(question "You typed '${SIZE_BOOT}'. Is this correct?"); then | |
break 1 | |
fi | |
echo -n "Size (in MB) of your boot partition '/boot' (200 is recommended)?" | |
read SIZE_BOOT | |
done | |
echo "" | |
echo "" | |
echo "###############################################################################" | |
echo "# Define your values: size of swap" | |
echo "###############################################################################" | |
echo "Please enter the size you wish to be used for your swap partition. It should" | |
echo "be 1/3 bigger as your installed RAM to prevent problems using hibernation." | |
echo "This script defines a minimal value of 256MB for swap, everything below will" | |
echo "not be accepted." | |
echo "Please enter the size in MB, digits only (e.g. enter 5200 for 5200MB)." | |
echo "" | |
echo "Hints:" | |
echo "- 1GB RAM -> 1000MB*1.3 -> 1300MB swap" | |
echo "- 2GB RAM -> 2000MB*1.3 -> 2600MB swap" | |
echo "- 3GB RAM -> 3000MB*1.3 -> 3900MB swap" | |
echo "- 4GB RAM -> 4000MB*1.3 -> 5200MB swap" | |
echo "- 6GB RAM -> 6000MB*1.3 -> 7800MB swap" | |
echo "- 8GB RAM -> 8000MB*1.3 -> 10400MB swap" | |
echo "- 10GB RAM -> 10000MB*1.3 -> 13000MB swap" | |
echo "- 12GB RAM -> 12000MB*1.3 -> 15600MB swap" | |
echo "" | |
echo "NOTE: remaining free space (=space not allocated by) will be used either for" | |
echo " '/' or '/home'. A summary will be shown after all needed values are" | |
echo " defined." | |
echo "" | |
SIZE_SWAP="" | |
while true; do | |
if [ -n "$SIZE_SWAP" ] && [ $SIZE_BOOT -gt 255 ] && $(question "You typed '${SIZE_SWAP}'. Is this correct?"); then | |
break 1 | |
fi | |
echo -n "Size (in MB) of your swap partition?" | |
read SIZE_SWAP | |
done | |
if $(question "Do you want a seperate '/home' partition?"); then | |
echo "" | |
echo "" | |
echo "###############################################################################" | |
echo "# Define your values: size of '/'" | |
echo "###############################################################################" | |
echo "Please enter the size you wish to be used for your root partition '/'. This" | |
echo "partition should be at least 8000M big. 25000M should be enough for nearly" | |
echo "everybody." | |
echo "This script defines a minimal value of 2500MB for '/', everything below will" | |
echo "not be accepted." | |
echo "Please enter the size in MB, digits only. (e.g. enter 8000 for 8000MB)." | |
echo "" | |
echo "NOTE: remaining free space (=space not allocated by '/', '/boot' and swap) will" | |
echo " be used for '/home'. A summary will be shown after all needed values are" | |
echo " defined." | |
echo "" | |
SIZE_ROOT="" | |
while true; do | |
if [ -n "$SIZE_ROOT" ] && [ $SIZE_BOOT -gt 2499 ] && $(question "You typed '${SIZE_ROOT}'. Is this correct?"); then | |
break 1 | |
fi | |
echo -n "Size (in MB) of your root partition '/'?" | |
read SIZE_ROOT | |
done | |
else | |
SIZE_ROOT="" | |
fi | |
echo "" | |
echo "" | |
echo "###############################################################################" | |
echo "# Encryption strength" | |
echo "###############################################################################" | |
echo "Using 'aes-xts-plain' with a key size of 256bit for XTS and AES is recommended" | |
echo "on newer machines. However, if you got an older PC (single core), a 128bit key" | |
echo "is the better choice - and is still *very* secure." | |
echo "Please enter the size in bit, digits only (e.g. enter 256 for 256bit)." | |
echo "" | |
echo "Recommended:" | |
echo "- Single core/slower machine: 128bit" | |
echo "- Dualcore and above: 256bit" | |
echo "" | |
KEYSIZE="" | |
while true; do | |
if [ "$KEYSIZE" == "128" ] || [ "$KEYSIZE" = "256" ] && $(question "You typed '${KEYSIZE}'. Is this correct?"); then | |
break 1 | |
fi | |
echo -n "XTS/AES key size (128 or 256)?" | |
read KEYSIZE | |
done | |
echo "" | |
echo "" | |
echo "###############################################################################" | |
echo "# Start now?" | |
echo "###############################################################################" | |
echo "Target device: ${DEVICE_TARGET}" | |
echo "Key size: ${KEYSIZE}bit (for each XTS and AES)" | |
echo "Size of '/boot': ${SIZE_BOOT}MB" | |
echo "Size of 'swap': ${SIZE_SWAP}MB" | |
if [ $SIZE_ROOT ]; then | |
echo "Size of '/': ${SIZE_ROOT}MB" | |
echo "Size of '/home': 100% of the remaining space not used by '/', '/boot' and swap." | |
else | |
echo "Size of '/': 100% of the remaining space not used by '/boot' and swap." | |
fi; | |
echo "" | |
echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" | |
echo "! ATTENTION: ALL DATA ON '${DEVICE_TARGET}' WILL BE ERASED!" | |
echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" | |
if ! $(question "Start work now?"); then | |
echo "Operation cancelled by user" | |
exit 0 | |
fi | |
echo "" | |
echo "" | |
echo "###############################################################################" | |
echo "# Write random data to '${DEVICE_TARGET}'?" | |
echo "###############################################################################" | |
echo "It is recommended to completely fill up your target device with random data" | |
echo "if it is a common harddisk and was storing unencrypted, personal data until" | |
echo "now. Additionally, this is a good HDD reliability test for new drives." | |
echo "" | |
echo "Note: This may take VERY long (e.g. ~24h for a slower 500GB harddisk using a" | |
echo " Celeron M@1.7GHz)." | |
echo "" | |
if $(question "Fill '${DEVICE_TARGET}' with random data before encrypting it?"); then | |
echo "Start filling up disk with random data... THIS MAY TAKE SEVERAL HOURS!" | |
echo "" | |
sudo dd if=/dev/urandom of=${DEVICE_TARGET} bs=32M | |
checkError "Filling up disk with random data failed! Please check:\n1) is '${DEVICE_TARGET}' correct? 2) your hardware" | |
read -sp "Filling up disk with random data done. Press [Enter] to continue." | |
fi | |
echo "" | |
echo "" | |
echo "###############################################################################" | |
echo "# LiveCD: Install needed packages and load needed kernel modules" | |
echo "###############################################################################" | |
#install needed packages | |
sudo apt-get install --yes lvm2 cryptsetup | |
checkError "Could not install needed packages - please check your internet connection or:" | |
#load needed kernel modules | |
sudo modprobe dm-checkError | |
checkError "Could not load needed kernel modules?!" | |
echo "Done." | |
echo "" | |
echo "" | |
echo "###############################################################################" | |
echo "# Target system: create needed partitions on '${DEVICE_TARGET}'" | |
echo "###############################################################################" | |
sudo parted --script ${DEVICE_TARGET} mklabel gpt | |
checkError "Could not create partition label!" | |
sudo parted --script ${DEVICE_TARGET} mkpart primary 0 ${SIZE_BOOT} | |
checkError "Could not create first partition!" | |
sudo parted --script ${DEVICE_TARGET} mkpart primary ${SIZE_BOOT} 100% | |
checkError "Could not create second partition!" | |
echo "Done." | |
echo "" | |
echo "" | |
echo "###############################################################################" | |
echo "# Target system: init encryption on '${DEVICE_TARGET}2'" | |
echo "###############################################################################" | |
echo "Please follow the instructions..." | |
echo "" | |
#XTS is supporting key size of 128 or 256bit. "--key-size 512" means, both | |
#AES and XTS are using the maximum key size of 256bit. For slower systems | |
#"--key-size 256" may be an option, resulting in a 128bit encryption. | |
let LUKSKEYSIZE=${KEYSIZE}+${KEYSIZE} | |
#using while loops because the user may enter long, complicated passwords... | |
DO=1 | |
while [ $? -ne 0 ] || | |
[ ${DO} -ne 0 ] | |
do | |
DO=0 | |
sudo cryptsetup --cipher aes-xts-plain --key-size ${LUKSKEYSIZE} --verify-passphrase luksFormat ${DEVICE_TARGET}2 | |
done | |
echo "cryptsetup was succesful, crypto-device '${DEVICE_TARGET}2' was created." | |
echo "" | |
echo "Unlocking the freshly created crypto-device for the upcoming actions." | |
echo "Therefore, please type your pwd." | |
echo "" | |
DO=1 | |
while [ $? -ne 0 ] || | |
[ ${DO} -ne 0 ] | |
do | |
DO=0 | |
sudo cryptsetup luksOpen ${DEVICE_TARGET}2 lvm_crypt | |
done | |
unset DO | |
echo "" | |
echo "Done." | |
echo "" | |
echo "" | |
echo "###############################################################################" | |
echo "# Target system: setup LVM (Logical Volume Manager) within '${DEVICE_TARGET}2'" | |
echo "###############################################################################" | |
sudo pvcreate /dev/mapper/lvm_crypt | |
checkError "Could not create physical volume '/dev/mapper/lvm_crypt'!" | |
sudo vgcreate crypt /dev/mapper/lvm_crypt | |
checkError "Could not create volume group 'crypt'!" | |
sudo lvcreate -L ${SIZE_SWAP}M -n swap crypt | |
checkError "Could not create logical volume 'swap' in volume group 'crypt'!" | |
if [ "$SIZE_ROOT" ]; then | |
sudo lvcreate -L ${SIZE_ROOT}M -n root crypt | |
checkError "Could not create logical volume 'root' in volume group 'crypt'!" | |
sudo lvcreate -l 100%FREE -n home crypt | |
checkError "Could not create logical volume 'home' in volume group 'crypt'!" | |
else | |
sudo lvcreate -L 100%FREE -n root crypt | |
checkError "Could not create logical volume 'root' in volume group 'crypt'!" | |
fi | |
echo "" | |
echo "Done." | |
echo "" | |
echo "" | |
echo "###############################################################################" | |
echo "# Target system: preparing partitions to prevent problems with the installer" | |
echo "###############################################################################" | |
echo "NOTE: you can choose other filesystems later. These mkfs calls are just done to" | |
echo " prevent problems with the graphical Ubuntu installer." | |
echo "" | |
sudo mkswap /dev/mapper/crypt-swap | |
checkError "Could not create filesystem on '/dev/mapper/crypt-swap'!" | |
sudo mkfs.ext4 /dev/mapper/crypt-root | |
checkError "Could not create filesystem on '/dev/mapper/crypt-root'!" | |
if [ "$SIZE_ROOT" ]; then | |
sudo mkfs.ext4 /dev/mapper/crypt-home | |
checkError "Could not create filesystem on '/dev/mapper/crypt-home'!" | |
fi | |
echo "" | |
echo "Done." | |
clear | |
echo "###############################################################################" | |
echo "# LiveCD: starting the graphical installer" | |
echo "###############################################################################" | |
echo "The graphical Ubuntu installer will be launched now. Please follow the" | |
echo "instructions the installer prints out (but do NOT reboot after installation was" | |
echo "finished)." | |
echo "" | |
echo "You have to choose 'Specify partitions manually (advanced)' and make sure:" | |
echo "- '${DEVICE_TARGET}1' is attached to the mount point '/boot'" | |
echo " and will be formatted as EXT3 (recommended) or EXT2" | |
echo "" | |
echo "- '/dev/mapper/crypt-root' is attached to the mount point '/'" | |
echo " and will be formatted as EXT4 (recommended) or another fs you like" | |
if [ "$SIZE_ROOT" ]; then | |
echo "" | |
echo "- '/dev/mapper/crypt-home' is attached to the mount point '/home'" | |
echo " and will be formatted as EXT4 (recommended) or another fs you like" | |
fi | |
echo "" | |
echo "If you need a detailed description with screenshots, have a look at:" | |
echo ${URL_ARTICLE} | |
echo "" | |
echo "" | |
echo "ATTENTION: DO **NOT REBOOT** AFTER THE INSTALLATION HAS FINISHED! CHOOSE" | |
echo " 'Continue tryout'!" | |
read -sp "Press [Enter] to continue." | |
echo "" | |
echo "" | |
echo "Starting the installer 'ubiquity'..." | |
echo "NOTE: Do NOT close this window/terminal!" | |
ubiquity --desktop %k gtk_ui > /dev/null 2>&1 #command copied from the properties of the GNOME starter on the Live CD's Desktop | |
if [ $? -ne 0 ] | |
then | |
echo "" | |
echo "ubiquity with GNOME UI exited with an error... maybe Kcrypt instead" | |
echo "of Ubuntu is running here. Let's try to start ubiquity with KDE interface." | |
echo "" | |
ubiquity kde_ui > /dev/null 2>&1 #command copied from the properties of the KDE starter on the Live CD's Desktop | |
if [ $? -ne 0 ] | |
then | |
echo "" | |
echo "ubiquity with KDE UI exited with an error... maybe Mint instead" | |
echo "of (K)Ubuntu is running here. Let's try to start ubiquity without any speciality." | |
echo "" | |
ubiquity > /dev/null 2>&1 #command copied from the properties of the Mint starter on the Live CD's Desktop | |
checkError "Installer exited with an error!" | |
fi; fi | |
echo "" | |
sleep 2 #give system some time... | |
echo "Done. Please wait a few seconds..." | |
sleep 8 #give system some time... | |
echo "" | |
echo "" | |
echo "###############################################################################" | |
echo "# Target system: post installation actions" | |
echo "###############################################################################" | |
echo "Installing the needed software into the freshly installed Ubuntu to get a" | |
echo "bootable system" | |
echo "" | |
echo "NOTE: You can ignore Openpty()- and /etc/crypttab warnings as long as the" | |
echo " software was installed." | |
echo "" | |
sudo mount /dev/mapper/crypt-root /mnt | |
checkError "Could not mount: mount /dev/mapper/crypt-root /mnt!" | |
sudo mount ${DEVICE_TARGET}1 /mnt/boot | |
checkError "Could not mount: ${DEVICE_TARGET}1 /mnt/boot!" | |
sudo mount -o bind /dev /mnt/dev | |
checkError "Could not mount: mount -o bind /dev /mnt/dev!" | |
sudo mount -t proc proc /mnt/proc | |
checkError "Could not mount: mount -t proc proc /mnt/proc!" | |
sudo mount -t sysfs sys /mnt/sys | |
checkError "Could not mount: mount -t sysfs sys /mnt/sys!" | |
sudo cp /etc/resolv.conf /mnt/etc/resolv.conf #not everyone got a router... | |
checkError "Could not copy /etc/resolv.conf to /mnt/etc/resolv.conf! Please reboot and try it again!" | |
sudo chroot /mnt /bin/bash << EOF | |
apt-get install --yes cryptsetup lvm2 | |
echo "lvm_crypt $(blkid /dev/${DEVICE_TARGET}2 | cut -d ' ' -f 2) none luks" >> /etc/crypttab | |
update-initramfs -u -k all | |
exit | |
EOF | |
checkError "Something regarding chroot failed!" | |
echo "" | |
echo "Success, work done :-)" | |
read -sp "Press [Enter] to reboot now." | |
echo "" | |
sudo reboot | |
exit 0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
have a look at https://github.com/rdkr/lvm-on-luks