Navigation Menu

Skip to content

Instantly share code, notes, and snippets.

@superjamie
Last active April 21, 2024 15:07
Show Gist options
  • Star 52 You must be signed in to star a gist
  • Fork 11 You must be signed in to fork a gist
  • Save superjamie/d56d8bc3c9261ad603194726e3fef50f to your computer and use it in GitHub Desktop.
Save superjamie/d56d8bc3c9261ad603194726e3fef50f to your computer and use it in GitHub Desktop.
How to install Ubuntu with LUKS Encryption on LVM

How to install Ubuntu with LUKS Encryption on LVM

My work requires us to have full-disk encryption, so these are the steps I use.

The basic idea is to create a LUKS-encrypted partition which is used as an LVM Physical Volume.

The GRUB boot partition isn't encrypted, but everything else is.

These steps tested and working on 22.04 (jammy) and 20.04 (focal).

Steps

Boot from the Ubuntu LiveUSB. I am actually using Ubuntu MATE.

Open the terminal application and become root:

sudo -s

If you're using storage which had something on it before, you might want to ATA Secure Erase and reboot again.

If using BIOS Legacy Boot, use fdisk /dev/sda to create partitions like:

  • sda1 - at least 512M - type 83 Linux
  • sda2 - rest of disk - type 8e LVM seems fine, or type e8 LUKS

If using UEFI, use gdisk /dev/sda to create partitions like:

  • sda1 - at least 512M - type EF00 EFI System Partition
  • sda2 - at least 512M - type 8300 Linux
  • sda3 - rest of disk - type 8309 LUKS

If using UEFI, format the EFI System Partition as FAT32:

mkfs.vfat -F 32 /dev/sda1

For the rest of this tutorial, I will refer to the LUKS partition as sdaX. Select sda2 or sda3 as appropriate for your system.

Encrypt the LUKS partition with a passphrase:

cryptsetup luksFormat /dev/sdaX

Mount the encrypted partition with your passphrase:

cryptsetup open /dev/sdaX luks1

The encrypted partition is now mounted at /dev/mapper/luks1.

Treat /dev/mapper/luks1 as an LVM PV and create your volumes. Mine are like:

  • Volume Group vg_hostname
    • Logical Volume lv_root - Probably at least 20G, maybe 30 or 40
    • Logical Volume lv_swap - Optional, maybe not desirable if you have an SSD
    • Logical Volume lv_home - Rest of the space

Commands to do this are:

pvcreate /dev/mapper/luks1
vgcreate vg_hostname /dev/mapper/luks1
lvcreate -L 30G -n lv_root vg_hostname
lvcreate -L 512M -n lv_swap vg_hostname
lvcreate -l100%FREE -n lv_home vg_hostname

Run the regular installer, choose custom partitioning.

If using BIOS Legacy Boot, set it up like:

  • /dev/sda1 - ext4 or XFS at /boot
  • /dev/mapper/vg_hostname-lv_root - ext4 or XFS at / (root)
  • /dev/mapper/vg_hostname-lv_home - ext4 or XFS at /home
  • Add swap if you created it
  • Install bootloader into /dev/sda

If using UEFI, set it up like:

  • /dev/sda1 - EFI System Partition
  • /dev/sda2 - ext4 or XFS at /boot
  • /dev/mapper/vg_hostname-lv_root - ext4 or XFS at / (root)
  • /dev/mapper/vg_hostname-lv_home - ext4 or XFS at /home
  • Add swap if you created it

When the installer finishes, don't reboot.

The system currently won't boot from disk, so stay in the LiveUSB environent.

(If you accidentally do reboot, that's fine, just get back into the LiveUSB and cryptsetup open again then pvscan; vgscan; lvscan to find the LVM volumes)

Open the terminal application and become root:

sudo -s

We'll now create a chroot and enter the installed system:

## /target will already exist in the live environment post-install
mkdir -p /target
## mount the root filesystem at /target
mount /dev/mapper/vg_hostname-lv_root /target
## mount some extra stuff so the chroot works
for DIR in proc sys dev /etc/resolv.conf; do mount --rbind /$DIR /target/$DIR; done
## enter the chroot
chroot /target
## we are now inside the installed system, not the live environment
## the following command mounts /boot (and /boot/efi if present) so initramfs/GRUB updates work
mount -a

Get the UUID of the encrypted outer partition sdaX with:

blkid
/dev/sdaX: UUID="abcdef-abcd-abcd-abcd-abcd-abcd-abcdef" TYPE="crypto_LUKS"

Using the above UUID, create the file /etc/crypttab with the contents:

luks1 UUID="abcdef-abcd-abcd-abcd-abcd-abcd-abcdef" none luks

The none parameter makes the system ask for passphrase on boot.

Edit /etc/default/grub and set:

GRUB_ENABLE_CRYPTODISK=y

As of kernel 5.11.0-40-generic there's a ~45-second pause at boot while the system tries to find a non-existent resume device, so we'll disable resume.

Create the file /etc/initramfs-tools/conf.d/noresume.conf with contents:

RESUME=none

If you want to mount /tmp as tmpfs (ramdisk) then:

sudo ln -s /usr/share/systemd/tmp.mount /etc/systemd/system/ 
sudo systemctl enable tmp.mount

Update the initramfs for all installed kernels:

update-initramfs -u -k all

Update the GRUB bootloader config:

grub-mkconfig -o /boot/grub/grub.cfg

Exit the chroot with Ctrl+d and turn the system off gracefully with poweroff.

Remove the LiveUSB, boot normally.

You will be asked for your encryption passphrase before boot proceeds.

References

Author and License

History

  • 2021-11 - First publish
  • 2022-01 - Add UEFI steps, remove mid-install reboot, add license, tidy here and there
  • 2022-04 - Works on 22.04 as well
  • 2022-11 - Fix a typo, remove my old Asus-laptop-specific microcode workaround from a general guide
@radekcrlik
Copy link

I thank you. I thank you dearly. I wish luck to you, your family, and your children for 100 generations!
This was exactly what I was looking for. I spent 3 days unable to make Ubuntu work with this disc layout. I really don't know why it's that complicated.

@tux2bsd
Copy link

tux2bsd commented Dec 7, 2023

cryptsetup open /dev/sdaX luks1

suggested tweak:

cryptsetup luksOpen /dev/sdaX luks1

A little clearer to about the "luks"-ness in is occuring, since cryptsetup covers range of things.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment