Andreas Haerter has a step-by-step guide on how to install an Ubuntu Linux system with full disk encryption. However, it does not encrypt GRUB2 or the /boot partition.
The purpose of using LVM is that multiple encrypted volumes can be opened with one pass-phrase at boot, because they all reside on one encrypted disk partition with a single LUKS header.
Here is a summary.
In the following examples:
- boot partition is sda2
- encrypted partition is sda5
- opened encrypted partition is sda5-secure
- encrypted VG is SecureVG
- Root LV is secure-root
From the live install disk, install LVM2 and cryptsetup (the package name is lowercase):
# apt-get install lvm2
# apt-get install cryptsetup
# modprobe dm-crypt
Create the LUKS header for the encrypted partition, e.g. (on current cryptsetup versions aes-xts-plain64 is the default and avoids the 32-bit IV wrap-around of plain on partitions larger than 2 TiB):
# cryptsetup --cipher aes-xts-plain --key-size 512 --verify-passphrase luksFormat /dev/sda5
Open the encrypted partition, e.g.
# cryptsetup luksOpen /dev/sda5 sda5-secure
This maps to /dev/mapper/sda5-secure
Create the LVM volumes:
# pvcreate /dev/mapper/sda5-secure
# vgcreate SecureVG /dev/mapper/sda5-secure
# lvcreate ...
Install the system.
Chroot to the new system root mounted at /mnt/secure-root.
# mkdir /mnt/secure-root
# mount /dev/mapper/SecureVG-secure--root--01 /mnt/secure-root
# mount /dev/sda2 /mnt/secure-root/boot
# mount -o bind /dev /mnt/secure-root/dev
# mount -t proc proc /mnt/secure-root/proc
# mount -t sysfs sys /mnt/secure-root/sys
# cp /etc/resolv.conf /mnt/secure-root/etc/resolv.conf
# chroot /mnt/secure-root /bin/bash
Install LVM2 and cryptsetup on the new system.
# apt-get update
# apt-get install cryptsetup lvm2
Add an entry in /etc/crypttab (the first field is the mapper name the initramfs will create; the UUID is that of the LUKS container on /dev/sda5). Generate the line with:
# echo "secure-sda5 UUID=$(blkid -s UUID -o value /dev/sda5) none luks"
E.g. "secure-sda5 UUID=6e61c215-b930-41bf-b33a-cfb52cc5b969 none luks"
Add GRUB2 modules for preload to /etc/default/grub:
GRUB_PRELOAD_MODULES="lvm cryptodisk luks"
Update the GRUB2 menu:
# update-grub
Regenerate the initrd:
# update-initramfs -u -k all
Do you feel lucky?
# exit
# reboot
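Before answering that question, it is worth checking the pieces that decide whether the first boot finds the encrypted root. The following script is an added example, not part of the original guide: it checks that /etc/crypttab carries a luks entry whose UUID matches what blkid reports for the LUKS partition, that /etc/default/grub preloads the required modules, and that the regenerated initrd contains cryptsetup. Device and file names assume the layout used above; the check functions take paths as arguments so they can also be run against copies of the files.

```bash
#!/bin/sh
# Pre-reboot sanity checks for the LUKS + LVM layout described above (added example).
# Run inside the chroot, before "exit" and "reboot", as: preflight

# 1. Does a crypttab file contain a "luks" entry for the given UUID?
#    Usage: crypttab_has_uuid <crypttab-file> <uuid>
crypttab_has_uuid() {
    # crypttab fields: <name> UUID=<uuid> <keyfile> <options>; skip comments/blank lines
    awk -v want="$2" '
        /^[[:space:]]*(#|$)/ { next }
        $2 == ("UUID=" want) && $4 ~ /(^|,)luks(,|$)/ { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# 2. Does a grub defaults file preload every module named on the command line?
#    Usage: grub_preloads <grub-default-file> <module>...
grub_preloads() {
    file=$1; shift
    mods=$(sed -n 's/^GRUB_PRELOAD_MODULES="\(.*\)"$/\1/p' "$file" | tail -n 1)
    for m in "$@"; do
        case " $mods " in
            *" $m "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# 3. Does the crypttab UUID match the real LUKS partition? (needs blkid, run as root)
#    Usage: crypttab_matches_device <crypttab-file> <device>
crypttab_matches_device() {
    uuid=$(blkid -s UUID -o value "$2") && [ -n "$uuid" ] && crypttab_has_uuid "$1" "$uuid"
}

# Run all checks against the live system using the names from this guide.
preflight() {
    crypttab_matches_device /etc/crypttab /dev/sda5 \
        || { echo "crypttab UUID does not match /dev/sda5"; return 1; }
    grub_preloads /etc/default/grub lvm cryptodisk luks \
        || { echo "GRUB_PRELOAD_MODULES is missing lvm/cryptodisk/luks"; return 1; }
    for initrd in /boot/initrd.img-*; do
        lsinitramfs "$initrd" | grep -q 'sbin/cryptsetup' \
            || { echo "$initrd does not contain cryptsetup"; return 1; }
    done
    echo "preflight OK"
}
```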