Ubuntu 15.10 fulldisk encryption howto

The following howto has been partly stolen from somewhere else . I adapted it to my situation. The main setup is the same: The whole installation (swap + root fs + home) should reside in a single encrypted container so that at boot we only have to provide one password and hibernate is encrypted too. Only the bootloader is unencrpyted.

Partition table:

/dev/sda1 : 280 MB /boot
/dev/sda2: Logical partition 800 GB, type 83 (Linux)

Create single LUKS container, spanning whole disk:

cryptsetup luksFormat /dev/sda5
cryptsetup luksOpen /dev/sda5 CryptDisk

With “cryptsetup status” you can check the used algorithm etc.:

cryptsetup status /dev/mapper/CryptDisk

Create LVM physical volume and volume group on LUKS container:

pvcreate /dev/mapper/CryptDisk
vgcreate lvm-vg /dev/mapper/CryptDisk

17G SWAP partition (prepare for hibernate and 16GB memory):

lvcreate -n swap -L 17g lvm-vg

35g root partition should be enough:

lvcreate -n root -L 35g lvm-vg

Rest should go to /home:

lvcreate -n home -l +100%FREE lvm-vg

Create filesystems and SWAP

mkfs.ext4 -l /root /dev/mapper/lvm--vg-root
mkfs.ext4 -l /home /dev/mapper/lvm--vg-home
mkswap /dev/mapper/lvm--vg-swap

Install with the graphical installer, choose “other” as installation method and assign the proper mountpoint to the partition:

  • /boot to /dev/sda1
  • / to /dev/mapper/lvm–vg-root
  • /home to /dev/mapper/lvm–vg-home
  • swap for /dev/mapper/lvm–vg-swap
  • Install bootloader on /dev/sda

After GUI installer finished select “continue testing”, because we are going to configure the system so that at startup it knows how to handle the encrypted disks.

During my installation the installer left the target system mounted under /target, so we can still use it (otherwise mount it yourself):

mount /dev/sda1 /target/boot
mount /dev/mapper/lvm--vg-home /target/home
mount --bind /dev /target/dev

The next steps are in the chroot environment:

chroot /target
mount -t proc proc /proc
mount -t sysfs sys /sys
mount -t devpts devpts /dev/pts

/etc/crypttab has to point to the encrypted LUKS container, the information can be obtained by blkid:

$ blkid /dev/sda5
/dev/sda3: UUID="8b80b3a7-6a33-4db3-87ce-7f126545c74af" TYPE="crypto_LUKS" PARTUUID="12345678-12"
$ cat /etc/crypttab
CryptDisk UUID=8b80b3a7-6a33-4db3-87ce-7f126545c74af none luks,retry=1,lvm=lvm-vg

Create a file /etc/initramfs-tools/conf.d/cryptroot, the UUID should match that of the LUKS container:

CRYPTROOT=target=CryptDisk,source=/dev/disk/by-uuid/8b80b3a7-6a33-4db3-87ce-7f126545c74af

initramfs needs to be updated after that step:

update-initramfs -k all -c

The setting GRUB_CMD_LINUX in /etc/default/grub must contain the UUID of the encrypted partition:

GRUB_CMDLINE_LINUX="cryptopts=target=CryptDisk,source=/dev/disk/by-uuid/8b80b3a7-6a33-4db3-87ce-7f126545c74af,lvm=lvm-vg"

As a last action in the chroot environment run update-grub:

update-grub

After exit the chroot environment and boot into the new encrypted system.

Check /boot for tampering

With the described setup the /boot partition is unencrypted (because it contains the unencrypted kernel). Its a good idea to be at least able to detect changes. The german magazine Ct published a tool in 2012 called chckboot  to do exactly this: Create checksums for stuff in /boot and detect changes at next boot.

There is an updated version available on github. After cloning it can be simply installed by

make install-systemd

Make sure to edit /etc/default/chkboot and change the variables
BOOTDISK and BOOTPART. In our example its the default setting:

$ grep -e "BOOTDISK\|BOOTPART" /etc/default/chkboot.conf
BOOTDISK=/dev/sda
BOOTPART=/dev/sda1

By default the change notification is available on text console only. To have the check done also after desktop environment login, run chkboot-desktopalert as one of your desktop startup programs.

Leave a Reply

Your email address will not be published. Required fields are marked *