Installing ubuntu 14.04 in an encrypted LVM

I’ve been hearing some hype about the new LTS (long term support) release 14.04 of ubuntu, so I decided to give it a try.  I have not yet used it enough to give an adequate review, so this post will only be about my experience with installing.

The ubuntu release is available for download at www.ubuntu.com.  I downloaded both the main distribution file “ubuntu-14.04-desktop-amd64.iso” and the kubuntu distribution file “kubuntu-14.04-desktop-amd64.iso”.  This post describes installing from the main distribution file.

Booting the installer

The downloaded file is for a live installer for the 64-bit version.  It is intended to be burned to a DVD, though the ubuntu site also has instructions for preparing a live USB.  I ignored the instructions, and wrote the iso file to a USB using “dd_rescue” on opensuse.  And that worked fine.  I had no trouble booting that live USB.  I was able to boot on an older system, and on a newer UEFI system with secure-boot enabled.

Using encryption

It was because I wanted to use encryption, that the install ran into some problems.  The installer gave three initial choices:

  1. install alongside other operating systems;
  2. delete everything on the disk and allow ubuntu to use it all;
  3. something else.

I chose the third option.  I expect things would have been easier with either of the other options.  But I wanted to install in an already existing encrypted LVM.  And there was no direct option for that.

The release notes did warn that there were extra steps if you wanted to re-use an existing LUKS encrypted partition.  They advised that you should first boot into the live system.  Next, you should open the LUKS encrypted partition.  And then you should close that partition before proceeding.

I tried that.  There was nothing on the desktop for my encrypted LVM.  The file manager showed other partitions, but did not show the encrypted LVM.  So there was no way to click on it in the desktop, so as to open it.

So I used the command line.  First

sudo bash

got me a root shell.  And, from there, I could use “cryptsetup” to access the LUKS encrypted partition.  That turned out to already make the LVM volumes accessible.  I checked that with

ls /dev/mapper

I presumed that was what the release notes were calling for.  And perhaps that would have worked for a regular partition, but I ran into problems with that as an LVM.

Installing

I proceeded to the install, by clicking the “Install ubuntu” icon.

The installation itself seemed simple enough.  Choosing that third install option, as mentioned above, I was given a list of partitions.  That list included the volumes inside the LVM.  I selected the volumes to use for swap and root, and the unencrypted partition to use for “/boot”.  I indicated that the EFI partition should be used, though I’m not sure that was needed.

It indicated that the system would be booted from the drive “/dev/sda”.  I was not sure about that, for it seemed to hint at installing grub in the MBR instead of using efi booting.  The only choices were to boot from other partitions.  So I decided to proceed and see what happened.

The install itself seemed to go smoothly.  Then came the reboot.

Booting the system

On reboot, the UEFI firmware did recognize the new install.  So apparently the booting had been set up correctly for UEFI and for secure-boot.

The problem was that the system never booted.  After a while, there was a timeout message about not being able to find the root file system.  And I had never been prompted for the encryption key.  Evidently, the “initrd” had not been properly built to handle the crypto.

With a little googling, I found that this was expected.  Or, at least, it was expected for earlier ubuntu releases.  The page that I found did provide sufficient hints for me to be able to get it working.

Rescue time

It was time to go into rescue mode.  So I booted the live installer USB.  I then used

sudo bash

to get a root shell.

The first step was to open the encrypted LVM and mount the file systems.  I first used the “blkid” command to find the UUID of the partition, since I knew that ubuntu likes to mount by UUID.

# cryptsetup luksOpen UUID=7428e7b8-30da-407a-b4ec-6b53ac372022 cr_lvm1

opened the encrypted partition and made the LVM accessible.  Looking in “/dev/mapper” showed me the device special files that were now accessible.  I mounted the file for the root partition at “/mnt”.

Next, I checked whether there was a file “/mnt/etc/crypttab”.  There was no such file.  So I created one:

cr_lvm1 UUID=7428e7b8-30da-407a-b4ec-6b53ac372022 none none

That done, I set about fixing the “initrd”.

# mount /dev/sda4 /mnt/boot
# mount /dev/sda2 /mnt/boot/efi
# mount --bind /dev /mnt/dev
# mount --bind /proc /mnt/proc
# mount --bind /sys /mnt/sys
# chroot /mnt
# update-initramfs -k all -c -v

The last of those commands was to rebuild the initrd from the chroot environment.  The output looked good.
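The rescue sequence above, scripted with the checks a practitioner would want before trusting the reboot. This is an added example, not code from the original post: it validates the UUID before writing it into crypttab, refuses to run if cryptsetup is not installed in the target system, and, after update-initramfs, lists each rebuilt initrd to confirm it actually contains cryptsetup and the dm-crypt module (the same lsinitramfs check that turns up in the comments below). Device paths, the mapper name and the UUID are arguments; the default mount point /mnt and the “luks” crypttab option are assumptions, and the pure helper functions can be exercised without root.

```shell
#!/bin/sh
# Added example, not code from the original post. Scripts the rescue sequence
# described above and adds the checks worth doing before rebooting. Only
# rescue_rebuild_initrd() touches the system; it needs root on the live USB.
set -u

ROOT_MNT="${ROOT_MNT:-/mnt}"   # assumption: where the installed root LV is mounted

# A UUID as blkid prints it: 8-4-4-4-12 hex groups.
is_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# One crypttab line: "<mapper name> UUID=<uuid> none <options>". The post used
# "none" as the options field; "luks" is the documented option and the default
# here. A malformed UUID is rejected instead of being written out.
crypttab_entry() {
    is_uuid "$2" || return 1
    printf '%s UUID=%s none %s\n' "$1" "$2" "${3:-luks}"
}

# Does an existing crypttab already reference this UUID (quoted or not)?
crypttab_has_uuid() {
    [ -f "$1" ] && grep -Eq "UUID=\"?$2\"?" "$1"
}

# Read an initramfs listing (lsinitramfs output) on stdin and succeed only if
# it contains both the cryptsetup binary and the dm-crypt kernel module.
# Without them the boot ends at "Gave up waiting for root device".
listing_has_crypt_support() {
    listing=$(cat)
    printf '%s\n' "$listing" | grep -Eq '(^|/)sbin/cryptsetup$' &&
        printf '%s\n' "$listing" | grep -q 'dm-crypt\.ko'
}

# The rescue sequence itself. Usage, as root on the live USB:
#   rescue_rebuild_initrd <luks-uuid> <mapper-name> <root-lv-device> <boot-dev> [efi-dev]
# e.g. rescue_rebuild_initrd <uuid-from-blkid> cr_lvm1 /dev/mapper/vg-root /dev/sda4 /dev/sda2
rescue_rebuild_initrd() {
    luks_uuid="$1"; luks_name="$2"; root_lv="$3"; boot_dev="$4"; efi_dev="${5:-}"

    is_uuid "$luks_uuid" || { echo "not a UUID: $luks_uuid" >&2; return 1; }

    # 1. Open the container. The LVs under /dev/mapper normally appear on their
    #    own, as in the post; vgchange is harmless when they already have.
    cryptsetup luksOpen "UUID=$luks_uuid" "$luks_name" || return 1
    vgchange -ay >/dev/null

    # 2. Mount the installed system plus the bind mounts the chroot needs.
    #    The EFI mount is skipped when the target has no /boot/efi directory.
    mount "$root_lv" "$ROOT_MNT" || return 1
    mount "$boot_dev" "$ROOT_MNT/boot" || return 1
    if [ -n "$efi_dev" ] && [ -d "$ROOT_MNT/boot/efi" ]; then
        mount "$efi_dev" "$ROOT_MNT/boot/efi" || return 1
    fi
    for fs in dev proc sys; do
        mount --bind "/$fs" "$ROOT_MNT/$fs" || return 1
    done

    # 3. update-initramfs only pulls cryptsetup in when crypttab names the container.
    if ! crypttab_has_uuid "$ROOT_MNT/etc/crypttab" "$luks_uuid"; then
        crypttab_entry "$luks_name" "$luks_uuid" >> "$ROOT_MNT/etc/crypttab"
    fi

    # 4. The initramfs hook cannot add a cryptsetup that the target lacks.
    if ! chroot "$ROOT_MNT" sh -c 'command -v cryptsetup >/dev/null'; then
        echo "cryptsetup missing in $ROOT_MNT: apt-get install cryptsetup inside the chroot first" >&2
        return 1
    fi

    # 5. "-k all" iterates over the initrds already in /boot; with none visible
    #    (e.g. /boot not mounted) there is nothing for it to rebuild.
    ls "$ROOT_MNT"/boot/initrd.img-* >/dev/null 2>&1 ||
        { echo "no initrd.img-* under $ROOT_MNT/boot: is /boot mounted?" >&2; return 1; }
    chroot "$ROOT_MNT" update-initramfs -k all -c -v || return 1

    # 6. Verify each rebuilt initrd before trusting it with a reboot.
    for img in "$ROOT_MNT"/boot/initrd.img-*; do
        if ! chroot "$ROOT_MNT" lsinitramfs "/boot/${img##*/}" | listing_has_crypt_support; then
            echo "${img##*/} still lacks cryptsetup or dm-crypt" >&2
            return 1
        fi
    done
    echo "initrd rebuilt and verified; safe to reboot"
}
```

Source the file from a root shell on the live USB and call rescue_rebuild_initrd with your own values from blkid; the script deliberately does nothing on its own. The verification in step 6 is the part the post’s own sequence lacks: it turns “the output looked good” into a definite yes or no before the reboot.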

Success

The final step was to reboot the system.  There was a grub menu for ubuntu.  That was followed by a prompt for the encryption key.  And, shortly thereafter, I was running my installed ubuntu.

After a few days of testing, I will probably replace that with a kubuntu install.  So I expect that I will have to go through these steps again.


About Neil Rickert

Mathematician and computer scientist who dabbles in cognitive science.

20 responses to “Installing ubuntu 14.04 in an encrypted LVM”

  1. Luis says :

Thank you for your post, it’s helping me as I’m going through the same painful process.

In my case, I want to customize the size of encrypted/LVM partitions as I have a small SSD (32 GB) and a big disk (1 TB), to avoid using all the SSD, and to put swap on HDD. So I will have two encrypted FS, one for SSD and one for HDD.

What was your output for your update-initramfs command? For me, it shows “Nothing to do, exiting.” and when I reboot, it does not recognise / partition… any ideas?

    I don’t want you to bother you with my problem, but see below my setup, should you have a minute to take a look:

    root@ubuntu:~# blkid
    /dev/loop0: TYPE="squashfs" 
    /dev/sda1: UUID="cbe475e3-f468-42eb-88db-8b0c3b537afa" TYPE="crypto_LUKS" 
    /dev/sdb1: UUID="DF18-FC5D" TYPE="vfat" 
    /dev/sdb2: UUID="804c4cae-3d8e-4f7b-baec-867ee87e46de" TYPE="ext2" 
    /dev/sdb3: UUID="df369b26-8205-488d-a01d-36456a737905" TYPE="crypto_LUKS" 
    /dev/sdc1: LABEL="UBU_1404" UUID="3795-F7B6" TYPE="vfat" 
    /dev/mapper/sdb3_crypt: UUID="viOrjh-O4SE-OEbC-8xVW-mTnL-uZ3O-cmZQvl" TYPE="LVM2_member" 
    /dev/mapper/vg_ssd_system-lv_root: UUID="97a7d810-dc46-415b-9f0f-bf1ee0c2bb01" TYPE="ext4" 
    
    root@ubuntu:~# mount /dev/sdb2 /mnt/boot
    root@ubuntu:~# mount /dev/sdb1 /mnt/boot/efi
    root@ubuntu:~# mount --bind /dev /mnt/dev
    root@ubuntu:~# mount --bind /proc /mnt/proc
    root@ubuntu:~# mount --bind /sys /mnt/sys
    root@ubuntu:~# chroot /mnt
    root@ubuntu:/# update-initramfs -k all -c -v
    Nothing to do, exiting.
    root@ubuntu:/# 
    root@ubuntu:/# cat /etc/crypttab 
    sdb3_crypt UUID="df369b26-8205-488d-a01d-36456a737905" none none
    sda1_crypt UUID="cbe475e3-f468-42eb-88db-8b0c3b537afa" none none
    

    Many thanks!

    Luis

    [I inserted <pre> tags to improve readability — Neil Rickert]


    • Neil Rickert says :

      What was your output for your update-initramfs command?

      Hundreds of lines of output. I did not record it.

      In your case, obviously something went wrong.

      In your rescue attempt, did you first mount the intended root partition as “/mnt”? Your description does not show that.

      Was “cryptsetup” available in the installed system? I noticed that if I installed ubuntu without using encryption, then the installer removes “lvm2” and “cryptsetup” and related software during the install.

      Your list of mounts uses

      -bind

      but it should be

      --bind

      with two “-” symbols. That might be wordpress editing messing up what you posted. I use <pre> … </pre> tags in the original post, to avoid that problem.

[Added note: It was the wordpress editor messing up what you posted. I have since fixed that by inserting the <pre> … </pre> tags.]


      • Luis says :

        Thank you for your answer.

Indeed, when it fails to start and drops into a “busybox” shell, I do have the lvm command available… but not cryptsetup. So it seems it’s the right track (no cryptsetup available to decrypt the volume).

        Any ideas on how to force cryptsetup into initramfs?

        Thanks again!

        Luis


        • Neil Rickert says :

          Any ideas on how to force cryptsetup into initramfs?

          I’m not sure, but I think that’s what the “-c” command line option for “update-initramfs” is supposed to do.

          When you do the “chroot /mnt” to get into your mounted system, is cryptsetup available? You can try

          cryptsetup --help

          If it gives help, it is available. Otherwise it will probably tell you what “apt-get” command you need to install it. Run that command inside the chroot environment.

          Note that I have very little ubuntu experience, so I am making this up as I go along.


          • Luis Fernando says :

            Hi,

            Thanks again.

            I have been using ubuntu for a long time. But it’s the first time I’m trying to use a LUKS+LVM combination (installing from zero in a new laptop).

            After chroot /mnt, cryptsetup is still available.

            But after rebooting, I have :

            Gave up waiting for root device. Common problems:
            - Boot qrgs (cat /proc/cmdline)
              - Check rootdelay= (did the system wait long enough?)
              - Check root= (did the system wait for the right device?)
            - Missing modules (cat /proc/modules; ls /dev)
            ALERT! /dev/mapper/vg_ssd_system-lv-root does not exist. Dropping to a shell!
            
            BusyBox v1.21.1 (Ubuntu 1:1.21.0-1ubuntu1) built-in shell (ash)
            Enter 'help' for a list of built-in commands.
            (initramfs) cryptsetup
            /bin/sh: cryptsetup not found
            

            Here is the output for cat /proc/modules:

            (initramfs) cat /proc/modules
            nls_iso8859_1 12713 1 - Live 0xffffffffa003b000
            usbhid 52616 0 - Live 0xffffffffa0315000
            hid 106148 1 usbhid, Live 0xffffffffa02f3000
            usb_storage 62209 1 - Live 0xffffffffa00f5000
            nouveau 1097199 0 - Live 0xffffffffa01dc000
            rtsx_pci_sdmmc 23274 0 - Live 0xffffffffa0023000
            i915 783485 1 - Live 0xffffffffa011b000
            mxm_wmi 13021 1 nouveau, Live 0xffffffffa00a2000
            ttm 85115 1 nouveau, Live 0xffffffffa008c000
            i2c_algo_bit 13413 2 nouveau,i915, Live 0xffffffffa0006000
            drm_kms_helper 52758 2 nouveau,i915, Live 0xffffffffa010d000
            drm 302817 4 nouveau,i915,ttm,drm_kms_helper, Live 0xffffffffa0041000
            ahci 25819 0 - Live 0xffffffffa0033000
            libahci 32168 1 ahci, Live 0xffffffffa002a000
            rtsx_pci 45956 1 rtsx_pci_sdmmc, Live 0xffffffffa0016000
            wmi 19177 2 nouveau,mxm_wmi, Live 0xffffffffa000c000
            video 19476 2 nouveau,i915, Live 0xffffffffa0000000
            

            The output for ls /dev:

            (initramfs) ls /dev 
            vga_arbiter
            rfkill
            mem
            null
            port
            zero
            full
            random
            urandom
            kmsg
            tty
            console
            tty0
            vcs
            vcsa
            vcs1
            vcsa1
            tty1
            tty2
            tty3
            tty4
            tty5
            tty6
            tty7
            tty8
            tty9
            tty10
            tty11
            tty12
            tty13
            tty14
            tty15
            tty16
            tty17
            tty18
            tty19
            tty20
            tty21
            tty22
            tty23
            tty24
            tty25
            tty26
            tty27
            tty28
            tty29
            tty30
            tty31
            tty32
            tty33
            tty34
            tty35
            tty36
            tty37
            tty38
            tty39
            tty40
            tty41
            tty42
            tty43
            tty44
            tty45
            tty46
            tty47
            tty48
            tty49
            tty50
            tty51
            tty52
            tty53
            tty54
            tty55
            tty56
            tty57
            tty58
            tty59
            tty60
            tty61
            tty62
            tty63
            cpu
            snapshot
            ecryptfs
            fuse
            ptmx
            ttyS0
            ttyS1
            ttyS2
            ttyS3
            ttyS4
            ttyS5
            ttyS6
            ttyS7
            ttyS8
            ttyS9
            ttyS10
            ttyS11
            ttyS12
            ttyS13
            ttyS14
            ttyS15
            ttyS16
            ttyS17
            ttyS18
            ttyS19
            ttyS20
            ttyS21
            ttyS22
            ttyS23
            ttyS24
            ttyS25
            ttyS26
            ttyS27
            ttyS28
            ttyS29
            ttyS30
            ttyS31
            ttyprintk
            hpet
            tpm0
            ram0
            ram1
            ram2
            ram3
            ram4
            ram5
            ram6
            ram7
            ram8
            ram9
            ram10
            ram11
            ram12
            ram13
            ram14
            ram15
            loop-control
            loop0
            loop1
            loop2
            loop3
            loop4
            loop5
            loop6
            loop7
            net
            ppp
            bus
            input
            psaux
            uinput
            rtc0
            mapper
            mcelog
            cpu_dma_latency
            network_latency
            network_throughput
            pts
            core
            fd
            stdin
            stdout
            stderr
            btrfs-control
            char
            rtc
            block
            dri
            fb0
            sg0
            bsg
            sda
            sg1
            sdb
            sdb1
            sdb2
            sdb3
            sda1
            disk
            sg2
            sdc
            sdc1
            sg3
            sdd
            sdd1
            vcs2
            vcsa2
            vcs3
            vcsa3
            vcs4
            vcsa4
            vcs5
            vcsa5
            vcs6
            vcsa6
            vcs7
            vcsa7

            I will post it to ubuntu forums and see what happens.

            Thank you so far.

            Luis


          • Neil Rickert says :

            I will post it to ubuntu forums and see what happens.

            Yes, good idea.

            The puzzle is why “update-initramfs” is not doing anything on your system.


  2. Luis Fernando says :

    It worked!

    Weird but I did almost the same as you recommended, so I did not really understand why it worked now. After chroot, I did:

    cd /boot
    update-initramfs -u -k all
    

    As per http://askubuntu.com/questions/438746/luks-and-lvm-install-no-boot-gave-up-waiting-for-root-device, I did the following check:

    lsinitramfs initrd.img-$(uname -r) | grep dm 

    Before, there was no dm-crypt.ko on it.
    After update-initramfs I had this:

    lib/modules/3.13.0.24-generic/kernel/drivers/md/md-crypt.ko

    Note: As I have 2 crypted disks (ssd and hdd), I’m asked twice for LUKS password on boot.

I saw an approach for creating one initial partition for storing passwords for both my crypted disks, so I would be asked only once for the password. But for now, I’m quite scared to do that 🙂

    Thank you again.

    Luis


    • Neil Rickert says :

      I’m glad it is now working. I’m not familiar enough with ubuntu to know what went wrong the first time.

      With opensuse, the two password problem occurs when one password is requested from the “initrd” and the other is requested later during startup. I solve that by forcing both to be done in the “initrd”. But I don’t know whether that works for ubuntu.


  3. George says :

    Hi. Thanks for the post. This saved me too, on 14.04.1. A lot of trouble just to have a separate /home partition, with lvm and encryption. I don’t know why Ubuntu defaults to only a / partition. And given that lvm with encryption is an option in the installer, I don’t know why it doesn’t detect properly that it’s being installed on an encrypted lvm, even if one did the partition setup manually.

    It’s times like these that I’m tempted to jump ship to Fedora. Fedora has had such a good installer for so long. I don’t know why it’s so hard for other distros to do this well.


    • Neil Rickert says :

      The opensuse installer is also good — perhaps better than Fedora. So that’s another possibility.

      And yes, I agree. Ubuntu does make it unnecessarily difficult to install to an existing encrypted LVM.


  4. Arik says :

    Thanks! That was very helpful.

    I recorded the mounts during the Ubuntu install and replicated them to create the chroot environment, but other than that pretty much everything worked.

    Two things differed:

    1. I had to provide a “hash=” parameter on crypttab, update-initramfs let me know that it will select ripemd160 unless I do.

2. I did have a crypttab with a UID that came out of nowhere, as far as I could tell, for my encrypted swap partition. Since I wanted the swap partition to sit on an LV that was on a VG with only an encrypted PV, I simply commented it out from crypttab. Then I encountered a surprise – the entry for the swap with the correct LV already existed in fstab – but for some reason the installer failed to mkswap it.

    Go figure. I used Ubuntu 14.04.1 LTS.

    — Arik


  5. Eduardo says :

    I am trying this on Ubuntu 15.10. Unfortunately, after reboot, I get several messages saying “WARNING: Failed to connect to lvmetad. Falling back to internal scanning.” They repeat several times and, after a while, I am presented with the rescue prompt (initramfs). Any ideas about what I may be missing here?


    • Neil Rickert says :

      Unfortunately, after reboot, I get several messages saying “WARNING: Failed to connect to lvmetad. Falling back to internal scanning.”

      I regularly see messages like that. I ignore them.

      I’m not sure what your problem is, but it is probably not related to those messages.

      I assume that you did add appropriate lines to “/etc/crypttab”. Those lines are used by “update-initramfs”.

      I have not tried ubuntu-15.10.


  6. rovingrichard says :

    THANK YOU! LIFESAVER!

    Note, the mount /dev/sda2 /mnt/boot/efi line failed for me with a “directory doesn’t exist” error. I skipped it and everything booted up fine 🙂

