Installing ubuntu 14.04 in an encrypted LVM
I’ve been hearing some hype about the new LTS (long term support) release 14.04 of ubuntu, so I decided to give it a try. I have not yet used it enough to give an adequate review, so this post will only be about my experience with installing.
The ubuntu release is available for download at www.ubuntu.com. I downloaded both the main distribution file “ubuntu-14.04-desktop-amd64.iso” and the kubuntu distribution file “kubuntu-14.04-desktop-amd64.iso”. This post describes installing from the main distribution file.
Booting the installer
The downloaded file is for a live installer for the 64-bit version. It is intended to be burned to a DVD, though the ubuntu site also has instructions for preparing a live USB. I ignored the instructions, and wrote the iso file to a USB using “dd_rescue” on opensuse. And that worked fine. I had no trouble booting that live USB. I was able to boot on an older system, and on a newer UEFI system with secure-boot enabled.
It was because I wanted to use encryption that the install ran into some problems. The installer gave three initial choices:
- install alongside other operating systems;
- delete everything on the disk and allow ubuntu to use it all;
- something else.
I chose the third option. I expect things would have been easier with either of the other options. But I wanted to install in an already existing encrypted LVM. And there was no direct option for that.
The release notes did warn that there were extra steps if you wanted to re-use an existing LUKS encrypted partition. They advised that you should first boot into the live system. Next, you should open the LUKS encrypted partition. And then you should close that partition before proceeding.
I tried that. There was nothing on the desktop for my encrypted LVM. The file manager showed other partitions, but did not show the encrypted LVM. So there was no way to click on it in the desktop, so as to open it.
So I used the command line. First
got me a root shell. And, from there, I could use “cryptsetup” to access the LUKS encrypted partition. That turned out to already make the LVM volumes accessible. I checked that with
I presumed that was what the release notes were calling for. And perhaps that would have worked for a regular partition, but I ran into problems with that as an LVM.
I proceeded to the install, by clicking the “Install ubuntu” icon.
The installation itself seemed simple enough. Choosing that third install option, as mentioned above, I was given a list of partitions. That list included the volumes inside the LVM. I selected the volumes to use for swap and root, and the unencrypted partition to use for “/boot”. I indicated that the EFI partition should be used, though I’m not sure that was needed.
It indicated that the system would be booted from the drive “/dev/sda”. I was not sure about that, for it seemed to hint at installing grub in the MBR instead of using efi booting. The only choices were to boot from other partitions. So I decided to proceed and see what happened.
The install itself seemed to go smoothly. Then came the reboot.
Booting the system
On reboot, the UEFI firmware did recognize the new install. So apparently the booting had been set up correctly for UEFI and for secure-boot.
The problem was that the system never booted. After a while, there was a timeout message about not being able to find the root file system. And I had never been prompted for the encryption key. Evidently, the “initrd” had not been properly built to handle the crypto.
With a little googling, I found that this was expected. Or, at least, it was expected for earlier ubuntu releases. The page that I found did provide sufficient hints for me to be able to get it working.
It was time to go into rescue mode. So I booted the live installer USB. I then used
to get a root shell.
The first step was to open the encrypted LVM and mount the file systems. I first used the “blkid” command to find the UUID of the partition, since I knew that ubuntu likes to mount by UUID.
# cryptsetup luksOpen UUID=7428e7b8-30da-407a-b4ec-6b53ac372022 cr_lvm1
opened the encrypted partition and made the LVM accessible. Looking in “/dev/mapper” showed me the device special files that were now accessible. I mounted the file for the root partition at “/mnt”.
Next, I checked whether there was a file “/mnt/etc/crypttab”. There was no such file. So I created one:
cr_lvm1 UUID=7428e7b8-30da-407a-b4ec-6b53ac372022 none none
That done, I set about fixing the “initrd”.
# mount /dev/sda4 /mnt/boot
# mount /dev/sda2 /mnt/boot/efi
# mount --bind /dev /mnt/dev
# mount --bind /proc /mnt/proc
# mount --bind /sys /mnt/sys
# chroot /mnt
# update-initramfs -k all -c -v
The last of those commands was to rebuild the initrd from the chroot environment. The output looked good.
The final step was to reboot the system. There was a grub menu for ubuntu. That was followed by a prompt for the encryption key. And, shortly thereafter, I was running my installed ubuntu.
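The failed boot above came down to a LUKS container with no “/etc/crypttab” entry. As an added example (not part of the original post), this shell check compares saved “blkid” output against a crypttab file and lists every LUKS container that has no entry; the device names and the non-LUKS UUIDs in the sample are constructed.

```shell
#!/bin/sh
# Added example: list LUKS containers that have no crypttab entry.
# On a rescue system: blkid > /tmp/blkid.txt, then check /mnt/etc/crypttab.

# Print the UUID of every crypto_LUKS line in saved blkid output.
luks_uuids() {
    grep 'TYPE="crypto_LUKS"' "$1" |
        sed -n 's/.*[[:space:]]UUID="\([^"]*\)".*/\1/p'
}

# Succeed if some non-comment crypttab line has UUID=<uuid> as its source field.
crypttab_has() {
    [ -f "$2" ] || return 1
    awk -v want="UUID=$1" \
        '$1 !~ /^#/ && $2 == want { found = 1 } END { exit !found }' "$2"
}

# Print each LUKS UUID missing from the crypttab; return 1 if any is missing.
missing_entries() {
    rc=0
    for u in $(luks_uuids "$1"); do
        crypttab_has "$u" "$2" || { echo "UUID=$u"; rc=1; }
    done
    return $rc
}

# Constructed sample: blkid output using the post's LUKS UUID (the rest is made up).
make_sample() {
    cat > "$1/blkid.txt" <<'EOF'
/dev/sda2: UUID="A1B2-C3D4" TYPE="vfat" PARTUUID="00000000-0000-0000-0000-000000000002"
/dev/sda4: UUID="11111111-2222-3333-4444-555555555555" TYPE="ext4" PARTUUID="00000000-0000-0000-0000-000000000004"
/dev/sda5: UUID="7428e7b8-30da-407a-b4ec-6b53ac372022" TYPE="crypto_LUKS" PARTUUID="00000000-0000-0000-0000-000000000005"
EOF
}

d=$(mktemp -d)
make_sample "$d"
# Before the fix: no crypttab at all, so the container is reported.
missing_entries "$d/blkid.txt" "$d/crypttab" || echo "^ no crypttab entry"
# After the fix: the line from the post is present, nothing is reported.
echo 'cr_lvm1 UUID=7428e7b8-30da-407a-b4ec-6b53ac372022 none none' > "$d/crypttab"
missing_entries "$d/blkid.txt" "$d/crypttab" && echo "all LUKS containers covered"
rm -rf "$d"
```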
After a few days of testing, I will probably replace that with a kubuntu install. So I expect that I will have to go through these steps again.