August 05, 2013 Archives

05-08-2013 20:58

Setting up LVM on a luks encrypted partition.

I have let this blog go a bit, OK, a lot. Maybe because I have been lazy and not documented my recent findings, or perhaps I am getting so good I know all the answers. Yes, the answer is obvious.

Today I set up a laptop work gave me to use. We use Ubuntu 12.04 on the servers here, so I figured it would be smart to use Ubuntu 12.04 (or a derived distro). I love KDE and I am using Mint 13 on my desktop, so it made sense to go with that. What I quickly found is that the installer is lacking any options for encrypting your disk.

Off I went to find a tutorial on this. The three main pages I used were: https://www.martineve.com/2012/11/02/luks-encrypting-multiple-partitions-on-debianubuntu-with-a-single-passphrase, http://blog.lifebloodnetworks.com/?p=1348 and https://help.ubuntu.com/community/EncryptedFilesystemLVMHowto. The last link is close to what I wanted (page may be deleted, it is saying!) but I also wanted to go with GPT because...why not, it is 2013. So I will cover the steps here.

STEP 1

Launch a terminal and install the needed software before starting the Mint installer.
sudo -i
apt-get install lvm2 cryptsetup gdisk
gdisk /dev/sda
Set up a GPT partition table. I can't remember the command, it wasn't hard. Now set up 3 partitions. Partition 1 will be type ef02 and only needs to be 1M. This is for grub-bios. It stores the stage 2 files to allow booting on systems that don't support EFI and do a BIOS boot. GPT doesn't have an allocated space for these files, hence the partition. Then partition 2 will be the boot partition, type 8300. I set it to 500MB. Then last will be the LVM pv, type 8e00, using all remaining space.

STEP 2

Next we set up the disk and partitions.
cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 /dev/sda3
cryptsetup luksOpen /dev/sda3 system
And now the LVM on top of the encrypted partition (/dev/sda3).
pvcreate /dev/mapper/system
vgcreate luks /dev/mapper/system
lvcreate -n swap -L 8G luks
lvcreate -n slash -L 12G luks
lvcreate -n home -l 100%FREE luks
Then I found the installer wouldn't recognise these logical volumes unless they were formatted so...
mkfs.ext2 /dev/sda2
mkfs.ext4 /dev/luks/slash
mkfs.ext4 /dev/luks/home
mkswap /dev/luks/swap

STEP 3

Now we proceed with the installer. When it comes time to do the partitioning, select Manual. Be sure to match the right partitions with the right mount points. In my example:
/dev/luks/slash (/)
/dev/luks/home (/home)
/dev/sda2 (/boot)
/dev/luks/swap (swap)
Don't reboot once the install has completed.

STEP 4

Now we set up the new install to be aware of and use the new disks.
sudo -i
mkdir a
mount /dev/luks/slash a
mount /dev/sda2 a/boot
mount -B /dev a/dev
mount -B /dev/pts a/dev/pts
mount -B /sys a/sys
mount -B /proc a/proc
chroot a
apt-get update
apt-get install lvm2 cryptsetup

STEP 5

You can check your new /etc/fstab (/root/a/etc/fstab outside the chroot) but mine was fine and didn't need editing. The next file, /etc/crypttab, needs to be created. In our example here it would be:
system /dev/sda3 none luks
You can use a UUID="840311bc-9333-47f6-b64f-a9becf3c5b1e" style entry there in place of /dev/sda3.
And the next step that got me was to tell grub about this setup.
vim /etc/default/grub (/root/a/etc/default/grub outside the chroot)
Change:
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"

to

GRUB_CMDLINE_LINUX_DEFAULT="cryptopts=target=system,source=/dev/sda3,lvm=luks quiet splash"
Change as required. Then run update-grub.
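
A mismatch between the mapping name in /etc/crypttab and the target= in cryptopts only shows up at the next boot, so it is worth checking from inside the live session first. The script below is an added example, not part of the original post; the function names are made up for illustration and the sample files are constructed from the values used above.

```shell
#!/bin/sh
# Added example: cross-check crypttab against cryptopts= in the grub defaults
# file. Pass chroot paths (a/etc/crypttab, a/etc/default/grub) before rebooting.

# Print one cryptopts value (target, source or lvm) from a grub defaults file.
cryptopt() {  # usage: cryptopt <grub-file> <key>
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1" |
        tr ' ' '\n' | sed -n 's/^cryptopts=//p' |
        tr ',' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Print the source field of the crypttab entry named <target>, quotes stripped.
crypttab_source() {  # usage: crypttab_source <crypttab-file> <target>
    awk -v t="$2" '$1 == t { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# Return 0 if both files agree, 1-3 for the distinct failure cases.
# The comparison is textual: /dev/sda3 and its UUID= form count as a mismatch.
check_crypt_boot() {  # usage: check_crypt_boot <crypttab-file> <grub-file>
    target=$(cryptopt "$2" target)
    src=$(cryptopt "$2" source)
    [ -n "$target" ] || { echo "no cryptopts target= in $2"; return 1; }
    tab_src=$(crypttab_source "$1" "$target")
    [ -n "$tab_src" ] || { echo "target '$target' has no entry in $1"; return 2; }
    [ "$tab_src" = "$src" ] || { echo "source differs: $tab_src vs $src"; return 3; }
    echo "ok: $target -> $src"
}

# Constructed sample files using the values from the post.
demo=$(mktemp -d)
printf '%s\n' 'system /dev/sda3 none luks' > "$demo/crypttab"
printf '%s\n' 'GRUB_CMDLINE_LINUX_DEFAULT="cryptopts=target=system,source=/dev/sda3,lvm=luks quiet splash"' > "$demo/grub"
check_crypt_boot "$demo/crypttab" "$demo/grub"
rm -rf "$demo"
```

If the check reports a source difference because one file uses /dev/sda3 and the other a UUID, compare the UUID against the output of blkid /dev/sda3 before deciding which file to change.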

Done!


Posted by DaveQB