How to install Ubuntu 15.10 on an encrypted RAID 1
I recently set up an Ubuntu 15.10 (desktop) on a encrypted RAID 1 and want to share how to achieve this as it didn't work out of the box and I didn't find any tutorial. So what I wanted to achieve was an Ubuntu running on an encrypted volume which is mirrored to two physical HDDs running in RAID 1 configuration.
Solution 1:
Big Picture
So let's start with an image of what the result looks like:
Basic Strategy
So the steps to setup a system like this are the following:
- Create a Live-USB Stick
- Boot the Live-CD
- Prepare the RAID (mdadm used)
- Prepare the Encrypted Container (luks used)
- Install Ubuntu via the installer (unfortunately doesn't support this setup out of the box)
- Switch to target system via chroot
- Fix mdadm-installation (not automatically installed when installing on raid)
- Fix crypttab (not automatically installed when installing on encrypted volume)
- Fix grub (if necessary)
- Reboot
Step by Step
So I will walk you through these steps:
Create a Live-USB Stick from http://releases.ubuntu.com/15.10/ubuntu-15.10-desktop-amd64.iso (or any other architecture if applicable)
Boot the live CD (don't install)
3./4. Start the first shell script which will walk you through the following steps
- Prepare the RAID
- Prepare the Encrypted Container
#!/bin/bash
read -p "verify sda/sdb are the intended devices and other devices are unplugged"
sudo apt-get install gparted mdadm
read -p "create empty partitions for raid and also reserved bios gpt areas manually! Use gpt-partition tables in all steps, apply the following layout to both disks: 1MiB unformmated (bios_grub) (recommendation to leave 99MiB unallocated in case we need to do some nasty EFI stuff), remaining space unformatted partition"
sudo gparted
sudo parted /dev/sda set 1 raid on
sudo parted /dev/sdb set 1 raid on
read -p "verify non-bios partition is actual sda2 and sdb2"
sudo mdadm --create /dev/md0 --auto md --level=1 --raid-devices=2 /dev/sda2 /dev/sdb2
read -p "create boot partition and empty partition for encryption"
sudo gparted
sudo cryptsetup -c aes-xts-plain64 -s 512 -h sha512 luksFormat /dev/md0p2
sudo cryptsetup luksOpen /dev/md0p2 lukslvm
sudo pvcreate /dev/mapper/lukslvm
sudo vgcreate vgubuntu /dev/mapper/lukslvm
sudo lvcreate -L 10G -n swap vgubuntu
sudo lvcreate -L 100G -n root vgubuntu
sudo lvcreate -l 100%FREE -n home vgubuntu
sudo mkswap /dev/mapper/vgubuntu-swap -L swap
sudo mkfs.ext4 /dev/mapper/vgubuntu-root -L root
sudo mkfs.ext4 /dev/mapper/vgubuntu-home -L home
echo "all done, start installation (and fix boot in chroot)"
Install Ubuntu via the installer (recommendation don't install updates on install so in case of an error you don't wait unnecessarily)
Switch to target system via chroot. To do so open a new terminal window cd to /media/ubuntu and prepare the chroot with the following script:
#!/bin/bash
read -p "verify this script is called from /media/ubuntu/ and a subfolder is used as mountpoint for the chroot root filesystem named root"
mkdir /media/ubuntu/root
#umount /media/ubuntu/bootpart
mount /dev/mapper/vgubuntu-root root
mount /dev/md0p1 root/boot/
mount -o rbind /dev root/dev
mount -t proc proc root/proc/
mount -t sysfs sys root/sys
cp /etc/resolv.conf root/etc/resolv.conf
echo "chroot setup, call 'sudo chroot /media/ubuntu/root /bin/bash' to chroot"
7./8./9. Use the following script in the chroot shell (after calling 'sudo chroot /media/ubunu/root /bin/bash') to:
- Fix mdadm-installation
- Fix crypttab
- Fix grub (if necessary)
#!/bin/bash
sudo apt-get update
apt-get install emacs mdadm
#read -p "the BIOS boot partition must be configured to be 1MiB, unformatted and having flag bios_grub"
#sudo gparted
grub-install /dev/sda
echo "reading UUID of root device /dev/md0p2"
blkid /dev/md0p2
read -p "edit crypttab add line 'lukslvm UUID=<VOLUME_ID> none luks'"
emacs /etc/crypttab
read -p "edit modules add line 'dm-crypt'"
emacs /etc/modules
update-initramfs -u -k all
read -p "add 'kopt=root=/dev/mapper/vgubuntu-root' to 'GRUB_CMDLINE_LINUX_DEFAULT' in /etc/default/grub"
emacs /etc/default/grub
sudo update-grub
- Reboot
You can adapt any sizes in the scripts to your needs. Save and excute them to reduce the time needed.
By the way, thanks to a good friend for helping me out when I got really stuck.