How to install Ubuntu 15.10 on an encrypted RAID 1

ubuntu raid encryption disk-encryption fde

I recently set up an Ubuntu 15.10 (desktop) on a encrypted RAID 1 and want to share how to achieve this as it didn't work out of the box and I didn't find any tutorial. So what I wanted to achieve was an Ubuntu running on an encrypted volume which is mirrored to two physical HDDs running in RAID 1 configuration.


Solution 1:

Big Picture

So let's start with an image of what the result looks like: enter image description here

Basic Strategy

So the steps to setup a system like this are the following:

  1. Create a Live-USB Stick
  2. Boot the Live-CD
  3. Prepare the RAID (mdadm used)
  4. Prepare the Encrypted Container (luks used)
  5. Install Ubuntu via the installer (unfortunately doesn't support this setup out of the box)
  6. Switch to target system via chroot
  7. Fix mdadm-installation (not automatically installed when installing on raid)
  8. Fix crypttab (not automatically installed when installing on encrypted volume)
  9. Fix grub (if necessary)
  10. Reboot

Step by Step

So I will walk you through these steps:

  1. Create a Live-USB Stick from http://releases.ubuntu.com/15.10/ubuntu-15.10-desktop-amd64.iso (or any other architecture if applicable)

  2. Boot the live CD (don't install)

3./4. Start the first shell script which will walk you through the following steps

  • Prepare the RAID
  • Prepare the Encrypted Container
#!/bin/bash

read -p "verify sda/sdb are the intended devices and other devices are unplugged"
sudo apt-get install gparted mdadm

read -p "create empty partitions for raid and also reserved bios gpt areas manually! Use gpt-partition tables in all steps, apply the following layout to both disks: 1MiB unformmated (bios_grub) (recommendation to leave 99MiB unallocated in case we need to do some nasty EFI stuff), remaining space unformatted partition"
sudo gparted
sudo parted /dev/sda set 1 raid on
sudo parted /dev/sdb set 1 raid on

read -p "verify non-bios partition is actual sda2 and sdb2"
sudo mdadm --create /dev/md0 --auto md --level=1 --raid-devices=2 /dev/sda2 /dev/sdb2

read -p "create boot partition and empty partition for encryption"
sudo gparted
sudo cryptsetup -c aes-xts-plain64 -s 512 -h sha512 luksFormat /dev/md0p2
sudo cryptsetup luksOpen /dev/md0p2 lukslvm
sudo pvcreate /dev/mapper/lukslvm
sudo vgcreate vgubuntu /dev/mapper/lukslvm
sudo lvcreate -L 10G -n swap vgubuntu
sudo lvcreate -L 100G -n root vgubuntu
sudo lvcreate -l 100%FREE -n home vgubuntu
sudo mkswap /dev/mapper/vgubuntu-swap -L swap
sudo mkfs.ext4 /dev/mapper/vgubuntu-root -L root
sudo mkfs.ext4 /dev/mapper/vgubuntu-home -L home
echo "all done, start installation (and fix boot in chroot)"

  1. Install Ubuntu via the installer (recommendation don't install updates on install so in case of an error you don't wait unnecessarily)

  2. Switch to target system via chroot. To do so open a new terminal window cd to /media/ubuntu and prepare the chroot with the following script:

#!/bin/bash

read -p "verify this script is called from /media/ubuntu/ and a subfolder is used as mountpoint for the chroot root filesystem named root"
mkdir /media/ubuntu/root
#umount /media/ubuntu/bootpart 
mount /dev/mapper/vgubuntu-root root
mount /dev/md0p1 root/boot/
mount -o rbind /dev root/dev
mount -t proc proc root/proc/
mount -t sysfs sys root/sys
cp /etc/resolv.conf root/etc/resolv.conf 
echo "chroot setup, call 'sudo chroot /media/ubuntu/root /bin/bash' to chroot"

7./8./9. Use the following script in the chroot shell (after calling 'sudo chroot /media/ubunu/root /bin/bash') to:

  • Fix mdadm-installation
  • Fix crypttab
  • Fix grub (if necessary)
#!/bin/bash

sudo apt-get update
apt-get install emacs mdadm
#read -p "the BIOS boot partition must be configured to be 1MiB, unformatted and having flag bios_grub"
#sudo gparted
grub-install /dev/sda
echo "reading UUID of root device /dev/md0p2"
blkid /dev/md0p2 
read -p "edit crypttab add line 'lukslvm UUID=<VOLUME_ID> none luks'"
emacs /etc/crypttab
read -p "edit modules add line 'dm-crypt'"
emacs /etc/modules
update-initramfs -u -k all
read -p "add 'kopt=root=/dev/mapper/vgubuntu-root' to 'GRUB_CMDLINE_LINUX_DEFAULT' in /etc/default/grub"
emacs /etc/default/grub
sudo update-grub
  1. Reboot

You can adapt any sizes in the scripts to your needs. Save and excute them to reduce the time needed.

By the way, thanks to a good friend for helping me out when I got really stuck.

Related

How to remove a drive from a non-standard 2-drive RAID 5 array?
Excel - stipulate an average for random number function
How do I access a hard drive from a computer where windows is deleted?
How to run an Apache Tomcat Webserver on my PC and access it from a real Android Device?
Outlook 2010 Navigation Pane - Show Unread Count on Mailbox
Fix degraded SSD performance on Mac without full erase
How do I instruct Firefox to allow me to open file:/// URLs on a localhost-server http:// webpage?
Auto deleting files older than given minutes on Windows
svchost.exe is crashing
Multiple default gateways
Is better a low power WiFi signal without interference or a more powerful signal with interference?
How do I delete a directory that appears to contain nameless files?