How can I reinstall Ubuntu focal 20.04 on an existing LUKS encrypted system?

encryption reinstall multi-boot ubuntu-20.04 luks

Based on the my personal experiments using the Ubuntu 20.04 installer, online research, and asking various forums (and lack of answers there), I conclude that as of today, there is no way to do all of the following:

  • Installing/reinstalling Ubuntu ...
  • using the installer GUI ...
  • on a pre-encrypted system (LUKS, with separate /home partition or not) without destroying pre-existing personal files...
  • with dual booting another OS.

Of course there are ways of doing this if you rely on the command line, which I was looking to avoid. I've decided to switch to Fedora 32 as it meets all these requirements. Ubuntu served me rather well for over a decade, hope to return when the above issue is fixed.

For those interested in my Fedora 32 setup:

  • Dual-boot setup with Windows 10.
  • Reuse (DO NOT FORMAT) /boot/efi partition from Windows 10 install
  • Create UNENCRYPTED /boot partition
  • Create/Reuse ENCRYPTED / partition
  • Create/Reuse ENCRYPTED /home partition
  • Provide Passphrase to unlock above encrypted partitions.
  • Post install, added RPMFusion repository and Gnome Tweaks extension

Thats the summary, its been a week and so far things have been great with Fedora 32. I've not really noticed much difference from Ubuntu for my needs (Email, Browsing, viewing photos/videos, music, skype, spreadsheets, documents).

Thanks!


I could manage it with my PC I had to reinstall because Ubuntu upgrade was failed from 18 LTS to 20 LTS.

I had an Ubuntu 18 LTS with two partition:

  • /dev/sda1 for /boot without encryption
  • /dev/sda5 for LVM PV with encryption (extended partition because Ubuntu 18 LTS installer created this way at last Christmas)

Inside the LVM partition, I have everyting encrypted with luks:

  • gabor2-vg VG
    • root LV formatted for ext4 mounted for /
    • home LV formatted for ext4 mounted for /home
    • swap LV

Similarly to your case, home LV contains all my important stuff I want to keep untouched while I am reinstalling my whole system to the latest Ubutnu 20.04.1 LTS with Cinnamon UI.

I have a PXE server at home to make my job easier but you can use a USB stick as well to do the same with help of iso images and rufus image writer software.

In the first round, I tried Ubuntu 20.04 LTS net boot installer. It was started fine but showed only my partitions: sda1 and sda5, so nothing about LVM and LUKS.

I found in the help menu at the top right an option to have a bash shell. There I hope opened the LUKS volume, step back and forth but installer still not saw the LVM volumes.

cryptsetup luksOpen /dev/sda5 gabor2-crypt

As a second round, I tried exactly the same with the Ubuntu 20.04 LTS live CD as well. I opened a terminal, opened the luks container then started the installer from the desktop icon.

Magically this installer saw the LVM logical volumes if I opened the LUKS container and I could select which LV is which, and which one should be formatted and which not. Perfect, I thought but then my PC is not booted at all. I got initramfs prompt.

At the installation, when you select filesystems, mountpoints, etc for your LVM volumes, be careful with the format option to avoid accidental reformat your home LV. I reformatted /boot and / to ensure no waste remains back.

Reason was quite obvious: /etc/crypttab was not set by the installer automatically.

So I went back to the live Ubuntu CD (booted from PXE but whatever), mounted all the necessary partitions, entered into chroot, edited crypttab, regenerated initramfs and grub then I could boot while my home was remained untouched. My Cinnamon UI had the original background, icons, etc. Very nice. Would be even better if it would fully be automated :)

Here are the commands I used to fix the boot as described above. Starting point is a live Ubuntu 20.04.1 LTS CD on the PC we just reinstalled and want to fix.

# open luks container
cryptsetup luksOpen /dev/sda5 gabor2-crypt

# mount LVM volumes
mount /dev/mapper/gabor2--vg-root /mnt
mount /dev/mapper/gabor2--vg-home /mnt/home
mount /dev/sda1 /mnt/boot

# mount some other thing just because to make chroot fully functional
mount --bind /dev /mnt/dev
mount --bind /run /mnt/run
mount --bind /proc /mnt/proc
mount --bind /sys /mnt/sys

# enter into chroot where we want to act as we would be in the properly booted target system which is our new Ubuntu 20.04.1 LTS
chroot /mnt

# get the UUID we have to write to /etc/crypttab file
blkid /dev/sda5
/dev/sda5: UUID="........-....-....-......." TYPE="crypto_LUKS" PARTUUID=".....-.."

# create crypttab (if no vim, install it with apt!)
vim /etc/crypttab
  gabor2_crypt UUID="........-....-....-......." none luks

# regenerate initramfs and grub (initramfs might be enough but I'm lazy enough to reboot and grub update takes quite a little time)
update-initramfs -u
update-grub

# we are done, need to exit from the chroot and unmount and close everything to ensure filesystem consistency, then reboot
exit
umount /mnt/dev
umount /mnt/sys
umount /mnt/proc
umount /mnt/run
umount /mnt/boot
umount /mnt/home
umount /mnt/
cryptsetup luksClose gabor2-crypt
reboot

I hope I described precise enough what I did and will help for others too.

When I just rebooted my PC without unmounting my logical volumes and without closing my LUKS container, I experienced some filesystem issues: my root volume was remounted in read-only automatically at random times. After I did that long unmount command series filesystem issue was gone.

Good luck! Have fun!


There is a Launchpad bug about this, the workaround there is:

https://bugs.launchpad.net/ubuntu/+source/ubiquity/+bug/1904270

Workaround

Ubuntu 20.04: Extra Steps for Re-Using Existing LUKS Encrypted Partition

(replace nvme0n1p8 with your encrypted LUKS partition)

  • BEFORE starting the installer (if in Ubuntu or Kubuntu live CD desktop), or at the first step (if using Ubuntu Server text-based live CD installer):
# open existing LUKS partition 
cryptsetup luksOpen /dev/nvme0n1p8 nvme0n1p8_crypt
  • Then, either do this at the end after the installer has run, or boot into a live CD environment (e.g. Kubuntu) and do:
cryptsetup luksOpen /dev/nvme0n1p8 nvme0n1p8_crypt
mount -o subvol=@ /dev/mapper/MainVG-root /mnt/
mount /dev/nvme0n1p7 /mnt/boot/
mount --rbind /dev/ /mnt/dev/
mount --rbind /sys/ /mnt/sys/
mount --rbind /run/ /mnt/run/
mount --rbind /proc/ /mnt/proc/
chroot /mnt /bin/bash -l
blkid | grep crypto_LUKS
# Example: /dev/nvme0n1p8: UUID="8cb9831a-692e-4b0e-936f-72529a3ed56d" TYPE="crypto_LUKS" PARTUUID="139f23d2-a0ff-4f4f-b41f-8083964ac894"
apt install vim
vim /etc/crypttab
# Add a line for the encrypted partiton, e.g:
# nvme0n1p8_crypt UUID="8cb9831a-692e-4b0e-936f-72529a3ed56d" none luks
#
# MAKE SURE There's a newline at end of /etc/crypttab

# update the initramfs
update-initramfs -u -k all


umount -l /mnt


# Optional, probably not needed
grub-install --recheck /dev/nvme0n1
grub-mkconfig -o /boot/grub/grub.cfg

Related

(Closed) Is there a way to unlock a bitlocked hard drive using TPM in command prompt?
What does XDG stand for?
What is the best way to watch internet movies (Hulu, etc.) on my TV? [closed]
Windows Explorer: How to avoid that a "slow" double click on a file opens "renaming"
Why does some of the songs in my iTunes library stop prematurely and go to the next song?
What is a good external trackpad for a Mac? [closed]
Laptop power options while flying [closed]
Is it possible to stop Windows Update from backing up for future uninstall?
What's a good way for organizing PDF documents on Windows? [closed]
Is there a typo corrector for bash?
How can I display a web page as my Gnome screensaver?
Capture live streaming