How can I reinstall Ubuntu focal 20.04 on an existing LUKS encrypted system?

Based on my personal experiments using the Ubuntu 20.04 installer, online research, and asking various forums (and lack of answers there), I conclude that as of today, there is no way to do all of the following:

  • Installing/reinstalling Ubuntu ...
  • using the installer GUI ...
  • on a pre-encrypted system (LUKS, with separate /home partition or not) without destroying pre-existing personal files...
  • with dual booting another OS.

Of course there are ways of doing this if you rely on the command line, which I was looking to avoid. I've decided to switch to Fedora 32 as it meets all these requirements. Ubuntu served me rather well for over a decade, hope to return when the above issue is fixed.

For those interested in my Fedora 32 setup:

  • Dual-boot setup with Windows 10.
  • Reuse (DO NOT FORMAT) /boot/efi partition from Windows 10 install
  • Create UNENCRYPTED /boot partition
  • Create/Reuse ENCRYPTED / partition
  • Create/Reuse ENCRYPTED /home partition
  • Provide Passphrase to unlock above encrypted partitions.
  • Post install, added RPMFusion repository and Gnome Tweaks extension

That's the summary; it's been a week and so far things have been great with Fedora 32. I've not really noticed much difference from Ubuntu for my needs (Email, Browsing, viewing photos/videos, music, skype, spreadsheets, documents).

Thanks!


I could manage it with my PC, which I had to reinstall because the Ubuntu upgrade from 18 LTS to 20 LTS failed.

I had an Ubuntu 18 LTS with two partitions:

  • /dev/sda1 for /boot without encryption
  • /dev/sda5 for LVM PV with encryption (extended partition because Ubuntu 18 LTS installer created this way at last Christmas)

Inside the LVM partition, I have everything encrypted with LUKS:

  • gabor2-vg VG
    • root LV formatted for ext4 mounted for /
    • home LV formatted for ext4 mounted for /home
    • swap LV

Similarly to your case, the home LV contains all the important stuff I want to keep untouched while I am reinstalling my whole system with the latest Ubuntu 20.04.1 LTS with Cinnamon UI.

I have a PXE server at home to make my job easier but you can use a USB stick as well to do the same with help of iso images and rufus image writer software.

In the first round, I tried the Ubuntu 20.04 LTS net boot installer. It started fine but showed only my partitions: sda1 and sda5, so nothing about LVM and LUKS.

I found in the help menu at the top right an option to get a bash shell. There I opened the LUKS volume and stepped back and forth, but the installer still did not see the LVM volumes.

cryptsetup luksOpen /dev/sda5 gabor2-crypt

As a second round, I tried exactly the same with the Ubuntu 20.04 LTS live CD as well. I opened a terminal, opened the LUKS container, then started the installer from the desktop icon.

Magically, this installer saw the LVM logical volumes once I had opened the LUKS container, and I could select which LV is which, and which one should be formatted and which not. Perfect, I thought, but then my PC did not boot at all. I got an initramfs prompt.

During the installation, when you select filesystems, mountpoints, etc. for your LVM volumes, be careful with the format option to avoid accidentally reformatting your home LV. I reformatted /boot and / to ensure no waste remains.

The reason was quite obvious: /etc/crypttab was not set by the installer automatically.

So I went back to the live Ubuntu CD (booted from PXE but whatever), mounted all the necessary partitions, entered a chroot, edited crypttab, regenerated initramfs and grub, and then I could boot while my home remained untouched. My Cinnamon UI had the original background, icons, etc. Very nice. It would be even better if it were fully automated :)

Here are the commands I used to fix the boot as described above. The starting point is a live Ubuntu 20.04.1 LTS CD on the PC we just reinstalled and want to fix.

# open luks container
cryptsetup luksOpen /dev/sda5 gabor2-crypt

# mount LVM volumes
mount /dev/mapper/gabor2--vg-root /mnt
mount /dev/mapper/gabor2--vg-home /mnt/home
mount /dev/sda1 /mnt/boot

# mount a few more things to make the chroot fully functional
mount --bind /dev /mnt/dev
mount --bind /run /mnt/run
mount --bind /proc /mnt/proc
mount --bind /sys /mnt/sys

# enter the chroot, where we act as if we were in the properly booted target system, which is our new Ubuntu 20.04.1 LTS
chroot /mnt

# get the UUID we have to write to the /etc/crypttab file
blkid /dev/sda5
# output:
# /dev/sda5: UUID="........-....-....-......." TYPE="crypto_LUKS" PARTUUID=".....-.."

# create crypttab (if there is no vim, install it with apt!)
vim /etc/crypttab
# add this line; the first field is the mapping name used with luksOpen above:
#   gabor2-crypt UUID="........-....-....-......." none luks

# regenerate initramfs and grub (initramfs might be enough but I'm lazy enough to reboot and grub update takes quite a little time)
update-initramfs -u
update-grub

# we are done; exit the chroot, then unmount and close everything to ensure filesystem consistency, then reboot
exit
umount /mnt/dev
umount /mnt/sys
umount /mnt/proc
umount /mnt/run
umount /mnt/boot
umount /mnt/home
umount /mnt/
cryptsetup luksClose gabor2-crypt
reboot

I hope I described what I did precisely enough and that it will help others too.

When I just rebooted my PC without unmounting my logical volumes and without closing my LUKS container, I experienced some filesystem issues: my root volume was automatically remounted read-only at random times. After I ran that long series of unmount commands, the filesystem issue was gone.

Good luck! Have fun!


There is a Launchpad bug about this; the workaround there is:

https://bugs.launchpad.net/ubuntu/+source/ubiquity/+bug/1904270

Workaround

Ubuntu 20.04: Extra Steps for Re-Using Existing LUKS Encrypted Partition

(replace nvme0n1p8 with your encrypted LUKS partition)

  • BEFORE starting the installer (if in Ubuntu or Kubuntu live CD desktop), or at the first step (if using Ubuntu Server text-based live CD installer):
# open existing LUKS partition 
cryptsetup luksOpen /dev/nvme0n1p8 nvme0n1p8_crypt
  • Then, either do this at the end after the installer has run, or boot into a live CD environment (e.g. Kubuntu) and do:
cryptsetup luksOpen /dev/nvme0n1p8 nvme0n1p8_crypt
mount -o subvol=@ /dev/mapper/MainVG-root /mnt/
mount /dev/nvme0n1p7 /mnt/boot/
mount --rbind /dev/ /mnt/dev/
mount --rbind /sys/ /mnt/sys/
mount --rbind /run/ /mnt/run/
mount --rbind /proc/ /mnt/proc/
chroot /mnt /bin/bash -l
blkid | grep crypto_LUKS
# Example: /dev/nvme0n1p8: UUID="8cb9831a-692e-4b0e-936f-72529a3ed56d" TYPE="crypto_LUKS" PARTUUID="139f23d2-a0ff-4f4f-b41f-8083964ac894"
apt install vim
vim /etc/crypttab
# Add a line for the encrypted partition, e.g.:
# nvme0n1p8_crypt UUID="8cb9831a-692e-4b0e-936f-72529a3ed56d" none luks
#
# MAKE SURE There's a newline at end of /etc/crypttab

# update the initramfs
update-initramfs -u -k all


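# Optional, probably not needed (run while still inside the chroot,
# so that grub.cfg is written to the installed system's /boot)
grub-install --recheck /dev/nvme0n1
grub-mkconfig -o /boot/grub/grub.cfg

# leave the chroot, then lazily unmount everything under /mnt
exit
umount -l /mnt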
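
A check that can be run from the live session before rebooting, covering the crypttab details the two answers above rely on: an entry for the opened mapping name, the LUKS UUID rather than the PARTUUID, and the trailing newline. This is an added example, not part of the answers or of the Launchpad workaround; `check_crypttab`, `make_samples` and the return codes are hypothetical names, and the sample files are constructed from the example `blkid` line quoted above.

```shell
#!/bin/sh
# Added example: sanity-check a crypttab before rebooting. Sample data is constructed.

# check_crypttab CRYPTTAB MAPPING BLKID_OUTPUT_FILE
# Returns 0 ok, 1 file missing/empty, 2 no trailing newline,
# 3 no entry named MAPPING, 4 source is not the UUID of a crypto_LUKS device.
check_crypttab() {
    tab=$1 name=$2 blk=$3

    [ -s "$tab" ] || { echo "missing or empty: $tab" >&2; return 1; }

    # Command substitution strips a trailing newline, so a non-empty result
    # means the last byte of the file is something else.
    [ -z "$(tail -c 1 "$tab")" ] || { echo "no newline at end of $tab" >&2; return 2; }

    # Second field (source device) of the entry whose first field is MAPPING.
    src=$(awk -v n="$name" '$1 == n { print $2; exit }' "$tab")
    [ -n "$src" ] || { echo "no entry named $name in $tab" >&2; return 3; }

    case $src in
        UUID=*) uuid=${src#UUID=} ;;
        *) echo "source is not UUID=...: $src" >&2; return 4 ;;
    esac
    uuid=${uuid#\"}; uuid=${uuid%\"}    # the answers quote the UUID; strip quotes

    # Leading space keeps PARTUUID="..." from matching as UUID="...".
    grep -F " UUID=\"$uuid\"" "$blk" | grep -q 'TYPE="crypto_LUKS"' ||
        { echo "$uuid is not the UUID of a crypto_LUKS device" >&2; return 4; }
}

# Constructed sample files, using the example blkid line quoted in the workaround.
make_samples() {
    u=8cb9831a-692e-4b0e-936f-72529a3ed56d    # UUID of the LUKS partition
    p=139f23d2-a0ff-4f4f-b41f-8083964ac894    # its PARTUUID (wrong value to use)
    printf '/dev/nvme0n1p8: UUID="%s" TYPE="crypto_LUKS" PARTUUID="%s"\n' "$u" "$p" >"$1/blkid"
    printf 'nvme0n1p8_crypt UUID="%s" none luks\n' "$u" >"$1/good"
    printf 'nvme0n1p8_crypt UUID="%s" none luks' "$u" >"$1/nonl"
    printf 'nvme0n1p8_crypt UUID="%s" none luks\n' "$p" >"$1/partuuid"
}

demo=$(mktemp -d) && make_samples "$demo"
for f in good nonl partuuid; do
    check_crypttab "$demo/$f" nvme0n1p8_crypt "$demo/blkid" && rc=0 || rc=$?
    echo "$f: rc=$rc"
done
rm -rf "$demo"
```

On a real system, save the output of `blkid` to a file from the live session and pass the crypttab of the mounted target (for example `/mnt/etc/crypttab`) together with the name given to `cryptsetup luksOpen`.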