LVM & LUKS manual partitioned but issues with loader/init/grub
I've had some success with manually partitioning and installing LVM & LUKS.
The partitions are created - home, root, swap and boot, the pv and vg's were all created and set up correctly.
I installed from Live and everything in the file system installed to the right places.
I chroot and mounted and set up /etc/crypttab with the correct UUID and /etc/fstab is pointing to the right mapper and UUIDs (based on blkid output).
At this point I try a couple of approaches to try and get the bootloader and grub to give me a password login screen that will decrypt what I referenced in /etc/crypttab.
First approach -
mount -t proc proc /proc
mount -t sysfs sys /sys
update-initramfs -u
running this tells me
/usr/sbin/iucode_tool: cpuid kernel driver unavailable, cannot scan system processor signatures
Second approach -
Checking for /etc/mkinitcpio.conf to add lvm2 and encrypt and then followed by
mkinitcpio -p linux
This doesn't work either because mkinitcpio doesn't exist.
After some research I was thinking that /etc/crypttab perhaps is enough for the existing init processes?
Third approach -
Editing /etc/default/grub to add
GRUB_ENABLE_CRYPTODISK=y
and then running
grub mkconfig -o /boot/grub/grub.cfg
grub-install /dev/sda1
The problem with this is that I am getting
/usr/sbin/grub-probe: error: failed to get canonical path of `/dev/mapper/ubuntu-rootvol'
I know it should be fairly simple to get this boot screen with password sorted out but I'm out of options. Please can you tell me the correct method for having Ubuntu reference /etc/crypttab
Thanks for your help!
I found a way to set up LUKS and LVM while manually partitioning! I tested this on Ubuntu 16.04.2
Boot Ubuntu from a Live OS and select the option to try Ubuntu without installing. Follow the steps I've outlined below.
- Partition the drive with your tool of choice: I used fdisk to set mine up on an msdos partition table as follows:
- sda1: /boot (1G)
- sda2: LUKS partition (the rest of the disk)
- Set up LUKS
sudo cryptsetup luksFormat --hash=sha512 --key-size=512 --cipher=aes-xts-plain64 --verify-passphrase /dev/sda2
sudo cryptsetup luksOpen /dev/sda2 CryptDisk
- While not necessary, it is a good idea to fill your LUKS partition with zeros so that the partition, in an encrypted state, is filled with random data.
sudo dd if=/dev/zero of=/dev/mapper/CryptDisk bs=4M
BEWARE, this could take a really long time!
- Set up LVM on /dev/mapper/CryptDisk
sudo pvcreate /dev/mapper/CryptDisk
sudo vgcreate vg0 /dev/mapper/CryptDisk
sudo lvcreate -n swap -L 2G vg0
sudo lvcreate -n root -L 10G vg0
sudo lvcreate -n home -l +100%FREE vg0
- Now you're ready to install. When you get to the "Installation type" portion of the install, choose the "Something else" option. Then manually assign the /dev/mapper/vg0-* partitions as you would like to have them configured. Don't forget to set /dev/sda1 as /boot. The /boot partition must not be encrypted. If it is, we won't be able to boot. Change the "Device for boot loader installation" to /dev/sda, and continue with installation.
- When installation is complete, don't reboot! Choose the option to "Continue Testing".
- In a terminal, type the following and look for the UUID of /dev/sda2. Take note of that UUID for later.
sudo blkid
- The important line on my machine reads
/dev/sda2: UUID="bd3b598d-88fc-476e-92bb-e4363c98f81d" TYPE="crypto_LUKS" PARTUUID="50d86889-02"
- Next let's get the newly installed system mounted again so we can make some more changes.
sudo mount /dev/vg0/root /mnt
sudo mount /dev/vg0/home /mnt/home # this is probably not necessary
sudo mount /dev/sda1 /mnt/boot
- If you have an EFI partition, mount it at /mnt/boot/efi
sudo mount --bind /dev /mnt/dev # I'm not entirely sure this is necessary
sudo mount --bind /run/lvm /mnt/run/lvm
- Now run
sudo chroot /mnt
to access the installed system
- From the chroot, mount a couple more things
mount -t proc proc /proc
mount -t sysfs sys /sys
mount -t devpts devpts /dev/pts
- Set up crypttab. Using your favorite text editor, create the file /etc/crypttab and add the following line, changing out the UUID with the UUID of your disk.
CryptDisk UUID=bd3b598d-88fc-476e-92bb-e4363c98f81d none luks,discard
- Lastly, rebuild some boot files.
update-initramfs -k all -c
update-grub
- Reboot, and the system should ask for a password to decrypt on boot!
Special thanks go to Martin Eve, EGIDIO DOCILE, and the folks at blog.botux.fr for tutorials they posted. By pulling pieces from their posts and doing a little extra troubleshooting, I was finally able to figure this out.
I tried this a number of times and failed over and over. The bit that I had to work out for myself based on error messages was sudo mount --bind /run/lvm /mnt/run/lvm
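A pre-reboot check for the crypttab step above, as an added example that is not part of the original posts: it confirms that every UUID in /etc/crypttab belongs to a crypto_LUKS device in the blkid output, rather than to the opened mapper or an LVM volume. The function names and the sample data are assumptions made for this example; only the sda2 UUID is the one quoted in the answer.

```bash
#!/usr/bin/env bash
# Added example: verify /etc/crypttab against `blkid` output before rebooting.
# Function names are hypothetical; sample data at the bottom is constructed.

# blkid_type UUID BLKID_TEXT -> prints the TYPE of the device carrying that UUID
blkid_type() {
    printf '%s\n' "$2" | awk -v id="$1" '
        BEGIN { u = "UUID=\"" id "\"" }
        { for (i = 2; i <= NF; i++) if ($i == u) hit = 1 }
        hit { for (i = 2; i <= NF; i++) if ($i ~ /^TYPE=/) { gsub(/TYPE=|"/, "", $i); print $i }
              exit }'
}

# check_crypttab CRYPTTAB_TEXT BLKID_TEXT -> one verdict line per entry;
# the return status is the number of entries that do not point at a LUKS container.
check_crypttab() {
    local bad=0 name src key opts uuid type
    while read -r name src key opts; do
        case "$name" in ''|'#'*) continue ;; esac
        case "$src" in
            UUID=*) uuid=${src#UUID=}; type=$(blkid_type "$uuid" "$2") ;;
            *) echo "WARN $name: source '$src' is not UUID= based"; continue ;;
        esac
        if [ "$type" = crypto_LUKS ]; then
            echo "OK   $name: UUID $uuid is a LUKS container"
        else
            echo "FAIL $name: UUID $uuid has type '${type:-not found}', expected crypto_LUKS"
            bad=$((bad + 1))
        fi
        case ",$opts," in *,discard,*) echo "NOTE $name: 'discard' passes TRIM through, revealing which blocks are unused" ;; esac
    done <<EOF
$1
EOF
    return "$bad"
}

# Constructed sample input (only the sda2 line comes from the page).
BLKID_SAMPLE='/dev/sda1: UUID="11111111-2222-3333-4444-555555555555" TYPE="ext4" PARTUUID="50d86889-01"
/dev/sda2: UUID="bd3b598d-88fc-476e-92bb-e4363c98f81d" TYPE="crypto_LUKS" PARTUUID="50d86889-02"
/dev/mapper/CryptDisk: UUID="aaaaaa-bbbb-cccc-dddd-eeee-ffff-gggggg" TYPE="LVM2_member"'
GOOD_TAB='CryptDisk UUID=bd3b598d-88fc-476e-92bb-e4363c98f81d none luks,discard'
BAD_TAB='CryptDisk UUID=aaaaaa-bbbb-cccc-dddd-eeee-ffff-gggggg none luks'

# On a real system: check_crypttab "$(cat /etc/crypttab)" "$(sudo blkid)"
check_crypttab "$GOOD_TAB" "$BLKID_SAMPLE"
```

`BAD_TAB` models the common mistake of copying the UUID of the opened mapper device (an LVM2_member) instead of the underlying LUKS partition; the check reports it as FAIL.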