How do I preseed encrypting just the root partition?
I have 3 partitions: EFI (/boot/efi), boot (/boot) and root (/). I want to encrypt just /. I can do this manually via the installer, but I want to preseed it.
How do I define it? My (non-encrypted) recipe looks something like the below. It is something of a mishmash of suggestions for EFI System Partitions I have found (found no clear guide).
boot-root ::
    100 100 100 fat32
        $primary{ }
        $iflabel{ gpt }
        $reusemethod{ }
        use_filesystem{ } filesystem{ vfat }
        method{ efi } format{ }
        mountpoint{ /boot/efi }
    .
    300 300 300 ext4
        use_filesystem{ } filesystem{ ext4 }
        method{ format } format{ }
        mountpoint{ /boot }
    .
    100% 3000 100% ext4
        use_filesystem{ } filesystem{ ext4 }
        method{ format } format{ }
        mountpoint{ / }
    .
How do I make sda3 be a physical partition for LUKS encryption and then have a filesystem on top of that?
UPDATE:
I discovered that I can set the partition to be crypto as below, but there are still 3 issues:
- I still need to create and activate the encrypted volumes on the chosen partition
- I still need to set the correct ext4 filesystem on the encrypted volume after it is created and activated
- The recipe doesn't set the encryption type to dm-crypt, which is required for creating and activating the encrypted volumes.
Still struggling mightily
boot-root ::
    100 100 100 fat32
        $primary{ }
        $iflabel{ gpt }
        $reusemethod{ }
        use_filesystem{ } filesystem{ vfat }
        method{ efi } format{ }
        mountpoint{ /boot/efi }
    .
    300 300 300 ext4
        use_filesystem{ } filesystem{ ext4 }
        method{ format } format{ }
        mountpoint{ /boot }
    .
    100% 3000 100% ext4
        method{ crypto } format{ }
    .
Solution 1:
At first, open a root terminal:
sudo -i
Then fill the partition which should be encrypted with random data, using a command like this:
openssl enc -aes-256-ctr -pass pass:"$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64)" -nosalt < /dev/zero > /dev/sdxy
You have to replace sdxy with the partition which will be encrypted. Then type
cryptsetup luksFormat --cipher twofish-xts-plain64 --key-size 512 --hash sha512 --iter-time 2000 /dev/sdxy
to encrypt the partition sdxy. Open the volume and name it root:
cryptsetup luksOpen /dev/sdxy root
Use this command to make an ext4 filesystem inside it:
mkfs.ext4 /dev/mapper/root
Next you can start the installer. Choose "Something else" when asked what you would like to do. Then choose the mount points for all your non-encrypted partitions. For your root partition, select /dev/mapper/root and click "Change". Then select ext4 for the filesystem type and set the mount point to /. Then click "Install now" and install Ubuntu normally.
When finished installing, click "Continue testing". Open a terminal and type:
sudo -i
cd /mnt
mkdir root
mount /dev/mapper/root root
mount /dev/sdyz root/boot
sdyz should be replaced with your boot partition. Next, type:
chroot root
mount -t proc proc /proc
mount -t sysfs sys /sys
nano /etc/crypttab
Open a second terminal and type sudo blkid. Find the UUID for root (the one that says crypto_LUKS at the end) and paste it into /etc/crypttab. Then the file /etc/crypttab should look something like this:
root UUID=d68911dd-172a-4608-86d4-084eb72f409c none luks
Close the file with Ctrl+x, y and Enter. Type nano /etc/fstab in the terminal and check if everything looks right (e.g. the UUIDs).
At last, quit the chroot environment and type:
cryptsetup luksHeaderBackup /dev/sdxy --header-backup-file /root/root.img
This puts an image of the header of the encrypted partition into the folder /root and names it root.img. Then move the image to an external drive (in case of forgetting the password). Now you can reboot into your newly installed Ubuntu.
Source: http://thesimplecomputer.info/full-disk-encryption-with-ubuntu
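The crypttab step above is the one most easily got wrong (pasting the UUID of the ext4 filesystem inside the mapper device instead of the UUID of the crypto_LUKS partition). As an added example that is not part of the original answer, this POSIX shell script derives the /etc/crypttab entry from blkid output and refuses to guess when the output shows no crypto_LUKS partition or more than one. The blkid output, device names and UUIDs in SAMPLE_BLKID are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original answer: build the /etc/crypttab entry
# from `blkid` output (the step the answer does by hand) and refuse to guess
# when zero or several crypto_LUKS partitions are present.

# Constructed sample of `sudo blkid` output (not captured from a real system).
SAMPLE_BLKID='/dev/sda1: UUID="A1B2-C3D4" TYPE="vfat" PARTUUID="11111111-0000-0000-0000-000000000001"
/dev/sda2: UUID="3f7c1f4e-5a1b-4c2d-9e8f-123456789abc" TYPE="ext4" PARTUUID="11111111-0000-0000-0000-000000000002"
/dev/sda3: UUID="d68911dd-172a-4608-86d4-084eb72f409c" TYPE="crypto_LUKS" PARTUUID="11111111-0000-0000-0000-000000000003"
/dev/mapper/root: UUID="9b0e4a1c-7d2e-4f5a-8b6c-0123456789ab" TYPE="ext4"'

# luks_uuid BLKID_TEXT: print the UUID of the one partition whose TYPE is
# crypto_LUKS. Returns 1 if there is none, 2 if there are several (ambiguous).
luks_uuid() {
    uuids=$(printf '%s\n' "$1" | awk '
        /TYPE="crypto_LUKS"/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^UUID="/) { gsub(/UUID=|"/, "", $i); print $i }
        }')
    n=$(printf '%s\n' "$uuids" | awk 'NF { c++ } END { print c + 0 }')
    if [ "$n" -eq 0 ]; then return 1; fi
    if [ "$n" -gt 1 ]; then return 2; fi
    printf '%s\n' "$uuids"
}

# crypttab_entry NAME BLKID_TEXT: the line the answer pastes into /etc/crypttab.
# "none" means the passphrase is asked for at boot; "luks" selects the LUKS backend.
crypttab_entry() {
    uuid=$(luks_uuid "$2") || return $?
    printf '%s UUID=%s none luks\n' "$1" "$uuid"
}

# write_crypttab NAME BLKID_TEXT FILE: append the entry once; a second run with
# the same NAME leaves the file untouched, so the script is safe to re-run.
write_crypttab() {
    entry=$(crypttab_entry "$1" "$2") || return $?
    if [ -f "$3" ] && grep -q "^$1 " "$3"; then
        return 0
    fi
    printf '%s\n' "$entry" >> "$3"
}

# Usage on the live system (as root, inside the chroot described above):
#   write_crypttab root "$(blkid)" /etc/crypttab
# Demonstration on the constructed sample:
crypttab_entry root "$SAMPLE_BLKID"
```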