How do I preseed encrypting just the root partition?
I have 3 partitions: EFI (/boot/efi), boot (/boot) and root (/). I want to encrypt just /. I can do this manually via the installer, but I want to preseed it.
How do I define it? My (non-encrypted) recipe looks something like the below. It is something of a mishmash of suggestions for EFI System Partitions I have found (found no clear guide).
boot-root ::
100 100 100 fat32
$primary
$iflabel{ gpt }
$reusemethod( }
use_filesystem{ } filesystem{ vfat }
method{ efi } format{ }
mountpoint{ /boot/efi }
.
300 300 300 ext4
use_filesystem{ } filesystem{ ext4 }
method{ format } format{ }
mountpoint{ /boot }
.
100% 3000 100% ext4
use_filesystem{ } filesystem{ ext4 }
method{ format } format{ }
mountpoint{ / }
.
How do I make sda3 be a physical partition for LUKS-encryption and then have a filesystem on top of that?
UPDATE:
I discovered that I can set the partition to be crypto as below, but there are still 3 issues:
- I still need to create and activate the encrypted volumes on the chosen partition
- I still need to set the correct ext4 filesystem on the encrypted volume after created and activated
- The recipe doesn't select the encryption type to
dm-cryptwhich is required for creating and activating the encrypted volumes.
Still struggling mightily
boot-root ::
100 100 100 fat32
$primary
$iflabel{ gpt }
$reusemethod( }
use_filesystem{ } filesystem{ vfat }
method{ efi } format{ }
mountpoint{ /boot/efi }
.
300 300 300 ext4
use_filesystem{ } filesystem{ ext4 }
method{ format } format{ }
mountpoint{ /boot }
.
100% 3000 100% ext4
method{ crypto } format{ }
.
Solution 1:
At first, open a root terminal:
sudo -i
Then fill the partition, which should be encrypted, with random data using a command like this:
openssl enc -aes-256-ctr -pass pass:"$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64)" -nosalt < /dev/zero > /dev/sdxy
You have to replace sdxy with the partition which will be encrypted. Then type
cryptsetup luksFormat --cipher twofish-xts-plain64 --key-size 512 --hash sha512 --iter-time 2000 /dev/sdxy
to encrypt the partition sdxy. Open the volume and name it root:
cryptsetup luksOpen /dev/sdxy root
Use this command to make an ext4 filesystem inside it:
mkfs.ext4 /dev/mapper/root
Next you can start the installer. Chose "Something else" when being asked what you would like to do. Then chose the mount points for all your not-encrypted partitions. For your root partition, select /dev/mapper/root, click "Change". Then select ext4 for the filesystem type and set the mount point to /. Then click "Install now" and install Ubuntu normally.
When finished installing click "Continue testing". Open a terminal and type:
sudo -i
cd /mnt
mkdir root
mount /dev/mapper/root root
mount /dev/sdyz root/boot
sdyz should be replaced with your boot partition. Next, type:
chroot root
mount -t proc proc /proc
mount -t sysfs sys /sys
nano /etc/crypttab
Open a second terminal and type sudo blkid. Find the UUID for root (the one that says crypto_luks in the end) and paste it into /etc/crypttab. Then the file /etc/crypttab should look something like this:
root UUID=d68911dd-172a-4608-86d4-084eb72f409c none luks
Close the file with Ctrl+x, y and Enter. Type nano /etc/fstab in the terminal and check if everything looks right (e.g. the UUIDs).
At last, quit the chroot environment and type:
cryptsetup luksHeaderBackup /dev/sdxy --header-backup-file /root/root.img
This puts an image of the header of the encrypted partition into the folder /root and names it root.img. Then move the image to an external drive (in case of forgetting the password). Now you can reboot into your newly installed Ubuntu.
Source: http://thesimplecomputer.info/full-disk-encryption-with-ubuntu