Full disk encryption with Ubuntu (9.04 Jaunty or newer), LVM and LUKS

This article provides a step-by-step guide on how to install an Ubuntu Linux system with full disk encryption (new installation). However, you should take a relaxed day as topical newbie for further reading. You don't have to keep everything in mind but it is never an error to acquaint oneself with something new.

In this case, full disk encryption means:

• All non-boot data of the system will be encrypted (incl. temporary files and swap)
• Only a small boot partition remains unencrypted to store the boot loader and the kernel. The security of your data won't be affected by this.
• Automatic real-time, on-the-fly encryption incl. pre-boot authentication.

Additional key points:

• This how-to does not use the (IMHO inflexible) Alternate-CD crypto setup.
• There will be a separate /home partition within the encrypted volume, making backups and fresh installations easier.
• Despite the fact that there is more than one single encrypted partition, you only have to enter one single password during boot time. The Logical Volume Manager (LVM) is used to make this possible. LVM will be used as “crypto container”, containing the different partitions /, /home and swap.
• You don't loose any comfort – apart from the password question when the system boots, you don't have to expect any changes during daily usage. This is also true regarding kernel and/or distribution updates, there is nothing special to keep in mind. Therefore it is really worth it to tough it out.
• Suspend-to-disk (S4)/hibernation works (if it also would work on an unencrypted installation, for sure).
• Thanks to Logical Volume Manager (LVM), subsequent partitioning changes are possible.

Short summary to get an overview of the actions needed to be done:

1. Boot a live session plus endow it with the needed software (LVM, LUKS/cryptsetup).
2. Subdivide the target device into two partitions:
   • small boot partition (~200MB are more than enough)
   • unformatted partition (remaining space)
3. Encrypt the unformatted partition, unlock it afterwards.
4. Creation of a LVM group on the unformatted, unlocked crypto partition, containing the root, home and swap partition.
5. Start of the graphical Ubuntu installation wizard, telling it to use the root, home and swap partition within the encrypted LVM group plus the small, unencrypted partition as /boot.
6. Do not reboot directly after the installation wizard finished its work. Change into the freshly installed system with chroot instead. This is needed to install the required software (LVM, LUKS/cryptsetup) on it (you won't be able to boot it otherwise).
7. Reboot.

If it's all Greek to you, don't be scared. It is no rocket science.

• A Ubuntu installation CD (not the Alternate-CD) to be able to start a live session: download
• Working Internet connection. You have to install some additional software packages during the live session (for which Internet connection is necessary). It is probably most convenient to connect your system to a Internet router or something similar to prevent needless configuration at the live session. If your network card does not work out-of-the-box, you may want to temporarily install a cheap Realtek NIC or something like that.

readm3.org provides a crypt-setup bash script, making the system installation faster and easier. The scripts prompts the user to enter the needed data (target device, partition sizes, key length etc.) and processes the installation as described at ”Manual installation” afterwards. This saves much typing and prevents errors. Using the script, a full disk encryption setup should only take a few minutes longer than a default installation.

Boot from the installation CD and start a live session (not the installer). The fitting menu item should be “Try Ubuntu” or something similar (the notation may vary a little bit, depending on the Ubuntu version and when/if a key was pressed). Please choose the language you are going to use on the installed system right from the start. This prevents problems regarding the keyboard layout and the password setup.¹⁾

Open a terminal and run the following commands to download and start the script (copy and paste recommended):

wget "http://readm3.org/_export/code/os/ubuntu/full-disk-encryption-lvm-luks.sh?codeblock=1" -O "/tmp/full-disk-encryption-lvm-luks.sh"
chmod a+rx "/tmp/full-disk-encryption-lvm-luks.sh"
sudo "/tmp/full-disk-encryption-lvm-luks.sh"

Boot from the installation CD and start a live session (not the installer). The fitting menu item should be “Try Ubuntu” or something similar (the notation may vary a little bit, depending on the Ubuntu version and when/if a key was pressed). Please choose the language you are going to use on the installed system right from the start. This prevents problems regarding the keyboard layout and the password setup.²⁾

Because the full disk encryption will be prepared by using a live session (which brings no more than what is absolutely necessary), you have to install some additional packages plus their dependencies for the running session (lvm2 and cryptsetup). Open a terminal and execute the following command:

sudo apt-get install lvm2 cryptsetup

You can't reboot for understandable reasons (→live session, your changes would be gone after a reboot). This is why you have to load a needed kernel module manually (provided by the packages you installed) using the termimal:

sudo modprobe dm-crypt

Now the current live session does provide everything you need to install the encrypted system.

You have to subdivide the target hard disk into two partitions. This will be done with GParted (which is already available). Start it via terminal (→ gksudo gparted) or by clicking “System→Administration→GParted”

The following partitions are needed:

• dev/sdX1, ext3, 200MB at the beginning
  You can use up to 17 chars for the description. I chose “boot (no crypt)”.
• dev/sdX2, unformatted, at least 8GB (the root, home and swap partitions need to find room).
  You can use up to 17 chars for the description. I chose “sys (lvm,crypt)”. Normally, you should simply use all remaining space (how it was done in the following).

You can close GParted after all operations were applied (→ green check mark).

sudo shred -vn 1 /dev/sdX1
sudo shred -vn 1 /dev/sdX2

The partition sdX2 will be prepared to act as crypto device by using the cryptsetup luksFormat command. This is also the moment to decide which encryption algorithm, chaining mode and initialization vector should be used. aes-xts-plain is recommended because it brings protection against so called “watermarking” and other known attacks plus encrypts your data securely by using AES:

sudo cryptsetup --cipher aes-xts-plain --key-size 512 --verify-passphrase luksFormat /dev/sdX2
[define the password. Attention: there will be no feedback like * or something similar]

After formatting, the crypto device needs a name and has to be unlocked to make it possible for the installer to access it. The device is accessible via /dev/mapper/<chosen name> if everything works. I chose the name lvm_crypt:³⁾

sudo cryptsetup luksOpen /dev/sdX2 lvm_crypt

The Logical Volume Manager (LVM) won't be used to connect multiple drives here. It is used to prevent the management of different keys respectively the need to type multiple passwords when booting the system. Because /home gets its own partition and swap is also encrypted, you normally would have to type a separate password for each partition. To bypass this annoyance, a LVM volume incl. LVM volume group will be generated within the opened crypto partition you created earlier by using the cryptsetup command. pvcreate is used to initialize the LVM volume, vgcreate creates the LVM volume group within the LVM volume:

sudo pvcreate /dev/mapper/lvm_crypt
sudo vgcreate ubuntu /dev/mapper/lvm_crypt

Now you are able to create the needed partitions within the LVM volume respectively the LVM volume group ubuntu. Swap should be ~1.3 times greater as your installed RAM (at least if you want a solid suspend-to-disk (S4)/hibernation). If space is rare (e.g. when using a SSD), you certainly want to use less. But opinions about a sane swap size differ as much as the ones about the size of the root partition. This is why you should look at the following values as an example (but they can be adopted without any problems). The PC I used to write this article got 4GB RAM (→ multiplied by 1.3 = 5200MB swap) and I created a 25GB root partition:

sudo lvcreate -L 5200M -n swap ubuntu
sudo lvcreate -L 25000M -n root ubuntu
sudo lvcreate -l 100%FREE -n home ubuntu 

If you need additional/other partitions, you can create them by using the same schema. If you have problems with the syntax, man lvcreate may be helpful.

You should format the created partitions to prevent problems with some versions of the graphical Ubuntu-installer ubiquity (during the graphical installation of the real system, the partitions will be formatted again. So don't worry if you want to choose another file system than EXT4: you can choose it there):

sudo mkswap /dev/mapper/ubuntu-swap
sudo mkfs.ext4 /dev/mapper/ubuntu-root
sudo mkfs.ext4 /dev/mapper/ubuntu-home

The needed preparations of the encrypted device are finished now. All needed partitions are existing and the installation of the real system can begin.

Start the graphical Ubuntu installation wizard by clicking the “Install Ubuntu <version>” icon on the desktop:

After choosing language, time zone etc. you have to choose “specify partitions manually” at the “Prepare disk space” window (the notation may vary a little bit, depending on the used Ubuntu version). There you have to assign the partitions you created before:⁴⁾

• /dev/sdX1
  • Boot partition
  • File system (“use as”): ext3 journaling file system (no ext4 to prevent compatibility issues)
  • Format the partition: yes
  • Mount point: /boot
• /dev/mapper/ubuntu-root
  • Root partition
  • File system (“use as”): ext4 journaling file system (or your own option)
  • Format the partition: yes
  • Mount point: /
• /dev/mapper/ubuntu-home
  • Home partition
  • File system (“use as”): ext4 journaling file system (or your own option)
  • Format the partition: yes
  • Mount point: /home

Complete the setup by following the instructions of the installation wizard. You may activate the “Log in automatically” option (without bad conscience) to prevent the need for typing an additional password before logging in. The encryption password should be enough in single-user environments. Do NOT reboot the system after the installer finished. There is still some work to do.

If you would reboot your system now, the installed system couldn't boot. It still needs the software to access the encrypted drive and has to prompt the user for the password. Therefore we use chroot to change into the freshly installed system to install the needed packages lvm2 und cryptsetup (Attention: all following commands have to be executed within the same terminal window. And don't forget to replace sdX1 with your own partition, e.g. sda1):

sudo mount /dev/mapper/ubuntu-root /mnt
sudo mount /dev/sdX1 /mnt/boot
sudo mount -o bind /dev /mnt/dev
sudo mount -t proc proc /mnt/proc
sudo mount -t sysfs sys /mnt/sys
sudo cp /etc/resolv.conf /mnt/etc/resolv.conf
sudo chroot /mnt /bin/bash
apt-get install cryptsetup lvm2

Now, you are almost done. Ubuntu was installed into a LVM group on a crypted drive and has the software necessary to decrypt the data. In order to ask the drive to decipher automatically when booting the system, you have to write a fitting UUID entry for the /dev/sdX2 partition into the /etc/crypttab file. The following command detects the UUID and writes the needed line into /etc/crypttab (don't forget to replace sdX2 with your own partition, e.g. sda2):

echo "lvm_crypt UUID=$(ls -la /dev/disk/by-uuid | grep $(basename /dev/sdX2) | cut -d ' ' -f 9) none luks" >> /etc/crypttab

The system has to inherit the /etc/crypttab changes now (you can ignore “cryptsetup: WARNING: invalid line in /etc/crypttab” and “Cannot find /lib/modules/[…]-generic” warnings):

update-initramfs -u -k all 

Done . You should be asked for the password when booting the system. Work with your securely encrypted system as usual. Simply close the chroot environment and reboot your computer:

exit
sudo reboot

LUKS is able to manage up to eight passwords at the same time. Each password will be stored in a so-called slot (0-7). The currently used slots of the encrypted partition can be printed out by using luksDump (don't forget to replace sdX2 with your own partition, e.g. sda2):

sudo cryptsetup luksDump /dev/sdX2

[...example output follows...]
Key Slot 0: ENABLED
	Iterations:         	xxxxxx
	Salt:               	[...]
	                      	[...]
	Key material offset:	8
	AF stripes:            	4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

To add a new password, use luksAddKey:

sudo cryptsetup luksAddKey /dev/sdX2

To remove an existing password, use luksRemoveKey:

sudo cryptsetup luksRemoveKey /dev/sdX2

Enrcypt a system

• Artikel im Linux Magazin 2005/08: Geheime Niederschrift - Festplattenverschlüsselung mit DM-Crypt und Cryptsetup-LUKS: Technik und Anwendung
• Debuntu: How-To: encrypted partitions over LVM with LUKS
• System verschlüsseln
• Daten verschlüsseln
• Logical Volume Manager (LVM)
• Linux Unified Key Setup (LUKS)

Other

• Disk encryption theory
• Block cipher modes of operation
• Initialization vector
• Advanced Encryption Standard (AES)
• Universally Unique Identifier (UUID)
• Pre-boot authentication
• Was bringt EXT4?