Full disk encryption of Ubuntu for certain partitions at install time
Xen
list at xenhideout.nl
Sat Aug 5 17:48:49 UTC 2017
Sreyan Chakravarty wrote on 05-08-2017 18:02:
> I have two unencrypted partitions containing Windows 10. Now I want to
> install Ubuntu 16.04 into the remaining free space that I have, with
> full disk encryption, i.e. encrypted root, encrypted swap, and encrypted
> home.
Normally you would create an encrypted LVM partition, that is to say one
regular partition, encrypted with LUKS, then LVM (PV) in the opened
device, and in the LVM your root, boot and swap. Which is what I would do
anyway, but I guess it depends.
To get that bootable, GRUB obviously needs to be in your MBR, usually?
GRUB is capable of unlocking LUKS, but that means you have to enter the
password in the (minimal) (or I would say, ugly) GRUB prompt.
At that point your /boot partition will be read and used for providing
the menu and booting your system. At that point it needs access to a
file to unlock this entire LVM partition because GRUB cannot pass it on
to the initrd, I think.
That means that in Ubuntu you need to have a /etc/crypttab that contains
a keyscript which is /bin/cat, or (I am not sure about this) directly a
keyfile; in both cases there needs to be a keyfile that your initrd can
access, which means it is a keyfile that has to be copied to your
initrd.
Typically for me this has been manually set up.
Steps would have been:
1) GRUB_CRYPTODISK=y in /etc/default/grub
2) a file in /etc/initramfs-tools/hooks/ with a line like
"cp /root/keyfile ${DESTDIR}"
3) a /etc/crypttab with the line keyscript=/bin/cat and the required
file mentioned in the previous column.
4) you have to manually add this file (can be a random file from
/dev/urandom) to your LUKS container using
"cryptsetup luksAddKey /dev/sda5 /root/keyfile"
At that point your container has both a password and a keyfile that can
open it.
5) You need to regenerate your initramfs by now (update-initramfs -u).
6) /bin/cat also needs to be copied; like I said, I am not sure this is
even necessary, but I haven't tried without. Either it happens
automatically or you need another line in the hook script, but I think
it happens automatically.
This is basically what is necessary.
If this is not what you want then it gets more complicated.
You are going to depend on systemd opening multiple containers. Systemd
has no support for keyscripts but, like I said, it might not be necessary.
You don't want to enter your password three times, so you would have to
do the same keyfile trick in a sense. You would have 3 containers with
all the same keyfile.
Then a regular crypttab file should be capable of opening those,
provided the key is mentioned in the crypttab.
Grub will open your boot device for itself, but the initrd will open the
root device and will also need to open the swap possibly, so I might be
a bit wrong there.
In any case to make it work with Grub, the keyfile needs to be in the
initrd, after which the initrd unlocks more stuff (most notably the root
device).
Sorry for the messy message; I just haven't tried without a keyscript
myself.
Regards.
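The keyfile hook from step 2 and the crypttab line from step 3, as an added example that is not part of the post above or of Ubuntu's own initramfs-tools: the hook body runs against a scratch DESTDIR, and a check confirms that a keyscript=/bin/cat entry names the path the hook actually created. The host keyfile path, the target name sda5_crypt and the 0400 mode are assumptions.

```shell
#!/bin/sh
# Added example, not from the post or from initramfs-tools itself.
# It runs the body of a step-2 hook against a scratch DESTDIR and then
# checks that a step-3 /etc/crypttab line names the path the hook created.
# Assumed names: the host keyfile path, target "sda5_crypt", mode 0400.
set -eu

# What an /etc/initramfs-tools/hooks/ script does when mkinitramfs runs it
# with DESTDIR set: copy the LUKS keyfile into the initrd root so that
# "/bin/cat /keyfile" can feed it to cryptsetup at boot. The mode is
# tightened because the initrd is now a plaintext copy of the key.
install_keyfile_hook() {   # $1 = host keyfile, $2 = DESTDIR
    key="$1"; destdir="$2"
    [ -s "$key" ] || { echo "keyfile $key missing or empty" >&2; return 1; }
    mkdir -p "$destdir"
    cp "$key" "$destdir/keyfile"
    chmod 0400 "$destdir/keyfile"
}

# Returns 0 when every crypttab entry with keyscript=/bin/cat refers to a
# key path that exists inside the initrd tree; reports each mismatch.
# Columns: target source keyfile options (blank lines and # comments skipped).
check_crypttab_against_initrd() {   # $1 = crypttab file, $2 = DESTDIR
    rc=0
    while read -r target source keypath options; do
        case "$target" in ''|\#*) continue ;; esac
        case ",$options," in
            *,keyscript=/bin/cat,*)
                if [ ! -f "$2$keypath" ]; then
                    echo "$target: $keypath is not in the initrd tree" >&2
                    rc=1
                fi ;;
        esac
    done < "$1"
    return "$rc"
}

# Demo on a scratch tree with a constructed key (stands in for /root/keyfile).
demo() {
    tmp=$(mktemp -d)
    head -c 64 /dev/urandom > "$tmp/keyfile"
    install_keyfile_hook "$tmp/keyfile" "$tmp/initrd"
    echo 'sda5_crypt /dev/sda5 /keyfile luks,keyscript=/bin/cat' > "$tmp/crypttab"
    check_crypttab_against_initrd "$tmp/crypttab" "$tmp/initrd" &&
        echo "crypttab entry and initrd agree"
    rm -rf "$tmp"
}
demo
```

Entries that do not use keyscript=/bin/cat (for example a swap line keyed from /dev/urandom) are left alone by the check, since their key never has to live in the initrd.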