Full disk encryption of Ubuntu for certain partitions at install time

Sreyan Chakravarty sreyan.mailing at gmail.com
Mon Aug 7 17:14:11 UTC 2017


Just tell me something: I place grubx64.efi on my EFI System Partition and I
keep all my grub configuration files in the /boot directory, right?

On Sat, Aug 5, 2017 at 11:18 PM, Xen <list at xenhideout.nl> wrote:

> Sreyan Chakravarty wrote on 05-08-2017 18:02:
>
>> I have two unencrypted partitions containing Windows 10. Now I want to
>> install Ubuntu 16.04 into the remaining free space that I have, with full
>> disk encryption, i.e. encrypted root, encrypted swap, and encrypted home.
>>
>
> Normally you would create an encrypted LVM partition, that is to say one
> regular partition, encrypted with LUKS, then LVM (PV) in the opened device,
> in the LVM your root, boot and swap. Which is what I would do anyway, but I
> guess it depends.
>
> To get that bootable the Grub obviously needs to be in your MBR usually?
>
> Grub is capable of unlocking LUKS but that means you have to enter the
> password in the (minimal) (or I would say, ugly) GRUB prompt.
>
> At that point your /boot partition will be read and used for providing the
> menu and booting your system. At that point it needs access to a file to
> unlock this entire LVM partition because GRUB cannot pass it on to the
> initrd, I think.
>
> That means that in Ubuntu you need to have a /etc/crypttab that contains a
> keyscript which is /bin/cat, or (I am not sure about this) directly a
> keyfile; in both cases there needs to be a keyfile that your initrd can
> access, which means it is a keyfile that has to be copied to your initrd.
>
> Typically for me this has been manually set up.
>
> Steps would have been:
>
> 1) GRUB_CRYPTODISK=y in /etc/default/grub
> 2) a file in /etc/initramfs-tools/hooks/ with a line like "cp
> /root/keyfile ${DESTDIR}"
> 3) a /etc/crypttab with the line keyscript=/bin/cat and the required file
> mentioned in the previous column.
>
> 4) you have to manually add this file (can be a random file from
> /dev/urandom) to your LUKS container using "cryptsetup luksAddKey /dev/sda5
> /root/keyfile"
>
> At that point your container has both a password and a keyfile that can
> open it.
>
> 5) You need to regenerate your initramfs by now (update-initramfs -u).
>
> 6) /bin/cat also needs to be copied, like I said, I am not sure this is
> even necessary but haven't tried without. Either it happens automatically
> or you need another line in the hook script, but I think it happens
> automatically.
>
> This is basically what is necessary.
>
> If this is not what you want then it gets more complicated.
>
> You are going to depend on systemd opening multiple containers. Systemd
> has no support for keyscripts but like I said, might not be necessary.
>
> You don't want to enter your password three times, so you would have to do
> the same keyfile trick in a sense. You would have 3 containers with all the
> same keyfile.
>
> Then a regular crypttab file should be capable of opening those.
>
> Provided the key is mentioned in the crypttab.
>
> Grub will open your boot device for itself, but the initrd will open the
> root device and will also need to open the swap possibly, so I might be a
> bit wrong there.
>
> In any case to make it work with Grub, the keyfile needs to be in the
> initrd, after which the initrd unlocks more stuff (most notably the root
> device).
>
> Sorry for the messy message; I just haven't tried without a keyscript
> myself.
>
> Regards.
>
> --
> ubuntu-users mailing list
> ubuntu-users at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
>
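The pieces of the keyfile setup listed in the quoted message (the initramfs-tools hook that copies the keyfile, the crypttab line with keyscript=/bin/cat, and a permission check on the keyfile before it is added with luksAddKey), staged into a scratch directory for review. This is an added example, not code from the thread or from Ubuntu; the mapping name "cryptlvm", the UUID placeholder and the keyfile path /root/keyfile are assumptions.

```shell
#!/bin/sh
# Added example: stage the hook, crypttab line and keyfile check from the
# thread's steps 2, 3 and 4 so they can be reviewed before being copied to /.
# Hypothetical values: mapped name "cryptlvm", UUID placeholder "LUKS-UUID",
# keyfile /root/keyfile. The hook itself runs inside update-initramfs, where
# initramfs-tools sets DESTDIR to the initrd staging tree.
set -eu

# Write the initramfs-tools hook that copies the keyfile (and /bin/cat, the
# keyscript the initrd will run) into the initrd. The keyfile is only as safe
# as the initrd that carries it, so /boot has to be on the encrypted volume.
write_keyfile_hook() {
    out="$1"                      # path of the hook file to create
    keyfile="${2:-/root/keyfile}" # keyfile on the installed system
    cat > "$out" <<EOF
#!/bin/sh
# initramfs-tools hook: copy the LUKS keyfile into the initrd
PREREQ=""
prereqs() { echo "\$PREREQ"; }
case "\$1" in prereqs) prereqs; exit 0;; esac
. /usr/share/initramfs-tools/hook-functions
mkdir -p "\${DESTDIR}/root"
cp "$keyfile" "\${DESTDIR}/root/keyfile"
chmod 0600 "\${DESTDIR}/root/keyfile"
copy_exec /bin/cat /bin
EOF
    chmod 0755 "$out"
}

# crypttab line: <name> <source> <key> <options>. With keyscript=/bin/cat the
# key field is the path of the file the hook copied, and cat just prints it.
crypttab_line() {
    printf '%s UUID=%s /root/keyfile luks,keyscript=/bin/cat\n' "$1" "$2"
}

# Check the keyfile before feeding it to "cryptsetup luksAddKey": it must be
# non-empty and readable by root only (mode 600), otherwise any local user
# could read the volume key material straight from the file.
keyfile_ok() {
    f="$1"
    [ -s "$f" ] || return 1
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    [ "$mode" = "600" ]
}
```

Generate the keyfile with something like `head -c 64 /dev/urandom > /root/keyfile` and `chmod 600` it before running keyfile_ok; the mode check fails deliberately on a world-readable file.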