Martin Paul Eve bio photo

Martin Paul Eve

Professor of Literature, Technology and Publishing at Birkbeck, University of London

Email Books Twitter Github Stackoverflow MLA CORE Institutional Repo ORCID ID  ORCID iD Wikipedia Pictures for Re-Use

The Ubuntu guided installer is great, in some ways. It offers you the opportunity to use full-disk encryption which certainly made my day a lot better when I had my laptop stolen. That said, it's slightly problematic: I very much like to separate out my partitions: I want my /home/ mount to be on a different partition than the root filesystem for the obvious reason that it facilitates re-installs.

However, even if you have the same passphrase set on each of the partitions, the boot-time cryptsetup system will ask you for multiple passphrases. The way around this is to setup the following system. LUKS allows a file to act as a key that will automatically unlock a device. If we store this key on a LUKS encrypted partition, we can simply unlock that first partition and the key can then be used to unlock other partitions.

The way that I achieved this was to follow a modified version of Mark Loiseau's excellent guide on encrypting using aes-xts-plain64. I'm going to replicate parts of this here in case his site goes down. Please note that I disclaim any responsibility if this messes up your system. You need a good level of tech competence to do this and I cannot be responsible for any errors in what's pasted below. I have, however, set this up successfully on my system.

Step 1

This guide assumes the following:
/dev/sda1 is your boot partition
/dev/sda2 is your swap partition
/dev/sda3 is your root partition
/dev/sda4 is your home partition

Download yourself an Ubuntu Desktop image and boot into the live environment. Use Gparted to setup the basic sizes of the partitions that you want. From there, drop to a root terminal (sudo -i) and then:

apt-get install lvm2

cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 /dev/sda3
cryptsetup luksOpen /dev/sda3/ crypt
mkfs.ext4 /dev/mapper/crypt
cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 /dev/sda4
cryptsetup luksOpen /dev/sda4/ crypthome
mkfs.ext4 /dev/mapper/crypthome
mkswap /dev/sda2

This install lvm2 onto your system, creates encrypted filesystems on /dev/sda3 and /dev/sda4 and calls them "crypt" and "crypthome" respectively and then finally sets up /dev/sda2 as a swap partition.

Step 2

Install Ubuntu onto these filesystems using the "Install Ubuntu" option on the live image. When you get to the partitioner stage, do it manually and specify the correct mountpoints:

/dev/mapper/crypt (as root)
/dev/mapper/crypthome (as /home)
/dev/sda2 (as swap)
/dev/sda1 (as boot)


Step 3

Inside your root terminal in the live image:

cd /mnt
mkdir root
mount /dev/mapper/crypt root
mount /dev/sda1 root/boot

sudo chroot root
mount -t proc proc /proc
mount -t sysfs sys /sys
mount -t devpts devpts /dev/pts

Now you have a chrooted environment for your new install. Now open a second root terminal and run this in the terminal outside the chroot (this allows internet access to your chrooted install):

cp /etc/resolv.conf /mnt/root/etc/resolv.conf

Now, inside your first terminal (the chroot) run the following to ensure all necessary components are installed:

apt-get update
apt-get install lvm2 cryptsetup

Step 4

We now need to generate the keyfile. In your second terminal (outside the chroot), run:

sudo dd if=/dev/urandom of=/mnt/root/root/keyfile bs=1024 count=4
sudo chmod 0400 /mnt/root/root/keyfile
sudo cryptsetup luksAddKey /dev/sda4 /mnt/root/root/keyfile

This generates a keyfile consisting of random characters and adds it to the home partition as an allowed unlock method.

Step 5

The penultimate step is to wire this all together in /etc/fstab and /etc/crypttab. First of all, ascertain the ids of the devices by running "sudo blkid" outside of the chroot. Note down the UUIDs for all the relevant partitions.

Now, inside the chrooted shell edit /etc/fstab ("sudo nano /etc/fstab") and you should end up with something like this:

# /etc/fstab: static file system information.
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
/dev/mapper/crypt /               ext4    errors=remount-ro 0       1
# /boot was on /dev/sda1 during installation
UUID=e4ef3f23-cd60-4d84-a8d2-b6004a26d055 /boot           ext4    defaults        0       2
/dev/mapper/crypthome /home           ext4    defaults        0       2
# swap was on /dev/sda2 during installation
UUID=cbab5539-3754-4f95-b90f-cf75d2094267 none            swap    sw              0       0

Then edit crypttab ("sudo nano /etc/crypttab"):

crypt UUID=82abbfdb-0ac4-4e57-af7e-031e05bffef9 none luks
crypthome UUID=d125fa61-bb52-406c-a7b6-048f0ac68456 /root/keyfile luks

Obviously, in each case change the UUIDS to the appropriate values (of the block device, not the mapper).

Step 6

There are further steps to encrypt your swap, should you so wish, but I'm not going to cover those here. The only thing you need to do now is to run this inside your chrooted shell:

sudo update-initramfs -u

and reboot.