
Kubuntu Install on Encrypted LVM Partition

Mike Lippert edited this page Nov 14, 2024 · 17 revisions


Caution

The new 24.04 Ubuntu/Kubuntu installer DOES NOT SUPPORT installing to an existing encrypted LVM partition, I'm not sure it even supports installing to any existing LVM partition!

When I tried it, I explicitly specified mounting the existing ESP partition on /boot/efi, a new non-LVM partition on /boot, and a new LV on an encrypted partition on / (which I had made accessible via cryptsetup in the live OS before running the installer). The install failed with an error, and booting was broken, requiring me to fix it by mounting my existing partitions under /mnt, chroot'ing as specified below, and running grub-install and update-grub.

An Ubuntu Launchpad bug, 2065236, was filed about this. I found the link in this askubuntu question/answers. There is also a discussion in this Ubuntu Forums thread.

The install error I got was:

The bootloader could not be installed. The installation command `grub-mkconfig -o /boot/grub/grub.cfg` returned error code 1.

Note

This askubuntu answer helped guide much of the instructions on this page. The author b_laoshi has said he has a more comprehensive write-up on his blog.

Summary

My goal in setting up a new initial install is to set up the partitions similar to how the Ubuntu automated install sets things up for an encrypted LVM partition install.

However, I want to be able to install a second Linux OS, probably the next LTS when it comes out, without overwriting the existing initial boot, so that I can dual boot the old and new OS installs until I'm ready to remove the old install, maybe not until the subsequent LTS is released and I can reuse the OLD partitions as the new NEW.

Personal additional partitions

userdata

I use a special userdata partition which I mount at /userdata and create many soft links from /home/[USER] to files and directories in /userdata/[USER]. This makes it easier to carry my personal data and the configuration settings that don't change from one distribution release to the next.

var

When I was using many docker images, which are stored by default under /var, and /var was on the root partition, I would occasionally run out of space there, which is a pain. I decided that putting /var on its own partition would make dealing with it (increasing its size when needed) easier than having to change the size of the root partition.

others

I do create other personal partitions, but none that need to be defined at install time.

Drive Partition Layout

  • EFI partition (to be mounted on /boot/efi on every installed distribution) (300MB). Label: ESP. Partition Label: EFI system partition
  • boot1 partition (to be mounted on /boot on a single installed distribution; use a label to know which distribution it belongs to, e.g. ku2204_boot) (1GB - 1.5GB should be enough room for 8-12 kernels)
  • boot2 partition (to be mounted on /boot on a single installed distribution; use a label to know which distribution it belongs to, e.g. ku2404_boot) (1GB - 1.5GB)
  • encrypted LUKS LVM physical partition (remainder of space on drive)
    • lv: root1 (named for example: ku2204) (40GB)
    • lv: var1 (named for example: ku2204_var) (30GB)
    • lv: userdata (named: userdata) (32GB)
    • lv: swap (named: swap) (2GB small because it really shouldn't be needed)
    • lv: root2 (named for example: ku2404) to be created before subsequent distro install
    • lv: var2 (named for example: ku2404_var) to be created before subsequent distro install

Pre-installation Partition Creation: direct and LVM (from live OS boot)

You want to set up LUKS and LVM while manually partitioning!

Boot Kubuntu from a live USB and select the option to try Kubuntu without installing.

Setup the direct drive partitions

If this is the first install, the drive must have a partition table (GPT is recommended) and the 4 partitions below (the OS staging partition is only needed for the 24.04 workaround).

Note that setting/changing the GPT partition name (AKA PARTLABEL) is done using the gdisk utility, which is not installed on Ubuntu systems by default. Also note that although I think it's helpful to set the labels, it is not necessary.

I'm not listing any commands to accomplish setting up these partitions; use the tools you're comfortable with, such as KDE Partition Manager, fdisk, gdisk or parted.

EFI partition

  • 300MB in size
  • Partition Label: EFI System Partition
  • FAT32 file system
  • Label ESP

boot1 partition

  • 1.5GB in size
  • Partition Label: Boot Partition for Kubuntu 22.04
  • ext4 file system
  • Label ku2204_boot

boot2 partition

  • 1.5GB in size
  • Partition Label: Boot Partition for Kubuntu 24.04
  • ext4 file system
  • Label ku2404_boot

OS staging partition (only for workaround install)

  • 12.05GB in size
  • Partition Label: Install staging 4 copy to encr part
  • ext4 file system
  • Label OS_staging_area

Encrypted partition

  • 1.5GB in size
  • Partition Label: Encrypted LVM Partition
  • lvm2_pv file system

Setup LUKS (encrypt lvm2_pv partition)

The default encryption options should be good; the following luksFormat command, taken from the askubuntu answer, spells out the hash, key size and cipher explicitly.

  • sudo cryptsetup --verbose luksFormat --hash=sha512 --key-size=512 --cipher=aes-xts-plain64 --verify-passphrase /dev/nvme0n1p4

Next, open the LUKS formatted partition, giving it the name in /dev/mapper it will be known by. (I like the name b_laoshi used in his answer, so I'm using it here. The 22.04 Kubuntu install named it nvme0n1p4_crypt.)

  • sudo cryptsetup --verbose luksOpen /dev/nvme0n1p4 CryptDisk
  • While not necessary, it is a good idea to fill your LUKS partition with zeros so that the partition, in an encrypted state, is filled with random data.
    sudo dd if=/dev/zero of=/dev/mapper/CryptDisk bs=4M
    BEWARE, this could take a really long time!

The encrypted partition (/dev/mapper/CryptDisk) is now ready to be given to LVM as a physical volume (pv).

Setup LVM

Create the PV, VG and LVs

Only create the LVs for the initial distro (in this example ku2404 for / and ku2404_var for /var, for a Kubuntu 24.04 install). You can create the LVs for a second distro when you're ready to install it, say in 2 years for 26.04.

  • sudo pvcreate /dev/mapper/CryptDisk
  • sudo vgcreate vgkubuntu /dev/mapper/CryptDisk
  • sudo lvcreate -L 40G -n ku2404 vgkubuntu
  • sudo lvcreate -L 30G -n ku2404_var vgkubuntu
  • sudo lvcreate -L 32G -n userdata vgkubuntu
  • sudo lvcreate -n swap -L 2G vgkubuntu

Format the LVs with the desired file systems

This could wait and be done during install if you want.

  • sudo mkfs.ext4 -L ku2404 /dev/mapper/vgkubuntu-ku2404
  • sudo mkfs.ext4 -L ku2404_var /dev/mapper/vgkubuntu-ku2404_var
  • sudo mkfs.ext4 -L userdata /dev/mapper/vgkubuntu-userdata

Copied from the askubuntu answer for reference:

  1. Partition the drive with your tool of choice: I used fdisk to set mine up on an msdos partition table as follows:

    • other partitions: existing OSs -- we don't care about these
    • sdb1: /boot (1G)
    • sdb2: LUKS partition (the rest of the disk)
  2. Setup LUKS

    • sudo cryptsetup luksFormat --hash=sha512 --key-size=512 --cipher=aes-xts-plain64 --verify-passphrase /dev/sdb2
    • sudo cryptsetup luksOpen /dev/sdb2 CryptDisk
    • While not necessary, it is a good idea to fill your LUKS partition with zeros so that the partition, in an encrypted state, is filled with random data. sudo dd if=/dev/zero of=/dev/mapper/CryptDisk bs=4M BEWARE, this could take a really long time!
  3. Setup LVM on /dev/mapper/CryptDisk

    • sudo pvcreate /dev/mapper/CryptDisk
    • sudo vgcreate vg0 /dev/mapper/CryptDisk
    • sudo lvcreate -n swap -L 2G vg0
    • sudo lvcreate -n root -L 10G vg0
    • sudo lvcreate -n home -l +100%FREE vg0

Post-install Changes BEFORE REBOOT

Setup the crypttab

The `/etc/crypttab` file describes encrypted block devices that are set up during system boot.

Mount the newly installed root on /mnt (note that /dev/mapper/vgkubuntu-ku2404 is the same device, so it could be mounted instead)

  • sudo mount /dev/vgkubuntu/ku2404 /mnt
  • Find the UUID of the encrypted partition for the crypttab entry
    • sudo blkid | grep LUKS
  • Using your favorite text editor, create the file /mnt/etc/crypttab and add the following line, changing out the UUID with the UUID of your disk.
    CryptDisk UUID=bd3b598d-88fc-476e-92bb-e4363c98f81d none luks,discard

Update the initramfs boot file and grub

Mount the other partitions for the new install

You will need to know the drive/partition names of the EFI partition and the boot partition you specified during the install. In the examples, I've used nvme0n1p1 as the EFI partition and nvme0n1p2 as the boot1 partition used for the install (a second install may have used the boot2 partition, nvme0n1p3).

  • sudo mount /dev/vgkubuntu/ku2404 /mnt
  • sudo mount /dev/nvme0n1p2 /mnt/boot
  • (Only if you're using EFI): sudo mount /dev/nvme0n1p1 /mnt/boot/efi
  • sudo mount /dev/vgkubuntu/ku2404_var /mnt/var
  • sudo mount --bind /dev /mnt/dev
  • sudo mount --bind /run/lvm /mnt/run/lvm

chroot (to rebase root to that install)

  • sudo chroot /mnt to access the installed system

From the chroot, mount a couple more things

  • mount -t proc proc /proc
  • mount -t sysfs sys /sys
  • mount -t devpts devpts /dev/pts

Rebuild the boot files for the new install with the new crypttab file

  • update-initramfs -k all -c
  • update-grub

Reboot, and the system should ask for a password to decrypt on boot!


Copied from the askubuntu answer for reference:

Post-installation configuration from live OS

This bit is really important if you want your system to boot! I spent quite a bit of time researching this to figure out these post-installation steps. In my case I was actually doing it because I wanted to customize the size of /boot on /dev/sda, but all that work should carry over to your situation as well.

  1. In a terminal, type the following and look for the UUID of /dev/sdb2. Take note of that UUID for later.

    • sudo blkid | grep LUKS
    • The important line on my machine reads
      /dev/sdb2: UUID="bd3b598d-88fc-476e-92bb-e4363c98f81d" TYPE="crypto_LUKS" PARTUUID="50d86889-02"
  2. Next let's get the newly installed system mounted again so we can make some more changes.

    • sudo mount /dev/vg0/root /mnt
    • sudo mount /dev/vg0/home /mnt/home # this is probably not necessary
    • sudo mount /dev/sdb1 /mnt/boot
    • sudo mount --bind /dev /mnt/dev # I'm not entirely sure this is necessary
    • sudo mount --bind /run/lvm /mnt/run/lvm
    • (Only if you're using EFI): sudo mount /dev/sd*/your/efi/partition /mnt/boot/efi
  3. Now run sudo chroot /mnt to access the installed system

  4. From the chroot, mount a couple more things

    • mount -t proc proc /proc
    • mount -t sysfs sys /sys
    • mount -t devpts devpts /dev/pts
  5. Setup crypttab. Using your favorite text editor, create the file /etc/crypttab and add the following line, changing out the UUID with the UUID of your disk.

    • CryptDisk UUID=bd3b598d-88fc-476e-92bb-e4363c98f81d none luks,discard
  6. Lastly, rebuild some boot files.

    • update-initramfs -k all -c
    • update-grub
  7. Reboot, and the system should ask for a password to decrypt on boot!


24.04 Installation workaround to dual boot

This works around the fact that the installer just breaks things when attempting to install onto existing encrypted LVs (even when using the live boot to decrypt the encrypted partition first and pre-defining all of the necessary LVs as described above). The installer does let you select the LVs (and the existing non-encrypted ESP plus a new partition for /boot) but then fails, breaking the existing boot.

  1. Free up enough space for a regular partition for root ('/'); I think 12GB should be enough.
    • Assuming you've got the free (unused) space in your encrypted PV, KDE Partition Manager worked great to make the PV partition smaller (I did this while it was decrypted). Then I booted the live USB and used KDE Partition Manager to move the PV partition while it was still encrypted (assuming you're a little anal like I am and want the new partitions before it).
  2. Create the 12GB partition formatted as ext4 as a temp_root install target.
  3. Install 24.04, specifying the /boot partition, the /boot/efi partition and this temp root / partition.
  4. After the install, go back to the live Kubuntu.

The idea now is to copy everything on the temp_root partition to the encrypted LV you have created for it. Something like this (from the command line in ubuntu home):

(this is assuming the existing boot is kubuntu 22.04 and the new install is Kubuntu 24.04, and the partition layout is similar to what's described above)

# Assuming the new temp root partition is /dev/nvme0n1p5, unmount it
sudo umount /dev/nvme0n1p5

# Assuming the encrypted partition is /dev/nvme0n1p4, decrypt it
sudo cryptsetup --verbose luksOpen /dev/nvme0n1p4 CryptDisk

# Block copy the new install to the encrypted LV (**triple check these device names!**)
sudo dd if=/dev/nvme0n1p5 of=/dev/mapper/vgkubuntu-ku2404 bs=4M conv=sync status=progress

# copied fs is smaller than target LV size, expand it to use the entire LV
# (resize2fs may refuse to run on an unmounted fs until it has been checked, so check it first)
sudo e2fsck -f /dev/mapper/vgkubuntu-ku2404
sudo resize2fs /dev/mapper/vgkubuntu-ku2404

# Create some mount points and mount the LVs for the new install and for the
# existing install used for reference
mkdir -p tmp/ku2404 tmp/ku2404_var tmp/ku2204
cd tmp
sudo mount /dev/vgkubuntu/ku2404 ku2404
sudo mount /dev/vgkubuntu/ku2404_var ku2404_var
sudo mount /dev/vgkubuntu/ku2204 ku2204

# Move the contents of the new installed /var to the partition created for it
sudo rsync -av ku2404/var/ ku2404_var/
sudo rm -r ku2404/var
sudo mkdir ku2404/var
sudo umount ku2404_var
sudo mount /dev/vgkubuntu/ku2404_var ku2404/var

# Edit the new install's /etc/fstab to specify the correct root, /boot, /boot/efi, /var to mount
# comparing to the old (ku2204) install's fstab may help
sudo vim ku2204/etc/fstab ku2404/etc/fstab
# I also had some additional users I wanted to copy over so I took this time to edit ku2404/etc/passwd and ku2404/etc/group

# Copy the /etc/crypttab from the existing ku2204 to the new ku2404
sudo cp ku2204/etc/crypttab ku2404/etc/crypttab

# Change the name of the decrypted device to match what you named it here 'CryptDisk' or
# open it with the same name the ku2204 boot uses.
sudo vim ku2404/etc/crypttab

# We want to enable the 'os-prober' despite the potential security risk
# uncomment or add 'GRUB_DISABLE_OS_PROBER=false' in /etc/default/grub
sudo vim ku2404/etc/default/grub

# Now fix grub and the initramfs of the new boot
# Use the instructions above to mount all the necessary things under ku2404:
# boot, boot/efi, var (already done), dev, run/lvm (you may have to create the run/lvm mount point first)
# chroot to ku2404
# mount proc sys and dev/pts
update-initramfs -k all -c
update-grub
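As an added example (not from this wiki page or the askubuntu answer), the shell below derives the crypttab line from `sudo blkid` output, as in the "Setup the crypttab" section, and checks that the fstab edited in the workaround above has entries for /, /boot, /boot/efi and /var. The blkid output, fstab text and the non-LUKS UUIDs are constructed samples; the LUKS UUID is the one the page reuses.

```shell
#!/bin/sh
# Added example, not from the wiki page: derive the /etc/crypttab line from
# `sudo blkid` output and check the new install's /etc/fstab for the mount
# points this layout needs. Sample blkid output and fstab are constructed;
# the LUKS UUID is the one the page reuses from the askubuntu answer.

# Constructed `sudo blkid` output following the page's nvme0n1 layout.
BLKID_SAMPLE='/dev/nvme0n1p1: LABEL="ESP" UUID="1234-ABCD" TYPE="vfat" PARTLABEL="EFI System Partition"
/dev/nvme0n1p2: LABEL="ku2204_boot" UUID="11111111-2222-3333-4444-555555555555" TYPE="ext4"
/dev/nvme0n1p4: UUID="bd3b598d-88fc-476e-92bb-e4363c98f81d" TYPE="crypto_LUKS" PARTLABEL="Encrypted LVM Partition"
/dev/mapper/vgkubuntu-ku2404: LABEL="ku2404" UUID="66666666-7777-8888-9999-aaaaaaaaaaaa" TYPE="ext4"'

# Constructed fstab for the ku2404 install after the block copy and edit.
FSTAB_SAMPLE='# /etc/fstab: static file system information (constructed sample)
/dev/mapper/vgkubuntu-ku2404      /          ext4  errors=remount-ro  0  1
UUID=11111111-2222-3333-4444-555555555555  /boot  ext4  defaults  0  2
UUID=1234-ABCD                    /boot/efi  vfat  umask=0077         0  1
/dev/mapper/vgkubuntu-ku2404_var  /var       ext4  defaults           0  2
/dev/mapper/vgkubuntu-swap        none       swap  sw                 0  0'

# crypttab_line NAME BLKID_OUTPUT
# Prints "NAME UUID=<luks-uuid> none luks,discard" (the form used on this page).
# Fails unless exactly one crypto_LUKS device is listed, so a wrong or
# ambiguous UUID never ends up in crypttab.
crypttab_line() {
    name=$1
    uuids=$(printf '%s\n' "$2" | awk '/TYPE="crypto_LUKS"/ {
        if (match($0, /UUID="[^"]+"/)) print substr($0, RSTART + 6, RLENGTH - 7) }')
    [ "$(printf '%s\n' "$uuids" | grep -c .)" -eq 1 ] || return 1
    printf '%s UUID=%s none luks,discard\n' "$name" "$uuids"
}

# fstab_check FSTAB_TEXT MOUNTPOINT...
# Prints each required mount point that has no non-comment fstab entry and
# returns non-zero if any is missing; run it before the chroot/update-grub step.
fstab_check() {
    fstab=$1; shift; rc=0
    for mp in "$@"; do
        printf '%s\n' "$fstab" | awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { found = 1 }
            END { exit !found }' || { echo "missing fstab entry for $mp"; rc=1; }
    done
    return $rc
}

# Usage, mirroring the manual steps on the page:
crypttab_line CryptDisk "$BLKID_SAMPLE"
fstab_check "$FSTAB_SAMPLE" / /boot /boot/efi /var && echo "fstab has all required mount points"
```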