Kubuntu Install on Encrypted LVM Partition
Caution
The new 24.04 Ubuntu/Kubuntu installer DOES NOT SUPPORT installing to an existing encrypted LVM partition; I'm not sure it even supports installing to any existing LVM partition!
When I tried it, explicitly specifying mounting the existing ESP partition to /boot/efi, a new non-LVM partition to /boot and a new LV on an encrypted partition to / (which I had made accessible via cryptsetup in the live OS before running the installer), the install failed with an error and booting was broken, requiring me to fix it by mounting my existing partitions in /mnt, chroot'ing as specified below, and running grub-install and update-grub.
An Ubuntu launchpad bug was filed about this 2065236. I found the link in this askubuntu question/answers. Also there's a discussion in this ubuntu forums thread.
The install error I got was:
The bootloader could not be installed. The installation command `grub-mkconfig -o /boot/grub/grub.cfg` returned error code 1.
Note
This askubuntu answer helped guide much of the instructions on this page. The author b_laoshi has said he has a more comprehensive write-up on his blog.
My goal in setting up a new initial install is to set up the partitions similar to how the Ubuntu automated install sets things up for an encrypted LVM partition install.
However, I want to be able to install a 2nd linux OS, probably the next LTS when it comes out, without overwriting the existing initial boot, so that I can dual boot the old and new OS install until the time I'm ready to remove the old install, maybe not until the subsequent LTS is released and I can use the OLD partitions as the new NEW.
I use a special userdata partition which I map to /userdata and create many soft links from /home/[USER] to files and directories in /userdata/[USER]. This makes it easier to move my personal data and configuration settings that don't change from one distribution release to another.
When I was using many docker images, they were stored by default in /var. When /var was on the root partition, I would occasionally run out of space there, which is a pain. I decided that putting /var in its own partition would make dealing with it (increasing its size when needed) easier than having to change the size of the root partition.
I do create other personal partitions, but none that need to be defined at install time.
- EFI partition (to be mounted on /boot/efi on every installed distribution) (300MB). Label: ESP. Partition Label: EFI system partition
- boot1 partition (to be mounted on /boot on a single installed distribution; use a label to know which distribution it belongs to, e.g. ku2204_boot) (1GB - 1.5GB s/b enough room for 8-12 kernels)
- boot2 partition (to be mounted on /boot on a single installed distribution; use a label to know which distribution it belongs to, e.g. ku2404_boot) (1GB - 1.5GB)
- encrypted LUKS LVM physical partition (remainder of space on drive)
  - lv: root1 (named for example: ku2204) (40GB)
  - lv: var1 (named for example: ku2204_var) (30GB)
  - lv: userdata (named: userdata) (32GB)
  - lv: swap (named: swap) (2GB, small because it really shouldn't be needed)
  - lv: root2 (named for example: ku2404) to be created before subsequent distro install
  - lv: var2 (named for example: ku2404_var) to be created before subsequent distro install
You want to set up LUKS and LVM while manually partitioning!
Boot Kubuntu from a Live OS and select the option to try Ubuntu without installing.
If this is the 1st install the drive must have a Partition Table (GPT is recommended) and the partitions listed below (the staging partition is only needed for the 24.04 installer workaround described at the end of this page).
Note that setting/changing the GPT Partition name AKA PARTLABEL is done using the gdisk utility, which is not installed on Ubuntu systems by default. Also note that although I think it's helpful to set the labels, it is not necessary.
I'm not listing any commands to accomplish setting up these partitions; use the tools you're comfortable with, such as KDE Partition Manager, fdisk, gdisk or parted.
- 300MB in size
  - Partition Label: EFI System Partition
  - FAT32 file system, Label: ESP
- 1.5GB in size
  - Partition Label: Boot Partition for Kubuntu 22.04
  - ext4 file system, Label: ku2204_boot
- 1.5GB in size
  - Partition Label: Boot Partition for Kubuntu 24.04
  - ext4 file system, Label: ku2404_boot
- 12.05GB in size (only needed for the 24.04 installer workaround at the end of this page)
  - Partition Label: Install staging 4 copy to encr part
  - ext4 file system, Label: OS_staging_area
- remainder of space on drive
  - Partition Label: Encrypted LVM Partition
  - lvm2_pv file system (this is the partition that gets LUKS-formatted below)
The following command (taken from the askubuntu answer) spells out the cipher, key size and hash when luksFormatting the lvm2_pv partition. aes-xts-plain64 with a 512-bit key is already cryptsetup's default for LUKS, so those options only make the defaults explicit; leaving all of them out and taking cryptsetup's current defaults is fine too. luksFormat destroys everything on the partition, so double-check the device name (e.g. with lsblk) before running it.
sudo cryptsetup --verbose luksFormat --hash=sha512 --key-size=512 --cipher=aes-xts-plain64 --verify-passphrase /dev/nvme0n1p4
Next open the LUKS formatted partition, giving it the name it will be known by in /dev/mapper. (I like the name b_laoshi used in his answer, so I'm using it here. The 22.04 Kubuntu install named it nvme0n1p4_crypt.)
sudo cryptsetup --verbose luksOpen /dev/nvme0n1p4 CryptDisk
- While not necessary, it is a good idea to fill your LUKS partition with zeros through the mapper device. The zeros are encrypted on the way to disk, so the raw partition ends up filled with random-looking data and an attacker cannot tell how much of it is in use. (Note that the discard option used in /etc/crypttab further down passes TRIM through to an SSD, which marks unused blocks and partly undoes this.)
sudo dd if=/dev/zero of=/dev/mapper/CryptDisk bs=4M
BEWARE, this could take a really long time!
The encrypted partition (/dev/mapper/CryptDisk) is now ready to be given to LVM as a physical volume (pv).
Only create the LVs for the initial distro (in this example ku2404 for /, and ku2404_var for /var, for a Kubuntu 24.04 install). You can create the LVs for a 2nd distro when you're ready to install it, say in 2 years for 26.04.
sudo pvcreate /dev/mapper/CryptDisk
sudo vgcreate vgkubuntu /dev/mapper/CryptDisk
sudo lvcreate -L 40G -n ku2404 vgkubuntu
sudo lvcreate -L 30G -n ku2404_var vgkubuntu
sudo lvcreate -L 32G -n userdata vgkubuntu
sudo lvcreate -n swap -L 2G vgkubuntu
This could wait and be done during install if you want.
sudo mkfs.ext4 -L ku2404 /dev/mapper/vgkubuntu-ku2404
sudo mkfs.ext4 -L ku2404_var /dev/mapper/vgkubuntu-ku2404_var
sudo mkfs.ext4 -L userdata /dev/mapper/vgkubuntu-userdata
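The LUKS and LVM setup above collected into one script, as an added example (it is not code from the original page or from b_laoshi's answer). The device, mapper name (default CryptDisk), VG name (default vgkubuntu), release tag (default ku2404) and LV sizes are parameters; DRY_RUN=1 prints the commands instead of running them, and the script refuses to format a device that is mounted or already carries a filesystem or LUKS signature unless FORCE=1. Source it as root from the live OS and review the plan first, e.g. `DRY_RUN=1 setup_encrypted_lvm /dev/nvme0n1p4`.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): the LUKS + LVM setup above as one
# function. Defaults follow the page (CryptDisk, vgkubuntu, ku2404, 40G/30G/32G/2G).
# Source this file and call: setup_encrypted_lvm DEV [MAPPER] [VG] [RELEASE]
#   DRY_RUN=1  print the commands instead of executing them
#   FORCE=1    format even if DEV already carries a filesystem/LUKS signature
set -eu

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Guard against pointing luksFormat at the wrong device: it must be a block
# device, not mounted, and (unless FORCE=1) carry no existing signature.
# Skipped in dry-run mode so a plan can be reviewed without the disk present.
check_target() {
    local dev=$1
    if [ "${DRY_RUN:-0}" = "1" ]; then
        return 0
    fi
    [ -b "$dev" ] || { echo "not a block device: $dev" >&2; return 1; }
    if findmnt -rn -S "$dev" >/dev/null 2>&1; then
        echo "$dev is mounted; unmount it first" >&2; return 1
    fi
    if [ "${FORCE:-0}" != "1" ] && [ -n "$(wipefs -n "$dev" 2>/dev/null)" ]; then
        echo "$dev already has a signature; set FORCE=1 to overwrite it" >&2; return 1
    fi
}

setup_encrypted_lvm() {
    local dev=$1 map=${2:-CryptDisk} vg=${3:-vgkubuntu} rel=${4:-ku2404}
    check_target "$dev"
    # Same options as on the page; aes-xts-plain64 / 512-bit is cryptsetup's LUKS default anyway
    run cryptsetup --verbose luksFormat --hash=sha512 --key-size=512 \
        --cipher=aes-xts-plain64 --verify-passphrase "$dev"
    run cryptsetup luksOpen "$dev" "$map"
    run pvcreate "/dev/mapper/$map"
    run vgcreate "$vg" "/dev/mapper/$map"
    run lvcreate -L "${ROOT_SIZE:-40G}" -n "$rel" "$vg"
    run lvcreate -L "${VAR_SIZE:-30G}" -n "${rel}_var" "$vg"
    run lvcreate -L "${USERDATA_SIZE:-32G}" -n userdata "$vg"
    run lvcreate -L "${SWAP_SIZE:-2G}" -n swap "$vg"
    run mkfs.ext4 -L "$rel" "/dev/$vg/$rel"
    run mkfs.ext4 -L "${rel}_var" "/dev/$vg/${rel}_var"
    run mkfs.ext4 -L userdata "/dev/$vg/userdata"
    run mkswap -L swap "/dev/$vg/swap"
}

# Number of steps in the plan that overwrite data (luksFormat, mkfs, mkswap);
# useful to eyeball before running for real.
destructive_steps() {
    (DRY_RUN=1; setup_encrypted_lvm "$@") | grep -cE '^(cryptsetup --verbose luksFormat|mkfs\.ext4|mkswap) '
}
```

The zero fill and the 2nd-distro LVs are deliberately left out: the fill is optional and slow, and the page creates the later LVs only when that install is due.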
Copied from the askubuntu answer for reference:
- Partition the drive with your tool of choice: I used fdisk to set mine up on an msdos partition table as follows:
  - other partitions: existing OSs -- we don't care about these
  - sdb1: /boot (1G)
  - sdb2: LUKS partition (the rest of the disk)
- Setup LUKS
sudo cryptsetup luksFormat --hash=sha512 --key-size=512 --cipher=aes-xts-plain64 --verify-passphrase /dev/sdb2
sudo cryptsetup luksOpen /dev/sdb2 CryptDisk
- While not necessary, it is a good idea to fill your LUKS partition with zeros so that the partition, in an encrypted state, is filled with random data.
sudo dd if=/dev/zero of=/dev/mapper/CryptDisk bs=4M
BEWARE, this could take a really long time!
- Setup LVM on /dev/mapper/CryptDisk
sudo pvcreate /dev/mapper/CryptDisk
sudo vgcreate vg0 /dev/mapper/CryptDisk
sudo lvcreate -n swap -L 2G vg0
sudo lvcreate -n root -L 10G vg0
sudo lvcreate -n home -l +100%FREE vg0
The /etc/crypttab file describes encrypted block devices that are set up during system boot.
Mount the newly installed root to /mnt (note we could also mount /dev/mapper/vgkubuntu-ku2404; it's the same partition):
sudo mount /dev/vgkubuntu/ku2404 /mnt
- Find the UUID of the encrypted partition for the crypttab entry
sudo blkid | grep LUKS
- Using your favorite text editor, create the file /mnt/etc/crypttab and add the following line, changing out the UUID with the UUID of your disk. The name in the first column must match the mapper name the initramfs is expected to open (CryptDisk here); the discard option passes TRIM through to an SSD, which keeps the drive healthy but reveals which blocks are unused, so drop it if that matters more to you.
CryptDisk UUID=bd3b598d-88fc-476e-92bb-e4363c98f81d none luks,discard
You will need to know the drive/partition names of the EFI partition and the boot partition you specified during the install. In the examples I've used nvme0n1p1 as the EFI partition and nvme0n1p2 as the boot1 partition used for the install (the 2nd install may have used the boot2 partition, nvme0n1p3).
sudo mount /dev/vgkubuntu/ku2404 /mnt
sudo mount /dev/nvme0n1p2 /mnt/boot
(Only if you're using EFI):
sudo mount /dev/nvme0n1p1 /mnt/boot/efi
sudo mount /dev/vgkubuntu/ku2404_var /mnt/var
sudo mount --bind /dev /mnt/dev
sudo mkdir -p /mnt/run/lvm
sudo mount --bind /run/lvm /mnt/run/lvm
Now run sudo chroot /mnt to access the installed system.
From the chroot, mount a couple more things, then rebuild the initramfs (so it contains the crypttab entry and cryptsetup) and the grub configuration:
mount -t proc proc /proc
mount -t sysfs sys /sys
mount -t devpts devpts /dev/pts
update-initramfs -k all -c
update-grub
Reboot, and the system should ask for a password to decrypt on boot!
Copied from the askubuntu answer for reference:
Post-installation configuration from live OS
This bit is really important if you want your system to boot! I spent quite a bit of time researching this to figure out these post-installation steps. In my case I was actually doing it because I wanted to customize the size of /boot on /dev/sda, but all that work should carry over to your situation as well.
- In a terminal, type the following and look for the UUID of /dev/sdb2. Take note of that UUID for later.
sudo blkid | grep LUKS
- The important line on my machine reads
/dev/sdb2: UUID="bd3b598d-88fc-476e-92bb-e4363c98f81d" TYPE="crypto_LUKS" PARTUUID="50d86889-02"
- Next let's get the newly installed system mounted again so we can make some more changes.
sudo mount /dev/vg0/root /mnt
sudo mount /dev/vg0/home /mnt/home
# this is probably not necessary
sudo mount /dev/sdb1 /mnt/boot
sudo mount --bind /dev /mnt/dev
# I'm not entirely sure this is necessary
sudo mount --bind /run/lvm /mnt/run/lvm
- (Only if you're using EFI):
sudo mount /dev/sd*/your/efi/partition /mnt/boot/efi
- Now run sudo chroot /mnt to access the installed system
- From the chroot, mount a couple more things
mount -t proc proc /proc
mount -t sysfs sys /sys
mount -t devpts devpts /dev/pts
- Setup crypttab. Using your favorite text editor, create the file /etc/crypttab and add the following line, changing out the UUID with the UUID of your disk.
CryptDisk UUID=bd3b598d-88fc-476e-92bb-e4363c98f81d none luks,discard
- Lastly, rebuild some boot files.
update-initramfs -k all -c
update-grub
- Reboot, and the system should ask for a password to decrypt on boot!
The installer just breaks things when attempting to install on existing encrypted LVs (even when using the Live boot to decrypt the encrypted partition first and pre-defining all of the necessary LVs as defined above). The installer does let you specify to use the LVs (and the non-encrypted existing ESP and new partition for /boot) but then fails, breaking the existing boot. To work around that, install to a plain partition first and copy the result into the LV:
- Free up enough space for a regular partition for root ('/'), I think 12GB should be enough.
- Assuming you've got the free (unused) space in your encrypted pv, the KDE Partition Manager worked great to make the pv partition smaller (I did this while it was decrypted). Then I booted the live USB and used KDE Partition Manager to move the pv partition while it was still encrypted (assuming you're a little anal like I am and want the new partitions before it).
- Create the 12GB partition formatted as ext4 for a temp_root install target.
- Install 24.04 specifying the /boot partition, the /boot/efi partition and this temp root / partition.
- After install go back to the Live Kubuntu.
The idea now is to copy everything on the temp_root partition to the encrypted LV you have created for it. Something like this (from the command line in ubuntu home; this assumes the existing boot is Kubuntu 22.04, the new install is Kubuntu 24.04, and the partition layout is similar to what's described above):
# Assuming the new temp root partition is /dev/nvme0n1p5, unmount it
sudo umount /dev/nvme0n1p5
# Assuming the encrypted partition is /dev/nvme0n1p4, decrypt it
sudo cryptsetup --verbose luksOpen /dev/nvme0n1p4 CryptDisk
# Block copy the new install to the encrypted LV (**triple check these device names!**)
sudo dd if=/dev/nvme0n1p5 of=/dev/mapper/vgkubuntu-ku2404 bs=4M conv=sync status=progress
# The copied fs is smaller than the target LV. resize2fs refuses to grow a
# filesystem that has not been checked since it was last mounted, so fsck it
# first, then expand it to use the entire LV
sudo e2fsck -f /dev/mapper/vgkubuntu-ku2404
sudo resize2fs /dev/mapper/vgkubuntu-ku2404
# The block copy leaves the LV with the same filesystem UUID as /dev/nvme0n1p5.
# Give the copy a fresh UUID so root=UUID=... on the kernel command line (and
# fstab) can never resolve to the unencrypted staging partition; note the new
# UUID for the fstab edit below
sudo tune2fs -U random /dev/mapper/vgkubuntu-ku2404
sudo blkid /dev/mapper/vgkubuntu-ku2404
# Create some mount points and mount the LVs for the new install and for the
# existing install used for reference
mkdir -p tmp/ku2404 tmp/ku2404_var tmp/ku2204
cd tmp
sudo mount /dev/vgkubuntu/ku2404 ku2404
sudo mount /dev/vgkubuntu/ku2404_var ku2404_var
sudo mount /dev/vgkubuntu/ku2204 ku2204
# Move the contents of the new installed /var to the partition created for it
# (--numeric-ids keeps ownership by uid/gid rather than mapping names through the live OS)
sudo rsync -aAX --numeric-ids ku2404/var/ ku2404_var/
sudo rm -r ku2404/var
sudo mkdir ku2404/var
sudo umount ku2404_var
sudo mount /dev/vgkubuntu/ku2404_var ku2404/var
# Edit the new install's /etc/fstab to specify the correct root, /boot, /boot/efi, /var to mount
# comparing to the old (ku2204) install's fstab may help
sudo vim ku2204/etc/fstab ku2404/etc/fstab
# I also had some additional users I wanted to copy over so I took this time to edit ku2404/etc/passwd and ku2404/etc/group
# Copy the /etc/crypttab from the existing ku2204 to the new ku2404
sudo cp ku2204/etc/crypttab ku2404/etc/crypttab
# Change the name of the decrypted device to match what you named it here 'CryptDisk' or
# open it with the same name the ku2204 boot uses.
sudo vim ku2404/etc/crypttab
# We want to enable the 'os-prober' despite the potential security risk
# uncomment or add 'GRUB_DISABLE_OS_PROBER=false' in /etc/default/grub
sudo vim ku2404/etc/default/grub
# Now fix grub and the initramfs of the new boot: mount everything the chroot
# needs under ku2404 (var is already mounted). nvme0n1p3 is the ku2404_boot
# partition and nvme0n1p1 the ESP in the layout above; adjust to yours
sudo mount /dev/nvme0n1p3 ku2404/boot
sudo mount /dev/nvme0n1p1 ku2404/boot/efi
sudo mount --bind /dev ku2404/dev
sudo mkdir -p ku2404/run/lvm
sudo mount --bind /run/lvm ku2404/run/lvm
# chroot to ku2404, mount proc, sys and dev/pts, then rebuild
sudo chroot ku2404
mount -t proc proc /proc
mount -t sysfs sys /sys
mount -t devpts devpts /dev/pts
update-initramfs -k all -c
update-grub
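Two checks for the fstab and crypttab edits above (they apply equally to the crypttab section earlier on the page), as an added example that is not code from the original page or from b_laoshi's answer. rewrite_fstab_for_lv turns the fstab the installer wrote for the temp root partition into one for the LV layout; check_boot_refs verifies, against a saved `sudo blkid` dump, that every device reference in fstab and crypttab resolves to exactly one device and that the crypttab mapping name is actually open. The device names and UUIDs used in the test are constructed samples. If you keep /dev/... paths in fstab, use the /dev/mapper/VG-LV form that blkid lists.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): sanity checks for the fstab and
# crypttab edits above. Both helpers work on plain files, so they run from the
# live OS against tmp/ku2404/etc and can be tested offline with a saved
# `sudo blkid > blkid.txt` dump.
set -eu

# rewrite_fstab_for_lv FSTAB ROOT_DEV VAR_DEV
# FSTAB is what the installer wrote for the temporary root partition. Re-point
# "/" at ROOT_DEV (the LV the partition was dd'd to), drop any old /var entry
# and append one for VAR_DEV; comments and the /boot, /boot/efi and swap lines
# pass through unchanged.
rewrite_fstab_for_lv() {
    awk -v root="$2" -v var="$3" '
        /^[[:space:]]*(#|$)/ { print; next }
        $2 == "/"            { $1 = root; print; next }
        $2 == "/var"         { next }
                             { print }
        END { print var, "/var", "ext4", "defaults", "0", "2" }
    ' "$1"
}

# check_boot_refs FSTAB CRYPTTAB BLKID_DUMP
# Prints one line per problem and returns the number of problems (0 = OK):
#   - UUID=/LABEL=/PARTUUID=/PARTLABEL= reference with no device in the dump
#   - /dev/... reference that blkid does not list (LV not active, wrong name;
#     blkid lists LVs as /dev/mapper/VG-LV, so use that form or UUID=)
#   - a UUID reported on more than one device: the dd copy above leaves the
#     staging partition and the LV with the same filesystem UUID, and
#     root=UUID=... could then resolve to the unencrypted staging partition
#   - crypttab mapping name that is not open as /dev/mapper/NAME (the new
#     install must use the same name the existing boot uses)
check_boot_refs() {
    local fstab=$1 crypttab=$2 dump=$3 problems=0 ref key val name dups
    dups=$(grep -o ' UUID="[^"]*"' "$dump" | sort | uniq -d | sed 's/^ UUID="//; s/"$//')
    for ref in $(awk '!/^[[:space:]]*(#|$)/ { print $1 }' "$fstab") \
               $(awk '!/^[[:space:]]*(#|$)/ { print $2 }' "$crypttab"); do
        case $ref in
            UUID=*|LABEL=*|PARTUUID=*|PARTLABEL=*)
                key=${ref%%=*}; val=${ref#*=}
                if ! grep -q " $key=\"$val\"" "$dump"; then
                    echo "no device has $ref"; problems=$((problems + 1))
                elif [ "$key" = UUID ] && printf '%s\n' "$dups" | grep -qx "$val"; then
                    echo "$ref is on more than one device"; problems=$((problems + 1))
                fi ;;
            /dev/*)
                grep -q "^$ref:" "$dump" ||
                    { echo "$ref is not listed by blkid"; problems=$((problems + 1)); } ;;
            none|proc|sysfs|tmpfs|devpts) ;;
            *)  echo "unrecognised device reference: $ref"; problems=$((problems + 1)) ;;
        esac
    done
    for name in $(awk '!/^[[:space:]]*(#|$)/ { print $1 }' "$crypttab"); do
        grep -q "^/dev/mapper/$name:" "$dump" ||
            { echo "crypttab name $name is not open as /dev/mapper/$name"; problems=$((problems + 1)); }
    done
    return "$problems"
}
```

From the live OS, with the new root mounted at tmp/ku2404: `sudo blkid > blkid.txt`, then `rewrite_fstab_for_lv tmp/ku2404/etc/fstab /dev/mapper/vgkubuntu-ku2404 /dev/mapper/vgkubuntu-ku2404_var > fstab.new`, run `check_boot_refs fstab.new tmp/ku2404/etc/crypttab blkid.txt`, and only copy fstab.new into place and run update-grub once it reports nothing.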