Installing Ubuntu 16.10 on existing LUKS-encrypted LVM

This is a short overview of how to install Ubuntu 16.10 on an existing LUKS-encrypted partition containing logical volumes, using two unencrypted partitions for /boot and /boot/efi.

Disk layout

All commands shown below assume this layout.

    NAME                  SIZE RO TYPE  Note
    sdc                 223,6G  0 disk  Disk that should be used
    ├─sdc1                256M  0 part  unencrypted fat32 that should be used for /boot/efi
    ├─sdc2                256M  0 part  unencrypted ext4 that should be used for /boot
    └─sdc3              223,1G  0 part  LUKS encrypted partition
      └─develop         223,1G  0 crypt
        ├─vg01-swap         8G  0 lvm   swap that should be used
        ├─vg01-root       100G  0 lvm   should be used as root /
        └─vg01-develop  115,1G  0 lvm   data partition that should not be touched

Install

  • Boot from your install medium in UEFI mode.
  • Start the live system (“Try Ubuntu …”)
  • Unlock the encrypted partition

    # find partition
    lsblk
    # open it
    sudo cryptsetup luksOpen /dev/sdc3 sdc3_crypt
  • run the installer

    • set the root to be /dev/mapper/vg01-root, select a filesystem (ext4) and check the format box
    • set /boot as mountpoint for /dev/sdc2
    • set /dev/sdc as boot device
    • install

Manually setup the boot partition

  • prepare the new install for chroot

    # mount the root partition
    sudo mount /dev/mapper/vg01-root /mnt
    sudo mount /dev/sdc2 /mnt/boot
    sudo mount /dev/sdc1 /mnt/boot/efi
    # bind the dev, proc, and sys to the new root
    sudo mount --bind /dev /mnt/dev
    sudo mount --bind /proc /mnt/proc
    sudo mount --bind /sys /mnt/sys
  • chroot into the new install

    sudo chroot /mnt
  • find the uuid of the luks encrypted partition

    blkid /dev/sdc3
  • add a new file /etc/crypttab with the following content (sdc3_crypt is just a name; I used the same one as in the luksOpen above)

    # <target name>	<source device>		<key file>	<options>
    sdc3_crypt UUID=f2ee83ef-a828-4a84-a150-2ffd781b495a none luks,discard

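The discard option is only relevant for SSDs and may reduce security, because TRIM requests passed through to the disk reveal which blocks of the encrypted volume are unused; see the warning in the crypttab(5) manpage.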

  • fix the boot setup
    # reinstall grub
    apt-get install --reinstall grub-efi-amd64
    grub-install

    # update the initramfs
    update-initramfs -k all -c -v

    # update grub
    update-grub
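
A check that can be run inside the chroot after writing /etc/crypttab and before rebuilding the initramfs, so that the entry is known to reference the LUKS container itself and the discard setting is a deliberate choice. This is an added example, not part of the original post; the function names luks_uuid and check_crypttab are hypothetical, and the sample blkid line is constructed around the UUID shown above.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# luks_uuid LINE: print the UUID from one line of blkid output, but only when
# the device is a LUKS container, so an LV or filesystem UUID is rejected.
luks_uuid() {
    case $1 in *'TYPE="crypto_LUKS"'*) ;; *) return 1 ;; esac
    uuid=$(printf '%s\n' "$1" | sed -n 's/.* UUID="\([0-9a-fA-F-]*\)".*/\1/p')
    [ -n "$uuid" ] && printf '%s\n' "$uuid"
}

# check_crypttab FILE UUID NAME: report on the entry whose source device is
# UUID=<UUID>. Returns 0 if such an entry exists, 1 otherwise.
check_crypttab() {
    found=1
    while read -r name source key opts rest || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac      # skip blanks and comments
        [ "$source" = "UUID=$2" ] || continue
        found=0
        [ "$name" = "$3" ] || echo "NOTE: target '$name' differs from open mapping '$3'"
        [ "$key" = none ] || echo "NOTE: key field is '$key', not 'none'"
        case ",$opts," in *,discard,*)
            echo "WARN: discard is set; see the warning in crypttab(5)" ;;
        esac
    done < "$1"
    [ "$found" -eq 0 ] || echo "FAIL: no entry with source UUID=$2"
    return "$found"
}

# Constructed sample input: a blkid line for /dev/sdc3 and the crypttab
# content from the post. In the chroot you would instead run:
#   check_crypttab /etc/crypttab "$(luks_uuid "$(blkid /dev/sdc3)")" sdc3_crypt
sample_blkid='/dev/sdc3: UUID="f2ee83ef-a828-4a84-a150-2ffd781b495a" TYPE="crypto_LUKS"'
sample_tab=$(mktemp)
trap 'rm -f "$sample_tab"' EXIT
printf '%s\n' '# <target name> <source device> <key file> <options>' \
    'sdc3_crypt UUID=f2ee83ef-a828-4a84-a150-2ffd781b495a none luks,discard' \
    > "$sample_tab"
check_crypttab "$sample_tab" "$(luks_uuid "$sample_blkid")" sdc3_crypt
```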

All done

That should be it. Reboot the system and there should be an “ubuntu” entry in the UEFI menu; boot from it and it should prompt for the LUKS password, then boot to the normal lightdm login screen.

Thank you for reading, I hope that it was helpful :)

Edit: Post edited on 2016-10-14. Changed from single partition for /boot and /efi to separate partitions and fixed errors.

This work is licensed under a Creative Commons Attribution 4.0 International License.