Installing K-Ubuntu 16.04 with LVM+LUKS Full Encryption

The Kubuntu installer, like most Ubuntu installers, is very basic and does not let you customize the encryption setup. For example, if you have Windows and Linux together on the same hard drive, the installer won’t let you keep the dual boot: it forces you to use the whole disk, removing the existing Windows partition.

DISCLAIMER:  This should be adapted to your system specifications. I am not to be liable for direct, indirect or consequential damages or for any loss of revenue, profits or data arising in connection with using this site or material, including, but not limited to, medical, physical and psychological effects. The information contained within this website is provided ‘as-is’, without warranties as to its accuracy whether expressed or implied and is intended for educational purposes only.


LVM is useful when you have hard drive encryption like LUKS, because it lets you create multiple “logical volumes”, which are like partitions, inside a single encrypted container.

This installation procedure is for a non-EFI environment.

We are going to create two main partitions:

/dev/sda1: /boot
/dev/sda2: LUKS with LVM (/, /home and swap).

Let’s start partitioning with fdisk:


Now we see that our disk has two partitions; let’s create another two for /boot and LVM+LUKS.

First create the /boot partition. 1Gb will be enough, but remember to clean out old kernels frequently and run “apt autoremove”.

Now create the LVM+LUKS partition:

Remember the partition numbers and write the changes to disk:


 

Now you can start creating the LUKS in /dev/sda2 (or your main partition):

 

Format the LUKS container (using --use-random should improve the crypto-key security, but it will take a lot of time and require some entropy feedback):

root@kubuntu:~# cryptsetup -c aes-xts-plain64 --key-size 256 --hash sha512 --use-random --verify-passphrase luksFormat /dev/sda2 
 
WARNING! 
======== 
This will overwrite data on /dev/sda2 irrevocably. 
 
Are you sure? (Type uppercase yes): YES 
Enter passphrase:  
Verify passphrase:

Open the LUKS container:

root@kubuntu:~# cryptsetup luksOpen /dev/sda2 hdcrypt0 
Enter passphrase for /dev/sda2:

Now we create the LVM physical volume, volume group and logical volumes:

Create the PV:

root@kubuntu:~# pvcreate  /dev/mapper/hdcrypt0  
  Physical volume "/dev/mapper/hdcrypt0" successfully created

Create the volume group:

root@kubuntu:~# vgcreate vg0 /dev/mapper/hdcrypt0 
  Volume group "vg0" successfully created

I chose 50Gb for the OS installation and the rest for /home; if you want different sizes, this is the place to change them.

Create the LVM partitions (swap, home and root):

root@kubuntu:~# lvcreate --name swap --size 8G vg0 
  Logical volume "swap" created. 
root@kubuntu:~# lvcreate --name root --size 50G vg0 
  Logical volume "root" created. 
root@kubuntu:~# lvcreate --name home -l 100%FREE vg0 
  Logical volume "home" created.

Now you have all the partitions:


Installing the OS:

Now we are ready: all the partitions and the encryption are configured properly. Open the installer now (not before) and install as follows:

Choose your language and press Continue:

Choose your options and continue:

Choose manual installation type and continue:

Start editing partition /dev/sda1 (which would be /boot) as follows:

Edit partition /dev/mapper/vg0-swap as follows:

Edit the root partition as follows:

Edit partition home as follows:

 

Choose the bootloader disk (In this case /dev/sda):

and continue twice:

Now choose your time zone and continue during the installation:

Now choose the keyboard layout:

and your username / host:

By continuing, it will install/configure the hardware/software. It will take some time.

Done with the installation…


The initramfs will not recognize that this is an encrypted installation, so we have to repair the installation.

Reboot into the Kubuntu live DVD/USB again and open a terminal:

Open the LUKS container:

root@kubuntu:~# cryptsetup luksOpen /dev/sda2 hdcrypt0 
Enter passphrase for /dev/sda2:

Now mount the system:

root@kubuntu:~# mkdir /target
root@kubuntu:~# mount /dev/mapper/vg0-root /target
root@kubuntu:~# mount /dev/sda1 /target/boot
root@kubuntu:~# mount --bind /proc /target/proc
root@kubuntu:~# mount --bind /sys /target/sys
root@kubuntu:~# mount --bind /dev /target/dev

Now chroot into it:

root@kubuntu:~# chroot /target/ su -
mesg: ttyname failed: Success.

And now request the block id for the encrypted partition:

root@kubuntu:/etc# blkid /dev/sda2 
/dev/sda2: UUID="1b3b6b72-994c-41af-cdef-12a832f712e5" TYPE="crypto_LUKS" PARTUUID="6f916d90-02"

Copy the UUID and create the /etc/crypttab with the following content (using nano or vi) in one line:

hdcrypt0 UUID=1b3b6b72-994c-41af-cdef-12a832f712e5 none luks,discard

And update the initramfs:

root@kubuntu:~# update-initramfs -v -k all -c

It should rebuild the initramfs; the verbose output should include the following lines:

Calling hook compcache 
Calling hook cryptroot 
Copying module directory kernel/arch/x86/crypto

Log out of the chroot and unmount all filesystems:

root@kubuntu:/etc# logout

root@kubuntu:~# umount /target/dev
root@kubuntu:~# umount /target/sys
root@kubuntu:~# umount /target/proc
root@kubuntu:~# umount /target/boot
root@kubuntu:~# umount /target
root@kubuntu:~#

Now initramfs has been written successfully and you can reboot.
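
A check for the /etc/crypttab entry created above, as an added example that is not part of the original post: it confirms that the entry uses the UUID of the crypto_LUKS partition (not of /dev/mapper/hdcrypt0 or another filesystem) and carries the luks option, and is best run inside the chroot before update-initramfs. The function name check_crypttab, its status strings, and the sample blkid lines for /dev/sda1 and /dev/mapper/hdcrypt0 are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): sanity-check a crypttab entry.
# Inputs are passed as text so the check also runs offline:
#   $1 = mapping name, $2 = contents of /etc/crypttab, $3 = output of blkid
check_crypttab() {
    cc_name=$1; cc_tab=$2; cc_blkid=$3
    # First non-comment line whose first field is the mapping name.
    cc_entry=$(printf '%s\n' "$cc_tab" |
        awk -v n="$cc_name" '$1 !~ /^#/ && $1 == n { print; exit }')
    [ -n "$cc_entry" ] || { echo "no-entry"; return 1; }
    cc_src=$(printf '%s\n' "$cc_entry" | awk '{ print $2 }')
    cc_opts=$(printf '%s\n' "$cc_entry" | awk '{ print $4 }')
    case $cc_src in
        UUID=*) cc_uuid=${cc_src#UUID=} ;;
        *) echo "not-uuid"; return 1 ;;   # /dev/sdX names can change between boots
    esac
    # The UUID must belong to the LUKS partition itself, not to the opened
    # mapping (/dev/mapper/hdcrypt0) or to a filesystem on another partition.
    cc_line=$(printf '%s\n' "$cc_blkid" | grep -F " UUID=\"$cc_uuid\"" | head -n 1)
    [ -n "$cc_line" ] || { echo "uuid-not-found"; return 1; }
    case $cc_line in
        *'TYPE="crypto_LUKS"'*) ;;
        *) echo "not-luks"; return 1 ;;
    esac
    case ",$cc_opts," in
        *,luks,*) ;;
        *) echo "missing-luks-option"; return 1 ;;
    esac
    case ",$cc_opts," in
        *,discard,*) echo "note: discard passes TRIM through and reveals unused blocks" >&2 ;;
    esac
    echo "ok"
}

# Constructed sample input, modelled on the values shown in this post.
SAMPLE_BLKID='/dev/sda1: UUID="0a0a0a0a-1111-2222-3333-444444444444" TYPE="ext4" PARTUUID="6f916d90-01"
/dev/sda2: UUID="1b3b6b72-994c-41af-cdef-12a832f712e5" TYPE="crypto_LUKS" PARTUUID="6f916d90-02"
/dev/mapper/hdcrypt0: UUID="SAMPLE-0000-0000-0000-0000-0000-SAMPLE" TYPE="LVM2_member"'
SAMPLE_CRYPTTAB='hdcrypt0 UUID=1b3b6b72-994c-41af-cdef-12a832f712e5 none luks,discard'

check_crypttab hdcrypt0 "$SAMPLE_CRYPTTAB" "$SAMPLE_BLKID"
```

On the installed system, run it inside the chroot as check_crypttab hdcrypt0 "$(cat /etc/crypttab)" "$(blkid)".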

Done! Enter your password at boot and enjoy your encrypted Ubuntu installation.
