1. Introduction
2. Requirements
3. Installation
4. About
1. Introduction
This howto describes how to install Ubuntu 8.04 (Hardy Heron) on LVM2 residing on a partition encrypted with dm-crypt.
Furthermore, it explains how to keep an already installed operating system so that the machine can dual boot.
The installation can be done directly from the Ubuntu CD, but the alternate version must be used, since the desktop version does not appear to support it.
If you need more information about LVM, you might be interested in my LVM micro howto.
If you need more information about dm-crypt, you might be interested in my Dm-crypt micro howto.
1.1. Why encrypt the whole OS?
I have written this howto because I keep my personal data on my laptop, which could be lost, stolen, etc. In that case, I want to be sure that no one can access it. In the worst case, I would lose only my hardware, not my data!
Although this howto focuses on a laptop installation, it can easily be applied to a desktop installation.
It is a common mistake not to encrypt personal data on laptops, but it is also a common mistake to think that data is safe just because it has been encrypted. This is wrong!
When the data owner accesses the encrypted data, it is decrypted. From that moment on, there is a risk that the decrypted data, or part of it, is copied to an unsafe place. Typically this is the /tmp partition or simply the swap partition. Neither /tmp nor swap is cleaned on system shutdown! You might think: where is the problem? They are cleaned at the next OS start up! This is true. But what happens if somebody uses a rescue CD to mount your hard disk? They have access to all the decrypted data still residing outside the encrypted partition!
By encrypting the whole OS as well as my personal data, I have good assurance that my data can be read only by me, because temporarily decrypted data is also stored on an encrypted partition: that of the OS.
Since I like LVs (Logical Volumes) a lot, because they are very flexible and spare me a lot of wasted disk space, I also use LVs in conjunction with dm-crypt, which makes the installation a little more complicated but not impossible. This howto describes step by step how to do it.
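As an added example (not part of the original howto), a small POSIX shell check of the point made above: it reads the contents of /proc/swaps and /proc/mounts and reports any swap device or sensitive mount point (/, /tmp, /var/tmp, /home) that does not sit on a logical volume of the encrypted volume group "vg" used in this howto. The /proc contents in the block are constructed samples so that it runs offline; /boot and the first OS are expected to stay unencrypted and are not reported.

```shell
#!/bin/sh
# Added example, not part of the original howto: verify that swap and the
# file systems which can receive decrypted data (/, /tmp, /var/tmp, /home)
# really live on logical volumes of the encrypted volume group, so nothing
# is written in clear outside sda3_crypt. The VG name "vg" follows the
# howto; /boot and the first OS are expected to stay unencrypted.

# Returns 0 when $1 is a logical volume of volume group $2, in either
# device naming scheme (/dev/mapper/vg-lv or /dev/vg/lv).
is_lv_of_vg() {
    case "$1" in
        /dev/mapper/"$2"-*|/dev/"$2"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1: contents of /proc/swaps, $2: contents of /proc/mounts, $3: VG name.
# Prints one line per finding ("swap <dev>" or "mount <mountpoint> <dev>");
# no output means every sensitive location is on an encrypted LV.
check_leak_paths() {
    # skip the header line of /proc/swaps
    printf '%s\n' "$1" | tail -n +2 | while read -r dev _; do
        [ -n "$dev" ] || continue
        is_lv_of_vg "$dev" "$3" || echo "swap $dev"
    done
    printf '%s\n' "$2" | while read -r dev mnt _; do
        case "$mnt" in
            /|/tmp|/var/tmp|/home)
                is_lv_of_vg "$dev" "$3" || echo "mount $mnt $dev" ;;
        esac
    done
}

# Constructed samples: the layout of this howto (good case) and a layout
# where swap and /tmp were left on plain partitions (bad case).
GOOD_SWAPS='Filename Type Size Used Priority
/dev/mapper/vg-swap partition 2097148 0 -1'
GOOD_MOUNTS='/dev/mapper/vg-root / reiserfs rw,notail 0 0
/dev/sda2 /boot reiserfs rw,notail 0 0
/dev/mapper/vg-home /home reiserfs rw,notail 0 0
/dev/sda1 /media/sda1 ntfs ro 0 0'
BAD_SWAPS='Filename Type Size Used Priority
/dev/sda4 partition 2097148 0 -1'
BAD_MOUNTS='/dev/mapper/vg-root / reiserfs rw,notail 0 0
/dev/sda5 /tmp ext3 rw 0 0'

# On a running system: check_leak_paths "$(cat /proc/swaps)" "$(cat /proc/mounts)" vg
check_leak_paths "$BAD_SWAPS" "$BAD_MOUNTS" vg
```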
Two words before starting:
1) This task is not suitable for beginners, but the howto should be detailed enough to allow everyone to do the installation.
2) Don't forget to back up your data, preferably to an external HD that is unplugged before starting the installation, or to a CD/DVD.
1.2. How it works
During the OS start up, a very minimal part of the OS is read from the /boot partition, which is not encrypted and does not contain any critical data. The user is then prompted for a passphrase. If the passphrase is not correct, the OS cannot continue the start up process, because the 99% of the OS residing on the encrypted partition is not available.
Once the correct passphrase is entered, a special device (called sda3_crypt in this document) is created. This device gives access to the encrypted partition.
Once the encrypted partition is accessible, the harddisk is scanned for LVM2 volume groups.
Once the volume group (called vg in this document) has been found, it is activated.
Once the volume group is active, all its LVM2 logical volumes are available.
The root partition (residing in a LV in the encrypted partition) is mounted and the start up process can continue.
1.3. Restrictions
There is a restriction when booting a system installed on a LV.
The /boot cannot be a LV because there is no easy way for the bootloader to read inside LVs!
The LILO bootloader seems to be able to do that (maybe only with a patch), but this procedure is out of the scope of this document.
1.4. Harddisk layout
The chosen partition configuration uses only one hard disk: /dev/sda.
A working OS is already installed in /dev/sda1.
The rest of the disk will be used. Any existing partition there will be destroyed.
+--------------+------------------------------------------------+
|     sda1     |                      free                      |
+--------------+------------------------------------------------+
1.4.1. LVM layout
Since /boot cannot reside on a LV, at least 2 additional partitions are needed: one for /boot and one for /.
1.4.2. dm-crypt layout
To avoid typing several passphrases, only one partition is encrypted. This partition will contain all the LVs.
1.4.3. Final layout
Here is the result:
+--------------+--------------+------------------------------+
|     sda1     |     sda2     |             sda3             |
+--------------+--------------+------------------------------+
|   FIRST OS   |      -       |          sda3_crypt          |
| /media/sda1  |    /boot     |    LVs: root, swap, ...      |
+--------------+--------------+------------------------------+
The existing OS will be automatically mounted by Ubuntu (an icon will be placed on the desktop).
1.4.4. LVM layout
For the volume group name I have chosen "vg", but you can use any name.
For the logical volume name of / I have chosen "root", but you can use any name.
For the logical volume name of the swap I have chosen "swap", but you can use any name.
Here is the result:
/dev/mapper/vg-root: used for /
/dev/mapper/vg-swap: used for swap
Please note that the LV devices are referred to via /dev/mapper/vg-xxx and not via /dev/vg/xxx.
2. Requirements
This kind of installation is not supported by the Ubuntu desktop version. You need the alternate version to do it.
3. Installation
3.1. Booting the DVD
Power on with the Ubuntu CD in your CD-ROM drive.
Once the Ubuntu logo appears, start the installation:
- press ENTER to start "Install in text mode"
3.2. Installing the system: before dm-crypt/LVM configuration
Answer the following items:
- select language and press ENTER
- select keyboard layout and press ENTER
- enter your hostname (the name of your laptop) and press ENTER
The steps described in the next chapters are those specific to dm-crypt and LVM.
3.3. Starting dm-crypt/LVM configuration
The following chapters are the most important part of this document.
Start dm-crypt/LVM configuration:
- select "Manual" for partitioning method and press ENTER
3.4. Freeing harddisk
You should see something like this:
SCSI1 (0,0,0) (sda) - 107.4 GB
#1 primary 10.0 GB B K NTFS /media/sda1
#2 primary 40.0 GB B K NTFS /media/sda2
#3 primary 50.0 GB B K NTFS /media/sda3
The partition #1 is the partition containing the OS to be kept.
Partitions #2, #3, etc. are considered useless in this document and will be destroyed in order to make space for Ubuntu.
Warning! This operation will destroy any data stored in these partitions. Did you make the backup, Forrest?
Delete partitions:
- select partition #2 and press ENTER
- select "Delete partition" and press ENTER
Repeat for any other partition.
Be sure you have enough space on the disk before continuing.
For the OS, 5 GB is enough for the standard installation plus a large reserve.
For the data, it is your choice.
After having deleted the useless partitions, you should see something like this:
SCSI1 (0,0,0) (sda) - 107.4 GB
#1 primary 10.0 GB B K NTFS /media/sda1
pri/log 97.4 GB FREE SPACE
3.5. Creating /boot partition
Create sda2:
- select "FREE SPACE" and press ENTER
- select "Create a new partition" and press ENTER
- enter 200MB
- select "Primary" and press ENTER
- select "Beginning" and press ENTER
- select "Use as:" and press ENTER
- select "ReiserFS journaling file system" and press ENTER
- select "Mount point:" and press ENTER
- select "/boot - static files of the boot loader" and press ENTER
- select "Mount options:" and press ENTER
- select "notail - disable packing of files into the file system tree" and press ENTER
- select "Label:" and press ENTER
- enter "boot"
- select "Bootable flag:" to "on" by presssing ENTER
- select "Done setting up the partition"
You should now see something like:
SCSI1 (0,0,0) (sda) - 107.4 GB
#1 primary 10.0 GB B K NTFS /media/sda1
#2 primary 197.4 MB B f reiserfs /boot
pri/log 97.4 GB FREE SPACE
You have just created /dev/sda2, which will be used for /boot.
3.6. Creating encrypted partition
Create sda3:
- select "FREE SPACE" and press ENTER
- select "Create a new partition"
- leave the displayed value
- select "Primary"
Mark sda3 as a physical volume for encryption:
- select "Use as:"
- select "physical volume for encryption"
- select "Done setting up the partition"
You should now see something like:
SCSI1 (0,0,0) (sda) - 107.4 GB
#1 primary 10.0 GB B K NTFS /media/sda1
#2 primary 197.4 MB B f reiserfs /boot
#3 primary 97.2 GB K crypto not active
You have just created /dev/sda3, which will be used for the encrypted partition sda3_crypt.
3.7. Configuring encrypted partitions
- select "Configure encrypted volumes" and press ENTER
- select "Yes" and press ENTER
- enter passphrase
- enter passphrase again
You should now see something like:
Encrypted volume (sda3_crypt) - 97.2 GB Linux device-mapper
#1 97.2 GB f ext3
SCSI1 (0,0,0) (sda) - 107.4 GB
#1 primary 10.0 GB B K NTFS /media/sda1
#2 primary 197.4 MB B f reiserfs /boot
#3 primary 97.2 GB K crypto (sda3_crypt)
You have just created /dev/mapper/sda3_crypt, which will be used for the LVs.
3.8. Creating LV devices
Mark sda3_crypt as LVM:
- select encrypted volume "#1 97.2 GB f ext3" and press ENTER
- select "Use as:" and press ENTER
- select "physical volume for LVM" and press ENTER
- select "Done setting up the partition" and press ENTER
You should now see something like:
Encrypted volume (sda3_crypt) - 97.2 GB Linux device-mapper
#1 97.2 GB K lvm
SCSI1 (0,0,0) (sda) - 107.4 GB
#1 primary 10.0 GB B K NTFS /media/sda1
#2 primary 197.4 MB B f reiserfs /boot
#3 primary 97.2 GB K crypto (sda3_crypt)
Now the /dev/mapper/sda3_crypt device is ready to be used with LVM and we can proceed to create our LVs.
3.9. Creating LVs
- select "Configure the Logical Volume Manager" and press ENTER
- select "Yes" and press ENTER
3.9.1. Creating volume group
Create volume group:
- select "Create volume group" and press ENTER
- enter "vg"
- select "/dev/mapper/sda3_crypt" and press ENTER
- select "Continue" and press ENTER
Now a volume group called "vg" exists and we use it to create our LVs.
3.9.2. Creating logical volume root
Create logical volume "root" with a size of 7G and of group "vg":
- select "Create logical volume" and press ENTER
- select "vg" and press ENTER
- enter "root" and press ENTER
- enter "7G" and press ENTER
This LV will be used later for the / partition.
3.9.3. Creating logical volume swap
Create logical volume "swap" with a size of 2G and of group "vg":
- select "Create logical volume"
- select "vg" and press ENTER
- enter "swap" and press ENTER
- enter "2G" and press ENTER
This LV will be used later for the swap partition.
Depending on your configuration, create additional volumes in the group "vg" for /home, /var/www, ...
If you prefer, you can do this later, but the process will be a little more complicated.
3.10. Closing LVM configuration
Save LVM configuration:
- select "Finish" and press ENTER
You should now see something like:
Encrypted volume (sda3_crypt) - 97.2 GB Linux device-mapper
#1 97.2 GB K lvm
LVM VG vg, LV root - 7.5 GB Linux device-mapper
#1 7.5 GB
LVM VG vg, LV swap - 2.1 GB Linux device-mapper
#1 2.1 GB
SCSI1 (0,0,0) (sda) - 107.4 GB
#1 primary 10.0 GB B K NTFS /media/sda1
#2 primary 197.4 MB B f reiserfs /boot
#3 primary 97.2 GB K crypto (sda3_crypt)
The LVM configuration is now finished and we can proceed by creating our filesystems.
3.11. Creating filesystem on root partition
Create mountpoint for /:
- select "#1 7.5 GB" of the "LVM VG vg, LV root" (which corresponds to /dev/vg/root)
- select "Use as:" and press ENTER
- select "ReiserFS journaling file system" and press ENTER
- select "Mount point:" and press ENTER
- select "/ - the root file system" and press ENTER
- select "Mount options:" and press ENTER
- select "notail - disable packing of files into the file system tree" and press ENTER
- select "Label:" and press ENTER
- enter "root" and press ENTER
- select "Done setting up the partition" and press ENTER
You should now see something like:
Encrypted volume (sda3_crypt) - 97.2 GB Linux device-mapper
#1 97.2 GB K lvm
LVM VG vg, LV root - 7.5 GB Linux device-mapper
#1 7.5 GB f reiserfs /
LVM VG vg, LV swap - 2.1 GB Linux device-mapper
#1 2.1 GB
SCSI1 (0,0,0) (sda) - 107.4 GB
#1 primary 10.0 GB B K NTFS /media/sda1
#2 primary 197.4 MB B f reiserfs /boot
#3 primary 97.2 GB K crypto (sda3_crypt)
3.12. Creating filesystem on swap partition
Create mountpoint for swap:
- select "#1 2.1 GB" of the "LVM VG vg, LV swap" (which corresponds to /dev/vg/swap)
- select "Use as:" and press ENTER
- select "swap area" and press ENTER
- select "Done setting up the partition" and press ENTER
You should now see something like:
Encrypted volume (sda3_crypt) - 97.2 GB Linux device-mapper
#1 97.2 GB K lvm
LVM VG vg, LV root - 7.5 GB Linux device-mapper
#1 7.5 GB f reiserfs /
LVM VG vg, LV swap - 2.1 GB Linux device-mapper
#1 2.1 GB f swap swap
SCSI1 (0,0,0) (sda) - 107.4 GB
#1 primary 10.0 GB B K NTFS /media/sda1
#2 primary 197.4 MB B f reiserfs /boot
#3 primary 97.2 GB K crypto (sda3_crypt)
3.13. Creating additional LVs before rebooting
For each additional logical volume you created before, repeat the same process as for the / partition.
If you didn't create any additional LV, skip this chapter.
Here is an example for /home:
- select "#1" of the "LVM VG vg, LV home" (which corresponds to /dev/vg/home)
- select "Use as:" and press ENTER
- select "ReiserFS journaling file system" and press ENTER
- select "Mount point:" and press ENTER
- select "/home - user home directories" and press ENTER
- select "Mount options:" and press ENTER
- select "notail - disable packing of files into the file system tree" and press ENTER
- select "Label:" and press ENTER
- enter "home" and press ENTER
- select "Done setting up the partition" and press ENTER
You should now see something like:
Encrypted volume (sda3_crypt) - 97.2 GB Linux device-mapper
#1 97.2 GB K lvm
LVM VG vg, LV root - 7.5 GB Linux device-mapper
#1 7.5 GB f reiserfs /
LVM VG vg, LV swap - 2.1 GB Linux device-mapper
#1 2.1 GB f swap swap
LVM VG vg, LV home - 2.0 GB Linux device-mapper
#1 2.0 GB f reiserfs /home
SCSI1 (0,0,0) (sda) - 107.4 GB
#1 primary 10.0 GB B K NTFS /media/sda1
#2 primary 197.4 MB B f reiserfs /boot
#3 primary 97.2 GB K crypto (sda3_crypt)
3.14. Creating filesystem on boot partition
This step has already been done at the beginning of the disk partitioning and can therefore be skipped.
3.15. Closing partitioning
Write all changes to disk:
- select "Finish partitioning and write changes to disk" and press ENTER
- select "Yes" and press ENTER
At this point, the special configuration for the dm-crypt/LVM combination has been done. You can now proceed with the classical installation.
3.16. Installing the system: after dm-crypt/LVM configuration
You can proceed by installing the system exactly as you would without LVM and dm-crypt.
Configure the remaining items as usual:
- time zone
- clock
- set up users and passwords
3.17. Installing the GRUB bootloader
In order to be able to boot several OSs, you need the GRUB bootloader:
- answer "Yes" to "Install the bootloader in the MBR"
Once the GRUB bootloader is installed in the MBR, the original bootloader (that of the first OS) is overwritten.
Since GRUB automatically detects the first OS and adds an entry for it to the boot menu, at each start up it is possible to choose which OS to start.
4. About
4.1. Author
Emidio Planamente <eplanamente@gmx.ch>
4.2. History
Version 1
First public release