Install Ubuntu with encrypted LVM and multiple logical volumes

Submitted by olaf on 2014-10-16
Last modified at 2015-06-05

Before you start, back up your hard disk! I use rsnapshot for my regular daily backup.

I already have Ubuntu 12.04 on my desktop and want to install the new LTS Ubuntu 14.04 on a second hard disk. The guided encrypted-LVM setup of the current Ubuntu installer (Trusty, 14.04) does not let you split the system into multiple logical volumes for root, /usr, /home and /var.

To do this, you must either use a standard install and repartition later or prepare the logical volumes upfront. I chose the second.

To prepare a disk as an encrypted LVM, you must first create the needed partitions. A bootable system needs an unencrypted /boot partition, holding GRUB's files, the Linux kernels and the initramfs images (the stock Ubuntu setup expects /boot in the clear, because the boot loader has to read the kernel before anything can be unlocked), and a second (extended) partition, which will contain the encrypted LVM. Keep in mind what this means: anyone with physical access can read and modify the kernel and initramfs on /boot. Disk encryption protects the data on the logical volumes, not the integrity of the code that unlocks them.

I use fdisk, but you can use any partitioning tool you’re comfortable with. Since I want to install on my second hard drive, I use /dev/sdb; substitute your own device (sda, sdb, sdc, …). Check it with fdisk -l before writing anything, because the steps below destroy whatever is on that disk.

fdisk /dev/sdb

After creating the primary boot partition, the extended partition and the logical partition inside it (type 8e, Linux LVM), the partition table looks like this:

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1            2048      514047      256000   83  Linux
/dev/sdb2          514048   976773167   488129560    5  Extended
/dev/sdb5          516096   976773167   488128536   8e  Linux LVM

sdb1 will be the boot partition, containing GRUB, the Linux kernels and the initramfs images; sdb5 will be the encrypted LVM partition.

Now I need to initialize the encrypted partition. This is done with cryptsetup luksFormat; see the manual page and the cryptsetup FAQ for more details. luksFormat writes a new LUKS header, so anything still on /dev/sdb5 is gone, and the passphrase you enter here is all that protects the whole disk, so choose a long one.

cryptsetup luksFormat /dev/sdb5

and make it available

cryptsetup luksOpen /dev/sdb5 sdb5_crypt

This creates a mapping /dev/mapper/sdb5_crypt, on which we can create the volume group and the logical volumes for the new Ubuntu system. Initialize the physical volume

pvcreate /dev/mapper/sdb5_crypt

and create the volume group

vgcreate vg1 /dev/mapper/sdb5_crypt

As the final preparation step, I create the logical volumes for root, /usr, etc.

lvcreate --size 1G --name root vg1
lvcreate --size 1G --name tmp vg1
lvcreate --size 10G --name usr vg1
lvcreate --size 5G --name var vg1
lvcreate --size 100G --name home vg1

You may want to create additional volumes, like /opt, /usr/local, /srv or a multimedia volume, or adjust the sizes to your needs. To review the volume group

vgdisplay -s

which shows something like

"vg1" 465,51 GiB [37,00 GiB used / 428,51 GiB free]
"vg0" 931,04 GiB [652,19 GiB used / 278,86 GiB free]

and the same for logical volumes

lvs

which gives on my system

LV     VG   Attr    LSize   Origin Snap%  Move Log Copy%  Convert
home   vg0  -wi-ao  46,56g
var    vg0  -wi-ao   4,66g
local  vg1  -wi-a-  20,00g
root   vg1  -wi-a-   1,00g
tmp    vg1  -wi-a-   1,00g
usr    vg1  -wi-a-  10,00g
var    vg1  -wi-a-   5,00g
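As an added example (not part of the original article), here are the preparation steps wrapped into a shell script with two things the interactive commands above leave out: explicit LUKS parameters instead of whatever the installed cryptsetup happens to default to, and a check of the resulting header before the LVM is created on top of it. The disk, partition number 5, the mapping name sdb5_crypt, the volume group vg1 and the volume sizes are taken from the article; prepare_disk and luks_header_ok are names chosen here. Run prepare_disk only as root, on a disk you have already partitioned as shown and intend to wipe; the luksDump parser expects the LUKS1 header layout that cryptsetup produced at the time.

```sh
#!/bin/sh
# Added example, not the article's own commands. Prepares an already
# partitioned disk (sdX1 = /boot, sdX5 = type 8e) as an encrypted LVM with
# explicit LUKS parameters and verifies the header before building on it.
set -eu

# Read `cryptsetup luksDump` output (LUKS1 layout) from stdin and succeed
# only for AES in XTS mode with a 512-bit master key (256-bit AES, since XTS
# splits the key) and SHA-256 as the PBKDF hash. Older cryptsetup releases
# default to aes-cbc-essiv:sha256 unless told otherwise, so read it back.
luks_header_ok() {
    awk '
        /^Cipher name:/ { name = $3 }
        /^Cipher mode:/ { mode = $3 }
        /^Hash spec:/   { hash = $3 }
        /^MK bits:/     { bits = $3 }
        END {
            ok = (name == "aes" && mode == "xts-plain64" \
                  && hash == "sha256" && bits + 0 >= 512)
            exit (ok ? 0 : 1)
        }'
}

# prepare_disk /dev/sdb  (assumes the article's sdX naming; NVMe disks
# name their partitions differently, e.g. nvme0n1p5)
prepare_disk() {
    disk=$1
    part=${disk}5                       # logical partition of type 8e
    name=$(basename "$part")_crypt      # sdb5_crypt, as in the article

    # Refuse to touch a partition that is currently mounted.
    if grep -q "^$part " /proc/mounts; then
        echo "$part is mounted, aborting" >&2
        return 1
    fi

    # Explicit cipher, key size, hash and PBKDF time instead of the
    # version-dependent defaults. Still asks for confirmation and passphrase.
    cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 512 \
        --hash sha256 --iter-time 3000 "$part"

    # Stop here if the header is not what we asked for (set -e aborts).
    cryptsetup luksDump "$part" | luks_header_ok

    cryptsetup luksOpen "$part" "$name"
    pvcreate "/dev/mapper/$name"
    vgcreate vg1 "/dev/mapper/$name"

    # Sizes from the article; add or change volumes as needed.
    for spec in root:1G tmp:1G usr:10G var:5G home:100G; do
        lvcreate --size "${spec#*:}" --name "${spec%%:*}" vg1
    done

    vgdisplay -s vg1
    lvs vg1
}
```

luks_header_ok is the part worth keeping around: a container created with a bare luksFormat gets whatever the installed cryptsetup defaults to (aes-cbc-essiv:sha256 on older releases, aes-xts-plain64 on newer ones), and reading the header back with cryptsetup luksDump is the only way to know which one you got.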

That’s the end of the preparation. Now I booted into the live installation CD, opened a terminal and again made the logical volumes available with

cryptsetup luksOpen /dev/sdb5 sdb5_crypt

If you have done these preparation steps in a terminal from the installation media, you don’t need to reboot and do luksOpen, of course.

You’re ready to start the Ubuntu installation program. When asked for the installation type, select “Something else”. In the next panel, you can now see the encrypted logical volumes as /dev/mapper/vg1-root, /dev/mapper/vg1-usr, … and assign them the mount points /, /usr and so on. Assign /dev/sdb1 to /boot as well; without it the kernels and initramfs images land on the encrypted root volume, where the boot loader cannot read them.

I forgot to use /dev/sdb1 for /boot and mistakenly selected /dev/sdb as the location for Grub. This confused the install process and so, I had to start all over again. Next time I selected /dev/sdb1 and installation went through without any error message.


After rebooting, the system didn’t come up. It showed an error

gave up waiting for root

and dropped me in a shell with an (initramfs) prompt. According to the page “LUKS and LVM install: no boot (gave up waiting for root device)”, initramfs might miss the necessary crypto modules. I found the deciding hint on the page “System no longer boots, gave up waiting for root device, (initramfs), /dev/mapper/gnome-root does not exist”. In my case, the crypto modules and tools were missing, because my /etc/crypttab was empty.

I booted into my old system, opened the encrypted partition

cryptsetup luksOpen /dev/sdb5 sdb5_crypt

and mounted all LVM volumes in a new target directory

mkdir /mnt/target
mount /dev/mapper/vg1-root /mnt/target
mount /dev/sdb1 /mnt/target/boot
mount /dev/mapper/vg1-usr /mnt/target/usr
mount /dev/mapper/vg1-var /mnt/target/var
mount -o bind /dev /mnt/target/dev
mount -o bind /proc /mnt/target/proc

Then, I looked up the UUID with blkid

blkid /dev/sdb5

/dev/sdb5: UUID="af23c7d6-fcea-437b-b788-29df596e895b" TYPE="crypto_LUKS"

which I used for creating /etc/crypttab. Note that this is the UUID of the LUKS container itself (/dev/sdb5, TYPE="crypto_LUKS"), not of a logical volume or filesystem inside it:

echo "sdb5_crypt UUID=af23c7d6-fcea-437b-b788-29df596e895b none luks" >/mnt/target/etc/crypttab

Finally, I recreated the initramfs (update-initramfs -u rebuilds one image; add -k all if you have more than one kernel installed and want every image rebuilt)

chroot /mnt/target
update-initramfs -u

I verified with

lsinitramfs /boot/initrd.img-3.13.0-24-generic | grep crypt

that the dm-crypt module and the cryptsetup binary were included in my new initramfs.
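Here is the repair again, as an added example rather than the article's own commands, done as a script that builds /etc/crypttab from blkid output instead of by hand, also bind-mounts /sys, rebuilds the initramfs for every installed kernel and then checks each image for the pieces the boot needs. Device names, the mapping name, the volume group and the /mnt/target directory are the article's; crypttab_line, initramfs_has_crypt and repair_initramfs are names chosen for this example, and the paths it looks for (sbin/cryptsetup, the dm-crypt module, the cryptroot boot script) are those of an initramfs-tools image as built on Ubuntu 14.04.

```sh
#!/bin/sh
# Added example, not the article's own commands: rebuild the new system's
# initramfs from a rescue environment and verify it can unlock root at boot.
set -eu

# Emit one crypttab line for a LUKS partition. Arguments: mapping name and
# the UUID of the LUKS container (not of an LV or filesystem inside it).
# Anything that is not a 36-character UUID is rejected, which catches the
# common mistake of pasting the device path instead of the blkid value.
crypttab_line() {
    name=$1 uuid=$2
    case $uuid in
        *[!0-9a-f-]*|'') echo "not a LUKS UUID: '$uuid'" >&2; return 1 ;;
    esac
    [ ${#uuid} -eq 36 ] || { echo "not a LUKS UUID: '$uuid'" >&2; return 1; }
    printf '%s UUID=%s none luks\n' "$name" "$uuid"
}

# Read an `lsinitramfs` listing from stdin and succeed only if the image
# carries the cryptsetup binary, the dm-crypt kernel module and the
# cryptroot script that initramfs-tools runs before mounting root.
# (dm-crypt.ko only shows up because Ubuntu builds it as a module.)
initramfs_has_crypt() {
    listing=$(cat)
    for want in 'sbin/cryptsetup$' 'drivers/md/dm-crypt\.ko' \
                'scripts/local-top/cryptroot$'; do
        printf '%s\n' "$listing" | grep -q "$want" || {
            echo "initramfs is missing $want" >&2
            return 1
        }
    done
}

# repair_initramfs [/dev/sdb5]  (run as root from the old system or live CD)
repair_initramfs() {
    part=${1:-/dev/sdb5}
    name=sdb5_crypt
    target=/mnt/target

    cryptsetup luksOpen "$part" "$name"
    vgchange -ay vg1

    mkdir -p "$target"
    mount /dev/mapper/vg1-root "$target"
    mount /dev/sdb1 "$target/boot"
    mount /dev/mapper/vg1-usr "$target/usr"
    mount /dev/mapper/vg1-var "$target/var"
    # /proc is what update-initramfs needs; /sys and /dev are bound too so
    # the hooks see the same system as a normal boot would.
    for fs in dev proc sys; do
        mount -o bind "/$fs" "$target/$fs"
    done

    # Take the UUID straight from blkid instead of retyping it.
    uuid=$(blkid -s UUID -o value "$part")
    crypttab_line "$name" "$uuid" > "$target/etc/crypttab"

    chroot "$target" update-initramfs -u -k all

    # Every image on /boot must be able to unlock root, not just one.
    for img in "$target"/boot/initrd.img-*; do
        lsinitramfs "$img" | initramfs_has_crypt || return 1
    done

    # Unwind in reverse order before rebooting.
    for fs in sys proc dev; do umount "$target/$fs"; done
    umount "$target/var" "$target/usr" "$target/boot" "$target"
}
```

The two helper functions are the part that generalizes: crypttab_line refuses anything that is not a UUID, and initramfs_has_crypt can be pointed at any image with lsinitramfs image | initramfs_has_crypt, which is a stricter check than grepping for the word crypt, since a listing can match that word without containing the dm-crypt module or the cryptroot script.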

2 Comments

Simon Greensmith on 2015-05-12 14:22:00 +0200

Hi Olaf

First of all, I’m fairly inexperienced with linux but I wanted to thank you for posting your instructions, they were incredibly useful and helped me do exactly what I wanted to do to set up my system.

However, there was one step that stumped me and I was wondering if you would consider adding a comment along these lines.

The step to update initramfs:

$ update-initramfs -u

gave me an error saying “/proc/cmdline” doesn’t exist, and resulted in no dm-crypt or cryptsetup modules being included. This is of course because the /proc/ directory is empty on the root partition that I mounted.

The solution I found was to use an additional bind command that linked the /proc directory from the active partition I was on (bootable USB) to the /proc of the freshly mounted root directory:

$ mount -o bind /proc /mnt/target/proc

This allowed the update initramfs command to be run without any errors.

Many thanks for your time, I’ll be sure to post links to your site on the various other forums that were not nearly as helpful.

Regards

Simon

Olaf on 2015-06-05 12:02:00 +0200

Simon, thank you for catching my error and taking the time to report it. I adjusted the article accordingly.
