Install Ubuntu with encrypted LVM and multiple logical volumes
Before you start, back up your hard disk! I use rsnapshot for my regular daily backup.
I already have Ubuntu 12.04 on my desktop and want to install the new LTS Ubuntu 14.04 on a second hard disk. With the current Ubuntu installer (Trusty, 14.04), you cannot create multiple logical volumes for root, /usr, /home and /var.
To do this, you must either use a standard install and repartition later or prepare the logical volumes upfront. I chose the second.
To prepare a disk as an encrypted LVM, you must first create the needed partitions. To create a bootable system, you need a /boot partition, holding the Linux kernels and initramfs images, and a second (extended) partition, which will contain the encrypted LVM.
I use fdisk, but you can use any partitioning tool you’re comfortable with. Since I want to install on my second hard drive, I will use /dev/sdb. You need to use your appropriate device: sda, sdb or sdc.
fdisk /dev/sdb
After creating the primary boot and extended logical partition, it looks like
Device     Boot  Start     End        Blocks     Id  System
/dev/sdb1        2048      514047     256000     83  Linux
/dev/sdb2        514048    976773167  488129560  5   Extended
/dev/sdb5        516096    976773167  488128536  8e  Linux LVM
sdb1 will be the boot partition, containing Grub, Linux kernels and so on; sdb5 will be the encrypted LVM partition.
Now I need to initialize the encrypted partition. This is done with cryptsetup luksFormat; see the manual page and the cryptsetup FAQ for more details.
cryptsetup luksFormat /dev/sdb5
and make it available
cryptsetup luksOpen /dev/sdb5 sdb5_crypt
This creates a mapping /dev/mapper/sdb5_crypt, which allows us to create the volume group and the logical volumes for the new Ubuntu system. Initialize the physical volume
pvcreate /dev/mapper/sdb5_crypt
and create the volume group
vgcreate vg1 /dev/mapper/sdb5_crypt
As the final preparation step, I create the logical volumes for root, /usr, etc.
lvcreate --size 1G --name root vg1
lvcreate --size 1G --name tmp vg1
lvcreate --size 10G --name usr vg1
lvcreate --size 5G --name var vg1
lvcreate --size 100G --name home vg1
You may want to create additional volumes, like /opt, /usr/local, /srv or a multimedia volume, or adjust the sizes to your needs. To review the volume group
vgdisplay -s
which shows something like
"vg1" 465,51 GiB [37,00 GiB used / 428,51 GiB free]
"vg0" 931,04 GiB [652,19 GiB used / 278,86 GiB free]
and the same for logical volumes
lvs
which gives on my system
LV     VG   Attr    LSize   Origin  Snap%  Move  Log  Copy%  Convert
home   vg0  -wi-ao  46,56g
…
var    vg0  -wi-ao   4,66g
local  vg1  -wi-a-  20,00g
root   vg1  -wi-a-   1,00g
tmp    vg1  -wi-a-   1,00g
usr    vg1  -wi-a-  10,00g
var    vg1  -wi-a-   5,00g
That’s the end of the preparation. Now I booted into the live installation CD, opened a terminal and again made the logical volumes available with
cryptsetup luksOpen /dev/sdb5 sdb5_crypt
If you have done these preparation steps in a terminal from the installation media, you don’t need to reboot and do luksOpen, of course.
You’re ready to start the Ubuntu installation program. When asked for the installation type, select “Something else”. In the next panel, you can now see the encrypted logical volumes as /dev/mapper/vg1-root, /dev/mapper/vg1-usr, … and use them as mount points for /, /usr and so on.
I forgot to use /dev/sdb1 for /boot and mistakenly selected /dev/sdb as the location for Grub. This confused the install process and so I had to start all over again. Next time I selected /dev/sdb1 and the installation went through without any error message.
After rebooting, the system didn’t come up. It showed the error
gave up waiting for root
and dropped me in a shell with an (initramfs) prompt. According to the webpage “LUKS and LVM install: no boot (gave up waiting for root device)”, the initramfs might miss the necessary crypto modules. I found the deciding hint on the webpage “System no longer boots, gave up waiting for root device, (initramfs), /dev/mapper/gnome-root does not exist”. In my case, the crypto modules and tools were missing because my /etc/crypttab was empty.
I booted into my old system, opened the encrypted partition
cryptsetup luksOpen /dev/sdb5 sdb5_crypt
and mounted all LVM volumes in a new target directory
mkdir /mnt/target
mount /dev/mapper/vg1-root /mnt/target
mount /dev/sdb1 /mnt/target/boot
mount /dev/mapper/vg1-usr /mnt/target/usr
mount /dev/mapper/vg1-var /mnt/target/var
mount -o bind /dev /mnt/target/dev
mount -o bind /proc /mnt/target/proc
Then, I looked up the UUID with blkid
blkid /dev/sdb5
/dev/sdb5: UUID="af23c7d6-fcea-437b-b788-29df596e895b" TYPE="crypto_LUKS"
which I used for creating /etc/crypttab
echo "sdb5_crypt UUID=af23c7d6-fcea-437b-b788-29df596e895b none luks" >/mnt/target/etc/crypttab
Finally, I recreated the initramfs
chroot /mnt/target
update-initramfs -u
I verified with
lsinitramfs /boot/initrd.img-3.13.0-24-generic | grep crypt
that dm-crypt and cryptsetup were built into my new initramfs.
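To tie the crypttab and initramfs steps together, here is an added example (not code from the article): POSIX shell functions that turn a blkid line into the crypttab entry written above and inspect an lsinitramfs listing for the pieces that were absent when /etc/crypttab was empty. The blkid line reuses the UUID from the article; the two listings are constructed samples, and the initramfs paths are what the cryptsetup hook produces on Ubuntu 14.04 as I understand it, so treat them as an assumption.

```shell
#!/bin/sh
# Added example for the crypttab / update-initramfs steps; not the article's own code.

# crypttab_entry NAME BLKID_LINE
# Prints "NAME UUID=<uuid> none luks" for a LUKS device, fails for anything else.
crypttab_entry() {
    name=$1
    line=$2
    case $line in
        *'TYPE="crypto_LUKS"'*) ;;
        *) echo "not a LUKS device: $line" >&2; return 1 ;;
    esac
    uuid=$(printf '%s\n' "$line" | sed -n 's/.*UUID="\([^"]*\)".*/\1/p')
    [ -n "$uuid" ] || { echo "no UUID in: $line" >&2; return 1; }
    printf '%s UUID=%s none luks\n' "$name" "$uuid"
}

# initramfs_missing_crypto LISTING
# Checks an lsinitramfs listing for the cryptsetup binary, the dm-crypt module
# and the conf.d/cryptroot file the hook derives from /etc/crypttab (assumed
# paths). Prints the missing names and returns 1, or returns 0 when all exist.
initramfs_missing_crypto() {
    listing=$1
    missing=""
    printf '%s\n' "$listing" | grep -q 'sbin/cryptsetup$'        || missing="$missing cryptsetup"
    printf '%s\n' "$listing" | grep -q 'drivers/md/dm-crypt\.ko$' || missing="$missing dm-crypt.ko"
    printf '%s\n' "$listing" | grep -q 'conf/conf\.d/cryptroot$'  || missing="$missing conf.d/cryptroot"
    [ -z "$missing" ] && return 0
    printf '%s\n' "${missing# }"
    return 1
}

# Constructed samples: the blkid line from the article, a listing from an
# initramfs built with an empty crypttab, and one built after fixing it.
SAMPLE_BLKID='/dev/sdb5: UUID="af23c7d6-fcea-437b-b788-29df596e895b" TYPE="crypto_LUKS"'
SAMPLE_LISTING_BAD='.
bin/sh
lib/modules/3.13.0-24-generic/kernel/drivers/md/dm-mod.ko
sbin/lvm
scripts/local-top/lvm2'
SAMPLE_LISTING_OK="$SAMPLE_LISTING_BAD
conf/conf.d/cryptroot
lib/modules/3.13.0-24-generic/kernel/drivers/md/dm-crypt.ko
sbin/cryptsetup
scripts/local-top/cryptroot"

# Demo on the samples; on a real system feed it "$(blkid /dev/sdb5)" and
# "$(lsinitramfs /boot/initrd.img-3.13.0-24-generic)" instead.
crypttab_entry sdb5_crypt "$SAMPLE_BLKID"
if m=$(initramfs_missing_crypto "$SAMPLE_LISTING_BAD"); then
    echo "initramfs: all crypto pieces present"
else
    echo "initramfs still missing: $m (was /etc/crypttab empty when update-initramfs ran?)"
fi
```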
2 Comments
Hi Olaf
First of all, I’m fairly inexperienced with Linux, but I wanted to thank you for posting your instructions; they were incredibly useful and helped me do exactly what I wanted to do to set up my system.
However, there was one step that stumped me and I was wondering if you would consider adding a comment along these lines.
The step to update initramfs:
gave me an error saying “/proc/cmdline” doesn’t exist, and resulted in no dm-crypt or cryptstartup modules being included. This is of course because the /proc/ directory is empty on the root partition that I mounted.
The solution I found was to use an additional bind command that linked the /proc directory from the active partition I was on (bootable USB) to the /proc of the freshly mounted root directory:
This allowed the update initramfs command to be run without any errors.
Many thanks for your time. I’ll be sure to post links to your site on the various other forums that were not nearly as helpful.
Regards
Simon
Simon, thank you for catching my error and taking the time to report it. I adjusted the article accordingly.