Idiot's guide for getting LUKS to boot?

Discussion in 'all things UNIX' started by Palancar, Aug 4, 2015.

  1. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,591
    I am following a guide and trying to set up LVM on LUKS for a 75 gig partition. I have it set up to the point where the LVM is on LUKS and LUKS is open. I used the installer to do the mount points and format my partitions after manually configuring (in terminal and GParted) the partition and drives. I have switched back to "more testing" mode with the live 14.04 disk. The next step in the guide shows to set up what I need below. I'll just paste it in:

    sudo mount /dev/mapper/lvm /mnt
    sudo mount /dev/sda1 /mnt/boot
    sudo mount --bind /dev /mnt/dev
    sudo chroot /mnt
    > mount -t proc proc /proc
    > mount -t sysfs sys /sys
    > mount -t devpts devpts /dev/pts

    When I run: sudo mount /dev/mapper/lvm /mnt I receive the following error:

    ubuntu@ubuntu:~$sudo mount /dev/mapper/lvm /mnt
    mount: unknown filesystem type 'LVM2_member'

    I realize this is tough to follow since I am using pages of instructions trying to get a handle on this. It's fun but so frustrating too.

    Stepping back I am trying to figure out how to get Ubuntu to find the LUKS container during boot. I am almost certain I have it correct other than that.

    Is there an idiot's guide for how to get LUKS "called up" during boot? It's all there and working perfectly but once I shut down boot can't find it. I can see the UUID and all the logical volumes, etc.... I am so close, and yet so far.
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    I'm guessing that "lvm" is your LVM2 volume group. You don't mount the volume group, but rather each logical volume. Let's say that there are just two logical volumes, swap and root. Then it would be:
    Code:
    $ sudo mount /dev/mapper/lvm-root /mnt/root
    Are you using systemd? I don't know it yet :(

    Did you set up initramfs? Once /etc/crypttab and /etc/fstab are done, you need to rebuild initramfs to include them. That's how the system knows that a LUKS partition and LVM2 volumes are expected. For /etc/fstab:
    Code:
    proc /proc proc defaults 0 0
    /dev/mmcblk0p1 /boot vfat defaults 0 2
    /dev/mapper/lvm-root / ext4 defaults,noatime 0 1
    /dev/mapper/lvm-swap none swap sw 0 0
    Then:
    Code:
    $ sudo mount /dev/sda1 /mnt/boot
    $ sudo mkinitramfs -o /mnt/boot/initramfs.gz
     
  3. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,971
    Location:
    Brasil
    This tutorial seems over complicated.

    What I do on Debian and that works on Ubuntu too is:

    # cryptsetup -c serpent-xts-plain64 -y -s 512 --iter-time 5000 luksFormat /dev/sda2

    In this case, "serpent" is the algorithm I use in most cases, but you can use aes or twofish. "iter time" is the time between each passphrase attempt, in this case 10 seconds before a new passphrase can be entered if the first one wasn't correct.

    # cryptsetup open --type luks /dev/sda2 sda2_crypt
    # pvcreate /dev/mapper/sda2_crypt
    # vgcreate debian /dev/mapper/sda2_crypt
    # lvcreate -L 60G debian -n root
    # lvcreate -L 16G debian -n swap
    # lvcreate -l 100%FREE debian -n home

    Done. Now proceed with partitioning from the menu. Remember to select all filesystems correctly and their mountpoints.
    Install the base system, configure package manager, etc, etc.

    When it's almost finished, that is, when the installer says "INSTALL GRUB BOOT LOADER ONTO A HARD DISK" you go to a terminal and do:

    # chroot /target /bin/bash
    # nano /etc/crypttab

    and put there:

    sda2_crypt /dev/sda2 none luks

    Done. Type "exit" 2 times, and then install GRUB.

    Finish installation and reboot.
     
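As an added example (not code from any of the posts above), the following script puts the steps the thread converges on into one place for a Debian/Ubuntu live or installer session: open the LUKS container, activate the volume group, mount the logical volumes rather than the physical volume (mounting /dev/mapper/sda2_crypt itself is what produces "unknown filesystem type 'LVM2_member'"), bind the pseudo-filesystems, write /etc/crypttab keyed by UUID, and rebuild the initramfs and GRUB config from inside the chroot. The device names, the mapper name `sda2_crypt`, the volume group `debian`, the target mount point `/mnt` and the sample `blkid` output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Bring an installed LVM-on-LUKS system up
# in a chroot from a live/installer session and make it bootable.
# Assumed layout, following the names used in the posts above:
#   /dev/sda1 -> /boot (unencrypted)
#   /dev/sda2 -> LUKS container, opened as /dev/mapper/sda2_crypt
#   volume group "debian" with logical volumes root, swap, home
set -eu

LUKS_DEV=${LUKS_DEV:-/dev/sda2}
BOOT_DEV=${BOOT_DEV:-/dev/sda1}
MAPNAME=${MAPNAME:-sda2_crypt}
VG=${VG:-debian}
TARGET=${TARGET:-/mnt}
GRUB_DISK=${GRUB_DISK:-/dev/sda}

# Constructed sample of blkid(8) output so the parsing can be exercised
# without real disks; real runs pipe `blkid` in instead.
SAMPLE_BLKID='/dev/sda1: UUID="1a2b3c4d-0000-0000-0000-000000000001" TYPE="ext2" PARTUUID="0001-01"
/dev/sda2: UUID="c0ffee11-2222-3333-4444-555566667777" TYPE="crypto_LUKS" PARTUUID="0001-02"'

# uuid_of DEV: read blkid output on stdin, print the UUID= value for DEV.
# Anchored on ^UUID= so PARTUUID= is not mistaken for it.
uuid_of() {
    awk -v d="$1:" '
        $1 == d {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^UUID="/) { sub(/^UUID="/, "", $i); sub(/"$/, "", $i); print $i }
        }'
}

# crypttab_line NAME UUID: one /etc/crypttab entry keyed by UUID rather than
# /dev/sdX, so boot survives the disk being renumbered.
crypttab_line() {
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

# demo: the crypttab entry make_bootable would write for the sample above.
demo() {
    uuid=$(printf '%s\n' "$SAMPLE_BLKID" | uuid_of "$LUKS_DEV")
    crypttab_line "$MAPNAME" "$uuid"
}

# prepare_chroot: open the container, activate the VG, mount the *logical
# volumes* (never the PV), then the pseudo-filesystems the chroot needs.
prepare_chroot() {
    cryptsetup status "$MAPNAME" >/dev/null 2>&1 ||
        cryptsetup open --type luks "$LUKS_DEV" "$MAPNAME"
    vgchange -ay "$VG"
    mount "/dev/$VG/root" "$TARGET"
    mkdir -p "$TARGET/boot" "$TARGET/home"
    mount "$BOOT_DEV" "$TARGET/boot"
    mount "/dev/$VG/home" "$TARGET/home"
    mount --bind /dev "$TARGET/dev"
    mount --bind /dev/pts "$TARGET/dev/pts"
    mount -t proc proc "$TARGET/proc"
    mount -t sysfs sys "$TARGET/sys"
}

# make_bootable: write crypttab, make sure cryptsetup and lvm2 (and their
# initramfs hooks) are installed in the target, rebuild initramfs and GRUB,
# and verify the initramfs really carries cryptsetup, which is the usual
# reason "boot can't find" the container.
make_bootable() {
    uuid=$(blkid | uuid_of "$LUKS_DEV")
    [ -n "$uuid" ] || { echo "no UUID found for $LUKS_DEV" >&2; return 1; }
    crypttab_line "$MAPNAME" "$uuid" > "$TARGET/etc/crypttab"
    chroot "$TARGET" /bin/sh -ec '
        dpkg -s cryptsetup lvm2 >/dev/null 2>&1 || apt-get install -y cryptsetup lvm2
        update-initramfs -u -k all
        update-grub
        grub-install "$1"
        for img in /boot/initrd.img-*; do
            lsinitramfs "$img" | grep -q "sbin/cryptsetup$" ||
                { echo "$img lacks cryptsetup" >&2; exit 1; }
        done' sh "$GRUB_DISK"
}

case "${1:-}" in
    run)  prepare_chroot; make_bootable ;;
    demo) demo ;;
esac
```

Run it as root with `sh script.sh run` from the live session; `sh script.sh demo` prints the crypttab line for the constructed sample. The `lsinitramfs` check at the end is the one to keep: if `sbin/cryptsetup` is not inside the initramfs, the boot prompt will never appear no matter how correct crypttab is.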
  4. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,591
    Hey, thanks for trying to help me out here. I have been messing with this for a couple of hours today and no dice so far. I am using the Ubuntu 14.04 installer just so you are for sure on the same page as me. Your mini-tutorial makes perfect sense and I wiped my disk and started over using it exactly (even "names" for volumes/files/etc). The process of creating the volumes and partitions is about exactly what I had been doing, but I did it again just to follow your steps.

    Let's say that my volumes are all created using GParted and terminal. Solid there I am sure they are good to go so far. Then I switch over to the installer and add mount points and formatting (figure attached below). Also an easy step.

    Here is where your comments above leave me with questions:

    Using the 14.04 installer I don't see how to do this. If I hit the install button the installer completes including all the boot disk stuff as well, meaning it's completely finished. If you don't click install then the system never gets installed. You basically are stuck with partitions made, formatted, and mount points but that is it. There really is NO system at this point yet.

    If you click install and allow it to complete you can then select "Continue Testing", which is what I do. Then I bring up a terminal and attempt your chroot commands but they don't work ----- see below.


    ubuntu@ubuntu:~$ sudo chroot /target /bin/bash
    chroot: cannot change root directory to /target: No such file or directory

    [attached screenshot: upload_2015-8-5_23-15-1.png]


    While I haven't looked at the Debian installer on this, is it much different?

    I am stuck here. Anything you could add would be appreciated. btw---- have you done this on debian 8.1 or 14.04 yourself? The installer did work on older versions so I am trying to make sure whether or not you've done this on the newer versions?
     
    Last edited: Aug 5, 2015
  5. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,591
    Nothing? I would have really liked to be able to do this. I have a 1 TB disk and doing full device encryption isn't going to be practical for me. Just needed around 80 Gig for a sweet setup. Even on my 500 Gig test machine I didn't want FDE, just partition encryption. I really don't understand why the devs don't have that option. In Lubuntu you can select available free space, but not with an encryption option. Wouldn't that be nice if one was available?

    Straight up here - I am disappointed in myself that I didn't figure this out with LUKS.

    I may go read about straight DM-Crypt but it's so cryptic and limited.
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    Well, amarildojr left something unsaid. In the Debian character-based installer, you can cycle between four consoles:

    Left-Alt-F1 is the installer itself
    Left-Alt-F2 is a busybox single-user shell
    Left-Alt-F3 is another busybox single-user shell
    Left-Alt-F4 shows the debug log

    See http://www.debian.org/releases/stable/i386/ch06s01.html.en

    Anyway, here's the "guide" with my inserts:
     
  7. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,591
    Thanks, I'll give it a go later tonight or tomorrow. I know you guys are trying to help me [smiling with GREAT appreciation].

    As I recall Debian 8.1 doesn't come with cryptsetup so I'll need to get it -- > sudo apt-get install cryptsetup ? Does it come with GParted so I can create the 80 Gig lvm2 partition or will the Deb installer do that? The guide steps seem easy but having the partition ready with lvm2 support is important. I don't remember if Deb has lvm2 support "out of the box". I guess I'll find out.
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    OK, I'm clearly missing something. Because the busybox single-user shell doesn't have cryptsetup or lvm2, or even apt-get or dpkg.

    I have a feeling that one needs to run a LiveCD, and then run the installer in a chroot. But I've never done that. So maybe amarildojr can help.
     
  9. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,971
    Location:
    Brasil
    Sorry for the late response, I really don't check past messages unless I get a warning when someone quotes my post(s), like mirimir did.

    I think I never used the graphical install, ESPECIALLY for cryptographic stuff. The text-based installer, which is the same as default Debian, gives me quite a lot of control over graphical Ubuntu stuff.

    That's correct, and the user can just enter the menu "Execute a Shell" between each install step as well, which is what I was referring to.

    Sorry for not being so clear.

    OK

    I'm not sure GParted can configure LVM volumes, I never used such method because I want to not only learn what each command does but to have full control if I decide to change something along the way.

    You can create the partition table and the two partitions in GParted with no problem. But I'd switch to text once cryptsetup was supposed to be set up.

    I don't know why but I had the impression you were using the Alternate Ubuntu installer, which is pretty much the same deal as regular Debian installer.

    Could you confirm if the Ubuntu installer installs the system to "/target" or "/mnt"?

    I tried this on Debian 6, 7, and 8 editions, all worked.

    Straight DM-Crypt without LVM is more time consuming, not only to set up but to decrypt the partitions as well because you'll have to type the passphrase for each encrypted partition.

    BTW, why not FDE? Partition encryption is fine for most people, but if you're paranoid like me you know anyone can find left-overs in non-encrypted places :p

    I feel really sorry for letting you down and for not being so straight about my instructions. If you have any further questions please use the "Reply" button so I get a notification, or send me a Private Message saying that you replied to my comment.

    Would you be willing to use the Alternate Ubuntu installer? I haven't used Ubuntu in 3 years so I'm really not the most qualified person to assist you with the regular installer.

    Debian does come with cryptsetup. Once you boot up the install media (CD, DVD, flash drive) you'll be prompted to Load Modules from CD; there you can find the crypto modules, as well as "rescue mode" and "cfdisk", etc. After that, you Detect Disks and go straight to the Terminal for partitioning, but don't forget to load the module first:

    # modprobe dm-crypt

    I don't know about the LiveCD, but the install media don't come with GParted.

    Yes, it does. Once you "fdisk /dev/sdX" you'll need to convert the created partition to "8e".

    If you want I could record a tutorial showing step-by-step how to completely set up an LVM + LUKS Debian system. I'm pretty sure the Ubuntu Alternate Installer is going to be almost the same thing.
     
    Last edited: Aug 6, 2015
  10. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,591
    Guys,

    THANK YOU, that is what I needed. I set this up from scratch a couple of times now (Deb 8.1). Works fine and fast being bare metal. Debian is quite different than Ubuntu with the layout and buttons, etc.... I have a linux system on an external with Gparted installed, which I used to create /boot (Ext2) and lvm2 in the 75 Gig partition before I started the "guide". I am still testing a few things and then I'll wipe it all away and "noise fill" the space before my permanent installation.

    Suggestion if others are following this thread: You will need to change the "Debconfig priority" to low in order to see the modules to load. It took me a while to figure that out. If you follow what we are referring to as the "guide" you can easily have LUKS encrypted linux on a single partition. If you are in a high security threat I would suggest moving /boot to a removable flash drive and just take it with you.

    Lubuntu disk: I didn't try this yet but I intend to confirm this process on Ubuntu too.
    btw ---- someone asked me why not device FDE? Everything on my disk is encrypted. I have 5 operating systems on one disk and they ALL are FDE in their individual partitions. TrueCrypt encrypted - 3 windows systems (two hidden with none in slot 2) Now 2 linux systems being added on individual partitions with separate /boot flash media to fire them up. All slick. Sector based backups so all can be restored as needed.
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    Cool :thumb: Congratulations :)
     
  12. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    So hey, this got me thinking of another challenge: Is it possible to set up LUKS on a remote server, without IPMI or something of the sort? Once the system reboots after installation, you must enter the LUKS passphrase locally, or via IPMI. But IPMI is a notorious security hole. So I've been playing with VMs.

    Anyway, with a custom network installer, which installs busybox and dropbear, you can do the install via SSH. When the installer is ready to reboot, you get a BusyBox shell, and chroot into /target. Then you tweak dropbear configuration, and update initramfs and grub. Then you exit back to the installer, and let it finish and reboot. Now you can SSH to dropbear in initramfs, and supply the LUKS passphrase. Then SSH to the booted system.

    No IPMI needed!

    I've managed this with Debian wheezy. And I'm about to test with jessie.
     
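The dropbear-in-initramfs setup described in the post above, written out as an added example (this is not mirimir's script or the Debian package's own code). The server side installs Debian's `dropbear-initramfs` package, pins the admin key to the unlock command, disables password logins and forwarding in the initramfs sshd, and gives the kernel a static `ip=` parameter so the NIC is up before the root filesystem exists; the client side connects with a separate known_hosts file, because the initramfs dropbear has its own host key and must not train you to click through "host key changed". Assumptions: the current Debian layout under /etc/dropbear/initramfs/ (older releases used /etc/dropbear-initramfs/ or /etc/initramfs-tools/root/.ssh/), that GRUB sources /etc/default/grub.d/*.cfg as on Debian and Ubuntu, port 2222, and `cryptroot-unlock` being present (Debian stretch and later; the passfifo line in the comment is the older mechanism). The sample public key is constructed and not a real key.

```shell
#!/bin/sh
# Added example (not from the thread): remote LUKS unlock through dropbear in
# the initramfs. Paths assume Debian's dropbear-initramfs package, current
# layout (/etc/dropbear/initramfs/).
set -eu

# kernel_ip_param CLIENT GATEWAY NETMASK DEVICE
# Static ip= parameter for the initramfs, in the kernel's
# ip=client:server:gateway:netmask:hostname:device:autoconf form
# (server and hostname left empty, autoconf "none").
kernel_ip_param() {
    printf 'ip=%s::%s:%s::%s:none' "$1" "$2" "$3" "$4"
}

# restricted_authorized_key PUBKEY_LINE
# Pins the key to the unlock command and disables forwarding, so a stolen
# client key yields a passphrase prompt, not a shell in the initramfs.
restricted_authorized_key() {
    printf 'no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="cryptroot-unlock" %s\n' "$1"
}

# Constructed sample public key (not a real key).
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyNotReal000000000000000000000 admin@laptop'

# setup_dropbear_initramfs PUBKEY_LINE CLIENT GATEWAY NETMASK DEVICE
# Run as root on the server, or in the installer's /target chroot as in the
# post above, then let the installer finish and reboot.
setup_dropbear_initramfs() {
    pubkey=$1; shift
    apt-get install -y dropbear-initramfs
    install -d -m 700 /etc/dropbear/initramfs
    restricted_authorized_key "$pubkey" >> /etc/dropbear/initramfs/authorized_keys
    chmod 600 /etc/dropbear/initramfs/authorized_keys
    # -s: no password logins; -j/-k: no local/remote forwarding; -p: port
    printf 'DROPBEAR_OPTIONS="-p 2222 -s -j -k"\n' > /etc/dropbear/initramfs/dropbear.conf
    # Static network for the initramfs; GRUB sources /etc/default/grub.d/*.cfg
    printf 'GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX %s"\n' "$(kernel_ip_param "$@")" \
        > /etc/default/grub.d/initramfs-net.cfg
    update-initramfs -u -k all
    update-grub
}

# remote_unlock HOST
# Run from the admin workstation after the server reboots. The initramfs
# host key differs from the installed system's sshd key, so it gets its own
# known_hosts file; -t gives cryptroot-unlock a tty for the passphrase prompt.
remote_unlock() {
    ssh -t -p 2222 -o UserKnownHostsFile="$HOME/.ssh/known_hosts.initramfs" \
        "root@$1" cryptroot-unlock
    # On initramfs images without cryptroot-unlock (pre-stretch), the
    # equivalent was:  echo -n "$PASSPHRASE" > /lib/cryptsetup/passfifo
}

case "${1:-}" in
    server) shift; setup_dropbear_initramfs "$@" ;;
    unlock) remote_unlock "$2" ;;
esac
```

Usage: `sh script.sh server "$(cat admin.pub)" 192.0.2.10 192.0.2.1 255.255.255.0 eth0` on the server, then `sh script.sh unlock 192.0.2.10` from the workstation once it reboots; after the root filesystem is unlocked, dropbear exits and the normal sshd on port 22 takes over. Record the initramfs host key fingerprint while you still have console access, since that first connection is the only chance to pin it.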
  13. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    And why do you want to do something like this?
    Mrk
     
  14. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    Using FDE reduces the risk of adversaries seeing my data. I do get that FDE is weak without physical access control. But at least I know when the server reboots, and that it might have been stolen and dissected. And so I can choose how to respond. Maybe I nuke and reinstall. Maybe I walk away. Or whatever.

    Resourceful adversaries could use portable UPS, for sure. And dissect the machine live. But at least with FDE, I can discourage the clueless. And honest hosts like PRQ will take down everything when raided.

    If I wanted to spend the money, I could harden and tripwire a server, and do co-location. So this would let me reinstall without IPMI or remote assistance.

    Anyway. And it does also work for Debian jessie :)
     
  15. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,591
    Mirimir, unfortunately for you I see you think like I do at times. LOL! Not being quite as sophisticated, I just rely upon "kill switch" methods which are sure fire for physical security!

    BTW -- the "guide" above also works fine with the Lubuntu alternate 14.04 iso. Some of the steps need just a bit of tweaking, but it's a pretty simple adjustment if you are familiar with the Jessie installer from Debian. Mainly F6 to access/set expert mode, and load modules.

    Having used Jessie/Deb 8.1 and Lubuntu/14.04 about 4 times each now (for "partition only" LVM on LUKS FDE), I see that this can be done very easily and with a predictable outcome!
     