V2P and Encryption — 2

I was uncomfortable with my recent virtual-to-physical (V2P) effort. The fact that NetworkManager (NM) is horribly designed to store credentials in clear text motivated me to want to encrypt the system partition as well as the /home partition.

Basically I performed the same steps as previously, except this time I created a 250 MB /boot partition (/dev/sda7) and a 10 GB encrypted system partition (/dev/sda8) where I would store /home, the swap file, and the operating system.

After preparing the partitions I copied the contents of my spare disk. I modified my system GRUB to chainload to the new /dev/sda7 /boot partition.

The system would not boot. After much digging, I learned that the initrd was not compiling properly. The fix is straightforward albeit a bit lengthy. I needed to chroot into the system to perform repairs.

I booted with a Live Ubuntu MATE ISO.

    # Unlock the LUKS container and mount the root file system it holds
    cryptsetup luksOpen /dev/sda8 lukssda8
    mkdir -p /mnt/chroot
    mount /dev/mapper/lukssda8 /mnt/chroot
    # /boot is the separate /dev/sda7 partition; mount it so update-grub and
    # update-initramfs write there, not into the encrypted root's /boot directory
    mount /dev/sda7 /mnt/chroot/boot
    # Expose the live kernel's device, process and sysfs trees to the chroot
    mount --bind /dev /mnt/chroot/dev
    mount --bind /proc /mnt/chroot/proc
    mount --bind /sys /mnt/chroot/sys
    chroot /mnt/chroot

After chrooting into the encrypted partition I edited two files.

    /etc/default/grub: GRUB_ENABLE_CRYPTODISK=y
    /etc/environment: CRYPTSETUP=y

I created /etc/initramfs-tools/conf.d/cryptroot:

    target=lukssda8,source=UUID=9568dae1-b9eb-45f6-b32a-2180f9f6d802,key=none,rootdev

Here the UUID is that of the LUKS container on the partition (/dev/sda8), not that of the file system inside the mapper device.

I created /etc/initramfs-tools/hooks/cryptsetup:

    CRYPTSETUP=y
    export CRYPTSETUP=y

The file must be made executable (chmod +x).

As this was a live ISO session, I manually exported CRYPTSETUP=y for the current terminal session. This step is important; otherwise the previous modifications do not trigger and the initrd still won’t compile correctly. This is not a problem when booting the final system because the environment variable is set through /etc/environment.

Finally I could run update-grub and update-initramfs -u.

I rebooted. The chainload succeeded but the Ubuntu system showed a "Press any key to continue" message. The message is caused by a cryptomount -u entry in grub.cfg that should not exist. Looks like grub-mkconfig is broken. My work-around was to copy the Ubuntu update-grub script to /usr/local/sbin, which in my $PATH environment variable precedes /usr/sbin.

    #!/bin/sh
    set -e
    grub-mkconfig -o /boot/grub/grub.cfg "$@"

    # Work around the grub-mkconfig bug: delete "cryptomount -u" lines that
    # end right after "-u" (no UUID follows), which cause the
    # "Press any key to continue" prompt at boot.
    if grep -q 'cryptomount -u $' /boot/grub/grub.cfg; then
      echo "Attempting to delete bogus 'cryptomount -u' lines."
      sed -i '/cryptomount -u $/d' /boot/grub/grub.cfg
    fi
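
As an added example that is not part of the original post, here is a POSIX sh script with the checks I would run from the chroot before rebooting. It assumes the file layout from the steps above (the cryptroot conf, /etc/default/grub, the executable cryptsetup hook and /boot/grub/grub.cfg under a root directory) and takes the LUKS container UUID as an argument; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for the hand-built
# cryptroot setup. Paths are parameters so the checks also work on copies.
# Usage: check_install /mnt/chroot "$(cryptsetup luksUUID /dev/sda8)"
set -eu

# 0 if the cryptroot conf in $1 names the UUID in $2, which must be the LUKS
# container's own UUID (the partition), not the file system inside it.
cryptroot_uuid_matches() {
    conf_uuid=$(sed -n 's/.*source=UUID=\([^,]*\).*/\1/p' "$1" 2>/dev/null | head -n 1)
    [ -n "$conf_uuid" ] && [ "$conf_uuid" = "$2" ]
}

# 0 if the /etc/default/grub in $1 has GRUB_ENABLE_CRYPTODISK=y uncommented.
grub_cryptodisk_enabled() {
    grep -Eq '^[[:space:]]*GRUB_ENABLE_CRYPTODISK=y' "$1" 2>/dev/null
}

# 0 if the initramfs hook in $1 exists and is executable; mkinitramfs
# ignores hooks that are not.
hook_is_executable() {
    [ -x "$1" ]
}

# Prints how many "cryptomount -u" lines in the grub.cfg in $1 carry no
# UUID (the lines the update-grub wrapper above deletes); empty if no file.
bogus_cryptomount_count() {
    grep -c 'cryptomount -u $' "$1" 2>/dev/null || true
}

# Runs every check against a root directory (e.g. /mnt/chroot) and the LUKS
# container UUID; prints each failure and returns non-zero if any failed.
check_install() {
    root="$1"; luks_uuid="$2"; rc=0
    cryptroot_uuid_matches "$root/etc/initramfs-tools/conf.d/cryptroot" "$luks_uuid" \
        || { echo "cryptroot: source UUID missing or not the LUKS container"; rc=1; }
    grub_cryptodisk_enabled "$root/etc/default/grub" \
        || { echo "grub: GRUB_ENABLE_CRYPTODISK=y not set"; rc=1; }
    hook_is_executable "$root/etc/initramfs-tools/hooks/cryptsetup" \
        || { echo "hook: cryptsetup hook missing or not chmod +x"; rc=1; }
    n=$(bogus_cryptomount_count "$root/boot/grub/grub.cfg")
    [ "${n:-missing}" = 0 ] \
        || { echo "grub.cfg: bogus 'cryptomount -u' lines: ${n:-file missing}"; rc=1; }
    return "$rc"
}
```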

Finally the Ubuntu system booted without interruption or pain. I was asked for the LUKS passphrase.

I now had a fully encrypted partition containing both /home and a swap file.

Some people might wonder why I did not use the Ubuntu installer. The installer is limited. I can create the /boot and encrypted partitions and instruct the installer to use those partitions, but I do not want a default installation. My V2P is configured exactly how I want.
