V2P and Encryption — 2
I was uncomfortable with my recent virtual-to-physical (V2P) effort. The fact that NetworkManager (NM) is horribly designed to store credentials in clear text motivated me to want to encrypt the system partition as well as the /home partition.
Basically I performed the same steps as previously except this time I created a 250 MB /boot partition (/dev/sda7) and a 10 GB encrypted system partition (/dev/sda8) where I would store /home, the swap file, and the operating system.
After preparing the partitions I copied the contents of my spare disk. I modified my system GRUB to chainload to the new /dev/sda7 /boot partition.
The system would not boot. After much digging, I learned that the initrd was not being built properly. The fix is straightforward albeit a bit lengthy. I needed to chroot into the system to perform repairs.
I booted with a Live Ubuntu MATE ISO.
    cryptsetup luksOpen /dev/sda8 lukssda8
    mount /dev/mapper/lukssda8 /mnt/chroot
    mount --bind /dev /mnt/chroot/dev
    mount --bind /proc /mnt/chroot/proc
    mount --bind /sys /mnt/chroot/sys
    chroot /mnt/chroot
After chrooting into the encrypted partition I edited two files.
    /etc/default/grub:    GRUB_ENABLE_CRYPTODISK=y
    /etc/environment:     CRYPTSETUP=y
I created /etc/initramfs-tools/conf.d/cryptroot:
    target=lukssda8,source=UUID=9568dae1-b9eb-45f6-b32a-2180f9f6d802,key=none,rootdev
Where the UUID is that of the LUKS partition and not the file system inside it.
I created /etc/initramfs-tools/hooks/cryptsetup:
    CRYPTSETUP=y
    export CRYPTSETUP=y
The file must be chmod +x.
As this was a live ISO session I manually exported CRYPTSETUP=y for the current terminal session. This step is important; otherwise the previous modifications do not trigger and the initrd still won’t build correctly. This is not a problem when booting the final system because the environment variable is set through /etc/environment.
Finally I could run update-grub and update-initramfs -u.
I rebooted. The chainload succeeded but the Ubuntu system showed a "Press any key to continue" message. The message is caused by a cryptomount -u entry in grub.cfg that should not exist. Looks like grub-mkconfig is broken. My work-around was to copy the Ubuntu update-grub script to /usr/local/sbin, which in my $PATH environment variable precedes /usr/sbin.
    #!/bin/sh
    set -e
    grub-mkconfig -o /boot/grub/grub.cfg "$@"
    # Fix a bug: grub-mkconfig writes a bare "cryptomount -u" line that stops GRUB.
    if grep -q 'cryptomount -u $' /boot/grub/grub.cfg; then
        echo "Attempting to delete bogus 'cryptomount -u' lines."
        sed -i '/cryptomount -u $/d' /boot/grub/grub.cfg
    fi
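The chroot repair above and the grub.cfg clean-up, collected into one script as an added example; this is not the post's own script. The device, mapper name (lukssda8), mount point (/mnt/chroot) and file contents come from the post; the function names, the V2P_RUN guard and the shebang in the hook file are assumptions made here. The UUID is read from the LUKS partition with blkid instead of being typed by hand, the cryptroot line is checked before the initrd is rebuilt, and the grub.cfg fix only removes lines that are a bare cryptomount -u, so a legitimate cryptomount -u <uuid> line survives.

```shell
#!/bin/sh
# Added example (not the post's script): repair an encrypted Ubuntu root from a
# live session. Names below are taken from the post; V2P_RUN is an assumption.
set -eu

MAPPER_NAME="lukssda8"        # /dev/mapper name used in the post
CHROOT_DIR="/mnt/chroot"      # mount point used in the post

# UUID of the LUKS *partition* (the container), which is what cryptroot needs,
# not the UUID of the file system that lives inside it.
luks_partition_uuid() {
    blkid -s UUID -o value "$1"
}

# Build the cryptroot line: target=<mapper>,source=UUID=<uuid>,key=none,rootdev
cryptroot_line() {
    printf 'target=%s,source=UUID=%s,key=none,rootdev\n' "$1" "$2"
}

# Return 0 when the line names a target, a UUID-based source that looks like a
# real UUID (8-4-4-4-12 hex digits) and carries the rootdev flag.
check_cryptroot_line() {
    line="$1"
    case "$line" in
        target=*,source=UUID=*,*rootdev*) ;;
        *) return 1 ;;
    esac
    uuid=${line#*source=UUID=}
    uuid=${uuid%%,*}
    echo "$uuid" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Delete only bare "cryptomount -u" lines (the ones that cause the
# "Press any key to continue" stop); "cryptomount -u <uuid>" lines are kept.
# Prints the number of lines removed.
fix_grub_cfg() {
    cfg="$1"
    before=$(wc -l < "$cfg")
    sed -i -E '/^[[:space:]]*cryptomount[[:space:]]+-u[[:space:]]*$/d' "$cfg"
    after=$(wc -l < "$cfg")
    echo $((before - after))
}

# The post's manual steps in order: open the container, mount and bind-mount,
# write the two settings and the hook, rebuild the initrd and grub.cfg inside
# the chroot with CRYPTSETUP=y exported (the easily missed step), then clean up.
repair_encrypted_root() {
    luks_dev="$1"            # e.g. /dev/sda8
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    cryptsetup luksOpen "$luks_dev" "$MAPPER_NAME"
    mkdir -p "$CHROOT_DIR"
    mount "/dev/mapper/$MAPPER_NAME" "$CHROOT_DIR"
    for fs in dev proc sys; do mount --bind "/$fs" "$CHROOT_DIR/$fs"; done

    uuid=$(luks_partition_uuid "$luks_dev")
    line=$(cryptroot_line "$MAPPER_NAME" "$uuid")
    check_cryptroot_line "$line" || { echo "bad cryptroot line: $line" >&2; return 1; }

    grep -q '^GRUB_ENABLE_CRYPTODISK=y' "$CHROOT_DIR/etc/default/grub" \
        || echo 'GRUB_ENABLE_CRYPTODISK=y' >> "$CHROOT_DIR/etc/default/grub"
    grep -q '^CRYPTSETUP=y' "$CHROOT_DIR/etc/environment" \
        || echo 'CRYPTSETUP=y' >> "$CHROOT_DIR/etc/environment"
    mkdir -p "$CHROOT_DIR/etc/initramfs-tools/conf.d" "$CHROOT_DIR/etc/initramfs-tools/hooks"
    echo "$line" > "$CHROOT_DIR/etc/initramfs-tools/conf.d/cryptroot"
    # Hook content as in the post; the shebang line is an addition here.
    printf '#!/bin/sh\nCRYPTSETUP=y\nexport CRYPTSETUP=y\n' \
        > "$CHROOT_DIR/etc/initramfs-tools/hooks/cryptsetup"
    chmod +x "$CHROOT_DIR/etc/initramfs-tools/hooks/cryptsetup"

    CRYPTSETUP=y chroot "$CHROOT_DIR" sh -c \
        'update-initramfs -u && grub-mkconfig -o /boot/grub/grub.cfg'
    removed=$(fix_grub_cfg "$CHROOT_DIR/boot/grub/grub.cfg")
    echo "removed $removed bogus cryptomount line(s)"
}

# Only perform the repair when asked explicitly: V2P_RUN=1 ./repair.sh /dev/sda8
# Sourcing the file just defines the functions.
if [ "${V2P_RUN:-0}" = 1 ]; then
    repair_encrypted_root "$1"
fi
```

The anchored sed pattern is the point of fix_grub_cfg: the post's `/cryptomount -u $/d` also matches, but a pattern without the `^` anchor and the trailing whitespace class would either miss an indented line or, if loosened to `cryptomount -u`, delete a legitimate line that names a device and leave the system unable to unlock its root.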
Finally the Ubuntu system booted without interruption or pain. I was asked for the LUKS passphrase.
I now had a fully encrypted partition containing both /home and a swap file.
Some people might wonder why I did not use the Ubuntu installer. The installer is limited. I can create the /boot and encrypted partitions and instruct the installer to use those partitions, but I do not want a default installation. My V2P is configured exactly how I want.