
I have 3 partitions: EFI (/boot/efi), boot (/boot) and root (/). I want to encrypt just /. I can do this manually via the installer, but I want to preseed it.

How do I define it? My (non-encrypted) recipe looks something like the below. It is something of a mishmash of suggestions for EFI System Partitions I have found (found no clear guide).

boot-root ::
  100 100 100 fat32
    $primary
    $iflabel{ gpt }
    $reusemethod{ }
    use_filesystem{ } filesystem{ vfat }
    method{ efi } format{ }
    mountpoint{ /boot/efi }
  .
  300 300 300 ext4
    use_filesystem{ } filesystem{ ext4 }
    method{ format } format{ }
    mountpoint{ /boot }
  .
  100% 3000 100% ext4
    use_filesystem{ } filesystem{ ext4 }
    method{ format } format{ }
    mountpoint{ / }
  .

How do I make sda3 be a physical partition for LUKS-encryption and then have a filesystem on top of that?

UPDATE:

I discovered that I can set the partition to be crypto as below, but there are still 3 issues:

  1. I still need to create and activate the encrypted volumes on the chosen partition
  2. I still need to set the correct ext4 filesystem on the encrypted volume after created and activated
  3. The recipe doesn't set the encryption type to dm-crypt, which is required for creating and activating the encrypted volumes.

Still struggling mightily

boot-root ::
  100 100 100 fat32
    $primary
    $iflabel{ gpt }
    $reusemethod{ }
    use_filesystem{ } filesystem{ vfat }
    method{ efi } format{ }
    mountpoint{ /boot/efi }
  .
  300 300 300 ext4
    use_filesystem{ } filesystem{ ext4 }
    method{ format } format{ }
    mountpoint{ /boot }
  .
  100% 3000 100% ext4
    method{ crypto } format{ }
  .
deitch
  • FYI, the labels like `sda`, `sdb`, `sdc`, etc don't always keep the same letters (a,b,c) between boots (mine switch every boot) – Xen2050 May 04 '16 at 14:53
  • 2
    @Xen2050 right you are, `UUID` or `PARTUUID` or `LABEL` or `PARTLABEL` are much better. In my case, I am booting up an image to format, so there is only one drive in. Either way, how do I set it up to crypt single partition? I can do it interactively, but I need it preseeded. – deitch May 04 '16 at 16:00
  • Hmm, might be getting somewhere, but more questions. Will post other q. – deitch May 05 '16 at 15:09
  • @deitch - is this a server partition configuration, a client, or just a desktop partition example? These 3 partitions are too few for your intention - /swap and /home are missing - so you have to set up somehow an extended part of the hard disk with logical partitions - normally only 4 partitions are allowed in total, but extended with logical partitions allows 4 times 63 partitions at maximum (and GPT allows much more)?! - http://unix.stackexchange.com/questions/33555/what-is-the-max-partition-supported-in-linux - regarding master and slave partitions. – dschinn1001 May 12 '16 at 02:11
  • @dschinn1001 actually it's a template for a secure server. The core operating system is on a removable drive. The user data and swap are on an internal drive, which a systemd service finds and mounts appropriately. But ignoring that.... how can I set up the root to be encrypted without LVM? – deitch May 12 '16 at 10:50

1 Answer

At first, open a root terminal:

sudo -i

Then fill the partition, which should be encrypted, with random data using a command like this:

openssl enc -aes-256-ctr -pass pass:"$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64)" -nosalt < /dev/zero > /dev/sdxy

You have to replace sdxy with the partition which will be encrypted. Then type

cryptsetup luksFormat --cipher twofish-xts-plain64 --key-size 512 --hash sha512 --iter-time 2000 /dev/sdxy

to encrypt the partition sdxy. Open the volume and name it root:

cryptsetup luksOpen /dev/sdxy root

Use this command to make an ext4 filesystem inside it:

mkfs.ext4 /dev/mapper/root

Next you can start the installer. Choose "Something else" when asked what you would like to do. Then choose the mount points for all your non-encrypted partitions. For your root partition, select /dev/mapper/root and click "Change". Then select ext4 for the filesystem type and set the mount point to /. Then click "Install now" and install Ubuntu normally.

When finished installing, click "Continue testing". Open a terminal and type:

sudo -i
cd /mnt
mkdir root
mount /dev/mapper/root root
mount /dev/sdyz root/boot

sdyz should be replaced with your boot partition. Next, type:

chroot root
mount -t proc proc /proc
mount -t sysfs sys /sys
nano /etc/crypttab

Open a second terminal and type sudo blkid. Find the UUID for root (the one that says crypto_LUKS at the end) and paste it into /etc/crypttab. Then the file /etc/crypttab should look something like this:

root UUID=d68911dd-172a-4608-86d4-084eb72f409c none luks

Close the file with Ctrl+x, y and Enter. Type nano /etc/fstab in the terminal and check if everything looks right (e.g. the UUIDs).

At last, quit the chroot environment and type:

cryptsetup luksHeaderBackup /dev/sdxy --header-backup-file /root/root.img

This puts an image of the header of the encrypted partition into the folder /root and names it root.img. Then move the image to an external drive (in case of forgetting the password). Now you can reboot into your newly installed Ubuntu.

Source: http://thesimplecomputer.info/full-disk-encryption-with-ubuntu

Melebius
Earl Nick
  • Welcome to Ask Ubuntu! Whilst this may theoretically answer the question, [it would be preferable](//meta.stackoverflow.com/q/8259) to include the essential parts of the answer here, and provide the link for reference. – Kalle Richter Aug 13 '16 at 13:24
  • @Earl you are suggesting building the partition beforehand in a chroot (or containerized) environment, and then sticking it into the installer? – deitch Aug 14 '16 at 01:02
  • How would I work that with the preseeder? – deitch Aug 14 '16 at 01:02
  • I don't know, but that's at least a solution to make a LUKS-encrypted `root`-partition without LVM. – Earl Nick Aug 14 '16 at 07:49
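As an added example that is not part of the answer or its linked source, the following POSIX sh script turns blkid output into the crypttab line described in the answer and refuses the UUID of the opened /dev/mapper/root filesystem, which is the wrong one to put in /etc/crypttab. The sample blkid output, the device names and all UUIDs except the crypto_LUKS one quoted in the answer are constructed.

```shell
#!/bin/sh
# Added example (not from the answer): build the /etc/crypttab entry from `blkid`
# output and reject the ext4 UUID of the opened mapper device by mistake.

# Constructed sample of `sudo blkid` output for the layout in the question
# (EFI, /boot, LUKS root, and the opened root filesystem). Only the crypto_LUKS
# UUID is the one from the answer; the other values are made up.
SAMPLE_BLKID='/dev/sda1: UUID="1A2B-3C4D" TYPE="vfat" PARTUUID="11111111-01"
/dev/sda2: UUID="0f1e2d3c-0000-4000-8000-000000000002" TYPE="ext4" PARTUUID="11111111-02"
/dev/sda3: UUID="d68911dd-172a-4608-86d4-084eb72f409c" TYPE="crypto_LUKS" PARTUUID="11111111-03"
/dev/mapper/root: UUID="0f1e2d3c-0000-4000-8000-000000000004" TYPE="ext4"'

# luks_uuid BLKID_OUTPUT DEVICE
# Prints the UUID of DEVICE only if blkid reports it as a LUKS container.
# (Assumes no LABEL with spaces on the line, so whitespace splitting is safe.)
luks_uuid() {
    printf '%s\n' "$1" | awk -v dev="$2:" '
        $1 == dev && /TYPE="crypto_LUKS"/ {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^UUID=/) {
                    sub(/^UUID="/, "", $i); sub(/"$/, "", $i)
                    print $i; exit
                }
        }'
}

# crypttab_entry BLKID_OUTPUT DEVICE NAME
# Prints "NAME UUID=<container uuid> none luks", or fails when DEVICE is not a
# LUKS container (e.g. /dev/mapper/root, whose UUID belongs to the ext4
# filesystem inside the container and would leave the system unbootable).
crypttab_entry() {
    uuid=$(luks_uuid "$1" "$2")
    if [ -z "$uuid" ]; then
        printf 'error: %s is not a crypto_LUKS device\n' "$2" >&2
        return 1
    fi
    printf '%s UUID=%s none luks\n' "$3" "$uuid"
}

# Demonstration on the sample: the first call succeeds, the second is rejected.
crypttab_entry "$SAMPLE_BLKID" /dev/sda3 root
crypttab_entry "$SAMPLE_BLKID" /dev/mapper/root root || echo "rejected as expected"
```

On a real system the first argument would be the output of `sudo blkid`, and the resulting line is appended to the chrooted /etc/crypttab.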