---
layout: post
status: publish
published: true
title: LUKS encrypting multiple partitions on Debian/Ubuntu with a single passphrase
wordpress_id: 2474
wordpress_url: https://www.martineve.com/?p=2474
date: !binary |-
MjAxMi0xMS0wMiAxMjozMDo0NSArMDEwMA==
date_gmt: !binary |-
MjAxMi0xMS0wMiAxMjozMDo0NSArMDEwMA==
categories:
- Technology
tags: []
comments: []
---
<p>The Ubuntu guided installer is great, in some ways. It offers you the opportunity to use full-disk encryption which certainly made my day a lot better when I had my laptop stolen. That said, it's slightly problematic: I very much like to separate out my partitions: I want my /home/ mount to be on a different partition than the root filesystem for the obvious reason that it facilitates re-installs.</p>
<p>However, even if you have the same passphrase set on each of the partitions, the boot-time cryptsetup system will ask you for multiple passphrases. The way around this is to setup the following system. LUKS allows a file to act as a key that will automatically unlock a device. If we store this key on a LUKS encrypted partition, we can simply unlock that first partition and the key can then be used to unlock other partitions.</p>
<p>The way that I achieved this was to follow a modified version of <a href="http://blog.markloiseau.com/2012/05/ubuntu-aes-xts-plain64/">Mark Loiseau's excellent guide on encrypting using aes-xts-plain64</a>. I'm going to replicate parts of this here in case his site goes down. Please note that I disclaim any responsibility if this messes up your system. You need a good level of tech competence to do this and I cannot be responsible for any errors in what's pasted below. I have, however, set this up successfully on my system.</p>
<h2>Step 1</h2>
<p>This guide assumes the following:<br />
/dev/sda1 is your boot partition<br />
/dev/sda2 is your swap partition<br />
/dev/sda3 is your root partition<br />
/dev/sda4 is your home partition</p>
<p>Download yourself an Ubuntu Desktop image and boot into the live environment. Use Gparted to setup the basic sizes of the partitions that you want. From there, drop to a root terminal (sudo -i) and then:</p>
{% highlight bash %}
apt-get install lvm2
cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 /dev/sda3
cryptsetup luksOpen /dev/sda3/ crypt
mkfs.ext4 /dev/mapper/crypt
cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 /dev/sda4
cryptsetup luksOpen /dev/sda4/ crypthome
mkfs.ext4 /dev/mapper/crypthome
mkswap /dev/sda2
{% endhighlight %}
<p>This install lvm2 onto your system, creates encrypted filesystems on /dev/sda3 and /dev/sda4 and calls them "crypt" and "crypthome" respectively and then finally sets up /dev/sda2 as a swap partition.</p>
<h2>Step 2</h2>
<p>Install Ubuntu onto these filesystems using the "Install Ubuntu" option on the live image. When you get to the partitioner stage, do it manually and specify the correct mountpoints:</p>
<p>/dev/mapper/crypt (as root)<br />
/dev/mapper/crypthome (as /home)<br />
/dev/sda2 (as swap)<br />
/dev/sda1 (as boot)</p>
<p><b>DON'T REBOOT THE LIVE IMAGE AFTER INSTALL</b></p>
<h2>Step 3</h2>
<p>Inside your root terminal in the live image:</p>
{% highlight bash %}
cd /mnt
mkdir root
mount /dev/mapper/crypt root
mount /dev/sda1 root/boot
sudo chroot root
mount -t proc proc /proc
mount -t sysfs sys /sys
mount -t devpts devpts /dev/pts
{% endhighlight %}
<p>Now you have a chrooted environment for your new install. Now open a second root terminal and run this in the terminal outside the chroot (this allows internet access to your chrooted install):</p>
{% highlight bash %}
cp /etc/resolv.conf /mnt/root/etc/resolv.conf
{% endhighlight %}
<p>Now, inside your first terminal (the chroot) run the following to ensure all necessary components are installed:</p>
{% highlight bash %}
apt-get update
apt-get install lvm2 cryptsetup
{% endhighlight %}
<h2>Step 4</h2>
<p>We now need to generate the keyfile. In your second terminal (outside the chroot), run:</p>
{% highlight bash %}
sudo dd if=/dev/urandom of=/mnt/root/root/keyfile bs=1024 count=4
sudo chmod 0400 /mnt/root/root/keyfile
sudo cryptsetup luksAddKey /dev/sda4 /mnt/root/root/keyfile
{% endhighlight %}
<p>This generates a keyfile consisting of random characters and adds it to the home partition as an allowed unlock method.</p>
<h2>Step 5</h2>
<p>The penultimate step is to wire this all together in /etc/fstab and /etc/crypttab. First of all, ascertain the ids of the devices by running "sudo blkid" outside of the chroot. Note down the UUIDs for all the relevant partitions.</p>
<p>Now, <b>inside the chrooted shell</b> edit /etc/fstab ("sudo nano /etc/fstab") and you should end up with something like this:</p>
{% highlight bash %}
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/crypt / ext4 errors=remount-ro 0 1
# /boot was on /dev/sda1 during installation
UUID=e4ef3f23-cd60-4d84-a8d2-b6004a26d055 /boot ext4 defaults 0 2
/dev/mapper/crypthome /home ext4 defaults 0 2
# swap was on /dev/sda2 during installation
UUID=cbab5539-3754-4f95-b90f-cf75d2094267 none swap sw 0 0
{% endhighlight %}
<p>Then edit crypttab ("sudo nano /etc/crypttab"):</p>
{% highlight bash %}
crypt UUID=82abbfdb-0ac4-4e57-af7e-031e05bffef9 none luks
crypthome UUID=d125fa61-bb52-406c-a7b6-048f0ac68456 /root/keyfile luks
{% endhighlight %}
<p>Obviously, in each case change the UUIDS to the appropriate values (of the block device, not the mapper).</p>
<h2>Step 6</h2>
<p>There are further steps to encrypt your swap, should you so wish, but I'm not going to cover those here. The only thing you need to do now is to run this inside your chrooted shell:</p>
{% highlight bash %}
sudo update-initramfs -u
{% endhighlight %}
<p>and reboot.</p>
<p>Tada!</p>