--- layout: post status: publish published: true title: LUKS encrypting multiple partitions on Debian/Ubuntu with a single passphrase wordpress_id: 2474 wordpress_url: https://www.martineve.com/?p=2474 date: !binary |- MjAxMi0xMS0wMiAxMjozMDo0NSArMDEwMA== date_gmt: !binary |- MjAxMi0xMS0wMiAxMjozMDo0NSArMDEwMA== categories: - Technology tags: [] comments: [] ---
The Ubuntu guided installer is great, in some ways. It offers you the opportunity to use full-disk encryption which certainly made my day a lot better when I had my laptop stolen. That said, it's slightly problematic: I very much like to separate out my partitions: I want my /home/ mount to be on a different partition than the root filesystem for the obvious reason that it facilitates re-installs.
However, even if you have the same passphrase set on each of the partitions, the boot-time cryptsetup system will ask you for multiple passphrases. The way around this is to setup the following system. LUKS allows a file to act as a key that will automatically unlock a device. If we store this key on a LUKS encrypted partition, we can simply unlock that first partition and the key can then be used to unlock other partitions.
The way that I achieved this was to follow a modified version of Mark Loiseau's excellent guide on encrypting using aes-xts-plain64. I'm going to replicate parts of this here in case his site goes down. Please note that I disclaim any responsibility if this messes up your system. You need a good level of tech competence to do this and I cannot be responsible for any errors in what's pasted below. I have, however, set this up successfully on my system.
This guide assumes the following:
/dev/sda1 is your boot partition
/dev/sda2 is your swap partition
/dev/sda3 is your root partition
/dev/sda4 is your home partition
Download yourself an Ubuntu Desktop image and boot into the live environment. Use Gparted to setup the basic sizes of the partitions that you want. From there, drop to a root terminal (sudo -i) and then:
{% highlight bash %} apt-get install lvm2 cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 /dev/sda3 cryptsetup luksOpen /dev/sda3/ crypt mkfs.ext4 /dev/mapper/crypt cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 /dev/sda4 cryptsetup luksOpen /dev/sda4/ crypthome mkfs.ext4 /dev/mapper/crypthome mkswap /dev/sda2 {% endhighlight %}This install lvm2 onto your system, creates encrypted filesystems on /dev/sda3 and /dev/sda4 and calls them "crypt" and "crypthome" respectively and then finally sets up /dev/sda2 as a swap partition.
Install Ubuntu onto these filesystems using the "Install Ubuntu" option on the live image. When you get to the partitioner stage, do it manually and specify the correct mountpoints:
/dev/mapper/crypt (as root)
/dev/mapper/crypthome (as /home)
/dev/sda2 (as swap)
/dev/sda1 (as boot)
DON'T REBOOT THE LIVE IMAGE AFTER INSTALL
Inside your root terminal in the live image:
{% highlight bash %} cd /mnt mkdir root mount /dev/mapper/crypt root mount /dev/sda1 root/boot sudo chroot root mount -t proc proc /proc mount -t sysfs sys /sys mount -t devpts devpts /dev/pts {% endhighlight %}Now you have a chrooted environment for your new install. Now open a second root terminal and run this in the terminal outside the chroot (this allows internet access to your chrooted install):
{% highlight bash %} cp /etc/resolv.conf /mnt/root/etc/resolv.conf {% endhighlight %}Now, inside your first terminal (the chroot) run the following to ensure all necessary components are installed:
{% highlight bash %} apt-get update apt-get install lvm2 cryptsetup {% endhighlight %}We now need to generate the keyfile. In your second terminal (outside the chroot), run:
{% highlight bash %} sudo dd if=/dev/urandom of=/mnt/root/root/keyfile bs=1024 count=4 sudo chmod 0400 /mnt/root/root/keyfile sudo cryptsetup luksAddKey /dev/sda4 /mnt/root/root/keyfile {% endhighlight %}This generates a keyfile consisting of random characters and adds it to the home partition as an allowed unlock method.
The penultimate step is to wire this all together in /etc/fstab and /etc/crypttab. First of all, ascertain the ids of the devices by running "sudo blkid" outside of the chroot. Note down the UUIDs for all the relevant partitions.
Now, inside the chrooted shell edit /etc/fstab ("sudo nano /etc/fstab") and you should end up with something like this:
{% highlight bash %} # /etc/fstab: static file system information. # # Use 'blkid' to print the universally unique identifier for a # device; this may be used with UUID= as a more robust way to name devices # that works even if disks are added and removed. See fstab(5). # #Then edit crypttab ("sudo nano /etc/crypttab"):
{% highlight bash %} crypt UUID=82abbfdb-0ac4-4e57-af7e-031e05bffef9 none luks crypthome UUID=d125fa61-bb52-406c-a7b6-048f0ac68456 /root/keyfile luks {% endhighlight %}Obviously, in each case change the UUIDS to the appropriate values (of the block device, not the mapper).
There are further steps to encrypt your swap, should you so wish, but I'm not going to cover those here. The only thing you need to do now is to run this inside your chrooted shell:
{% highlight bash %} sudo update-initramfs -u {% endhighlight %}and reboot.
Tada!