Eubolist's Blog

about IT, Linux, the web and much more

Howto: Ubuntu Lucid Lynx Beta 1 Encrypt System Partition using Live CD

with 5 comments

In case the alternate installation doesn’t work for you (there have been some bugs reported in the current Beta 1 version) or you only downloaded the Desktop CD and now suddenly decided to install Ubuntu on an encrypted partition, this is the right guide for you. If you just like pretty GUIs that’s okay too, but be aware that for this tutorial you should be comfortable working from the terminal. (though most of this tutorial you can just copy – paste into a terminal window).

Let’s start by installing lvm2 on your live system (the desktop cd doesn’t have that by default), open a terminal and type:

sudo su

aptitude update && aptitude install lvm2

If that fails check your network connection. You need a working internet connection to download the package. Now you need to set up (at least) two partitions:

  • /dev/sda1: an unencrypted /boot partition (around 250 MB) and
  • /dev/sda2: one encrypted LVM volume for your / filesystem and swap.

In your system it may be /dev/sdb or whatever you choose: Adjust the following commands to your system configuration:

cryptsetup -c aes-xts-plain -s 512 luksFormat /dev/sda2

When choosing a password take a long, safe password which is not prone to dictionary or brute force attacks. But also make sure you won’t forget it – if you forget your password all your files and settings will be lost.

cryptsetup luksOpen /dev/sda2 lvm

pvcreate /dev/mapper/lvm

vgcreate ubuntu /dev/mapper/lvm

lvcreate -L 1300M -n swap ubuntu

You can change the size of the swap partition, usually a value 1.3-1.5x your RAM size is fine.

lvcreate -l 100%FREE -n root ubuntu

If you want more than one partition (eg. a seperate /home partition) don’t use 100%FREE but the value you wish and define the additional partitions using the above scheme before proceeding to the next step.

mkswap /dev/mapper/ubuntu-swap

mkfs.ext4 /dev/mapper/ubuntu-root

Now start the installation process (don’t close the terminal yet, we’ll need it later). In the partitioning step choose /dev/mapper/ubuntu-root -> Mount point: / and reformat the partition with ext4. Choose /dev/sda1 -> Mount point: /boot and also reformat the partition.

Then continue your installation. On my system it wasn’t able to install the bootloader – don’t worry, we’ll fix that later, just continue with the installation. Once it’s finished don’t restart the system: Close the window and go to the terminal again.

mount /dev/mapper/ubuntu-root /mnt
mount /dev/sdX1 /mnt/boot
mount -o rbind /dev /mnt/dev
mount -t proc proc /mnt/proc
mount -t sysfs sys /mnt/sys
chroot /mnt

Now you’re chrooted in your new installation and able to modify it in order to boot into the encrypted partition. Install the necessary software:

aptitude install cryptsetup lvm2

Then you need to write the UUID of the encrypted partition into /etc/crypttab

echo “lvm UUID=VOLUME_ID none luks” >> /etc/crypttab

You can find out the volume id by typing blkid /dev/sda2 in your terminal. Lastly you need to update the initramfs with

update-initramfs -u -k all

If you were able to install the bootloader grub during the installation process you’re done now, you can exit the terminal and reboot. If not there are three more commands you need to run before exiting:

aptitude install grub2

grub-install /dev/sda


If all went well you have a 10.04 installation with an encrypted system drive now. Congratulations!

NOTE: The last part of this tutorial (chrooting plus installing grub) may also serve as a workaround if you encounter any problems or bugs setting up grub during the regular installation process.


Written by eubolist

2010/04/05 at 18:51

5 Responses

Subscribe to comments with RSS.

  1. What’s the LVM for? Why can’t I just have encryption without additional overhead?


    2010/04/09 at 01:13

    • You don’t absolutely need to setup lvm, but since cryptsetup requires device-mapper it’s convenient to just set up lvm on the go, given you’ll be more flexible to later change your partition setup.
      If you don’t want lvm, just tie the plain partition (eg sda2) to /dev/mapper/ubuntu-root resp. ubuntu-swap.


      2010/04/09 at 09:42

    • You need LVM unless you want to type in two paswords, if you have one swap and one root (/) partition.
      With LVM you need to enter the password just once.


      2010/04/29 at 10:06

  2. […] partition with Lucid Filed under: Linux, Security — 0ddn1x @ 2010-04-13 21:46:52 +0000… Leave a Comment TrackBack […]

  3. […] to remain unencrypted. Here is a good tutorial on how to install Ubuntu in an encrypted partition.…using-live-cd/ I see in your profile that you use archlinux. I am not familiar with that, but if it has an option […]

    encrypt my system

    2010/05/16 at 23:16

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: