Hi All,
I just installed the pre-release version of Focal on a 2014 T540 ThinkPad with an SSD drive. As with my previous install, I wanted to have full disk encryption (using LUKS LVM). I did a clean install and opted to do the partition and LUKS setup manually, with an encrypted main/root partition and an encrypted /boot partition as well, and using BTRFS for both.
Essentially I followed this guide but had to improvise a little:
https://help.ubuntu.com/community/Fu...ion_Howto_2019
The steps described worked perfectly until I got to the "Post-Installation Steps", where things did not go smoothly and I had to fix the chroot environment myself (see below). One other thing: for some reason in this guide all /dev/sda partitions have a 'p' before the number, as in /dev/sdap5 --- I omitted that, since mine don't have that and I have never seen that.
The result is a mostly working system, but unfortunately the decryption of the main LUKS volume at the initial stage does not work automatically. Here the system drops into the BusyBox (initramfs) shell and I have to manually decrypt and mount the root partition. This only requires two commands:
cryptsetup luksOpen /dev/sda5 sda5_crypt
vgchange -ay
(and Ctrl-D to exit the shell)
However, I find this a bit unsatisfying and I would like to get this fixed.
Deviation from guide during post-installation setup:
Essentially the chroot environment did not work after the commands listed, because several essential system utilities were missing (including bash...). So I actually had to 'mount --rbind' all system folders in the original root, not only the ones listed; in addition, /etc required special treatment, since we need to write to that folder: therefore we need to mount --rbind the /etc/apt/ folder and the /etc/resolv.conf file separately (inside a newly created /etc folder in the new chroot environment). Also keep in mind that you need to create all the folders (and one file) that serve as mount points for mount --rbind. But other than fixing the chroot environment in this manner, I followed the instructions and all commands executed successfully.
I don't really understand why the main LUKS partition does not decrypt automatically; however, I don't really understand how that is supposed to work in the first place... it appears that the (also encrypted) boot partition does decrypt and mount automatically: I get a password prompt for that, enter it, then a KDE splash screen, but then the initramfs shell, so the second (main) partition does not decrypt. I did check that all of the permissions and file contents in the /etc/luks folder and friends are correct (as per the commands shown in the guide).
I'm not sure if having BTRFS on both the /boot and the main/root partition would have any impact; the guide suggests using ext4. (In fact, the initial motivation to do this myself, and the reason I searched for this guide, was that the default full disk encryption offered by the installer will use ext4 and you can't change that.)
Any ideas would be greatly appreciated! I am afraid I don't understand this boot loader and crypt-setup stuff well enough to really see what is going on here.
Thanks!
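One check that fits the symptom described in the post (the /boot volume unlocks, the root volume does not, and the initramfs shell appears), as an added example that is not part of the original post or the linked guide. It assumes the Debian/Ubuntu cryptsetup-initramfs layout, where /etc/crypttab names the mapping and KEYFILE_PATTERN in /etc/cryptsetup-initramfs/conf-hook decides which key files are copied into the initramfs; the function name `check_crypttab`, the key-file name and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): lint the crypttab entry for one
# mapping and check that its key file would be embedded in the initramfs.
# Usage: check_crypttab CRYPTTAB CONF_HOOK MAPPING  (prints findings, returns 1 if any)
check_crypttab() {
    tab=$1 conf=$2 want=$3 found=0 bad=0
    # conf-hook is a root-owned shell fragment; read KEYFILE_PATTERN in a subshell.
    pattern=$( [ -r "$conf" ] && . "$conf"; printf '%s' "${KEYFILE_PATTERN:-}" )
    while read -r name source key opts || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac      # skip blanks and comments
        [ "$name" = "$want" ] || continue
        found=1
        case $source in
            UUID=*|PARTUUID=*|LABEL=*|/dev/disk/by-*|/dev/mapper/*) ;;
            *) echo "WARN source: '$source' is not a stable identifier"; bad=1 ;;
        esac
        case $key in
            ''|none) ;;                               # passphrase prompt, nothing to embed
            *)
                if [ -z "$pattern" ]; then
                    echo "FAIL keyfile: KEYFILE_PATTERN is unset, '$key' is not embedded"; bad=1
                else
                    # Unquoted on purpose: $pattern is matched as a shell pattern.
                    case $key in
                        $pattern) ;;
                        *) echo "FAIL keyfile: '$key' does not match KEYFILE_PATTERN '$pattern'"; bad=1 ;;
                    esac
                fi ;;
        esac
    done < "$tab"
    if [ "$found" -eq 0 ]; then
        echo "FAIL entry: no crypttab line for mapping '$want'"; bad=1
    fi
    return "$bad"
}

# Constructed sample files (not taken from the poster's system).
demo_dir=$(mktemp -d)
cat > "$demo_dir/crypttab" <<'EOF'
# <name>    <source>   <key file>              <options>
sda5_crypt  /dev/sda5  /etc/luks/root.keyfile  luks,discard
EOF
printf 'KEYFILE_PATTERN="/etc/keys/*.key"\n' > "$demo_dir/conf-hook"
check_crypttab "$demo_dir/crypttab" "$demo_dir/conf-hook" sda5_crypt || true
```

On a real system the two file arguments would be /etc/crypttab and /etc/cryptsetup-initramfs/conf-hook inside the installed root, and the initramfs has to be rebuilt after any change before the result takes effect.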