V2P and Encryption — 2
I was uncomfortable with my recent virtual-to-physical (V2P) effort. The fact that NetworkManager (NM) is horribly designed to store credentials in clear text motivated me to want to encrypt the system partition as well as the
Basically I performed the same steps as previously except this time I created a 250 MB /boot partition (/dev/sda7) and a 10 GB encrypted system partition (/dev/sda8) where I would store /home, the swap file, and the operating system.
After preparing the partitions I copied the contents of my spare disk. I modified my system GRUB to chainload to the new /dev/sda7
The system would not boot. After much digging, I learned that the initrd was not compiling properly. The fix is straightforward albeit a bit lengthy. I needed to chroot into the system to perform repairs.
I booted with a Live Ubuntu MATE ISO.
# Unlock the LUKS container and mount it as the chroot root.
cryptsetup luksOpen /dev/sda8 lukssda8
mkdir -p /mnt/chroot
mount /dev/mapper/lukssda8 /mnt/chroot
# The separate /boot partition (/dev/sda7) must be visible inside the chroot,
# otherwise update-initramfs and update-grub write to the wrong place.
mount /dev/sda7 /mnt/chroot/boot
# Bind the live session's device, process and sysfs trees into the chroot.
mount --bind /dev /mnt/chroot/dev
mount --bind /proc /mnt/chroot/proc
mount --bind /sys /mnt/chroot/sys
chroot /mnt/chroot
After chrooting into the encrypted partition I edited two files.
/etc/default/grub:
GRUB_ENABLE_CRYPTODISK=y

/etc/environment:
CRYPTSETUP=y
Where the UUID is the partition and not the file system.
CRYPTSETUP=y
export CRYPTSETUP=y
The file must be
As this was a live ISO session I manually exported CRYPTSETUP=y for the current terminal session. This step is important: otherwise the previous modifications do not trigger and the initrd still won't compile correctly. This is not a problem when booting the final system because the environment variable is set through
Finally I could run
I rebooted. The chainload succeeded but the Ubuntu system showed a "Press any key to continue" message. The message is caused by a "cryptomount -u" entry in grub.cfg that should not exist. Looks like grub-mkconfig is broken. My work-around was to copy the Ubuntu update-grub script to /usr/local/sbin, which in my $PATH environment variable precedes
#!/bin/sh
set -e
grub-mkconfig -o /boot/grub/grub.cfg "$@"

# Fix a bug: grub-mkconfig emits a bare "cryptomount -u" line (no UUID),
# which makes GRUB stop with "Press any key to continue".
if grep -q 'cryptomount -u $' /boot/grub/grub.cfg; then
    echo "Attempting to delete bogus 'cryptomount -u' lines."
    sed -i '/cryptomount -u $/d' /boot/grub/grub.cfg
fi
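The chroot repair above fixes the initrd and the update-grub wrapper fixes grub.cfg, but nothing in the procedure confirms that both fixes actually landed before the next reboot. The script below is an added example, not part of the original post: it checks a grub.cfg for the bogus bare "cryptomount -u" line and for a real "cryptomount -u <uuid>" entry, and checks an lsinitramfs listing for the cryptsetup binary that the CRYPTSETUP=y setting is supposed to pull in. Run with no arguments it exercises the checks on constructed sample files (the UUID and listing lines are made up); run with --system it reads the live /boot/grub/grub.cfg and the running kernel's initrd. The "sbin/cryptsetup" path inside the initrd is an assumption that holds for Ubuntu's initramfs-tools.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the repaired boot
# chain really carries what an encrypted root needs. The file-based checks are
# plain functions over text files so they can be run on constructed input;
# "--system" runs them against the live /boot/grub/grub.cfg and the running
# kernel's initrd. The UUID and sample lines below are constructed.

# 0 if FILE has no bare "cryptomount -u" line: the bogus entry that makes GRUB
# stop with "Press any key to continue" (with or without trailing space).
no_bogus_cryptomount() {
    ! grep -q 'cryptomount -u[[:space:]]*$' "$1"
}

# 0 if FILE has at least one cryptomount line that names a LUKS UUID
# (grub-mkconfig writes the header UUID as 32 hex digits, no dashes).
has_real_cryptomount() {
    grep -Eq 'cryptomount -u [0-9a-fA-F]{32}' "$1"
}

# 0 if an lsinitramfs listing (FILE) contains the cryptsetup binary; without it
# the initrd cannot unlock the root partition whatever grub.cfg says.
initrd_lists_cryptsetup() {
    grep -q 'sbin/cryptsetup$' "$1"
}

# The same work-around as the update-grub wrapper, applied to a chosen FILE.
strip_bogus_cryptomount() {
    sed -i '/cryptomount -u[[:space:]]*$/d' "$1"
}

# Run all three checks on a grub.cfg and an initrd listing; prints one line
# per check and returns 0 only if every check passed.
verify_boot_chain() {
    cfg=$1
    listing=$2
    status=0
    if no_bogus_cryptomount "$cfg"; then
        echo "ok   no bare 'cryptomount -u' line in $cfg"
    else
        echo "FAIL bare 'cryptomount -u' line in $cfg (GRUB will pause)"
        status=1
    fi
    if has_real_cryptomount "$cfg"; then
        echo "ok   $cfg unlocks a LUKS volume by UUID"
    else
        echo "FAIL no 'cryptomount -u <uuid>' in $cfg (GRUB_ENABLE_CRYPTODISK?)"
        status=1
    fi
    if initrd_lists_cryptsetup "$listing"; then
        echo "ok   initrd carries cryptsetup"
    else
        echo "FAIL initrd lacks cryptsetup (was CRYPTSETUP=y exported?)"
        status=1
    fi
    return $status
}

# Constructed sample input written into DIR: a grub.cfg fragment with the bogus
# bare line plus a real one, and a three-line stand-in for lsinitramfs output.
make_demo_files() {
    cat > "$1/grub.cfg" <<'EOF'
insmod cryptodisk
insmod luks
cryptomount -u
cryptomount -u 0123456789abcdef0123456789abcdef
set root='cryptouuid/0123456789abcdef0123456789abcdef'
EOF
    printf '%s\n' bin/sh sbin/cryptsetup lib/cryptsetup/askpass > "$1/initrd.lst"
}

# Live check of the running system (root is needed to read the initrd).
verify_system() {
    listing=$(mktemp)
    lsinitramfs "/boot/initrd.img-$(uname -r)" > "$listing"
    rc=0
    verify_boot_chain /boot/grub/grub.cfg "$listing" || rc=$?
    rm -f "$listing"
    return $rc
}

if [ "${1:-}" = "--system" ]; then
    verify_system
else
    demo=$(mktemp -d)
    make_demo_files "$demo"
    echo "Before the work-around:"
    verify_boot_chain "$demo/grub.cfg" "$demo/initrd.lst" || true
    strip_bogus_cryptomount "$demo/grub.cfg"
    echo "After the work-around:"
    verify_boot_chain "$demo/grub.cfg" "$demo/initrd.lst"
    rm -rf "$demo"
fi
```

Running it without arguments shows the first verdict failing on the bare line and the second passing once the same sed work-around has been applied; a FAIL on the initrd check after a real --system run is the signal that the CRYPTSETUP=y export did not take effect during update-initramfs.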
Finally the Ubuntu system booted without interruption or pain. I was asked for the LUKS passphrase.
I now had a fully encrypted partition containing both /home and a swap file.
Some people might wonder why I did not use the Ubuntu installer. The installer is limited. I can create the /boot and encrypted partitions and instruct the installer to use those partitions, but I do not want a default installation. My V2P is configured exactly how I want.