Montag, 14. Mai 2012

Setup Ubuntu 12.04 server with full disk encryption

Although there are several tutorials out there describing how to encrypt your system using dmcrypt. There are essentially two reasons why I made this one:
  1. As preparation for the following tutorial on how to setup unlocking via SSH
  2. To document the setup for myself.
We start from scratch with installing ubuntu 12.04 LTS server. You can download it here.
I won't go into the detail on the setup itself, but only the process of partitioning the disk.

There are many ways to encrypt your harddisk. Arch wiki covers it pretty well if your're interested. I'll describe one specific way here. The goal: encrypting "root" and "swap". However, when you setup two encrypted paritions you set up two (different) passwords. I am pretty lazy, so I want to unlock all encrypted volumes at once. This is where LVM comes in. So I just create one encrypted partition and let LVM handle the rest of the partitioning. So let's go:

Obviously you are going to set up the partitions manually, so select "Manual" on this screen.

I start with a completely empty disk. If it's not a new drive you should probably "secure erase" it first.
So first you setup a boot-partition.

This partition will contain the kernel and the initialramfs required to unlock your system. I created a 200MB partition formatted as ext4. You can adjust the size according to your needs.
Then setup a partition using up the rest of the space.

Then select "Configure encrypted volumes" and then "Create encrypted volumes". Select the disks to use for encryption accordingly:

After setting the password you'll end up with an encrypted volume (e.g. sda2_crypt).

Now select "Configure the Logical Volume Manager".

Select "Create Volume group" and give it a name. This name will be used to present your device in udev (/dev/mapper/yourlvmdisk).

Make sure you select the encrypted volume for the volume group.

Then select "Create logical volume" to create a partition inside the volume group. Setup partitions as desired. You can control your layout at the end by selecting "Display configuration Details".

I decided to setup just a root and a swap partition in this testsetup. If you want additional partitions (e.g. home) you need to create them here. When you're satisfied with your volume setup hit finish.

The volumes now appear as partitions in the partition manager and can be formatted like regular partitions.

I setup the first partition as root-partition with ext4 as filesystem.

When you're done setting up the partitions hit "Finish partitioning and write changes to disk" and then carry on with the installation as usual. When the setup is finished and the system rebooted you will be prompted the password for the volume.

Congratulations! Your system is now fully encrypted.


  1. I have followed excactly your instructions (besides taking xfs fs for root as a logical volume). Now the system runs in a black screen. I also tried in 3 times, and varies lvm config to first use smaller partitions but with no other result.

    It seems like Ubuntu 12.04 Server edition could not manage the transition from /boot (which I finally turned on the boot flag) to the encrypted partition.

    No terminals, no logs are shown, the screen is absolutely black (but turned on lcd bg lights).

    So finally it just system did not ask for the password. Blind typing does not work as well. Sometimes if you hit the keys, there is activity on the hd, but this is no necessary context or connection.

    Do you have any clue, what went wrong??

  2. Did you try other distributions as well?
    Ubuntu 13.04 should include a wizard to setup disk-encryption (don't know if this applies to the server-edition as well).