// Full disk encryption with Ubuntu (9.04 Jaunty or newer), LVM and LUKS

This article provides a step-by-step guide on how to install an Ubuntu Linux system with full disk encryption (new installation). However, you should take a relaxed day as topical newbie for further reading. You don't have to keep everything in mind but it is never an error to acquaint oneself with something new.

The described setup was tested with the following versions (32bit and 64bit):

  • Ubuntu 9.04 Jaunty, 9.10 Karmic, 10.04 Lucid, 10.10 Maverick, 11.04 Natty, 11.10 Oneiric.
  • Kubuntu 10.04 Lucid, 11.04 Natty.
  • I did not have the time to test every version out there. Therefore it does not mean that this manual does not work for you if your version is not listed above.

In this case, full disk encryption means:

  • All non-boot data of the system will be encrypted (incl. temporary files and swap)
  • Only a small boot partition remains unencrypted to store the boot loader and the kernel. The security of your data won't be affected by this.
  • Automatic real-time, on-the-fly encryption incl. pre-boot authentication.

Additional key points:

  • This how-to does not use the (IMHO inflexible) Alternate-CD crypto setup.
  • There will be a separate /home partition within the encrypted volume, making backups and fresh installations easier.
  • Despite the fact that there is more than one single encrypted partition, you only have to enter one single password during boot time. The Logical Volume Manager (LVM) is used to make this possible. LVM will be used as “crypto container”, containing the different partitions /, /home and swap.
  • :!: You don't loose any comfort – apart from the password question when the system boots, you don't have to expect any changes during daily usage. This is also true regarding kernel and/or distribution updates, there is nothing special to keep in mind. Therefore it is really worth it to tough it out. ;-)
  • Suspend-to-disk (S4)/hibernation works (if it also would work on an unencrypted installation, for sure).
  • Thanks to Logical Volume Manager (LVM), subsequent partitioning changes are possible.

Short summary to get an overview of the actions needed to be done:

  1. Boot a live session plus install the needed software (LVM, LUKS/cryptsetup).
  2. Subdivide the target device into two partitions:
    • small boot partition (~200MB are more than enough)
    • unformatted partition (remaining space)
  3. Encrypt the unformatted partition, unlock it afterwards.
  4. Creation of a LVM group on the unformatted, unlocked crypto partition, containing the root, home and swap partition.
  5. Start of the graphical Ubuntu installation wizard, telling it to use the root, home and swap partition within the encrypted LVM group plus the small, unencrypted partition as /boot.
  6. Do not reboot directly after the installation wizard finished its work. Change into the freshly installed system with chroot instead. This is needed to install the required software (LVM, LUKS/cryptsetup) on it (you won't be able to boot it otherwise).
  7. Reboot.

If it's all Greek to you, don't be scared. It is no rocket science. ;-)

The very good article Linux Magazin 2005/08: Geheime Niederschrift - Festplattenverschlüsselung mit DM-Crypt und Cryptsetup-LUKS: Technik und Anwendung :lang_de: is still valid and contains much LUKS background knowledge, e.g. preventing some questions why a special encryption method is (not) used. If you don't understand German, have a look at the Wikipedia articles about Disk encryption theory, LUKS, AES, and Block cipher modes of operation.

However, you can still install and use the crypto system, even if you are not interested in this additional information. :-)

Necessary preparations

  • A Ubuntu installation CD (not the Alternate-CD) to be able to start a live session: download
  • Working Internet connection. You have to install some additional software packages during the live session (for which Internet connection is necessary). It is probably most convenient to connect your system to a Internet router or something similar to prevent needless configuration at the live session. If your network card does not work out-of-the-box, you may want to temporarily install a cheap Realtek NIC or something like that.

Before you paralyze your real system, it is a good idea to try everything out in a virtual machine.

I provide a crypt-setup bash script, making the system installation faster and easier. The scripts prompts the user to enter the needed data (target device, partition sizes, key length etc.) and processes the installation as described at “Manual installation” afterwards. This saves much typing and prevents errors. Using the script, a full disk encryption setup should only take a few minutes longer than a default installation.

  1. Start the live session. Boot from the installation CD and start a live session (not the installer). The fitting menu item should be “Try Ubuntu” or something similar (the notation may vary a little bit, depending on the Ubuntu version and when/if a key was pressed). Please choose the language you are going to use on the installed system right from the start. This prevents problems regarding the keyboard layout and the password setup.1)
  2. Run the script. Open a terminal and run the following commands to download and start the script (copy and paste recommended):
    wget "http://blog.andreas-haerter.com/_export/code/2011/06/18/ubuntu-full-disk-encryption-lvm-luks.sh?codeblock=1" -O "/tmp/ubuntu-full-disk-encryption-lvm-luks.sh"
    chmod a+rx "/tmp/ubuntu-full-disk-encryption-lvm-luks.sh"
    sudo "/tmp/ubuntu-full-disk-encryption-lvm-luks.sh"

Manual installation

You have to replace sdX by your own target decive (e.g. sda or hda). Pay attention to this if you are going to copy & paste the commands.

Start the live session

Boot from the installation CD and start a live session (not the installer). The fitting menu item should be “Try Ubuntu” or something similar (the notation may vary a little bit, depending on the Ubuntu version and when/if a key was pressed). Please choose the language you are going to use on the installed system right from the start. This prevents problems regarding the keyboard layout and the password setup.2)

Install needed packages

Because the full disk encryption will be prepared by using a live session (which brings no more than what is absolutely necessary), you have to install some additional packages plus their dependencies for the running session (lvm2 and cryptsetup). Open a terminal and execute the following command:

sudo apt-get install lvm2 cryptsetup

You can't reboot for understandable reasons (→live session, your changes would be gone after a reboot). This is why you have to load a needed kernel module manually (provided by the packages you installed) using the termimal:

sudo modprobe dm-crypt

Now the current live session does provide everything you need to install the encrypted system.

Create needed partitions

You have to subdivide the target hard disk into two partitions. This will be done with GParted.3) Start it via terminal (→ gksudo gparted) or by clicking “System→Administration→GParted”

The following partitions are needed:

  • dev/sdX1, ext3, 200MB at the beginning
    You can use up to 17 chars for the description. I chose “boot (no crypt)”.
  • dev/sdX2, unformatted, at least 8GB (the root, home and swap partitions need to find room).
    You can use up to 17 chars for the description. I chose “sys (lvm,crypt)”. Normally, you should simply use all remaining space (how it was done in the following).

You can close GParted after all operations were applied (→ green check mark).

Prepare the device

If the target device stored unencrypted data until now, you may want to overwrite the partitions with random data first. This securely prevents all (theoretical!) risks to restore data fragments:

sudo shred -vn 1 /dev/sdX1
sudo shred -vn 1 /dev/sdX2

The whole process is also a good stress test of your hard disk but may needs several hours or even days (depending on the disk size and your CPU).

If your device was already encrypted (or you aren't a security fanatic) you may ignore this. You also should skip this if you are using a SSD.

The partition sdX2 will be prepared to act as crypto device by using the cryptsetup luksFormat command. This is also the moment to decide which encryption algorithm, chaining mode and initialization vector should be used. aes-xts-plain is recommended because it brings protection against so called “watermarking” and other known attacks plus encrypts your data securely by using AES:

sudo cryptsetup --cipher aes-xts-plain --key-size 512 --verify-passphrase luksFormat /dev/sdX2
[define the password. Attention: there will be no feedback like * or something similar]

Choose a long, secure password or pass phrase. Even the best encryption is nearly useless if your password is weak. ;-)

After formatting, the crypto device needs a name and has to be unlocked to make it possible for the installer to access it. The device is accessible via /dev/mapper/<chosen name> if everything works. I chose the name lvm_crypt:4)

sudo cryptsetup luksOpen /dev/sdX2 lvm_crypt

XTS supports 128 or 256 bit keys. In this case, the keysize of 512 means that both AES and XTS are using the maximum keysize of 256 bit. For slower systems, --key-size 256 comes into question which equates to a 128 bit encryption.

XTS is available since Ubuntu 8.04 (Hardy Heron) and is more secure than CBC. Therefore aes-xts-plain is preferable to the frequently-used aes-cbc-essiv:sha256 (however, it is still secure and there is no real alternative if an old kernel has to be used). aes-cbc-plain has to be considered as vulnerable, ESSIV instead of PLAIN as initialization vector is strongly recommended in combination with CBC.

The Logical Volume Manager (LVM) won't be used to connect multiple drives here. It is used to prevent the management of different keys respectively the need to type multiple passwords when booting the system. Because /home gets its own partition and swap is also encrypted, you normally would have to type a separate password for each partition. To bypass this annoyance, a LVM volume incl. LVM volume group will be generated within the opened crypto partition you created earlier by using the cryptsetup command. pvcreate is used to initialize the LVM volume, vgcreate creates the LVM volume group within the LVM volume:

sudo pvcreate /dev/mapper/lvm_crypt
sudo vgcreate ubuntu /dev/mapper/lvm_crypt

Now you are able to create the needed partitions within the LVM volume respectively the LVM volume group ubuntu. Swap should be ~1.3 times greater as your installed RAM (at least if you want a solid suspend-to-disk (S4)/hibernation). If space is rare (e.g. when using a SSD), you certainly want to use less. But opinions about a sane swap size differ as much as the ones about the size of the root partition. This is why you should look at the following values as an example (but they can be adopted without any problems). The PC I used to write this article got 4GB RAM (→ multiplied by 1.3 = 5200MB swap) and I created a 25GB root partition:

sudo lvcreate -L 5200M -n swap ubuntu
sudo lvcreate -L 25000M -n root ubuntu
sudo lvcreate -l 100%FREE -n home ubuntu 

If you need additional/other partitions, you can create them by using the same schema. If you have problems with the syntax, man lvcreate may be helpful.

You should format the created partitions to prevent problems with some versions of the graphical Ubuntu-installer ubiquity (during the graphical installation of the real system, the partitions will be formatted again. So don't worry if you want to choose another file system than EXT4: you can choose it there):

sudo mkswap /dev/mapper/ubuntu-swap
sudo mkfs.ext4 /dev/mapper/ubuntu-root
sudo mkfs.ext4 /dev/mapper/ubuntu-home

The needed preparations of the encrypted device are finished now. All needed partitions are existing and the installation of the real system can begin.

Installation of the system

Start the graphical Ubuntu installation wizard by clicking the “Install Ubuntu <version>” icon on the desktop:
Icon of the installation wizard "ubiquity", running Ubuntu 10.04 Lucid Lynx

After choosing language, time zone etc. you have to choose “specify partitions manually” at the “Prepare disk space” window (the notation may vary a little bit, depending on the used Ubuntu version). There you have to assign the partitions you created before:5)

  • /dev/sdX1
    • Boot partition
    • File system (“use as”): ext3 journaling file system (no ext4 to prevent compatibility issues)
    • Format the partition: yes
    • Mount point: /boot
  • /dev/mapper/ubuntu-root
    • Root partition
    • File system (“use as”): ext4 journaling file system (or your own option)
    • Format the partition: yes
    • Mount point: /
  • /dev/mapper/ubuntu-home
    • Home partition
    • File system (“use as”): ext4 journaling file system (or your own option)
    • Format the partition: yes
    • Mount point: /home

Complete the setup by following the instructions of the installation wizard. You may activate the “Log in automatically” option (without bad conscience) to prevent the need for typing an additional password before logging in. The encryption password should be enough in single-user environments. Do NOT reboot the system after the installer finished. There is still some work to do.

If you would reboot your system now, the installed system couldn't boot. It still needs the software to access the encrypted drive and has to prompt the user for the password. Therefore we use chroot to change into the freshly installed system to install the needed packages lvm2 und cryptsetup (Attention: all following commands have to be executed within the same terminal window. And don't forget to replace sdX1 with your own partition, e.g. sda1):

sudo mount /dev/mapper/ubuntu-root /mnt
sudo mount /dev/sdX1 /mnt/boot
sudo mount -o bind /dev /mnt/dev
sudo mount -t proc proc /mnt/proc
sudo mount -t sysfs sys /mnt/sys
sudo cp /etc/resolv.conf /mnt/etc/resolv.conf
sudo chroot /mnt /bin/bash
apt-get install cryptsetup lvm2

You can ignore openpty(), /etc/crypttab and update-initramfs warnings (“Can not write log…”, “cryptsetup: WARNING: invalid line in /etc/crypttab”, “Cannot find /lib/modules/[…]-generic”)

Now, you are almost done. Ubuntu was installed into a LVM group on a crypted drive and has the software necessary to decrypt the data. In order to ask the drive to decipher automatically when booting the system, you have to write a fitting UUID entry for the /dev/sdX2 partition into the /etc/crypttab file. The following command detects the UUID and writes the needed line into /etc/crypttab (don't forget to replace sdX2 with your own partition, e.g. sda2):

echo "lvm_crypt UUID=$(ls -la /dev/disk/by-uuid | grep $(basename /dev/sdX2) | cut -d ' ' -f 9) none luks" >> /etc/crypttab

The system has to inherit the /etc/crypttab changes now (you can ignore “cryptsetup: WARNING: invalid line in /etc/crypttab” and “Cannot find /lib/modules/[…]-generic” warnings):

update-initramfs -u -k all 

Done :-). You should be asked for the password when booting the system. Work with your securely encrypted system as usual. Simply close the chroot environment and reboot your computer:

exit
sudo reboot

Tips and tricks

  • Change/add/remove passwords: LUKS is able to manage up to eight passwords at the same time. Each password will be stored in a so-called slot (0-7). The currently used slots of the encrypted partition can be printed out by using luksDump (don't forget to replace sdX2 with your own partition, e.g. sda2):
    sudo cryptsetup luksDump /dev/sdX2
    
    [...example output follows...]
    Key Slot 0: ENABLED
    	Iterations:         	xxxxxx
    	Salt:               	[...]
    	                      	[...]
    	Key material offset:	8
    	AF stripes:            	4000
    Key Slot 1: DISABLED
    Key Slot 2: DISABLED
    Key Slot 3: DISABLED
    Key Slot 4: DISABLED
    Key Slot 5: DISABLED
    Key Slot 6: DISABLED
    Key Slot 7: DISABLED

    To add a new password, use luksAddKey:

    sudo cryptsetup luksAddKey /dev/sdX2

    To remove an existing password, use luksRemoveKey:

    sudo cryptsetup luksRemoveKey /dev/sdX2
  • Access an encrypted system from a Live CD: In the case of emergency, it may be useful to have access to the encrypted files of a system installed by using this manual (you need the password, for sure). Boot the Live CD and install the needed software:
    sudo apt-get install lvm2 cryptsetup
    sudo modprobe dm-crypt

    Open/decrypt the device (replace sda2 with your device if needed):

    sudo cryptsetup luksOpen /dev/sda2 lvm

    Activate the LVM to get /dev/ubuntu/home, /dev/ubuntu/root and /dev/ubuntu/swap:

    sudo pvscan
    sudo vgscan
    sudo lvscan
    sudo vgchange -a y

    Mount the root and home partition:

    sudo mkdir /mnt/root
    sudo mount /dev/ubuntu/root /mnt/root
    sudo mkdir /mnt/home
    sudo mount /dev/ubuntu/home /mnt/home

    Now you can access your home partition via /mnt/home, the root partition is located at /mnt/root. So you can copy or edit all of your data. If you don't have enough permissions to copy needed files, try it with a filemanager started with gksudo nautilus.

1) , 2)
E.g. if you are starting an English live session to install a German system, X and Z are interchanged outside of the graphical installation wizard (compared to an U.S. keyboard). If your password – which has to be typed at the terminal – contains a X/x or Z/z, you would have to type another password on the freshly installed German system during its first boot than you supposedly defined during the setup
3)
which is already available if you run Ubuntu. Use sudo apt-get install gparted to get it on Kubuntu
4)
“lvm_” because we are using LVM within the crypto device, “crypt” because it is encrypted
5)
simply double click on the entries to open the configuration dialogue. The swap partition should be detected automatically

Comments

Johannes
No. 1 @ 2011/07/25 00:07

Vielen Dank für das tolle Script. Super Arbeit :)

Hier noch ein Hinweis für diejenigen, die wie ich nicht Ubuntu verwenden wollen. Sollte die Distribution Ubuntu-basiert sein (in meinem Falle Linux Mint 11, ich vermute die meisten Debian-Varianten sollten auch funktionieren), muss das Script geändert werden, da der Installer natürlich nicht im Script hinterlegt ist. Dadurch bricht das Script ab und ihr müsst neustarten und von vore anfangen. Sucht im Script nach der Zeile

ubiquity –desktop %k gtk_ui > /dev/null 2>&1 #command copied from the properties of the GNOME starter on the Live CD's Desktop

Ersetzt sie mit dem Befehl für den Installer eurer Distribution (zu finden über einen Rechtsklick auf das Symbol auf dem Desktop unter Eigenschaften), lasst aber natürlich das

/dev/null 2>&1

dahinter stehen. Und schon seid ihr dabei.

Grüße

Merlin
No. 2 @ 2011/08/14 20:12

I followed the tutorial, combining it with manual partition creation because my disk uses Advanced Format so I had to align the partitions manually myself using parted. I also added one EFI partition needed for booting my laptop.

Everything went really well until the end and at the final reboot I get to the grub menu, I pick the kernel and then I get thrown to initramfs command line. No password is asked before that to decrypt the LVM.

Any idea what could be wrong?

No. 3 @ 2011/08/16 07:49

@Merlin:

Any idea what could be wrong?

Entry in /etc/crypttab really correct? If not, you'll get the busybox. Maybe you forgot to replace /dev/sdX2 with your device when you used to following command:

echo "lvm_crypt UUID=$(ls -la /dev/disk/by-uuid | grep $(basename /dev/sdX2) | cut -d ' ' -f 9) none luks" >> /etc/crypttab
Rajesh
No. 4 @ 2012/01/08 13:14

I followed your instruction (& went with the manual steps as I wanted to see how it was done) with Oneiric. It worked precisely as documented. Thank you very very much. I had dual boot (Windows XP and Ubuntu) on my laptop. The only additional thing I did was that before shutting down (for restart post installation), apart from the steps you mentioned was that I modified my XP boot.ini file as documented here: http://bkpavan.wordpress.com/2008/04/02/how-to-boot-linux-using-windows-bootloader-xp/. My Windows partition is completely unaffected which is great as I had backed up my data to it! :-D

Moritz
No. 5 @ 2012/02/20 14:01

Nice article, quite handy for people who are not into full disk encryption, yet.

What I'm missing is a discussion of the weaknesses of XTS. It is not safe for use on large crypto devices and there are thus actually situations where aes-cbc-essiv provides better resistance than aes-xts-plain.

http://www.saout.de/pipermail/dm-crypt/2009-August/000017.html

No. 6 @ 2012/02/22 09:12

@Moritz: Hi Moritz. Don't you think “not safe” is a little bit extreme regarding the described issues? ;-)

With a petabyte the attack success probability rate
decreases to at most eight in a trillion.

AFAIK, cbc-essiv also got some theoretical issues (watermarking…). However: I'm not a mathematician or information scientist with crypto-background. Do you have more information about the weaknesses of XTS regarding large amounts of data regarding? I especially mean the type of attacks resulting out of the XTS issues (Just Watermarking or decryption of partial/small amounts of data? Or breaking the whole encryption? …).

Thanks! :-)

Martin
No. 7 @ 2012/03/05 13:14

Thanks very much for the article and the hard work that went into it!

My question is regarding dual boot with another Linux distro. What are the necessary steps to get that working? Would I simply create the necessary partition inside the LVM, and assume that the two would share the same /boot partition?

No. 8 @ 2012/03/05 16:36

Thank you for the script. Tested successfully on Lubuntu 11.04 to USB flash drive. One small problem, not sure if it's grub or something else. First, I get a blinking cursor and I have to press CTRL+ALT+F3 to see the graphics prompt to enter the passphrase. Is there a way to go straight to the prompt and to skip having to enter CTRL+ALT+F3?

Knut
No. 9 @ 2012/03/13 21:44

I'm booting linux mint 12 and am running your script and get:

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: 
Verify passphrase: 
device-mapper: reload ioctl failed: Invalid argument
Failed to setup dm-crypt key mapping for device /dev/sda2.
Check that kernel supports aes-xts-plain cipher (check syslog for more info).

Any idea why?

Felix
No. 10 @ 2012/03/14 19:53

Just wanted to say thanks for this nice tutorial, it's easy to follow and it worked like a charm :).

Anthony
No. 11 @ 2012/04/05 18:29

  $(ls -la /dev/disk/by-uuid | grep $(basename /dev/sdX2) | cut -d ' ' -f 9)
  

Installing Ubuntu 12.04, I found I had to change the end of the above to “-f 11” – there were a couple of additional spaces in the string, so “-f 9” didn't return the UUID.

It might be a good idea to display the output of the above to the user so it's easy to confirm that the correct string is generated.

Oliver Lau
No. 12 @ 2012/05/09 21:37

Die manuelle Verschüsselung mit Luks funktioniert bei ubuntu Ver. 12.04 LTS von der Desktop-CD nicht mehr. Habe das mehrfach bei mir unfreiwillig testen müssen. Nach dem chroot geben die Befehle update-initramfs -u -a all aber grub-update Fehler aus. Auch gibt es Probleme mit der Systemreperatur nach dem chroot derselben Art bei mir, was mir aufgefallen ist nach dem upgrade, weil der bootloader in den Masterbootrekord der Festplatte und nicht auf meinen Stick geschrieben wurde und deshalb versehentlich von mir zerstört wurde. Ferner wird die UUID nicht in die /etc/crypttab der verschlüsselten Partition geschrieben, was eigentlich nach der Befehlfolge zu erwarten wäre.

Bei Luci hatte das alles noch bei mir funktioniert. Bin daher auf der Suche nach einer anderen Lösung. Im Moment habe ich kein Linux auf meiner Festplatte aufgrund dieser upgrade Probleme.

Oliver Lau, Einbeck

Jens
No. 13 @ 2012/06/22 07:45

Ein super Script ist das und absolut notwendig für Anfänger wie mich, solange die Jungs von Mint Verschlüsselung ab Werk nicht einbauen.

Nur 2 Bugs unter Mint 13.

1. Die resolv.conf war nicht zu finden, wo sie gesucht wurde.

2. $(ls -la /dev/disk/by-uuid | grep $(basename /dev/sdX2) | cut -d ' ' -f 9) liefert nicht die uuid sondern $(ls -la /dev/disk/by-uuid | grep $(basename /dev/sdX2) | cut -d ' ' -f 10)

Danke nochmal.

No. 14 @ 2012/11/22 03:08

I'm trying to install Mint 14 (new, don't know if that might have anything to do with it) on my new laptop using this guide. Everything works great until the installer reaches “configuring hardware” (one of the later stages) at which point it hangs. There's a debug terminal output, but it's only one line tall so unfortunately I can't get anything useful out of it.

Any ideas?

No. 15 @ 2012/11/22 20:27

@Soren Bjornstad: I got things working by using Mint 13. I'm not sure why 14 didn't work…if anyone figures out what's different or gets it to work, please post something.

Speed
No. 16 @ 2013/01/25 00:42

I have done several Linux Mint 13 'Maya“ installs with this script and they all have worked well with one exception that we resolved (sort of)in-house. The login for an installed FDE fails on one box. It's difference from the other boxes is that it has a wireless keyboard (Logitech K520). The keyboard works at the grub menu and will work in the booted install but it does not work at the prompt for the luks password to unlock the sda2 partition. I've yet to figure out why this failure occurs. Our fix has been to replace the wireless keyboard with a wired keyboard. Other than that quirk things are great when using this routine. Thank you!

Speed
No. 17 @ 2013/01/25 00:48

@Soren Bjornstad:

In LM14 there's an easier way to do it. You can upgrade ubiquity and it offers full disk encryption in the partitioner during an install. Boot up you cd/dvd and do this in a terminal:

sudo apt-get remove ubiquity sudo apt-get update sudo apt-get install ubiquity sudo ubiquity

All that gets rid of the old installer, updates the repos, installs a new installer (and some other stuff), and the last command starts the new install DO NOT start the installer from the icon on the desktop.

Anon
No. 18 @ 2013/03/01 08:39

@Soren Bjornstad:

If things aren't working for you in Linux Mint 14, look carefully after updating your initramfs (the last step). If you see a message mentioning “en_US.utf8” or something like that, try this command (note that this still needs to be in the chroot environment), and then try the initramfs command again:

sudo locale-gen –purge –no-archive

If the message went away, you should be good.

Anon
No. 19 @ 2013/03/03 08:17

@Anon: It should also be noted that you can't copy and paste the command I just wrote, because the – is actually supposed to be “dash dash”. If it is pasted into the terminal as it is seen here, it won't actually do anything. You should get a generation complete message when it is done.

Qus
No. 20 @ 2013/03/03 13:32

@Anon: So sudo locale-gen –purge –no-archive

should actually be this?

sudo locale-gen -–purge -–no-archive

Jack
No. 21 @ 2013/06/19 06:02

I've tried this setup twice manually and once using your script and every time I get an error on reboot saying “cryptsetup: evms_activate is not available”

Any idea what the issue could be?

No. 22 @ 2013/08/11 00:27

Here's a more robust, in my opinion, line to generate /etc/crypttab echo “lvm_crypt UUID=$(ls -la /dev/disk/by-uuid | grep “md1$” | tr -s ” “ | cut -d ' ' -f 9) none luks” | tee /etc/crypttab

LamboR
No. 23 @ 2013/11/23 10:25

I'm to get an error on reboot saying “cryptsetup: evms_activate is not available” Please help me.

stevaskstev
No. 24 @ 2014/01/16 23:16

say one had installed mint petra 32bit mate opting full disk encryption using livedvd defaults on a single 300gig sata drive

then someone copied so many files to it on lan via NFS using ALL FREE SPACE

but say i noyiced the space warning and deleted all those copied files.. deleted not moved to trash

1 why might mint insist 100% of available space now used (after deleting files that had made this true)

3 apps crash with IO errors complaining no free space

4 recovery hamgs too 2 subsequent boot hangs because no free space

salsadancer
No. 25 @ 2014/04/13 13:01

before doing update-initramfs, I added a few modules to /etc/intramfs-tool/modules, and also inserted a hook to make sure /sbin/cryptsetup is added in the initramfs image. Take a look here (ignore the part about the usb-keys): http://www.oxygenimpaired.com/debian-lenny-luks-encrypted-root-hidden-usb-keyfile

Leave a comment…




  • E-Mail address will not be published.
  • Formatting:
    //italic//  __underlined__
    **bold**  ''preformatted''
  • Links:
    [[http://example.com]]
    [[http://example.com|Link Text]]
  • Quotation:
    > This is a quote. Don't forget the space in front of the text: "> "
  • Code:
    <code>This is unspecific source code</code>
    <code [lang]>This is specifc [lang] code</code>
    <code php><?php echo 'example'; ?></code>
    Available: html, css, javascript, bash, cpp, …
  • Lists:
    Indent your text by two spaces and use a * for
    each unordered list item or a - for ordered ones.
I'm no native speaker (English)
Please let me know if you find any errors (I want to improve my English skills). Thank you!
QR Code: URL of current page
QR Code: URL of current page 2011:06:18:ubuntu-full-disk-encryption-lvm-luks (generated for current page)