Encrypting disks on Ubuntu 19.04

Isuru Perera
May 15

Encrypting data

Disk encryption using LUKS

What is LUKS?

Preparing partitions

Booting Ubuntu 19.04 live image with “Try Ubuntu” option.

Creating partitions

GParted after deleting existing Linux partitions
Boot partition
Root partition
Home partition
Pending operations in GParted
Confirmation to apply pending operations
Applying pending operations
3 new partitions created

Encrypting root and data partitions

sudo cryptsetup luksFormat --hash=sha512 --key-size=512 /dev/sda7 
sudo cryptsetup open --type=luks /dev/sda7 rootfs
sudo cryptsetup luksFormat --hash=sha512 --key-size=512 /dev/sda8
sudo cryptsetup open --type=luks /dev/sda8 home
Initializing and opening LUKS partitions
sudo dd if=/dev/zero of=/dev/mapper/rootfs bs=16M status=progress
sudo dd if=/dev/zero of=/dev/mapper/home bs=16M status=progress

Creating logical volumes to install Ubuntu and create Home directory

sudo pvcreate /dev/mapper/rootfs
sudo vgcreate vgroot /dev/mapper/rootfs
sudo lvcreate -n lvroot -l 100%FREE vgroot
sudo pvcreate /dev/mapper/home
sudo vgcreate vghome /dev/mapper/home
sudo lvcreate -n lvhome -l 100%FREE vghome
Logical volumes creation
LUKS partitions and logical volumes shown in “Disks” application
Ubuntu installation wizard
Installation type
Mount partitions and install boot loader
Configuring the boot partition
Mounting boot partition to /boot and specifying to format it
Mounted /dev/sda6 to /boot
Encrypted logical volumes
Mounting / to “/dev/mapper/vgroot-lvroot”
Mounting /home to “/dev/mapper/vghome-lvhome”
Mounted encrypted logical volumes
Confirmation to write changes
Configuring user account
Copying files…
Installation complete message
sudo blkid </dev/DEV_ROOTFS>
sudo blkid </dev/DEV_HOME>
sudo mount /dev/mapper/vgroot-lvroot /mnt
sudo mount </dev/DEV_BOOT> /mnt/boot
sudo mount /dev/mapper/vghome-lvhome /mnt/home
sudo mount --bind /dev /mnt/dev
sudo chroot /mnt
mount -t proc proc /proc
mount -t sysfs sys /sys
mount -t devpts devpts /dev/pts
Mounting the installed OS to /mnt
sudo nano /etc/crypttab
# <target name> <source device> <key file> <options>
rootfs UUID=<UUID_ROOTFS> none luks,discard
home UUID=<UUID_HOME> none luks,discard
update-initramfs -k all -c
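
If a crypttab entry points at the wrong UUID (for example the UUID of the opened /dev/mapper device instead of the LUKS partition), the initramfs cannot unlock the volume, so it is worth checking the entries against blkid before running update-initramfs. The script below is an added example, not part of the original article; the function name crypttab_problems and the sample blkid and crypttab data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check crypttab entries
# against blkid output before rebuilding the initramfs.
# On a real system: crypttab_problems "$(sudo blkid)" < /etc/crypttab

# Prints one line per problem; prints nothing when every entry is consistent.
crypttab_problems() {
    blkid_out=$1
    while read -r name src rest; do
        case $name in ''|'#'*) continue ;; esac          # blank line or comment
        case $src in
            UUID=*'<'*) echo "$name: placeholder UUID left in place"; continue ;;
            UUID=*)     uuid=${src#UUID=} ;;
            *)          echo "$name: source is not UUID=..."; continue ;;
        esac
        # Match the UUID field exactly; the leading space excludes PARTUUID=.
        line=$(printf '%s\n' "$blkid_out" | grep -F " UUID=\"$uuid\"" || true)
        case $line in
            '')                     echo "$name: UUID not found in blkid output" ;;
            *'TYPE="crypto_LUKS"'*) ;;                   # the LUKS container itself
            *)                      echo "$name: UUID is not a LUKS container" ;;
        esac
    done
    return 0
}

# Constructed blkid output (sample values, not from a real disk).
sample_blkid() {
    cat <<'EOF'
/dev/sda6: UUID="00000000-0000-4000-8000-000000000006" TYPE="ext4" PARTUUID="c0ffee00-06"
/dev/sda7: UUID="00000000-0000-4000-8000-000000000007" TYPE="crypto_LUKS" PARTUUID="c0ffee00-07"
/dev/sda8: UUID="00000000-0000-4000-8000-000000000008" TYPE="crypto_LUKS" PARTUUID="c0ffee00-08"
/dev/mapper/rootfs: UUID="AbCdEf-0000-1111-2222-3333-4444-GhIjKl" TYPE="LVM2_member"
EOF
}

# Constructed crypttab with two mistakes: rootfs uses the UUID of the opened
# mapper device (an LVM physical volume), and home still has the placeholder.
sample_crypttab() {
    cat <<'EOF'
# <target name> <source device> <key file> <options>
rootfs UUID=AbCdEf-0000-1111-2222-3333-4444-GhIjKl none luks,discard
home UUID=<UUID_HOME> none luks,discard
EOF
}

sample_crypttab | crypttab_problems "$(sample_blkid)"
```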

Conclusion

Written by Isuru Perera, Engineer at WSO2
