Ubuntu Root Partition Encryption using LUKS and dm-crypt

Shubhdeep Rajput
Published in Bobble Engineering
Sep 2, 2022 (6 min read)

Note: These steps have been tested on Ubuntu 20.04 and 22.04, in both dual-boot and single-boot setups. If your Linux distribution is different, test them in a virtual machine before applying them to your system; I am not responsible for data loss. In any case, back up anything you cannot afford to lose before starting: the re-encryption rewrites every block of the partition in place.

Credit: Most of the steps in this blog are the same as those in opencraft.com's tutorial on the subject, which I am linking below:

INTRODUCTION

I won't go into why encryption is important, because if you are here you probably already know. What I intend to achieve with this blog is a complete guide, in one place, for someone who wants to encrypt an existing Linux root partition without losing the data on it. I won't go deep into what every command does; you can refer to the original blog above for a detailed explanation. However, I'll explain wherever it is necessary. Lastly, I'll cover how to recover if you make a mistake in one of the steps, but I highly recommend double-checking each command to avoid mistakes in the first place. We'll be using dm-crypt with LUKS, which is the same mechanism the Ubuntu installer uses when you choose to encrypt the disk at installation time. The installer, however, wipes the whole disk, which is a problem if the disk already holds important data; the steps below instead re-encrypt the existing partition in place. I'll be doing all of this on Ubuntu 20.04 in a virtual machine.

PREREQUISITES

  1. Your computer boots with UEFI, which most modern systems do.
  2. Your Ubuntu installation has the EFI System Partition mounted at /boot/efi and, of course, the root partition at /. There is no separate /boot partition: the kernel and initramfs live on the root partition, which is why GRUB has to be able to unlock it.
  3. Your root filesystem is ext3 or ext4, which it is most of the time, for Ubuntu at least. The e2fsck and resize2fs steps below are specific to the ext family.
  4. A USB drive with an Ubuntu ISO, to boot into a live session, because the partition has to be unmounted while it is re-encrypted.

PREPARATION STEPS

While you are logged in your system, open terminal and run

$ mount

The output lists one line per mount in the form <device> on <mountpoint> type <fstype> (<options>). Find the lines for / and /boot/efi and note the device on each; in the example used throughout this post they are /dev/sda5 and /dev/sda1 respectively.

Now reboot into the live USB and open a terminal. Run this command, replacing X with the root partition number (5 in the example above):

$ blkid -s UUID -o value /dev/sdaX

Note down the UUID it prints. This is the UUID of the ext4 filesystem, the one /etc/fstab currently references; it survives the re-encryption unchanged (the filesystem is moved, not recreated), and it identifies the fstab line you will edit later.

ENCRYPTION STEPS

I'll list the commands to execute. I'll give the necessary information about each command where required, but for a deeper explanation refer to the blog mentioned above. If you get "permission denied" or a similar error while running these commands, prefix them with sudo. Execute the commands below, replacing X with the root partition number:

$ e2fsck -f /dev/sdaX
$ resize2fs -M /dev/sdaX

The first command checks the filesystem (resize2fs refuses to run without a recent check); the second shrinks the filesystem to its minimum size so that there is free space at the end of the partition for the data to shift into when the LUKS header is added at the front. Make sure both commands succeed before executing the command below:

$ cryptsetup-reencrypt /dev/sdaX --new --reduce-device-size 16M --type=luks1

--type=luks1 matters: cryptsetup now defaults to LUKS2, whose default key derivation (Argon2id) GRUB cannot unlock. GRUB 2.06 can only open LUKS2 volumes that use PBKDF2, and only in newer builds, so LUKS1 is the format GRUB reliably boots from. --reduce-device-size 16M shrinks the encrypted payload by 16 MiB to make room for the header at the start of the partition (a LUKS1 header needs about 2 MiB; 16M leaves margin). On newer cryptsetup (2.4 and later) the same operation is also available as "cryptsetup reencrypt", and cryptsetup-reencrypt is kept as a deprecated wrapper.

After executing the command above you will be asked for a passphrase. Remember it: you will need it every time you boot after encryption. After you enter it, cryptsetup prints progress while it rewrites the partition, which takes a while depending on the partition size, and then finishes without an error.

If you are not asked for a passphrase, recheck the commands. If everything is alright so far, congrats, your partition is encrypted! But the work is not done yet: you need to make some boot adjustments so that GRUB can unlock and boot from the encrypted root partition.
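The preparation and pre-flight checks above, collected into one script. This is an added example, not code from the original post or the opencraft tutorial: it parses mount output to find the root and EFI devices, refuses to proceed if the target is still mounted or is not ext3/ext4, and confirms that after resize2fs -M the gap between the end of the filesystem and the end of the partition covers the 16 MiB that --reduce-device-size will reserve. The text-processing functions take their input as strings so they can be exercised offline; the preflight wrapper runs blkid, dumpe2fs and blockdev on the real device, and the device name in the comments (/dev/sda5) is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original post. Pre-flight checks to run
# from the live USB before cryptsetup-reencrypt. The pure functions take
# text as input; preflight() runs the real tools on a real device.

# Device mounted at mountpoint $1, parsed from `mount` output passed as $2.
# Each line has the form: <dev> on <mountpoint> type <fstype> (<options>)
mount_source() {
    printf '%s\n' "$2" | awk -v mp="$1" '$2 == "on" && $3 == mp { print $1; exit }'
}

# Filesystem type at mountpoint $1, from the same `mount` output.
mount_fstype() {
    printf '%s\n' "$2" | awk -v mp="$1" '$2 == "on" && $3 == mp { print $5; exit }'
}

# Succeeds if device $1 appears as a mount source anywhere in `mount` output $2.
is_mounted() {
    printf '%s\n' "$2" | awk -v dev="$1" 'BEGIN { r = 1 } $1 == dev { r = 0 } END { exit r }'
}

# Succeeds for the filesystem types the guide supports (ext3/ext4).
fstype_supported() {
    case "$1" in
        ext3|ext4) return 0 ;;
        *) return 1 ;;
    esac
}

# Bytes between the end of the filesystem and the end of the device.
# Arguments: filesystem block count, filesystem block size, device size in bytes.
headroom_bytes() {
    echo $(( $3 - $1 * $2 ))
}

# Succeeds if that gap is at least $4 bytes (the --reduce-device-size value).
header_fits() {
    [ "$(headroom_bytes "$1" "$2" "$3")" -ge "$4" ]
}

# Live wrapper. Usage (assumed device name): PREFLIGHT_DEV=/dev/sda5 sh preflight.sh
preflight() {
    dev=$1
    reserve=$((16 * 1024 * 1024))        # matches --reduce-device-size 16M
    mounts=$(mount)
    if is_mounted "$dev" "$mounts"; then
        echo "refusing: $dev is mounted; run this from the live USB" >&2; return 1
    fi
    fstype=$(blkid -s TYPE -o value "$dev")
    if ! fstype_supported "$fstype"; then
        echo "refusing: $dev is $fstype, not ext3/ext4" >&2; return 1
    fi
    blocks=$(dumpe2fs -h "$dev" 2>/dev/null | awk -F': *' '/^Block count/ { print $2 }')
    bsize=$(dumpe2fs -h "$dev" 2>/dev/null | awk -F': *' '/^Block size/ { print $2 }')
    devsize=$(blockdev --getsize64 "$dev")
    if ! header_fits "$blocks" "$bsize" "$devsize" "$reserve"; then
        echo "refusing: only $(headroom_bytes "$blocks" "$bsize" "$devsize") bytes free after the filesystem; run resize2fs -M first" >&2
        return 1
    fi
    echo "ok: $dev ($fstype) has room for the LUKS1 header; filesystem UUID $(blkid -s UUID -o value "$dev")"
}

if [ -n "${PREFLIGHT_DEV:-}" ]; then
    preflight "$PREFLIGHT_DEV"
fi
```

The headroom check is the one people skip: if resize2fs -M was not run (or the filesystem grew back because it was mounted in between), cryptsetup-reencrypt refuses to start, or, worse, you get a device that is 16 MiB too small for its filesystem.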

BOOT ADJUSTMENTS

Since the partition is encrypted now, you need to open it to continue. Execute the following command:

$ cryptsetup open /dev/sdaX rootfs

This asks for the passphrase and maps the decrypted partition at /dev/mapper/rootfs. Now grow the filesystem back so it fills the mapped device (it ends up 16 MiB smaller than before, since that space now holds the LUKS header):

$ resize2fs /dev/mapper/rootfs

The GRUB and initramfs configuration we need to change lives on the root partition, so mount it, together with the other mount points a chroot needs. Execute the following commands, where Y is the /boot/efi partition number (1 in the example):

$ mount /dev/mapper/rootfs /mnt
$ mount /dev/sdaY /mnt/boot/efi
$ mount --bind /dev /mnt/dev
$ mount --bind /dev/pts /mnt/dev/pts
$ mount --bind /sys /mnt/sys
$ mount --bind /proc /mnt/proc
$ chroot /mnt

Now we create a keyfile, add it to the LUKS header as a second key slot, and register it in /etc/crypttab, which describes the encrypted block devices set up during boot. The reason for the keyfile: GRUB unlocks the partition with your passphrase in order to load the kernel and initramfs, and the initramfs then has to unlock it again to mount /. With the keyfile embedded in the initramfs (which itself sits on the encrypted root) you type the passphrase once instead of twice. Execute the commands below:

$ mkdir /etc/luks
$ dd if=/dev/urandom of=/etc/luks/boot_os.keyfile bs=4096 count=1
$ chmod u=rx,go-rwx /etc/luks
$ chmod u=r,go-rwx /etc/luks/boot_os.keyfile
$ cryptsetup luksAddKey /dev/sdaX /etc/luks/boot_os.keyfile

The luksAddKey command asks for an existing passphrase (the one you chose during re-encryption) before adding the keyfile. If cryptsetup turns out not to be installed in the chroot, install it and then try again:

$ apt install cryptsetup -y

If the package fails to install because name resolution does not work inside the chroot, open /etc/resolv.conf with nano, add the line nameserver 8.8.8.8, save, and try again. Now run the two echo statements below:

$ echo "KEYFILE_PATTERN=/etc/luks/*.keyfile" >> /etc/cryptsetup-initramfs/conf-hook
$ echo "UMASK=0077" >> /etc/initramfs-tools/initramfs.conf

KEYFILE_PATTERN tells the cryptsetup initramfs hook to copy matching keyfiles into the initramfs. UMASK=0077 makes update-initramfs create the initramfs readable only by root, so the embedded key is not exposed to every local user; do not skip it.

Next you need the UUID of the LUKS container, which is different from the filesystem UUID you noted during preparation. Open the Disks application and look for the root partition: it now shows as a locked LUKS volume with the ext4 filesystem nested inside it. Copy the UUID of the outer LUKS volume. The blkid command from the preparation step, run against /dev/sdaX, now prints this same LUKS UUID, so you can also take it from there. Below is the image for your reference:

Edit /etc/crypttab and add the line below, replacing <encrypted_rootfs_uuid> with the LUKS UUID copied in the last step. The discard option passes TRIM through to an SSD, which reveals to anyone reading the raw disk which blocks are unused; drop it if that matters more to you than SSD wear levelling.

rootfs UUID=<encrypted_rootfs_uuid> /etc/luks/boot_os.keyfile luks,discard

Edit /etc/fstab: in the line whose mount point is /, replace UUID=<filesystem UUID noted in the preparation step> with /dev/mapper/rootfs and leave the rest of the line unchanged. As shown in the image below:

Edit /etc/default/grub, remove any existing reference to the root partition, and add the following line. It makes grub-install embed the cryptodisk and LUKS modules in the GRUB image and makes update-grub emit the cryptomount entry for the root partition:

GRUB_ENABLE_CRYPTODISK=y

Lastly, run following commands:

$ grub-install /dev/sda
$ update-grub
$ update-initramfs -k all -c

Make sure there are no errors or warnings while running the commands above (on a UEFI system grub-install writes to the ESP mounted at /boot/efi; the /dev/sda argument is ignored). Then type exit to leave the chroot, reboot, and remove the USB drive. Before the usual GRUB menu you should now see a GRUB prompt asking for the passphrase of the encrypted partition, something like this:

If you see it, congrats! You have successfully encrypted your partition. Type your passphrase and wait a few seconds: GRUB unlocks the partition to load the kernel and initramfs, the initramfs unlocks it again with the keyfile, and you boot into your system, which is now encrypted.
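The boot adjustments above (crypttab entry, fstab rewrite, GRUB and initramfs settings, keyfile permissions) as one script. This is an added example, not code from the original post or the opencraft tutorial. The text-processing functions take file contents as strings so they can be tested offline; apply_boot_config edits the real files inside the chroot, keeping a .pre-luks backup of each. The mapper name rootfs and the keyfile path /etc/luks/boot_os.keyfile follow the post; the UUIDs in comments are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post. Generates and checks the
# boot configuration for a LUKS1 root unlocked by GRUB plus a keyfile in
# the initramfs. Run apply_boot_config inside the chroot after luksAddKey.

# One /etc/crypttab line: <name> UUID=<luks-uuid> <keyfile> <options>
crypttab_entry() {
    printf '%s UUID=%s %s %s\n' "$1" "$2" "$3" "${4:-luks,discard}"
}

# Rewrite the "/" line of fstab text ($1) so its device field is $2
# (e.g. /dev/mapper/rootfs). Comments and other mounts are left untouched.
fstab_use_mapper() {
    printf '%s\n' "$1" | awk -v dev="$2" \
        '!/^[[:space:]]*#/ && NF >= 2 && $2 == "/" { $1 = dev } { print }'
}

# Device field of the "/" entry in fstab text, for verification.
fstab_root_device() {
    printf '%s\n' "$1" | awk '!/^[[:space:]]*#/ && NF >= 2 && $2 == "/" { print $1; exit }'
}

# Set KEY=VALUE in shell-style config text ($1): replace an existing
# (possibly commented-out) assignment, otherwise append. Idempotent.
set_config_kv() {
    printf '%s\n' "$1" | awk -v key="$2" -v val="$3" '
        $0 ~ ("^#?[[:space:]]*" key "=") { if (!seen) print key "=" val; seen = 1; next }
        { print }
        END { if (!seen) print key "=" val }'
}

# Succeeds if the keyfile is mode 0400 inside a 0500 directory, as the
# chmod steps in the guide require (a readable key makes the passphrase moot).
keyfile_perms_ok() {
    [ -n "$(find "$1" -prune -perm 0400)" ] &&
    [ -n "$(find "$(dirname "$1")" -prune -perm 0500)" ]
}

# Usage inside the chroot: LUKS_UUID=<luks uuid> sh boot_config.sh
# (get the UUID with: blkid -s UUID -o value /dev/sdaX)
apply_boot_config() {
    luks_uuid=$1
    keyfile=/etc/luks/boot_os.keyfile
    if ! keyfile_perms_ok "$keyfile"; then
        echo "refusing: $keyfile must be 0400 in a 0500 directory" >&2; return 1
    fi
    for f in /etc/fstab /etc/crypttab /etc/default/grub \
             /etc/initramfs-tools/initramfs.conf /etc/cryptsetup-initramfs/conf-hook; do
        if [ -f "$f" ]; then cp -a "$f" "$f.pre-luks"; fi     # backup before editing
    done
    grep -q '^rootfs ' /etc/crypttab 2>/dev/null ||
        crypttab_entry rootfs "$luks_uuid" "$keyfile" >> /etc/crypttab
    fstab_use_mapper "$(cat /etc/fstab)" /dev/mapper/rootfs > /etc/fstab.new &&
        mv /etc/fstab.new /etc/fstab
    set_config_kv "$(cat /etc/default/grub)" GRUB_ENABLE_CRYPTODISK y > /etc/default/grub.new &&
        mv /etc/default/grub.new /etc/default/grub
    set_config_kv "$(cat /etc/initramfs-tools/initramfs.conf)" UMASK 0077 \
        > /etc/initramfs-tools/initramfs.conf.new &&
        mv /etc/initramfs-tools/initramfs.conf.new /etc/initramfs-tools/initramfs.conf
    set_config_kv "$(cat /etc/cryptsetup-initramfs/conf-hook 2>/dev/null)" \
        KEYFILE_PATTERN "/etc/luks/*.keyfile" > /etc/cryptsetup-initramfs/conf-hook.new &&
        mv /etc/cryptsetup-initramfs/conf-hook.new /etc/cryptsetup-initramfs/conf-hook
    echo "root device is now $(fstab_root_device "$(cat /etc/fstab)");" \
         "now run grub-install, update-grub and update-initramfs -k all -c"
}

if [ -n "${LUKS_UUID:-}" ]; then
    apply_boot_config "$LUKS_UUID"
fi
```

Using set_config_kv instead of the plain echo >> from the guide matters if you run the steps twice: a second UMASK= or GRUB_ENABLE_CRYPTODISK= line is harmless, but a duplicated crypttab entry is not, which is why apply_boot_config checks for an existing rootfs line first.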

What if you don’t see Enter passphrase screen?

If you have followed the blog properly you will not face this issue. However, if you mistyped something, or ignored a warning from update-grub or update-initramfs, GRUB may drop you into its rescue shell. The usual way out of grub rescue mode will not work here, because GRUB cannot read /boot/grub from the root partition until that partition has been unlocked. In that case run the following command, where X is the root partition number (note there is no space after the comma):

grub rescue> cryptomount (hd0,gptX)

GRUB asks for the passphrase and then reports that a key slot was opened ("Slot 0 opened", or another slot number). Run ls to list the devices: the unlocked partition appears as (crypto0), (crypto1) or similar. Using that device name, run the commands below, adjusting it to match yours:

grub rescue> set root=(crypto0)
grub rescue> set prefix=(crypto0)/boot/grub
grub rescue> insmod normal
grub rescue> normal

You should now get to the Enter passphrase screen and boot normally. Once logged in, run update-grub; that regenerates the GRUB configuration for the encrypted root and fixes the issue for subsequent boots.

CONCLUSION

In this blog I have listed the steps to encrypt the root partition without reinstalling the OS or losing data, and a way out of the most likely problem along the way. If you still face some other issue, comment below and I'll try to look into it. I hope this blog helped you in some way or another; I'll be happy to know if it did!
