I took a look at the Ubuntu guide, the preseed example file and the partman auto recipe document - all of them mentioned the possibility to create an encrypted setup but none said how. So I google'd and I google'd but couldn't find anybody who had actually done it and shared their results.
I did however find some failed attempts and many dead forum posts where the question had been raised but not answered. One person said that the setup should be really close to an LVM setup but hadn't posted a working example with the encryption part. (Sorry, I don't have a link to this post) So I took most of the example and modified it to fit my needs and started experimenting. 16 hours and about a hundred tries on my test VM later, I seem to have figured out how to do it. Here is the relevant part of the preseed.cfg file:
#Partitioning d-i partman-auto/disk string /dev/sda d-i partman-lvm/device_remove_lvm boolean true d-i partman-md/device_remove_md boolean true d-i partman-lvm/confirm boolean true d-i partman-auto-lvm/guided_size string max d-i partman-auto/method string crypto d-i partman-auto/choose_recipe select boot-crypto d-i partman-auto-lvm/new_vg_name string crypt d-i partman-auto/expert_recipe string boot-crypto :: \ 250 35 250 ext4 $primary{ } $bootable{ } \ method{ format } format{ } \ use_filesystem{ } filesystem{ ext4 } \ mountpoint{ /boot } \ .\ 3072 75 3072 ext4 $lvmok{ } lv_name{ root } \ in_vg { crypt } method{ format } format{ } \ use_filesystem{ } filesystem{ ext4 } mountpoint{ / } \ .\ 100% 75 100% linux-swap $lvmok{ } lv_name{ swap } \ in_vg { crypt } method{ swap } format{ } \ .\ 2048 50 3072 ext4 $lvmok{ } lv_name{ usr } \ in_vg { crypt } method{ format } format{ } \ use_filesystem{ } filesystem{ ext4 } mountpoint{ /usr } \ .\ 512 50 1024 ext4 $lvmok{ } lv_name{ tmp } \ in_vg { crypt } method{ format } format{ } \ use_filesystem{ } filesystem{ ext4 } mountpoint{ /tmp } \ .\ 256 25 1000000 ext4 $lvmok{ } lv_name{ home } \ in_vg { crypt } method{ format } format{ } \ use_filesystem{ } filesystem{ ext4 } mountpoint{ /home } \ .\ d-i partman-partitioning/confirm_write_new_label boolean true d-i partman/choose_partition select finish d-i partman/confirm boolean true d-i partman/confirm_nooverwrite boolean trueThis gets the encryption working and is a decent bootable setup. I did run into some trouble when trying to use btrfs and ext2 filesystems for some partitions, but it didn't bother me so much as to try to fix it.
I hope this will help somebody in the future or myself, should my PXE machine die.
I agree the documentation of "partman-auto/method string crypto" is scarce to say the least. My use case calls for only one partition (/) and no swap, but now I have somewhere to start at least. Thanks a lot!
ReplyDeleteI hope this will save me a lot of work!
ReplyDeleteStupid question maybe, how is the encryption password provided?
I'd consider it a security risk to add it to the configuration file, therefor I just enter it to the prompt on the target computer.
DeleteHowever it should be possible to add it to the configuration in plain-text should you desire to do so.
Do you know what would be the correct sentence to setup the initial passphrase ?
DeleteI've successfully used your recipes, but in my case I can live with rhe security risk associated with the initial passphrase beeing readable in the preseed file, and I'd rather have a full automated install, with a know-correct passphrase.
You can use partman-crypto/passphrase and partman-crypto/passphrase-again [1].
Delete[1]: https://salsa.debian.org/installer-team/partman-crypto/-/blob/master/debian/partman-crypto.templates#L344-374
Has anyone figured out how to do this _without_ LVM? Just a plain primary partition that is encrypted? I am able to configure this manually in the installer, but I have not figured out how to preseed this.
ReplyDeleteOh yeah. I have spent the last day and a half trying to get that to work. No dice. I can do it manually, but not preseed.
DeleteDo you know how to set the IV Algorithm for the encryption?
ReplyDeleteDo you know if it is possible to do RAID-1, then crypto, then lvm? If not, do you have any suggestions on how to do disk mirroring, with encryption, and the capability of resizing partitions?
ReplyDeleteI have the EXACT same question. First I wanted RAID+crypto (without LVM), but I've found you can't do crypto without LVM. But I haven't found a combination for RAID+crypto+LVM that works. I've asked on the Debian mailing lists, stack exchange, scoured pretty much EVERYWHERE with no luck.
DeleteYou didn't happen to have found an answer for this, did you?
Tried this and it does not work with Ubuntu Server 16.04.3 LTS. Will complain about "selected recipe does not contain any partition that can be created on LVM volumes." So there is something new that is required but I have not found out what that might be.
ReplyDeleteto use all the remaining space for /home I do this:
ReplyDelete100% 100% 100% ext4 $lvmok{ } lv_name{ home } \
in_vg { crypt } method{ format } format{ } \
use_filesystem{ } filesystem{ ext4 } mountpoint{ /home } \
.\