Ubuntu Full Disk Encryption

An Eccentric Anomaly: Ed Davies's Blog

Encrypting the whole of your disk is a jolly good idea if there's any possibility at all of the computer being lost or stolen. Which there is, of course. It's also the decent thing to do if you handle other people's data; having an email address book is a rather minimal example of that.

Ubuntu (and Mint and, I guess, related distributions) provides the option to set up full-disk encryption (FDE) as part of the installation step. However, it's not very flexible.

There are two problems which I can see. The first is that it's rather literally full-disk encryption - there's only the option to set up the whole disk for FDE without un-encrypted partitions for other operating systems or whatever (e.g., leaving a Windows recovery partition “just in case”).

Also, when it's set up there's just one main partition containing the system (/) and user data (/home). While you can get a bit carried away with partitioning it seems to me that at least separating these two is a good idea. My netbook has a somewhat old version of Mint on it. The only upgrade path is a re-installation (!) which would be a lot less painful with a separate /home partition.

I haven't worked out how to solve the blatting-the-whole-disk problem but separating out /home turns out not to be too difficult. Somehow I failed to think of the general approach for quite a while then it took a little bit of research to be clear about the details so I thought it was worth documenting - if only for my own future reference.

First, install Ubuntu as normal with FDE selected.

This sets up an small un-encrypted /boot primary partition (“sda1”) with the rest of the disk dedicated to a single extended partition (“sda2”) containing one big logical partition (“sda5”) which is encrypted using LUKS with the key specified during installation.

The contents of that LUKS partition is an LVM physical volume. It's the only physical volume in a volume group called “ubuntu-vg” ("kubuntu-vg" on Kubuntu, “mint-vg” on Mint - substitute as appropriate below).

Within that physical volume/volume group are two logical volumes: a swap volume called “swap_1” and a volume filling the rest of the space for the main data called “root” (which gets mounted as '/', of course).

What we want to do is split that root volume in two with the second containing /home. That's just the sort of thing that LVM is for but it takes some care to get the steps right. It's a lot less tricky if you do it straight after installation before putting all your data in your home directory and installing lots of software.

This is all best done while the patient is unconscious - that is, the file systems concerned are not mounted which is most practically achieved by booting the installation media and running “Try Ubuntu”. Open a terminal window (ctrl-alt-T) then get set up as root and unlock the encrypted partition using:

sudo -s
cryptsetup open --type=luks /dev/sda5 sda5_crypt

The name it gets mapped to (“sda5_crypt”) doesn't matter as we're not going to actually mount anything. As if by magic LVM finds what we need and sets up handy mappings (e.g., /dev/mapper/ubuntu--vg-root) for us.

Next we need to shrink the root volume to make room for home. Some say 20 GB is plenty for a root partition but I chose 50 GB - with nearly 1000 GB to hand it seemed silly to risk running out here. This is a two-step process, first reduce the size of the actual file system within the volume then resize the volume itself. Leaving a safety margin (for things like differences between kB being 1000 or 1024 bytes) I shrank the file system to 40 GB first:

e2fsck -f /dev/mapper/ubuntu--vg-root
resize2fs /dev/mapper/ubuntu--vg-root 40G

The e2fsck seems to be needed, if you don't do it resize2fs will ask you to. Then reduce the volume to 50 GB:

lvresize -L 50G /dev/ubuntu-vg/root

Then expand the file system back up to fill the space available. resize2fs defaults to doing that if you don't give it a size.

resize2fs /dev/mapper/ubuntu--vg-root

Another e2fsck doesn't seem to be needed here but I assume resize2fs will ask if it is.

Commands like vgdisplay and lvdisplay are now handy to check what's happening and figure out how much spare space there is for the new /home volume to be created. On my laptop there was 877.38 GiB available so I decided to create an 877 GB volume:

lvcreate --size 877G --name home ubuntu-vg
mke2fs -L george-home -j /dev/mapper/ubuntu--vg-home

After booting into the now rather small system I created a temporary directory ('h'), mounted /dev/mapper/ubuntu--vg-home on it and rsynced (-av) the contents of /home to it.

The final step to getting it working is to edit /etc/fstab and add an entry to mount the file system on the new volume on the old /home directory entry on the root volume. Mine looks like this:

/dev/mapper/ubuntu--vg-home /home ext3 errors=remount-ro 0 1

For bonus points you can go back and remove the contents of the old /home directory on the root volume. Obviously, that has to be done while the home volume is not mounted. Must get round to that…