Background
I have wanted to run my laptop with an encrypted root partition for a while now, and I have finally sat down and worked out how to do it without using any temporary partitions like other guides do. I use debootstrap on another GNU/Linux host to prepare the hard disc. I am using a 20GB 2.5″ laptop hard disc connected via a USB adapter to my workstation to install Ubuntu. This is still a work in progress; as with all things, YMMV.
Disclaimer
Please be aware this guide contains some nasty lines of shell script which will eradicate the contents of /dev/sdb by default; please change this to suit your situation. I am not responsible for your actions whether you use my guide or not, and I may not be held responsible for anything you do to your system(s), no matter how destructive or terminal. That said, I have used this guide to the letter four times over and have not had a single problem.
You have been warned.
Method
Getting Started
We need to set up our host machine with a few utilities to be able to install our new system. I am assuming for this guide that you are running Debian or Ubuntu GNU/Linux.
$ sudo aptitude install debootstrap cryptsetup hashalot xfsprogs fdisk grub
debootstrap notes for specific Ubuntu/Debian versions:
Ubuntu 6.06
Install debootstrap from edgy-backports.
Ubuntu <6.06 and Debian GNU/Linux
Install debootstrap by downloading manually from the Ubuntu archive.
Connect up your hard disc drive to the host computer.
Prepare the disc
Partition the disc, I use fdisk personally.
WARNING: This writes a new partition table, preventing access to any data currently on the disc; ensure you have selected the correct disc.
$ echo -e "o\nn\np\n1\n\n+100M\nn\np\n2\n\n+200M\nn\np\n3\n\n\na\n1\nw\n" | sudo fdisk /dev/sdb
You can do the same in parted like this, but fdisk is preferred.
$ sudo parted /dev/sdb mklabel msdos mkpart primary ext2 0 100MB mkpart primary ext2 100MB 300MB mkpart primary ext2 300MB 100% set 1 boot on
This creates a 100MB boot partition, a 200MB partition for swap and the rest is used for the root.
Wipe the disc clean
Erase all the data from the hard disc; we don’t want the bad guys finding all your old pr0n, right?
$ sudo /sbin/badblocks -s -w -t random -v /dev/sdb1
$ sudo /sbin/badblocks -s -w -t random -v /dev/sdb2
$ sudo /sbin/badblocks -s -w -t random -v /dev/sdb3
$ # dd honours only one of= per run, so loop over the three partitions
$ for p in 1 2 3; do sudo dd if=/dev/urandom of=/dev/sdb$p; done
These extra steps are untested by me.
If you want a bit more security, install wipe and then run it over the three partitions like so:
$ sudo aptitude install wipe
$ sudo wipe -kq /dev/sdb{1,2,3}
If you really want to be secure then you should use dban.
Create the file systems
Now we need to prepare the partitions with some file systems. I am going to use ext2 for the first partition (boot), swap for the second (swap) partition, and an xfs file system on top of a LUKS encrypted partition for the system root. You can use ext3 instead of xfs; it should work just as well.
$ sudo mkfs -t ext2 /dev/sdb1
$ sudo mkswap /dev/sdb2
$ sudo cryptsetup --verify-passphrase --verbose --hash=sha256 --cipher=aes-cbc-essiv:sha256 --key-size=256 luksFormat /dev/sdb3
$ sudo cryptsetup luksOpen /dev/sdb3 root
$ sudo mkfs -t xfs /dev/mapper/root
Mount the root
Now we need to mount the root partition, like so:
$ sudo mount /dev/mapper/root /mnt
Install Ubuntu 7.04
This is where we begin to create our base installation of Ubuntu using debootstrap.
$ export DEBOOTSTRAP_DIR="/usr/lib/debootstrap"
$ sudo debootstrap --include="language-pack-en,language-pack-en-base,dmsetup,cryptsetup,hashalot,initramfs-tools,nano" --components=main,universe --verbose --arch i386 feisty /mnt http://archive.ubuntu.com/ubuntu $DEBOOTSTRAP_DIR/scripts/feisty
You can adjust http://archive.ubuntu.com/ubuntu with a mirror closer to you and this will help speed up the process and reduce load on the master Ubuntu mirror.
You can change the en to your native language (see the list of language packs).
Go get a beverage, a light snack, or, my personal favourite, some confectionery; this will take a short while, depending on your Internet connection.
Configure Networking
Once we have our Ubuntu installation we need to configure it; normally the installer would do this, but today we take its place. Be careful not to nuke your host's configuration.
$ # Set hostname
$ echo "hostname" | sudo tee /mnt/etc/hostname
$ # Network config (adjust as required)
$ sudo cp /etc/network/interfaces /mnt/etc/network/
$ sudo cp /etc/resolv.conf /mnt/etc/
$ # Set up hosts file (adjust as required)
$ sed "s/$(cat /etc/hostname)/$(cat /mnt/etc/hostname)/" /etc/hosts | sudo tee /mnt/etc/hosts
Configure the boot image
$ sudo nano /mnt/etc/initramfs-tools/modules
# List of modules that you want to include in your initramfs.
#
# Syntax:  module_name [args ...]
#
# You must run update-initramfs(8) to effect this change.
#
# Examples:
#
# raid1
# sd_mod

# IDE Discs
ide-core
ide-cd
ide-disk
ide-generic

# SCSI Discs
scsi_mod
sd_mod

# USB Discs
#usbcore
#ehci-hcd
#ohci-hcd
#uhci-hcd
#usbhid
#usb-storage

# Encryption Stuff
aes
cbc
sha1
sha256
$ sudo cp /mnt/usr/share/initramfs-tools/hooks/cryptroot /mnt/etc/initramfs-tools/hooks/
$ sudo cp /mnt/usr/share/initramfs-tools/hooks/udev /mnt/etc/initramfs-tools/hooks/
$ sudo cp /mnt/usr/share/initramfs-tools/scripts/local-top/cryptroot /mnt/etc/initramfs-tools/scripts/local-top/
$ sudo cp /mnt/usr/share/initramfs-tools/scripts/init-premount/udev /mnt/etc/initramfs-tools/scripts/init-premount/
$ echo -e "--- /mnt/usr/share/initramfs-tools/scripts/local-top/cryptroot 2007-02-04 20:46:06.000000000 +0000\n+++ /mnt/etc/initramfs-tools/scripts/local-top/cryptroot 2007-02-05 02:13:53.975074750 +0000\n@@ -173,0 +174,5 @@\n+ # Try waiting a little while, maybe udev is being slow (Chris Smith <chris.smith@cs278.org>)\n+ if [ ! -e $cryptsource ]; then\n+ sleep 1\n+ fi\n+\n" | sudo patch -u /mnt/etc/initramfs-tools/scripts/local-top/cryptroot -
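Review bot: the block inserted at line 174 waits exactly once with `sleep 1`, so any udev delay longer than a second still leaves `$cryptsource` missing when the rest of the script goes on; a bounded poll such as `n=0; while [ ! -e "$cryptsource" ] && [ $n -lt 10 ]; do sleep 1; n=$((n+1)); done` waits only as long as needed and gives up predictably. The test `[ ! -e $cryptsource ]` should also quote the variable, since an empty or space-containing value makes the test succeed or error rather than report the device as absent.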
The patch adds a one second sleep if the device is not found; this is because the udev symlinks can sometimes take a little while to appear, and I have not found a more elegant solution that works every time.
Configure the file systems
We need to configure the system so it can mount the required partitions once it boots.
$ sudo nano /mnt/etc/fstab
# /etc/fstab: static file system information.
#
# <file system>    <mount point>   <type>        <options>     <dump>  <pass>
proc               /proc           proc          defaults      0       0
# /dev/hda3
/dev/mapper/root   /               xfs           defaults      0       1
# /dev/hda1
UUID=hda1_uuid     /boot           ext2          defaults      0       2
# /dev/hda2
UUID=hda2_uuid     none            swap          sw            0       0
/dev/scd0          /media/cdrom0   udf,iso9660   user,noauto   0       0
We cannot use a UUID for the root partition because initramfs-tools cannot handle it; if you try, you are left with an unbootable system.
$ sudo nano /mnt/etc/crypttab
# <target name>   <source device>                <key file>   <options>
root              /dev/disk/by-uuid/hda3_uuid    none         luks
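The UUID placeholders in fstab and crypttab are the part of this procedure most easily got wrong. As an added example that is not part of the original guide, this POSIX shell script renders both files from the three partition UUIDs and then checks them for the two mistakes described here: a UUID= on the root line, and a raw device path instead of a by-uuid path in crypttab. The function names are my own, and reading the UUIDs with blkid is my assumption (run that part as root on the host, with the disc still attached as /dev/sdb).

```shell
#!/bin/sh
# Added example: render and sanity-check fstab/crypttab for the
# boot (ext2) / swap / LUKS+xfs root layout used in this guide.

# part_uuid DEVICE: print the UUID of a partition (assumes util-linux blkid).
part_uuid() {
    blkid -s UUID -o value "$1"
}

# render_fstab BOOT_UUID SWAP_UUID: fstab text on stdout. The root entry
# stays /dev/mapper/root: initramfs-tools cannot resolve a UUID through the
# cryptroot mapping, and a UUID here gives an unbootable system.
render_fstab() {
    printf '%s\n' \
        '# /etc/fstab: static file system information.' \
        '# <file system>   <mount point>  <type>       <options>    <dump> <pass>' \
        'proc              /proc          proc         defaults     0      0' \
        '/dev/mapper/root  /              xfs          defaults     0      1' \
        "UUID=$1  /boot  ext2  defaults  0  2" \
        "UUID=$2  none   swap  sw        0  0" \
        '/dev/scd0         /media/cdrom0  udf,iso9660  user,noauto  0      0'
}

# render_crypttab ROOT_UUID: crypttab text on stdout. The by-uuid path keeps
# the mapping valid when the disc moves from /dev/sdb on the host to the laptop.
render_crypttab() {
    printf '%s\n' \
        '# <target name>  <source device>  <key file>  <options>' \
        "root  /dev/disk/by-uuid/$1  none  luks"
}

# check_tables FSTAB CRYPTTAB: 0 when the files agree, 1 otherwise.
# Checks: the crypttab target is the mapper device mounted at /, the root
# entry is not UUID-based, and the crypttab source is a /dev/disk/by-uuid path.
check_tables() {
    target=$(awk '!/^#/ && NF { print $1; exit }' "$2")
    source=$(awk '!/^#/ && NF { print $2; exit }' "$2")
    [ -n "$target" ] || return 1
    grep -q "^/dev/mapper/$target[[:space:]][[:space:]]*/[[:space:]]" "$1" || return 1
    if grep -q '^UUID=[^[:space:]]*[[:space:]][[:space:]]*/[[:space:]]' "$1"; then
        return 1
    fi
    case $source in
        /dev/disk/by-uuid/*) return 0 ;;
        *) return 1 ;;
    esac
}
```

On the host this would be used as `render_fstab "$(part_uuid /dev/sdb1)" "$(part_uuid /dev/sdb2)" | sudo tee /mnt/etc/fstab`, and likewise for crypttab with /dev/sdb3, followed by `check_tables /mnt/etc/fstab /mnt/etc/crypttab`.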
Configure the Kernel
$ echo "do_initrd = yes" | sudo tee -a /mnt/etc/kernel-img.conf
Prepare to chroot
Now we need to prepare to chroot into the installation and actually do all the configuration; let's mount all the required bits.
$ sudo mount /dev/sdb1 /mnt/boot
$ sudo mount -o bind /dev /mnt/dev
$ sudo mount -o bind /sys /mnt/sys
$ sudo mount -t proc proc /mnt/proc
chroot and configure
Let's chroot in and perform the steps we need to take.
$ sudo chroot /mnt
# Configure the keyboard
# dpkg-reconfigure console-setup
# aptitude update
# aptitude install grub linux-image-generic
If you are not using xfs for the root file system you can skip this step.
# aptitude install xfsprogs
Leave the chroot
# exit
Install Bootloader
We must install grub now, from another terminal (outside the chroot).
$ sudo grub-install --recheck --root-directory=/mnt/ /dev/sdb
$ sudo rm -f /mnt/boot/grub/device.map
Wrapping Up
Finally:
$ sudo chroot /mnt update-grub -y
$ sudo umount /mnt/{sys,dev,proc,boot,}
$ sudo cryptsetup luksClose root
$ sudo eject /dev/sdb
First Boot
The first time you boot the newly prepared installation all should go smoothly; to log in, use the user name root. You now need to install some important packages to turn this very primitive system into a full Ubuntu beast.
Make sure your network is working before you move on!
WIP: # dpkg-reconfigure --all --unseen-only
# aptitude -dy install ubuntu-standard ubuntu-desktop
# tasksel install ubuntu-desktop
# reboot
References
- Howto install Debian GNU/Linux onto a USB thumbdrive with the root partition encrypted (using UUIDs, Initramfs-tools & Dm-Crypt)
- Encrypted root, swap, and home using LUKS with no unencrypted key files available anywhere after boot
- Installing Ubuntu 6.06 on an Encrypted LVM Partition For Root, Swap, and Home
- Installing new Debian systems with debootstrap
- HOWTO – Install Debian Onto a Remote Linux System
- Installing Ubuntu from a Unix/Linux System
- Debian GNU/Linux Installation with Knoppix and debootstrap
Change Log
0.9.1
  * Added <http://www.inittab.de/manuals/debootstrap.html> as a reference
 -- Chris Smith <null@cs278.org>  Tue, 6 Feb 2007 05:24:56 +0000
0.9.0
  * Initial Version
 -- Chris Smith <null@cs278.org>  Sun, 4 Feb 2007 16:35:00 +0000