Documenting Problems That Were Difficult To Find The Answer To

Full Disk Encryption on Xubuntu Precise 12.04

The Xubuntu 12.04 live disk (which I ran from a USB stick created with the UNetbootin tool) does not ship an installer capable of setting up full disk encryption out of the box.

Instead you must partition the destination hard drive and create the encrypted container yourself before running the installer.

The instructions I followed were taken from this blog post, although I used a different cipher. I had intended to use aes-cbc-essiv:sha256, but for some reason the cryptsetup on the Ubuntu install disk would not accept sha256 there, so I used aes-xts-plain with a 512-bit key and a sha512 hash spec (the exact luksFormat command is given below). XTS is the mode now generally preferred for sector-level encryption, so this is arguably the more secure choice anyway.

I missed one essential element, and the result looked like Launchpad bug 1003309, whose symptoms (no enter-password screen on boot) matched mine. The solution is below.

I will reproduce a large amount of that blog post because I feel the information is so valuable that I would not want it to disappear from the Internet. But make no mistake: apart from the fix for surviving a kernel upgrade (which I discovered myself), the instructions for encrypting during the install are not my own work.

Encrypting The Disk And Then Installation

Installation happens after you have encrypted the disk, not before!

Download an Ubuntu or Xubuntu live disk and boot it (“try Ubuntu/Xubuntu without installing” from the boot menu).


From the live desktop run gparted. Create a small (say 5 GB) primary partition near the beginning of the disk, formatted ext4; this will become /boot (the mount point itself is assigned later, in the installer's manual partitioning step, not in gparted). This partition must not be encrypted: it holds the kernel and the initramfs, and the initramfs carries the cryptsetup tooling needed to unlock the rest of the disk.

Then create a large partition (primary is recommended but not required), leaving some space at the end for swap (2 x your RAM size, e.g. 16 GB). Specify ext4 here too, although the filesystem type does not matter much since the partition is about to be overwritten by the LUKS container. This will become the encrypted root partition, later mounted at /.

Finally create a small partition in the remaining space (an extended/logical partition is recommended but not required) of type Linux swap.

Prepare For Encryption

Open a terminal on the live desktop, become root and install the packages:

sudo -i
apt-get install lvm2

(lvm2 is what the original post installed; none of the steps below actually create LVM volumes, so the tool that matters is cryptsetup. Make sure the cryptsetup command is available on the live system before continuing.)

Encrypt The Root Partition

In this example my root partition was /dev/sda2 and my boot partition was /dev/sda1.

cryptsetup luksFormat -c aes-xts-plain -s 512 -h sha512 /dev/sda2
cryptsetup luksOpen /dev/sda2 crypt
mkfs.ext4 /dev/mapper/crypt

luksFormat asks you to confirm with an upper-case YES and then for a passphrase; this is the passphrase you will type at every boot. With XTS the key is split in two halves, so -s 512 gives AES-256. One caveat: the plain IV generator uses a 32-bit sector number, so for a container larger than 2 TiB use aes-xts-plain64 instead (the 3.2 kernel on 12.04 supports it); on a laptop-sized disk plain is fine. luksOpen maps the unlocked container to /dev/mapper/crypt, which is the device you format here and later hand to the installer.

Format The Boot Partition

mkfs.ext4 /dev/sda1

Install Ubuntu

From the desktop click on the installer icon.

When it asks whether to use the whole disk (one of the first few choices), click “Something else” and specify the partitions manually. Don't forget all three: /dev/mapper/crypt (the unlocked container, not /dev/sda2 itself) as root (/), /dev/sda1 as /boot, and the swap partition (presumably /dev/sda3).

When installation completes, don't reboot! Click “Continue Testing”.

Prepare Installed System To Use Encrypted Drive

Open a terminal window and mount the newly installed system, with its boot partition mounted inside it (it has to sit under /media/root/boot, not the live system's /boot, for the later initramfs rebuild to write to the right place):

cd /media
mkdir /media/root
mount /dev/mapper/crypt /media/root
mount /dev/sda1 /media/root/boot

Now type sudo blkid and make a note of the UUID of /dev/sda2 (the LUKS container itself, not /dev/mapper/crypt). Then put it into the installed system's crypttab, which from the live desktop is /media/root/etc/crypttab (editing the live system's own /etc/crypttab has no effect on what you just installed), e.g.

# <target name> <source device>         <key file>      <options>
crypt UUID=176881fa-546a-492e-a3b6-dfbfbfb6a77a none luks

Next, regenerate the initramfs so that the boot partition knows how to find and unlock the encrypted disk:

sudo update-initramfs -u

If you get the error “update-initramfs is disabled since running on read-only media”, carry on; we deal with this below.

Set Up An Encrypted Swap Partition

This makes the swap a plain dm-crypt mapping keyed from /dev/urandom, so it gets a fresh random key on every boot and nothing written to swap survives a reboot. The flip side is that resume from hibernation cannot work with random-keyed swap.

cryptsetup -d /dev/urandom create cryptswap /dev/sda3
mkswap -f /dev/mapper/cryptswap -v1

Then add the swap mapping to the same crypttab (/media/root/etc/crypttab). Because a plain mapping has no LUKS header to record them, cryptsetup will later warn that cipher, size and hash should be set explicitly on this line (the warning appears in the kernel-upgrade output further down); the entry as written still works with the defaults:

# <target name> <source device>         <key file>      <options>
crypt UUID=176881fa-546a-492e-a3b6-dfbfbfb6a77a none luks
cryptswap /dev/sda3 /dev/urandom swap

Open the installed system's fstab (/media/root/etc/fstab) and change it to refer to the /boot partition by its UUID from blkid, to /dev/mapper/crypt as the root partition (never the raw /dev/sda2), and to add the swap mapping too:

# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    nodev,noexec,nosuid 0       0
/dev/mapper/crypt /               ext4    errors=remount-ro 0       1
UUID=3cd4ecfa-d494-469d-978b-327aa095a087 /boot           ext4    defaults        0       2
/dev/mapper/cryptswap   none    swap    sw      0       0

Re-run update-initramfs to be doubly sure, then reboot.

If you get the error “update-initramfs is disabled since running on read-only media”, type the following:


(because we mounted the encrypted Linux partition at /media/root, and the update-initramfs that came on the USB stick was always going to be disabled).
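As an added example (not the author's command, and not Ubuntu's own tooling), here is how the whole "prepare the installed system" step above can be done in one go: build the installed system's /etc/crypttab and /etc/fstab from blkid output, then regenerate its initramfs from inside a chroot of the installed root so that update-initramfs runs against the installed kernel and writes into the installed /boot, which is what the live medium's own update-initramfs refuses to do. It assumes the layout used on this page (/dev/sda1 as /boot, /dev/sda2 as the LUKS root mapped as crypt, /dev/sda3 as swap, installed root mounted at /media/root); the blkid text it parses offline is a constructed sample standing in for the real command.

```shell
#!/bin/sh
# Added example (not the author's command or any distro tooling): build the
# installed system's /etc/crypttab and /etc/fstab from blkid output, then
# regenerate its initramfs from inside a chroot so update-initramfs runs
# against the installed kernel and writes into the installed /boot.
# Assumptions matching the layout on this page: /dev/sda1 is /boot, /dev/sda2
# is the LUKS root mapped as "crypt", /dev/sda3 is swap, and the installed
# root is mounted at /media/root.

# Constructed sample of `blkid` output so the parsing can be exercised offline.
SAMPLE_BLKID='/dev/sda1: UUID="3cd4ecfa-d494-469d-978b-327aa095a087" TYPE="ext4"
/dev/sda2: UUID="176881fa-546a-492e-a3b6-dfbfbfb6a77a" TYPE="crypto_LUKS"
/dev/mapper/crypt: UUID="9b2b5d2e-0000-4000-8000-000000000001" TYPE="ext4"
/dev/sda3: UUID="0e1d2c3b-0000-4000-8000-000000000002" TYPE="swap"'

# uuid_of DEVICE BLKID_TEXT -> prints the UUID of DEVICE; non-zero if absent.
uuid_of() {
    printf '%s\n' "$2" | sed -n "s|^$1: .*UUID=\"\([^\"]*\)\".*|\1|p" | grep .
}

# gen_crypttab ROOT_UUID SWAP_DEV -> crypttab for the installed system.
# The root entry names the LUKS container by UUID. The swap entry is a plain
# (headerless) dm-crypt mapping keyed from /dev/urandom on every boot; since
# there is no LUKS header to record them, cipher, size and hash are spelled
# out instead of being left to whatever cryptsetup defaults to.
gen_crypttab() {
    printf '# <target name> <source device> <key file> <options>\n'
    printf 'crypt UUID=%s none luks\n' "$1"
    printf 'cryptswap %s /dev/urandom swap,cipher=aes-xts-plain64,size=256,hash=sha256\n' "$2"
}

# gen_fstab BOOT_UUID -> fstab that mounts the mapper devices, never the raw
# /dev/sda2 or /dev/sda3 underneath them.
gen_fstab() {
    printf '# <file system> <mount point> <type> <options> <dump> <pass>\n'
    printf 'proc /proc proc nodev,noexec,nosuid 0 0\n'
    printf '/dev/mapper/crypt / ext4 errors=remount-ro 0 1\n'
    printf 'UUID=%s /boot ext4 defaults 0 2\n' "$1"
    printf '/dev/mapper/cryptswap none swap sw 0 0\n'
}

# install_config TARGET -> run as root on the live desktop with the installed
# root mounted at TARGET. Reads the real blkid, writes both files into the
# installed tree (not the live system's /etc), then rebuilds every initramfs
# in the installed /boot from a chroot with the live kernel's /dev, /proc and
# /sys bound in so device lookups work.
install_config() {
    target=$1
    real_blkid=$(blkid)
    root_uuid=$(uuid_of /dev/sda2 "$real_blkid") || { echo "no UUID for /dev/sda2" >&2; return 1; }
    boot_uuid=$(uuid_of /dev/sda1 "$real_blkid") || { echo "no UUID for /dev/sda1" >&2; return 1; }
    mountpoint -q "$target/boot" || mount /dev/sda1 "$target/boot"
    gen_crypttab "$root_uuid" /dev/sda3 > "$target/etc/crypttab"
    gen_fstab "$boot_uuid" > "$target/etc/fstab"
    for fs in dev proc sys; do mount --bind "/$fs" "$target/$fs"; done
    rc=0
    chroot "$target" update-initramfs -u -k all || rc=$?
    for fs in sys proc dev; do umount "$target/$fs"; done
    return $rc
}

# Offline demonstration on the constructed sample:
root_uuid=$(uuid_of /dev/sda2 "$SAMPLE_BLKID")
boot_uuid=$(uuid_of /dev/sda1 "$SAMPLE_BLKID")
gen_crypttab "$root_uuid" /dev/sda3
gen_fstab "$boot_uuid"
# On the live desktop, as root, after "Continue Testing":
#   mkdir -p /media/root && mount /dev/mapper/crypt /media/root && install_config /media/root
```

The chroot is the point: the initramfs-tools hooks inside it see the installed system's packages and kernels, and the bind mounts give them a live /dev to resolve UUIDs against. If update-initramfs inside the chroot prints nothing about cryptsetup, check that the cryptsetup package (not only cryptsetup-bin) is installed in the target, which is the problem the kernel-upgrade section below runs into.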

Preparing For A Kernel Upgrade

(You do want to be able to unlock the disk by being offered an opportunity to enter your password, right?)

After following the above instructions I could reboot the computer, enter my password for the disk encryption, and boot into Xubuntu.

As most people do, I issued an apt-get update and apt-get dist-upgrade, which resulted in a new kernel being installed. When I rebooted I got a plain black screen; it would echo characters I typed but do nothing else. When I rebooted into recovery mode it would get as far as detecting my USB devices and then seem to hang. I was able (by pressing the Tab key during boot) to get GRUB to boot my original kernel, and that asked me for my disk encryption password as expected, so I could boot that way.

The clue to solving this was in this Ubuntu help page about encrypted filesystems, which notes that the cryptsetup package is not installed by default on modern Ubuntu.

When I ran dpkg -l I could see I had the cryptsetup-bin package installed but not cryptsetup. So I installed it, and this was the output:

root@mybox:/# apt-get install cryptsetup
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  linux-headers-3.2.0-29 linux-headers-3.2.0-29-generic python-support
Use 'apt-get autoremove' to remove them.
Suggested packages:
The following NEW packages will be installed
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 80.0 kB of archives.
After this operation, 316 kB of additional disk space will be used.
Get:1 precise/main cryptsetup amd64 2:1.4.1-2ubuntu4 [80.0 kB]
Fetched 80.0 kB in 0s (2,760 kB/s)  
Preconfiguring packages ...
Selecting previously unselected package cryptsetup.
(Reading database ... 172939 files and directories currently installed.)
Unpacking cryptsetup (from .../cryptsetup_2%3a1.4.1-2ubuntu4_amd64.deb) ...
Processing triggers for ureadahead ...
ureadahead will be reprofiled on next reboot
Processing triggers for man-db ...
Setting up cryptsetup (2:1.4.1-2ubuntu4) ...
update-initramfs: deferring update (trigger activated)
WARNING: you need to set all of cipher, hash and size for the plain dm-crypt mapping cryptswap in /etc/crypttab.
Processing triggers for initramfs-tools ...
update-initramfs: Generating /boot/initrd.img-3.2.0-30-generic

When I rebooted, the new kernel asked me for my disk encryption password and booted normally. The reason is that cryptsetup-bin only provides the binaries; the cryptsetup package carries the initramfs hook that copies them into every new initrd, which is why installing it immediately regenerated /boot/initrd.img-3.2.0-30-generic in the output above. Without that hook each kernel upgrade produces an initramfs with no way to ask for the passphrase.
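As an added example (not part of the original post and not Ubuntu's own tooling), two checks to run after any kernel upgrade and before rebooting, so that the black-screen failure above is caught while the old kernel is still running: one that every plain dm-crypt line in crypttab names cipher, size and hash, which is exactly what the WARNING in the output above complains about, and one that each initramfs in /boot actually contains the cryptsetup binary. The crypttab check runs here on constructed entries (the page's own swap line and a completed version of it); the initrd check needs a real /boot and is shown in the trailing comment.

```shell
#!/bin/sh
# Added example (not from the original post): pre-reboot checks for a
# LUKS-rooted system after a kernel or cryptsetup upgrade.

# Constructed crypttab entries: the page's original swap line, and the same
# line with the options the cryptsetup hook warns about filled in.
CRYPTTAB_INCOMPLETE='crypt UUID=176881fa-546a-492e-a3b6-dfbfbfb6a77a none luks
cryptswap /dev/sda3 /dev/urandom swap'
CRYPTTAB_COMPLETE='crypt UUID=176881fa-546a-492e-a3b6-dfbfbfb6a77a none luks
cryptswap /dev/sda3 /dev/urandom swap,cipher=aes-xts-plain64,size=256,hash=sha256'

# crypttab_plain_ok CRYPTTAB_TEXT -> 0 if every non-LUKS (plain dm-crypt)
# mapping spells out cipher, size and hash; 1 otherwise, naming the first
# offender on stderr. LUKS mappings are skipped: their header records all
# three. Plain mappings that rely on compiled-in defaults can silently change
# behaviour when cryptsetup is upgraded, so the hook's warning is worth heeding.
crypttab_plain_ok() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep . | while read -r name src key opts; do
        case ",$opts," in
            *,luks,*) continue ;;
        esac
        for need in cipher= size= hash=; do
            case ",$opts," in
                *,$need*) ;;
                *) echo "mapping $name lacks $need" >&2; exit 1 ;;
            esac
        done
    done
}

# initrd_has_cryptsetup IMG -> 0 if the initramfs image bundles cryptsetup,
# which is what produces the boot-time passphrase prompt. Missing it means
# the cryptsetup package (not just cryptsetup-bin) is absent or its hook did
# not run; fix with `apt-get install cryptsetup` and `update-initramfs -u -k all`.
initrd_has_cryptsetup() {
    lsinitramfs "$1" | grep -q 'sbin/cryptsetup$'
}

# check_all_initrds -> one line per image, non-zero if any image lacks it.
check_all_initrds() {
    status=0
    for img in /boot/initrd.img-*; do
        if initrd_has_cryptsetup "$img"; then
            echo "ok      $img"
        else
            echo "MISSING $img" >&2
            status=1
        fi
    done
    return $status
}

# Offline demonstration on the constructed entries:
crypttab_plain_ok "$CRYPTTAB_INCOMPLETE" || echo "original swap line needs cipher/size/hash"
crypttab_plain_ok "$CRYPTTAB_COMPLETE" && echo "completed swap line is fine"
# On the installed system, as root, before rebooting into a new kernel:
#   crypttab_plain_ok "$(cat /etc/crypttab)" && check_all_initrds
```

Run both checks from the still-booted old kernel; if check_all_initrds reports MISSING, the new initrd will drop you at the black screen described above, and the fix is to install cryptsetup and rebuild the initramfs before rebooting rather than after.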

Changing the Encrypted Partition’s Password

First find out which partition you want to modify. Key-slot operations work while the partition is unlocked and mounted, so, thankfully, there is no need to reboot.

cat /etc/crypttab

List what keys you presently have for that partition:

root@myserver:~# cryptsetup luksDump /dev/sda2
LUKS header information for /dev/sda2

Version:       	1
Cipher name:   	aes
Cipher mode:   	cbc-essiv:sha256
Hash spec:     	sha512
Payload offset:	4096
MK bits:       	256
MK digest:     	22 14 a2 bb 34 13 23 65 af f2 ca ad 22 20 04 18 19 d2 2e 2f 
MK salt:       	5a 36 77 17 ca a4 12 02 ac 30 0f b7 52 5c ac 48 
               	7e 3a 57 8c 7f e8 86 9f c1 1a 07 2d 22 19 71 15 
MK iterations: 	14625
UUID:          	314281fa-546a-522e-a716-efa1bfb6ef1a

Key Slot 0: ENABLED
	Iterations:         	58833
	Salt:               	33 5a ca ca 72 01 19 00 12 fc c3 63 79 44 85 5b 
	                      	f1 0c 0d bb 6b 98 93 c0 86 4a ac 12 7e 71 bd 2e 
	Key material offset:	8
	AF stripes:            	4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

Then add a key (LUKS1 has 8 key slots, so up to 8 passphrases per partition):

root@myserver:~# cryptsetup luksAddKey /dev/sda2
Enter any passphrase: enter_your_old_password
Enter new passphrase for key slot: enter_new_password
Verify passphrase: enter_new_password

Now, if the existing key was in slot 0 (zero), delete the old key from that slot. You have to provide a different passphrase (e.g. the new one you just added) before the operation completes. Check that the new passphrase really unlocks the device before killing the old slot: luksKillSlot is irreversible, and once the last usable slot is gone the data is unrecoverable.

root@myserver:~# cryptsetup luksKillSlot /dev/sda2 0
Enter any remaining LUKS passphrase: enter_new_password

All done.

Double-Check the Encrypted Partition’s Password

If you're paranoid (and I'm paranoid) that you might have forgotten what your disk's password is, you can type the following and abort at the second prompt (the header is only rewritten after a new passphrase has been supplied, so nothing changes). cryptsetup also has a luksOpen --test-passphrase option that performs this check without starting a key change at all:

root@myserver:~# cryptsetup luksChangeKey /dev/sda2
Enter LUKS passphrase to be changed: 
Enter new LUKS passphrase: ^C


If you type it wrong you’ll get:

root@myserver:~# cryptsetup luksChangeKey /dev/sda2
Enter LUKS passphrase to be changed: 
No key available with this pass-phrase.
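As an added example (not the author's procedure and not cryptsetup project code) covering both the key change above and this double-check: a small shell script that rotates a passphrase in the safe order (add the new slot, prove the new passphrase opens the header with luksOpen --test-passphrase, and only then kill the old slot), refuses to remove the only remaining slot, and offers the --test-passphrase check on its own. The slot parsing runs here on a constructed luksDump excerpt so it can be checked without root; the device path and the header backup location are assumptions.

```shell
#!/bin/sh
# Added example, not the author's procedure or cryptsetup project code:
# rotate a LUKS passphrase without ever being left with zero working slots,
# and verify a passphrase without starting a key change. Functions that
# touch a device need root and a real LUKS header; only the parsing runs here.

# Constructed excerpt in the shape of `cryptsetup luksDump` output (LUKS1).
SAMPLE_DUMP='LUKS header information for /dev/sda2
Version:        1
Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED'

# enabled_slots DUMP_TEXT -> space-separated numbers of the enabled slots.
enabled_slots() {
    printf '%s\n' "$1" | sed -n 's/^Key Slot \([0-7]\): ENABLED$/\1/p' | tr '\n' ' ' | sed 's/ $//'
}

# count_enabled DUMP_TEXT -> how many slots are enabled (0 is a valid answer).
count_enabled() {
    printf '%s\n' "$1" | grep -c '^Key Slot [0-7]: ENABLED$' || true
}

# check_passphrase DEVICE -> run as root; exit 0 iff the passphrase typed
# opens some slot. --test-passphrase verifies without mapping the device,
# so it replaces the "start luksChangeKey and press Ctrl-C" trick.
check_passphrase() {
    cryptsetup luksOpen --test-passphrase "$1"
}

# rotate_passphrase DEVICE OLD_SLOT -> run as root. cryptsetup prompts on the
# terminal for an existing passphrase (to authorise luksAddKey) and for the
# new one. The header is backed up first because luksKillSlot is irreversible;
# the new passphrase is tested before the old slot goes; and the old slot is
# never killed unless the slot count actually went up and at least two remain.
rotate_passphrase() {
    dev=$1
    old_slot=$2
    backup="/root/luks-header-$(basename "$dev").img"   # assumed backup location
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "$backup" || return 1
    chmod 600 "$backup"
    before=$(count_enabled "$(cryptsetup luksDump "$dev")")
    cryptsetup luksAddKey "$dev" || return 1
    echo "Type the NEW passphrase to prove it unlocks the header:"
    check_passphrase "$dev" || { echo "new passphrase rejected; slot $old_slot left intact" >&2; return 1; }
    after=$(count_enabled "$(cryptsetup luksDump "$dev")")
    if [ "$after" -le "$before" ] || [ "$after" -lt 2 ]; then
        echo "refusing to kill slot $old_slot: enabled slots went $before -> $after" >&2
        return 1
    fi
    cryptsetup luksKillSlot "$dev" "$old_slot"
}

# Offline demonstration on the constructed dump:
echo "enabled slots in sample: $(enabled_slots "$SAMPLE_DUMP") ($(count_enabled "$SAMPLE_DUMP") of 8)"
# As root on a real system:
#   rotate_passphrase /dev/sda2 0
#   check_passphrase /dev/sda2
```

The test step is the one that matters: --test-passphrase accepts any passphrase that opens any slot, so type the new one there, not the old one, otherwise you have proved nothing about the slot you are about to rely on. Keep the header backup somewhere other than the encrypted disk itself, and treat it as sensitive: anyone holding it plus an old passphrase can still unlock the data even after the slot has been killed on the live header.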

3 responses to “Full Disk Encryption on Xubuntu Precise 12.04”

  1. Anonymous February 26, 2013 at 8:44 am

    I just want to say thank you for this article. This is not the only such guide, but it _is_ the most intuitive and easy to follow that I’ve seen.

  2. Anonymous April 19, 2013 at 5:02 pm

    I have been experimenting with this setup for a few days now; this is indeed the most intuitive guide I have found. I would like to know if it is possible to use a USB thumb drive as the /boot partition. I have tried several times and actually got it to work; however, after doing apt-get upgrade it will no longer recognise the USB by its UUID and dumps into the initramfs prompt with a warning that UUID XX cannot be found, which is the USB thumb drive. After doing blkid I do see the USB thumb drive, only now it has a different UUID. What am I missing here? Can you please help? I am rather new to cryptsetup. Thanks….

  3. rhaeri September 16, 2013 at 2:37 pm

    Hi there,

    I am trying to follow the steps above but somehow I can never set the mount point from gparted. In Xubuntu 12.04 the Mount menu item was not even visible and in Xubuntu 12.10 the Mount menu item is disabled. Does anybody have any ideas?

