Home / ubuntu / Questions / 1242962
In Process
Prototype700
Asked: 2020-05-24 15:19:33 +0800 CST

How to install Ubuntu on an encrypted, error-correcting RAID 1 device with dm-crypt?

  • 772

I would like to install Ubuntu on a two-disk RAID 1 with dm-integrity and LUKS2-encryption.

Unfortunately, neither Ubiquity, nor the alternative textmode-installer offer such a solution.

Although this seemed simple to do manually, I haven't been able to install the system, yet.

The layout for both drives was as follows:

  1. /dev/sdX1 [ext2] to be used as unencrypted /boot
  2. /dev/sdX2 [unformatted] to be configured in LVM for encrypted /root & swap

I formatted both drives on a live system in gparted and then executed cryptsetup luksFormat --type luks2 --integrity hmac-sha256 /<device>/<partition> for either drive as a basis in order to create the RAID device, LVM and filesystem on top of later in the manual installer.

However, the manual partitioner does not recognise the encrypted partitions and I can't continue to work with them.

How can I "open" the encrypted partitions to set them up for the system installation without re-formatting them first?

Is there anything else that needs to be considered with this approach? Does Ubuntu demand certain LUKS-parameters or is something advisable to use for this purpose?

Do I have to manually add the devices to a file after the installation to be corrctly decrypted at boot? Is the --integrity option used automatically?

Is this even the best approach or is there another way to accomplish this? (Excluding the usage of Btrfs/ZFS filesystems)

system-installation encryption partitioning raid cryptsetup

1 Answers

  1. First of all, it's likely safer to create the encrypted volumes in an extended, logical partition if using LVM on it later.

    I've tried to format a partition with dm-integrity in Ubuntu 20.04 before opening the installer and while cryptsetup was able to open it, I could not create a volume group or filesystem on it, because mkfs.ext4 would fail and pvcreate resulted in:

    Error reading device /dev/mapper/sda5_crypt at 0 length 512.
Error reading device /dev/mapper/sda5_crypt at 0 length 4096.
Device /dev/mapper/sda5_crypt excluded by a filter.

    The installer also did not know how to handle the partitions and wouldn't let me create any partitions on it.

    I did not try this on a RAID device, but I doubt that would make it any better. I also noticed that dm-integrity creates two crypt devices as seen in lsblk:

    └─sda5               8:6    0 237.3G  0 part  
  └─sda5_crypt_dif 253:0    0 223.2G  0 crypt 
    └─sda5_crypt   253:1    0 223.2G  0 crypt

    The filesystem creation worked fine on a regular luks device without integrity, so I assume that might be the issue.

    When trying to open the dm-integrity device on a virtual console, even after loading all dm-crypt modules, I got the error:

    Kernel doesn't support dm-integrity mapping.

    I searched for the error online and found this blog entry, which deals with a very similar issue: https://kenta.blogspot.com/2019/07/ttvdpsoo-installing-ubuntu-with-luks2.html

    The author suggests to:

    1. Install encrypted to the extent that the regular installer can do it.
    2. Reboot into a live CD.
    3. Basically, create an image of the entire encrypted system partitions
    4. Reformat the encrypted partitions with the integrity option
    5. Push the system images to the new partitions and update crypttab, initramfs

    I haven't tried this and can't comment whether this works or not, but I can see that the live system would get the same errors on step 4 while trying to format the new partitions, so it would have to be a system on USB that can somehow format them correctly.

    The author also mentions at the end that:

    Unfortunately, these instructions do not work for Debian Buster (RC2) (and also probably later versions of Ubuntu), because of recent changes to cryptsetup, in particular /usr/share/initramfs/hooks/cryptroot . The first error ("Source mismatch") happens in print_crypttab_entry, where dmsetup info -c -o devnos_used returns a different major number when dealing with a dm_integrity device.

    At the moment, this doesn't seem to be possible unfortunately, unless one can somehow copy and reformat the entire system without any further issues. Please feel free to correct me if I made an error or there is another option.

    • 2