I'd like to post a tuto about dual-booting linux on encrypted partitions. It's about Debian and the Ubuntu based distro LXLE. The starting point was the tutorial at the end of this thread here:
http://www.lxle.net/forums/discussion/4 … rtition/p1
The tutorial above helped me a lot. However in my case it was about getting a multiboot grub with LUKS encrypted linux partitions working. I'll try to describe the steps, someone might find it useful in the future (especially me, if I'm going to try the same on another machine). The tuto is very detailed, so even noobs should be able to understand the steps. Comments and corrections are welcome.
-----------------------------------------------------------------------------------------------------------------------
Starting point: I had a dual-boot machine with Windows and Debian. There was a separate boot partition and Debian was on an encrypted partition. This is what the HDD partitioning looked like:
sda1: Windows boot primary partition (100 MB);
sda2: Windows OS primary partition (100GB);
sda3: Grub boot primary partition (500MB);
sda4: Encrypted Debian primary partition (100GB)
-> after that 200 GB unallocated space.
As you can see there are already four primary partitions, which is the maximum. When I tried to install LXLE, it obviously did not let me create a new primary partition in the unallocated area.
This is what I did: I moved sda3 boot partition and sda4 Debian partition to the end and converted sda2 Windows primary partition to an extended (logical) partition. After that I could create two new extended 100GB partitions, one of which I used for LXLE. Here are the steps:
1. First of all making a backup of the whole HDD is crucial!!! There should be a backup anyway. I had an external drive with more free space than the size of the HDD. After the drive was mounted I used the “cd” command (cd /media/UserName/ExternalDrive) in order to get to the folder where I wanted to create an image of the HDD. The command I used is (being root all the time; otherwise use “sudo” if you like):
dd if=/dev/sda of=sda.img bs=32M status=progress
“status=progress” does not work on debian yet, but it works on the lxle live environment. Notice: It creates the .img file in the folder in which you are when using the command above.
2. Making a separate backup of the sda3 boot partition was also necessary. It can be helpful to have a separate backup of the other partitions too, although I did not need them. However they are still important, if e.g. the converting of the windows partition does not work (there is always a risk that something might go wrong). I created an image of the boot partition:
dd if=/dev/sda3 of=sda3.img bs=32M status=progress
Notice: This time it's about creating an image of a partition (sda3), not the whole HDD (sda).
3. Gparted cannot handle encrypted partitions, so I could not use it in order to move sda4. This is the tutorial that helped me solve the “moving the partition to the end” issue (fantastic work btw, kind of complicated issue but very well explained): http://matthiaslee.com/node/33
First note the locations and sizes of the current partitions:
sfdisk -d /dev/sda
It will show the relevant data (the numbers are just an example from the tuto):
# partition table of /dev/sda
unit: sectors
/dev/sda1 : start= 63, size=404414577, Id= 7
/dev/sda2 : start=404414701, size=223806179, Id= 5
/dev/sda3 : start=628220880, size=143806320, Id= 7
/dev/sda4 : start=772027200, size=204800400, Id=83
4. The following command will show the sectors count on the HDD:
sudo fdisk -l /dev/sda
Something like (just an example, the numbers are nonsense):
“Disk /dev/sda: 400 GiB, 12803567616000 bytes, 25000069680 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
etc.etc.”
What we need here is the number of sectors on the HDD, which is 25000069680 sectors.
5. Now the dumping and editing of the partition table:
sfdisk -d /dev/sda > partition.dump
This will create a partition.dump file. It will be edited, but first the beginning of the partition has to be calculated (after it goes to the end). Take the total number of sectors 25000069680 (see above) minus the size of the partition that goes to the end (sda4), which is 204800400 sectors: (25000069680-204800400)= 24795269280.
If you want to have the partition at the very end, you have to add “1”, so the number we get is: 24795269281. Why do we need +1? Let's say you have a 10 sectors HDD and want to move a 3 sectors partition to the end. You take 10 minus 3, which is 7. If you use sector 7 as the starting sector, the first sector of the 3 goes to sector 7, the second to 8, the third to sector 9. There will be one sector left at the end.
Now we got the starting sector, we need to edit partition.dump:
nano partition.dump
# partition table of /dev/sda
unit: sectors
/dev/sda1 : start= 63, size=404414577, Id= 7
/dev/sda2 : start=404414701, size=223806179, Id= 5
/dev/sda3 : start=628220880, size=143806320, Id= 7
/dev/sda4 : start=24795269281, size=204800400, Id=83
As we want to move sda4, we replaced the old start-sector number by the number we just calculated (notice the number after “start” 24795269281).
6. Here comes the magic. Create a dd command that will copy the partition we want to move sector by sector to the end:
dd if=/dev/sda of=/dev/sda bs=512 skip=BEGIN_OLD_SDA4 \
count=SIZE_SDA4 seek=BEGIN_NEW_SDA4
In the example it would be:
dd if=/dev/sda of=/dev/sda bs=512 skip=772027200 count=204800400 seek=24795269281
The blocksize is set to 512, which is the size of each sector. The command starts reading at block 772027200 (start of the old location), 204800400 blocks will be copied to the seek location (new start of the partition) at 24795269281.
7. After the copy finished, the new partition table has to be implemented. This is where the partition.dump file, which was created before, gets used:
sfdisk --force /dev/sda < partition.dump
8. When these steps are finished, the partition sda4 has its new location on the HDD at the very end. I used the same steps to move the boot partition (sda3) to the end before sda4 (it seems that it would have been possible to move both partitions together; I moved them separately). When calculating the new starting sector of sda3, obviously not the total number of sectors is needed, but the beginning sector of sda4 at the new location minus the size of sda3 (plus 1).
9. After those partitions were successfully moved to the end, I booted into Windows. I used the software called “Minitool Partition Wizard”, which has a “converting primary to logical partition” feature. So first I made a logical partition out of the Windows partition sda2. After this step I could create two other extended (unformatted) 100 GB partitions via Minitool Partition Wizard.
-------------------------------------------------------------------------------------------------------------------------------------------------------------
10. After this step back to linux again. I created a bootable 64 bit LXLE USB stick from the image via the dd command. I used it in order to boot into the live system. Here I basically followed the steps in the tutorial above.
11. First an encrypted partition has to be created. Notice that at this step I already had six partitions and the numbers did not represent their physical order on the HDD (which is 1,2,5,6,3,4):
sda1: Windows boot primary partition, nothing changed here.
sda2: Windows OS, which partition was converted to a logical partition.
sda3: Boot partition, moved to the end.
sda4: Encrypted Debian partition, moved to the very end.
sda5: Unformatted 100GB extended partition.
sda6: Unformatted 100GB extended partition.
I decided to use the partition sda6 for the new LXLE install. I started “Install LXLE” on the desktop of the live system. After one or two steps the partition table will be shown. After choosing sda6, there is the button “change”, which allows to set it to “Use it as physical partition for encryption”(or something like that). I created an encrypted partition this way and aborted the further install. However someone could simply open a terminal in the live system and after getting root (sudo su) the following command is needed:
cryptsetup luksFormat /dev/sda6
Why did I use the Install-GUI at this step? I tried the terminal command and did not manage to boot into the system. I just wanted to change something. However basically it should not matter how the encrypted partition is created.
12. There was an encrypted partition created, let's open it:
cryptsetup luksOpen /dev/sda6 sda6_crypt
Notice: I've chosen to use the name “sda6_crypt”, it's crypt_sda6 in the tutorial above. You can use whatever you want, as long as it will be used correctly at the appropriate places and commands.
13. On the encrypted partition create a physical volume:
pvcreate /dev/mapper/sda6_crypt
14. Create a volume group:
vgcreate volumegroup /dev/mapper/sda6_crypt
Notice: The name of the volume group is “volumegroup”. Of course the name could be something different.
15. Let's create root, home and swap logical volumes:
lvcreate -n lvroot -L 10g volumegroup
lvcreate -n lvhome -L 86g volumegroup
lvcreate -n lvswap -L 4g volumegroup
As you can see, I named them lvroot, lvhome and lvswap. Basically it's the same structure as in the tutorial above. Notice that the size of the partitions is also given here.
16. Minimize all opened windows and click on the icon for LXLE14 installation at the desktop. In the Install-GUI there will be the logical volumes available, so choose lvroot, set it to ext4 and mount point root “/”. Same with lvhome, ext4, mount point “home” and lvswap, “swap area”. At this step choose sda3 as boot partition and check “formatting” (ext3). It will overwrite the old boot partition, but don't worry about it as a backup was created before (see step 2).
17. I give step 17 as a gift to Winnie the Pooh.
18. Click install, check that everything is correct and let the installer do the work. Do NOT allow to reboot at the end!
19. Open terminal, get root, let's mount the root partition we just installed.
mount /dev/mapper/volumegroup-lvroot /mnt
mount --bind /dev /mnt/dev
Also the boot partition:
mount /dev/sda3 /mnt/boot
Chroot into it:
chroot /mnt
Mount some more stuff:
mount -t proc proc /proc
mount -t sysfs sys /sys
mount -t devpts devpts /dev/pts
(Someone could maybe comment on these steps. Are they correct? I just took them from another tutorial and it worked).
20. Use the command “blkid” in order to get the UUID of /dev/sda6. Create /etc/crypttab with the following content:
sda6_crypt UUID=66666666-6666-6666-6666-666666666666 none luks
21. Create /usr/share/initramfs-tools/conf-hooks.d/forcecryptsetup file with the following content:
export CRYPTSETUP=y
22. Create /usr/share/initramfs-tools/conf.d/cryptroot file with the following content:
target=sda6_crypt,source=UUID=66666666-6666-6666-6666-666666666666,key=none,rootdev,lvm=volumegroup-lvroot
target=sda6_crypt,source=UUID=66666666-6666-6666-6666-666666666666,key=none,lvm=volumegroup-lvswap
target=sda6_crypt,source=UUID=66666666-6666-6666-6666-666666666666,key=none,lvm=volumegroup-lvhome
23. At this stage we have basically all the steps from the tutorial above. If I remember correctly, after updating the initramfs (update-initramfs -u), I could boot into the installed LXLE system. Obviously I could not boot into Debian, as the old boot partition got overwritten.
This is how I proceeded: I got out of the chroot system (exit) and did unmount everything.
I made a backup of the new boot partition sda3. This can be still carried out in the LXLE live system. I used the same method as above at step 2:
dd if=/dev/sda3 of=sda3NEW.img bs=32M status=progress
24. Now we need the old sda3 backup we created at step 2. I used it in order to get the old boot partition back, so I could boot into Debian.
dd if=sda3.img of=/dev/sda3 bs=32M status=progress
25. Let's reboot the system (remove the stick). As the old boot partition is back, nothing has changed in the grub menu (even if there is a new distro installed on sda6). Boot into the encrypted debian system.
26. Being in Debian, fire up the terminal, get root and open sda6 with all the logical volumes:
cryptsetup luksOpen /dev/sda6 sda6_crypt
Activate the logical volumes:
vgchange -ay volumegroup
27. We are going to chroot into LXLE, but before that let's mount sda3NEW.img we created before into /mnt (of course you can use another directory too; use the “cd” command to get to the folder of the .img file):
mount sda3NEW.img /mnt
28. Open /mnt with the content of the LXLE boot partition. Copy the files abi-4.4etc., config-4.4etc., initrdetc. and two vmlinuzetc. files to /dev/sda3 (I did not use the correct filenames here but you can identify those five files). I used the file manager, but using the cp command is also possible. After that, unmount the image:
umount sda3NEW.img
29. Now let's chroot into LXLE the same way as at step 19:
mount /dev/mapper/volumegroup-lvroot /mnt
mount --bind /dev /mnt/dev
Also the boot partition:
mount /dev/sda3 /mnt/boot
Chroot into it:
chroot /mnt
Mount some more stuff:
mount -t proc proc /proc
mount -t sysfs sys /sys
mount -t devpts devpts /dev/pts
30. Configure grub to decrypt and find your root partition (notice that the following steps are in the chroot environment!!! So everything is within /mnt).
nano /etc/default/grub
Add the following lines to the grub file with the UUID of the encrypted (/dev/sda6) partition:
GRUB_CMDLINE_LINUX="cryptdevice=UUID=66666666-6666-6666-6666-666666666666:sda6_crypt root=/dev/mapper/volumegroup-lvroot"
GRUB_ENABLE_CRYPTODISK=y
31. Edit fstab:
nano /etc/fstab
Adding discard and noatime to the mount options reduces writes to the SSD drive:
/dev/mapper/volumegroup-lvroot / ext4 errors=remount-ro,discard,noatime 0 1
/dev/mapper/volumegroup-lvhome /home ext4 errors=remount-ro,discard,noatime 0 1
/dev/mapper/volumegroup-lvswap none swap sw 0 0
UUID=12345678-831a-4b9e-8ab3-4389c9b551da /boot ext3 defaults,noatime 0 2
Recheck that the UUID of the boot partition (sda3) is correct (command blkid).
32. I'm not sure if this step is necessary but I can remember some issues regarding lvmetad. I edited in the chroot environment /etc/lvm/lvm.conf and set “use_lvmetad=0”.
33. Rebuild the ramdisk:
update-initramfs -k all -c
34. Update grub
update-grub
After that making a reboot should lead to a grub menu with LXLE also available on the encrypted partition.
35. Make a backup of the boot partition (see step 23, but choose a different name this time e.g. sda3dualboot.img)
I would like to mention that suspend works well and there is no issue at all with booting Windows as its partition is NOT encrypted, so grub will find it after every grub update. Also be careful when choosing the password for the partition encryption or for user/root and check the keyboard layout (sometimes it sticks with US layout). If there is a distro (kernel) upgrade, it's a bit tricky with grub, but I'll post here the solution I use.
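A pre-flight check for the partition move in steps 3 to 8, added here as an example and not part of the original post. `dump_field` and `check_move` are hypothetical helper names, the sample values are the post's example numbers, and the check assumes sectors are addressed from 0, the way `sfdisk -d` start values and dd's skip=/seek= count them.

```shell
#!/bin/sh
# Added example, not from the original post. dump_field and check_move are
# hypothetical helpers. Sectors are addressed from 0, as in sfdisk "start="
# values and dd skip=/seek=, so a disk of TOTAL sectors ends at TOTAL-1.

# dump_field PARTITION FIELD: read `sfdisk -d` output on stdin and print the
# "start" or "size" number for one partition.
dump_field() {
    sed -n "s|^$1 *:.*[ ,]$2= *\([0-9][0-9]*\).*|\1|p"
}

# check_move TOTAL OLD_START SIZE NEW_START: print the dd command for the
# in-place move, or explain why it would destroy data and return non-zero.
check_move() {
    total=$1; old_start=$2; size=$3; new_start=$4
    for v in "$total" "$old_start" "$size" "$new_start"; do
        case $v in
            ''|*[!0-9]*) echo "not a sector number: '$v'" >&2; return 2 ;;
        esac
    done
    old_end=$((old_start + size - 1))
    new_end=$((new_start + size - 1))
    if [ "$new_end" -ge "$total" ]; then
        echo "target ends at $new_end, last sector is $((total - 1))" >&2
        return 1
    fi
    # dd copies front to back: a target that starts inside the source range
    # overwrites source sectors before they have been read.
    if [ "$new_start" -gt "$old_start" ] && [ "$new_start" -le "$old_end" ]; then
        echo "target overlaps source; go through an image file instead" >&2
        return 1
    fi
    echo "dd if=/dev/sda of=/dev/sda bs=512 skip=$old_start count=$size seek=$new_start"
}

# Constructed sample: the example dump line and sector count from the post.
line='/dev/sda4 : start=772027200, size=204800400, Id=83'
start=$(printf '%s\n' "$line" | dump_field /dev/sda4 start)
size=$(printf '%s\n' "$line" | dump_field /dev/sda4 size)
check_move 25000069680 "$start" "$size" $((25000069680 - size))
```

With the example figures from steps 4 and 5 it accepts a start of 24795269280 and rejects 24795269281, whose last sector would be 25000069680, one past the last addressable sector 25000069679.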
Kernel Upgrade
If there is a distro(kernel)-upgrade and grub gets updated, it will cause some problems because of the encrypted partitions. Basic solution I found: In order to boot into LXLE I edited /boot/grub/grub.cfg.
When Debian gets an upgrade, it will update grub for Debian – for LXLE I manually put the menuentry in grub.cfg.
If LXLE gets an upgrade, I make a backup of the newly created grub partition files, take the previous (multiboot)grub-partition backup, restore it and manually copy the new files mentioned at Step 28 to the restored boot partition. After that I correct the grub.cfg LXLE menuentry – that's all.
Here is what the custom menuentry for LXLE looks like. This goes in grub.cfg under ### END /etc/grub.d/40_custom ###:
menuentry 'LXLE Eclectica 16.04.1 64bit GNU/Linux' --class lxle --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-d52ca431-234c-4dd0-be7a-54a2ec3460c6' {
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_msdos
insmod ext2
set root='hd0,msdos3'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint='lvmid/etcetcetceteceetcetec' XXXXXXXXXXXX-xxxxx-xxxxx-xxxxx-xxxxxxxxxxxxx
else
search --no-floppy --fs-uuid --set=root XXXXXXXXXXXX-xxxxx-xxxxx-xxxxx-xxxxxxxxxxxxx
fi
linux /vmlinuz-4.4.0-45-generic root=/dev/mapper/logicalvolume-lvmroot ro cryptdevice=UUID=6666666666666666666666666666666:sda6_crypt root=/dev/mapper/logicalvolume-lvmroot quiet splash $vt_handoff
initrd /initrd.img-4.4.0-45-generic
}
I guess there is one superfluous line in the menuentry above, but it does not really matter. At first sight it might look more complicated than it actually is. Basically if Debian gets an upgrade, the LXLE menuentry has to be put back in grub.cfg. If LXLE gets an upgrade, the new boot files go to the restored boot partition and the LXLE menuentry has to be manually updated. I tried some other solutions like updating grub from a chrooted LXLE environment in Debian but they just did not work. Grub has issues if there is more than one encrypted system partition, so the custom grub menuentry was the workaround I found.
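A consistency check for the names used in steps 20, 22 and 30, added here as an example and not part of the original posts: the mapper name and LUKS UUID in /etc/crypttab, the cryptroot file and GRUB_CMDLINE_LINUX have to agree before the initramfs is rebuilt. `check_crypt_names` is a hypothetical helper that takes the three file paths as arguments and assumes a single crypttab entry; the sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. check_crypt_names is a
# hypothetical helper; it assumes crypttab holds a single entry.
# Usage: check_crypt_names CRYPTTAB CRYPTROOT GRUB_DEFAULT
check_crypt_names() {
    crypttab=$1; cryptroot=$2; grubdef=$3
    # crypttab entry: "<name> UUID=<uuid> <keyfile> <options>"
    set -- $(awk '!/^[ \t]*#/ && NF { print $1, $2; exit }' "$crypttab")
    name=$1; uuid=${2#UUID=}
    if [ -z "$name" ] || [ -z "$uuid" ]; then
        echo "no usable entry in $crypttab" >&2; return 2
    fi
    rc=0
    # Each cryptroot line must name the same mapping and the same LUKS UUID.
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        case ",$line," in
            *",target=$name,"*) ;;
            *) echo "cryptroot target is not '$name': $line" >&2; rc=1 ;;
        esac
        case ",$line," in
            *",source=UUID=$uuid,"*) ;;
            *) echo "cryptroot UUID is not $uuid: $line" >&2; rc=1 ;;
        esac
    done < "$cryptroot"
    # The kernel command line must carry cryptdevice=UUID=<uuid>:<name>.
    if ! grep -q "^GRUB_CMDLINE_LINUX=.*cryptdevice=UUID=$uuid:$name[ \"]" "$grubdef"; then
        echo "GRUB_CMDLINE_LINUX does not reference $uuid:$name" >&2; rc=1
    fi
    return $rc
}

# Constructed sample files using the placeholder UUID from the post.
demo=$(mktemp -d)
u=66666666-6666-6666-6666-666666666666
echo "sda6_crypt UUID=$u none luks" > "$demo/crypttab"
echo "target=crypt_sda6,source=UUID=$u,key=none,rootdev,lvm=volumegroup-lvroot" > "$demo/cryptroot"
echo "GRUB_CMDLINE_LINUX=\"cryptdevice=UUID=$u:sda6_crypt root=/dev/mapper/volumegroup-lvroot\"" > "$demo/grub"
check_crypt_names "$demo/crypttab" "$demo/cryptroot" "$demo/grub" || echo "mismatch found"
```

The sample deliberately gives the cryptroot file a different mapping name than crypttab, so the call reports the mismatch.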