Installing Ubuntu on a (pre-existing) LUKS encrypted LVM system.

For the last 3 or more years I have been unsuccessfully trying to install Ubuntu on an encrypted hard drive. I’ve tried both installing everything fresh (with Ubuntu handling the initial partition setup, etc.) as well as trying to install on my existing system. In almost every case it failed miserably for one reason or another.

Today, that is history and I’ll tell you the most reliable way to install it on a pre-existing system (the hardest setup to deal with apparently).

First of all, despite what you’re told, do NOT get the “alternate” version of the installer disk. I have spent no less than 2 weeks (that’s 24/7 x2) with each of the alternate installers since 8.10 and they’re utter nonsense.

Under your current primary Linux installation, create a partition on your LVM for your Ubuntu installation. 

Grab a desktop version and boot from it. 

Set up your network and in a terminal run ‘apt-get update’ and then ‘apt-get install lvm2 cryptsetup hashalot’ (depending on what version of Ubuntu you’re installing, you may have to omit the hashalot entry).

Use cryptsetup to open your LUKS partition with ‘cryptsetup luksOpen /dev/yourharddrive crypted’ (‘crypted’ can be any name within reason).

Use ‘vgchange -ay’ to create nodes for your partitions in the LUKS container.

NOW install Ubuntu the way you would normally. Be sure to select your /boot partition for the /boot mountpoint and tell it not to format the partition, and of course use the partition you created earlier; you will need this later. Once the installer hits the end, do NOT reboot; hit ‘continue testing’.

 

Now it gets kinda tricky because at this point you’ve got an installed system but the initramfs doesn’t know it’s dealing with a LUKS container, much less *how* to deal with it. Fortunately once you understand what you’re doing, this won’t take long. For the most part everything you need to do will be done as root so go ahead and “sudo -i” so you don’t have to ‘sudo’ everything. 

 

In a terminal type

‘blkid |grep LUKS’

which should give you the UUID of the LUKS container (if not, you may need to use blkid by itself to find this yourself). Make note of that UUID.

Next you want to make a temporary directory to mount your new root (and boot) filesystem, something like (substitute your information where needed):

mkdir /mnt/ubuntu
mount /dev/mapper/vg-root /mnt/ubuntu
mount /dev/sdb1 /mnt/ubuntu/boot

Then chroot to that directory and mount the /sys and /proc directories:

chroot /mnt/ubuntu

mount -t proc proc /proc
mount -t sysfs sys /sys

Now you need to look to see if /etc/initramfs-tools/conf.d/cryptroot exists. If not, create it with these contents:

“CRYPTROOT=target=pvcrypt,source=/dev/sdb5”

(minus quotes of course), replacing “sdb5” with the partition that holds your LUKS container. You may also replace the “pvcrypt” with your own name, but you need to replace it everywhere… I find this utterly unnecessary.

Now in the terminal you need to install lvm2, cryptsetup and hashalot (if necessary) onto the system since they weren’t installed by default.

apt-get update

apt-get install hashalot lvm2 cryptsetup

Next, you need to open /etc/crypttab in an editor (I recommend either ‘pico’ or ‘nano’ but anything you’re comfortable with that can also handle being run as root will do) and fill it with the following:

pvcrypt      /dev/disk/by-uuid/<uuid from above>         none         luks

Next, check /etc/fstab and for the ‘/’ mount, replace the “UUID=<UUID of drive>” with something that looks like:

/dev/mapper/vg-root / ext4  defaults 0 1

Next in what is hopefully the final step:
update-initramfs -u
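
The edits above only hold together if the mapping name (“pvcrypt” here) is identical in cryptroot and crypttab and the fstab entry for ‘/’ points at /dev/mapper. The check below is an added example, not part of the original post; the function names and the sample tree (with a placeholder UUID) are made up for illustration. On a real install, run ‘check_luks_config /mnt/ubuntu’ from the live session before rebooting.

```shell
#!/bin/sh
# Added example: check that the mapping name agrees in cryptroot, crypttab and fstab.
# Usage on a real install (outside the chroot): check_luks_config /mnt/ubuntu

check_luks_config() {
    root=$1; problems=0
    conf="$root/etc/initramfs-tools/conf.d/cryptroot"

    # 1. cryptroot must carry CRYPTROOT=target=NAME,source=DEVICE
    target=$(sed -n 's/^CRYPTROOT=target=\([^,]*\),source=..*/\1/p' "$conf" 2>/dev/null) || target=""
    if [ -z "$target" ]; then
        echo "FAIL: no CRYPTROOT=target=...,source=... line in $conf"
        problems=$((problems + 1))
    # 2. crypttab needs an entry with the same NAME and the luks option
    elif ! awk -v t="$target" '$1 == t && $4 ~ /(^|,)luks(,|$)/ { ok = 1 }
                               END { exit !ok }' "$root/etc/crypttab" 2>/dev/null; then
        echo "FAIL: $root/etc/crypttab has no luks entry named '$target'"
        problems=$((problems + 1))
    fi

    # 3. the fstab entry for / must be a device-mapper node, not the old UUID
    rootdev=$(awk '$1 !~ /^#/ && $2 == "/" { print $1 }' "$root/etc/fstab" 2>/dev/null) || rootdev=""
    case $rootdev in
        /dev/mapper/*) ;;
        *) echo "FAIL: fstab root device is '${rootdev:-missing}', expected /dev/mapper/..."
           problems=$((problems + 1)) ;;
    esac
    return "$problems"   # number of problems found; 0 means consistent
}

# Constructed sample tree holding the three files as shown on this page
# (the UUID is a placeholder, not a real device).
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/initramfs-tools/conf.d"
    echo 'CRYPTROOT=target=pvcrypt,source=/dev/sdb5' > "$d/etc/initramfs-tools/conf.d/cryptroot"
    echo 'pvcrypt /dev/disk/by-uuid/00000000-0000-0000-0000-000000000000 none luks' > "$d/etc/crypttab"
    echo '/dev/mapper/vg-root / ext4 defaults 0 1' > "$d/etc/fstab"
    echo "$d"
}

demo=$(make_sample_root)
check_luks_config "$demo" && echo "OK: cryptroot, crypttab and fstab agree"
rm -rf "$demo"
```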
***********
Assuming that your GRUB entries aren’t borked to hell (that was my problem right after this but it’s a different problem and beyond the scope of this article), you should be able to boot into your system with few errors. The only error I remember getting is something akin to “cryptsetup lvm fs found but no lvm configured” but the system continues booting regardless.

I owe a good portion of this information to this article: Backtrack 5 – Bootable USB Thumb Drive with “Full” Disk Encryption, though there was other info (that I’ve since lost track of) that filled in the blanks as to why the cryptroot file was missing and how to fix it. If I find that link again, I’ll be sure to update the post.

For the record, you can do this whole routine in under 30 seconds with Fedora’s installer (all in the GUI, no special disk, etc., required) since so long ago that I’m truly surprised that Ubuntu hasn’t figured out how to duplicate this basic functionality.