Install Ubuntu 13.10 on top of encrypted lvm

Written by Janne Haapsaari in Ubuntu on Tue 18 March 2014. Tags: encryption, lvm

Introduction

Ubuntu's installer provides a simple option for installing on top of an encrypted LVM. That option, however, does not allow modifying the partition layout, which for me is a showstopper. The other option is to create a separate encrypted container for each partition, which works fine, but then one has to enter the passphrase for each and every device individually.

This guide explains how to install Ubuntu on top of an encrypted LVM while still giving the user control over the partition layout. Using LVM makes it possible to specify partition sizes and unlock the whole encrypted device with a single passphrase. The alternative is to use a separate encrypted device for each partition and store the keyfiles used to unlock the other devices on the root device.

In this example I'm installing Ubuntu on my laptop with a single SSD drive, but this guide can be adapted to other distributions as well. I started by creating two partitions, /dev/sda1 and /dev/sda2. The former will not be encrypted and will be mounted as /boot in our system. The latter will be encrypted and used as the base for our LVM setup.

Partitioning

To do the actual partitioning, the Ubuntu live environment provides gparted, Disks and fdisk. Choose whichever suits you best or install an alternative from the repositories.

Filesystems

Now that you've created the partitions described in the previous chapter, it's time to write filesystems on them. I still prefer ext4 over btrfs, but you're free to choose your favourite.

sudo mkfs.ext4 /dev/sda1
sudo mkfs.ext4 /dev/sda2

LUKS container

The cryptsetup package shipping with Ubuntu 13.10 still defaults to the cbc-essiv cipher mode. Upstream cryptsetup has since switched its default to aes-xts-plain64. The default values are still plenty safe, so do as you wish, just pick a really good passphrase. The cryptsetup package in Ubuntu 14.04 will use the values I specify here by default.

  1. Create the LUKS container

    sudo cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 512 --hash sha512 /dev/sda2
    

    Confirm the command by typing YES in capital letters. Then enter your passphrase twice.

  2. Open the LUKS container.

    sudo cryptsetup luksOpen /dev/sda2 luks_container
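Before going further it is worth confirming that the header on /dev/sda2 really carries the cipher, key size and hash requested above, rather than the older defaults. The following is an added example, not code from the original post: a small POSIX sh function that reads `cryptsetup luksDump` output on stdin and compares the four fields. It assumes the LUKS1 header layout that Ubuntu 13.10's cryptsetup prints (`Cipher name:`, `Cipher mode:`, `Hash spec:`, `MK bits:`); the function name and the expected-value defaults are mine.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a LUKS header
# records the parameters chosen at luksFormat time.
# Reads `cryptsetup luksDump <device>` output on stdin (LUKS1 layout).
# Returns 0 if cipher, mode, key bits and hash all match, 1 otherwise.
# Usage: sudo cryptsetup luksDump /dev/sda2 | check_luks_params
#        (optional args override the expected values, in this order:
#         cipher mode bits hash)
check_luks_params() {
    want_cipher=${1:-aes}
    want_mode=${2:-xts-plain64}
    want_bits=${3:-512}
    want_hash=${4:-sha512}
    dump=$(cat)
    # In each header line the value is the third whitespace-separated field,
    # e.g. "Cipher mode:   xts-plain64".
    cipher=$(printf '%s\n' "$dump" | awk '/^Cipher name:/ {print $3}')
    mode=$(printf '%s\n'   "$dump" | awk '/^Cipher mode:/ {print $3}')
    bits=$(printf '%s\n'   "$dump" | awk '/^MK bits:/     {print $3}')
    hash=$(printf '%s\n'   "$dump" | awk '/^Hash spec:/   {print $3}')
    status=0
    [ "$cipher" = "$want_cipher" ] || { echo "cipher: got '$cipher', want '$want_cipher'"; status=1; }
    [ "$mode" = "$want_mode" ]     || { echo "mode: got '$mode', want '$want_mode'"; status=1; }
    [ "$bits" = "$want_bits" ]     || { echo "key bits: got '$bits', want '$want_bits'"; status=1; }
    [ "$hash" = "$want_hash" ]     || { echo "hash: got '$hash', want '$want_hash'"; status=1; }
    if [ "$status" -eq 0 ]; then
        echo "LUKS header OK: $cipher-$mode, $bits-bit key, $hash"
    fi
    return "$status"
}
```

A non-zero exit means the device was formatted with something other than what you intended (for example the cbc-essiv default mentioned above), in which case the container should be re-created before any data lands on it.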
    

Create LVM volumes

  1. Create LVM physical volume

    sudo pvcreate /dev/mapper/luks_container
    
  2. Create LVM volume group

    sudo vgcreate vg_system /dev/mapper/luks_container
    
  3. Create logical volumes. You can think of logical volumes as partitions. I will create two, one for root and one for home. If you need swap space, create a logical volume for it now as well. The root volume will be 40GB and home gets all the remaining space.

    sudo lvcreate -n lv_root -L 40G vg_system
    sudo lvcreate -n lv_home -l 100%FREE vg_system
    
  4. Write filesystems on the logical volumes

    sudo mkfs.ext4 /dev/mapper/vg_system-lv_root
    sudo mkfs.ext4 /dev/mapper/vg_system-lv_home
    

Installation of Ubuntu

Use the graphical installer to install Ubuntu as usual. If you don't know how to install Ubuntu, google one of the many fine guides. In the filesystem layout options, click "Something else" and choose the logical volumes we just created. Mount them as / and /home. Do not forget to assign the regular unencrypted partition /dev/sda1 to /boot. Otherwise you will not be able to boot later on.

The important thing is to NOT restart the machine when the installation finishes! Click "Continue testing", as we are not yet done.

Where the magic happens

Now it's time for the tricky part.

  1. Find out the UUID of your encrypted luks container

    sudo blkid /dev/sda2
    /dev/sda2: UUID="93xbb3a7-9x55-4kb1-87ce-7f1l6l45cv4af" TYPE="crypto_LUKS"
    

    Write the UUID down as we will need it later.

  2. Mount the logical volumes and chroot into the installed system

    sudo mkdir /mnt/root
    sudo mount /dev/mapper/vg_system-lv_root /mnt/root
    sudo mount /dev/mapper/vg_system-lv_home /mnt/root/home
    sudo mount /dev/sda1 /mnt/root/boot   # unencrypted /boot; update-initramfs and update-grub below must write here, not to the root volume
    sudo mount --bind /dev /mnt/root/dev
    > chroot /mnt/root
    > mount -t proc proc /proc
    > mount -t sysfs sys /sys
    > mount -t devpts devpts /dev/pts
    

    From this point on, all commands are run inside the chrooted environment!

  3. Create the file /etc/crypttab in the chrooted environment with the following line. Replace the UUID with the UUID of your LUKS container.

    # <target name> <source device> <key file> <options>
    luks_container UUID=93xbb3a7-9x55-4kb1-87ce-7f1l6l45cv4af none luks,retry=1,lvm=vg_system
    
  4. Create a file named /etc/initramfs-tools/conf.d/cryptroot in the chrooted environment with the following line. Replace the UUID with your LUKS container's UUID.

    CRYPTROOT=target=luks_container,source=/dev/disk/by-uuid/93xbb3a7-9x55-4kb1-87ce-7f1l6l45cv4af
    
  5. Update your initrd image.

    update-initramfs -k all -c
    
  6. Edit the file /etc/default/grub and find the line that looks like this

    GRUB_CMDLINE_LINUX=""
    

    and replace it with the following. Again, replace the UUID with that of your LUKS container, and keep the target name identical to the one used in /etc/crypttab.

    GRUB_CMDLINE_LINUX="cryptopts=target=luks_container,source=/dev/disk/by-uuid/93xbb3a7-9x55-4kb1-87ce-7f1l6l45cv4af,lvm=vg_system"
    
  7. Update the GRUB config with the following command

    update-grub
    

Reboot your machine and you should be prompted for the passphrase.
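Steps 3, 4 and 6 above all repeat the same three values (the container's UUID, the mapper target name and the volume group), and if any one of them is mistyped in one place the initramfs cannot find the container and the machine stops without a passphrase prompt. The script below is an added example, not part of the original post: it derives all three fragments from a single triple, rejects anything that does not look like the UUID `blkid` prints, and rewrites only the `GRUB_CMDLINE_LINUX=` line of a `/etc/default/grub` file. The function names are mine; the UUID used when testing it is a constructed, valid-looking value, not the one from the post.

```shell
#!/bin/sh
# Added example (not from the original post): generate the crypttab,
# cryptroot and GRUB fragments from one UUID/target/volume-group triple so
# the names cannot drift apart between the three files.

# Accept only the 8-4-4-4-12 lowercase hex form that blkid prints for LUKS.
is_uuid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Line for /etc/crypttab: target, uuid, volume group.
crypttab_line() {
    printf '%s UUID=%s none luks,retry=1,lvm=%s\n' "$1" "$2" "$3"
}

# Contents of /etc/initramfs-tools/conf.d/cryptroot: target, uuid.
cryptroot_line() {
    printf 'CRYPTROOT=target=%s,source=/dev/disk/by-uuid/%s\n' "$1" "$2"
}

# Value of GRUB_CMDLINE_LINUX: target, uuid, volume group.
grub_cmdline() {
    printf 'cryptopts=target=%s,source=/dev/disk/by-uuid/%s,lvm=%s\n' "$1" "$2" "$3"
}

# Replace the GRUB_CMDLINE_LINUX= line in file $1 (a copy of /etc/default/grub)
# with the generated value; every other line is left as it is.
# Args: file target uuid vg. Returns 1 if the file has no such line.
set_grub_cmdline() {
    grep -q '^GRUB_CMDLINE_LINUX=' "$1" || return 1
    value=$(grub_cmdline "$2" "$3" "$4")
    tmp="$1.tmp"
    # '|' as the sed delimiter because the value contains '/'.
    sed "s|^GRUB_CMDLINE_LINUX=.*|GRUB_CMDLINE_LINUX=\"$value\"|" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Print all three fragments for review before writing them into the chroot.
# Args: uuid target vg.
gen_crypt_config() {
    is_uuid "$1" || { echo "not a LUKS UUID: $1" >&2; return 1; }
    echo "# /etc/crypttab"
    crypttab_line "$2" "$1" "$3"
    echo "# /etc/initramfs-tools/conf.d/cryptroot"
    cryptroot_line "$2" "$1"
    echo "# /etc/default/grub"
    printf 'GRUB_CMDLINE_LINUX="%s"\n' "$(grub_cmdline "$2" "$1" "$3")"
}

# Example invocation inside the chroot (uuid from `blkid /dev/sda2`):
#   gen_crypt_config "$(blkid -s UUID -o value /dev/sda2)" luks_container vg_system
```

Run `gen_crypt_config` first and compare its output with what you typed; then `set_grub_cmdline /etc/default/grub luks_container <uuid> vg_system` followed by `update-initramfs -k all -c` and `update-grub` as in steps 5 and 7.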


IPv6

Written by Janne Haapsaari in Blog on Tue 31 December 2013. Tags: IPv6

Just a quick note that this site is now accessible via IPv6. :)

Unlike many others I will not be doing recaps of the past year nor predictions or promises for the next one. Still, I wish everyone a happy new year!



New Skype for Android

Written by Janne Haapsaari in misc on Mon 01 July 2013. Tags: Android, software, update

It's about time! Finally the functional but otherwise not very attractive Skype on Android has been updated. The user interface has been totally revamped and follows the nowadays so popular flat style. In my initial testing the new version seems to work really well and so far I haven't found anything to complain about. Well, except for the most awkward ad I have seen in a long time.



Newsblur

Written by Janne Haapsaari in Newsblur on Mon 17 June 2013. Tags: RSS, Google

I recently wrote about leaving Google Reader. Of course this decision was made for me when Google announced that they will shut down Google Reader on the 1st of July. In the beginning I simply used Thunderbird as my RSS reader, but eventually this became too limited, as for instance I couldn't easily access my Thunderbird installation from work. Then I switched to theoldreader, which is more or less a Google Reader clone with additional features. It worked just fine and was free as in it didn't cost anything. However, theoldreader failed to fetch all the articles for me. Of course I couldn't complain much as I was not a paying customer, but it was enough to push me to search for an alternative.

After some googling I bumped into NewsBlur, which not only worked fast and without errors but was also open source. I have the option of installing it on my own server, and a premium service is also provided for a very affordable $24/year. I chose the latter option. So far NewsBlur has filled all my RSS reading needs by being super fast to use and fetching all the articles. They also offer mobile applications for all major platforms, albeit I have only used the Android version. It works fine but does not offer the same user experience as the web user interface.

Anyway, I can highly recommend NewsBlur for anyone still looking for a replacement for Google Reader. If you don't feel like paying for a service that you are most likely using on a daily basis, then just host your own instance. For everyone else there is the paid service offered at newsblur.com. They also offer a free service, but it's fairly limited and will not be enough for most users.


Waiting for Haswell Macbook Pros

Written by Janne Haapsaari in misc on Sat 15 June 2013. Tags: Apple, Gadgets, Linux, OS X

I am a strong believer in mobile computing, and to me the perfect setup is a small laptop that can be connected to a bigger screen via a docking station or a similar setup. My current setup consists of a two-year-old Lenovo X220 and a high-resolution Dell U2711. I've been quite happy with it. The laptop is easy to take out of the docking station, which by the way comes with the device, and it serves as a desktop replacement while at home. However, two years is a long time in technology and I constantly find myself drooling over newer laptops.

I've been a full-time Linux (check out Arch Linux, it's awesome!) user for the past eight years, albeit I did own a first-generation Intel MacBook for almost two years. However, lately I've been less and less interested in tuning my computer and more interested in getting things done. I've also learned to love my external monitor's colour capabilities and high resolution, which makes sure that I will not buy another laptop with a 1366x768 resolution. Unfortunately Apple is currently pretty much the only manufacturer with laptops with truly high resolutions. Yes, I know laptops with Full HD resolution have multiplied over the past year, but it's simply not enough for me. We have mobile phones with a similar resolution!

Since I have mostly good memories from my short period of being a part-time Mac user, I am seriously considering buying the next-generation MacBook Pro. I feel OS X is a good middle ground between productivity and application support. I will have access to most of the developer tools I'm used to on Linux, but services like Netflix will also work just fine. Also, Apple's devices are well built and look gorgeous. That being said, I still have my doubts too, mostly regarding restrictions set by Apple. However, I am fairly convinced that I can successfully run Linux on the device should OS X turn out to be too restrictive for me.

Anyway, I was slightly disappointed because Apple didn't update their MBP models to Haswell at WWDC, but I'm sure it will happen soonish. If nothing radical happens between now and then, I will likely be another Linux user converting to Mac. As far as I can see, Lenovo's catalogue just isn't enough.


Goodbye Google Reader

Written by Janne Haapsaari in Google on Thu 14 March 2013. Tags: RSS

So yesterday Google announced that they will retire Google Reader. At first this annoyed me, since to me Google Reader was their best service, after Google Search of course. Luckily there are plenty of alternatives, and for now I chose Thunderbird as I already use it for email.

Good riddance!

From your 55 subscriptions, over the last 30 days you read 9,443 items,
clicked 480 items, starred 1 items, and emailed 0 items. Since May 21,
2010 you have read a total of 237,212 items.

Installing ownCloud on a shared host

Written by Janne Haapsaari in owncloud on Thu 10 January 2013. Tags: kapsi, shared hosting

I've been using Dropbox and Google Calendar for as long as I can remember and I've rarely had any problems with them. As a matter of fact, both products work great, offer a free service and have saved my ass on a few occasions. Sounds too good? Yeah... The old truth still stands: if you're not paying for it, you're the product (and sometimes even if you're paying). The part of me that is concerned about privacy issues has never liked the situation, but I've argued that the benefits are greater than the lack of privacy. Also, lately I've been syncing more files to my Dropbox and my free disk quota is running out. Therefore I need to either find a better alternative or start paying for the service. Well, yesterday I had some free time on my hands and decided to look for an alternative to Dropbox. The ideal replacement should be easy to use, work well and preferably be open source. It didn't take me long to bump into ownCloud.

At first sight ownCloud looked great: nice user interface, open source, media streaming, support for applications and, most importantly, solid enough that multiple companies offer services based on ownCloud. Let's put ownCloud to the test, as I happen to have some extra web space. I have to say, though, that ownCloud uses the word cloud pretty vaguely, as by default ownCloud is installed on one server and the support for external storage is only an experimental feature.

Installation itself was pretty straightforward. I simply downloaded the latest ownCloud from their install page and extracted it on my server. Next I navigated to /owncloud/ and created the admin user. Everything went smoothly and I thought that the installation was successful, as I managed to import my calendar and contacts from Google and create files and folders with the web UI. However, when I tried to configure the desktop sync client to work with my ownCloud installation, things didn't go as planned. The sync client accepted my credentials during the initial setup but complained that the credentials were invalid whenever it tried to sync.

To make WebDAV work I had to edit the .htaccess file in the installation directory.

I changed the existing

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteRule ^.well-known/host-meta /public.php?service=host-meta [QSA,L]
RewriteRule ^.well-known/carddav /remote.php/carddav/ [R]
RewriteRule ^.well-known/caldav /remote.php/caldav/ [R]
RewriteRule ^apps/([^/]*)/(.*\.(css|php))$ index.php?app=$1&getfile=$2 [QSA,L]
RewriteRule ^remote/(.*) remote.php [QSA,L]
</IfModule>

To

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
RewriteRule ^.well-known/host-meta /public.php?service=host-meta [QSA,L]
RewriteRule ^.well-known/carddav /remote.php/carddav/ [R]
RewriteRule ^.well-known/caldav /remote.php/caldav/ [R]
RewriteRule ^apps/([^/]*)/(.*\.(css|php))$ index.php?app=$1&getfile=$2 [QSA,L]
RewriteRule ^remote/(.*) remote.php [QSA,L]
</IfModule>

Spotting the difference is left as an exercise. :D Nah, just kidding: it's the HTTP_AUTHORIZATION line and the ,L added at the end of it.

One problem solved, but then Apache started complaining about permissions.

[Thu Jan 10 23:51:14 2013] [error] [client xx.xxx.xxx.xxx] client denied by server configuration: <INSTALL_DIR>/owncloud/remote.php

As a solution I added the following lines to the .htaccess file.

Order allow,deny
Allow from all

Voilà, and the sync client managed to synchronize everything.

The next step is to configure my desktop and mobile calendar, email client and mobile phone for contacts, and of course the sync client, to synchronize everything important. I have to test ownCloud for a few months until I'm confident enough to ditch my current solutions, but so far everything looks great.


My first patch to GNOME

Written by Janne Haapsaari in GNOME on Sun 16 December 2012. Tags: linux, open source, gnome, programming

I've used open source software for many years now, but I haven't really contributed back to any of the open source communities. I have filed some bug reports, but other than that I've been simply a happy (and sometimes less happy) user. However, yesterday I took the first step by making a tiny tiny contribution to GNOME, or to be specific to gnome-session. The funny thing is that it was all because of selfish reasons.

I was writing my script called osinfo and found out that gnome-session returned exit value 1 when called with the --version argument. This was easily tested by doing the following.

[haaja@jarvis ~]$ gnome-session --version
gnome-session 3.6.2
[haaja@jarvis ~]$ echo $?
1

Exit value 1 in non-error cases is problematic because exit values other than 0 are usually interpreted as an error. This was also the case with Python's subprocess module, specifically its check_output function.
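The behaviour described above, as an added example that is not part of the original post: `check_output` raises `CalledProcessError` as soon as the status is non-zero, even though the tool printed a perfectly good version line, so a script like the one mentioned has to capture stdout itself and treat the exit status as information rather than as a verdict. The command below is a constructed stand-in (`sh -c ...`) that mimics gnome-session 3.6.2's behaviour, so the example runs without GNOME installed; the function names are mine.

```python
# Added example (not from the original post): probing a tool's version when
# the tool exits non-zero on --version, as gnome-session 3.6.2 did.
import re
import subprocess

# Constructed stand-in for `gnome-session --version`: prints the version line
# and then exits with status 1, exactly the behaviour the post describes.
FAKE_GNOME_SESSION = ["sh", "-c", "echo 'gnome-session 3.6.2'; exit 1"]

# Matches a dotted version number such as 3.6.2 anywhere in the output.
VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")


def version_strict(cmd):
    """The naive approach: check_output() raises CalledProcessError for any
    non-zero status, discarding the version string that was printed."""
    out = subprocess.check_output(cmd, stderr=subprocess.STDOUT)
    return out.decode(errors="replace").strip()


def version_lenient(cmd):
    """Capture stdout regardless of exit status and return
    (version_or_None, returncode) so the caller can decide what a
    non-zero status means for this particular tool."""
    proc = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    match = VERSION_RE.search(proc.stdout.decode(errors="replace"))
    return (match.group(1) if match else None, proc.returncode)


if __name__ == "__main__":
    try:
        print("strict:", version_strict(FAKE_GNOME_SESSION))
    except subprocess.CalledProcessError as exc:
        print("strict: check_output raised for status", exc.returncode,
              "although the tool printed:", exc.output.decode().strip())
    print("lenient:", version_lenient(FAKE_GNOME_SESSION))
```

`version_lenient` still reports the status, so a caller can log or warn on it; it just no longer lets a cosmetic exit-code bug in one tool abort the whole script.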

Since I knew that this was trivial to fix, I thought that I might just as well fix it. The problem was that I had never before contributed to GNOME, so I had no clue how and where to send patches. Luckily, after some help from Google, I was directed to their Bugzilla. ~~Unfortunately GNOME's documentation isn't the easiest for a beginner because it is quite dated, and I really didn't want to set up an IRC client to join their IRC channels and ask for help.~~ So I spent most of the time browsing their Bugzilla and reading git logs to determine the conventions used for commit messages and bug reports.

EDIT: I finally did find the documentation Contributing patches.

Finally I created a bug report and attached a patch for the bug. A few minutes later one of the developers reviewed my patch, and a while later I received an email that my patch had been committed to the master branch. Everything went smoothly and surprisingly fast, so I might just do this again the next time I find something that bothers me in GNOME.