Install Debian on Existing encrypted LVM

[carachi]

Hello,
I am trying to install Debian 7 64bits on my computer on existing encrypted LVM.
My Hard Disk Configuration is:

sda1 /boot
sda5 encrypted partition that contain the LVM
|--- / Debian 7 OS partition
|--- /home home partition
|--- /swap partition

I did the installation of the operating system from a Live Debian CD unlocking the encrypted partition from the Desktop enviroment.
However, when I reboot the laptop I am not able to run Debian because, after that I decided to run Debian from grub, it replies to me that it is not able to find the root partition with the operating system.
I think that debian didn't compile the initramfs with the crypto instruction... is it possible?

Searching online I found that I need to created a new file called /etc/cryptab with the UUID of the partition and after regenerate the initramfs. I did it but... nothing changed...

How can I solve this problem?? There is a way to say in the installation process that I am using an encripted LVM partition instead a normal partition without format all the hard drive?
There is any command to recreate grub and all the other part in such way that it include also the crypto instruction??

Thank you very much.

[dilberts_left_nut]

Probably the installer doesn't know it is on an encrypted lvm partition.
I would just use the standard installer not the one from inside a live session.

[carachi]

Hello dilberts_left_nut,
Thank you very much for you interest.
I tried with the standard CD of Debian 7 but, using it, I am not able to decrypt my encrypted partition neither from the command line. I am only enable to create a new encrypted partition, but I don't want to do that because I will delete all the data in my /home partition.

There is a way to say to the Debian installer that this is an encryted LVM partition?
Or can I re-install Grub and all the other necessary stuff running the live cd-rom ?

Thank you very much

[kiyop]

Can you unlock (decrypt) the LVM after booting with the live debian?
If you can, you may be able to chroot to the installed debian and to generate initramfs which involves proper module to enable decryption.

I did the installation of the operating system from a Live Debian CD unlocking the encrypted partition from the Desktop enviroment.
However, when I reboot the laptop I am not able to run Debian because, after that I decided to run Debian from grub, it replies to me that it is not able to find the root partition with the operating system.
I think that debian didn't compile the initramfs with the crypto instruction... is it possible?

Searching online I found that I need to created a new file called /etc/cryptab with the UUID of the partition and after regenerate the initramfs. I did it but... nothing changed...

Write concretely what you did and what error messages you got.

[carachi]

Hello kiyop,
I am sorry if I am not explained well. This is what I did:
- run live Debian CD rom
- I unlock the encrypted partition and the LVM
- I install the new version of debian on the correct partition and selecting also the home directory.
- I reboot the machine

However, the new installation of debian doesn't start correctly becuase it say that it is not able to find the OS/root (the / partition inside the LVM ).
The strange thing is that it doesn't ask me the password to unlock the encrypted LVM.

So, running again the Live Debian CD rom, I mounted the partitions and entered in chroot mode and I tried to recreate the initramfs (because I think that this is the problem, but I am not sure), I reboot but nothing change. It countinue to say to me that it is not able to find the partition where there is the operatin system.

I don't know what else to do or how I can recreate the initramfs including the proper modules to decrypt the partition and how to say that this is an encrypted LVM partition.

Thank you very much for your help.
Bye

[kiyop]

Hi! carachi

- run live Debian CD rom

Could you please write the concrete URL where you downloaded the image?

However, the new installation of debian doesn't start correctly becuase it say that it is not able to find the OS/root (the / partition inside the LVM ).
The strange thing is that it doesn't ask me the password to unlock the encrypted LVM.

So, running again the Live Debian CD rom, I mounted the partitions and entered in chroot mode and I tried to recreate the initramfs (because I think that this is the problem, but I am not sure), I reboot but nothing change.

As dilberts_left_nut suggested, it may be due to that you started installation of debian after decrypting the encrypted LVM.
I am not sure if the following solves your problem:

AFAIK, you can add module names to /etc/initramfs-tools/modules, so that they are involved in initramfs. After inserting the names of the modules to it, regenerate initramfs.

Furthermore, you can modify init script in initramfs by extracting the initramfs (/boot/initrd.img-* ) to current directory by

Code: Select all

gzip -dc /boot/initrd.img-PROPER_VERSION_WORDS |cpio -i

and modifying some and regenerating to new initramfs by

Code: Select all

find .|cpio -H newc -o|gzip -9 > NEW_INITRAMFS_FILE_NAME

If kernel and initramfs files are loaded (started), and if / partition is not detected, busybox may start. At busybox, can you decrypt the LVM?

[fsmithred]

Try rebuilding the initrd in chroot with

Code: Select all

update-initramfs.orig.initramfs-tools -u

instead of just using update-initramfs. The live-tools package replaces (disables) update-initramfs, and you need to use the original version to be able to boot an encrypted partition. I ran into a similar problem with a live installer I maintain. Here's a discussion - no lvm, just encrypted partitions, but maybe something here is helpful - http://refracta.freeforums.org/encrypte ... -t308.html

[carachi]

Hi Everyone,
Thank you for your interest and suggestions.
I tried to do in these days what you suggest but however I didn't have success

Try rebuilding the initrd in chroot with

Code: Select all

update-initramfs.orig.initramfs-tools -u

instead of just using update-initramfs. The live-tools package replaces (disables) update-initramfs, and you need to use the original version to be able to boot an encrypted partition. I ran into a similar problem with a live installer I maintain. Here's a discussion - no lvm, just encrypted partitions, but maybe something here is helpful - http://refracta.freeforums.org/encrypte ... -t308.html

I tried to recreate the initramfs but .... it creates the some initramfs file... as the previous one...

So I tried to unzip it as suggest here:

Furthermore, you can modify init script in initramfs by extracting the initramfs (/boot/initrd.img-* ) to current directory by

Code: Select all

gzip -dc /boot/initrd.img-PROPER_VERSION_WORDS |cpio -i

and modifying some and regenerating to new initramfs by

Code: Select all

find .|cpio -H newc -o|gzip -9 > NEW_INITRAMFS_FILE_NAME

If kernel and initramfs files are loaded (started), and if / partition is not detected, busybox may start. At busybox, can you decrypt the LVM?

And I analysed the content of this file. I also compared it with an other machine (created in virtual box) and I saw that all the file related to the crypto, the crypto library and the configuration file to the encrypted partition are missing. I tried to copy and paste those file in my initramfs and change the configuration file, but ... It doesn't work... Probably I missed to change something I don't know where.

So... What can I do??
How can I force Debian to include the crytpo library, the configuration file and all the other stuff inside the initramfs file?

There is a way during the installation process to say to the installer that this is an encrypted partition?

Thank you
Bye

[kiyop]

How can I force Debian to include the crytpo library, the configuration file and all the other stuff inside the initramfs file?

I do not konw well but, you can include modules into initramfs (/boot/initrd.img-.*) by adding the modules names into /etc/initramfs-tools/modules and executing "update-initramfs -u". "linux-headers-.*" package and so on may be necessary.
The following may be useful, although I do not know well:
https://wiki.debian.org/ModuleAssistant
https://wiki.debian.org/Modules
Also, read

Code: Select all

man lsmod
man modprobe

to know how to show the currently-used modules and how to enable modules.

[fsmithred]

Make sure that cryptsetup is installed in the installed system. (check for /sbin/cryptsetup). I'm not sure if the debian installer adds everything that's on the live-CD or if it just installs the same things as the regular installation CD.

Make sure dm-mod is in the initrd - in mine, it's lib/modules/3.2.0-4-amd64/kernel/drivers/md/dm-mod.ko.

[carachi]

Hi all
thank you for your help! I really appriciate that.
In order:

I do not konw well but, you can include modules into initramfs (/boot/initrd.img-.*) by adding the modules names into /etc/initramfs-tools/modules and executing "update-initramfs -u". "linux-headers-.*" package and so on may be necessary.
The following may be useful, although I do not know well:
https://wiki.debian.org/ModuleAssistant
https://wiki.debian.org/Modules
Also, read

Code: Select all

man lsmod
man modprobe

to know how to show the currently-used modules and how to enable modules.

I started the live Debian CD-Rom and I installed lvm2 (to open the LVM after decrypt the partition) and module-assistant . I followed the instruction reported on the Debian website but in the module-assistant menu there are nothing about the crypto or lvm modules....

After that I followed the fsmithred suggestion:

Make sure that cryptsetup is installed in the installed system. (check for /sbin/cryptsetup). I'm not sure if the debian installer adds everything that's on the live-CD or if it just installs the same things as the regular installation CD.

Make sure dm-mod is in the initrd - in mine, it's lib/modules/3.2.0-4-amd64/kernel/drivers/md/dm-mod.ko.

I checked that the live Debian cointatins the cryptsetup, with success. After I checked if the initramfs cointains the dm-mod.ko modules. However It doesn't contain it.
So I included the following modules inside the /etc/initramfs-tools/modules and I recreated the initramfs:

Code: Select all

 echo "aes" >> /etc/initramfs-tools/modules
  echo "aes_x86_64" >> /etc/initramfs-tools/modules
  echo "aes_generic" >> /etc/initramfs-tools/modules
  echo "dm-crypt" >> /etc/initramfs-tools/modules
  echo "dm-mod" >> /etc/initramfs-tools/modules
  echo "sha256" >> /etc/initramfs-tools/modules
  echo "sha256_generic" >> /etc/initramfs-tools/modules
  echo "lrw" >> /etc/initramfs-tools/modules
  echo "xts" >> /etc/initramfs-tools/modules
  echo "crypto_blkcipher" >> /etc/initramfs-tools/modules
  echo "gf128mul" >> /etc/initramfs-tools/modules
  echo "dm-crypt" >> /etc/modules
  update-initramfs.orig.initramfs-tools  -u -k all

I re-checked if it cointants all tha crypto packages, and fortunatelly now there are!!!
So, I reboot the system, but unforunatelly now I have an other error messages:

Code: Select all

modprobe: can't load module padlock_aes (kernel/drivers/crypto/padlock-aes.ko) No such device
modprobe: can't load module aesni_intel (kernel/drivers/crypto/aesni-intel.ko) No such device
Volume group "OS" not found
Skypping volume group OS
Unable to find LVM volume OS/root

I checked and the padlock_aes and aesni_intel files are cointained in the initramfs file....
Do you have any idea about these errors?

Thank you very much
Bye

[kiyop]

I do not know the command "update-initramfs.orig.initramfs-tools".
How do you confirm that the necessary modules are in the used initramfs?
Where in the initramfs root directory are they?
You do not explicitly echo'ed "padlock_aes" nor "aesni_intel" to /etc/initramfs-tools/modules.

And in one of my debian wheezy, there is not aes-ni.intel.ko in /lib/modules/3.2.0-4-686-pae/kernel/crypto/

Code: Select all

$ find /lib/modules -iname aes*
/lib/modules/3.2.0-4-686-pae/kernel/crypto/aes_generic.ko
/lib/modules/3.2.0-4-686-pae/kernel/arch/x86/crypto/aes-i586.ko
/lib/modules/3.2.0-4-686-pae/kernel/arch/x86/crypto/aesni-intel.ko

"-" and "_" seems to be recognized interchangeably by modprobe.

[carachi]

Finally I solved the problem in this way.
I ran that commands:

Code: Select all

cp /usr/share/initramfs-tools/hooks/cryptroot /etc/initramfs-tools/hooks/cryptroot
cp /usr/share/initramfs-tools/scripts/local-top/cryptroot /etc/initramfs-tools/scripts/local-top/cryptroot

I created this file in /etc/initramfs-tools/conf.d/cryptroot with:

Code: Select all

target=sda5_crypt,source=UUID=ee0a6525-c864-283d-969b-6be334c8f35c,key=none,rootdev,lvm=OS-root

And I had regenerate the initramfs file:

Code: Select all

update-initramfs.orig.initramfs-tools -u -k all

I reboot and now seems works!!!

Thank you very much to all for the help. I hope that this information could help also some other persons.
Bye

[kiyop]

Great! Congratulations!

[narcisgarcia]

I had a similar issue (but also with RAID), and wanted to know how DebianInstaller does a good job.
Installing Debian 7.5 I needed to put the following layers order:

• > /boot in a traditional partition

• > Physical volume for RAID, on each disk

• • >>Physical volume for LVM

• • • >>>Physical volume for encryption

• • • • >>>>Physical volume for LVM

Yes, to LVM+Crypt work without manual patches, there must be a LVM layer outside LUKS layer.
Once the system is installed, then it's enough with installing package lvm2 in a chroot session.

I believe that there is a bug in DebianInstaller because it doesn't install lvm2 package when necessary, and some other issue in initramfs/cryptsetup configuration that avoids the unlock prompt when LVM layer is only inside the encrypted one.

[Eddy_W]

Hey,

I had the same problems with installin Debian (Wheezy (7.5) in an existing, encrypted LUKS-Container with LVM-Volume-Group inside and a non-encrypted boot partition outside the LUKS-Container. I solved it the following way:

First backup the file /etc/crypttab from your "old system" installed in the LUKS-container you want to reuse, if existing. You can use it to easy restore your system later on.
I choosed the normal installation (not expert). This installation does not load "cryptsetup" into it's installation kernel for some reasons. Therefore you have to switch with "<CTRL>+<Alt>+2" to another terminal right at the beginning of the installation (before you choose your language) and "mark" the packages "cryptsetup-udeb" and "crypto-dm-modules" to be loaded into the kernel during installation with following commands:

Code: Select all

anna-install cryptsetup-udeb
anna-install crypto-dm-modules

Switch back to the Installtion with <CTRL>+<Alt>+1 and follow the process as ususal till the partitioning part. Here you have to switch again into the second terminal. Now you have to decrypt your LUKS container and activate the containing LVM-Volume-Group with following commands:

Code: Select all

modprobe dm-crypt # loading the kernel-module. Didn't load automatically in my case
cryptsetup luksOpen /dev/sdxY sdxY_crypt # Opens Luks container (xY has to be adapted to local settings, e.g sda5)
vgscan # detects existing LVM-Volume-Groups
vgchange -a y 'Name-of-LVM-Volume-Group' # Activates LVM-Volume-Group (check output from vgscan for the right name)

After this, switch back to the Installtion and rescan the Hardware by going one step back in the installation. After rescanning you should end up in the manuell partitioning menu. Here the first step is to configure the LVM-Volume-Group. It has to be done to reuse your existing LVM-Group. Nothing has to be change on the LVM-Volume-Group here, as long as you don't want to of course. Be careful in this step and don't accidently format a partition you don't want to format. When you start the LVM-Volume-group configuration and the prompt doesn't mention anything about formating a certain partition, nothing should happen to your data, when you continue.
After that you choose the partition(s) you want your system and /boot installed on as you would normally do and follow the installation.

Before choosing your additional software you should switch again to the 2nd terminal and install cryptsetup. Instead it won't be installed in the final system, for whatever reason.

Code: Select all

apt-install cryptsetup

Now, finish the installation and reboot the system from a live system (in my case Lubuntu 14.04). The normal boot to your fresh installed system will fail because it doesn't decrypt the LUKS-container.

Start a terminal in the Live-System and prepare a chroot session by mounting following devices:

Code: Select all

sudo cryptsetup /dev/sdxY sdxY_crypt # Opens the LUKS-container
sudo mount /dev/mapper/'LV-with-installed-system-on' /mnt
sudo mount /dev/mapper/'LV-with-home-folder-on /mnt/home # If necessary
sudo mount /dev/sdxY /mnt/boot # mount non-encrypted boot partition

Get acces to important Hardware and System-information:

Code: Select all

sudo mount -t devtmpfs /dev /mnt/dev
sudo mount -t devpts /dev/pts /mnt/dev/pts
sudo mount -t sysfs /sys /mnt/sys
sudo mount -t proc /proc /mnt/proc
sudo cp /proc/mounts /mnt/etc/mtab

Finally enter the chroot environment:

Code: Select all

sudo chroot /mnt /bin/bash

I didn't had internet connection in the chroot-environment but you don't need it when cryptsetup was installed during installation.

Now the file /etc/crypttab must be edited with an editor. The easiest way is to restore the content from a backup version from your "old system" which was installed in the same LUKS-container before. However you can easily create a new entry.

Code: Select all

nano /etc/crypttab 

and add the line:

sdxY UUID="UUID-of-sdxY" none luks

Find out the UUID with:

Code: Select all

sudo blkid /dev/sdxY 

Afterwards you should update your initrd.img with following command to save the new settings and make it available to grub for booting:

Code: Select all

update-initramfs -k all -c -t

There shouldn't be any warning popping up like "cryptsetup: WARNING: invalid line in /etc/crypttab". If so, make sure that you mounted your LUKS-Container with the same name used in /etc/crypttab (sdxY_crypt is the best choice). When you have no warning, you can leave the chroot environment with "exit" and reboot the system.
After booting your fresh installed Debian system everything should work and you should be asked for the passphrase to decrypt your LUKS-container.

Most if my informations I got from these pages and this thread. So for additional help check out:
http://blog.hartwork.org/?p=1757
http://ubuntuforums.org/showthread.php?t=1205372
http://wiki.ubuntuusers.de/chroot/Live-CD (German)


Best wishes

[maddes]

Thanks to Eddy_W I was able install Debian on my existing LUKS+LVM partition setup.
I found some more Information for Debian 8 "Jessie" and the upcoming Debian 9 "Stretch".
Therefore I post how I setup Debian 8 on my system, where the system booted correctly directly after Installation.
Still it is recommended having a live media at hand.

#0 Preparation

• Get the installer image of the wanted Debian version.
  This guide has been tested with Debian 7 "Wheezy", 8 "Jessie" and 9 "Strecth" (installer alpha5).
  But should work on other versions too (maybe you have to manually load lvm2-udeb, lvmcfg-utils, mdadm-udeb, md-modules, mdcfg-utils, etc.).
• Get the corresponding live image of that Debian version with the preferred desktop.
  Check that the live version boots on the system.
  Check how to change the keyboard layout and that it applies to a terminal session, as passwords with special characters have to be entered maybe.
• Make a backup of /etc/crypttab from the old installation.
  Placing it on a usb stick/drive is recommended, but it can also be put on a separate partition of the system (if it's not intended to format this partition, e.g. /home).
• Make a backup of all important data from the old installation that is located on the root partition.
  As it is recommended to format the root partition to have a clean installation.
  Therefore it is also recommended to have a separate partition for /home and maybe other mounts like /var, /srv, /opt depending on your needs.
• This guide works with the text and graphical installer, differences between these are noted where they apply.
• During installation several terminal consoles will be accessed via CTRL+ALT+Fx.
  Here is a list of these with their corresponding number:
  #1 Text Installer -or- Log from Graphical Installer itself
  #2 free (will be used for shell access to execute additonal tasks)
  #3 free
  #4 Installation Log (APT, etc.)
  #5 Graphical Installer
• Expert Install mode is not necessary, but provides more options and steps are not running automatically.
• Debian Installer (d-i) manual is available at https://d-i.debian.org/manual/en.amd64/install.en.txt
• US keymap available at https://en.wikipedia.org/wiki/Keyboard_ ... al_layouts
• Comments after a command (" ; #...") must not be entered.

IMPORTANT is that the commands are exactly executed at the mentioned step of the installation.
Otherwise the file systems on the LVM partition won't get recognized, and you have to start over again from the beginning.

#1 Directly at the beginning of the installation (at least before selecting the keymap)

• Switch to console #2
• Press enter to activate the console.
  At this time the keymap will be US only.
• Queue some UDEB packages for later installation.
  BEWARE OF TYPOS, the package name is not checked at this time and you only have US keyboard layout!
  Do not DEL key at all, and do not use TAB when entering package names.

  Code: Select all

  anna-install cryptsetup-udeb
  anna-install crypto-dm-modules
  anna-install crypto-modules
  

• Switch to console #4
• Check that the package names have no typos, e.g. CRYPTsetup vs. cryptO-..., or weird chars (e.g. tab, del).
• Switch back to installer console.
• Continue setup.

#2 Directly when configuring hostname (at least before defining all users)

• Switch to console #2
• Make sure the selected keymap (in /etc/default/keyboard) is applied to terminal console.
  Especially the Graphical Installer does not do that.
  This is important to enter the password correctly.

  Code: Select all

  setupcon

• Open the encrypted partition so that the file systems on it are recognized by the partitioner "partman".
  Shell variables are used to avoid typos and use consistent names.

  Code: Select all

  DEV='/dev/sdXn'
  DMNAME="${DEV##/dev/}_crypt" ; # sets variable to "sdXn_crypt"
  cryptsetup luksOpen $DEV $DMNAME
  ls /dev/mapper

  If anything went wrong (var name), then close the encrypted partition and repeat previous commands.

  Code: Select all

  cryptsetup luksClose $DMNAME

• Switch back to installer console.
• Continue setup.

#3 Directly when partitioner ("partman") comes up

• Switch to console #2
• Check that LVM volumes are active. Otherwise activate them.

  Code: Select all

  lvs
  #
  vgscan ; # detect all volume groups
  vgchange -a y <vg> ; # activate all volumes of a volume group
  

• Switch back to installer console.
• DO NOT continue setup.
  GO BACK ONE STEP to "Detect disks".
• All LVM partitions should be available INCLUDING their file systems.
  If not, e.g. no file systems, then it is likely that something was done wrongly and start over again from the beginning.
• Now map the partitions as usual while keeping their file system under "Use as".
  Do not forget the extra boot partition.
  Do not format the partitions if you want to keep their data.
  It is suggested to format the root (/) and boot (/boot) partitions. Make sure there is a backup of the individual data that is/was stored on it.
• Continue setup.

#4 Directly when Software Selection comes up (before installing additional software, e.g. desktop, etc.)

• To create a correctly working initrd make sure cryptsetup is installed in /target, if not add it via apt-install.
  On 8.0 and later cryptsetup should be already installed, otherwise use apt-install.

  Code: Select all

  ls /target/sbin/crypt*
  #
  apt-install cryptsetup

• Create /etc/crypttab in /target (or copy your old crypttab to the new system, e.g. from a USB stick or one of your LVM volumes under /target (e.g. /target/home)).

  Code: Select all

  cat /target/etc/crypttab
  #
  printf "$DMNAME\tUUID=%s\tnone\tluks\n" "$(cryptsetup luksUUID $DEV)" >>/target/etc/crypttab 
  # or from USB
  list-devices usb-partition
  mount /dev/sdXn /mnt
  cp /mnt/crypttab /target/etc/crypttab
  umount /mnt
  #
  cat /target/etc/crypttab
  nano /target/etc/crypttab

If your system does not boot then you have to create a new initramfs in a chroot environment via a live medium, as mentioned above by Eddy, but I also had to bind some LVM related directories.

Code: Select all

mount -o bind /dev /mnt/dev
mount -o bind /dev/pts /mnt/dev/pts
mount -o bind /dev/shm /mnt/dev/shm
mount -o bind /proc /mnt/proc
mount -o bind /sys /mnt/sys
#
mount -o bind /run /mnt/run
mount -o bind /run/lock /mnt/run/lock

Regards
Maddes