Cannot boot into encrypted root file system

Asked by tdn

I am trying to set up an encrypted root file system with cryptsetup and LUKS.

This is what I have done:

I created these partitions:

~ $ sudo fdisk -l /dev/sda
Password:

Disk /dev/sda: 80.0 GB, 80026361856 bytes
16 heads, 63 sectors/track, 155061 cylinders
Units = cylinders of 1008 * 512 = 516096 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1       31012    15630016+   7  HPFS/NTFS
/dev/sda2   *       31013       31603      297864   83  Linux
/dev/sda3           31604      145800    57555257    5  Extended
/dev/sda4          145801      155055     4664520    c  W95 FAT32 (LBA)
/dev/sda5           31604      141079    55175872+  83  Linux
/dev/sda6          141080      145800     2379352+  82  Linux swap / Solaris

Then I installed the base system with sda6 as / and sda2 as /boot.
I used a Kubuntu 7.04 desktop install CD for installation.

Then I created a LUKS partition on sda5 with:
cryptsetup luksFormat /dev/sda5

Then I copied the base installation from sda6 to sda5:
cryptsetup luksOpen /dev/sda5 root
mount /dev/mapper/root /mnt
cp -ax / /mnt

Then I chrooted into /mnt:
mount -o bind /dev /mnt/dev
mount -o bind /proc /mnt/proc
mount -o bind /sys /mnt/sys
chroot /mnt

Then I edited /etc/fstab to look like this:
root@bart:/# cat /etc/fstab
# /etc/fstab: static file system information.
#
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
# /dev/sda6
#UUID=c7045f36-d8be-4ef3-8585-e9d7d41b540 / ext3 defaults,errors=remount-ro 0 1
# /dev/mapper/root
#UUID=09712129-a956-48ce-810d-9b7bd6bd2178 / ext3 defaults,errors=remount-ro 0 1
/dev/mapper/root / ext3 defaults,errors=remount-ro 0 1
# /dev/sda2
UUID=aef3f30b-106c-497b-ac90-7cd705bc339b /boot ext3 defaults 0 2
# /dev/sda1
UUID=80C2F69090FA0800 /media/sda1 ntfs defaults,nls=utf8,umask=007,gid=46 0 1
# /dev/sda4
UUID=1B33-0A00 /media/sda4 vfat defaults,utf8,umask=007,gid=46 0 1
/dev/scd0 /media/cdrom0 udf,iso9660 user,noauto 0 0
/dev/fd0 /media/floppy0 auto rw,user,noauto 0 0

Then I edited /etc/crypttab to look like this:
root@bart:/# cat /etc/crypttab
# <target name> <source device> <key file> <options>
root /dev/sda5 none cipher=aes-cbc-essiv:sha256

Then I edited /boot/grub/menu.lst to look like this:
root@bart:/# cat /boot/grub/menu.lst
# menu.lst - See: grub(8), info grub, update-grub(8)
# grub-install(8), grub-floppy(8),
# grub-md5-crypt, /usr/share/doc/grub
# and /usr/share/doc/grub-doc/.

## default num
# Set the default entry to the entry number NUM. Numbering starts from 0, and
# the entry number 0 is the default if the command is not used.
#
# You can specify 'saved' instead of a number. In this case, the default entry
# is the entry saved with the command 'savedefault'.
# WARNING: If you are using dmraid do not change this entry to 'saved' or your
# array will desync and will not let you boot your system.
default 0

## timeout sec
# Set a timeout, in SEC seconds, before automatically booting the default entry
# (normally the first entry defined).
timeout 10

## hiddenmenu
# Hides the menu by default (press ESC to see the menu)
#hiddenmenu

# Pretty colours
color cyan/blue white/blue

## password ['--md5'] passwd
# If used in the first section of a menu file, disable all interactive editing
# control (menu entry editor and command-line) and entries protected by the
# command 'lock'
# e.g. password topsecret
# password --md5 $1$gLhU0/$aW78kHK1QfV3P2b2znUoe/
# password topsecret

#
# examples
#
# title Windows 95/98/NT/2000
# root (hd0,0)
# makeactive
# chainloader +1
#
# title Linux
# root (hd0,1)
# kernel /vmlinuz root=/dev/hda2 ro
#

#
# Put static boot stanzas before and/or after AUTOMAGIC KERNEL LIST

### BEGIN AUTOMAGIC KERNELS LIST
## lines between the AUTOMAGIC KERNELS LIST markers will be modified
## by the debian update-grub script except for the default options below

## DO NOT UNCOMMENT THEM, Just edit them to your needs

## ## Start Default Options ##
## default kernel options
## default kernel options for automagic boot options
## If you want special options for specific kernels use kopt_x_y_z
## where x.y.z is kernel version. Minor versions can be omitted.
## e.g. kopt=root=/dev/hda1 ro
## kopt_2_6_8=root=/dev/hdc1 ro
## kopt_2_6_8_2_686=root=/dev/hdc2 ro
# kopt=root=UUID=c7045f36-d8be-4ef3-8585-e9d7d41b5480 ro

## Setup crashdump menu entries
## e.g. crashdump=1
# crashdump=0

## default grub root device
## e.g. groot=(hd0,0)
# groot=(hd0,1)

## should update-grub create alternative automagic boot options
## e.g. alternative=true
## alternative=false
# alternative=true

## should update-grub lock alternative automagic boot options
## e.g. lockalternative=true
## lockalternative=false
# lockalternative=false

## additional options to use with the default boot option, but not with the
## alternatives
## e.g. defoptions=vga=791 resume=/dev/hda5
# defoptions=

## should update-grub lock old automagic boot options
## e.g. lockold=false
## lockold=true
# lockold=false

## Xen hypervisor options to use with the default Xen boot option
# xenhopt=

## Xen Linux kernel options to use with the default Xen boot option
# xenkopt=console=tty0

## altoption boot targets option
## multiple altoptions lines are allowed
## e.g. altoptions=(extra menu suffix) extra boot options
## altoptions=(recovery) single
# altoptions=(recovery mode) single

## controls how many kernels should be put into the menu.lst
## only counts the first occurence of a kernel, not the
## alternative kernel options
## e.g. howmany=all
## howmany=7
# howmany=all

## should update-grub create memtest86 boot option
## e.g. memtest86=true
## memtest86=false
# memtest86=true

## should update-grub adjust the value of the default booted system
## can be true or false
# updatedefaultentry=false

## ## End Default Options ##

title Ubuntu, kernel 2.6.20-15-generic
root (hd0,1)
kernel /vmlinuz-2.6.20-15-generic root=UUID=c7045f36-d8be-4ef3-8585-e9d7d41b5480 ro
initrd /initrd.img-2.6.20-15-generic
quiet
savedefault

title Ubuntu, kernel 2.6.20-15-generic (recovery mode)
root (hd0,1)
kernel /vmlinuz-2.6.20-15-generic root=UUID=c7045f36-d8be-4ef3-8585-e9d7d41b5480 ro single
initrd /initrd.img-2.6.20-15-generic

title Ubuntu, memtest86+
root (hd0,1)
kernel /memtest86+.bin
quiet

### END DEBIAN AUTOMAGIC KERNELS LIST

# This is a divider, added to separate the menu items below from the Debian
# ones.
title Other operating systems:
root

title Ubuntu, encrypted root
root (hd0,1)
#kernel /vmlinuz-2.6.20-15-generic root=UUID=09712129-a956-48ce-810d-9b7bd6bd2178 ro
kernel /vmlinuz-2.6.20-15-generic root=/dev/mapper/root ro
initrd /initrd.img-2.6.20-15-generic
quiet
savedefault
boot

# This entry automatically added by the Debian installer for a non-linux OS
# on /dev/sda4
title Windows NT/2000/XP
root (hd0,3)
savedefault
makeactive
chainloader +1

Then I ran:
update-initramfs -u all

Finally I rebooted.

I selected the entry for the encrypted root fs in the GRUB menu.
Then it started booting.
When it came to this:
sd 0:0:0:0: Attached scsi disk sda
sr0: scsi3-mmc drive: 24x/24x writer cd/rw ca/form2 cdda tray
Uniform CD-ROM driver Revision 3.20
sd 0:0:0:0: Attached scsi generic sg0 type 0
sr 1:0:0:0: Attached generic sg0 type 5

...it just hangs....

Nothing happens. I press Ctrl+Alt+Del to reboot and boot into the normal unencrypted version of Ubuntu.

I hope you can help me set up the system to start the encrypted version, so that I can wipe sda6 and use it as swap. (2.5GB is not much space for a complete system! :))

Question information

Language: English
Status: Solved
For: Ubuntu
Assignee: No assignee
Solved by: uptimebox

Best uptimebox (uptimebox) said :
#1

You need to

# mount -o bind /boot /mnt/boot

before chroot, or

# mount /boot

after chroot
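
The check behind this answer, as an added example that is not part of the original thread: a pre-flight script to run inside the chroot before update-initramfs, confirming that /boot is a mount point and that the mapper name used for / in fstab has a matching crypttab entry. The function names are hypothetical, and the demo files are constructed, modelled on the fstab and crypttab shown in the question.

```shell
#!/bin/sh
# Added example (not from the thread): checks to run inside the chroot before
# update-initramfs. File paths are parameters so the checks can be tried offline.

# Print the mapper name used for "/" in an fstab ("root" for /dev/mapper/root).
root_mapper_name() {
    awk '$1 !~ /^#/ && $2 == "/" && $1 ~ /^\/dev\/mapper\// {
             sub(/^\/dev\/mapper\//, "", $1); print $1; exit }' "$1"
}

# Succeed if crypttab ($1) has an uncommented entry whose target name is $2.
crypttab_has_target() {
    awk -v t="$2" '$1 == t { found = 1 } END { exit !found }' "$1"
}

# Succeed if $2 is a mount point according to a /proc/mounts-style file ($1).
is_mount_point() {
    awk -v d="$2" '$2 == d { found = 1 } END { exit !found }' "$1"
}

# Print one line per problem; the return status is the number of problems.
preflight() {
    fstab=$1 crypttab=$2 mounts=$3 problems=0
    name=$(root_mapper_name "$fstab")
    if [ -z "$name" ]; then
        echo "fstab: / is not on a /dev/mapper device"; problems=$((problems + 1))
    elif ! crypttab_has_target "$crypttab" "$name"; then
        echo "crypttab: no entry named '$name'"; problems=$((problems + 1))
    fi
    if ! is_mount_point "$mounts" /boot; then
        echo "/boot is not mounted: a rebuilt initrd would not reach the boot partition"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Demo on constructed files modelled on the question, with no /boot mounted.
demo() {
    d=$(mktemp -d)
    echo '/dev/mapper/root / ext3 defaults,errors=remount-ro 0 1' > "$d/fstab"
    echo 'root /dev/sda5 none cipher=aes-cbc-essiv:sha256' > "$d/crypttab"
    echo '/dev/mapper/root / ext3 rw 0 0' > "$d/mounts"
    preflight "$d/fstab" "$d/crypttab" "$d/mounts"; rc=$?
    rm -rf "$d"; return "$rc"
}

# Real use inside the chroot:
#   preflight /etc/fstab /etc/crypttab /proc/mounts && update-initramfs -u
if [ "${1:-}" = --demo ]; then demo || true; fi
```

Run with `--demo` to see the constructed case report the missing /boot mount.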

tdn (spam-thomasdamgaard) said :
#2

Thanks Mikhail Lukyanchenko, that solved my question.