Revisiting (almost) full disk encryption

I find the instructions for (almost) full disk encryption very useful. There is room for some improvements, however.

First of all, chroot is not required in tj’s scenario, because you don’t need to add a keyfile right away; you just have to type in the passphrase an extra time in the first reboot. Once the newly installed Ubuntu is up and running, you can add the keyfile and then update initramfs without chroot. I have installed multiple Ubuntu versions into the same LUKS container (with /boot included, to make space reservations easier), and I have indeed needed chroot when adding a new installation beside an existing one (and even then only because I wanted to copy&paste files from my earlier installation), but never when installing the first one.

Furthermore, reading tj’s instructions, I realized that besides grub setup, initramfs too is built rather late in the installation. Therefore, also the keyfile can be added during installation the same way as the grub setting. First, before launching the installer, you create a keyfile (not on disk but in the virtual memory that Ubuntu is running in when started from installation media), and you prepare a script that you can run during the installation. Next, you launch the installer and the script in parallel. The script then adds the keyfile and the crypttab file, as well as the grub setting, as soon as the installer has created the required paths, well before the installer updates initramfs and grub.

Currently, though, cryptsetup refuses to add a keyfile into initramfs, in clear disagreement with cryptsetup documentation (see bug #1879146).

2 Likes