Asked Sunday, February 27, 2022

I'm using Ubuntu in a corporate environment, and our security policy states that we have to use full disk encryption.



I've also got a laptop with a 32GB mSATA SSD and 750GB of spinning rust. My current installation uses bcache to leverage this, installed using this procedure. This provides a very welcome performance boost without me having to worry about filling up the SSD.



This will be a bountied question. The bounty will be awarded for :




  • A clear, reliable method of performing a fresh install of Ubuntu

    • Any release is acceptable but 15.04 (Vivid) will be fine


  • The entire filesystem will be encrypted

    • The preference here is to use the relevant checkbox in the default Ubiquity installer program (dm-crypt encryption)


  • The filesystem will be cached on an SSD

    • For preference, the kernel dm-cache / lvmcache method see here for method to do this with Debian Jessie

    • The cache must also be secured (ie encrypted)

    • There must be a clear explanation as to why the cache is also encrypted




Have already tried the method for Debian Jessie above, but it refuses to boot for me. Have not so far tried the method described in the comments here.



The posted solutions will be tested on a VirtualBox VM with two blank virtual disks and a release copy of 15.04 desktop (amd64 release). Bounty goes to the first solution that I adopt to reinstall my actual hardware.



Please write your solution as if it were going into the community wiki.






I've awarded the bounty - I think there is still potential for a "LUKS-on-LVM" solution that combines the ease of the approved answer in only having one password, with only using device-mapper components.


Answers

LVM on LUKS on bcache



Here the Russian doll game goes a little deeper, with 3 stacks/layers...



My initial idea for this question was to use a default Ubuntu install with LVM on LUKS and convert it into a bcache backing device with blocks, but it did not work for me in my test with LVM.



Moreover, the Ubuntu installer (Ubiquity) is too limited to install inside a bcache device prepared in advance (at least with LUKS on LVM), so we fall back to doing things manually.



Boot into the live CD/USB, choose "Try Ubuntu" and open a terminal.



Pre-install



sudo -i
# Define some variables to avoid confusion and errors
luks_part=/dev/sda3        # HDD partition that becomes the bcache backing device
boot=/dev/sda2             # boot partition (stays unencrypted)
caching_bcache=/dev/sdb    # SSD, or a partition on the SSD, used as the cache

# Do a secure erase of the encrypted backing and caching devices (see Notes [1]).
# Run the two dd commands one after the other: dd exits with a non-zero status
# when it reaches the end of the device, so do not chain them with && or ||.
dd if=/dev/urandom of=$luks_part bs=4M
dd if=/dev/urandom of=$caching_bcache bs=4M
# Go and grab some coffee, this will take a while...

apt-get update
apt-get install bcache-tools
# Setup bcache caching and backing devices
make-bcache -C $caching_bcache -B $luks_part
# (Optional) Tweak bcache
echo writeback > /sys/block/bcache0/bcache/cache_mode

# Below we now create manually what ubiquity should have done for us
# Setup the LUKS device on the bcache device, so that the HDD partition and
# the SSD cache only ever see ciphertext
cryptsetup --key-size 512 luksFormat /dev/bcache0
cryptsetup luksOpen /dev/bcache0 crypted

# Setup LVM on LUKS
# You can skip this part if you don't want to use swap
# or don't want multiple partitions. In that case use /dev/mapper/crypted
# as your root later on.
pvcreate /dev/mapper/crypted
vgcreate vg /dev/mapper/crypted
lvcreate -L 1G vg -n swap
lvcreate -l 100%FREE vg -n root


Installation



Keep the terminal open and now run the installation.
Choose "Something else" when partitioning and specify




  • your boot partition (/dev/sda2)

  • your root partition (/dev/mapper/vg-root)

  • your swap (/dev/mapper/vg-swap)



and check the checkbox to format your partitions.



At the end of the installation, don't reboot but just click "Continue trying ubuntu"



Post-install



In the terminal we kept open:



# Install bcache-tools to add the bcache module to the initramfs
mount /dev/mapper/vg-root /mnt
mount $boot /mnt/boot
mount -o bind /sys /mnt/sys
mount -o bind /proc /mnt/proc
mount -o bind /dev /mnt/dev
chroot /mnt
# To get apt-get running in the chroot
# (/etc/resolv.conf is a symlink into /run/resolvconf, which is empty in the chroot)
mkdir -p /run/resolvconf
echo 'nameserver 8.8.8.8' > /run/resolvconf/resolv.conf
apt-get install bcache-tools

# Create /etc/crypttab so the initramfs unlocks the LUKS container on /dev/bcache0
echo "crypted UUID=$(blkid -s UUID -o value /dev/bcache0) none luks" > /etc/crypttab
# Rebuild the initramfs now that crypttab exists, so the cryptroot hook picks it up
update-initramfs -u

exit
sync
umount /mnt/sys
umount /mnt/proc
umount /mnt/dev
umount /mnt/boot
umount /mnt
# Deactivate the volume group (by VG name) before closing the LUKS container
vgchange -an vg
cryptsetup luksClose crypted
sync

# Reboot & enjoy


There is a known Ubuntu 15.04 bug when rebooting from the Live CD/USB, so you might have to force a reboot/shutdown.



Check



Once booted, you can check that /dev/bcache0 is in fact a LUKS partition with



if sudo cryptsetup isLuks /dev/bcache0; then
    echo "crypted"
else
    echo "unencrypted"
fi


This is because it is the cache of your LUKS partition, and you now access your data via the device /dev/bcache0 and never via the original backing device (/dev/sda3 here).



References



http://bcache.evilpiepirate.org/



https://wiki.archlinux.org/index.php/Bcache



https://wiki.archlinux.org/index.php/Dm-crypt



bcache-status is not officially merged into bcache-tools, yet. You can have it here: https://gist.github.com/djwong/6343451



[1] There might be better ways to do this wiping


Answered by tusmuumu, Monday, February 28, 2022
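The answer's "Check" step only confirms that /dev/bcache0 is a LUKS container. The property the question actually asks for, that the SSD cache holds nothing but ciphertext, follows from the layer order: LUKS must sit on top of bcache, so that both the HDD partition and the SSD cache are fed only encrypted blocks. The script below is an added example, not part of the original answer and not code from bcache-tools or Ubuntu. It reads the block-device tree in the key="value" format that `lsblk -P -o NAME,TYPE,FSTYPE,PKNAME` prints and walks up from a logical volume to its raw disks, checking that the crypt layer is backed only by bcache-formatted devices and that no plaintext filesystem or swap lives outside the LUKS container. SAMPLE_LSBLK is a constructed stand-in for that lsblk output on an install laid out as in the answer (sda2 = /boot, sda3 = backing partition, sdb = SSD cache); it assumes the multi-parent bcache device is listed once per parent, as in lsblk's tree view. To check a live system, replace it with real output.

```shell
#!/bin/sh
# Added example (not from the original answer): verify from lsblk output that
# the LUKS container sits directly on the bcache device, so neither the raw HDD
# partition nor the SSD cache ever stores plaintext.
#
# Constructed sample of `lsblk -P -o NAME,TYPE,FSTYPE,PKNAME` for the layout in
# the answer above. For a real check use:
#   SAMPLE_LSBLK=$(lsblk -P -o NAME,TYPE,FSTYPE,PKNAME)
SAMPLE_LSBLK='
NAME="sda" TYPE="disk" FSTYPE="" PKNAME=""
NAME="sda1" TYPE="part" FSTYPE="" PKNAME="sda"
NAME="sda2" TYPE="part" FSTYPE="ext4" PKNAME="sda"
NAME="sda3" TYPE="part" FSTYPE="bcache" PKNAME="sda"
NAME="bcache0" TYPE="disk" FSTYPE="crypto_LUKS" PKNAME="sda3"
NAME="crypted" TYPE="crypt" FSTYPE="LVM2_member" PKNAME="bcache0"
NAME="vg-root" TYPE="lvm" FSTYPE="ext4" PKNAME="crypted"
NAME="vg-swap" TYPE="lvm" FSTYPE="swap" PKNAME="crypted"
NAME="sdb" TYPE="disk" FSTYPE="bcache" PKNAME=""
NAME="bcache0" TYPE="disk" FSTYPE="crypto_LUKS" PKNAME="sdb"
'

# field KEY LINE : value of KEY="..." in one lsblk -P line.
# The leading space keeps NAME= from matching inside PKNAME=.
field() {
    printf ' %s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p"
}

# rows NAME : every lsblk line describing NAME (multi-parent devices have several)
rows() {
    printf '%s\n' "$SAMPLE_LSBLK" | grep "^NAME=\"$1\" "
}

# parents NAME : kernel names of NAME's parent devices, one per line
parents() {
    rows "$1" | while IFS= read -r line; do
        p=$(field PKNAME "$line")
        if [ -n "$p" ]; then printf '%s\n' "$p"; fi
    done
}

# luks_on_bcache NAME : succeed if walking up from NAME reaches a crypt device
# whose LUKS container is backed only by bcache-formatted devices. That is the
# layer order in which both disks receive ciphertext only.
luks_on_bcache() {
    cur=$1
    while [ -n "$cur" ]; do
        line=$(rows "$cur" | head -n 1)
        [ -n "$line" ] || return 1
        if [ "$(field TYPE "$line")" = crypt ]; then
            container=$(field PKNAME "$line")
            for raw in $(parents "$container"); do
                rline=$(rows "$raw" | head -n 1)
                [ "$(field FSTYPE "$rline")" = bcache ] || return 1
            done
            return 0
        fi
        cur=$(field PKNAME "$line")
    done
    return 1
}

# plaintext_outside_luks : print devices carrying a filesystem or swap signature
# that are not beneath a LUKS-on-bcache crypt layer. On a correct install the
# only hit is the deliberately unencrypted /boot partition.
plaintext_outside_luks() {
    printf '%s\n' "$SAMPLE_LSBLK" | while IFS= read -r line; do
        case $(field FSTYPE "$line") in
            ext2|ext3|ext4|xfs|btrfs|vfat|swap)
                name=$(field NAME "$line")
                if ! luks_on_bcache "$name"; then printf '%s\n' "$name"; fi ;;
        esac
    done
}

if luks_on_bcache vg-root; then
    echo "root is LUKS on bcache: HDD partition and SSD cache hold ciphertext only"
else
    echo "WARNING: root is not behind a LUKS container that sits on bcache"
fi
echo "plaintext outside LUKS: $(plaintext_outside_luks | tr '\n' ' ')"
```

If the layers were stacked the other way round (bcache created on top of an opened LUKS device), the crypt entry's parent would be the raw partition with FSTYPE crypto_LUKS rather than bcache, and luks_on_bcache would fail: that is exactly the layout in which the SSD cache would fill up with plaintext blocks, which is why the answer formats LUKS on /dev/bcache0 and never touches /dev/sda3 or /dev/sdb directly.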