Solved: Installing an encrypted /, /home and swap while preserving existing partitions

Hi,

You can find these instructions also on the Ubuntu forum, but as I recently switched from Ubuntu to Zorin OS it turns out that these instructions also work for Zorin OS 16, so I am posting these instructions here for reference.

I wanted to switch from an encrypted Ubuntu installation to an encrypted Zorin OS 16 installation while preserving two other (encrypted ZFS) partitions. The installer only gives you the option to erase the entire disk if you want to encrypt the Zorin OS installation, and if you choose 'Something else' you cannot choose an encryption method. I am posting these instructions now for reference if you want a similar setup. The following instructions have been tested against Zorin OS 16:

The scenario:
I had an existing Ubuntu installation with a /dev/sda1 /boot partition, an encrypted /dev/sda2 partition and (encrypted ZFS) /dev/sda3 and /dev/sda4 partitions that I wanted to preserve.

Boot from the Zorin OS 16 Live CD and choose 'Try Zorin OS'.

Start gparted, delete the /dev/sda1 and /dev/sda2 partitions, create a /dev/sda1 partition with label '/boot' with a size of 1GB and a /dev/sda2 partition with label 'rootvg' in the remaining space. Open a terminal and encrypt the /dev/sda2 partition that will contain the volume group rootvg:

$ sudo cryptsetup -y -v -s 512 luksFormat /dev/sda2
$ sudo cryptsetup luksOpen /dev/sda2 rootvg

Create the volume group 'rootvg' and create the logical volumes 'swap' and 'root' in the volume group:

$ sudo vgcreate rootvg /dev/mapper/rootvg
$ sudo lvcreate -n swap -L <Desired size of the swap logical volume in Gigabytes>g rootvg

Check how many Physical Extents are left in the volume group:

$ sudo pvdisplay

Create the root logical volume in the remaining space:

$ sudo lvcreate -n root -l <Free PE number shown in the output of pvdisplay command> rootvg

Start the installer and install Zorin OS, choose 'Something else' as Installation type, mount /dev/sda1 on /boot, formatted as ext2; mount /dev/mapper/rootvg-root on /, formatted as ext4 and select /dev/mapper/rootvg-swap as swap. Do NOT reboot after installation.

Switch back to the terminal and get the blkid of the encrypted partition:

$ sudo blkid /dev/sda2

Prepare for update-initramfs:

$ sudo mount /dev/rootvg/root /mnt
$ sudo mount /dev/sda1 /mnt/boot
$ sudo mount --bind /dev /mnt/dev
$ sudo mount --bind /proc /mnt/proc
$ sudo mount --bind /sys /mnt/sys
$ echo "rootvg UUID=<UUID shown in the output of the blkid command without quotes> none luks,discard" | sudo tee /mnt/etc/crypttab
$ sudo chroot /mnt
$ update-initramfs -k all -c -v
$ exit

Prepare for reboot:

$ sudo umount /mnt/sys
$ sudo umount /mnt/proc
$ sudo umount /mnt/dev
$ sudo umount /mnt/boot
$ sudo umount /mnt
$ sudo swapoff -a
$ sudo vgchange -a n rootvg
$ sudo cryptsetup luksClose rootvg

Reboot and you will be prompted for the password to unlock the root volume group!

Regards,
Gijsbert
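
A check for the crypttab step above, as an added example that is not part of the original post: it extracts the LUKS UUID from a line of blkid output, builds the entry in the form the post uses, and verifies an existing crypttab against it. The function names are hypothetical and the sample blkid line is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Print the UUID from one line of `blkid` output, only if it is a LUKS container.
# Rejects other devices, e.g. the LVM physical volume inside the opened mapping.
luks_uuid_from_blkid() {
    line=$1
    case $line in
        *'TYPE="crypto_LUKS"'*) ;;
        *) echo "not a LUKS container: $line" >&2; return 1 ;;
    esac
    # The leading space keeps PARTUUID= and PTUUID= from matching.
    uuid=$(printf '%s\n' "$line" |
        sed -n 's/.* UUID="\([0-9a-fA-F-]\{36\}\)".*/\1/p')
    [ -n "$uuid" ] || { echo "no LUKS UUID in: $line" >&2; return 1; }
    printf '%s\n' "$uuid"
}

# Build the entry in the form used in the post: <name> UUID=<uuid> none luks,discard
crypttab_line() {
    printf '%s UUID=%s none luks,discard\n' "$1" "$2"
}

# Succeed only if crypttab file $1 has exactly one entry for mapping $2 and
# that entry names UUID $3 without quotes.
check_crypttab() {
    awk -v n="$2" -v u="UUID=$3" '
        /^[ \t]*(#|$)/ { next }           # skip comments and blank lines
        $1 == n { seen++; if ($2 == u && NF >= 3) ok++ }
        END { exit !(seen == 1 && ok == 1) }
    ' "$1"
}

# Constructed sample of `sudo blkid /dev/sda2` output (the UUID is made up).
SAMPLE='/dev/sda2: UUID="2f1c9a4e-5b6d-4c3a-9e8f-0a1b2c3d4e5f" TYPE="crypto_LUKS" PARTUUID="0001a2b3-02"'
crypttab_line rootvg "$(luks_uuid_from_blkid "$SAMPLE")"
```

On the live system, pass the real output of `sudo blkid /dev/sda2` to `luks_uuid_from_blkid` and run `check_crypttab /mnt/etc/crypttab rootvg "$uuid"` before `update-initramfs`.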
