
Monday, December 16, 2013

Setting Up Full Disk Encrypted LVM on RAID-1 for Ubuntu

For several years now, I have run ZFS on Linux on my home Ubuntu desktop. My friend, Matt, and I have even thrown together some pretty handy scripts for some simple Linux tasks with ZFS, such as deleting sets of snapshots and simplifying backups. It was always a lot of fun to play with, and I always felt a deep sense of loyalty to ZFS, having proudly worked at Sun Microsystems. But, sadly, the romance is over. I found myself regularly running into stability and performance issues with ZFS on Linux. Combined with a deep desire for full disk encryption (which was never open sourced by Oracle, unlike the rest of ZFS), I finally decided to pull the plug.

So what to replace it with? Well, for my personal machine, what I really wanted is reliability, flexibility, and encryption. The first, I figured, would be covered by a mirrored RAID array, although perhaps it's a bit of a stretch to call 2 disk RAID 1 an "array." The second would be covered by LVM, and for the third I'd use the standard Ubuntu LUKS setup.

I quickly learned the good news: the default Ubuntu 13.10 installer installation is a LUKS full disk encryption setup on LVM! So I started digging around for the RAID option so I could get going. Sadly, it was nowhere to be found, and the Internet confirmed it. Everyone suggested using the Ubuntu server install to get a RAID setup. However, I really don't like messing around to find every package to get the exact right desktop setup; if at all possible, I really wanted to use the standard installer.

So I dug, and dug, and dug, and I couldn't find anything with a proper explanation of how to do a standard installation with RAID. The closest I found was this EncryptedFilesystemLVMHowTo guide. So I spent a long time trying to get it all right, and I figured I ought to share the knowledge in case anyone is looking to do the same.

  1. Start by booting the Live CD or USB to the "Try Ubuntu" Desktop. The straight installer is not going to do you any good.
  2. Open a terminal and sudo -i. You'll need this root shell throughout.
  3. In the terminal, run apt-get install mdadm. This is the standard Linux software RAID manager.
  4. Open gparted and create your partitions. I ran into a bit of trouble because my disks are 3TB each. This is a problem because the standard partition table can't handle disks larger than 2TB, so I had to create a GPT partition table.
  5. In my case, because I was using GPT, I needed to create a 1Mb partition at the start of both disks and turn on the "bios_grub" flag.
  6. I then made two more partitions on each disk: a 256Mb partition which will be the boot partition, and the rest of the disk which will be the raid array. Thus, in my setup, the final partitioned devices were:
    /dev/sda1 /dev/sda2 /dev/sda3
    /dev/sdb1 /dev/sdb2 /dev/sdb3
    The devices that end in 2, I formatted as ext4. The other devices I left "unformatted," but you can format them however you like as they'll be overwritten shortly anyway.
  7. Next I created the RAID array by running in the shell:
    mdadm --create /dev/md0 --level=1 --raid-devices=2 /dev/sda3 /dev/sdb3
    This should start up a new device, /dev/md0, automatically.
  8. Next, I created the encrypted LUKS device. In this particular case, the Ubuntu GUI works quite well, so I used the "Disks" utility provided by Ubuntu, selected the md0 device, selected "format," and chose the "encrypted + ext4" option. Enter your password of choice, and click "OK."
  9. Now you should have a new encrypted device whose unencrypted version is mapped inside /dev/mapper. It will probably be a long, complicated ID, but let's call it /dev/mapper/luks-dev for this tutorial.
  10. Now to create the LVM partitions. I wanted 3 LVM partitions: 1 for swap, 1 for my root install, and 1 for my home directory. Part of the beauty of LVM, though, is that you can change these up later. I set them up with the following:
    1. pvcreate /dev/mapper/luks-dev
    2. vgcreate ubuntu /dev/mapper/luks-dev
    3. lvcreate -L 20G -n swap ubuntu
    4. lvcreate -L 300G -n root ubuntu
    5. lvcreate -L 2.5T -n home ubuntu
  11. After the previous step, you should now have the /dev/mapper/ubuntu-swap, /dev/mapper/ubuntu-root, and /dev/mapper/ubuntu-home devices. Now start the Ubuntu installer, following the onscreen instructions until you get to the partition screen.
  12. Select "other" for the partitioning method. You will have to tell the installer where you want everything to go.
  13. Select your swap, root, and home partitions, telling the installer to format swap as a swap partition and root and home as ext4, setting their mount points to / and /home, respectively. Additionally, select /dev/sda2, setting the mount point to /boot.
  14. Finally, click "install" and follow the on screen instructions until it has completely finished.
  15. Almost there, but not quite. Unfortunately, the installer didn't know that you were installing on top of RAID, LUKS, or LVM, so you're going to have to manually update some of the installation yourself. First things first, you need to mount your new installation and chroot into it. Run the following to get that set up:
    1. mount /dev/mapper/ubuntu-root /mnt
    2. mount /dev/mapper/ubuntu-home /mnt/home
    3. mount /dev/sda2 /mnt/boot
    4. mount --bind /dev /mnt/dev
    5. mount --bind /sys /mnt/sys
    6. mount --bind /proc /mnt/proc
    7. mount --bind /etc/resolv.conf /mnt/etc/resolv.conf
    8. chroot /mnt
  16. You should now be in a chroot of your new install. Run apt-get install mdadm initramfs-tools to make sure you have RAID and initramfs setup tools installed on your system.
  17. Next, edit /etc/crypttab in your text editor of choice. It may not exist yet, but that's okay. Add the following line:
    luks-dev   /dev/md0   none   luks,retry=1,lvm=ubuntu
    where luks-dev is the name of your encrypted device that we're calling /dev/mapper/luks-dev.
  18. Next, you need to update your initramfs so the system knows how to boot, then install it on your grub device so the system can find it. Do this by running the following:
    1. update-initramfs -k all -c
    2. update-grub
    3. grub-install /dev/sda
  19. Finally, you probably want to copy your grub partition to your second RAID device so you can theoretically boot from either disk (in practice, these will get out of sync, so if your main boot device fails, you'll probably have to boot into a Live CD/USB and reinstall grub to the second disk). To do this copy, first load gparted to get the starting sector of /dev/sda3 (let's pretend that number is 50000) and subtract 1. Then run dd if=/dev/sda of=/dev/sdb count=49999.
  20. Now reboot, and you should be good to go!
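
A quick way to confirm the finished stack is what you intended (an added example, not part of the original post): the script below walks `lsblk --json -o NAME,TYPE,MOUNTPOINT` output and reports any mounted or swap volume that has no crypt layer or no RAID layer beneath it. The sample input is constructed to match the layout above, with luks-dev as the placeholder mapping name; treating an unencrypted /boot as acceptable is this example's assumption.

```python
import json

# Constructed sample of `lsblk --json -o NAME,TYPE,MOUNTPOINT` for the layout in
# this post; "luks-dev" is the tutorial's placeholder name for the LUKS mapping.
SAMPLE = json.dumps({"blockdevices": [
    {"name": disk, "type": "disk", "mountpoint": None, "children": [
        {"name": disk + "1", "type": "part", "mountpoint": None},
        {"name": disk + "2", "type": "part",
         "mountpoint": "/boot" if disk == "sda" else None},
        {"name": disk + "3", "type": "part", "mountpoint": None, "children": [
            {"name": "md0", "type": "raid1", "mountpoint": None, "children": [
                {"name": "luks-dev", "type": "crypt", "mountpoint": None, "children": [
                    {"name": "ubuntu-swap", "type": "lvm", "mountpoint": "[SWAP]"},
                    {"name": "ubuntu-root", "type": "lvm", "mountpoint": "/"},
                    {"name": "ubuntu-home", "type": "lvm", "mountpoint": "/home"},
                ]}]}]}]}
    for disk in ("sda", "sdb")]})


def walk(node, chain=()):
    """Yield (mountpoint, name, types of the node and all its ancestors)."""
    chain = chain + (node["type"],)
    if node.get("mountpoint"):
        yield node["mountpoint"], node["name"], chain
    for child in node.get("children", []):
        yield from walk(child, chain)


def audit(lsblk_json, allowed_plain=("/boot",)):
    """Return findings for mounted/swap devices lacking a crypt or RAID layer."""
    seen, findings = set(), []
    for disk in json.loads(lsblk_json)["blockdevices"]:
        for mount, name, chain in walk(disk):
            if (mount, name) in seen:      # md0's subtree is listed under both disks
                continue
            seen.add((mount, name))
            if "crypt" not in chain and mount not in allowed_plain:
                findings.append(f"{name} on {mount}: not encrypted")
            if not any(t.startswith("raid") for t in chain):
                findings.append(f"{name} on {mount}: not mirrored")
    return findings


if __name__ == "__main__":
    # On a live system, pass in the output of: lsblk --json -o NAME,TYPE,MOUNTPOINT
    for line in audit(SAMPLE) or ["all mounted volumes are encrypted and mirrored"]:
        print(line)
```

With the sample layout the only finding is that /boot on sda2 is not mirrored, which is the gap step 19 works around.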

Thursday, April 25, 2013

Creating a new GNOME screen lock button (or any other application button)

The reasons are not super important, but I want a screen lock button in my panel. I happen to be using lxpanel, although this should work for adding a screen lock button to the menu of any GNOME system. I could have sworn this existed in the past, but I could not find head nor tail of it anymore. In any case, what I really want is to add a menu item to GNOME. Much of what I did was shamelessly taken from http://forum.lxde.org/viewtopic.php?f=8&t=31300. What I did is as follows:

  1. Open up a new file /usr/share/applications/screenlock.desktop. Obviously, you can name this whatever you want, and you will probably want to name it appropriately for whatever application you are adding to your menu, although it must end in .desktop.

  2. In this new .desktop file, add the following:
    [Desktop Entry]
    Name=ScreenLock
    Comment=Lock your screen
    Icon=system-lock-screen
    Exec=gnome-screensaver-command --lock
    NoDisplay=false
    Type=Application
    Categories=Settings;DesktopSettings
    
  3. Obviously, change the name, comment, and icon for whatever you want to add. Most importantly, make sure to update Exec to whatever command it is you actually want to execute. You can change the categories, too, although I have not explored them much and don't really know what categories exist.

  4. Now you should have a new menu item. If you have a GNOME menu accessible, you should be able to go to Menu -> Preferences and see the new ScreenLock entry. However, what I want is to add it to my panel. I'll describe this for lxpanel, but I believe it should be quite similar for the GNOME 3 panel. Start by right clicking on your panel and going to "Panel Settings."

  5. Click on Panel Applets -> Add and select Application Launch Bar.

  6. From here, you can select the menu item to execute. In this case, I selected Preferences -> ScreenLock and then clicked Add.

That's about it; you should have a screen lock button in your panel now.

Monday, December 31, 2012

Running commands on resume on a Linux laptop

I recently installed Ubuntu 12.04 on a MacBook Air. There are some great instructions on how to do this on the Ubuntu wiki and everything basically went smoothly (of course, my desire to install ZFS on Linux added many complications). However, I quickly ran into a problem that I've experienced on numerous Linux laptops in the past: how to middle click.

Of course, on a normal Linux machine, middle click is an invaluable copy and paste tool. Unfortunately, modern laptops don't have any buttons, much less a middle click. Generally speaking, button clicks are simulated via multitouch capabilities of trackpads, and they do not, by default, simulate middle clicks. Fortunately, it turns out that if you're using the synaptics trackpad driver (the default if you follow the instructions on the MacBook Air install wiki page), there's an easy command to turn on middle click simulation with a three-fingered click:

synclient TapButton3=2 ClickFinger3=2 PalmDetect=1

Great! Works perfectly! Except, it resets every time you suspend and resume your laptop. Apparently, when you resume from a suspend, the trackpad disappears and then reappears, so the options to the synaptics driver are reset. Very frustrating. This brings us to the second problem that I've run into in the past: how to run a script on resume, which seems to be the only way to reset these settings.

How to do this varies from setup to setup, but in my case (Ubuntu on a Macbook Air), it seems that the Gnome Power Management (pm) module controls these things. In fact, it turns out that one can add a new script to run in the /etc/pm/sleep.d directory that will get run on suspend and resume.

Unfortunately, solving our particular problem is not as straightforward as we'd like. When you resume, you have to (a) wait for the X server to start up again, and (b) select which display you want to run the command on. It took a while, but I was able to find a good suggestion on how to do this on a web forum that you can find here.

I created the following script that solves my problems. Don't forget, you'll also need to run the command on login, but that generally is much easier. Of course, you can pretty easily generalize this script to run just about anything you need on resume.
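
#!/bin/sh
# /etc/pm/sleep.d/01_middle_click
# Re-applies the trackpad settings after resume. The file must be executable.
resume_middle_click()
{
 echo "updating middle click..."
 # Give the X server a few seconds to come back before talking to it.
 sleep 5
 # Run synclient as the desktop user (jww here; use your own) on display :0.0.
 if DISPLAY=:0.0 su jww -c "synclient TapButton3=2 ClickFinger3=2 PalmDetect=1"; then
  echo "middle click update succeeded!"
 else
  echo "middle click update failed" >&2
 fi
}
# The hook is called with the event name as $1; run in the background so
# the sleep above does not hold up the rest of the resume.
case "${1}" in
 resume|thaw) resume_middle_click & ;;
esac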