On this page

  1. Encrypted Root LVM

Encrypted Root LVM

I am assuming that you already know how to set up an encrypted file system using cryptsetup with luks (or something else). There are several howtos. I am also assuming that you are familiar with LVM2.

This tutorial deals only with how to add an extra encrypted physical volume to a volume group pool containing other encrypted physical volumes. This is typical scenario if, at first, you have set up your encryption at a physical partition level (/dev/sdaX where X is the a number of your partition), then you setup your LVM on top of the encrypted partition. If at some later time you want to add another partition in your volume group, you will also want to have it encrypted in order to maintain the same level of security.  In order for your machine to boot, initramfs needs to be able to unlock both PVs in order to reconstruct the entire volume group where your root lv is lying.

Some few weeks ago I installed Ubuntu (Hardy Heron 8.04) on my thinkpad T60. My boss recommended that I set it up with encrypted LVM (at least for the home logical volume). I used a tutorial at https://help.ubuntu.com/community/EncryptedFilesystemLVMHowto.

 After I was done, I ended up with something looking like this:

My initial encrypted lvm setup

As you can see in the figure above, everything  is encrypted except the /boot partition. This setup worked fine. When I booted after initramfs loaded my kernel image, it proceeded to prompt for the password to unlock pvcrypt. Without this step, it wouldn't be able to decrypt and mount the root logical volume.

A problem arose as soon as I thought it was time to add the remaining 20GB on /dev/sda3  into my volume group. The issue is pvcrypt (/dev/sda2) is encrypted, and it will break my whole security if I just created a physical volume from /dev/sda3 and then add it to the volume group. Why? Because it wouldn't be encrypted and the data that would end up on it from the logical volumes wouldn't be encrypted. The quickest way to deal with the issue was to encrypt it too as pvcrypt0 then I would add it to my volume group and end up with something like in the following figure.

My encrypted LVM

The figure above shows my lvm setup after adding the 20GB partition in the volume group as an encrypted pv (pvcrypt0).

The problem with this is that initramfs needs to be told to ask for the second password in order to unlock pvcrypt0 and reconstruct the volume group. If you don't do this, initramfs will only prompt for the password of pvcrypt but it will ultimately fail to boot since it won't be able to unlock the pvcrypt0.

First examine the file cryptroot in your kernel image. To do this unpack your kernel image in a directory:

mkdir /tmp/foo
cd /tmp/foo
zcat /boot/initrd.img-$(uname -r) | cpio -iv
cat conf/conf.d/cryptroot

Your cryproot file should look like this:


Obviously, you won't be prompted for pvcrypt0 password. To tell initramfs to ask for the second password at boot time, you need to add it to the cryptroot (eventually create it) file in /etc/initramfs-tools/conf.d:

cd /etc/initramfs-tools/conf.d
vim cryptroot

Add this this line and save the file.


Now run update-initramfs (update the kernel boot image(s)):

update-initramfs -k all -u

When this is done, you can now check if your updated kernel image knows about pvcrypt0:

cd /tmp/foo
zcat /boot/initrd.img-$(uname -r) | cpio -iv
cat conf/conf.d/cryptroot

This time you should get two lines:


Et voilà. When you reboot. Initramfs will ask for two password. It will be nice if there was a way of telling initramfs to attempt to use the same password. A simple way to not have to type the second password would be to actually have it in a key file.

Share this page:

Suggested articles

4 Comment(s)

Add comment


By: Anonymous

With the Debian / Ubuntu alternate installer (text), you can select the options of Use whole disk, Use whole disk / lvm, Use whole disk with crypto.

With the last option, it sets up all the encryption - no fuss, no problem,  at install.

Much easier than that old Ubuntu Tutorial.

By: Carlos C

This was really helpful to me, and I succeeded in adding an encrypted physical volume while running under Ubuntu 10.04. However, there are a few things I would like to contribute that might help the next person reading this article. The arguments "lvm=vg0-root,lvm=vg0" from the line added to cryptroot do not seem to be correct as far as I can tell. The correct syntax is "lvm=/dev/mapper/vgname-lvname" where vgname is the volume group name and lvname is the logical volume name. In the scenario described above you only need ONE per line, not TWO. Eg Give "lvm=XXX", not "lvm=XXX,lvm=YYY" on a single line of cryptroot. Since I couldn't find the syntax of cryptroot documented anywhere, I went to the source to figure out the syntax: /usr/share/initramfs-tools/scripts/local-top. [Developers can read methods activate_vg(), setup_mapping(), and parse_options() for details ] The target variable contains the name of the device file created in /dev/mapper that is associated with the decrypted physical volume. So "target=pvcrypt0" results in the file /dev/mapper/pvcrypt0, which you can then use in a command such as "vgextend vg0 /dev/mapper/pvcrypt0". The source variable can also be used with UUIDs: "source=UUID=ENTER_YOUR_UUID_VALUE_HERE" You might want to create a backup of your initrd files prior to running "update-initramfs" if you aren't 100% sure of what you're doing. Backup the files returned by "ls /boot/initrd.img-*". Note that the file /etc/initramfs-tools/conf.d/cryptroot may not already exist, so just create it.

By: Anonymous

Holy grail! Those f*cking diagrams you made above helped me to finish with my 2 days trying to install debian in a hard disk with windows on it and encrypting the different partitions (root, home and swap) with only one keypassphrase.

Thank you so much dude! I owe you a beer! ;-)

By: romulo

It really helped me, there exist a lot of mess around there on internet about root partition encryption, a mix of grub, crypttab, initram, etc. Thanks!