Debian/Ubuntu 2TB+ GPT-HDD, RAID & encrypted LVM


Not just as a reminder for myself but for everyone having trouble setting up an encrypted LVM on top of a Linux software RAID on top of two or more 2TB+ hard disks. The tricky part here is the hard disks, which need to have a GPT partition table. Another issue is today's new (U)EFI mainboards.

Another positive aspect is that you can secure your data much better against typical suspects like the NSA or other surveillance parties.

What's the problem with (U)EFI?

Well, mainly nothing, except that it makes one's life harder when setting up operating systems and choosing the right bootloader. Is it just GRUB2 or GRUB-EFI?
I'll show you a good method here that I have tested on Ubuntu 12.04 LTS and on a Debian Wheezy machine (it should work on other distros as well). One was on real hardware with UEFI and one with two 2TB disks in a VirtualBox VM (to show you some helpful screenshots).

Let's start with the (U)EFI part

Let us start with the most basic part, (U)EFI. You can find it on every newer mainboard. For a successful setup you need to set it to "Legacy" or "Legacy+UEFI" mode in your BIOS. Please refer to your mainboard manual on how to accomplish that. This is important so that the installer will install the classic GRUB2 instead of GRUB-EFI. See the "reserved BIOS boot area" part of Partitioner #1.

How to boot the Install-CD?

Another key part of the whole installation is how you boot the installer. Debian and Ubuntu use the debian-installer, which has an expert mode. This is what we need.
On Ubuntu, before booting the installer, press F6 and mark the expert mode there. On a Debian CD, just go to "Advanced Options" and boot the expert mode.

How to Boot the Installer

I'll explain later why this is important.

The Installer components

After booting, continue like you always would until you come to the "Installer Components" part where you have to choose some of them: choose-mirror, crypto-dm-modules...(only on Debian), load-media and parted-udeb.

Which installer components do we need?

Then continue the installation process until you reach the partitioner.

Partitioner #1

First, create an empty partition table on each of your hard drives. Here comes the key part: at this step the expert install allows us to choose "gpt" as the partition table type, which is necessary for 2TB or larger hard drives!

Partition Table Type

Now create a "1MB" large partition on every drive and use it as a "reserved BIOS boot area".

EFI BIOS Partition

This will become important for a successful GRUB installation: since there is no MBR anymore on GPT disks, GRUB will install itself on those small partitions, and this will do the trick.

Partitioner #2

Now create two more partitions on each drive. By the way, it's important to create the exact same partitions and sizes on each drive for a successful RAID creation.

The first partition should be around 256MB in size. This will become our RAID device for /boot. The second partition can take up all the rest of your hard disk. This will become our encrypted LVM RAID disk. For both partitions use the "physical volume for RAID" setting.

Now your partition table should look like the following.

Partition Table Step One

Configure the RAID devices

Now we will configure the software RAID by creating two MD devices. One with both smaller partitions and one with the two larger ones. That's it.

Configure RAID

Configure the crypto device (for LVM use later)

Use the larger partition as a "physical volume for encryption" then let us "configure encrypted volumes". The recommendations on Debian Wheezy and Ubuntu are as follows.

Configure Crypto Device

If you cannot wait, you can also abort the erase of the volume. Now define a passphrase (if you have chosen the defaults) for your encrypted volume, but beware: NEVER LOSE THAT PASSPHRASE OR YOU WILL LOSE YOUR DATA.

Create the LVM on your new crypto volume

Now use the new crypto volume as a "physical volume for LVM". The whole thing now feels like a matryoshka doll, doesn't it?

Creating LVM on Crypto Device

Now let us configure the LVM. This will be quite basic stuff again. First, create a volume group, "vg0" for example. Then create logical volumes for your most basic partitions, like swap or the root filesystem, with the sizes you desire. Special tip here: you can safely use smaller partition sizes in an LVM, since you can mostly do an online resize of the disks if you need more space.
After you have done this and created the mount points, everything is done and it should look like this. (Did you remember to create the /boot partition on the smaller first RAID device? Check the picture if not!)

Configure LVM Volumes

Almost done

Now write all changes to disk and continue the installation. At the point where you need to install GRUB, just install it in the MBR as advised (it will mostly choose /dev/sda for it automatically). Now finish the installation, and after a smooth reboot you'll be presented with an "Enter passphrase" login for your personal Fort Knox.

Booted System
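
Once the system has booted, the layering built above (LVM on the encrypted volume on RAID1, with /boot directly on its own small RAID1) can be checked from `lsblk` output. The script below is an added example, not part of the original post; the device names in the sample are constructed, and it assumes an `lsblk` that supports the KNAME and PKNAME columns.

```shell
#!/bin/sh
# Added example (not from the original post): check the finished stack.
# Reads `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT` output on stdin and prints
# "<mountpoint> <layers, top to bottom> <verdict>" for every mounted volume.
check_stack() {
    awk '
    # Extract the value of KEY="value" from the current line.
    function val(key) {
        if (!match(" " $0, " " key "=\"[^\"]*\"")) return ""
        return substr(" " $0, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
    }
    {
        k = val("KNAME"); type[k] = val("TYPE")
        # A RAID1 device is listed once per member; any one parent will do.
        if (val("PKNAME") != "") parent[k] = val("PKNAME")
        if (val("MOUNTPOINT") != "") mnt[k] = val("MOUNTPOINT")
    }
    END {
        for (k in mnt) {
            layers = ""; n = 0
            for (d = k; d != "" && n++ < 16; d = parent[d])
                layers = layers (layers == "" ? "" : ">") type[d]
            if (mnt[k] == "/boot")   # /boot sits directly on the small RAID1
                ok = (layers ~ /^raid1>part>disk$/) ? "ok-unencrypted" : "FAIL"
            else                     # everything else: LVM on crypt on RAID1
                ok = (layers ~ /^lvm>crypt>raid1>part>disk$/) ? "ok" : "FAIL"
            print mnt[k], layers, ok
        }
    }' | LC_ALL=C sort
}

# Constructed sample for one disk of the mirror (the second disk looks the same).
sample_lsblk() {
    cat <<'EOF'
KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="md0" PKNAME="sda2" TYPE="raid1" MOUNTPOINT="/boot"
KNAME="sda3" PKNAME="sda" TYPE="part" MOUNTPOINT=""
KNAME="md1" PKNAME="sda3" TYPE="raid1" MOUNTPOINT=""
KNAME="dm-0" PKNAME="md1" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="[SWAP]"
EOF
}

sample_lsblk | check_stack
```

On the installed machine, run `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT | check_stack`; a `FAIL` on swap or the root filesystem means that volume is not sitting on the encrypted RAID device.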

Have fun encrypting your data!