The reason for doing this is that the installer doesn't seem to work properly for LUKS and the server installer doesn't even support LUKS anymore. When you use the GUI install on Desktop for LUKS it won't boot and will just hang after you enter your password. So the only reliable way is to do it ourselves.
1.) Make a default minimal install of Ubuntu
2.) Have a secondary disk on the server or VM.
ssh-keygen -p -f /path/to/your/id_rsa
Enter new passphrase (empty for no passphrase):
After that your rsa private key will be encrypted which is a layer of protection and security in the event that somehow someone acquires your key and tries to access servers that the key is authorized on.........
The key thing here is to know the actual partition that is encrypted.
Often in Linux Mint's installer that ends up being partition 5 or /dev/sda5
sudo cryptsetup luksOpen /dev/sda5 anynamehere
You will then be prompted for your irrecoverable passphrase:
Enter passphrase for /dev/sda5:
If all goes well it won't say anything further. If it says ""No key available with this passphr........
The easiest way to recover or mount an off-line ecryptfs directory is the built-in command from ecryptfs
sudo ecryptfs-recover-private It will find your wrapped passphrase and ask for your password and mount it in tmp. Much easier especially when your current active OS is using ecryptfs too.
This a fantastic tool when going through old backups.........
Enter your login passphrase:
Inserted auth tok with sig [ee16d84] "into the user session keyring
mount: No such file or directory"
[ 156.118113] ecryptfs_mount: kern_path() failed
[ 156.118431] Reading sb failed; rc = [-2]
[ 164.233055] traps: mate-notificati trap int3 ip:7f43d7002c13 sp:7fff162c6600 error:0
[ 166.017061] ecryptfs_mount: kern_path() failed........
This is based on Debian Linux but should apply equally to any *nix distro.
apt-get install cryptsetup
Setup your LUKS Partition
Of course change /dev/md2 with whatever partition you intend to use LUKS on.
cryptsetup --verbose --verify-passphrase luksFormat /dev/md2
You'll be asked to verify your decryption password twice
*DO NOT FORGET THIS PASSWORD AS IT IS NOT RECOVERABLE!........
Shortcut/Easiest Way To Create A Self-Signed Key:
openssl req -new -x509 -nodes -days 1530 -out server.crt -keyout server.key
Using the above, you instantly create a self-signed certificate valid for 1530 days and you can simply skip to step #5.) below.
If You Need a Real SSLCertificate (eg. Equifax/Openssl) then you need to create a CSR request (you'll need to follow Steps 1.) and 2.) in order to create the CSR. You then upload the CSR Certi........