[GH-ISSUE #367] Unable to encrypt /home before the installation #97

Closed
opened 2026-05-07 00:18:51 +02:00 by BreizhHardware · 12 comments

Originally created by @fluuflute on GitHub (Mar 2, 2023).
Original GitHub issue: https://github.com/ovh/the-bastion/issues/367

Hello,

If we follow the documentation, we can't encrypt /home before the installation: https://ovh.github.io/the-bastion/installation/basic.html#encrypt-home. We get this error:

root@server:~# /opt/bastion/bin/admin/setup-encryption.sh
*** Checking whether the proper tools are installed
`-> [ OK ]
*** Checking whether the install script has run
`-> [ERR.] The '/etc/bastion/luks-config.sh' file doesn't exist, did you run the '/opt/bastion/bin/admin/install' script before?
@speed47 commented on GitHub (Mar 2, 2023):

Hello,

Thanks for the report, this is actually fixed in this branch: https://github.com/ovh/the-bastion/pull/366

It's not yet merged; if you want to go through it manually, you can run this before calling setup-encryption.sh:

cp /opt/bastion/etc/bastion/luks-config.sh.dist /etc/bastion/luks-config.sh

@speed47 commented on GitHub (Mar 3, 2023):

Fix merged to main branch, closing as fixed. Please reopen if needed :)

@fluuflute commented on GitHub (Mar 3, 2023):

Thank you!

@ksourdrille commented on GitHub (Mar 15, 2023):

Hello @speed47,

I'm not able to encrypt /home before installation either, as in this issue. I ran cp /opt/bastion/etc/bastion/luks-config.sh.dist /etc/bastion/luks-config.sh when I got this error: [ERR.] The '/etc/bastion/luks-config.sh' file doesn't exist, did you run the '/opt/bastion/bin/admin/install' script before?

and this:
[image: https://user-images.githubusercontent.com/100124349/225271627-18e03040-1e21-40c7-8f88-694d8ae1ae41.png]

Modified in the script:
[image: https://user-images.githubusercontent.com/100124349/225271978-55f1aeef-1e6a-4193-945c-37eee412ea26.png]

but I still get the error:
[image: https://user-images.githubusercontent.com/100124349/225272128-b089bd3d-31a3-4796-aac3-85504c00521a.png]

Do you have any idea?

Kélian

@fluuflute commented on GitHub (Mar 15, 2023):

Hello @keliansrdl,

To resolve the problem, I install the bastion first, then I encrypt /home:

/opt/bastion/bin/admin/install --new-install
/opt/bastion/bin/admin/setup-encryption.sh
@ksourdrille commented on GitHub (Mar 15, 2023):

Hello @f-fatien, thanks for your answer. I already tried this; my bastion is installed now and I have the error:
[image: https://user-images.githubusercontent.com/100124349/225290275-61cdf46c-89ca-4ce5-ae18-8399f274d10b.png]

I saw this:
[image: https://user-images.githubusercontent.com/100124349/225290371-a4e85ee7-54a3-47e5-8803-e348da83a08f.png]

Did I have to run this command before launching the script?

UPDATE: I generated codes with the command before running the script, and I still get the error.

Kélian

@fluuflute commented on GitHub (Mar 15, 2023):

No, pwgen is just to generate a strong password for the passphrase.
Maybe the script aborts because you wrote 'yes' in lowercase. Try writing YES in capital letters.

@ksourdrille commented on GitHub (Mar 15, 2023):

OK, you're right, it was "YES" instead of "yes", but now I have a new error 😢 Thanks.
[image: https://user-images.githubusercontent.com/100124349/225302236-997ba093-453d-43eb-a913-605a2237726a.png]

Do you know if LVM impacts this?

Kélian

@speed47 commented on GitHub (Mar 16, 2023):

The script tries to umount the partition before calling cryptsetup on it, precisely to ensure the partition is not currently in use. So either the umount didn't work (but the script should have told you and aborted), or you have this partition mounted in several different places (maybe using mount -o bind).

The script can't detect all cases and oddities that can occur on all systems, this is just a helper to save you some time. You can always encrypt your /home partition yourself before installing the bastion. If you want to retry it, can you try a clean reinstall, and if it fails, paste the complete non-truncated output you have?

Side note: LVM shouldn't cause any problem, we use it without issues.

@ksourdrille commented on GitHub (Mar 17, 2023):

Hello @speed47,

Same on a clean install:
[image: https://user-images.githubusercontent.com/100124349/225874400-885e23cb-70dc-48b3-a98c-7516be3868a4.png]

I'm able to umount /home without error:
[image: https://user-images.githubusercontent.com/100124349/225874664-65c66a31-068a-4aea-8c50-6373d6245ec1.png]

Where can I see if /home is in use and blocking the script?

Kélian

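The check Kélian asks for above, covering the two cases speed47 lists (a umount that did not really release the device, and the device mounted in several places through bind mounts), as an added diagnostic script that is not part of The Bastion. It parses the mount table to list every mount point backed by the device behind /home, asks fuser which processes still hold it, and scans other processes' mount namespaces for the same device: a snap runs in its own mount namespace, so a bind mount there keeps the device busy without showing up in the host's mount table, which is consistent with the thread being resolved by removing snapd. The sample mount table, its /var/lib/example bind-mount path and the loop device line are constructed for the example; the LVM device name is the one from the output posted later in this thread.

```shell
#!/bin/sh
# Added diagnostic for this thread (not part of The Bastion): find out why the
# block device behind /home still looks "in use" after a plain umount succeeds.
# /proc/self/mountinfo fields are:
#   id parent major:minor root mountpoint opts [optional...] - fstype source superopts
# so the mount point is field 5 and the source device is two fields past the "-".

# Constructed sample mount table: /home is mounted at /home and, as speed47
# describes, a second time as a bind mount (the /var/lib/example path is made up).
SAMPLE_MOUNTINFO='36 25 0:32 / / rw,relatime shared:1 - ext4 /dev/mapper/ubuntu--vg-root rw
40 36 253:1 / /home rw,relatime shared:2 - ext4 /dev/mapper/ubuntu--vg-homedir rw
41 36 253:1 /user /var/lib/example/home rw,relatime shared:2 - ext4 /dev/mapper/ubuntu--vg-homedir rw
42 36 7:0 / /snap/core/1234 ro,relatime shared:3 - squashfs /dev/loop0 ro'

# Print the source device of mount point $2 found in mountinfo text $1 (nothing if absent).
source_of_mountpoint() {
    printf '%s\n' "$1" | awk -v mp="$2" '$5 == mp {
        for (i = 7; i <= NF; i++) if ($i == "-") { print $(i + 2); exit }
    }'
}

# Print every mount point at which source device $2 appears in mountinfo text $1.
mountpoints_of_source() {
    printf '%s\n' "$1" | awk -v src="$2" '{
        for (i = 7; i <= NF; i++) if ($i == "-") { if ($(i + 2) == src) print $5; break }
    }'
}

# Count how many times source device $2 is mounted in mountinfo text $1.
# More than 1 means "umount /home" alone leaves the device busy.
count_mounts_of_source() {
    mountpoints_of_source "$1" "$2" | wc -l | tr -d ' '
}

# Run the three checks on this host for the given mount point (default /home).
# fuser and other processes' mountinfo need root to be complete.
check_live() {
    mp=${1:-/home}
    mi=$(cat /proc/self/mountinfo)
    src=$(source_of_mountpoint "$mi" "$mp")
    if [ -z "$src" ]; then
        echo "$mp is not a mount point in this namespace"
        return 1
    fi
    echo "== $mp is backed by $src, mounted in this namespace at:"
    mountpoints_of_source "$mi" "$src"
    echo "== processes with open files, cwd or mmaps under $mp:"
    fuser -vm "$mp" 2>&1 || true
    echo "== other mount namespaces that still have $src mounted:"
    self_ns=$(readlink /proc/self/ns/mnt)
    for p in /proc/[0-9]*; do
        ns=$(readlink "$p/ns/mnt" 2>/dev/null) || continue
        [ "$ns" = "$self_ns" ] && continue
        if [ "$(count_mounts_of_source "$(cat "$p/mountinfo" 2>/dev/null)" "$src")" -gt 0 ]; then
            echo "pid ${p#/proc/} ($(tr '\0' ' ' < "$p/cmdline" | cut -c1-60)) in $ns"
        fi
    done
}

# Usage: sh check-home-busy.sh /home   (file name is hypothetical)
if [ $# -gt 0 ]; then
    check_live "$1"
fi
```

Run it as root before setup-encryption.sh: if the device shows up under more than one mount point, or in another process's mount namespace, a successful umount /home is not enough and that second holder has to be undone (or the encryption done by hand on an unmounted device) before cryptsetup can safely reformat it.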

@ksourdrille commented on GitHub (Mar 17, 2023):

@speed47
UPDATE: I uninstalled snapd and it works now:

→ /opt/bastion/bin/admin/setup-encryption.sh
*** Checking whether the proper tools are installed
`-> [ OK ]
*** Checking whether the install script has run
`-> [ OK ]
*** Checking whether /home is a separate partition
`-> [ OK ] ... found /dev/mapper/ubuntu--vg-homedir
*** Checking whether /home is in /etc/fstab
`-> [ OK ] ... # /home was on /dev/ubuntu-vg/homedir during curtin installation
/dev/disk/by-id/dm-uuid-LVM-U3Qe7Pacb26uyDdpO9D0KbYfzrvxRI1K0VECS0UZMkQ1T1b6GAmXiPy1cixe0ztW /home ext4 defaults 0 1
*** Checking whether we can umount /home
`-> [ OK ]
*** Checking whether we can remount /home
`-> [ OK ]
*** Checking used space in /home
`-> [ OK ] ... 1 MiB
*** Checking available space in /
`-> [ OK ] ... 9021 MiB
*** Checking whether there is enough available space in / to hold /home contents temporarily
`-> [ OK ]
*** Creating temporary /tmphome
`-> [ OK ]
*** Rsyncing /home to /tmphome
sending incremental file list
./
user/
user/.bash_history
             27 100%    0,00kB/s    0:00:00 (xfr#1, to-chk=8/11)
user/.bash_logout
            220 100%  214,84kB/s    0:00:00 (xfr#2, to-chk=7/11)
user/.bashrc
          3.771 100%    3,60MB/s    0:00:00 (xfr#3, to-chk=6/11)
user/.profile
            807 100%  788,09kB/s    0:00:00 (xfr#4, to-chk=5/11)
user/.sudo_as_admin_successful
              0 100%    0,00kB/s    0:00:00 (xfr#5, to-chk=4/11)
user/.cache/
user/.cache/motd.legal-displayed
              0 100%    0,00kB/s    0:00:00 (xfr#6, to-chk=1/11)
user/.ssh/
user/.ssh/authorized_keys
              0 100%    0,00kB/s    0:00:00 (xfr#7, to-chk=0/11)

sent 5.531 bytes  received 168 bytes  11.398,00 bytes/sec
total size is 4.825  speedup is 0,85
`-> [ OK ]
*** Rsync done, here are some details:
`-> ls /home   : . ./lost+found ./user ./user/.ssh ./user/.ssh/authorized_keys ./user/.bashrc ./user/.profile ./user/.bash_history ./user/.cache ./user/.cache/motd.legal-displayed ./user/.bash_logout ./user/.sudo_as_admin_successful
`-> ls /tmphome: . ./user ./user/.bashrc ./user/.bash_logout ./user/.bash_history ./user/.profile ./user/.sudo_as_admin_successful ./user/.cache ./user/.cache/motd.legal-displayed ./user/.ssh ./user/.ssh/authorized_keys
`-> du -shc /home   : 48K       total
`-> du -shc /tmphome: 32K       total
`->
`-> Does this look reasonable? [CTRL+C if not]

*** Umounting /home
`-> [ OK ]
*** Erasing /home block device and encrypting it (last chance to cancel!)
`-> You should generate a strong password on your desk, with e.g. `pwgen -s 10`
WARNING: Device /dev/mapper/ubuntu--vg-homedir already contains a 'ext4' superblock signature.

WARNING!
========
This will overwrite data on /dev/mapper/ubuntu--vg-homedir irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/mapper/ubuntu--vg-homedir:
Verify passphrase:
`-> [ OK ]
*** Opening newly encrypted block device
Enter passphrase for /dev/mapper/ubuntu--vg-homedir:
`-> [ OK ]
*** Creating a new filesystem on top of the encrypted block device
mke2fs 1.46.5 (30-Dec-2021)
Creating filesystem with 3789824 4k blocks and 3789952 inodes
Filesystem UUID: 96685440-2a58-4f6b-86f0-cea0fe1e2e27
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208

Allocating group tables: done
Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done

`-> [ OK ]
*** Setting up /etc/bastion/luks-config.sh with encrypted block device
`-> [ OK ]
*** Setting up /etc/fstab with encrypted block device
`-> [ OK ]
*** Remounting /home after encryption
`-> [ OK ]
*** Rsyncing back /home contents
sending incremental file list
./
user/
user/.bash_history
             27 100%    0,00kB/s    0:00:00 (xfr#1, to-chk=8/11)
user/.bash_logout
            220 100%  214,84kB/s    0:00:00 (xfr#2, to-chk=7/11)
user/.bashrc
          3.771 100%    3,60MB/s    0:00:00 (xfr#3, to-chk=6/11)
user/.profile
            807 100%  788,09kB/s    0:00:00 (xfr#4, to-chk=5/11)
user/.sudo_as_admin_successful
              0 100%    0,00kB/s    0:00:00 (xfr#5, to-chk=4/11)
user/.cache/
user/.cache/motd.legal-displayed
              0 100%    0,00kB/s    0:00:00 (xfr#6, to-chk=1/11)
user/.ssh/
user/.ssh/authorized_keys
              0 100%    0,00kB/s    0:00:00 (xfr#7, to-chk=0/11)

sent 5.526 bytes  received 336 bytes  11.724,00 bytes/sec
total size is 4.825  speedup is 0,82
`-> [ OK ]
*** Removing /tmphome
`-> [ OK ]
*** Testing whether we can properly unlock /home after boot
Mounting /dev/mapper/ubuntu--vg-homedir as home
Enter passphrase for /dev/mapper/ubuntu--vg-homedir:
Mounting...
Success!
`-> [ OK ] 

Thanks for everything

Kélian

@ksourdrille commented on GitHub (Mar 17, 2023):

Another question @speed47: is it normal that with encryption the connection is not instant? I have to wait ~1m30s for it to connect me.

Video link where I try to connect: https://youtu.be/THCfnwCp3Zg

UPDATE: I installed a new VM with a new bastion install and that works fine, I can connect instantly, all good 👍

Thanks :)

Kélian

Reference
starred/the-bastion#97