Manual Install with encrypted boot
Expanding on Install LVM LUKS, but with encrypted /boot
Not meant to be copy&pasted, please think for yourself.
- Follow the instructions under Install LVM LUKS but do not put /boot on a separate partition. Instead, include it in the root filesystem (which will hence be on /dev/sda1). GRUB's cryptomount can only open LUKS1 containers (recent GRUB releases also open LUKS2, but only with PBKDF2 key derivation, not Argon2), so if your cryptsetup defaults to LUKS2, format the container with cryptsetup luksFormat --type luks1.
Once you have chrooted into the target system, and before running grub-install, create a LUKS keyfile for the root file system and enroll it in a spare key slot. The keyfile will be copied into the initial ramdisk, which lives in /boot; that is acceptable only because /boot sits on the encrypted root, so also make /boot unreadable to anyone but root:
dd bs=512 count=4 if=/dev/urandom of=/crypto_keyfile.bin
cryptsetup luksAddKey /dev/sda1 /crypto_keyfile.bin
chmod 000 /crypto_keyfile.bin
chmod -R g-rwx,o-rwx /boot
Now edit /etc/default/grub to include the following options (the second one makes grub-install build a GRUB image that can unlock the LUKS container before it reads /boot):
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda1:lvm"
GRUB_ENABLE_CRYPTODISK=y
Add an entry to /etc/crypttab (which will be included into the initial ramdisk). It should look something like this:
# <name> <device> <password> <options>
crypt-pool /dev/sda1 /crypto_keyfile.bin luks
Lastly, we also need dracut to include the keyfile into the initial ramdisk. Dracut has an "install_items" option to inject custom files. We can set it by creating a configuration file /etc/dracut.conf.d/10-crypt.conf with the following content:
install_items+="/crypto_keyfile.bin /etc/crypttab"
/etc/crypttab is included alongside the keyfile so that the initramfs unlocks the container with the keyfile and the passphrase only needs to be entered once, by GRUB.
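The steps above, carried out by a script, as an added example that is not code from the original page. It stages the keyfile and the three configuration files into a target root and then checks the result before grub-install is run. It keeps the page's assumptions (container on /dev/sda1, mapping name crypt-pool); the ROOT, CRYPT_DEV and CRYPT_NAME variables, the function names and the GNU userland (sed -i, stat -c, find -perm /) are this example's own. Invoked as "sh script.sh stage" with ROOT=/ it also runs cryptsetup luksAddKey on the real device; with ROOT=/some/dir it only stages files so you can inspect them first.

```shell
#!/bin/sh
# Added example, not part of the original page: stages the encrypted-/boot
# files into a target root and checks them before grub-install.
# Assumptions (change to match your layout): LUKS container on /dev/sda1,
# crypttab mapping name crypt-pool, GNU userland (sed -i, stat -c, find -perm /).
set -eu

CRYPT_DEV="${CRYPT_DEV:-/dev/sda1}"
CRYPT_NAME="${CRYPT_NAME:-crypt-pool}"
KEYFILE="/crypto_keyfile.bin"

# Set KEY=VALUE in a config file: replace an existing KEY= line, else append,
# so settings already present in /etc/default/grub survive.
set_kv() {
    file="$1" key="$2" value="$3"
    touch "$file"
    if grep -q "^$key=" "$file"; then
        sed -i "s|^$key=.*|$key=$value|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# 2048 random bytes, mode 000 (root bypasses the mode; nobody else can read it).
make_keyfile() {
    root="${1%/}"
    dd bs=512 count=4 if=/dev/urandom of="$root$KEYFILE" 2>/dev/null
    chmod 000 "$root$KEYFILE"
}

# Enroll the keyfile in a spare LUKS key slot. Interactive (asks for an existing
# passphrase) and only meaningful on the real device, so not part of stage_config.
enroll_keyfile() {
    cryptsetup luksAddKey "$CRYPT_DEV" "${1%/}$KEYFILE"
}

# Keyfile, /etc/default/grub, /etc/crypttab and the dracut drop-in, as on the page.
stage_config() {
    root="${1%/}"
    mkdir -p "$root/etc/default" "$root/etc/dracut.conf.d" "$root/boot"
    make_keyfile "$root"
    set_kv "$root/etc/default/grub" GRUB_CMDLINE_LINUX "\"cryptdevice=$CRYPT_DEV:lvm\""
    set_kv "$root/etc/default/grub" GRUB_ENABLE_CRYPTODISK y
    printf '# <name> <device> <password> <options>\n%s %s %s luks\n' \
        "$CRYPT_NAME" "$CRYPT_DEV" "$KEYFILE" > "$root/etc/crypttab"
    printf 'install_items+="%s /etc/crypttab"\n' "$KEYFILE" \
        > "$root/etc/dracut.conf.d/10-crypt.conf"
    # The initramfs in /boot will carry the keyfile: keep /boot root-only.
    chmod -R g-rwx,o-rwx "$root/boot"
}

# Verify every piece is in place; prints what is wrong and returns non-zero.
check_config() {
    root="${1%/}" rc=0
    [ "$(stat -c %a "$root$KEYFILE")" = 0 ] || { echo "keyfile mode is not 000"; rc=1; }
    [ "$(stat -c %s "$root$KEYFILE")" -ge 2048 ] || { echo "keyfile shorter than 2048 bytes"; rc=1; }
    grep -q '^GRUB_ENABLE_CRYPTODISK=y$' "$root/etc/default/grub" \
        || { echo "GRUB_ENABLE_CRYPTODISK=y missing"; rc=1; }
    grep -q "^GRUB_CMDLINE_LINUX=.*cryptdevice=$CRYPT_DEV:" "$root/etc/default/grub" \
        || { echo "cryptdevice= missing from GRUB_CMDLINE_LINUX"; rc=1; }
    grep -q "^$CRYPT_NAME $CRYPT_DEV $KEYFILE luks$" "$root/etc/crypttab" \
        || { echo "crypttab entry missing"; rc=1; }
    grep -q "^install_items+=\".*$KEYFILE.*/etc/crypttab" "$root/etc/dracut.conf.d/10-crypt.conf" \
        || { echo "dracut install_items missing keyfile or crypttab"; rc=1; }
    if find "$root/boot" -perm /077 | grep -q .; then
        echo "/boot has group/other permissions"; rc=1
    fi
    return $rc
}

case "${1:-}" in
    stage) stage_config "${ROOT:-/}" && enroll_keyfile "${ROOT:-/}" ;;
    check) check_config "${ROOT:-/}" ;;
esac
```

The check deliberately fails on a keyfile that is readable by anyone other than root or on a /boot that has group/other permissions, because with the keyfile inside the initramfs those two permission bits are what keeps a local unprivileged user from copying the key out.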
Note: The keyfile creation code and some of the instructions to tell grub to decrypt the root filesystem are based on instructions from Pavel Kogan's Blog the link to which you can find in the Arch Wiki.
Note 2: The keyfile and its inclusion in the initial ramdisk are only needed to avoid having to type the passphrase twice (once for GRUB, once for the initramfs). In other words, if you don't mind typing the passphrase twice upon boot, all you need is this modification in /etc/default/grub:
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda1:lvm"
GRUB_ENABLE_CRYPTODISK=y
Note 3: rohlix pointed out that a patch on lvm_scan.sh is not necessary. Instead, /etc/crypttab should be in initramfs. More info: rohlix.wordpress.com/2016/07/23/voidlinux-full-disk-encryption/