Manual Install with encrypted boot

From Void Linux Wiki

Expanding on Install LVM LUKS, but with encrypted /boot

Not meant to be copy&pasted, please think for yourself.

  • Follow the instructions under Install LVM LUKS, but do not put /boot on a separate partition. Instead, keep it inside the root filesystem (which will hence live inside the LUKS container on /dev/sda1).
  • Once you have chrooted into the target system, and before running grub-install, create a LUKS keyfile for the root filesystem:

    # 2048 random bytes as key material, then add it as an extra LUKS key slot
    dd bs=512 count=4 if=/dev/urandom of=/crypto_keyfile.bin
    cryptsetup luksAddKey /dev/sda1 /crypto_keyfile.bin
    # strip all mode bits from the keyfile (root still reads it, as root bypasses
    # mode bits) and keep /boot, which will hold an initramfs containing the
    # keyfile, unreadable to group and others
    chmod 000 /crypto_keyfile.bin
    chmod -R g-rwx,o-rwx /boot
  • Now edit /etc/default/grub to include the following options (the second one makes GRUB itself unlock the LUKS container at boot so it can read the kernel and initramfs from the encrypted /boot):

    GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda1:lvm"
    GRUB_ENABLE_CRYPTODISK=y
Including crypttab so that the password only needs to be entered once:

  • Add an entry to /etc/crypttab (which will be included in the initial ramdisk). It should look something like this:

    # <name>       <device>         <password>              <options>
    crypt-pool      /dev/sda1        /crypto_keyfile.bin     luks
  • Lastly, we also need dracut to include the keyfile in the initial ramdisk. Dracut has an "install_items" option for injecting custom files; set it by creating the configuration file /etc/dracut.conf.d/10-crypt.conf with the following content. Note that the resulting initramfs holds the keyfile in the clear, which is only acceptable because /boot, and therefore the initramfs, sits inside the encrypted root filesystem.

    install_items+="/crypto_keyfile.bin /etc/crypttab"
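
The steps above touch five files, and a single forgotten one (a stray /boot line in fstab, a keyfile left readable, a crypttab device that does not match the cryptdevice= argument) only shows up as a failed or double-prompting boot. The following POSIX sh function is an added example, not part of the wiki page or of Void's tooling: it cross-checks the configuration under a given target root (use / after chrooting). The file names and the /crypto_keyfile.bin path are taken from the page; the checks themselves, the function name and the FAIL messages are this example's own.

```sh
#!/bin/sh
# Added example (not from the Void Linux wiki): consistency check for the
# encrypted-/boot setup described above. Argument: target root ("/" in chroot).
# Returns 0 when every check passes, prints each failing check and returns 1 otherwise.

check_encrypted_boot() {
    root=${1:-}
    root=${root%/}                      # "/" becomes "", so paths stay clean
    keyfile="$root/crypto_keyfile.bin"
    grubdef="$root/etc/default/grub"
    crypttab="$root/etc/crypttab"
    fstab="$root/etc/fstab"
    dracutdir="$root/etc/dracut.conf.d"
    rc=0

    # 1. /boot must live on the encrypted root filesystem, not on its own partition
    if [ -f "$fstab" ] && grep -v '^[[:space:]]*#' "$fstab" |
        awk '$2 == "/boot" { found = 1 } END { exit !found }'; then
        echo "FAIL: $fstab mounts /boot separately; it must be part of the root filesystem"
        rc=1
    fi

    # 2. keyfile must exist and carry no group/other permission bits (page uses chmod 000)
    if [ ! -f "$keyfile" ]; then
        echo "FAIL: $keyfile is missing"; rc=1
    elif [ "$(ls -ld "$keyfile" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $keyfile is readable by group or others; run chmod 000 $keyfile"; rc=1
    fi

    # 3. GRUB must be told to expect an encrypted /boot and which device to unlock
    if ! grep -q '^GRUB_ENABLE_CRYPTODISK=y' "$grubdef" 2>/dev/null; then
        echo "FAIL: GRUB_ENABLE_CRYPTODISK=y not set in $grubdef"; rc=1
    fi
    if ! grep -q '^GRUB_CMDLINE_LINUX=.*cryptdevice=' "$grubdef" 2>/dev/null; then
        echo "FAIL: no cryptdevice= argument in GRUB_CMDLINE_LINUX in $grubdef"; rc=1
    fi

    # 4. crypttab must use the keyfile, and its device must match GRUB's cryptdevice=
    dev=$(awk '!/^[[:space:]]*#/ && $3 ~ /crypto_keyfile\.bin/ { print $2; exit }' \
          "$crypttab" 2>/dev/null)
    if [ -z "$dev" ]; then
        echo "FAIL: no entry in $crypttab uses /crypto_keyfile.bin"; rc=1
    elif ! grep -q "cryptdevice=$dev:" "$grubdef" 2>/dev/null; then
        echo "FAIL: crypttab device $dev does not match the cryptdevice= in $grubdef"; rc=1
    fi

    # 5. dracut must be told to copy both the keyfile and crypttab into the initramfs
    for item in /crypto_keyfile.bin /etc/crypttab; do
        if ! cat "$dracutdir"/*.conf 2>/dev/null | grep '^install_items' | grep -q "$item"; then
            echo "FAIL: no install_items line under $dracutdir includes $item"; rc=1
        fi
    done

    [ "$rc" -eq 0 ] && echo "OK: encrypted-boot configuration under ${root:-/} is consistent"
    return "$rc"
}

# When run as a script with a target root, check it; when sourced, just define the function.
if [ -n "${1:-}" ]; then
    check_encrypted_boot "$1"
fi
```

Run it inside the chroot as `sh check.sh /` before `grub-install`. It only inspects configuration files; after the initramfs has been rebuilt, `lsinitrd | grep crypto_keyfile` (lsinitrd ships with dracut) confirms the keyfile really was packed into it.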

Note: The keyfile creation code and some of the instructions for telling GRUB to decrypt the root filesystem are based on Pavel Kogan's blog, the link to which you can find in the Arch Wiki.

Note 2: The keyfile and its inclusion in the initial ramdisk are only needed to avoid having to type the password twice. In other words, if you don't mind typing the password twice upon boot, all you need is this modification in /etc/default/grub:

GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda1:lvm"
GRUB_ENABLE_CRYPTODISK=y

Note 3: rohlix pointed out that patching lvm_scan.sh is not necessary; instead, /etc/crypttab should be in the initramfs. More info: rohlix.wordpress.com/2016/07/23/voidlinux-full-disk-encryption/