Warning: THE VOID WIKI IS DEPRECATED. It is no longer being maintained, contains outdated and incorrect information, and will eventually be shut down. Please refer to the Void Handbook, https://docs.voidlinux.org/, for the official documentation. If you can't find the information you're seeking, please raise an issue at https://github.com/void-linux/void-docs/issues

Difference between revisions of "Install LVM LUKS"

From Void Linux Wiki
Line 1: Line 1:
=== Expanding on [[Install LVM LUKS|Install LVM LUKS]], but with encrypted /boot ===
+
<h3>Rough notes on a manual installation, with unencrypted /boot and encrypted / on LVM</h3>
 
+
<p>Not meant to be copy&amp;pasted, please think for yourself.</p>
Not meant to be copy&amp;pasted, please think for yourself.
 
 
 
 
<ul>
 
<ul>
<li>Follow the instructions under [[Install LVM LUKS|Install LVM LUKS]] but do not put /boot on a separate partition. Instead, include it in the root filesystem (which will hence be on /dev/sda1</li>
+
<li>boot the Void Linux live CD</li>
<li><p>Once you have chrooted into the target system, and before running grub-install, create an luks keyfile for the root file system.</p>
+
<li>cfdisk /dev/sda
<pre>dd bs=512 count=4 if=/dev/urandom of=/crypto_keyfile.bin
+
<ul>
cryptsetup luksAddKey /dev/sda1 /crypto_keyfile.bin
+
<li>create two partitions:
chmod 000 /crypto_keyfile.bin
+
<ul>
chmod -R g-rwx,o-rwx /boot</pre></li>
+
<li>/dev/sda1 of size 1G to mount as <code>/boot</code></li>
<li><p>Now edit /etc/default/grub to include the following options:</p>
+
<li>/dev/sda2 of all remaining free space to mount as <code>/</code></li>
<pre>GRUB_CMDLINE_LINUX=&quot;cryptdevice=/dev/sda1:lvm&quot;
+
</ul>
GRUB_CRYPTODISK_ENABLE=y  # This option worked on void
+
</li>
GRUB_ENABLE_CRYPTODISK=y  # This one worked on Arch. It is safe to include both just in case</pre></li>
+
</ul>
<li>At the time of writing the file /usr/lib/dracut/modules.d/90lvm/lvm_scan.sh needed to [https://github.com/haraldh/dracut/compare/master...dracut-mailing-devs:87zj3ot089.fsf%40gmail.com patched] for this setup to work.</li>
+
</li>
<li><p>Add an entry to /etc/crypttab (which will be included into the initial ramdisk.) It should look something like this:</p>
+
<li>mkfs.ext2 -L boot /dev/sda1</li>
<pre># &lt;name&gt;       &lt;device&gt;         &lt;password&gt;             &lt;options&gt;
+
<li>cryptsetup luksFormat /dev/sda2</li>
pool-root      /dev/sda1        /crypto_keyfile.bin    luks</pre></li>
+
<li>cryptsetup luksOpen /dev/sda2 crypt-pool</li>
<li><p>Lastly, we also need dracut to include the keyfile into the initial ramdisk. Dracut has an &quot;install_items&quot; option to inject custom files. We can set it by creating a configuration file /etc/dracut.conf.d/10-crypt.conf with the following content:</p>
+
<li>vgcreate pool /dev/mapper/crypt-pool</li>
<pre>install_items+=&quot;/crypto_keyfile.bin&quot;</pre></li></ul>
+
<li>lvcreate --name root -L 20G pool</li>
 
+
<li>mkfs.ext4 -L root /dev/mapper/pool-root</li>
Note: The keyfile creation code and some of the instructions to tell grub to decrypt the root filesystem are based on instructions from Pavel Kogan's Blog the link to which you can find in the Arch Wiki.
+
<li>mount /dev/mapper/pool-root /mnt</li>
 
+
<li>mkdir /mnt/{boot,dev,proc,sys}</li>
Note 2: The keyfile and its inclusion in the initial ramdisk is only needed to avoid having to type the password twice. In other words, if you don't mind typing the password twice upon boot, all you need is this modification in /etc/default/grub:
+
<li>mount /dev/sda1 /mnt/boot</li>
 
+
<li>mount --rbind /dev /mnt/dev</li>
<pre>GRUB_CMDLINE_LINUX=&quot;cryptdevice=/dev/sda1:lvm&quot;
+
<li>mount --rbind /proc /mnt/proc</li>
GRUB_CRYPTODISK_ENABLE=y
+
<li>mount --rbind /sys /mnt/sys</li>
GRUB_ENABLE_CRYPTODISK=y</pre>
+
<li>xbps-install -S -R http://repo.voidlinux.eu/current -r /mnt base-system lvm2 cryptsetup grub</li>
 
+
<li>chroot /mnt /bin/bash</li>
[[Category:Guides]]
+
<li>passwd root</li>
[[Category:Installation]]
+
<li>chown root:root /</li>
 +
<li>chmod 755 /</li>
 +
<li>vi /etc/rc.conf</li>
 +
<li>echo void-crypt &gt;/etc/hostname</li>
 +
<li>vi /etc/fstab</li>
 +
<li>grub-install /dev/sda</li>
 +
<li>echo "LANG=en_US.UTF-8" &gt; /etc/locale.conf</li>
 +
<li>echo "en_US.UTF-8 UTF-8" &gt;> /etc/default/libc-locales</li>
 +
<li>xbps-reconfigure -f glibc-locales</li>
 +
<li>echo hostonly=yes &gt; /etc/dracut.conf.d/hostonly</li>
 +
<li>add <code>rd.auto=1</code> to GRUB<em>CMDLINE</em>LINUX_DEFAULT variable in /etc/default/grub</li>
 +
<li>if you want to use a different keyboard layout (e.g. dvorak) to enter your LUKS passphrase, add <code>rd.vconsole.keymap=dvorak</code> to GRUB<em>CMDLINE</em>LINUX_DEFAULT variable in /etc/default/grub</li>
 +
<li>force update of dracut and grub: xbps-reconfigure -f linux4.1</li>
 +
<li>^D</li>
 +
<li>reboot</li>
 +
</ul>
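Review bot: the two added list items that edit /etc/default/grub spell the variable as GRUB<em>CMDLINE</em>LINUX_DEFAULT, so the underscores were consumed as emphasis markup and the page renders GRUBCMDLINELINUX_DEFAULT, which is not the variable the rd.auto=1 and rd.vconsole.keymap options have to go into. Wrap the name in <code>, as is already done for rd.auto=1, so it reads GRUB_CMDLINE_LINUX_DEFAULT. The same conversion left the append redirection in the libc-locales item half-escaped (&gt;>). Also note that this revision replaces the encrypted-/boot notes (keyfile, /etc/crypttab entry, GRUB_CRYPTODISK_ENABLE) wholesale instead of sitting beside them; if that material is still wanted it needs its own page.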

Revision as of 12:20, 21 December 2015

Rough notes on a manual installation, with unencrypted /boot and encrypted / on LVM

Not meant to be copy&pasted, please think for yourself.

  • boot the Void Linux live CD
  • cfdisk /dev/sda
    • create two partitions:
      • /dev/sda1 of size 1G to mount as /boot
      • /dev/sda2 of all remaining free space to mount as /
  • mkfs.ext2 -L boot /dev/sda1
  • cryptsetup luksFormat /dev/sda2
  • cryptsetup luksOpen /dev/sda2 crypt-pool
  • vgcreate pool /dev/mapper/crypt-pool
  • lvcreate --name root -L 20G pool
  • mkfs.ext4 -L root /dev/mapper/pool-root
  • mount /dev/mapper/pool-root /mnt
  • mkdir /mnt/{boot,dev,proc,sys}
  • mount /dev/sda1 /mnt/boot
  • mount --rbind /dev /mnt/dev
  • mount --rbind /proc /mnt/proc
  • mount --rbind /sys /mnt/sys
  • xbps-install -S -R http://repo.voidlinux.eu/current -r /mnt base-system lvm2 cryptsetup grub
  • chroot /mnt /bin/bash
  • passwd root
  • chown root:root /
  • chmod 755 /
  • vi /etc/rc.conf
  • echo void-crypt >/etc/hostname
  • vi /etc/fstab
  • grub-install /dev/sda
  • echo "LANG=en_US.UTF-8" > /etc/locale.conf
  • echo "en_US.UTF-8 UTF-8" >> /etc/default/libc-locales
  • xbps-reconfigure -f glibc-locales
  • echo hostonly=yes > /etc/dracut.conf.d/hostonly
  • add rd.auto=1 to the GRUB_CMDLINE_LINUX_DEFAULT variable in /etc/default/grub
  • if you want to use a different keyboard layout (e.g. dvorak) to enter your LUKS passphrase, add rd.vconsole.keymap=dvorak to the GRUB_CMDLINE_LINUX_DEFAULT variable in /etc/default/grub
  • force update of dracut and grub: xbps-reconfigure -f linux4.1
  • ^D
  • reboot
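
A pre-reboot check for the rd.auto=1 step above, as an added example that is not part of the original notes: it confirms the option is set under the correctly spelled variable and that it reached the regenerated grub.cfg. The function names are hypothetical and both file paths are supplied by the caller.

```shell
#!/bin/sh
# Added example: pre-reboot check that the rd.auto=1 step took effect.
# Function names are hypothetical; file paths are passed in by the caller.
# Usage inside the chroot:
#   check_boot_config /etc/default/grub /boot/grub/grub.cfg

# Print GRUB_CMDLINE_LINUX_DEFAULT as set in a grub defaults file.
# The file is shell syntax (grub-mkconfig sources it), so source it in a
# subshell; pass a path containing a slash so "." does not search PATH.
grub_default_cmdline() {
    (
        unset GRUB_CMDLINE_LINUX_DEFAULT
        . "$1" >/dev/null 2>&1 || exit 1
        printf '%s\n' "$GRUB_CMDLINE_LINUX_DEFAULT"
    )
}

# Succeed if the space-separated command line $1 contains the exact word $2.
cmdline_has() {
    case " $1 " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# Count kernel lines in a generated grub.cfg that carry the word $2.
# Recovery entries only receive GRUB_CMDLINE_LINUX, so not every line will.
grub_cfg_count() {
    [ -r "$1" ] || { echo 0; return 0; }
    awk -v want="$2" '
        $1 ~ /^linux(16|efi)?$/ {
            for (i = 2; i <= NF; i++) if ($i == want) { n++; break }
        }
        END { print n + 0 }' "$1"
}

# check_boot_config GRUB_DEFAULTS GRUB_CFG: print problems, return their count.
check_boot_config() {
    problems=0
    cmdline=$(grub_default_cmdline "$1") || cmdline=""
    if ! cmdline_has "$cmdline" "rd.auto=1"; then
        echo "$1: rd.auto=1 not in GRUB_CMDLINE_LINUX_DEFAULT"
        problems=$((problems + 1))
    fi
    if [ "$(grub_cfg_count "$2" "rd.auto=1")" -eq 0 ]; then
        echo "$2: no kernel line carries rd.auto=1; regenerate grub.cfg"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```

A non-zero return means the initramfs would not be told to auto-assemble the LUKS/LVM stack, so fix the reported file and rerun the xbps-reconfigure step before rebooting.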