Difference between revisions of "Install LVM LUKS on UEFI GPT"

From Void Linux Wiki

Revision as of 12:25, 3 November 2015

Expanding on Install LVM LUKS, but with encrypted /boot

Not meant to be copy&pasted, please think for yourself.

  • Follow the instructions under Install LVM LUKS, but do not put /boot on a separate partition. Instead, include it in the root filesystem (which will therefore be on /dev/sda1).
  • Once you have chrooted into the target system, and before running grub-install, create a LUKS keyfile for the root file system.

    # 2048 random bytes serve as the key; the file will live inside the root filesystem
    dd bs=512 count=4 if=/dev/urandom of=/crypto_keyfile.bin
    # enrol the keyfile as an additional key slot next to the passphrase
    cryptsetup luksAddKey /dev/sda1 /crypto_keyfile.bin
    # nobody but root (via CAP_DAC_OVERRIDE) may read the keyfile
    chmod 000 /crypto_keyfile.bin
    # the initramfs in /boot will carry a copy of the keyfile, so /boot must not be readable by others
    chmod -R g-rwx,o-rwx /boot
  • Now edit /etc/default/grub to include the following options:

    GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda1:lvm"
    GRUB_CRYPTODISK_ENABLE=y  # This option worked on void
    GRUB_ENABLE_CRYPTODISK=y  # This one worked on Arch. It is safe to include both just in case
  • At the time of writing, the file /usr/lib/dracut/modules.d/90lvm/lvm_scan.sh needed to be patched for this setup to work.
  • Add an entry to /etc/crypttab (which will be included in the initial ramdisk). It should look something like this:

    # <name>       <device>         <password>              <options>
    pool-root      /dev/sda1        /crypto_keyfile.bin     luks
  • Lastly, we also need dracut to include the keyfile in the initial ramdisk. Dracut has an "install_items" option to inject custom files. We can set it by creating a configuration file /etc/dracut.conf.d/10-crypt.conf with the following content:

    install_items+="/crypto_keyfile.bin"
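Before leaving the chroot it is worth verifying that the files edited above say what the guide expects and that the keyfile and /boot are not readable by unprivileged users. The following POSIX sh checks are an added example, not part of the wiki page; they take file paths as parameters so they can be pointed at the real files or at test copies.

```shell
#!/bin/sh
# Sanity checks for the encrypted-/boot setup: each function returns 0 when
# the given file matches what the guide expects and 1 otherwise.

# /etc/default/grub must pass cryptdevice=<device>:<name> to the kernel and
# enable the GRUB cryptodisk module (either spelling, as the guide uses both).
check_grub_defaults() {
    f="$1"
    grep -q '^GRUB_CMDLINE_LINUX=.*cryptdevice=[^:"]*:[^"]*' "$f" || return 1
    grep -Eq '^GRUB_(ENABLE_CRYPTODISK|CRYPTODISK_ENABLE)=y' "$f" || return 1
    return 0
}

# /etc/crypttab needs a non-comment entry whose <password> column is the
# keyfile and whose <options> column contains "luks".
check_crypttab() {
    f="$1"; keyfile="$2"
    awk -v key="$keyfile" '
        /^[[:space:]]*#/ || NF == 0 { next }
        NF >= 4 && $3 == key && $4 ~ /(^|,)luks(,|$)/ { found = 1 }
        END { exit found ? 0 : 1 }' "$f"
}

# The dracut drop-in must request that the keyfile be copied into the initramfs.
check_dracut_conf() {
    grep -Eq '^install_items\+="[^"]*/crypto_keyfile\.bin[^"]*"' "$1"
}

# The keyfile, and /boot (where the initramfs carrying a copy of it lives),
# must grant no permissions to group or others; otherwise any local user
# could copy the key that unlocks the root volume.
check_private() {
    for p in "$@"; do
        mode=$(ls -ld "$p" | cut -c5-10)   # group and other permission bits
        [ "$mode" = "------" ] || return 1
    done
    return 0
}
```

From inside the chroot, run for instance `check_private /crypto_keyfile.bin /boot && check_crypttab /etc/crypttab /crypto_keyfile.bin` and treat a non-zero exit as a reason to go back over the corresponding step.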

Note: The keyfile creation commands and some of the instructions for telling GRUB to decrypt the root filesystem are based on Pavel Kogan's blog, a link to which can be found in the Arch Wiki.

Note 2: The keyfile and its inclusion in the initial ramdisk are only needed to avoid having to type the passphrase twice (once for GRUB, once for the initramfs). In other words, if you don't mind typing the passphrase twice at boot, all you need is this modification in /etc/default/grub:

GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda1:lvm"
GRUB_CRYPTODISK_ENABLE=y
GRUB_ENABLE_CRYPTODISK=y