Difference between revisions of "Install LVM LUKS on UEFI GPT"

From Void Linux Wiki
m (Fix spacing in one line from last edit)
 
(22 intermediate revisions by 9 users not shown)
Line 1: Line 1:
<h1>LVM on LUKS (UEFI+GPT)</h1>
+
This guide describes how to install [[Void Linux]] on a UEFI system with root over encrypted LVM.
  
<p>This guide describes how to install <code>Void Linux</code> on a UEFI system with root over encrypted LVM.</p>
+
==Introduction==
 +
{{Warning|If you do not boot from UEFI mode, the bootloader installation will fail!}}
  
<h2>Introduction</h2>
+
To follow this guide, first you need to boot from a Linux live CD/USB of your choice in UEFI mode.
  
<p>To follow this guide, first you need to boot from a Linux live CD/USB of your choice in UEFI mode.</p>
+
For UEFI boot, the disk needs to be {{ic|GPT}} partitioned and an {{ic|EFI System Partition}} (ESP) must be present. The size of the ESP must be at least {{ic|260M}} or more, type {{ic|EF00}}, and formatted with {{ic|FAT32}}.
  
<p>For UEFI boot, the disk needs to be <code>GPT</code> partitioned and an <code>EFI System Partition</code> (ESP) must be present.
+
This partition will serve as your {{ic|/boot}} filesystem as well as the partition that the UEFI firmware can read to load the bootloader.
The size of the ESP must be at least <code>260M</code> or more, type <code>EF00</code>, and formatted with <code>FAT32</code>.</p>
 
  
<p>This partition will serve as your <code>/boot</code> filesystem as well as the partition that the UEFI firmware can read to load the bootloader.</p>
+
From now on, {{ic|/dev/sda1}} will be the ESP ({{ic|/boot}}) and {{ic|/dev/sda2}} will be the encrypted partition with LVM.
  
<p>From now on, <code>/dev/sda1</code> will be the ESP (<code>/boot</code>) and <code>/dev/sda2</code> will be the encrypted partition with LVM.</p>
+
==Installation==
  
<h2>Installation</h2>
+
===Preparing the disk===
  
<h3>Preparing the installer</h3>
+
The first step is to use {{ic|gdisk}} (or {{ic|cgdisk}}) to create the GPT partitions:
  
<p>Make sure the local install media is up to date before starting.</p>
+
# gdisk /dev/sda
  
<pre># xbps-install -Su
+
{{Note|You can also use {{ic|fdisk}} or {{ic|cfdisk}} (needs {{pkg|util-linux}} 2.25 or newer)}}
</pre>
 
  
<h3>Preparing the disk</h3>
+
===Encrypting the partition===
  
<p>The first step is to use <code>gdisk</code> (or <code>cgdisk</code>) to create the GPT partitions:</p>
+
We will encrypt the entire {{ic|/dev/sda2}} partition and then unlock the container to start setting up LVM:
  
<pre># gdisk /dev/sda
+
# cryptsetup luksFormat /dev/sda2
</pre>
+
# cryptsetup luksOpen /dev/sda2 crypt
  
<blockquote>
+
The decrypted container will be now available at {{ic|/dev/mapper/crypt}}.
<p><strong>Tip</strong>: you can also use <code>fdisk/cfdisk</code> (needs <code>util-linux&gt;=2.25</code>).</p>
 
</blockquote>
 
  
<h3>Encrypting the partition</h3>
+
You can view [https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Encryption_options_with_dm-crypt the dm-crypt documentation on the Arch Wiki] for more settings when using luksFormat.
  
<p>We will encrypt the entire <code>/dev/sda2</code> partition and then unlock the container to start setting up LVM:</p>
+
{{Warning|The default keyboard layout is {{ic|us}}. If you enter the passphrase using a different keymap, you likely won't be able to unlock your crypted volume.}}
  
<pre># cryptsetup luksFormat /dev/sda2
+
===Creating logical volumes===
# cryptsetup luksOpen /dev/sda2 crypt
 
</pre>
 
  
<p>The decrypted container will be now available at <code>/dev/mapper/crypt</code>.</p>
+
First, we will create a physical volume on top of the opened LUKS container and a volume group, named {{ic|void}}. Then, we will setup the logical volumes on the volume group. The partition scheme is defined as follows:
  
<blockquote>
+
<center>
<p><strong>Warning</strong>: the default keyboard layout is <code>us</code>. If you enter the passphrase using a different keymap, you likely won't be able to unlock your crypted volume.</p>
+
{| class="wikitable"
</blockquote>
+
|-
 +
| swap
 +
| 2G (optional)
 +
|-
 +
| /
 +
| 20G
 +
|-
 +
| /home
 +
| the remaining free space
 +
|}
 +
</center>
  
<h3>Creating logical volumes</h3>
+
{{Note|The above partitioning scheme is an example. Please, change it to suit your needs.}}
  
<p>First, we will create a physical volume on top of the opened LUKS container and a volume group, named <code>void</code>. Then, we will setup the logical volumes on the volume group. The partition scheme is defined as follows:</p>
+
# pvcreate /dev/mapper/crypt
 +
# vgcreate void /dev/mapper/crypt
 +
# lvcreate -C y -L 2G -n swap void (optional)
 +
# lvcreate -L 20G -n root void
 +
# lvcreate -l 100%FREE -n home void
  
<ul>
+
===Creating filesystems and mounting the partitions===
<li>
 
<code>swap</code> -- 2G (optional)</li>
 
<li>
 
<code>/</code> -- 20G</li>
 
<li>
 
<code>/home</code> -- the remaining free space</li>
 
</ul>
 
  
<blockquote>
+
The ESP '''must''' be formatted in {{ic|FAT32}}. The root and home partitions are formatted using the {{ic|ext4}} filesystem.
<p><strong>Note</strong>: the above partitioning scheme is an example. Please, change it to suit your needs.</p>
 
</blockquote>
 
  
<pre># pvcreate /dev/mapper/crypt
+
The root partition is mounted on {{ic|/mnt}}, while the ESP is on {{ic|/mnt/boot}}.
# vgcreate void /dev/mapper/crypt
 
# lvcreate -C y -L 2G -n swap void (optional)
 
# lvcreate -L 20G -n root void
 
# lvcreate -l 100%FREE -n home void
 
</pre>
 
  
<h3>Creating filesystems and mounting the partitions</h3>
+
# mkfs.fat -F32 /dev/sda1
 +
# mkfs.ext4 /dev/mapper/void-root
 +
# mkfs.ext4 /dev/mapper/void-home
 +
# mount /dev/mapper/void-root /mnt
 +
# mkdir /mnt/boot
 +
# mount /dev/sda1 /mnt/boot
  
<p>The ESP <strong>must</strong> be formatted in <code>FAT32</code>. The root and home partition are formatted using the <code>ext4</code> filesystem.</p>
+
If you have created a swap partition, then you have to format and activate it:
  
<p>The root partition is mounted on <code>/mnt</code>, while the ESP to <code>/mnt/boot</code>.</p>
+
# mkswap /dev/mapper/void-swap
 +
# swapon /dev/mapper/void-swap
  
<pre># mkfs.fat -F32 /dev/sda1
+
===Install the base system===
# mkfs.ext4 /dev/mapper/void-root
 
# mkfs.ext4 /dev/mapper/void-home
 
# mount /dev/mapper/void-root /mnt
 
# mkdir /mnt/boot
 
# mount /dev/sda1 /mnt/boot
 
</pre>
 
  
<p>If you have created a swap partition, then you have to format and activate it:</p>
+
====If doing this from a Void live CD or any Void system====
  
<pre># mkswap /dev/mapper/void-swap
+
# xbps-install -S --repository=<nowiki>https://alpha.de.repo.voidlinux.org/current</nowiki> -r /mnt base-system lvm2 cryptsetup grub-x86_64-efi
# swapon /dev/mapper/void-swap
 
</pre>
 
  
<h3>Install the base system</h3>
+
You may also wish to install any other packages here that you want to use during installation, like nano, if you'd rather not use vi to edit files.
  
<h5>If doing this from a void live cd or any void system</h5>
+
====From any other Linux====
  
<pre># xbps-install -S --repository=http://repo.voidlinux.eu/current -r /mnt base-system lvm2 cryptsetup grub-x86_64-efi
+
# wget <nowiki>https://alpha.de.repo.voidlinux.org/static/xbps-static-latest.x86_64-musl.tar.xz</nowiki>
</pre>
+
# tar xf xbps-static-latest.x86_64-musl.tar.xz -C /mnt
 +
# /mnt/usr/bin/xbps-install -S --repository=<nowiki>https://alpha.de.repo.voidlinux.org/current</nowiki> -r /mnt base-system lvm2 cryptsetup grub-x86_64-efi
  
<h5>From any other linux</h5>
+
===Chroot into Void===
  
<pre># wget http://repo.voidlinux.eu/static/xbps-static-latest.x86_64-musl.tar.xz
+
Now that the base system is installed, it's time to enter our new Void Linux environment by chrooting into it:
# tar xf xbps-static-latest.x86_64-musl.tar.xz -C /mnt
 
# /mnt/usr/sbin/xbps-install -S --repository=http://repo.voidlinux.eu/current -r /mnt base-system lvm2 cryptsetup grub-x86_64-efi
 
</pre>
 
  
<h3>Chroot into Void</h3>
+
# mkdir /mnt/{dev,proc,sys}
 +
# mount -t proc /proc /mnt/proc
 +
# mount --rbind /dev /mnt/dev
 +
# mount --rbind /sys /mnt/sys
 +
# chroot /mnt /bin/bash
  
<p>Now that the base system is installed, it's time to enter our new Void Linux environment by chrooting into it:</p>
+
===Configure the base system===
  
<pre># mkdir /mnt/{dev,proc,sys}
+
1. Set the root password:
# mount -t proc /proc /mnt/proc
 
# mount --rbind /dev /mnt/dev
 
# mount --rbind /sys /mnt/sys
 
# chroot /mnt /bin/bash
 
</pre>
 
  
<h3>Configure the base system</h3>
+
# passwd root
  
<p>In this step, we will set the root password, edit the mandatory configuration files and install the bootloader (GRUB).</p>
+
2. Make sure files have proper ownership and permissions:
  
<pre># passwd root
+
# chown root:root /
# chown root:root /
+
# chmod 755 /
# chmod 755 /
 
# vi /etc/rc.conf
 
# vi /etc/fstab
 
# echo myhostname &gt; /etc/hostname
 
# grub-mkconfig -o /boot/grub/grub.cfg
 
# grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id="Void Linux [GRUB]" --recheck
 
</pre>
 
  
<blockquote>
+
3. Edit the Void system configuration file:
<p><strong>Warning</strong>: do not forget to uncomment <code>hostonly=yes</code> in <code>/etc/dracut.conf</code> and add <code>rd.auto=1</code> to the kernel cmdline <code>/boot/grub/grub.cfg</code>.</p>
 
</blockquote>
 
  
<h2>Configure glibc locale</h2>
+
# vi /etc/rc.conf
  
<p>Uncomment your preferred locales in /etc/default/libc-locales </p>
+
4. Tell your system where its partitions are:
  
<pre># xbps-reconfigure -f glibc-locales
+
First, get the UUID of your boot partition with the command
</pre>
 
  
<h2>Configure dracut</h2>
+
# lsblk -f
  
<p>Finally, force update of dracut with:</p>
+
Here is an example output of the previous command:
  
<pre># xbps-reconfigure -f linux4.xx
+
NAME                                  FSTYPE      LABEL UUID                                  FSAVAIL FSUSE% MOUNTPOINT
</pre>
+
sda                                                                                                         
 +
├─sda1                                vfat              6EF3-45A2
 +
└─sda2                                crypto_LUKS      01a173cc-f5aa-4e27-92cd-367804916283
 +
  └─luks-01a173cc-f5aa-4e27-92cd-367804916283
 +
                                      LVM2_member      dNp93t-tOSD-EYI3-2Tuc-elLn-XSf3-XcJfl5               
 +
    ├─void-swap                      swap              8521b8ce-5471-408c-9850-f53e74f4481f
 +
    ├─void-root                      ext4              7fb48cd9-2f72-41e4-a841-c66f27c508fc
 +
    └─void-home                      ext4              c7c0ff55-6b8e-4fdd-b05f-ccbae4c54227
  
<h3>Exit chroot, unmount the partitions and reboot</h3>
+
The UUID of your boot partition should be 9 characters long in the format XXXX-XXXX with X being random characters. The boot UUID in this example is "6EF3-45A2". If you're still having difficulty discerning which partition is boot, it's probably the UUID for 'sda1'.
  
<pre># exit
+
Then, edit your /etc/fstab file to look like this:
# umount -R /mnt
 
# reboot
 
</pre>
 
  
<p>If this fails to boot, try the technique described here: [[A Note About GRUB And UEFI|A Note About GRUB And UEFI]]</p>
+
#
 +
# See fstab(5).
 +
#
 +
# <file system>         <dir>  <type>  <options>              <dump>  <pass>
 +
UUID=XXXX-XXXX          /boot   vfat    defaults                0      2
 +
/dev/mapper/void-root  /      ext4    defaults                0      1
 +
/dev/mapper/void-home  /home  ext4    defaults                0      2
 +
/dev/mapper/void-swap  none    swap    defaults                0      1
 +
tmpfs                  /tmp    tmpfs  defaults,nosuid,nodev  0      0
  
<p>Note that we used /boot and not /boot/efi, so you need to drop the ../efi/.. and run</p>
+
Replace XXXX-XXXX with your boot partition's UUID. If you didn't add a swap partition earlier, omit the "/dev/mapper/void-swap" line.
  
<pre>mkdir /boot/EFI/BOOT
+
Note that pretty spacing isn't necessary; the example is just formatted that way for easy readability on this page.
cp -p /boot/EFI/GRUB/grubx64.efi /boot/EFI/BOOT/bootx64.efi
 
</pre>
 
  
<p>Enjoy and welcome to the Void!</p>
+
5. Update hostname:
 +
 
 +
# echo myhostname &gt; /etc/hostname
 +
 
 +
6.Install GRUB:
 +
 
 +
# grub-mkconfig -o /boot/grub/grub.cfg
 +
# grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id="Void Linux [GRUB]" --recheck
 +
 
 +
{{Warning|Add {{ic|1=hostonly=yes}} in {{path|/etc/dracut.conf.d/hostonly.conf}}. Also, in {{path|/etc/default/grub}} you must add {{ic|1=rd.auto=1}} to the line {{ic|1=GRUB_CMDLINE_LINUX_DEFAULT="..."}}.}}
 +
 
 +
==Configure glibc locale==
 +
 
 +
Uncomment your preferred locales in {{path|/etc/default/libc-locales}}.
 +
 
 +
# xbps-reconfigure -f glibc-locales
 +
 
 +
Then, configure dracut and finally force update of dracut with:
 +
 
 +
# xbps-reconfigure -f linuxY.xx
 +
 
 +
Where Y.xx corresponds to your installed kernel version (e.g. linux4.19). You can check which version is installed with the command
 +
 
 +
# xbps-query -s "linux-"
 +
 
 +
===Exit chroot, unmount the partitions and reboot===
 +
 
 +
# exit
 +
# umount -R /mnt
 +
# reboot
 +
 
 +
If this fails to boot, see [[Installation on UEFI, via chroot#If GRUB cannot be found (a note about UEFI)|this note about UEFI]].
 +
 
 +
Note that we used /boot and not /boot/efi, so you need to drop the ../efi/.. and then run:
 +
 
 +
# mkdir /boot/EFI/BOOT
 +
# cp -p /boot/EFI/GRUB/grubx64.efi /boot/EFI/BOOT/bootx64.efi
 +
 
 +
Enjoy, and welcome to the Void!
 +
 
 +
You may now wish to view the [[Post Installation]] page.
  
   
 
 
[[Category:Guides]]
 
[[Category:Guides]]
 
[[Category:Installation]]
 
[[Category:Installation]]
 +
[[Category:Security]]
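
Review bot: In the new step 6, `grub-mkconfig -o /boot/grub/grub.cfg` comes before the warning that tells the reader to add `rd.auto=1` to `GRUB_CMDLINE_LINUX_DEFAULT` in /etc/default/grub, so a reader who follows the lines in order generates grub.cfg before the setting it depends on is in place. Move the warning (together with the hostonly.conf instruction) above the grub-mkconfig line, or say explicitly that grub-mkconfig has to be rerun after the edit. The move of the repository and xbps-static URLs from http to https is worth keeping, since that tarball is unpacked and run as root. In the new fstab example the swap line ends in `0 1`; the last field is the fsck pass and is normally 0 for swap.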

Latest revision as of 04:50, 8 June 2019

This guide describes how to install Void Linux on a UEFI system with root over encrypted LVM.

Introduction

Warning: If you do not boot from UEFI mode, the bootloader installation will fail!

To follow this guide, first you need to boot from a Linux live CD/USB of your choice in UEFI mode.

For UEFI boot, the disk needs to be GPT partitioned and an EFI System Partition (ESP) must be present. The size of the ESP must be at least 260M, type EF00, and formatted with FAT32.

This partition will serve as your /boot filesystem as well as the partition that the UEFI firmware can read to load the bootloader.

From now on, /dev/sda1 will be the ESP (/boot) and /dev/sda2 will be the encrypted partition with LVM.

Installation

Preparing the disk

The first step is to use gdisk (or cgdisk) to create the GPT partitions:

# gdisk /dev/sda

Note: You can also use fdisk or cfdisk (needs util-linux 2.25 or newer).

Encrypting the partition

We will encrypt the entire /dev/sda2 partition and then unlock the container to start setting up LVM:

# cryptsetup luksFormat /dev/sda2 
# cryptsetup luksOpen /dev/sda2 crypt

The decrypted container will now be available at /dev/mapper/crypt.

You can view the dm-crypt documentation on the Arch Wiki for more settings when using luksFormat.

Warning: The default keyboard layout is us. If you enter the passphrase using a different keymap, you likely won't be able to unlock your encrypted volume.

Creating logical volumes

First, we will create a physical volume on top of the opened LUKS container and a volume group, named void. Then, we will set up the logical volumes on the volume group. The partition scheme is defined as follows:

swap    2G (optional)
/       20G
/home   the remaining free space

Note: The above partitioning scheme is an example. Please, change it to suit your needs.

The swap volume is optional; skip its lvcreate line if you do not want swap.

# pvcreate /dev/mapper/crypt
# vgcreate void /dev/mapper/crypt
# lvcreate -C y -L 2G -n swap void
# lvcreate -L 20G -n root void
# lvcreate -l 100%FREE -n home void

Creating filesystems and mounting the partitions

The ESP must be formatted in FAT32. The root and home partitions are formatted using the ext4 filesystem.

The root partition is mounted on /mnt, while the ESP is on /mnt/boot.

# mkfs.fat -F32 /dev/sda1
# mkfs.ext4 /dev/mapper/void-root
# mkfs.ext4 /dev/mapper/void-home
# mount /dev/mapper/void-root /mnt
# mkdir /mnt/boot
# mount /dev/sda1 /mnt/boot

If you have created a swap partition, then you have to format and activate it:

# mkswap /dev/mapper/void-swap
# swapon /dev/mapper/void-swap

Install the base system

If doing this from a Void live CD or any Void system

# xbps-install -S --repository=https://alpha.de.repo.voidlinux.org/current -r /mnt base-system lvm2 cryptsetup grub-x86_64-efi

You may also wish to install any other packages here that you want to use during installation, like nano, if you'd rather not use vi to edit files.

From any other Linux

# wget https://alpha.de.repo.voidlinux.org/static/xbps-static-latest.x86_64-musl.tar.xz
# tar xf xbps-static-latest.x86_64-musl.tar.xz -C /mnt
# /mnt/usr/bin/xbps-install -S --repository=https://alpha.de.repo.voidlinux.org/current -r /mnt base-system lvm2 cryptsetup grub-x86_64-efi

Chroot into Void

Now that the base system is installed, it's time to enter our new Void Linux environment by chrooting into it:

# mkdir /mnt/{dev,proc,sys}
# mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --rbind /sys /mnt/sys
# chroot /mnt /bin/bash

Configure the base system

1. Set the root password:

# passwd root

2. Make sure files have proper ownership and permissions:

# chown root:root /
# chmod 755 /

3. Edit the Void system configuration file:

# vi /etc/rc.conf

4. Tell your system where its partitions are:

First, get the UUID of your boot partition with the command:

# lsblk -f

Here is an example output of the previous command:

NAME                                  FSTYPE      LABEL UUID                                   FSAVAIL FSUSE% MOUNTPOINT
sda                                                                                                           
├─sda1                                vfat              6EF3-45A2
└─sda2                                crypto_LUKS       01a173cc-f5aa-4e27-92cd-367804916283 
  └─luks-01a173cc-f5aa-4e27-92cd-367804916283
                                      LVM2_member       dNp93t-tOSD-EYI3-2Tuc-elLn-XSf3-XcJfl5                
    ├─void-swap                       swap              8521b8ce-5471-408c-9850-f53e74f4481f
    ├─void-root                       ext4              7fb48cd9-2f72-41e4-a841-c66f27c508fc
    └─void-home                       ext4              c7c0ff55-6b8e-4fdd-b05f-ccbae4c54227

The UUID of your boot partition should be 9 characters long in the format XXXX-XXXX with X being random characters. The boot UUID in this example is "6EF3-45A2". If you're still having difficulty discerning which partition is boot, it's probably the UUID for 'sda1'.

Then, edit your /etc/fstab file to look like this:

#
# See fstab(5).
#
# <file system>         <dir>   <type>  <options>               <dump>  <pass>
UUID=XXXX-XXXX          /boot   vfat    defaults                0       2
/dev/mapper/void-root   /       ext4    defaults                0       1
/dev/mapper/void-home   /home   ext4    defaults                0       2
/dev/mapper/void-swap   none    swap    defaults                0       0
tmpfs                   /tmp    tmpfs   defaults,nosuid,nodev   0       0

Replace XXXX-XXXX with your boot partition's UUID. If you didn't add a swap partition earlier, omit the "/dev/mapper/void-swap" line.

Note that pretty spacing isn't necessary; the example is just formatted that way for easy readability on this page.

5. Update hostname:

# echo myhostname > /etc/hostname

6. Install GRUB:

# grub-mkconfig -o /boot/grub/grub.cfg
# grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id="Void Linux [GRUB]" --recheck
Warning: Add hostonly=yes in /etc/dracut.conf.d/hostonly.conf. Also, in /etc/default/grub you must add rd.auto=1 to the line GRUB_CMDLINE_LINUX_DEFAULT="...".

Configure glibc locale

Uncomment your preferred locales in /etc/default/libc-locales.

# xbps-reconfigure -f glibc-locales

Then configure dracut, and finally force a dracut update with:

# xbps-reconfigure -f linuxY.xx

Where Y.xx corresponds to your installed kernel version (e.g. linux4.19). You can check which version is installed with the command:

# xbps-query -s "linux-"
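
A pre-reboot check for the configuration steps above, as an added example that is not part of the original wiki page: it verifies that rd.auto=1 is in /etc/default/grub and in the generated grub.cfg, that hostonly=yes is set for dracut, and that fstab carries a real ESP UUID. The function names are this example's own; the file paths are the ones this guide uses.

```sh
#!/bin/sh
# Added example: pre-reboot checks for the configuration steps of this guide.
# ROOT is "/" inside the chroot or "/mnt" from the live system.

# /etc/default/grub: rd.auto=1 must be in GRUB_CMDLINE_LINUX_DEFAULT.
grub_default_ok() {
    grep -Eq '^GRUB_CMDLINE_LINUX_DEFAULT=(.*[^[:alnum:]])?rd\.auto=1([^[:alnum:]]|$)' \
        "$1/etc/default/grub"
}

# /boot/grub/grub.cfg: every "linux" line must carry rd.auto=1. This fails when
# grub-mkconfig ran before /etc/default/grub was edited; rerun it in that case.
grub_cfg_ok() {
    awk '$1 == "linux" { n++; ok = 0
             for (i = 2; i <= NF; i++) if ($i == "rd.auto=1") ok = 1
             if (!ok) bad++ }
         END { exit !(n > 0 && bad == 0) }' "$1/boot/grub/grub.cfg"
}

# dracut: hostonly=yes in /etc/dracut.conf.d/hostonly.conf.
hostonly_ok() {
    grep -Eq '^[[:space:]]*hostonly="?yes"?[[:space:]]*$' \
        "$1/etc/dracut.conf.d/hostonly.conf"
}

# Print the UUID fstab uses for /boot (empty if there is no /boot entry).
fstab_boot_uuid() {
    awk '$1 !~ /^#/ && $2 == "/boot" { sub(/^UUID=/, "", $1); print $1; exit }' \
        "$1/etc/fstab"
}

# fstab: /boot must use a real FAT volume ID (not the XXXX-XXXX placeholder)
# and, when ESP_UUID is given, the one lsblk -f reported for the ESP.
fstab_ok() {
    uuid=$(fstab_boot_uuid "$1") || return 1
    printf '%s\n' "$uuid" | grep -Eq '^[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}$' || return 1
    [ -z "$2" ] || [ "$uuid" = "$2" ]
}

# Run all checks; the return status is the number of failed checks.
# Usage: check_install ROOT [ESP_UUID]
check_install() {
    root=${1:-/} esp_uuid=${2:-} fails=0
    for check in grub_default_ok grub_cfg_ok hostonly_ok fstab_ok; do
        if "$check" "$root" "$esp_uuid" 2>/dev/null; then
            echo "ok    $check"
        else
            echo "FAIL  $check"; fails=$((fails + 1))
        fi
    done
    return "$fails"
}
```

Source the file inside the chroot and call check_install / followed by the ESP UUID from lsblk -f; a FAIL on grub_cfg_ok means grub-mkconfig has to be run again.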

Exit chroot, unmount the partitions and reboot

# exit
# umount -R /mnt
# reboot

If this fails to boot, see this note about UEFI.

Note that this guide mounts the ESP at /boot and not /boot/efi, so you need to drop the efi component from the paths given in that note and then run:

# mkdir /boot/EFI/BOOT
# cp -p /boot/EFI/GRUB/grubx64.efi /boot/EFI/BOOT/bootx64.efi

Enjoy, and welcome to the Void!

You may now wish to view the Post Installation page.