Difference between revisions of "Install LVM LUKS on UEFI GPT"
Revision as of 16:23, 3 January 2016
Expanding on Install LVM LUKS, but with encrypted /boot
Not meant to be copy&pasted, please think for yourself.
Follow the instructions under Install LVM LUKS, but do not put /boot on a separate partition. Include it in the root filesystem instead, so that /boot (kernel, initramfs and grub.cfg) lives inside the LUKS container on /dev/sda1 together with everything else. Only the EFI system partition stays unencrypted; GRUB's cryptodisk support is what lets the EFI binary unlock the container and read /boot from it.
Once you have chrooted into the target system, and before running grub-install, create a LUKS keyfile for the root filesystem and add it as an additional key slot:
dd bs=512 count=4 if=/dev/urandom of=/crypto_keyfile.bin
cryptsetup luksAddKey /dev/sda1 /crypto_keyfile.bin
chmod 000 /crypto_keyfile.bin
chmod -R g-rwx,o-rwx /boot
The keyfile is a cleartext key that unlocks the root filesystem, and it will later be copied into the initramfs under /boot. Its only protection is that /boot itself is inside the encrypted volume and that neither the keyfile nor the initramfs is readable by unprivileged users, which is what the two chmod lines enforce. Between dd and chmod the keyfile is briefly created with the default umask, so run the whole sequence as root on the not-yet-booted target, or set umask 077 first.
Now edit /etc/default/grub to include the following options:
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda1:lvm"
GRUB_CRYPTODISK_ENABLE=y   # This option worked on Void
GRUB_ENABLE_CRYPTODISK=y   # This one worked on Arch. The variable was renamed between GRUB releases, so it is safe to include both.
At the time of writing, the file /usr/lib/dracut/modules.d/90lvm/lvm_scan.sh needed to be patched for this setup to work.
Add an entry to /etc/crypttab (dracut copies this file into the initial ramdisk). It should look something like this:
# <name>    <device>    <password>            <options>
pool-root   /dev/sda1   /crypto_keyfile.bin   luks
Lastly, we also need dracut to include the keyfile in the initial ramdisk. Dracut has an "install_items" option to inject custom files. We can set it by creating a configuration file /etc/dracut.conf.d/10-crypt.conf that adds /crypto_keyfile.bin to install_items, then regenerate the initramfs and run grub-install.
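As an added example, not code from the original page, the following script renders the configuration fragments from the steps above (the /etc/default/grub additions, the /etc/crypttab line and the dracut drop-in) and creates the keyfile, all under a staging directory rather than on the live system, so that they can be inspected before being copied into the chroot. The staging path, the crypttab name pool-root and the use of the page's cryptdevice= form of the kernel command line are assumptions; substitute your own device and, if needed, the rd.luks.uuid= form from Note 3.

```bash
#!/bin/sh
# Added example (not from the original page): stage the LUKS/dracut/GRUB
# configuration for an encrypted /boot into a scratch directory.
# Assumptions: DESTDIR is a scratch root such as /tmp/stage, the crypttab
# mapping is named pool-root, and the LUKS container is /dev/sda1.
set -eu

KEYFILE=/crypto_keyfile.bin   # path inside the target root filesystem
KEYFILE_BYTES=2048            # dd bs=512 count=4, as on the page

# Render the /etc/default/grub additions for LUKS container $1.
render_grub_defaults() {
    cat <<EOF
GRUB_CMDLINE_LINUX="cryptdevice=$1:lvm"
GRUB_CRYPTODISK_ENABLE=y
GRUB_ENABLE_CRYPTODISK=y
EOF
}

# Render the /etc/crypttab line: <name> <device> <password> <options>.
render_crypttab() {
    printf '%s %s %s %s\n' pool-root "$1" "$KEYFILE" luks
}

# Render the dracut drop-in that copies the keyfile into the initramfs.
render_dracut_conf() {
    printf 'install_items+=" %s "\n' "$KEYFILE"
}

# Create the keyfile at $1. umask 077 in a subshell means the file is never
# group- or world-readable, not even between dd and chmod; chmod 000 then
# matches the page (root can still read it regardless of mode bits).
make_keyfile() {
    ( umask 077; dd bs=512 count=4 if=/dev/urandom of="$1" 2>/dev/null )
    chmod 000 "$1"
}

# Stage everything under $1 for LUKS container $2.
# Usage: stage_config /tmp/stage /dev/sda1
stage_config() {
    destdir="$1"; dev="$2"
    mkdir -p "$destdir/etc/default" "$destdir/etc/dracut.conf.d" "$destdir/boot"
    render_grub_defaults "$dev" >> "$destdir/etc/default/grub"
    render_crypttab "$dev"      >> "$destdir/etc/crypttab"
    render_dracut_conf           > "$destdir/etc/dracut.conf.d/10-crypt.conf"
    make_keyfile "$destdir$KEYFILE"
    # /boot sits inside the encrypted root, but the initramfs placed there
    # will contain the keyfile, so it must not be readable by other users.
    chmod -R g-rwx,o-rwx "$destdir/boot"
}

# Return 0 if the staged keyfile $1 has the expected size and mode 000.
# find only stats the file, so this works even when it cannot be read.
check_keyfile() {
    find "$1" -perm 000 -size "${KEYFILE_BYTES}c" | grep -q .
}
```

The rendered fragments are appended rather than written, so an existing /etc/default/grub or /etc/crypttab in the staging tree is preserved; on the real target, append the GRUB lines to the distribution's file instead of replacing it.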
Note: The keyfile creation code and some of the instructions for telling GRUB to decrypt the root filesystem are based on Pavel Kogan's blog, the link to which you can find in the Arch Wiki.
Note 2: The keyfile and its inclusion in the initial ramdisk are only needed to avoid typing the passphrase twice (once for GRUB to unlock /boot, and again for the initramfs to unlock the root filesystem). If you don't mind typing it twice at boot, all you need is this modification in /etc/default/grub:
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda1:lvm"
GRUB_CRYPTODISK_ENABLE=y
GRUB_ENABLE_CRYPTODISK=y
Note 3: If you have trouble booting, check the kernel command line. "cryptdevice=/dev/sda1:lvm" is the parameter understood by Arch's mkinitcpio encrypt hook; dracut ignores it and reads "rd.luks.uuid=" instead. On my system "cryptdevice" had no effect, but "rd.luks.uuid=/dev/sda1 root=<UUID of decrypted device>" worked: just put "rd.luks.uuid" instead of "cryptdevice" and GRUB figures the rest out. Note that dracut's documented form of rd.luks.uuid= takes the UUID of the LUKS container rather than a device node; blkid -s UUID -o value /dev/sda1 prints it.