Difference between revisions of "Install LVM LUKS on UEFI GPT"

From Void Linux Wiki
Previous revision:

=== Expanding on [[Install LVM LUKS|Install LVM LUKS]], but with encrypted /boot ===

Not meant to be copy&amp;pasted, please think for yourself.

<ul>
<li>Follow the instructions under [[Install LVM LUKS|Install LVM LUKS]] but do not put /boot on a separate partition. Instead, include it in the root filesystem (which will hence be on /dev/sda1).</li>
<li><p>Once you have chrooted into the target system, and before running grub-install, create a LUKS keyfile for the root file system.</p>
<pre>dd bs=512 count=4 if=/dev/urandom of=/crypto_keyfile.bin
cryptsetup luksAddKey /dev/sda1 /crypto_keyfile.bin
chmod 000 /crypto_keyfile.bin
chmod -R g-rwx,o-rwx /boot</pre></li>
<li><p>Now edit /etc/default/grub to include the following options:</p>
<pre>GRUB_CMDLINE_LINUX=&quot;cryptdevice=/dev/sda1:lvm&quot;
GRUB_CRYPTODISK_ENABLE=y  # This option worked on void
GRUB_ENABLE_CRYPTODISK=y  # This one worked on Arch. It is safe to include both just in case</pre></li>
<li>At the time of writing the file /usr/lib/dracut/modules.d/90lvm/lvm_scan.sh needed to be [https://github.com/haraldh/dracut/compare/master...dracut-mailing-devs:87zj3ot089.fsf%40gmail.com patched] for this setup to work.</li>
<li><p>Add an entry to /etc/crypttab (which will be included in the initial ramdisk). It should look something like this:</p>
<pre># &lt;name&gt;      &lt;device&gt;        &lt;password&gt;              &lt;options&gt;
pool-root      /dev/sda1        /crypto_keyfile.bin     luks</pre></li>
<li><p>Lastly, we also need dracut to include the keyfile in the initial ramdisk. Dracut has an &quot;install_items&quot; option to inject custom files. We can set it by creating a configuration file /etc/dracut.conf.d/10-crypt.conf with the following content:</p>
<pre>install_items+=&quot;/crypto_keyfile.bin&quot;</pre></li>
</ul>

Note: The keyfile creation code and some of the instructions to tell GRUB to decrypt the root filesystem are based on instructions from Pavel Kogan's blog, the link to which you can find in the Arch Wiki.

Note 2: The keyfile and its inclusion in the initial ramdisk are only needed to avoid having to type the password twice. In other words, if you don't mind typing the password twice upon boot, all you need is this modification in /etc/default/grub:

<pre>GRUB_CMDLINE_LINUX=&quot;cryptdevice=/dev/sda1:lvm&quot;
GRUB_CRYPTODISK_ENABLE=y
GRUB_ENABLE_CRYPTODISK=y</pre>

Note 3: In case you're having trouble booting, in my system &quot;cryptdevice=/dev/sda1:lvm&quot; was not a recognized option (had no effect), but &quot;rd.luks.uuid=/dev/sda1 root=<UUID of '''decrypted''' device>&quot; worked. Just put &quot;rd.luks.uuid&quot; instead of &quot;cryptdevice&quot; and grub figures the rest out.
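The keyfile steps above put the unlock secret inside the initramfs, so the setup is only as safe as the permissions on the keyfile and on /boot (which in this revision lives on the encrypted root). The script below is an added example, not from the wiki page: it stages the keyfile, the crypttab entry and the dracut drop-in into a target root (ROOT, defaulting to a scratch directory so it can be tried without touching a real system), creates the keyfile under a restrictive umask so it is never group/world readable even between dd and chmod, and then verifies the layout. The function names are this example's own; the cryptsetup luksAddKey step is left to the operator because it needs the real LUKS device.

```shell
#!/bin/sh
# Added example (not from the wiki page): stage the keyfile, the crypttab
# entry and the dracut drop-in from the steps above into a target root and
# verify the permissions the setup depends on. ROOT defaults to a scratch
# directory so the script can be exercised without touching a real system.
# Function names are this example's own. The `cryptsetup luksAddKey` step is
# left to the operator since it needs the real LUKS device.
set -eu

# Create the 2048-byte keyfile under umask 077 so it is never group/world
# readable, not even in the window between dd finishing and chmod running.
stage_keyfile() {
    root=$1
    (umask 077 && dd bs=512 count=4 if=/dev/urandom of="$root/crypto_keyfile.bin" 2>/dev/null)
    chmod 000 "$root/crypto_keyfile.bin"
}

# Write the crypttab line and the dracut drop-in that pulls the keyfile into
# the initramfs. NAME is the mapping name, DEV the LUKS device (the guide
# uses pool-root and /dev/sda1).
stage_initramfs_config() {
    root=$1 name=$2 dev=$3
    mkdir -p "$root/etc/dracut.conf.d"
    printf '# <name>\t<device>\t<password>\t<options>\n%s\t%s\t/crypto_keyfile.bin\tluks\n' \
        "$name" "$dev" > "$root/etc/crypttab"
    printf 'install_items+="/crypto_keyfile.bin"\n' > "$root/etc/dracut.conf.d/10-crypt.conf"
}

# The initramfs under /boot will contain the key, so /boot must not be
# readable by group or others (the guide's chmod -R g-rwx,o-rwx /boot).
lock_boot() {
    root=$1
    mkdir -p "$root/boot"
    chmod -R g-rwx,o-rwx "$root/boot"
}

# Return 0 when the staged layout is sound; print the first problem otherwise.
verify_stage() {
    root=$1
    kf="$root/crypto_keyfile.bin"
    [ -f "$kf" ] || { echo "missing $kf"; return 1; }
    # ls -ln works without read permission on the file itself
    size=$(ls -ln "$kf" | awk '{print $5}')
    [ "$size" -eq 2048 ] || { echo "keyfile is $size bytes, expected 2048"; return 1; }
    mode=$(ls -ln "$kf" | cut -c2-10)
    [ "$mode" = "---------" ] || { echo "keyfile mode is $mode, expected 000"; return 1; }
    bmode=$(ls -ldn "$root/boot" | cut -c5-10)
    [ "$bmode" = "------" ] || { echo "/boot is group/other accessible ($bmode)"; return 1; }
    grep -q '^[^#].*[[:space:]]/crypto_keyfile.bin[[:space:]]' "$root/etc/crypttab" \
        || { echo "crypttab does not reference the keyfile"; return 1; }
    grep -q '^install_items+="/crypto_keyfile.bin"' "$root/etc/dracut.conf.d/10-crypt.conf" \
        || { echo "dracut drop-in does not install the keyfile"; return 1; }
    return 0
}

# Stand-alone run against a scratch root (set ROOT=/ inside the chroot for real).
ROOT=${ROOT:-$(mktemp -d)}
stage_keyfile "$ROOT"
stage_initramfs_config "$ROOT" pool-root /dev/sda1
lock_boot "$ROOT"
verify_stage "$ROOT" && echo "staged and verified under $ROOT"
```

On a real install, run it with ROOT=/ from inside the chroot, add the key to the LUKS header with luksAddKey, and regenerate the initramfs; dracut's lsinitrd can then list the image to confirm the keyfile was included.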
[[Category:Guides]]

[[Category:Installation]]

Revision as of 15:11, 13 April 2016

LVM on LUKS (UEFI+GPT)

This guide describes how to install Void Linux on a UEFI system with root over encrypted LVM.

Introduction

To follow this guide, first you need to boot from a Linux live CD/USB of your choice in UEFI mode.

For UEFI boot, the disk needs to be GPT partitioned and an EFI System Partition (ESP) must be present. The ESP must be at least 260M in size, of type EF00, and formatted with FAT32.

This partition will serve as your /boot filesystem as well as the partition that the UEFI firmware can read to load the bootloader.

From now on, /dev/sda1 will be the ESP (/boot) and /dev/sda2 will be the encrypted partition with LVM.

Installation

Preparing the installer

Make sure the local install media is up to date before starting.

# xbps-install -Su

Preparing the disk

The first step is to use gdisk (or cgdisk) to create the GPT partitions:

# gdisk /dev/sda

Tip: you can also use fdisk/cfdisk (needs util-linux>=2.25).
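Before going further it is worth confirming that the partition you just created actually meets the ESP requirements listed in the introduction. The script below is an added example, not from the wiki page: it checks size, GPT type and filesystem from the output of `lsblk -rbno NAME,SIZE,PARTTYPE,FSTYPE`. The SAMPLE listing is constructed, and the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the wiki page: check that a partition satisfies
# the ESP requirements stated above (GPT type EF00, at least 260M, FAT) from
# the output of `lsblk -rbno NAME,SIZE,PARTTYPE,FSTYPE`. SAMPLE is a
# constructed lsblk listing; on a real machine pipe lsblk into check_esp.
# Function and variable names are this example's own.
set -eu

# GPT partition type GUID that gdisk displays as code EF00.
ESP_GUID=c12a7328-f81f-11d2-ba4b-00a0c93ec93b
MIN_ESP_BYTES=$((260 * 1024 * 1024))

# Constructed lsblk -rbno NAME,SIZE,PARTTYPE,FSTYPE output: a 512M FAT ESP
# and a LUKS partition filling the rest of a 256G disk.
SAMPLE='sda 256060514304
sda1 536870912 c12a7328-f81f-11d2-ba4b-00a0c93ec93b vfat
sda2 255522095104 0fc63daf-8483-4772-8e79-3d69d8477de4 crypto_LUKS'

# check_esp NAME < lsblk-output: prints every unmet requirement and returns
# the number of failures, so 0 means NAME can serve as the UEFI /boot.
check_esp() {
    awk -v want="$1" -v guid="$ESP_GUID" -v min="$MIN_ESP_BYTES" '
        BEGIN { found = 0; bad = 0 }
        $1 == want {
            found = 1
            if ($2 + 0 < min)        { print want ": " $2 " bytes is below 260M"; bad++ }
            if (tolower($3) != guid) { print want ": partition type " $3 " is not EF00"; bad++ }
            if ($4 != "vfat")        { print want ": filesystem \"" $4 "\" is not FAT"; bad++ }
        }
        END {
            if (!found) { print want ": not present in lsblk output"; bad++ }
            exit bad
        }'
}

# Stand-alone run over the constructed listing.
if printf '%s\n' "$SAMPLE" | check_esp sda1; then
    echo "sda1 meets the ESP requirements"
fi
```

lsblk reports any FAT variant as vfat; to confirm it is specifically FAT32, look at the VERSION field of a low-level probe (`blkid -p -o value -s VERSION /dev/sda1`).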

Encrypting the partition

We will encrypt the entire /dev/sda2 partition and then unlock the container to start setting up LVM:

# cryptsetup luksFormat /dev/sda2
# cryptsetup luksOpen /dev/sda2 crypt

The decrypted container will be now available at /dev/mapper/crypt.

Warning: the default keyboard layout is us. If you enter the passphrase using a different keymap, you likely won't be able to unlock your encrypted volume.

Creating logical volumes

First, we will create a physical volume on top of the opened LUKS container and a volume group named void. Then we will set up the logical volumes on the volume group. The partition scheme is defined as follows:

  • swap -- 2G (optional)
  • / -- 20G
  • /home -- the remaining free space

Note: the above partitioning scheme is an example. Please, change it to suit your needs.

# pvcreate /dev/mapper/crypt
# vgcreate void /dev/mapper/crypt
# lvcreate -C y -L 2G -n swap void   # optional
# lvcreate -L 20G -n root void
# lvcreate -l 100%FREE -n home void

Creating filesystems and mounting the partitions

The ESP must be formatted in FAT32. The root and home partition are formatted using the ext4 filesystem.

The root partition is mounted on /mnt and the ESP on /mnt/boot.

# mkfs.fat -F32 /dev/sda1
# mkfs.ext4 /dev/mapper/void-root
# mkfs.ext4 /dev/mapper/void-home
# mount /dev/mapper/void-root /mnt
# mkdir /mnt/boot
# mount /dev/sda1 /mnt/boot

If you have created a swap partition, then you have to format and activate it:

# mkswap /dev/mapper/void-swap
# swapon /dev/mapper/void-swap

Install the base system

If doing this from a void live cd or any void system

# xbps-install -S --repository=http://repo.voidlinux.eu/current -r /mnt base-system lvm2 cryptsetup grub-x86_64-efi

From any other linux

# wget http://repo.voidlinux.eu/static/xbps-static-latest.x86_64-musl.tar.xz
# tar xf xbps-static-latest.x86_64-musl.tar.xz -C /mnt
# /mnt/usr/sbin/xbps-install -S --repository=http://repo.voidlinux.eu/current -r /mnt base-system lvm2 cryptsetup grub-x86_64-efi

Chroot into Void

Now that the base system is installed, it's time to enter our new Void Linux environment by chrooting into it:

# mkdir /mnt/{dev,proc,sys}
# mount -t proc /proc /mnt/proc
# mount --rbind /dev /mnt/dev
# mount --rbind /sys /mnt/sys
# chroot /mnt /bin/bash

Configure the base system

In this step, we will set the root password, edit the mandatory configuration files and install the bootloader (GRUB).

# passwd root
# chown root:root /
# chmod 755 /
# vi /etc/rc.conf
# vi /etc/fstab
# echo myhostname > /etc/hostname
# grub-mkconfig -o /boot/grub/grub.cfg
# grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id="Void Linux [GRUB]" --recheck

Warning: do not forget to uncomment hostonly=yes in /etc/dracut.conf and add rd.auto=1 to the kernel cmdline /boot/grub/grub.cfg.
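The warning above and Note 3 of the previous revision describe the same failure mode: dracut not assembling the LUKS/LVM stack at boot, leaving the kernel without a root filesystem. The script below is an added example, not from the wiki page, that lints the three settings involved: rd.auto=1 on the kernel line of grub.cfg, an uncommented hostonly=yes in dracut.conf, and which unlock parameter the kernel line carries. cryptdevice= is the syntax of Arch's mkinitcpio encrypt hook, which is why Note 3 saw it ignored; dracut reads rd.luks.uuid= instead. The sample files are constructed and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the wiki page: lint the boot settings the guide
# warns about. It checks a grub.cfg for rd.auto=1 on the kernel line, a
# dracut.conf for an uncommented hostonly=yes, and classifies which
# root-unlock parameter the kernel line carries (cryptdevice= is the Arch
# mkinitcpio syntax; dracut expects rd.luks.uuid=). Sample files below are
# constructed, including the kernel version; function names are this
# example's own.
set -eu

# 0 if at least one "linux"/"linuxefi" line exists and every one carries rd.auto=1.
grubcfg_has_rd_auto() {
    awk '/^[[:space:]]*linux(efi)?[[:space:]]/ {
             n++
             if ($0 !~ /(^|[[:space:]])rd\.auto=1([[:space:]]|$)/) bad++
         }
         END { exit (n == 0 || bad > 0) }' "$1"
}

# 0 if hostonly=yes (quoted or not) is set on a non-comment line.
dracut_hostonly_enabled() {
    grep -Eq '^[[:space:]]*hostonly[[:space:]]*=[[:space:]]*"?yes"?' "$1"
}

# Print which unlock parameter a kernel command line uses:
# cryptdevice, rd.luks.uuid, both or none.
unlock_param_kind() {
    case " $1 " in
        *" cryptdevice="*" rd.luks.uuid="*|*" rd.luks.uuid="*" cryptdevice="*) echo both ;;
        *" cryptdevice="*)  echo cryptdevice ;;
        *" rd.luks.uuid="*) echo rd.luks.uuid ;;
        *)                  echo none ;;
    esac
}

# lint_boot_config GRUB_CFG DRACUT_CONF: print each problem, return their count.
lint_boot_config() {
    n=0
    grubcfg_has_rd_auto "$1" \
        || { echo "$1: kernel line lacks rd.auto=1 (dracut will not auto-assemble LUKS/LVM)"; n=$((n + 1)); }
    dracut_hostonly_enabled "$2" \
        || { echo "$2: hostonly=yes is missing or commented out"; n=$((n + 1)); }
    # Strip "linux <kernel image>" from the first kernel line to get the cmdline.
    cmdline=$(sed -n 's/^[[:space:]]*linux\(efi\)\{0,1\}[[:space:]]\{1,\}[^[:space:]]\{1,\}[[:space:]]*//p' "$1" | head -n 1)
    kind=$(unlock_param_kind "$cmdline")
    [ "$kind" = cryptdevice ] \
        && { echo "$1: cryptdevice= is an Arch mkinitcpio parameter; dracut reads rd.luks.uuid="; n=$((n + 1)); }
    return $n
}

# Stand-alone run over constructed good and bad configurations.
T=$(mktemp -d)
printf 'menuentry "Void Linux" {\n\tlinux /vmlinuz-4.5.0_1 root=/dev/mapper/void-root ro rd.auto=1\n\tinitrd /initramfs-4.5.0_1.img\n}\n' > "$T/good.cfg"
printf 'hostonly="yes"\n' > "$T/good.conf"
printf 'menuentry "Void Linux" {\n\tlinux /vmlinuz-4.5.0_1 cryptdevice=/dev/sda1:lvm root=/dev/mapper/void-root ro\n}\n' > "$T/bad.cfg"
printf '#hostonly="yes"\n' > "$T/bad.conf"
lint_boot_config "$T/good.cfg" "$T/good.conf" && echo "good config: no problems"
lint_boot_config "$T/bad.cfg" "$T/bad.conf" || echo "bad config: $? problem(s)"
```

On the installed system the real inputs are /boot/grub/grub.cfg and /etc/dracut.conf; run the lint after grub-mkconfig and before rebooting, since a missing rd.auto=1 only shows up as a dropped-to-emergency-shell boot.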

Configure glibc locale

Uncomment your preferred locales in /etc/default/libc-locales, then generate them:

# xbps-reconfigure -f glibc-locales

Configure dracut

Finally, force dracut to regenerate the initramfs by reconfiguring the installed kernel package (replace 4.xx with the installed version):

# xbps-reconfigure -f linux4.xx

Exit chroot, unmount the partitions and reboot

# exit
# umount -R /mnt
# reboot

If this fails to boot, try the technique described here: A Note About GRUB And UEFI

Note that we used /boot and not /boot/efi as the EFI directory, so drop the efi/ path component from the commands given there and run:

mkdir /boot/EFI/BOOT
cp -p /boot/EFI/GRUB/grubx64.efi /boot/EFI/BOOT/bootx64.efi

Enjoy and welcome to the Void!