Full Disk Encryption w/Encrypted Boot
For MBR Based Systems
Boot the live CD as normal and login.
Your drive's block device and other information may be different, so keep an eye out.
Create a single physical partition on the disk using `cfdisk`, marking it bootable. When done, `fdisk` output should look like this:
```
# fdisk -l /dev/sda
Disk /dev/sda: 48 GiB, 51539607552 bytes, 100663296 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x4d532059

Device     Boot Start       End   Sectors Size Id Type
/dev/sda1  *     2048 100663295 100661248  48G 83 Linux
```
Configure the encrypted volume. Be sure to choose a strong password, and don't forget it!
```
# cryptsetup luksFormat --type luks1 /dev/sda1

WARNING!
========
This will overwrite data on /dev/sda1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
```
Once the volume is created, it needs to be opened. You can replace `voidvm` with any name you want.
```
# cryptsetup luksOpen /dev/sda1 voidvm
Enter passphrase for /dev/sda1:
```
Once the LUKS container is opened, create the LVM volume group using that partition.
```
# vgcreate voidvm /dev/mapper/voidvm
  Volume group "voidvm" successfully created
```
You should now have an empty volume group named `voidvm`. Other instructions I've seen use different names for the encrypted volume and the volume group, but in my experience I haven't seen any issues.
For this system, I chose 10G for `/`, 2G for `swap`, and will assign the rest to `/home`. You can choose whatever values work for your system.
```
# lvcreate --name root -L 10G voidvm
  Logical volume "root" created.
# lvcreate --name swap -L 2G voidvm
  Logical volume "swap" created.
# lvcreate --name home -l 100%FREE voidvm
  Logical volume "home" created.
```
Next, create the filesystems.
```
# mkfs.xfs -L root /dev/voidvm/root
meta-data=/dev/voidvm/root       isize=512    agcount=4, agsize=655360 blks
...
# mkfs.xfs -L home /dev/voidvm/home
meta-data=/dev/voidvm/home       isize=512    agcount=4, agsize=2359040 blks
...
# mkswap /dev/voidvm/swap
Setting up swapspace version 1, size = 2 GiB (2147479552 bytes)
```
Now we can set up the chroot and get the base system installed.
```
# mount /dev/voidvm/root /mnt
# for dir in dev proc sys run; do
>     mkdir -p /mnt/$dir
>     mount --rbind /$dir /mnt/$dir
> done
# mkdir -p /mnt/home
# mount /dev/voidvm/home /mnt/home
```
Before we enter the chroot to finish up configuration, we do the actual install.
```
# xbps-install -Sy -R http://alpha.de.repo.voidlinux.org/current -r /mnt base-system lvm2 cryptsetup grub
[*] Updating `http://alpha.de.repo.voidlinux.org/current/x86_64-repodata' ...
x86_64-repodata: 1516KB [avg rate: 83KB/s]
`http://alpha.de.repo.voidlinux.org/current' repository has been RSA signed by "Void Linux"
Fingerprint: 60:ae:0c:d6:f0:95:17:80:bc:93:46:7a:89:af:a3:2d
Do you want to import this public key? [Y/n] y

123 packages will be downloaded:
...
```
This part may take a while.
When it's done, we can enter the `chroot` and finish up the configuration.
```
# chroot /mnt
# chown root:root /
# chmod 755 /
# passwd root
# echo voidvm > /etc/hostname
# echo "LANG=en_US.UTF-8" > /etc/locale.conf
# echo "en_US.UTF-8 UTF-8" >> /etc/default/libc-locales
# xbps-reconfigure -f glibc-locales
```
The next step is editing `/etc/fstab`, which will depend on how you configured and named your filesystems. For this example, the file should look like this:
```
# <file system>   <dir>  <type>  <options>              <dump>  <pass>
tmpfs             /tmp   tmpfs   defaults,nosuid,nodev  0       0
/dev/voidvm/root  /      xfs     defaults               0       0
/dev/voidvm/home  /home  xfs     defaults               0       0
/dev/voidvm/swap  swap   swap    defaults               0       0
```
Next, we need to configure `grub` to be able to unlock the filesystem.
```
# cat >> /etc/default/grub <<END
> GRUB_ENABLE_CRYPTODISK=y
> END
```
In the same file, we need to tell the kernel where the crypto device is. First, find the UUID of the device.
```
# lsblk -f
NAME              FSTYPE      LABEL UUID                                   MOUNTPOINT
sda
└─sda1            crypto_LUKS       135f3c06-26a0-437f-a05e-287b036440a4
  └─voidvm        LVM2_member       gjOBNB-SXiK-qcGn-uHxp-ZdBZ-14wd-4FIL7p
    ├─voidvm-root xfs         root  b4e4aa35-e819-42a4-bbfc-cdcd74f1df8a   /
    ├─voidvm-swap swap              1f8e9ca3-65bc-45b8-b7d0-6300587dfcf8   [SWAP]
    └─voidvm-home xfs         home  b6cedb19-d8f6-4629-8519-cd2e7279ec2c   /home
sr0
```
Edit the `GRUB_CMDLINE_LINUX_DEFAULT=` line in `/etc/default/grub` to tell the system to automatically configure any dm-raid/dm-crypt devices. Make sure the UUID matches the one shown for the `crypto_LUKS` device in the `lsblk` output above.
```
# sed -i '/GRUB_CMDLINE_LINUX_DEFAULT=/s/"$/ rd.auto=1 cryptdevice=UUID=135f3c06-26a0-437f-a05e-287b036440a4:lvm&/' /etc/default/grub
```
GRUB unlocks the volume with the passphrase, and the initramfs would then ask for it a second time. To avoid entering the password twice on boot, we'll configure a key file that lives on the encrypted root (inside `/boot`) and is protected so that only root can read it.
```
# dd bs=512 count=4 if=/dev/urandom of=/boot/volume.key
4+0 records in
4+0 records out
2048 bytes (2.0 kB, 2.0 KiB) copied, 0.000421265 s, 4.9 MB/s
# cryptsetup luksAddKey /dev/sda1 /boot/volume.key
Enter any existing passphrase:
# chmod 000 /boot/volume.key
# chmod -R g-rwx,o-rwx /boot
```
This keyfile will need to be added to the `crypttab`.
```
# cat >> /etc/crypttab <<END
> voidvm /dev/sda1 /boot/volume.key luks
> END
```
And then the keyfile and `crypttab` need to be included in the initramfs.
```
# cat >> /etc/dracut.conf.d/10-crypt.conf <<END
> install_items+=" /boot/volume.key /etc/crypttab "
> END
```
Now we can finish up the last few stages of installation.
```
# grub-install /dev/sda
# xbps-reconfigure -f linux4.17
# ^D
# reboot
```
The system should prompt for a password at the grub prompt, like so:
After that it boots like a normal system. From here on, you can finish configuring your system: user creation, environment installation, and so on.
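Before rebooting, it is worth confirming that the pieces set up above agree with each other, since a UUID typo in `/etc/default/grub` or a key file left readable by non-root users is only noticed on the first boot or much later. The script below is an added example, not part of the original guide: it checks the files and paths this guide creates (`/etc/default/grub`, `/boot/volume.key`, `/etc/crypttab`, `/etc/dracut.conf.d/10-crypt.conf`) relative to a root directory, so it can be run as `sh check-encrypted-boot.sh / <uuid>` inside the chroot or with `/mnt` from the live CD. The function name is mine, and it assumes GNU `stat`.

```shell
# check_encrypted_boot ROOT LUKS_UUID
# Verifies the configuration this guide produces, relative to ROOT (/ inside the
# chroot or on the installed system, /mnt from the live CD). Prints each failing
# check and returns 1 if any failed, 0 otherwise. Assumes GNU coreutils stat.
check_encrypted_boot() {
    root=${1%/}
    uuid=$2
    rc=0
    fail() { echo "FAIL: $*" >&2; rc=1; }
    grubcfg="$root/etc/default/grub"
    grep -qx 'GRUB_ENABLE_CRYPTODISK=y' "$grubcfg" 2>/dev/null ||
        fail "GRUB_ENABLE_CRYPTODISK=y missing in $grubcfg"
    # Extract the quoted GRUB_CMDLINE_LINUX_DEFAULT value and look for the two
    # options the guide's sed command inserts, with the UUID we were given.
    cmdline=$(sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$grubcfg" 2>/dev/null)
    case " $cmdline " in *" rd.auto=1 "*) ;;
        *) fail "rd.auto=1 missing from GRUB_CMDLINE_LINUX_DEFAULT" ;; esac
    case " $cmdline " in *" cryptdevice=UUID=$uuid:lvm "*) ;;
        *) fail "cryptdevice=UUID=$uuid:lvm missing or UUID does not match" ;; esac
    # The key file unlocks the disk without a passphrase, so nothing but root may
    # read it: chmod 000 shows up as "0", and no group/other bits may be set.
    keyfile="$root/boot/volume.key"
    if [ -f "$keyfile" ]; then
        case $(stat -c %a "$keyfile") in 0|*00) ;;
            *) fail "$keyfile is readable by group or others" ;; esac
    else
        fail "$keyfile does not exist"
    fi
    if [ -d "$root/boot" ]; then
        case $(stat -c %a "$root/boot") in *00) ;;
            *) fail "$root/boot is accessible by group or others" ;; esac
    else
        fail "$root/boot does not exist"
    fi
    grep -q "^voidvm .*/boot/volume.key .*luks" "$root/etc/crypttab" 2>/dev/null ||
        fail "crypttab lacks the voidvm entry using /boot/volume.key"
    grep -q '^install_items+=".*/boot/volume.key.*/etc/crypttab' \
        "$root/etc/dracut.conf.d/10-crypt.conf" 2>/dev/null ||
        fail "dracut install_items does not ship the key file and crypttab"
    return $rc
}

# Stand-alone use: sh check-encrypted-boot.sh / 135f3c06-26a0-437f-a05e-287b036440a4
if [ $# -ge 2 ]; then
    check_encrypted_boot "$@"
fi
```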
For EFI/UEFI
Only a few changes are necessary.
1. The disk should have a separate "EFI System" partition, formatted as vfat and mounted at `/boot/efi`, alongside the Linux partition:
```
# fdisk -l /dev/sda
Disk /dev/sda: 48 GiB, 51539607552 bytes, 100663296 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: EE4F2A1A-8E7F-48CA-B3D0-BD7A01F6D8A0

Device      Start       End   Sectors  Size Type
/dev/sda1    2048    264191    262144  128M EFI System
/dev/sda2  264192 100663262 100399071 47.9G Linux filesystem
```
2. After mounting `/dev/voidvm/root` at `/mnt`, format `/dev/sda1` as vfat and mount it at `/mnt/boot/efi`:
```
# mkdir -p /mnt/boot/efi
# mkfs.vfat /dev/sda1
# mount /dev/sda1 /mnt/boot/efi
```
3. The install command should pull in the EFI build of grub instead of the MBR one:
```
# xbps-install -Sy -R http://alpha.de.repo.voidlinux.org/current -r /mnt base-system cryptsetup grub-x86_64-efi lvm2
```
4. Don't forget the fstab entry for `/boot/efi`:
```
/dev/sda1  /boot/efi  vfat  defaults  0  0
```
5. Everywhere the MBR instructions refer to `sda1` as the cryptdevice, use `sda2` instead.