Difference between revisions of "Rootfs over encrypted lvm"

From Funtoo
(Create logical volumes)
 
(90 intermediate revisions by 4 users not shown)
Line 1: Line 1:
This howto describes how to setup LVM and rootfs with cryptoLUKS-encrypted drive  
+
This howto describes how to setup LVM and rootfs with cryptoLUKS-encrypted drive. It is not meant to be a standalone installation guide, rather, it is meant to be read alongside the [[Funtoo Linux Installation]] Guide.
  
= Prepare the hard drive and partitions =
+
== Prepare the hard drive and partitions ==
 
This is an example partition scheme, you may want to choose differently.
 
This is an example partition scheme, you may want to choose differently.
 
<code>/dev/sda1</code> used as <code>/boot</code>. <code>/dev/sda2</code> will be encrypted drive with LVM.
 
<code>/dev/sda1</code> used as <code>/boot</code>. <code>/dev/sda2</code> will be encrypted drive with LVM.
 +
* <code>/dev/sda1</code> -- <code>/boot</code> partition.
 +
* <code>/dev/sda2</code> -- BIOS boot partition (not needed for MBR - only needed if you are using GPT) This step required for GRUB2. For more info, see: [http://www.funtoo.org/Funtoo_Linux_Installation#Prepare_Hard_Disk] for more information on GPT and MBR.
 +
* <code>/dev/sda3</code> -- <code>/</code> partition, will be the drive with LUKS and LVM.
  
<pre>/dev/sda1  
+
With UEFI:
/dev/sda2
+
* <code>/dev/sda1</code> -- <tt>/boot</tt>
dd if=/dev/zero of=/dev/sda2 bs=100M
+
* <code>/dev/sda2</code> -- <tt>/</tt> partition
dd if=/dev/urandom of=/dev/sda2 bs=100M</pre>  
+
dd part is optional, only for security reason by overwriting the lingering data on the device with random data. It takes around 6 hours to complete for a 200GB drive.
+
  
Note that you will get a message about reaching the end of the device. That's intentional and desired in this case so that this command works without knowing the size of your device.
+
=== Wipe the hard drive ===
 +
<console>
 +
# ##i##gdisk /dev/sda
  
= Encrypting the drive =
+
Command: ##i##x ↵
 +
Expert command: ##i##z ↵
 +
About to wipe out GPT on /dev/sda. Proceed?: ##i##y ↵
 +
GPT data structures destroyed! You may now partition the disk using fdisk or other utilities.
 +
Blank out MBR?: ##i##y ↵
 +
</console>
 +
{{Fancywarning|This action will destroy all data on the disk.}}
  
 +
== Encrypting the drive ==
 +
Read more about different cipher options here: [http://blog.wpkg.org/2009/04/23/cipher-benchmark-for-dm-crypt-luks/]
 
<console>
 
<console>
##r### ##b##cryptsetup -c aes-xts-plain64 luksFormat /dev/sda2
+
# ##i##cryptsetup --cipher aes-xts-plain64 luksFormat /dev/sda3
##r### ##b##cryptsetup luksOpen /dev/sda2 dmcrypt_root
+
# ##i##cryptsetup luksOpen /dev/sda3 dmcrypt_root
 
</console>
 
</console>
  
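Review bot: the introductory sentence kept at the top of this hunk still says /dev/sda2 will be the encrypted drive with LVM, while the new bullet list makes /dev/sda2 the BIOS boot partition and puts LUKS on /dev/sda3; update it to name /dev/sda3 so a reader does not luksFormat the wrong partition. Dropping the `dd if=/dev/urandom of=/dev/sda2` pass also removes the only step that overwrote lingering plaintext on the device; the gdisk `x`/`z` expert wipe destroys the partition tables, not old data, so keep the remark that a random overwrite is optional but worthwhile before luksFormat.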
Line 24: Line 35:
 
= Create logical volumes =
 
= Create logical volumes =
 
<console>
 
<console>
##r## ##b##pvcreate /dev/mapper/dmcrypt_root
+
# ##i##pvcreate /dev/mapper/dmcrypt_root
##r## ##b##vgcreate vg /dev/mapper/dmcrypt_root
+
# ##i##vgcreate vg /dev/mapper/dmcrypt_root
##r## ##b##lvcreate -L10G --name root vg           
+
# ##i##lvcreate -L10G --name root vg           
##r## ##b##lvcreate -L2G --name swap vg
+
# ##i##lvcreate -L2G --name swap vg
##r## ##b##lvcreate -L5G --name portage vg
+
# ##i##lvcreate -L5G --name portage vg
##r## ##b##lvcreate -l 100%FREE -nhome vg
+
# ##i##lvcreate -l 100%FREE -nhome vg
 
</console>
 
</console>
 
Feel free to specify your desired size by altering the numbers after the -L flag. For example, to make your portage dataset 20GB's, use the flag -L20G instead of -L5G.
 
Feel free to specify your desired size by altering the numbers after the -L flag. For example, to make your portage dataset 20GB's, use the flag -L20G instead of -L5G.
  
 
= Create a filesystem on volumes =
 
= Create a filesystem on volumes =
<pre>mkfs.ext2 /dev/sda1
+
<console>
mkswap /dev/mapper/vg-swap
+
# ##i##mkfs.ext2 /dev/sda1
mkfs.ext4 /dev/mapper/vg-root
+
# ##i##mkswap /dev/mapper/vg-swap
mkreiserfs /dev/mapper/vg-portage
+
# ##i##mkfs.ext4 /dev/mapper/vg-root
mkfs.xfs /dev/mapper/vg-home</pre>
+
# ##i##mkfs.ext4 /dev/mapper/vg-portage
 +
# ##i##mkfs.ext4 /dev/mapper/vg-home
 +
</console>
  
 
= Basic system setup =
 
= Basic system setup =
<pre>swapon /dev/mapper/vg-swap
+
<console>
mount /dev/mapper/vg-root /mnt/funtoo
+
# ##i##swapon /dev/mapper/vg-swap
mkdir /mnt/funtoo/boot
+
# ##i##mkdir /mnt/funtoo
mount /dev/sda1 /mnt/funtoo/boot</pre>
+
# ##i##mount /dev/mapper/vg-root /mnt/funtoo
 +
# ##i##mkdir -p /mnt/funtoo/{boot,usr/portage,home}
 +
# ##i##mount /dev/sda1 /mnt/funtoo/boot
 +
# ##i##mount /dev/mapper/vg-portage /mnt/funtoo/usr/portage
 +
# ##i##mount /dev/mapper/vg-home /mnt/funtoo/home
 +
</console>
 
Now perform all the steps required for basic system install, please follow [http://docs.funtoo.org/wiki/Funtoo_Linux_Installation]
 
Now perform all the steps required for basic system install, please follow [http://docs.funtoo.org/wiki/Funtoo_Linux_Installation]
don't forget to emerge next packages:
+
don't forget to emerge the following before your install is finished:
  
<pre># emerge cryptsetup lvm2 grub foo-sources</pre>
+
* '''cryptsetup'''
 +
* '''lvm2'''
 +
* '''a bootloader (grub recommended)'''
 +
* '''kernel sources '''
  
Re-emerge sys-apps/busybox and sys-fs/cryptsetup with the "static" USE flag
+
= Editing the fstab =
 +
Fire up your favorite text editor to edit <code>/etc/fstab</code>. You want to put the following in the file:
  
= Kernel options =
 
Important, do not miss this part.
 
Under General setup --->
 
<pre>[*] Initial RAM filesystem and RAM disk (initramfs/initrd) support</pre>
 
  
Under Device Drivers --->  
+
<pre>
<pre>Generic Driver Options --->
+
# <fs>                  <mountpoint<type>    <opts>                          <dump/pass>
   [*] Maintain a devtmpfs filesystem to mount at /dev
+
/dev/sda1              /boot        ext2      noauto,noatime                  1 2
[*] Multiple devices driver support  --->
+
/dev/mapper/vg-swap    none          swap      sw                              0 0
   <*>Device Mapper Support
+
/dev/mapper/vg-root    /            ext4      noatime,nodiratime,defaults    0 1
  <*> Crypt target support
+
/dev/sr0                /mnt/cdrom   auto      noauto,ro                      0 0
 +
/dev/mapper/vg-portage  /usr/portage  ext4      noatime,nodiratime              0 0
 +
/dev/mapper/vg-home    /home        ext4      noatime,nodiratime              0 0
 
</pre>
 
</pre>
  
Under Cryptographic API --->
+
== Kernel options ==
<pre>-*-AES cipher algorithms
+
{{fancynote| This part is particularly important: pay close attention. }}<br>
 
+
{{kernelop
<*> XTS support (EXPERIMENTAL)</pre>
+
|title=
 
+
|desc=
 +
General setup --->
 +
      [*] Initial RAM filesystem and RAM disk (initramfs/initrd) support
 +
}}
 +
{{kernelop
 +
|title=
 +
|desc=
 +
Device Drivers --->
 +
      Generic Driver Options --->
 +
      [*] Maintain a devtmpfs filesystem to mount at /dev
 +
}}
 +
{{kernelop
 +
|title=
 +
|desc=
 +
Device Drivers --->
 +
      [*] Multiple devices driver support --->
 +
      <*>Device Mapper Support
 +
        <*> Crypt target support
 +
}}
 +
{{kernelop
 +
|title=
 +
|desc=
 +
Cryptographic API --->
 +
      <*> XTS support
 +
      -*-AES cipher algorithms
 +
}}
  
 
= Initramfs setup and configuration =
 
= Initramfs setup and configuration =
Build your initramfs with [https://bitbucket.org/piotrkarbowski/better-initramfs better-initramfs] project.
+
== Better-initramfs ==
 +
'''Build your initramfs with [https://bitbucket.org/piotrkarbowski/better-initramfs better-initramfs] project.'''
  
{{fancynote|better-initramfs supports neither dynamic modules nor udev, so you should compile your kernel with built-in support for your block devices.}}
+
{{Note}} better-initramfs supports neither dynamic modules nor udev, so you should compile your kernel with built-in support for your block devices and file system support.
  
<pre># git clone git@bitbucket.org:piotrkarbowski/better-initramfs.git
+
<console>
# cd better-initramfs
+
# ##i##cd /opt
# less README.rst
+
# ##i##git clone git://github.com/slashbeast/better-initramfs.git
# bootstrap/bootstrap-all
+
# ##i##cd better-initramfs
# make prepare
+
# ##i##less README.rst
# make image
+
# ##i##bootstrap/bootstrap-all
</pre>
+
# ##i##make prepare
 +
# ##i##make image
 +
</console>
  
Copy resulting <code>initramfs.cpio.gz</code> to <code>/boot</code>.
+
Copy resulting <code>initramfs.cpio.gz</code> to <code>/boot</code>:
<pre># cp output/initramfs.cpio.gz /boot
+
<console># ##i##cp output/initramfs.cpio.gz /boot</console>
</pre>
+
 
Alternatively pre-compiled binary initramfs available at https://bitbucket.org/piotrkarbowski/better-initramfs/downloads
+
Alternatively, a pre-compiled binary initramfs is available at https://bitbucket.org/piotrkarbowski/better-initramfs/downloads
<pre># wget https://bitbucket.org/piotrkarbowski/better-initramfs/downloads/release-x86_64-v0.7.2.tar.bz2
+
<console>
# tar xf release-x86_64-v0.5.tar.bz2
+
# ##i##wget https://bitbucket.org/piotrkarbowski/better-initramfs/downloads/release-x86_64-v0.7.2.tar.bz2
# cd release*
+
# ##i##tar xf release-x86_64-v0.5.tar.bz2
# gzip initramfs.cpio
+
# ##i##cd release*
# cp initramfs.cpio.gz /boot</pre>
+
# ##i##gzip initramfs.cpio
 +
# ##i##cp initramfs.cpio.gz /boot
 +
</console>
  
 
Remember, better-initramfs project is a work in progress, so you need to update from time to time. It can be done easily with <code>git</code>. Go to the better-initramfs source dir and follow:
 
Remember, better-initramfs project is a work in progress, so you need to update from time to time. It can be done easily with <code>git</code>. Go to the better-initramfs source dir and follow:
<pre># git pull
+
<console>
# less ChangeLog
+
# ##i##cd /opt/better-initramfs
</pre>
+
# ##i##git pull
Please, read the ChangeLog carefuly and do necessary updates, to <code>/etc/boot.conf</code>, the example config below. Please, backup working <code>initramfs.cpio.gz</code> and <code>/etc/boot.conf</code> before updating initramfs.
+
# ##i##less ChangeLog
 +
</console>
 +
{{Note}}Please read the ChangeLog carefuly and perform necessary updates to <code>/etc/boot.conf</code>. Also, please backup the working <code>/boot/initramfs.cpio.gz</code> and <code>/etc/boot.conf</code> before updating better-initramfs.
  
= Genkernel approach =
+
== Genkernel ==
 
Funtoo's genkernel capable to create initramfs for encrypted drive. Compile and install kernel and initramfs of your favorite kernel sources:
 
Funtoo's genkernel capable to create initramfs for encrypted drive. Compile and install kernel and initramfs of your favorite kernel sources:
<pre>genkernel --kernel-config=/path/to/your/custom-kernel-config --no-mrproper --makeopts=-j5 --install --lvm --luks all</pre>
+
<console>
Configure the bootloader as described above, with correct kernel and initramfs images names. An example for genkernel and grub2:
+
# ##i##genkernel --kernel-config=/path/to/your/custom-kernel-config --no-mrproper --makeopts=-j5 --install --lvm --luks all </console>
  
{{code|/etc/boot.conf|<pre>
+
== Bootloader Configuration ==
 +
=== Grub2 configuration ===
 +
==== better-initramfs ====
 +
An example <code>/etc/boot.conf</code> for better-initramfs:
 +
 
 +
<pre>
 
boot {
 
boot {
 
   generate grub
 
   generate grub
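Review bot: the pre-compiled initramfs steps download `release-x86_64-v0.7.2.tar.bz2` but then run `tar xf release-x86_64-v0.5.tar.bz2`, so the extract step fails as written; use the same file name in both commands. Two smaller points in the same hunk: the new fstab header reads `<mountpoint<type>` and is missing the closing `>`, and the `{{Note}}` template is used as a bare prefix in front of prose, unlike the `{{fancynote|...}}` form used elsewhere in the revision, so the rendered page shows "Note Note:".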
Line 112: Line 169:
 
}
 
}
 
"Funtoo Linux" {
 
"Funtoo Linux" {
   kernel kernel-genkernel-x86_64-2.6.39
+
   kernel vmlinuz[-v]
   initrd initramfs-genkernel-x86_64-2.6.39
+
   initrd /initramfs.cpio.gz
   params += crypt_root=/dev/sda2 dolvm real_root=/dev/mapper/vg-root  rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet
+
   params += enc_root=/dev/sda3 lvm luks root=/dev/mapper/vg-root  rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet
}</pre>}}
+
</pre>
  
= Grub2 configuration =
+
Now, run <code>boot-update</code> to write the configuration files to <code>/boot/grub/grub.cfg</code>
An example of <code>/etc/boot.conf</code> for better-initramfs
+
 
{{code|/etc/boot.conf|<pre>
+
==== genkernel ====
 +
Configure the bootloader as described above, with correct kernel and initramfs images names. An example for genkernel and grub2. You will be editing <code>/etc/boot.conf</code>:
 +
 
 +
<pre>
 
boot {
 
boot {
 
   generate grub
 
   generate grub
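Review bot: replacing `}</pre>}}` with a bare `</pre>` drops the `}` that closes the "Funtoo Linux" block, leaving the better-initramfs /etc/boot.conf example syntactically incomplete; keep the closing brace on its own line before `</pre>`.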
Line 126: Line 186:
 
}
 
}
 
"Funtoo Linux" {
 
"Funtoo Linux" {
   kernel bzImage[-v]
+
   kernel kernel-genkernel-x86_64-3.13.0
   initrd /initramfs.cpio.gz
+
   initrd initramfs-genkernel-x86_64-3.13.0
   params += enc_root=/dev/sda2 lvm luks root=/dev/mapper/vg-root  rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet
+
   params += crypt_root=/dev/sda3 dolvm real_root=/dev/mapper/vg-root  rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet
}</pre>}}
+
</pre>
  
{{code|/etc/fstab|
+
== Lilo configuration ==
<pre>
+
For oldschool geeks, an example for lilo bootloader. Emerge lilo with device-mapper support
# <fs>                 <mountpoint> <type>    <opts>                          <dump/pass>
+
<console>
/dev/sda1              /boot        ext2      noauto,noatime                  1 2
+
# ##i##echo 'sys-boot/lilo device-mapper' >> /etc/portage/package.use/lilo
/dev/mapper/vg-swap    none          swap      sw                              0 0
+
# ##i##emerge lilo
/dev/mapper/vg-root    /            ext4      noatime,nodiratime,defaults    0 1
+
</console>
/dev/sr0                /mnt/cdrom    auto      noauto,ro                      0 0
+
 
/dev/mapper/vg-portage  /usr/portage  reiserfs  noatime,nodiratime              0 0
+
Example <code>/etc/lilo.conf</code>:
/dev/mapper/vg-home    /home        xfs      noatime,nodiratime,osyncisdsync 0 0</pre>}}
+
  
= Lilo configuration =
 
For oldschool geeks, an example for lilo bootloader. Emerge lilo with device-mapper support
 
 
<pre>
 
<pre>
# echo 'sys-boot/lilo device-mapper' >> /etc/portage/package.use/lilo
+
append="init=/linuxrc dolvm crypt_root=/dev/sda2 real_root=/dev/mapper/vg-root"
# emerge lilo</pre>
+
 
+
{{code|/etc/lilo.conf|<pre>append="init=/linuxrc dolvm crypt_root=/dev/sda2 real_root=/dev/mapper/vg-root"
+
 
boot=/dev/sda
 
boot=/dev/sda
 
compact
 
compact
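Review bot: same problem as the previous hunk: the genkernel /etc/boot.conf example loses its closing `}` when `}</pre>}}` becomes `</pre>`. In the lilo section, the `append=` line still uses `crypt_root=/dev/sda2` while the grub examples in this revision moved the LUKS device to `/dev/sda3`; either update it or state that it follows the UEFI layout, where /dev/sda2 is the root partition.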
Line 155: Line 209:
 
read-only
 
read-only
 
timeout=50
 
timeout=50
image=/boot/kernel-genkernel-x86_64-2.6.39
+
image=/boot/kernel-genkernel-x86_64-3.13.0
initrd=/boot/initramfs-genkernel-x86_64-2.6.39
+
initrd=/boot/initramfs-genkernel-x86_64-3.13.0
 
label=funtoo
 
label=funtoo
</pre>}}
+
</pre>
= Syslinux bootloader setup =
+
 
Syslinux is another advanced bootloader which you can find on all live CD's.  
+
== Syslinux bootloader setup ==
<pre>
+
Syslinux is another advanced bootloader which you can find on all live CD's. Syslinux bootloader does not require additional BIOS boot partition. /dev/sda2 is the root partition.
# emerge syslinux
+
<console>
# mkdir /boot/extlinux
+
# ##i##emerge syslinux
# extlinux --install /boot/extlinux
+
# ##i##mkdir /boot/extlinux
# dd bs=440 conv=notrunc count=1 if=/usr/share/syslinux/mbr.bin of=/dev/sda
+
# ##i##extlinux --install /boot/extlinux
 +
# ##i##dd bs=440 conv=notrunc count=1 if=/usr/share/syslinux/mbr.bin of=/dev/sda
 
- or -
 
- or -
# sgdisk /dev/sda --attributes=1:set:2
+
# ##i##sgdisk /dev/sda --attributes=1:set:2
# dd bs=440 conv=notrunc count=1 if=/usr/share/syslinux/gptmbr.bin of=/dev/sda, for GPT partition</pre>  
+
# ##i##dd bs=440 conv=notrunc count=1 if=/usr/share/syslinux/gptmbr.bin of=/dev/sda, for GPT partition
{{code|/boot/extlinux/extlinux.conf|<pre>LABEL kernel1_bzImage-3.2.1
+
</console>
 +
 
 +
Example <code>/boot/extlinux/extlinux.conf</code>:
 +
 
 +
<pre>
 +
LABEL kernel1_bzImage-3.2.1
 
MENU LABEL Funtoo Linux bzImage-3.2.1
 
MENU LABEL Funtoo Linux bzImage-3.2.1
 
LINUX /bzImage-3.2.1
 
LINUX /bzImage-3.2.1
 
INITRD /initramfs.cpio.gz
 
INITRD /initramfs.cpio.gz
 
APPEND rootfstype=ext4 luks enc_root=/dev/sda2 lvm root=/dev/mapper/vg-root
 
APPEND rootfstype=ext4 luks enc_root=/dev/sda2 lvm root=/dev/mapper/vg-root
</pre>}}
+
</pre>
  
= Final steps =
+
== Final steps ==
 
Umount everything, close encrypted drive and reboot
 
Umount everything, close encrypted drive and reboot
<pre>umount /mnt/funtoo/proc (/dev, /home, /usr/portage, /boot)
+
<console>
vgchange -a n
+
# ##i##umount -l -v /mnt/funtoo/{dev, proc, home, usr/portage, boot}
cryptsetup luksClose /dev/sda2 dmcrypt_root</pre>
+
# ##i##vgchange -a n
 +
# ##i##cryptsetup luksClose /dev/sda2 dmcrypt_root
 +
</console>
 
After reboot you will get the following:
 
After reboot you will get the following:
<pre>>>> better-initramfs started. Kernel version 2.6.35-gentoo-r10
+
<console>
 +
>>> better-initramfs started. Kernel version 2.6.35-gentoo-r10
 
>>> Create all the symlinks to /bin/busybox.
 
>>> Create all the symlinks to /bin/busybox.
 
>>> Initiating /dev/dir
 
>>> Initiating /dev/dir
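Review bot: the final-steps command `umount -l -v /mnt/funtoo/{dev, proc, home, usr/portage, boot}` has spaces inside the braces, so the shell word-splits the argument before brace expansion and none of the listed paths is unmounted; write `{dev,proc,home,usr/portage,boot}` without spaces, and unmount /mnt/funtoo itself (and `swapoff` vg-swap) before `vgchange -a n`, which otherwise refuses to deactivate a group with an LV in use. `cryptsetup luksClose /dev/sda2 dmcrypt_root` should be `cryptsetup luksClose dmcrypt_root`, since luksClose takes only the mapping name. The syslinux line `dd ... of=/dev/sda, for GPT partition` embeds prose in the command, so `of=/dev/sda,` is passed as the output path; move ", for GPT partition" into the surrounding text.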
Line 190: Line 253:
 
No volume group found
 
No volume group found
 
>>> Opening encrypted partition and mapping to /dev/mapper/dmcrypt_root
 
>>> Opening encrypted partition and mapping to /dev/mapper/dmcrypt_root
Enter passphrase fore /dev/sda2:</pre>
+
Enter passphrase fore /dev/sda2:
 +
</console>
 
Type your password
 
Type your password
  
<pre>>>> Again, getting LVM volumes up (if any, after map dmcrypt).
+
<console>
 +
>>> Again, getting LVM volumes up (if any, after map dmcrypt).
 
   Reading all physical volumes.  This may take a while...
 
   Reading all physical volumes.  This may take a while...
 
   Found volume group "vg" using metadata type lvm2
 
   Found volume group "vg" using metadata type lvm2
Line 208: Line 273:
 
Password:
 
Password:
 
Last login: Thu Oct 14 20:49:21 EEST 2010 on tty1
 
Last login: Thu Oct 14 20:49:21 EEST 2010 on tty1
oleg@orion ~ %</pre>
+
oleg@orion ~ %
 +
</console>
  
= Additional links =
+
== Additional links and information ==
 
* [[gentoo-wiki:Root filesystem over LVM2, DM-Crypt and RAID|Root filesystem over LVM2, DM-Crypt, and RAID]]
 
* [[gentoo-wiki:Root filesystem over LVM2, DM-Crypt and RAID|Root filesystem over LVM2, DM-Crypt, and RAID]]
 
* [http://wiki.archlinux.org/index.php/System_Encryption_with_LUKS_for_dm-crypt System Encryption with LUKS for dm-crypt]
 
* [http://wiki.archlinux.org/index.php/System_Encryption_with_LUKS_for_dm-crypt System Encryption with LUKS for dm-crypt]
 +
* [http://en.wikipedia.org/wiki/Logical_volume_management Wikipedia article on LVM]
 +
* [https://wiki.archlinux.org/index.php/Dm-crypt_with_LUKS Arch Wiki article]
  
 
[[Category:HOWTO]]
 
[[Category:HOWTO]]

Latest revision as of 00:03, 22 February 2014

This howto describes how to set up LVM and a root filesystem on a LUKS-encrypted drive. It is not meant to be a standalone installation guide; rather, it is meant to be read alongside the Funtoo Linux Installation Guide.


Prepare the hard drive and partitions

This is an example partition scheme; you may want to choose differently. /dev/sda1 is used as /boot, and /dev/sda2 will be the encrypted drive with LVM.

  • /dev/sda1 -- /boot partition.
  • /dev/sda2 -- BIOS boot partition (not needed for MBR; only needed if you are using GPT). This partition is required for GRUB2 on GPT disks. See [1] for more information on GPT and MBR.
  • /dev/sda3 -- / partition, will be the drive with LUKS and LVM.

With UEFI:

  • /dev/sda1 -- /boot
  • /dev/sda2 -- / partition

Wipe the hard drive

# gdisk /dev/sda

Command: x ↵
Expert command: z ↵
About to wipe out GPT on /dev/sda. Proceed?: y ↵
GPT data structures destroyed! You may now partition the disk using fdisk or other utilities.
Blank out MBR?: y ↵

Warning: This action will destroy all data on the disk.

Encrypting the drive

Read more about different cipher options here: [2]

# cryptsetup --cipher aes-xts-plain64 luksFormat /dev/sda3
# cryptsetup luksOpen /dev/sda3 dmcrypt_root

Here you will be prompted for the passphrase of the encrypted drive; type your paranoid passphrase there.

Create logical volumes

# pvcreate /dev/mapper/dmcrypt_root
# vgcreate vg /dev/mapper/dmcrypt_root
# lvcreate -L10G --name root vg           
# lvcreate -L2G --name swap vg
# lvcreate -L5G --name portage vg
# lvcreate -l 100%FREE -nhome vg

Feel free to specify your desired size by altering the number after the -L flag. For example, to make your portage volume 20 GB, use -L20G instead of -L5G.

Create a filesystem on volumes

# mkfs.ext2 /dev/sda1
# mkswap /dev/mapper/vg-swap
# mkfs.ext4 /dev/mapper/vg-root
# mkfs.ext4 /dev/mapper/vg-portage
# mkfs.ext4 /dev/mapper/vg-home

Basic system setup

# swapon /dev/mapper/vg-swap
# mkdir /mnt/funtoo
# mount /dev/mapper/vg-root /mnt/funtoo
# mkdir -p /mnt/funtoo/{boot,usr/portage,home}
# mount /dev/sda1 /mnt/funtoo/boot
# mount /dev/mapper/vg-portage /mnt/funtoo/usr/portage
# mount /dev/mapper/vg-home /mnt/funtoo/home

Now perform all the steps required for the basic system install by following [3]. Don't forget to emerge the following before your install is finished:

  • cryptsetup
  • lvm2
  • a bootloader (grub recommended)
  • kernel sources

Editing the fstab

Fire up your favorite text editor to edit /etc/fstab. You want to put the following in the file:


# <fs>                  <mountpoint>  <type>    <opts>                          <dump/pass>
/dev/sda1               /boot         ext2      noauto,noatime                  1 2
/dev/mapper/vg-swap     none          swap      sw                              0 0
/dev/mapper/vg-root     /             ext4      noatime,nodiratime,defaults     0 1
/dev/sr0                /mnt/cdrom    auto      noauto,ro                       0 0
/dev/mapper/vg-portage  /usr/portage  ext4      noatime,nodiratime              0 0
/dev/mapper/vg-home     /home         ext4      noatime,nodiratime              0 0

Kernel options

Note: this part is particularly important; pay close attention.

General setup --->
      [*] Initial RAM filesystem and RAM disk (initramfs/initrd) support
Device Drivers --->
      Generic Driver Options ---> 
      [*] Maintain a devtmpfs filesystem to mount at /dev
Device Drivers --->
      [*] Multiple devices driver support --->
      <*>Device Mapper Support
        <*> Crypt target support
Cryptographic API --->
      <*> XTS support
      -*-AES cipher algorithms

Initramfs setup and configuration

Better-initramfs

Build your initramfs with the better-initramfs project.

Note: better-initramfs supports neither dynamic modules nor udev, so you should compile your kernel with built-in support for your block devices and filesystems.
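As an added example (not part of the original page), a small POSIX shell check that reads a kernel .config and confirms the options listed under Kernel options are built in rather than modular, which is what the note above about better-initramfs requires. The Kconfig symbol names are the standard ones for those menu entries; the two sample configs are constructed here.

```shell
#!/bin/sh
# check_kernel_config <path to .config>
# Verifies the kernel options this howto lists are compiled in (=y).
# better-initramfs loads no modules, so "=m" is as useless as "is not set"
# for the device-mapper and crypto support needed before the root filesystem
# is mounted. Symbol names correspond to the menu entries in "Kernel options".
REQUIRED_OPTIONS="CONFIG_BLK_DEV_INITRD CONFIG_DEVTMPFS CONFIG_MD CONFIG_BLK_DEV_DM CONFIG_DM_CRYPT CONFIG_CRYPTO_XTS CONFIG_CRYPTO_AES"

check_kernel_config() {
    config="$1"
    rc=0
    for opt in $REQUIRED_OPTIONS; do
        # Exact symbol match: "^CONFIG_MD=" does not match CONFIG_MD_RAID1 etc.
        value=$(sed -n "s/^${opt}=//p" "$config" | head -n 1)
        case "$value" in
            y) ;;
            m) echo "$opt=m: built as a module, must be =y"; rc=1 ;;
            *) echo "$opt: not enabled"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample configs (not real kernel configs) to exercise the check.
GOOD_CONFIG=$(mktemp)
cat > "$GOOD_CONFIG" <<'EOF'
CONFIG_BLK_DEV_INITRD=y
CONFIG_DEVTMPFS=y
CONFIG_MD=y
CONFIG_MD_RAID1=m
CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=y
CONFIG_CRYPTO_XTS=y
CONFIG_CRYPTO_AES=y
EOF

# Two typical mistakes: dm-crypt as a module, XTS mode left off entirely.
BAD_CONFIG=$(mktemp)
cat > "$BAD_CONFIG" <<'EOF'
CONFIG_BLK_DEV_INITRD=y
CONFIG_DEVTMPFS=y
CONFIG_MD=y
CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=m
# CONFIG_CRYPTO_XTS is not set
CONFIG_CRYPTO_AES=y
EOF
trap 'rm -f "$GOOD_CONFIG" "$BAD_CONFIG"' EXIT

for cfg in "$GOOD_CONFIG" "$BAD_CONFIG"; do
    if check_kernel_config "$cfg"; then
        echo "$cfg: all required options are built in"
    else
        echo "$cfg: NOT usable with better-initramfs"
    fi
done
```

Run it against /usr/src/linux/.config before `make image`; every reported line is one boot failure avoided.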

# cd /opt
# git clone git://github.com/slashbeast/better-initramfs.git
# cd better-initramfs
# less README.rst
# bootstrap/bootstrap-all
# make prepare
# make image

Copy resulting initramfs.cpio.gz to /boot:

# cp output/initramfs.cpio.gz /boot

Alternatively, a pre-compiled binary initramfs is available at https://bitbucket.org/piotrkarbowski/better-initramfs/downloads

# wget https://bitbucket.org/piotrkarbowski/better-initramfs/downloads/release-x86_64-v0.7.2.tar.bz2
# tar xf release-x86_64-v0.7.2.tar.bz2
# cd release*
# gzip initramfs.cpio
# cp initramfs.cpio.gz /boot

Remember, the better-initramfs project is a work in progress, so you need to update it from time to time. This is easily done with git. Go to the better-initramfs source directory and run:

# cd /opt/better-initramfs
# git pull
# less ChangeLog

Note: Please read the ChangeLog carefully and perform the necessary updates to /etc/boot.conf. Also, please back up the working /boot/initramfs.cpio.gz and /etc/boot.conf before updating better-initramfs.

Genkernel

Funtoo's genkernel is capable of creating an initramfs for an encrypted drive. Compile and install the kernel and initramfs from your favorite kernel sources:

# genkernel --kernel-config=/path/to/your/custom-kernel-config --no-mrproper --makeopts=-j5 --install --lvm --luks all 

Bootloader Configuration

Grub2 configuration

better-initramfs

An example /etc/boot.conf for better-initramfs:

boot {
  generate grub
  default "Funtoo Linux"
  timeout 3
}
"Funtoo Linux" {
  kernel vmlinuz[-v]
  initrd /initramfs.cpio.gz
  params += enc_root=/dev/sda3 lvm luks root=/dev/mapper/vg-root  rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet
}

Now run boot-update to write the configuration files to /boot/grub/grub.cfg.

genkernel

Configure the bootloader as described above, with the correct kernel and initramfs image names. Here is an example for genkernel and grub2; you will be editing /etc/boot.conf:

boot {
  generate grub
  default "Funtoo Linux"
  timeout 3
}
"Funtoo Linux" {
  kernel kernel-genkernel-x86_64-3.13.0
  initrd initramfs-genkernel-x86_64-3.13.0
  params += crypt_root=/dev/sda3 dolvm real_root=/dev/mapper/vg-root  rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet
}
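Because the two initramfs flavours read different parameter names, here is an added example (not from the page or either project) that checks a params line against the vocabulary of the chosen initramfs, using the two lines shown above plus a constructed mixed-up line. The required keys are taken from the page's own examples; the check that the root device is a /dev/mapper path is an assumption that follows from the LVM-inside-LUKS layout used here.

```shell
#!/bin/sh
# check_boot_params <better-initramfs|genkernel> "<kernel params>"
# The two initramfs flavours on this page read different parameters:
#   better-initramfs: enc_root=<luks dev> luks lvm root=<mapped root>
#   genkernel:        crypt_root=<luks dev> dolvm real_root=<mapped root>
# Mixing them yields an initramfs that never opens the LUKS container.
# Returns 0 if the line is consistent for the chosen type, 1 otherwise.

# has_param "<params>" <key>: true if <key> or <key>=... appears as a word
has_param() {
    for tok in $1; do
        case "$tok" in "$2"|"$2="*) return 0 ;; esac
    done
    return 1
}

# param_value "<params>" <key>: print the value of <key>=value (empty if absent)
param_value() {
    for tok in $1; do
        case "$tok" in "$2="*) printf '%s\n' "${tok#*=}"; return 0 ;; esac
    done
    return 0
}

check_boot_params() {
    kind="$1"; params="$2"; rc=0
    case "$kind" in
        better-initramfs) need="enc_root luks lvm root"; foreign="crypt_root dolvm real_root"; rootkey=root ;;
        genkernel)        need="crypt_root dolvm real_root"; foreign="enc_root luks lvm"; rootkey=real_root ;;
        *) echo "unknown initramfs type: $kind" >&2; return 2 ;;
    esac
    for key in $need; do
        has_param "$params" "$key" || { echo "missing '$key' (required by $kind)"; rc=1; }
    done
    for key in $foreign; do
        has_param "$params" "$key" && { echo "'$key' is not understood by $kind"; rc=1; }
    done
    # Assumption: the root filesystem is an LVM volume inside the LUKS container,
    # so the root device must be a device-mapper path, not a raw partition.
    rootdev=$(param_value "$params" "$rootkey")
    case "$rootdev" in
        /dev/mapper/*) ;;
        *) echo "$rootkey=$rootdev is not a /dev/mapper device"; rc=1 ;;
    esac
    return $rc
}

# The two params lines from the boot.conf examples above, plus a constructed
# mix-up: a genkernel key and a raw partition on a better-initramfs line.
BI_OK="enc_root=/dev/sda3 lvm luks root=/dev/mapper/vg-root rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet"
GK_OK="crypt_root=/dev/sda3 dolvm real_root=/dev/mapper/vg-root rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet"
MIXED="crypt_root=/dev/sda3 lvm luks root=/dev/sda3 quiet"

report() {
    if check_boot_params "$1" "$2"; then echo "$1: params OK"; else echo "$1: params NOT OK"; fi
}
report better-initramfs "$BI_OK"
report genkernel "$GK_OK"
report better-initramfs "$MIXED"
```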

Lilo configuration

For oldschool geeks, here is an example for the lilo bootloader. Emerge lilo with device-mapper support:

# echo 'sys-boot/lilo device-mapper' >> /etc/portage/package.use/lilo
# emerge lilo

Example /etc/lilo.conf:

append="init=/linuxrc dolvm crypt_root=/dev/sda2 real_root=/dev/mapper/vg-root"
boot=/dev/sda
compact
default=funtoo
lba32
prompt
read-only
timeout=50
image=/boot/kernel-genkernel-x86_64-3.13.0
initrd=/boot/initramfs-genkernel-x86_64-3.13.0
label=funtoo

Syslinux bootloader setup

Syslinux is another advanced bootloader which you can find on all live CDs. Syslinux does not require an additional BIOS boot partition; in this example /dev/sda2 is the root partition.

# emerge syslinux
# mkdir /boot/extlinux
# extlinux --install /boot/extlinux
# dd bs=440 conv=notrunc count=1 if=/usr/share/syslinux/mbr.bin of=/dev/sda
- or, for a GPT partition table -
# sgdisk /dev/sda --attributes=1:set:2
# dd bs=440 conv=notrunc count=1 if=/usr/share/syslinux/gptmbr.bin of=/dev/sda

Example /boot/extlinux/extlinux.conf:

LABEL kernel1_bzImage-3.2.1
MENU LABEL Funtoo Linux bzImage-3.2.1
LINUX /bzImage-3.2.1
INITRD /initramfs.cpio.gz
APPEND rootfstype=ext4 luks enc_root=/dev/sda2 lvm root=/dev/mapper/vg-root

Final steps

Unmount everything, close the encrypted drive and reboot:

# umount -l -v /mnt/funtoo/{dev,proc,home,usr/portage,boot}
# umount /mnt/funtoo
# swapoff /dev/mapper/vg-swap
# vgchange -a n
# cryptsetup luksClose dmcrypt_root

After reboot you will get the following:

>>> better-initramfs started. Kernel version 2.6.35-gentoo-r10
>>> Create all the symlinks to /bin/busybox.
>>> Initiating /dev/dir
>>> Getting LVM volumes up (if any)
Reding all physical volumes. This make take awhile...
No volume group found
No volume group found
>>> Opening encrypted partition and mapping to /dev/mapper/dmcrypt_root
Enter passphrase fore /dev/sda2:

Type your passphrase.

>>> Again, getting LVM volumes up (if any, after map dmcrypt).
  Reading all physical volumes.  This may take a while...
  Found volume group "vg" using metadata type lvm2
  4 logical volume(s) in volume group "vg" now active
>>> Mounting rootfs to /newroot
>>> Umounting /sys and /proc.
>>> Switching root to /newroot and executing /sbin/init.
INIT: version 2.88 booting
Loading /libexec/rc/console/keymap
  OpenRC 0.6.1 is starting up Funtoo Linux (x86_64)
...boot messages omitted for clarity
   
orion login: oleg
Password:
Last login: Thu Oct 14 20:49:21 EEST 2010 on tty1
oleg@orion ~ %

Additional links and information