Difference between revisions of "Rootfs over encrypted lvm"
Edit summary of the previous revision: (I fixed up the links.)
Edit summary of this revision: (I fixed up the document structure.)
Additional links
* Root filesystem over LVM2, DM-Crypt, and RAID (gentoo-wiki: "Root filesystem over LVM2, DM-Crypt and RAID")
* System Encryption with LUKS for dm-crypt: http://wiki.archlinux.org/index.php/System_Encryption_with_LUKS_for_dm-crypt
Category: HOWTO
Revision as of 16:52, 7 November 2010
You can do many things with Funtoo Linux. This is just a sample of how to do some tasks. This howto describes how to set up LVM and a root filesystem on a LUKS-encrypted (dm-crypt) drive.
Prepare the hard drive and make partitions
This is an example partition scheme; you may choose a different one. /dev/sda1 is used as /boot, and /dev/sda2 becomes the encrypted drive holding LVM:

/dev/sda1
/dev/sda2

Optionally, overwrite /dev/sda2 first. Either command destroys everything on the partition:

dd if=/dev/zero of=/dev/sda2 bs=100M
dd if=/dev/urandom of=/dev/sda2 bs=100M

Only the /dev/urandom pass serves a security purpose: it leaves the whole partition looking like ciphertext, so that after encryption nobody can tell how much of the volume holds real data. A zero pass alone does not achieve this, and running it before the random pass adds nothing. With /dev/urandom the author found it took around 6 hours for a 200 GB drive.
Encrypting the drive
cryptsetup -c aes-xts-plain luksFormat /dev/sda2
cryptsetup luksOpen /dev/sda2 dmcrypt_root

luksFormat asks for the passphrase that protects the encrypted drive; pick a strong one, since it is the only thing standing between someone holding the disk and your data. luksOpen asks for it again and maps the decrypted device to /dev/mapper/dmcrypt_root.

Two caveats on the cipher spec: aes-xts-plain derives each sector's IV from a 32-bit sector number, which wraps on devices larger than 2 TiB, so use aes-xts-plain64 there (the default in current cryptsetup). And under XTS the key size given to -s is split in two, so the 256-bit default of this era yields AES-128; pass -s 512 for AES-256.
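As an added example (not part of the original howto), the following script audits the output of `cryptsetup luksDump` for the points raised above: a 32-bit-IV cipher mode on a large device, a master key too short for AES-256 under XTS, the old sha1 PBKDF2 default, and a single enabled key slot. The dump text it checks is constructed inline in the LUKS1 layout (salts and digests omitted); the function names, the sample values and the 200 GB device size are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not from the original howto): audit a LUKS1 header dump for
# the settings this page's `cryptsetup -c aes-xts-plain luksFormat` leaves at
# their 2010-era defaults.  The dump text is CONSTRUCTED below so the script
# runs offline; on a real system feed it `cryptsetup luksDump /dev/sda2`.

# Pull one "Field:   value" line out of a luksDump text.
luks_field() {
    # $1 dump text, $2 field name (e.g. "Cipher mode")
    printf '%s\n' "$1" | awk -F':' -v f="$2" '$1 == f { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# check_luks_dump DUMP_TEXT DEVICE_SIZE_BYTES
# Writes one line per finding to stderr and prints the finding count to stdout.
check_luks_dump() {
    dump=$1
    size_bytes=$2
    findings=0

    cipher=$(luks_field "$dump" "Cipher name")
    mode=$(luks_field "$dump" "Cipher mode")
    mkbits=$(luks_field "$dump" "MK bits")
    hash=$(luks_field "$dump" "Hash spec")
    slots=$(printf '%s\n' "$dump" | grep -c '^Key Slot [0-7]: ENABLED' || true)

    # xts-plain builds each sector's IV from a 32-bit sector number, which
    # wraps after 2^32 sectors = 2 TiB; xts-plain64 uses 64 bits.
    two_tib=$((2 * 1024 * 1024 * 1024 * 1024))
    if [ "$mode" = "xts-plain" ] && [ "$size_bytes" -gt "$two_tib" ]; then
        echo "IV wrap: $cipher-$mode on a device over 2 TiB, use -c aes-xts-plain64" >&2
        findings=$((findings + 1))
    fi

    # XTS splits the master key into two halves, so MK bits 256 means AES-128.
    case "$mode" in
        xts-*)
            if [ "$mkbits" -lt 512 ]; then
                echo "Key size: MK bits $mkbits is AES-$((mkbits / 2)) under XTS, pass -s 512 for AES-256" >&2
                findings=$((findings + 1))
            fi ;;
    esac

    # sha1 was the LUKS1 PBKDF2 default in 2010; newer cryptsetup defaults to sha256.
    if [ "$hash" = "sha1" ]; then
        echo "KDF hash: sha1, pass -h sha256 (or sha512) when formatting" >&2
        findings=$((findings + 1))
    fi

    # One passphrase in one slot is a single point of failure for all the data.
    if [ "$slots" -lt 2 ]; then
        echo "Recovery: $slots key slot enabled, add a second passphrase (luksAddKey) and back up the header (luksHeaderBackup)" >&2
        findings=$((findings + 1))
    fi

    echo "$findings"
}

# Constructed LUKS1 header dump in the layout `cryptsetup luksDump` prints
# (salts and digests omitted), parameterised so a weak and a hardened header
# can both be checked.
sample_dump() {
    # $1 cipher mode, $2 MK bits, $3 hash spec, $4 state of key slot 1
    cat <<EOF
LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    $1
Hash spec:      $3
Payload offset: 4096
MK bits:        $2
UUID:           00000000-0000-4000-8000-000000000000

Key Slot 0: ENABLED
        Iterations:             100000
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: $4
Key Slot 2: DISABLED
EOF
}

# The page's command on its 200 GB drive: aes-xts-plain, default key size,
# default hash, one passphrase.  Prints 3.
check_luks_dump "$(sample_dump xts-plain 256 sha1 DISABLED)" 200000000000
# A header made with -c aes-xts-plain64 -s 512 -h sha256 plus a second slot.  Prints 0.
check_luks_dump "$(sample_dump xts-plain64 512 sha256 ENABLED)" 200000000000
```

On the page's 200 GB drive the IV-wrap check stays quiet; feeding the same weak header with a size above 2 TiB adds that fourth finding, which is exactly the case where aes-xts-plain stops being safe.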
Create logical volumes
pvcreate /dev/mapper/dmcrypt_root
vgcreate vg /dev/mapper/dmcrypt_root
lvcreate -L10G -nroot vg
lvcreate -L2G -nswap vg
lvcreate -L5G -nportage vg
lvcreate -l 100%FREE -nhome vg

Feel free to specify the sizes you want. Every logical volume lives inside the LUKS container, so swap and /home are encrypted along with root.
Create a filesystem on volumes
mkfs.ext2 /dev/sda1
mkswap /dev/mapper/vg-swap
mkfs.ext4 /dev/mapper/vg-root
mkreiserfs /dev/mapper/vg-portage
mkfs.xfs /dev/mapper/vg-home
Basic system setup
With the filesystems created, activate swap and mount the new root and /boot:

swapon /dev/mapper/vg-swap
mkdir -p /mnt/gentoo
mount /dev/mapper/vg-root /mnt/gentoo
mkdir -p /mnt/gentoo/boot
mount /dev/sda1 /mnt/gentoo/boot

Now perform all the steps of a basic system install by following the installation guide [1]. Do not forget to emerge these packages in the chroot:

# emerge cryptsetup lvm2 grub foo-sources

(foo-sources stands for the kernel sources package of your choice.) Also re-emerge busybox with the "static" USE flag; the initramfs built below relies on a static busybox.
Kernel options
Important, do not miss this part. Select the options below as built-in (<*>), not as modules: the initramfs built in the next section does not carry kernel modules, so everything needed to reach the root filesystem (device mapper, dm-crypt, AES with XTS, your disk controller, and ext4 for vg-root) has to be compiled into the kernel.

Under General setup --->
    [*] Initial RAM filesystem and RAM disk (initramfs/initrd) support

Under Device Drivers --->
    [*] Multiple devices driver support
        <*> Device mapper support
        <*> Crypt target support

Under Cryptographic API --->
    -*- AES cipher algorithms
    <*> XTS support (EXPERIMENTAL)
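As an added example (not from the original howto or from better-initramfs), this script checks a kernel .config for the Kconfig symbols behind the menu entries listed above, and insists that each is built in (=y) rather than a module (=m). The symbol names are the real ones for those menu entries; CONFIG_EXT4_FS is this example's addition, because the page's root LV is ext4. The two .config fragments are constructed, and the function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the original howto or better-initramfs): check a
# kernel .config for the options this page's "Kernel options" section asks for,
# and insist that each is built in (=y).  The initramfs built in the next
# section ships no kernel modules, so dm-crypt, the cipher and the root
# filesystem driver must be compiled into the kernel or the boot stops before
# the passphrase prompt.  The .config contents below are CONSTRUCTED; on a
# real system pass /usr/src/linux/.config.

# Kconfig symbols behind the menu entries named on this page, plus the root
# filesystem used in its partition scheme (ext4 on vg-root).  CONFIG_EXT4_FS
# is this example's addition to the page's list.
REQUIRED_OPTIONS="
CONFIG_BLK_DEV_INITRD
CONFIG_MD
CONFIG_BLK_DEV_DM
CONFIG_DM_CRYPT
CONFIG_CRYPTO_AES
CONFIG_CRYPTO_XTS
CONFIG_EXT4_FS
"

# check_kernel_config FILE
# Writes each problem to stderr and prints the problem count to stdout.
check_kernel_config() {
    file=$1
    problems=0
    for opt in $REQUIRED_OPTIONS; do
        # .config writes "CONFIG_FOO=y", "CONFIG_FOO=m" or "# CONFIG_FOO is not set".
        # Anchoring on "$opt=" keeps CONFIG_MD from matching CONFIG_MD_RAID1.
        val=$(sed -n "s/^$opt=\(.\)\$/\1/p" "$file")
        case "$val" in
            y) ;;
            m) echo "$opt=m: built as a module, but this initramfs loads none; set it to y" >&2
               problems=$((problems + 1)) ;;
            *) echo "$opt is missing or not set" >&2
               problems=$((problems + 1)) ;;
        esac
    done
    echo "$problems"
}

# Constructed .config fragment in the shape a distribution-style kernel often
# has: dm-crypt and XTS as modules, ext4 left out.
sample_config_modular() {
    cat <<'EOF'
CONFIG_BLK_DEV_INITRD=y
CONFIG_MD=y
CONFIG_MD_RAID1=m
CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=m
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_AES_X86_64=m
CONFIG_CRYPTO_XTS=m
# CONFIG_EXT4_FS is not set
CONFIG_XFS_FS=y
EOF
}

# Constructed .config fragment with everything this page needs built in.
sample_config_builtin() {
    cat <<'EOF'
CONFIG_BLK_DEV_INITRD=y
CONFIG_MD=y
CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=y
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_XTS=y
CONFIG_EXT4_FS=y
CONFIG_XFS_FS=y
EOF
}

cfg=$(mktemp)
sample_config_modular > "$cfg"
check_kernel_config "$cfg"       # prints 3: DM_CRYPT=m, CRYPTO_XTS=m, EXT4_FS unset
sample_config_builtin > "$cfg"
check_kernel_config "$cfg"       # prints 0
rm -f "$cfg"
```

Run it against /usr/src/linux/.config after `make menuconfig` and before `make`; a non-zero count means the initramfs will get as far as "Opening encrypted partition" or "Mounting rootfs" and stop, with no module available to fix it from inside.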
Initramfs setup and configuration
Piotr Karbowski's better-initramfs project [2] (http://github.com/slashbeast/better-initramfs) is used to build the initramfs:

git clone git://github.com/slashbeast/better-initramfs.git
cd better-initramfs
make
>>> initramfs.cpio.gz is ready

(GitHub has since stopped serving the git:// protocol; clone https://github.com/slashbeast/better-initramfs.git instead.) Copy the resulting initramfs.cpio.gz to /boot.
Grub2 configuration
An example of /etc/boot/conf that reflects the partition setup above:

boot {
    generate grub
    default "Funtoo Linux"
    timeout 3
}

"Funtoo Linux" {
    kernel bzImage[-v]
    initrd /initramfs.cpio.gz
    params += dmcrypt_root=true enc_root=/dev/sda2 lvm=true root=/dev/mapper/vg-root rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet
}

The params line tells the initramfs to open /dev/sda2 (enc_root), bring up LVM, and mount /dev/mapper/vg-root as ext4. Two security notes on this layout: swap is a logical volume inside the LUKS container, so the hibernation image that resume= reads back is encrypted too; /boot on /dev/sda1, however, is not, so the kernel and initramfs stored there are not protected against modification by someone with physical access. This setup protects data at rest, not the integrity of the boot chain.
/etc/fstab:

# <fs>                  <mountpoint>   <type>     <opts>                           <dump/pass>
/dev/sda1               /boot          ext2       noauto,noatime                   1 2
/dev/mapper/vg-swap     none           swap       sw                               0 0
/dev/mapper/vg-root     /              ext4       noatime,nodiratime,defaults      0 1
/dev/sr0                /mnt/cdrom     auto       noauto,ro                        0 0
/dev/mapper/vg-portage  /usr/portage   reiserfs   noatime,nodiratime               0 0
/dev/mapper/vg-home     /home          xfs        noatime,nodiratime,osyncisdsync  0 0

(osyncisdsync was an XFS mount option of kernels of this era; it has since been removed, so drop it on current kernels.)
Final steps
Unmount everything, deactivate the volume group, close the encrypted drive and reboot:

umount /mnt/gentoo/proc    (likewise /dev, /home, /usr/portage and /boot, then /mnt/gentoo itself)
swapoff /dev/mapper/vg-swap
vgchange -a n vg
cryptsetup luksClose dmcrypt_root

luksClose takes the mapping name, not the block device, and it only succeeds once no logical volume is still active on top of the container; hence the vgchange step.
After reboot you will see something like the following:

>>> better-initramfs started. Kernel version 2.6.35-gentoo-r10
>>> Create all the symlinks to /bin/busybox.
>>> Initiating /dev/dir
>>> Getting LVM volumes up (if any)
  Reading all physical volumes.  This may take a while...
  No volume group found
  No volume group found
>>> Opening encrypted partition and mapping to /dev/mapper/dmcrypt_root
Enter passphrase for /dev/sda2:

The first "No volume group found" is expected: the physical volume lies inside the still-closed LUKS container, so LVM cannot see it yet. Type your passphrase.

>>> Again, getting LVM volumes up (if any, after map dmcrypt).
  Reading all physical volumes.  This may take a while...
  Found volume group "vg" using metadata type lvm2
  4 logical volume(s) in volume group "vg" now active
>>> Mounting rootfs to /newroot
>>> Umounting /sys and /proc.
>>> Switching root to /newroot and executing /sbin/init.
INIT: version 2.88 booting
Loading /libexec/rc/console/keymap
OpenRC 0.6.1 is starting up Funtoo Linux (x86_64)
...boot messages omitted for clarity
orion login: oleg
Password:
Last login: Thu Oct 14 20:49:21 EEST 2010 on tty1
oleg@orion ~ %