Difference between revisions of "Rootfs over encrypted lvm"
(better-initramfs needs enc_root not crypt_root) |
m (→Basic system setup) |
||
| Line 41: | Line 41: | ||
= Basic system setup = | = Basic system setup = | ||
<pre>swapon /dev/mapper/vg-swap | <pre>swapon /dev/mapper/vg-swap | ||
| − | mount /dev/mapper/vg-root /mnt/ | + | mount /dev/mapper/vg-root /mnt/funtoo |
| − | mkdir /mnt/ | + | mkdir /mnt/funtoo/boot |
| − | mount /dev/sda1 /mnt/ | + | mount /dev/sda1 /mnt/funtoo/boot</pre> |
Now perform all the steps required for basic system install, please follow [http://docs.funtoo.org/wiki/Funtoo_Linux_Installation] | Now perform all the steps required for basic system install, please follow [http://docs.funtoo.org/wiki/Funtoo_Linux_Installation] | ||
don't forget to emerge next packages: | don't forget to emerge next packages: | ||
| Line 50: | Line 50: | ||
Re-emerge sys-apps/busybox and sys-fs/cryptsetup with the "static" USE flag | Re-emerge sys-apps/busybox and sys-fs/cryptsetup with the "static" USE flag | ||
| − | |||
= Kernel options = | = Kernel options = | ||
Revision as of 11:06, 23 May 2012
This howto describes how to setup LVM and rootfs with cryptoLUKS-encrypted drive
Prepare the hard drive and partitions
This is an example partition scheme, you may want to choose differently.
/dev/sda1 used as /boot. /dev/sda2 will be encrypted drive with LVM.
/dev/sda1 /dev/sda2 dd if=/dev/zero of=/dev/sda2 bs=100M dd if=/dev/urandom of=/dev/sda2 bs=100M
dd part is optional, only for security reason by overwriting the lingering data on the device with random data. It takes around 6 hours to complete for a 200GB drive.
Note that you will get a message about reaching the end of the device. That's intentional and desired in this case so that this command works without knowing the size of your device.
Encrypting the drive
# cryptsetup -c aes-xts-plain64 luksFormat /dev/sda2 # cryptsetup luksOpen /dev/sda2 dmcrypt_root
There you'll be prompted to enter your password phrase for encrypted drive, type your paranoid password there.
Create logical volumes
pvcreate /dev/mapper/dmcrypt_root vgcreate vg /dev/mapper/dmcrypt_root lvcreate -L10G -nroot vg lvcreate -L2G -nswap vg lvcreate -L5G -nportage vg lvcreate -l 100%FREE -nhome vg
Feel free to specify your desired size
Create a filesystem on volumes
mkfs.ext2 /dev/sda1 mkswap /dev/mapper/vg-swap mkfs.ext4 /dev/mapper/vg-root mkreiserfs /dev/mapper/vg-portage mkfs.xfs /dev/mapper/vg-home
Basic system setup
swapon /dev/mapper/vg-swap mount /dev/mapper/vg-root /mnt/funtoo mkdir /mnt/funtoo/boot mount /dev/sda1 /mnt/funtoo/boot
Now perform all the steps required for basic system install, please follow [1] don't forget to emerge next packages:
# emerge cryptsetup lvm2 grub foo-sources
Re-emerge sys-apps/busybox and sys-fs/cryptsetup with the "static" USE flag
Kernel options
Important, do not miss this part. Under General setup --->
[*] Initial RAM filesystem and RAM disk (initramfs/initrd) support
Under Device Drivers --->
Generic Driver Options ---> [*] Maintain a devtmpfs filesystem to mount at /dev [*] Multiple devices driver support ---> <*>Device Mapper Support <*> Crypt target support
Under Cryptographic API --->
-*-AES cipher algorithms <*> XTS support (EXPERIMENTAL)
Initramfs setup and configuration
Build your initramfs with better-initramfs project.
# git clone git://github.com/slashbeast/better-initramfs.git # cd better-initramfs # less README.rst # bootstrap/bootstrap-all # make prepare # make image
Copy resulting initramfs.cpio.gz to /boot.
# cp output/initramfs.cpio.gz /boot
Alternatively pre-compiled binary initramfs available at https://github.com/slashbeast/better-initramfs/downloads
# wget https://github.com/downloads/slashbeast/better-initramfs/release-x86_64-v0.5.tar.bz2 # tar xf release-x86_64-v0.5.tar.bz2 # cd release* # gzip initramfs.cpio # cp initramfs.cpio.gz /boot
Remember, better-initramfs project is a work in progress, so you need to update from time to time. It can be done easily with git. Go to the better-initramfs source dir and follow:
# git pull # less ChangeLog
Please, read the ChangeLog carefuly and do necessary updates, to /etc/boot.conf, the example config below. Please, backup working initramfs.cpio.gz and /etc/boot.conf before updating initramfs.
Genkernel approach
Funtoo's genkernel capable to create initramfs for encrypted drive. Compile and install kernel and initramfs of your favorite kernel sources:
genkernel --kernel-config=/path/to/your/custom-kernel-config --no-mrproper --makeopts=-j5 --install --lvm --luks all
Configure the bootloader as described above, with correct kernel and initramfs images names. An example for genkernel and grub2:
| Code: /etc/boot.conf |
boot {
generate grub
default "Funtoo Linux"
timeout 3
}
"Funtoo Linux" {
kernel kernel-genkernel-x86_64-2.6.39
initrd initramfs-genkernel-x86_64-2.6.39
params += crypt_root=/dev/sda2 dolvm real_root=/dev/mapper/vg-root rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet
}
|
Grub2 configuration
An example of /etc/boot.conf, which reflects partition setup
| Code: /etc/boot.conf |
boot {
generate grub
default "Funtoo Linux"
timeout 3
}
"Funtoo Linux" {
kernel bzImage[-v]
initrd /initramfs.cpio.gz
params += enc_root=/dev/sda2 lvm luks root=/dev/mapper/vg-root rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet
}
|
| Code: /etc/fstab |
# <fs> <mountpoint> <type> <opts> <dump/pass> /dev/sda1 /boot ext2 noauto,noatime 1 2 /dev/mapper/vg-swap none swap sw 0 0 /dev/mapper/vg-root / ext4 noatime,nodiratime,defaults 0 1 /dev/sr0 /mnt/cdrom auto noauto,ro 0 0 /dev/mapper/vg-portage /usr/portage reiserfs noatime,nodiratime 0 0 /dev/mapper/vg-home /home xfs noatime,nodiratime,osyncisdsync 0 0 |
Lilo configuration
For oldschool geeks, an example for lilo bootloader. Emerge lilo with device-mapper support
# echo 'sys-boot/lilo device-mapper' >> /etc/portage/package.use/lilo # emerge lilo
| Code: /etc/lilo.conf |
append="init=/linuxrc dolvm crypt_root=/dev/sda2 real_root=/dev/mapper/vg-root" boot=/dev/sda compact default=funtoo lba32 prompt read-only timeout=50 image=/boot/kernel-genkernel-x86_64-2.6.39 initrd=/boot/initramfs-genkernel-x86_64-2.6.39 label=funtoo |
Syslinux bootloader setup
Syslinux is another advanced bootloader which you can find on all live CD's.
# emerge syslinux # mkdir /boot/extlinux # extlinux --install /boot/extlinux # dd bs=440 conv=notrunc count=1 if=/usr/share/syslinux/mbr.bin of=/dev/sda - or - # dd bs=440 conv=notrunc count=1 if=/usr/share/syslinux/gptmbr.bin of=/dev/sda, for GPT partition
| Code: /boot/extlinux/extlinux.conf |
LABEL kernel1_bzImage-3.2.1 MENU LABEL Funtoo Linux bzImage-3.2.1 LINUX /bzImage-3.2.1 INITRD /initramfs.cpio.gz APPEND rootfstype=ext4 luks enc_root=/dev/sda2 lvm root=/dev/mapper/vg-root |
Final steps
Umount everything, close encrypted drive and reboot
umount /mnt/gentoo/proc (/dev, /home, /usr/portage, /boot) vgchange -a n cryptsetup luksClose /dev/sda2 dmcrypt_root
After reboot you will get the following:
>>> better-initramfs started. Kernel version 2.6.35-gentoo-r10 >>> Create all the symlinks to /bin/busybox. >>> Initiating /dev/dir >>> Getting LVM volumes up (if any) Reding all physical volumes. This make take awhile... No volume group found No volume group found >>> Opening encrypted partition and mapping to /dev/mapper/dmcrypt_root Enter passphrase fore /dev/sda2:
Type you password
>>> Again, getting LVM volumes up (if any, after map dmcrypt). Reading all physical volumes. This may take a while... Found volume group "vg" using metadata type lvm2 4 logical volume(s) in volume group "vg" now active >>> Mounting rootfs to /newroot >>> Umounting /sys and /proc. >>> Switching root to /newroot and executing /sbin/init. INIT: version 2.88 booting Loading /libexec/rc/console/keymap OpenRC 0.6.1 is starting up Funtoo Linux (x86_64) ...boot messages omitted for clarity orion login: oleg Password: Last login: Thu Oct 14 20:49:21 EEST 2010 on tty1 oleg@orion ~ %
