Difference between revisions of "Rootfs over encrypted lvm"

From Funtoo Linux
Jump to: navigation, search
(Initramfs setup and configuration)
(36 intermediate revisions by 15 users not shown)
Line 9: Line 9:
 
dd if=/dev/zero of=/dev/sda2 bs=100M  
 
dd if=/dev/zero of=/dev/sda2 bs=100M  
 
dd if=/dev/urandom of=/dev/sda2 bs=100M</pre>  
 
dd if=/dev/urandom of=/dev/sda2 bs=100M</pre>  
dd part is optional, only for security reason by overwriting the lingering data on the device with random data. It takes around 6 hours to complete for 200GB drive.
+
dd part is optional, only for security reason by overwriting the lingering data on the device with random data. It takes around 6 hours to complete for a 200GB drive.
  
 
Note that you will get a message about reaching the end of the device. That's intentional and desired in this case so that this command works without knowing the size of your device.
 
Note that you will get a message about reaching the end of the device. That's intentional and desired in this case so that this command works without knowing the size of your device.
  
 
= Encrypting the drive =
 
= Encrypting the drive =
{{root|cryptsetup -c aes-xts-plain luksFormat /dev/sda2
 
cryptsetup luksOpen /dev/sda2 dmcrypt_root}}
 
  
there you'll be prompted to enter your password phrase for encrypted drive, type your paranoid password there.
+
<console>
 +
# ##i##cryptsetup -c aes-xts-plain64 luksFormat /dev/sda2
 +
# ##i##cryptsetup luksOpen /dev/sda2 dmcrypt_root
 +
</console>
 +
 
 +
There you'll be prompted to enter your password phrase for encrypted drive, type your paranoid password there.
  
 
= Create logical volumes =
 
= Create logical volumes =
Line 37: Line 40:
  
 
= Basic system setup =
 
= Basic system setup =
<pre>mkfs.ext2 /dev/sda1
+
<pre>swapon /dev/mapper/vg-swap
mkswap /dev/mapper/vg-swap
+
mount /dev/mapper/vg-root /mnt/funtoo
mkfs.ext4 /dev/mapper/vg-root
+
mkdir /mnt/funtoo/boot
mkreiserfs /dev/mapper/vg-portage
+
mount /dev/sda1 /mnt/funtoo/boot</pre>
mkfs.xfs /dev/mapper/vg-home
+
swapon /dev/mapper/vg-swap
+
mount /dev/maper/vg-root /mnt/gentoo
+
mkdir /mnt/gentoo/boot
+
mount /dev/sda1 /mnt/gentoo/boot</pre>
+
 
Now perform all the steps required for basic system install, please follow [http://docs.funtoo.org/wiki/Funtoo_Linux_Installation]
 
Now perform all the steps required for basic system install, please follow [http://docs.funtoo.org/wiki/Funtoo_Linux_Installation]
 
don't forget to emerge next packages:
 
don't forget to emerge next packages:
Line 51: Line 49:
 
<pre># emerge cryptsetup lvm2 grub foo-sources</pre>
 
<pre># emerge cryptsetup lvm2 grub foo-sources</pre>
  
Re-emerge busybox with "static" USE flag
+
Re-emerge sys-apps/busybox and sys-fs/cryptsetup with the "static" USE flag
+
  
 
= Kernel options =
 
= Kernel options =
Line 60: Line 57:
  
 
Under Device Drivers --->  
 
Under Device Drivers --->  
<pre>[*] Multiple devices driver support   
+
<pre>Generic Driver Options  --->
<*>Device Mapper Support
+
  [*] Maintain a devtmpfs filesystem to mount at /dev
<*> Crypt target support</pre>
+
[*] Multiple devices driver support  --->
+
  <*>Device Mapper Support
 +
  <*> Crypt target support
 +
</pre>
  
 
Under Cryptographic API --->
 
Under Cryptographic API --->
 
<pre>-*-AES cipher algorithms
 
<pre>-*-AES cipher algorithms
  
<*> XTS supprot (EXPERIMENTAL)</pre>
+
<*> XTS support (EXPERIMENTAL)</pre>
  
  
 
= Initramfs setup and configuration =
 
= Initramfs setup and configuration =
 
Build your initramfs with [http://github.com/slashbeast/better-initramfs better-initramfs] project.
 
Build your initramfs with [http://github.com/slashbeast/better-initramfs better-initramfs] project.
<pre>git clone git://github.com/slashbeast/better-initramfs.git
+
 
oleg@orion ~ % cd better-initramfs 
+
{{fancynote|better-initramfs neither support dynamic modules nor udev, so you should compile kernel with built-in support of your block devices.}}
oleg@orion better-initramfs % make
+
 
>>> initramfs.cpio.gz is ready</pre>
+
<pre># git clone git://github.com/slashbeast/better-initramfs.git
 +
# cd better-initramfs
 +
# less README.rst
 +
# bootstrap/bootstrap-all
 +
# make prepare
 +
# make image
 +
</pre>
  
 
Copy resulting <code>initramfs.cpio.gz</code> to <code>/boot</code>.
 
Copy resulting <code>initramfs.cpio.gz</code> to <code>/boot</code>.
Remember, better-initramfs project is a work in progress, so you need to update from time to time. It can be done easily with <code>git</code>
+
<pre># cp output/initramfs.cpio.gz /boot
<pre>oleg@orion ~ % cd better-initramfs 
+
</pre>
oleg@orion better-initramfs % git pull
+
Alternatively pre-compiled binary initramfs available at https://github.com/slashbeast/better-initramfs/downloads
Already up-to-date
+
<pre># wget https://github.com/downloads/slashbeast/better-initramfs/release-x86_64-v0.5.tar.bz2
oleg@orion better-initramfs % make
+
# tar xf release-x86_64-v0.5.tar.bz2
>>> initramfs.cpio.gz is ready</pre>
+
# cd release*
Please, read the ChangeLog carefuly and do necessary updates, to <code>/etc/boot.conf</code>, read the example config below. Please, backup working <code>initramfs.cpio.gz</code> and <code>/etc/boot.conf</code> before updating initramfs.
+
# gzip initramfs.cpio
 +
# cp initramfs.cpio.gz /boot</pre>
 +
 
 +
Remember, better-initramfs project is a work in progress, so you need to update from time to time. It can be done easily with <code>git</code>. Go to the better-initramfs source dir and follow:
 +
<pre># git pull
 +
# less ChangeLog
 +
</pre>
 +
Please, read the ChangeLog carefuly and do necessary updates, to <code>/etc/boot.conf</code>, the example config below. Please, backup working <code>initramfs.cpio.gz</code> and <code>/etc/boot.conf</code> before updating initramfs.
 +
 
 +
= Genkernel approach =
 +
Funtoo's genkernel capable to create initramfs for encrypted drive. Compile and install kernel and initramfs of your favorite kernel sources:
 +
<pre>genkernel --kernel-config=/path/to/your/custom-kernel-config --no-mrproper --makeopts=-j5 --install --lvm --luks all</pre>
 +
Configure the bootloader as described above, with correct kernel and initramfs images names. An example for genkernel and grub2:
 +
 
 +
{{code|/etc/boot.conf|<pre>
 +
boot {
 +
  generate grub
 +
  default "Funtoo Linux"
 +
  timeout 3
 +
}
 +
"Funtoo Linux" {
 +
  kernel kernel-genkernel-x86_64-2.6.39
 +
  initrd initramfs-genkernel-x86_64-2.6.39
 +
  params += crypt_root=/dev/sda2 dolvm real_root=/dev/mapper/vg-root  rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet
 +
}</pre>}}
  
 
= Grub2 configuration =
 
= Grub2 configuration =
An example of <code>/etc/boot.conf</code>, which reflects partition setup
+
An example of <code>/etc/boot.conf</code> for better-initramfs
 
{{code|/etc/boot.conf|<pre>
 
{{code|/etc/boot.conf|<pre>
 
boot {
 
boot {
Line 110: Line 139:
 
/dev/mapper/vg-portage  /usr/portage  reiserfs  noatime,nodiratime             0 0
 
/dev/mapper/vg-portage  /usr/portage  reiserfs  noatime,nodiratime             0 0
 
/dev/mapper/vg-home     /home         xfs       noatime,nodiratime,osyncisdsync 0 0</pre>}}
 
/dev/mapper/vg-home     /home         xfs       noatime,nodiratime,osyncisdsync 0 0</pre>}}
 +
 +
= Lilo configuration =
 +
For oldschool geeks, an example for lilo bootloader. Emerge lilo with device-mapper support
 +
<pre>
 +
# echo 'sys-boot/lilo device-mapper' >> /etc/portage/package.use/lilo
 +
# emerge lilo</pre>
 +
 +
{{code|/etc/lilo.conf|<pre>append="init=/linuxrc dolvm crypt_root=/dev/sda2 real_root=/dev/mapper/vg-root"
 +
boot=/dev/sda
 +
compact
 +
default=funtoo
 +
lba32
 +
prompt
 +
read-only
 +
timeout=50
 +
image=/boot/kernel-genkernel-x86_64-2.6.39
 +
initrd=/boot/initramfs-genkernel-x86_64-2.6.39
 +
label=funtoo
 +
</pre>}}
 +
= Syslinux bootloader setup =
 +
Syslinux is another advanced bootloader which you can find on all live CD's.
 +
<pre>
 +
# emerge syslinux
 +
# mkdir /boot/extlinux
 +
# extlinux --install /boot/extlinux
 +
# dd bs=440 conv=notrunc count=1 if=/usr/share/syslinux/mbr.bin of=/dev/sda
 +
- or -
 +
# sgdisk /dev/sda --attributes=1:set:2
 +
# dd bs=440 conv=notrunc count=1 if=/usr/share/syslinux/gptmbr.bin of=/dev/sda, for GPT partition</pre>
 +
{{code|/boot/extlinux/extlinux.conf|<pre>LABEL kernel1_bzImage-3.2.1
 +
MENU LABEL Funtoo Linux bzImage-3.2.1
 +
LINUX /bzImage-3.2.1
 +
INITRD /initramfs.cpio.gz
 +
APPEND rootfstype=ext4 luks enc_root=/dev/sda2 lvm root=/dev/mapper/vg-root
 +
</pre>}}
  
 
= Final steps =
 
= Final steps =
 
Umount everything, close encrypted drive and reboot
 
Umount everything, close encrypted drive and reboot
<pre>umount /mnt/gentoo/proc (/dev, /home, /usr/portage, /boot)  
+
<pre>umount /mnt/funtoo/proc (/dev, /home, /usr/portage, /boot)  
 +
vgchange -a n
 
cryptsetup luksClose /dev/sda2 dmcrypt_root</pre>
 
cryptsetup luksClose /dev/sda2 dmcrypt_root</pre>
 
After reboot you will get the following:
 
After reboot you will get the following:
Line 143: Line 208:
 
Last login: Thu Oct 14 20:49:21 EEST 2010 on tty1
 
Last login: Thu Oct 14 20:49:21 EEST 2010 on tty1
 
oleg@orion ~ %</pre>
 
oleg@orion ~ %</pre>
 +
 
= Additional links =
 
= Additional links =
 
* [[gentoo-wiki:Root filesystem over LVM2, DM-Crypt and RAID|Root filesystem over LVM2, DM-Crypt, and RAID]]
 
* [[gentoo-wiki:Root filesystem over LVM2, DM-Crypt and RAID|Root filesystem over LVM2, DM-Crypt, and RAID]]

Revision as of 18:50, 9 August 2012

This howto describes how to setup LVM and rootfs with cryptoLUKS-encrypted drive

Contents

Prepare the hard drive and partitions

This is an example partition scheme, you may want to choose differently. /dev/sda1 used as /boot. /dev/sda2 will be encrypted drive with LVM. 

/dev/sda1 
/dev/sda2
dd if=/dev/zero of=/dev/sda2 bs=100M 
dd if=/dev/urandom of=/dev/sda2 bs=100M

dd part is optional, only for security reason by overwriting the lingering data on the device with random data. It takes around 6 hours to complete for a 200GB drive.

Note that you will get a message about reaching the end of the device. That's intentional and desired in this case so that this command works without knowing the size of your device.

Encrypting the drive 

# cryptsetup -c aes-xts-plain64 luksFormat /dev/sda2
# cryptsetup luksOpen /dev/sda2 dmcrypt_root

There you'll be prompted to enter your password phrase for encrypted drive, type your paranoid password there.

Create logical volumes 

pvcreate /dev/mapper/dmcrypt_root
vgcreate vg /dev/mapper/dmcrypt_root
lvcreate -L10G -nroot vg           
lvcreate -L2G -nswap vg
lvcreate -L5G -nportage vg
lvcreate -l 100%FREE -nhome vg

Feel free to specify your desired size

Create a filesystem on volumes 

mkfs.ext2 /dev/sda1
mkswap /dev/mapper/vg-swap
mkfs.ext4 /dev/mapper/vg-root
mkreiserfs /dev/mapper/vg-portage
mkfs.xfs /dev/mapper/vg-home

Basic system setup 

swapon /dev/mapper/vg-swap
mount /dev/mapper/vg-root /mnt/funtoo
mkdir /mnt/funtoo/boot
mount /dev/sda1 /mnt/funtoo/boot

Now perform all the steps required for basic system install, please follow [1] don't forget to emerge next packages: 

# emerge cryptsetup lvm2 grub foo-sources

Re-emerge sys-apps/busybox and sys-fs/cryptsetup with the "static" USE flag

Kernel options

Important, do not miss this part. Under General setup ---> 

[*] Initial RAM filesystem and RAM disk (initramfs/initrd) support

Under Device Drivers ---> 

Generic Driver Options  --->
   [*] Maintain a devtmpfs filesystem to mount at /dev
[*] Multiple devices driver support  --->
   <*>Device Mapper Support
   <*> Crypt target support

Under Cryptographic API ---> 

-*-AES cipher algorithms

<*> XTS support (EXPERIMENTAL)


Initramfs setup and configuration

Build your initramfs with better-initramfs project.

better-initramfs neither support dynamic modules nor udev, so you should compile kernel with built-in support of your block devices. 


# git clone git://github.com/slashbeast/better-initramfs.git
# cd better-initramfs
# less README.rst
# bootstrap/bootstrap-all
# make prepare
# make image

Copy resulting initramfs.cpio.gz to /boot. 

# cp output/initramfs.cpio.gz /boot

Alternatively pre-compiled binary initramfs available at https://github.com/slashbeast/better-initramfs/downloads 

# wget https://github.com/downloads/slashbeast/better-initramfs/release-x86_64-v0.5.tar.bz2
# tar xf release-x86_64-v0.5.tar.bz2
# cd release*
# gzip initramfs.cpio
# cp initramfs.cpio.gz /boot

Remember, better-initramfs project is a work in progress, so you need to update from time to time. It can be done easily with git. Go to the better-initramfs source dir and follow: 

# git pull
# less ChangeLog

Please, read the ChangeLog carefuly and do necessary updates, to /etc/boot.conf, the example config below. Please, backup working initramfs.cpio.gz and /etc/boot.conf before updating initramfs.

Genkernel approach

Funtoo's genkernel capable to create initramfs for encrypted drive. Compile and install kernel and initramfs of your favorite kernel sources: 

genkernel --kernel-config=/path/to/your/custom-kernel-config --no-mrproper --makeopts=-j5 --install --lvm --luks all

Configure the bootloader as described above, with correct kernel and initramfs images names. An example for genkernel and grub2:

Code: /etc/boot.conf 
boot {
  generate grub
  default "Funtoo Linux"
  timeout 3
}
"Funtoo Linux" {
  kernel kernel-genkernel-x86_64-2.6.39
  initrd initramfs-genkernel-x86_64-2.6.39
  params += crypt_root=/dev/sda2 dolvm real_root=/dev/mapper/vg-root  rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet
}

Grub2 configuration

An example of /etc/boot.conf for better-initramfs

Code: /etc/boot.conf 
boot {
  generate grub
  default "Funtoo Linux"
  timeout 3
}
"Funtoo Linux" {
  kernel bzImage[-v]
  initrd /initramfs.cpio.gz
  params += enc_root=/dev/sda2 lvm luks root=/dev/mapper/vg-root  rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet
}
Code: /etc/fstab 
# <fs>                  <mountpoint>  <type>    <opts>                          <dump/pass>
/dev/sda1               /boot         ext2      noauto,noatime                  1 2
/dev/mapper/vg-swap     none          swap      sw                              0 0
/dev/mapper/vg-root     /             ext4      noatime,nodiratime,defaults     0 1
/dev/sr0                /mnt/cdrom    auto      noauto,ro                       0 0
/dev/mapper/vg-portage  /usr/portage  reiserfs  noatime,nodiratime              0 0
/dev/mapper/vg-home     /home         xfs       noatime,nodiratime,osyncisdsync 0 0

Lilo configuration

For oldschool geeks, an example for lilo bootloader. Emerge lilo with device-mapper support 

# echo 'sys-boot/lilo device-mapper' >> /etc/portage/package.use/lilo
# emerge lilo
Code: /etc/lilo.conf 
append="init=/linuxrc dolvm crypt_root=/dev/sda2 real_root=/dev/mapper/vg-root"
boot=/dev/sda
compact
default=funtoo
lba32
prompt
read-only
timeout=50
image=/boot/kernel-genkernel-x86_64-2.6.39
initrd=/boot/initramfs-genkernel-x86_64-2.6.39
label=funtoo

Syslinux bootloader setup

Syslinux is another advanced bootloader which you can find on all live CD's. 

# emerge syslinux
# mkdir /boot/extlinux
# extlinux --install /boot/extlinux
# dd bs=440 conv=notrunc count=1 if=/usr/share/syslinux/mbr.bin of=/dev/sda
- or -
# sgdisk /dev/sda --attributes=1:set:2
# dd bs=440 conv=notrunc count=1 if=/usr/share/syslinux/gptmbr.bin of=/dev/sda, for GPT partition
Code: /boot/extlinux/extlinux.conf 
LABEL kernel1_bzImage-3.2.1
MENU LABEL Funtoo Linux bzImage-3.2.1
LINUX /bzImage-3.2.1
INITRD /initramfs.cpio.gz
APPEND rootfstype=ext4 luks enc_root=/dev/sda2 lvm root=/dev/mapper/vg-root

Final steps

Umount everything, close encrypted drive and reboot 

umount /mnt/funtoo/proc (/dev, /home, /usr/portage, /boot) 
vgchange -a n
cryptsetup luksClose /dev/sda2 dmcrypt_root

After reboot you will get the following: 

>>> better-initramfs started. Kernel version 2.6.35-gentoo-r10
>>> Create all the symlinks to /bin/busybox.
>>> Initiating /dev/dir
>>> Getting LVM volumes up (if any)
Reding all physical volumes. This make take awhile...
No volume group found
No volume group found
>>> Opening encrypted partition and mapping to /dev/mapper/dmcrypt_root
Enter passphrase fore /dev/sda2:

Type you password 

>>> Again, getting LVM volumes up (if any, after map dmcrypt).
  Reading all physical volumes.  This may take a while...
  Found volume group "vg" using metadata type lvm2
  4 logical volume(s) in volume group "vg" now active
>>> Mounting rootfs to /newroot
>>> Umounting /sys and /proc.
>>> Switching root to /newroot and executing /sbin/init.
INIT: version 2.88 booting
Loading /libexec/rc/console/keymap
  OpenRC 0.6.1 is starting up Funtoo Linux (x86_64)
...boot messages omitted for clarity
   
orion login: oleg
Password:
Last login: Thu Oct 14 20:49:21 EEST 2010 on tty1
oleg@orion ~ %

Additional links

Retrieved from "http://www.funtoo.org/index.php?title=Rootfs_over_encrypted_lvm&oldid=2224"
Personal tools
Namespaces

Variants
Actions
Categories
Toolbox
Stuff