Difference between revisions of "Rootfs over encrypted lvm"

From Funtoo
Latest revision as of 00:03, 22 February 2014

This howto describes how to set up LVM and a root filesystem on a LUKS-encrypted drive. It is not meant to be a standalone installation guide; rather, it is meant to be read alongside the Funtoo Linux Installation Guide.


Prepare the hard drive and partitions

This is an example partition scheme; you may want to choose differently. /dev/sda1 is used as /boot, and the LUKS-encrypted partition holding LVM is /dev/sda3 in the BIOS/GPT layout below (or /dev/sda2 with UEFI).

  • /dev/sda1 -- /boot partition.
  • /dev/sda2 -- BIOS boot partition (not needed for MBR, only if you are using GPT). GRUB2 requires this partition on GPT disks; see http://www.funtoo.org/Funtoo_Linux_Installation#Prepare_Hard_Disk for more information on GPT and MBR.
  • /dev/sda3 -- / partition, which will be the LUKS-encrypted drive holding LVM.

With UEFI:

  • /dev/sda1 -- /boot
  • /dev/sda2 -- / partition

Wipe the hard drive

Warning: This action will destroy all data on the disk.

# gdisk /dev/sda

Command: x ↵
Expert command: z ↵
About to wipe out GPT on /dev/sda. Proceed?: y ↵
GPT data structures destroyed! You may now partition the disk using fdisk or other utilities.
Blank out MBR?: y ↵

Encrypting the drive

Read more about the different cipher options here: [2]

# cryptsetup --cipher aes-xts-plain64 luksFormat /dev/sda3
# cryptsetup luksOpen /dev/sda3 dmcrypt_root

You will be prompted for the passphrase of the encrypted drive; type your paranoid passphrase there.
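The cipher string passed to luksFormat above has the form cipher-mode-ivgen, and the choice of mode and IV generator is what the linked cipher documentation is about. As an added example (not part of the Funtoo page), here is a small POSIX shell function that parses such a specification and gives the verdict a reviewer would want before formatting a disk: the key-size argument (what you would pass to cryptsetup -s) and the verdict rules are this example's own, and the sample specs at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not from the Funtoo page: classify a cryptsetup cipher
# specification (cipher-mode-ivgen) before running luksFormat with it.
# The verdict rules are this example's own reading of the cryptsetup
# documentation; the page itself only points at the cipher options.

# check_cipher SPEC [KEYBITS]
#   Prints one line starting with ok, warn or reject, followed by a reason.
#   KEYBITS is the value you would pass to cryptsetup -s (default 256).
check_cipher() {
    local spec keybits cipher rest mode ivgen effective
    spec=$1
    keybits=${2:-256}

    cipher=${spec%%-*}          # text before the first dash: aes, serpent, ...
    rest=${spec#*-}             # block mode plus optional IV generator
    if [ "$rest" = "$spec" ]; then
        printf 'reject %s: no block mode given\n' "$spec"
        return 0
    fi
    mode=${rest%%-*}
    ivgen=${rest#*-}
    if [ "$ivgen" = "$rest" ]; then
        ivgen=""                # a spec such as aes-ecb has no IV generator
    fi

    case "$mode" in
        ecb)
            printf 'reject %s: ECB has no IV and leaks equal plaintext blocks\n' "$spec" ;;
        xts)
            # XTS uses two keys, so the key length is split in half:
            # -s 256 gives AES-128 for the data, -s 512 gives AES-256.
            effective=$((keybits / 2))
            if [ "$ivgen" = plain ]; then
                printf 'warn %s: plain is a 32-bit sector IV that wraps after 2 TiB; use plain64\n' "$spec"
            else
                printf 'ok %s: XTS splits the %d-bit key, so the data cipher is %s-%d\n' \
                    "$spec" "$keybits" "$cipher" "$effective"
            fi ;;
        cbc)
            case "$ivgen" in
                plain|plain64)
                    printf 'warn %s: CBC with a predictable sector IV is open to watermarking; prefer xts-plain64 or essiv\n' "$spec" ;;
                essiv:*)
                    printf 'ok %s: ESSIV encrypts the sector number under a hash of the key, so IVs are not predictable\n' "$spec" ;;
                *)
                    printf 'warn %s: unknown IV generator "%s"\n' "$spec" "$ivgen" ;;
            esac ;;
        *)
            printf 'warn %s: unrecognised mode "%s"; check it against the cryptsetup documentation\n' "$spec" "$mode" ;;
    esac
    return 0
}

# Constructed sample specs; the first one is the page's own choice.
for s in aes-xts-plain64 aes-xts-plain aes-cbc-plain aes-cbc-essiv:sha256 aes-ecb; do
    check_cipher "$s" 512
done
```

The one surprise for most people is the XTS key split: the page's `--cipher aes-xts-plain64` with cryptsetup's default key size yields AES-128 for the data, and you need `-s 512` if you want AES-256.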

Create logical volumes

# pvcreate /dev/mapper/dmcrypt_root
# vgcreate vg /dev/mapper/dmcrypt_root
# lvcreate -L10G --name root vg           
# lvcreate -L2G --name swap vg
# lvcreate -L5G --name portage vg
# lvcreate -l 100%FREE -nhome vg

Feel free to specify your desired sizes by altering the numbers after the -L flag. For example, to make your portage volume 20 GB, use -L20G instead of -L5G.

Create a filesystem on volumes

# mkfs.ext2 /dev/sda1
# mkswap /dev/mapper/vg-swap
# mkfs.ext4 /dev/mapper/vg-root
# mkfs.ext4 /dev/mapper/vg-portage
# mkfs.ext4 /dev/mapper/vg-home

Basic system setup

# swapon /dev/mapper/vg-swap
# mkdir /mnt/funtoo
# mount /dev/mapper/vg-root /mnt/funtoo
# mkdir -p /mnt/funtoo/{boot,usr/portage,home}
# mount /dev/sda1 /mnt/funtoo/boot
# mount /dev/mapper/vg-portage /mnt/funtoo/usr/portage
# mount /dev/mapper/vg-home /mnt/funtoo/home

Now perform all the steps required for a basic system install by following [3]; don't forget to emerge the following before your install is finished:

  • cryptsetup
  • lvm2
  • a bootloader (grub recommended)
  • kernel sources

Editing the fstab

Fire up your favorite text editor to edit /etc/fstab. You want to put the following in the file:


# <fs>                  <mountpoint>  <type>    <opts>                          <dump/pass>
/dev/sda1               /boot         ext2      noauto,noatime                  1 2
/dev/mapper/vg-swap     none          swap      sw                              0 0
/dev/mapper/vg-root     /             ext4      noatime,nodiratime,defaults     0 1
/dev/sr0                /mnt/cdrom    auto      noauto,ro                       0 0
/dev/mapper/vg-portage  /usr/portage  ext4      noatime,nodiratime              0 0
/dev/mapper/vg-home     /home         ext4      noatime,nodiratime              0 0

Kernel options

Note: This part is particularly important; pay close attention.

General setup --->
      [*] Initial RAM filesystem and RAM disk (initramfs/initrd) support
Device Drivers --->
      Generic Driver Options ---> 
      [*] Maintain a devtmpfs filesystem to mount at /dev
Device Drivers --->
      [*] Multiple devices driver support --->
      <*>Device Mapper Support
        <*> Crypt target support
Cryptographic API --->
      <*> XTS support
      -*-AES cipher algorithms
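The entries above are what you tick in menuconfig; the note in the Better-initramfs section below adds that they must be built in, not modular, because that initramfs loads no modules. As an added example (not from the Funtoo page), this POSIX shell script checks a saved kernel `.config` for the Kconfig symbols behind those menu entries and rejects anything set to `=m` or left unset. The menu-to-symbol mapping in the comments is this example's own, and the two sample configs are constructed.

```shell
#!/bin/sh
# Added example, not from the Funtoo page: verify that a kernel .config has
# every option the "Kernel options" section selects, built in (=y).
#
# Mapping from the page's menuconfig entries to Kconfig symbols (the page
# shows menu text only; this mapping is the example's own):
#   Initial RAM filesystem and RAM disk support -> CONFIG_BLK_DEV_INITRD
#   Maintain a devtmpfs filesystem at /dev        -> CONFIG_DEVTMPFS
#   Multiple devices driver support               -> CONFIG_MD
#   Device Mapper Support                         -> CONFIG_BLK_DEV_DM
#   Crypt target support                          -> CONFIG_DM_CRYPT
#   XTS support                                   -> CONFIG_CRYPTO_XTS
#   AES cipher algorithms                         -> CONFIG_CRYPTO_AES
REQUIRED_SYMBOLS="CONFIG_BLK_DEV_INITRD CONFIG_DEVTMPFS CONFIG_MD CONFIG_BLK_DEV_DM CONFIG_DM_CRYPT CONFIG_CRYPTO_XTS CONFIG_CRYPTO_AES"

# config_value FILE SYMBOL: prints y, m or n, or "unset" when the symbol
# does not appear in the file at all.
config_value() {
    local val
    val=$(grep -E "^$2=" "$1" | head -n1 | cut -d= -f2)
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    elif grep -q "^# $2 is not set" "$1"; then
        printf 'n\n'
    else
        printf 'unset\n'
    fi
}

# check_config FILE: prints one line per problem; returns 0 only when every
# required symbol is =y.
check_config() {
    local sym val rc
    rc=0
    for sym in $REQUIRED_SYMBOLS; do
        val=$(config_value "$1" "$sym")
        case "$val" in
            y) ;;
            m) printf '%s is a module (=m); better-initramfs cannot load it, build it in\n' "$sym"; rc=1 ;;
            *) printf '%s is %s; enable it (=y)\n' "$sym" "$val"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample configs (not real Funtoo kernel configs).
GOOD_CONFIG=$(mktemp)
BAD_CONFIG=$(mktemp)
trap 'rm -f "$GOOD_CONFIG" "$BAD_CONFIG"' EXIT
cat > "$GOOD_CONFIG" <<'EOF'
CONFIG_BLK_DEV_INITRD=y
CONFIG_DEVTMPFS=y
CONFIG_MD=y
CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=y
CONFIG_CRYPTO_XTS=y
CONFIG_CRYPTO_AES=y
EOF
cat > "$BAD_CONFIG" <<'EOF'
CONFIG_BLK_DEV_INITRD=y
CONFIG_DEVTMPFS=y
CONFIG_MD=y
CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=m
# CONFIG_CRYPTO_XTS is not set
CONFIG_CRYPTO_AES=y
EOF

if check_config "$GOOD_CONFIG"; then
    echo "good config: all required options built in"
fi
check_config "$BAD_CONFIG" || echo "bad config: this kernel would not unlock the root"
```

Run it against /usr/src/linux/.config before `make`; a dm-crypt or XTS module is exactly the kind of mistake that only shows up as a passphrase prompt that never appears.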

Initramfs setup and configuration

Better-initramfs

Build your initramfs with the better-initramfs project (https://bitbucket.org/piotrkarbowski/better-initramfs).

Note: better-initramfs supports neither dynamic modules nor udev, so you should compile your kernel with built-in support for your block devices and file systems.

# cd /opt
# git clone git://github.com/slashbeast/better-initramfs.git
# cd better-initramfs
# less README.rst
# bootstrap/bootstrap-all
# make prepare
# make image

Copy resulting initramfs.cpio.gz to /boot:

# cp output/initramfs.cpio.gz /boot

Alternatively, a pre-compiled binary initramfs is available at https://bitbucket.org/piotrkarbowski/better-initramfs/downloads

# wget https://bitbucket.org/piotrkarbowski/better-initramfs/downloads/release-x86_64-v0.7.2.tar.bz2
# tar xf release-x86_64-v0.7.2.tar.bz2
# cd release*
# gzip initramfs.cpio
# cp initramfs.cpio.gz /boot

Remember, the better-initramfs project is a work in progress, so you need to update it from time to time. This is easily done with git: go to the better-initramfs source directory and run:

# cd /opt/better-initramfs
# git pull
# less ChangeLog

Note: Please read the ChangeLog carefully and perform any necessary updates to /etc/boot.conf. Also, please back up the working /boot/initramfs.cpio.gz and /etc/boot.conf before updating better-initramfs.

Genkernel

Funtoo's genkernel is capable of creating an initramfs for an encrypted drive. Compile and install the kernel and initramfs from your favorite kernel sources:

# genkernel --kernel-config=/path/to/your/custom-kernel-config --no-mrproper --makeopts=-j5 --install --lvm --luks all 

Bootloader Configuration

Grub2 configuration

better-initramfs

An example /etc/boot.conf for better-initramfs:

boot {
  generate grub
  default "Funtoo Linux"
  timeout 3
}
"Funtoo Linux" {
  kernel vmlinuz[-v]
  initrd /initramfs.cpio.gz
  params += enc_root=/dev/sda3 lvm luks root=/dev/mapper/vg-root  rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet
}

Now, run boot-update to write the configuration files to /boot/grub/grub.cfg.

genkernel

Configure the bootloader as described above, with the correct kernel and initramfs image names. Here is an example for genkernel and grub2; you will be editing /etc/boot.conf:

boot {
  generate grub
  default "Funtoo Linux"
  timeout 3
}
"Funtoo Linux" {
  kernel kernel-genkernel-x86_64-3.13.0
  initrd initramfs-genkernel-x86_64-3.13.0
  params += crypt_root=/dev/sda3 dolvm real_root=/dev/mapper/vg-root  rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet
}
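The two /etc/boot.conf examples above use different parameter dialects: better-initramfs reads enc_root=, luks, lvm and root=, while genkernel's initramfs reads crypt_root=, dolvm and real_root=. Mixing them, or dropping one flag, leaves you at an initramfs shell with an encrypted, unopened root. As an added example (not from the Funtoo page nor from either initramfs project), the shell function below parses a params line and checks that it is internally consistent with one dialect. Its rules use only the parameters shown on this page; the sample lines are the page's two plus one constructed mixed line.

```shell
#!/bin/sh
# Added example, not from the Funtoo page or the initramfs projects: sanity
# check a kernel "params" line for an encrypted LVM root before writing it
# to /etc/boot.conf. The rules use only the parameters the page shows:
#   better-initramfs: enc_root=<luks dev> luks lvm root=<mapper dev>
#   genkernel:        crypt_root=<luks dev> dolvm real_root=<mapper dev>

# complain MESSAGE: print an error and bump the caller's error counter
# (shell functions share the caller's local variables).
complain() {
    printf 'error: %s\n' "$1"
    errors=$((errors + 1))
}

# check_cmdline "PARAMS": prints "ok <dialect>" and returns 0 when the line
# is consistent; otherwise prints one error per problem and returns 1.
check_cmdline() {
    local p enc_root crypt_root root real_root luks lvm dolvm errors dialect
    enc_root=""; crypt_root=""; root=""; real_root=""
    luks=0; lvm=0; dolvm=0; errors=0

    for p in $1; do
        case "$p" in
            enc_root=*)   enc_root=${p#*=} ;;
            crypt_root=*) crypt_root=${p#*=} ;;
            root=*)       root=${p#*=} ;;
            real_root=*)  real_root=${p#*=} ;;
            luks)         luks=1 ;;
            lvm)          lvm=1 ;;
            dolvm)        dolvm=1 ;;
        esac
    done

    if [ -n "$enc_root" ] && [ -n "$crypt_root" ]; then
        complain "enc_root (better-initramfs) and crypt_root (genkernel) on one line; pick one initramfs"
        return 1
    elif [ -n "$enc_root" ]; then
        dialect=better-initramfs
        [ "$luks" -eq 1 ]   || complain "enc_root given but the luks flag is missing"
        [ -n "$root" ]      || complain "better-initramfs needs root=<decrypted device>"
        [ -z "$real_root" ] || complain "real_root is a genkernel parameter; better-initramfs reads root="
        case "$root" in
            /dev/mapper/*) [ "$lvm" -eq 1 ] || complain "root is an LVM volume but the lvm flag is missing" ;;
        esac
        [ "$root" != "$enc_root" ] || complain "root must be the decrypted mapper device, not the LUKS partition"
    elif [ -n "$crypt_root" ]; then
        dialect=genkernel
        [ -n "$real_root" ] || complain "genkernel needs real_root=<decrypted device>"
        case "$real_root" in
            /dev/mapper/*) [ "$dolvm" -eq 1 ] || complain "real_root is an LVM volume but dolvm is missing" ;;
        esac
        [ "$real_root" != "$crypt_root" ] || complain "real_root must be the decrypted mapper device, not the LUKS partition"
    else
        complain "neither enc_root nor crypt_root given; nothing will unlock the root device"
        return 1
    fi

    if [ "$errors" -eq 0 ]; then
        printf 'ok %s\n' "$dialect"
        return 0
    fi
    return 1
}

# The page's two params lines, plus a constructed mixed line.
BI_PARAMS="enc_root=/dev/sda3 lvm luks root=/dev/mapper/vg-root rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet"
GK_PARAMS="crypt_root=/dev/sda3 dolvm real_root=/dev/mapper/vg-root rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet"
MIXED="enc_root=/dev/sda3 dolvm real_root=/dev/mapper/vg-root rootfstype=ext4"

for line in "$BI_PARAMS" "$GK_PARAMS" "$MIXED"; do
    printf '%s\n' "--- $line"
    check_cmdline "$line" || :
done
```

Paste the params line from your boot.conf into the script before running boot-update; the mixed line above produces three errors, which is what a half-converted configuration looks like when you switch from one initramfs to the other.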

Lilo configuration

For oldschool geeks, here is an example for the lilo bootloader. Emerge lilo with device-mapper support:

# echo 'sys-boot/lilo device-mapper' >> /etc/portage/package.use/lilo
# emerge lilo

Example /etc/lilo.conf:

append="init=/linuxrc dolvm crypt_root=/dev/sda2 real_root=/dev/mapper/vg-root"
boot=/dev/sda
compact
default=funtoo
lba32
prompt
read-only
timeout=50
image=/boot/kernel-genkernel-x86_64-3.13.0
initrd=/boot/initramfs-genkernel-x86_64-3.13.0
label=funtoo

Syslinux bootloader setup

Syslinux is another advanced bootloader, the one you will find on most live CDs. Syslinux does not require an additional BIOS boot partition; in this example /dev/sda2 is the root partition.

# emerge syslinux
# mkdir /boot/extlinux
# extlinux --install /boot/extlinux
# dd bs=440 conv=notrunc count=1 if=/usr/share/syslinux/mbr.bin of=/dev/sda
- or, for a GPT-partitioned disk -
# sgdisk /dev/sda --attributes=1:set:2
# dd bs=440 conv=notrunc count=1 if=/usr/share/syslinux/gptmbr.bin of=/dev/sda

Example /boot/extlinux/extlinux.conf:

LABEL kernel1_bzImage-3.2.1
MENU LABEL Funtoo Linux bzImage-3.2.1
LINUX /bzImage-3.2.1
INITRD /initramfs.cpio.gz
APPEND rootfstype=ext4 luks enc_root=/dev/sda2 lvm root=/dev/mapper/vg-root

Final steps

Unmount everything, close the encrypted drive, and reboot:

# umount -l -v /mnt/funtoo/{dev,proc,home,usr/portage,boot}
# umount -v /mnt/funtoo
# vgchange -a n
# cryptsetup luksClose dmcrypt_root

After the reboot you will see the following:

>>> better-initramfs started. Kernel version 2.6.35-gentoo-r10
>>> Create all the symlinks to /bin/busybox.
>>> Initiating /dev/dir
>>> Getting LVM volumes up (if any)
Reding all physical volumes. This make take awhile...
No volume group found
No volume group found
>>> Opening encrypted partition and mapping to /dev/mapper/dmcrypt_root
Enter passphrase fore /dev/sda2:

Type your password

>>> Again, getting LVM volumes up (if any, after map dmcrypt).
  Reading all physical volumes.  This may take a while...
  Found volume group "vg" using metadata type lvm2
  4 logical volume(s) in volume group "vg" now active
>>> Mounting rootfs to /newroot
>>> Umounting /sys and /proc.
>>> Switching root to /newroot and executing /sbin/init.
INIT: version 2.88 booting
Loading /libexec/rc/console/keymap
  OpenRC 0.6.1 is starting up Funtoo Linux (x86_64)
...boot messages omitted for clarity
   
orion login: oleg
Password:
Last login: Thu Oct 14 20:49:21 EEST 2010 on tty1
oleg@orion ~ %

Additional links and information

  • Root filesystem over LVM2, DM-Crypt, and RAID (Gentoo wiki)
  • System Encryption with LUKS for dm-crypt: http://wiki.archlinux.org/index.php/System_Encryption_with_LUKS_for_dm-crypt