Difference between revisions of "Rootfs over encrypted lvm"

From Funtoo
Jump to navigation Jump to search
 
(→‎Install a bootloader: set to autofs type to be able to load xfs ext vfat or whatever)
 
(109 intermediate revisions by 14 users not shown)
Line 1: Line 1:
This howto describes how to setup LVM and rootfs with cryptoLUKS-encrypted drive. It is not meant to be a standalone installation guide, rather, it is meant to be read alongside the [[Funtoo Linux Installation]] Guide.  
This howto describes how to setup LVM, swap, and root with dmcrypt LUKS. It is a standalone installation walk through, based on the official installations finished product.  boot is not encrypted.
 
{{warning| You may try this installation method at your own risk! Please note: this guide is outside of the official installation documentation and cannot be supported. If you choose to use this, we assume you know what you are doing and you are on your own.}}
 
{{warning|this page is for legacy hardware specifically, it will soon be forked to an entire disk encryption page which has an EFI image outside of encrypted boot, and root that decrypts both.  this page is for remote systems that need unlocked in initramfs from ssh. this link is to encrypted boot: https://www.funtoo.org/User:Pnoecker/full_disk_encryption}}


== Prepare the hard drive and partitions ==
== Prepare the hard drive and partitions ==
This is an example partition scheme, you may want to choose differently.
*Before you begin, make sure you are partitioning the correct drive. For the rest of this tutorial, we will be using /dev/sdX as a placeholder.
<code>/dev/sda1</code> used as <code>/boot</code>. <code>/dev/sda2</code> will be encrypted drive with LVM.
{{console|body=
* <code>/dev/sda1</code> -- <code>/boot</code> partition.
###i## lsblk
* <code>/dev/sda2</code> -- BIOS boot partition (not needed for MBR - only needed if you are using GPT) This step required for GRUB2. For more info, see: [http://www.funtoo.org/Funtoo_Linux_Installation#Prepare_Hard_Disk] for more information on GPT and MBR.  
NAME          MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
* <code>/dev/sda3</code> -- <code>/</code> partition, will be the drive with LUKS and LVM.
sda            8:0    0  1.8T  0 disk
├─sda1          8:1    0  512M  0 part
├─sda2          8:2    0    8G  0 part [SWAP]
└─sda3          8:3    0  1.8T  0 part
  ├─main-root 254:0    0  500G  0 lvm  /
  └─main-data 254:1    0  1.3T  0 lvm  /home
}}
 
=== link your drive to /dev/sdX ===
to make following this guide easier you can set udev rules and link the drive you're installing to /dev/sdX so everything is copy paste.  just replace the kernel's == sda/mmc/nvme to match your target drive.
hda/sda drives
{{console|body=
###i## echo 'KERNEL=="sda*", SYMLINK+="sdX%n"' > /etc/udev/rules.d/01-funtoo.rules
###i## udevadm control --reload-rules
###i## udevadm trigger
}}
 
mmc/nvme drives
{{console|body=
###i## echo 'KERNEL=="mmcblk0", SYMLINK+="sdX"' > /etc/udev/rules.d/01-funtoo.rules
###i## echo 'KERNEL=="mmcblk0p*", SYMLINK+="sdX%n"' >> /etc/udev/rules.d/01-funtoo.rules
###i## udevadm control --reload-rules
###i## udevadm trigger
}}
 
*verify link
{{console|body=
###i## ls -al /dev/sdX*
lrwxrwxrwx 1 root root 3 Jul 31 14:00 /dev/sdX -> sde
lrwxrwxrwx 1 root root 4 Jul 31 14:00 /dev/sdX1 -> sde1
lrwxrwxrwx 1 root root 4 Jul 31 14:00 /dev/sdX2 -> sde2
}}
 
==Partition==
 
=== MBR [BIOS] Partitioning ===
 
{{Note|Use this method if you are booting using your BIOS, and if your Funtoo LiveCD initial boot menu was light blue. If you're going to use the UEFI/GPT disk format, then please proceed to the next section.}}
 
{{console|body=
###i## fdisk /dev/sdX
}}
 
Within {{c|fdisk}}, follow these steps:
 
'''Empty the partition table''':
 
{{console|body=
Command (m for help): ##i##o ↵
}}
 
'''Create boot partition''':
 
{{console|body=
Command (m for help): ##i##n ↵
Partition type (default p): ##i##↵
Partition number (1-4, default 1): ##i##↵
First sector: ##i##↵
Last sector: ##i##+128M ↵
}}
 
'''Create partition which will be encrypted with LUKS''':
 
{{console|body=
Command (m for help): ##i##n ↵
Partition type (default p): ##i##↵
Partition number (2-4, default 2): ##i##↵
First sector: ##i##↵
Last sector: ##i##↵
}}
 
'''Verify the partition table''':
 
{{console|body=
Command (m for help): ##i##p
 
Disk /dev/sdX: 298.1 GiB, 320072933376 bytes, 625142448 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x82abc9a6


With UEFI:
Device    Boot    Start      End    Blocks  Id System
* <code>/dev/sda1</code> -- <tt>/boot</tt>
/dev/sdX1          2048    264191    131072  83 Linux
* <code>/dev/sda2</code> -- <tt>/</tt> partition
/dev/sdX2        4458496 625142447 312439128  83 Linux
}}


=== Wipe the hard drive ===
'''Write the partition table to disk''':
<console>
# ##i##gdisk /dev/sda


Command: ##i##x ↵
{{console|body=Command (m for help): ##i##w}}
Expert command: ##i##z ↵
About to wipe out GPT on /dev/sda. Proceed?: ##i##y ↵
GPT data structures destroyed! You may now partition the disk using fdisk or other utilities.
Blank out MBR?: ##i##y ↵
</console>
{{Fancywarning|This action will destroy all data on the disk.}}


== Encrypting the drive ==
Your new MBR partition table will now be written to your system disk.
Read more about different cipher options here: [http://blog.wpkg.org/2009/04/23/cipher-benchmark-for-dm-crypt-luks/]
<console>
# ##i##cryptsetup --cipher aes-xts-plain64 luksFormat /dev/sda3
# ##i##cryptsetup luksOpen /dev/sda3 dmcrypt_root
</console>


There you'll be prompted to enter your password phrase for encrypted drive, type your paranoid password there.
=== UEFI Partitioning ===


= Create logical volumes =
{{Note|Use this method if you are interested in booting using UEFI, and if your Funtoo LiveCD initial boot menu was black and white, or the system booted without a boot menu. If it was light blue, this method will not work. Instead, use the instructions in the previous section then skip this section, or reboot LiveCD in UEFI mode first.}}
<console>
# ##i##pvcreate /dev/mapper/dmcrypt_root
# ##i##vgcreate vg /dev/mapper/dmcrypt_root
# ##i##lvcreate -L10G --name root vg         
# ##i##lvcreate -L2G --name swap vg
# ##i##lvcreate -L5G --name portage vg
# ##i##lvcreate -l 100%FREE -nhome vg
</console>
Feel free to specify your desired size by altering the numbers after the -L flag. For example, to make your portage dataset 20GB's, use the flag -L20G instead of -L5G.


= Create a filesystem on volumes =
{{console|body=###i## gdisk /dev/sdX}}
<console>
# ##i##mkfs.ext2 /dev/sda1
# ##i##mkswap /dev/mapper/vg-swap
# ##i##mkfs.ext4 /dev/mapper/vg-root
# ##i##mkfs.ext4 /dev/mapper/vg-portage
# ##i##mkfs.ext4 /dev/mapper/vg-home
</console>


= Basic system setup =
Within {{c|gdisk}}, follow these steps:
<console>
# ##i##swapon /dev/mapper/vg-swap
# ##i##mkdir /mnt/funtoo
# ##i##mount /dev/mapper/vg-root /mnt/funtoo
# ##i##mkdir -p /mnt/funtoo/{boot,usr/portage,home}
# ##i##mount /dev/sda1 /mnt/funtoo/boot
# ##i##mount /dev/mapper/vg-portage /mnt/funtoo/usr/portage
# ##i##mount /dev/mapper/vg-home /mnt/funtoo/home
</console>
Now perform all the steps required for basic system install, please follow [http://docs.funtoo.org/wiki/Funtoo_Linux_Installation]
don't forget to emerge the following before your install is finished:


* '''cryptsetup'''
'''Empty the partition table''':
* '''lvm2'''
{{console|body=
* '''a bootloader (grub recommended)'''
Command: ##i##o ↵
* '''kernel sources '''
This option deletes all partitions and creates a new protective MBR.
Proceed? (Y/N): ##i##y ↵
}}


= Editing the fstab =
'''Create boot partition''':
Fire up your favorite text editor to edit <code>/etc/fstab</code>. You want to put the following in the file:


{{console|body=
Command: ##i##n ↵
Partition Number: ##i##1 ↵
First sector: ##i##↵
Last sector: ##i##+128M ↵
Hex Code: ##i##EF00 ↵
}}


<pre>
'''Create partition which will be encrypted with LUKS''':
# <fs>                  <mountpoint>  <type>    <opts>                          <dump/pass>
/dev/sda1              /boot        ext2      noauto,noatime                  1 2
/dev/mapper/vg-swap    none          swap      sw                              0 0
/dev/mapper/vg-root    /            ext4      noatime,nodiratime,defaults    0 1
/dev/sr0                /mnt/cdrom    auto      noauto,ro                      0 0
/dev/mapper/vg-portage  /usr/portage  ext4      noatime,nodiratime              0 0
/dev/mapper/vg-home    /home        ext4      noatime,nodiratime              0 0
</pre>


== Kernel options ==
{{console|body=
{{fancynote| This part is particularly important: pay close attention. }}<br>
Command: ##i##n ↵
{{kernelop
Partition Number: ##i##2 ↵
|title=
First sector: ##i##↵
|desc=
Last sector: ##i##↵##!i## (for rest of disk)
General setup --->
Hex Code: ##i##↵
      [*] Initial RAM filesystem and RAM disk (initramfs/initrd) support
}}
}}
{{kernelop
 
|title=
'''(Optional) Create disk labels''':
|desc=
{{console|body=
Device Drivers --->
Command: ##i##c ↵
      Generic Driver Options --->
Partition Number: ##i##1
      [*] Maintain a devtmpfs filesystem to mount at /dev
Enter name: ##i##BOOT
Command: ##i##c ↵
Partition Number: ##i##2
Enter name: ##i##ROOT
}}
}}
{{kernelop
 
|title=
'''Write Partition Table To Disk''':
|desc=
 
Device Drivers --->
{{console|body=
      [*] Multiple devices driver support --->
Command: ##i##w ↵
      <*>Device Mapper Support
Do you want to proceed? (Y/N): ##i##Y ↵
        <*> Crypt target support
}}
}}
{{kernelop
The partition table will now be written to the disk and {{c|gdisk}} will close.
|title=
 
|desc=
==Create and mount filesystems.==
Cryptographic API --->
'''Create /boot filesystem '''
      <*> XTS support
====For BIOS systems====
      -*-AES cipher algorithms
{{console|body=# ##i##mkfs.ext2 /dev/sdX1}}
 
====For UEFI systems====
{{console|body=# ##i##mkfs.vfat -F 32 /dev/sdX1}}
 
'''Create LUKS encrypted volume'''
{{Note| Cryptsetup now defaults to LUKS2, which is unsupported by stable versions of grub. This is why we are not encrypting /boot.}}
{{Warning| The debian-sources kernel in current stage3 tarballs does not allow for passwords in excess of 63 characters.}}
 
{{console|body=
# ##i##cryptsetup luksFormat /dev/sdX2
}}
}}


= Initramfs setup and configuration =
'''Open newly created LUKS volume'''
== Better-initramfs ==
{{console|body=# ##i##cryptsetup open /dev/sdX2 root}}
'''Build your initramfs with [https://bitbucket.org/piotrkarbowski/better-initramfs better-initramfs] project.'''


{{Note}} better-initramfs supports neither dynamic modules nor udev, so you should compile your kernel with built-in support for your block devices and file system support.
'''Create LVM volumes for / and swap'''
{{console|body=# ##i##pvcreate /dev/mapper/root}}
{{console|body=# ##i##vgcreate vg /dev/mapper/root}}
{{Note|Replace "16G" with the amount of swap you would like to make available.}}
{{console|body=# ##i##lvcreate -L16G --name swap vg}}
{{console|body=# ##i##lvcreate -l 100%FREE --name root vg}}
{{Note|The "-l 100%FREE" option above will use the remainder of the disk for your root partition. If you would prefer to create separate for /home or /var (for example), you can instead continue to use the "-LXXG" option for fixed sizes.}}


<console>
'''Create filesystems on LVM volumes'''
# ##i##cd /opt
{{console|body=# ##i##mkswap /dev/mapper/vg-swap}}
# ##i##git clone git://github.com/slashbeast/better-initramfs.git
{{console|body=# ##i##mkfs.ext4 /dev/mapper/vg-root}}
# ##i##cd better-initramfs
# ##i##less README.rst
# ##i##bootstrap/bootstrap-all
# ##i##make prepare
# ##i##make image
</console>


Copy resulting <code>initramfs.cpio.gz</code> to <code>/boot</code>:
'''Create directories for chroot'''
<console># ##i##cp output/initramfs.cpio.gz /boot</console>
{{console|body=# ##i##mkdir -p /mnt/funtoo}}


Alternatively, a pre-compiled binary initramfs is available at https://bitbucket.org/piotrkarbowski/better-initramfs/downloads
==Mount filesystems==
<console>
{{console|body=# ##i##mount /dev/mapper/vg-root /mnt/funtoo}}
# ##i##wget https://bitbucket.org/piotrkarbowski/better-initramfs/downloads/release-x86_64-v0.7.2.tar.bz2
{{console|body=# ##i##mkdir /mnt/funtoo/boot}}
# ##i##tar xf release-x86_64-v0.5.tar.bz2
{{console|body=# ##i##mount /dev/sdX1 /mnt/funtoo/boot}}
# ##i##cd release*
{{console|body=# ##i##mkdir /mnt/funtoo/proc}}
# ##i##gzip initramfs.cpio
{{console|body=# ##i##mount -t proc none /mnt/funtoo/proc}}
# ##i##cp initramfs.cpio.gz /boot
{{console|body=# ##i##mkdir /mnt/funtoo/dev}}
</console>
{{console|body=# ##i##mount --rbind /dev /mnt/funtoo/dev}}
{{console|body=# ##i##mkdir /mnt/funtoo/sys}}
{{console|body=# ##i##mount --rbind /sys /mnt/funtoo/sys}}


Remember, better-initramfs project is a work in progress, so you need to update from time to time. It can be done easily with <code>git</code>. Go to the better-initramfs source dir and follow:
==Set the date==
<console>
{{Note|See the official Funtoo docs on [https://www.funtoo.org/Install/Setting_the_Date setting the date].}}
# ##i##cd /opt/better-initramfs
# ##i##git pull
# ##i##less ChangeLog
</console>
{{Note}}Please read the ChangeLog carefuly and perform necessary updates to <code>/etc/boot.conf</code>. Also, please backup the working <code>/boot/initramfs.cpio.gz</code> and <code>/etc/boot.conf</code> before updating better-initramfs.


== Genkernel ==
==Install the Funtoo starge tarball of your choice==
Funtoo's genkernel capable to create initramfs for encrypted drive. Compile and install kernel and initramfs of your favorite kernel sources:
{{Note|These instructions will be using the ''intel-haswell'' minimal stage3. You should adjust them accordingly}}
<console>
# ##i##genkernel --kernel-config=/path/to/your/custom-kernel-config --no-mrproper --makeopts=-j5 --install --lvm --luks all </console>


== Bootloader Configuration ==
{{console|body=# ##i##cd /mnt/funtoo}}
=== Grub2 configuration ===
{{console|body=# ##i##wget https://build.funtoo.org/1.4-release-std/x86-64bit/intel64-haswell/2021-03-10/stage3-intel64-haswell-1.4-release-std-2021-03-10.tar.xz}}
==== better-initramfs ====
{{console|body=# ##i##tar --numeric-owner --xattrs --xattrs-include='*' -xpf stage3-intel64-haswell-1.4-release-std-2021-03-10.tar.xz && rm -f stage3-intel64-haswell-1.4-release-std-2021-03-10.tar.xz}}
An example <code>/etc/boot.conf</code> for better-initramfs:


<pre>
==Chroot into your new system==
boot {
{{console|body=# ##i##env -i HOME=/root TERM=$TERM $(which chroot) /mnt/funtoo bash -l}}
  generate grub
 
  default "Funtoo Linux"
==Configure your system==
  timeout 3
'''Set a new root password'''
}
{{console|body=# ##i##passwd}}
"Funtoo Linux" {
 
  kernel vmlinuz[-v]
'''Set hostname'''
  initrd /initramfs.cpio.gz
{{console|body=# ##i##echo 'hostname="yourdesiredhostname"' > /etc/conf.d/hostname}}
  params += enc_root=/dev/sda3 lvm luks root=/dev/mapper/vg-root rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet
 
</pre>
'''Set up DNS resolution'''
{{Note|We are using the Cloudflare DNS server address here. Feel free to use your own.}}
{{console|body=# ##i##echo "nameserver 1.1.1.1" > /etc/resolv.conf}}
 
'''Set your timezone'''
{{console|body=# ##i##ln -sf /usr/share/zoneinfo/$(tzselect) /etc/localtime}}
 
'''Note your filesystem information'''
{{console|body=# ##i##blkid}}
{{console|body=
/dev/sdX1: UUID="6453-0C55" TYPE="vfat" PARTLABEL="efi" PARTUUID="4e195c4b-f88c-4205-b9df-79a879704b2f"
/dev/sdX2: UUID="aafe709b-82e7-448f-a2cb-36adc3787dc3" TYPE="crypto_LUKS" PARTLABEL="system" PARTUUID="93d0cf9b-0b95-4d8b-919f-48cd1774996f"
/dev/mapper/root: UUID="hvz79n-I2VE-nR1c-0hDQ-PVkR-3GRb-rnuJ9C" TYPE="LVM2_member"
/dev/mapper/vg-swap: UUID="a9188bc3-7def-422b-990d-9de431825779" TYPE="swap"
/dev/mapper/vg-root: UUID="2eaf45e6-d33b-4155-b4ca-63a2fdbfb896" TYPE="ext4"}}
 
'''Configure /etc/fstab'''
{{Note|The UUID parameter is set to the UUID of your boot partition as found from the blkid command above.}}
{{console|body=# ##i##cat > /etc/fstab << 'EOF'
UUID=6453-0C55 /boot vfat noauto,noatime 1 2
/dev/mapper/vg-swap none swap sw 0 0
/dev/mapper/vg-root / ext4 noatime,nodiratime,defaults 0 1
EOF}}
 
'''Create /etc/crypttab'''
{{Note|The UUID parameter is set to the UUID of /dev/sdX2 as found from the blkid command above.}}
{{console|body=# ##i##echo "root UUID=aafe709b-82e7-448f-a2cb-36adc3787dc3 none luks,discard" >> /etc/crypttab}}
 
'''Create /etc/dmtab'''
{{console|body=# ##i##dmsetup table >> /etc/dmtab}}
 
==Portage==
'''Download the portage tree'''
{{console|body=# ##i##ego sync}}
 
'''Change your ego profile to include encrypted root support'''
{{console|body=# ##i##epro mix-in encrypted-root}}
 
'''Edit package USE-flags'''
{{console|body=# ##i##cat > /etc/portage/package.use <<'EOF'
*/* device-mapper lvm luks
sys-kernel/linux-firmware initramfs
sys-fs/cryptsetup -dynamic
EOF}}


Now, run <code>boot-update</code> to write the configuration files to <code>/boot/grub/grub.cfg</code>
'''Install necessary packages'''
{{console|body=# ##i##emerge grub haveged intel-microcode linux-firmware cryptsetup lvm2 genkernel iucode_tool}}


==== genkernel ====
'''Configure services to start at boot'''
Configure the bootloader as described above, with correct kernel and initramfs images names. An example for genkernel and grub2. You will be editing <code>/etc/boot.conf</code>:
{{console|body=# ##i##rc-update add device-mapper sysinit}}
{{console|body=# ##i##rc-update add dmcrypt sysinit}}
{{console|body=# ##i##rc-update add lvmetad sysinit}}
{{console|body=# ##i##rc-update add haveged default}}
{{console|body=# ##i##rc-update add busybox-ntpd default}}


<pre>
==Install a bootloader==
'''Configure /etc/boot.conf'''
{{Note|The UUID parameter is set to the UUID of /dev/sdX2 as found from the blkid command above.}}
{{console|body=# ##i##cat > /etc/boot.conf <<'EOF'
boot {
boot {
  generate grub
    generate grub
  default "Funtoo Linux"
    default "Funtoo Linux"
  timeout 3
    timeout 3
}
}
"Funtoo Linux" {
"Funtoo Linux" {
  kernel kernel-genkernel-x86_64-3.13.0
    kernel kernel[-v]
  initrd initramfs-genkernel-x86_64-3.13.0
    initrd initramfs[-v]
  params += crypt_root=/dev/sda3 dolvm real_root=/dev/mapper/vg-root rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet
    params += crypt_root=UUID=aafe709b-82e7-448f-a2cb-36adc3787dc3 dolvm real_root=/dev/mapper/vg-root ro rootfstype=auto resume=/dev/mapper/vg-swap quiet
</pre>
}
EOF}}


== Lilo configuration ==
'''Install GRUB'''
For oldschool geeks, an example for lilo bootloader. Emerge lilo with device-mapper support
====For BIOS systems====
<console>
{{console|body=# ##i##grub-install --target=i386-pc --no-floppy /dev/sdX}}
# ##i##echo 'sys-boot/lilo device-mapper' >> /etc/portage/package.use/lilo
{{console|body=# ##i##ego boot update}}
# ##i##emerge lilo
</console>


Example <code>/etc/lilo.conf</code>:
====For UEFI systems====
{{console|body=# ##i##mount -o remount,rw /sys/firmware/efi/efivars}}
{{Note|For 32 bit systems, the following command should be changed to:
{{console|body=# ##i##grub-install --target=i386-efi --efi-directory=/boot --bootloader-id="Funtoo Linux" --recheck /dev/sdX}}}}
{{console|body=# ##i##grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id="Funtoo Linux" --recheck /dev/sdX}}
{{console|body=# ##i##ego boot update}}


<pre>
'''Generate a new initramfs'''
append="init=/linuxrc dolvm crypt_root=/dev/sda2 real_root=/dev/mapper/vg-root"
{{console|body=# ##i##genkernel --clean --luks --lvm --disklabel --ramdisk-modules --fullname=$(ls /boot/initramfs-* {{!}} tail -c +17) initramfs}}
boot=/dev/sda
compact
default=funtoo
lba32
prompt
read-only
timeout=50
image=/boot/kernel-genkernel-x86_64-3.13.0
initrd=/boot/initramfs-genkernel-x86_64-3.13.0
label=funtoo
</pre>


== Syslinux bootloader setup ==
==Finishing installation==
Syslinux is another advanced bootloader which you can find on all live CD's. Syslinux bootloader does not require additional BIOS boot partition. /dev/sda2 is the root partition.
From this point, you should be able to finish following the [https://www.funtoo.org/Install/Network official Funtoo Linux install instructions]
<console>
# ##i##emerge syslinux
# ##i##mkdir /boot/extlinux
# ##i##extlinux --install /boot/extlinux
# ##i##dd bs=440 conv=notrunc count=1 if=/usr/share/syslinux/mbr.bin of=/dev/sda
- or -
# ##i##sgdisk /dev/sda --attributes=1:set:2
# ##i##dd bs=440 conv=notrunc count=1 if=/usr/share/syslinux/gptmbr.bin of=/dev/sda, for GPT partition
</console>


Example <code>/boot/extlinux/extlinux.conf</code>:
==Managing your LUKS volume==
'''Change your LUKs-encrypted drive's passphrase'''
You may want to change your encrypted volume’s passphrase or password from time to time. To do so, run the following commands in the console as root:


<pre>
{{console|body=
LABEL kernel1_bzImage-3.2.1
# ##i##cryptsetup luksChangeKey /dev/sdx3
MENU LABEL Funtoo Linux bzImage-3.2.1
}}
LINUX /bzImage-3.2.1
INITRD /initramfs.cpio.gz
APPEND rootfstype=ext4 luks enc_root=/dev/sda2 lvm root=/dev/mapper/vg-root
</pre>
 
== Final steps ==
Umount everything, close encrypted drive and reboot
<console>
# ##i##umount -l -v /mnt/funtoo/{dev, proc, home, usr/portage, boot}
# ##i##vgchange -a n
# ##i##cryptsetup luksClose /dev/sda2 dmcrypt_root
</console>
After reboot you will get the following:
<console>
>>> better-initramfs started. Kernel version 2.6.35-gentoo-r10
>>> Create all the symlinks to /bin/busybox.
>>> Initiating /dev/dir
>>> Getting LVM volumes up (if any)
Reding all physical volumes. This make take awhile...
No volume group found
No volume group found
>>> Opening encrypted partition and mapping to /dev/mapper/dmcrypt_root
Enter passphrase fore /dev/sda2:
</console>
Type your password


<console>
You'll be prompted to enter in the existing passphrase first, then to enter in your new passphrase.
>>> Again, getting LVM volumes up (if any, after map dmcrypt).
You will not be asked to confirm your new passphrase, so be careful when running this operation.
  Reading all physical volumes.  This may take a while...
  Found volume group "vg" using metadata type lvm2
  4 logical volume(s) in volume group "vg" now active
>>> Mounting rootfs to /newroot
>>> Umounting /sys and /proc.
>>> Switching root to /newroot and executing /sbin/init.
INIT: version 2.88 booting
Loading /libexec/rc/console/keymap
  OpenRC 0.6.1 is starting up Funtoo Linux (x86_64)
...boot messages omitted for clarity
 
orion login: oleg
Password:
Last login: Thu Oct 14 20:49:21 EEST 2010 on tty1
oleg@orion ~ %
</console>


== Additional links and information ==
== Additional links and information ==
* [https://www.freedesktop.org/software/systemd/man/crypttab.html crypttab]
* [[gentoo-wiki:Root filesystem over LVM2, DM-Crypt and RAID|Root filesystem over LVM2, DM-Crypt, and RAID]]
* [[gentoo-wiki:Root filesystem over LVM2, DM-Crypt and RAID|Root filesystem over LVM2, DM-Crypt, and RAID]]
* [http://wiki.archlinux.org/index.php/System_Encryption_with_LUKS_for_dm-crypt System Encryption with LUKS for dm-crypt]
* [http://wiki.archlinux.org/index.php/System_Encryption_with_LUKS_for_dm-crypt System Encryption with LUKS for dm-crypt]
* [https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS arch encrypt entire system]
* [http://en.wikipedia.org/wiki/Logical_volume_management Wikipedia article on LVM]
* [http://en.wikipedia.org/wiki/Logical_volume_management Wikipedia article on LVM]
* [https://wiki.archlinux.org/index.php/Dm-crypt_with_LUKS Arch Wiki article]
* [https://wiki.archlinux.org/index.php/Dm-crypt_with_LUKS Arch Wiki article]


[[Category:HOWTO]]
[[Category:HOWTO]]

Latest revision as of 21:03, May 22, 2023

This howto describes how to setup LVM, swap, and root with dmcrypt LUKS. It is a standalone installation walk through, based on the official installations finished product. boot is not encrypted.

   Warning
You may try this installation method at your own risk! Please note: this guide is outside of the official installation documentation and cannot be supported. If you choose to use this, we assume you know what you are doing and you are on your own.
   Warning

this page is for legacy hardware specifically, it will soon be forked to an entire disk encryption page which has an EFI image outside of encrypted boot, and root that decrypts both. this page is for remote systems that need unlocked in initramfs from ssh. this link is to encrypted boot: https://www.funtoo.org/User:Pnoecker/full_disk_encryption

Prepare the hard drive and partitions

  • Before you begin, make sure you are partitioning the correct drive. For the rest of this tutorial, we will be using /dev/sdX as a placeholder.
root # lsblk
NAME          MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda             8:0    0  1.8T  0 disk 
├─sda1          8:1    0  512M  0 part 
├─sda2          8:2    0    8G  0 part [SWAP]
└─sda3          8:3    0  1.8T  0 part 
  ├─main-root 254:0    0  500G  0 lvm  /
  └─main-data 254:1    0  1.3T  0 lvm  /home

link your drive to /dev/sdX

to make following this guide easier you can set udev rules and link the drive you're installing to /dev/sdX so everything is copy paste. just replace the kernel's == sda/mmc/nvme to match your target drive. hda/sda drives

root # echo 'KERNEL=="sda*", SYMLINK+="sdX%n"' > /etc/udev/rules.d/01-funtoo.rules
root # udevadm control --reload-rules
root # udevadm trigger

mmc/nvme drives

root # echo 'KERNEL=="mmcblk0", SYMLINK+="sdX"' > /etc/udev/rules.d/01-funtoo.rules
root # echo 'KERNEL=="mmcblk0p*", SYMLINK+="sdX%n"' >> /etc/udev/rules.d/01-funtoo.rules
root # udevadm control --reload-rules
root # udevadm trigger
  • verify link
root # ls -al /dev/sdX*
lrwxrwxrwx 1 root root 3 Jul 31 14:00 /dev/sdX -> sde
lrwxrwxrwx 1 root root 4 Jul 31 14:00 /dev/sdX1 -> sde1
lrwxrwxrwx 1 root root 4 Jul 31 14:00 /dev/sdX2 -> sde2

Partition

MBR [BIOS] Partitioning

   Note

Use this method if you are booting using your BIOS, and if your Funtoo LiveCD initial boot menu was light blue. If you're going to use the UEFI/GPT disk format, then please proceed to the next section.

root # fdisk /dev/sdX

Within fdisk, follow these steps:

Empty the partition table:

Command (m for help): o ↵

Create boot partition:

Command (m for help): n ↵
Partition type (default p): 
Partition number (1-4, default 1): 
First sector: 
Last sector: +128M ↵

Create partition which will be encrypted with LUKS:

Command (m for help): n ↵
Partition type (default p): 
Partition number (2-4, default 2): 
First sector: 
Last sector: 

Verify the partition table:

Command (m for help): p

Disk /dev/sdX: 298.1 GiB, 320072933376 bytes, 625142448 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x82abc9a6

Device    Boot     Start       End    Blocks  Id System
/dev/sdX1           2048    264191    131072  83 Linux
/dev/sdX2        4458496 625142447 312439128  83 Linux

Write the partition table to disk:

Command (m for help): w

Your new MBR partition table will now be written to your system disk.

UEFI Partitioning

   Note

Use this method if you are interested in booting using UEFI, and if your Funtoo LiveCD initial boot menu was black and white, or the system booted without a boot menu. If it was light blue, this method will not work. Instead, use the instructions in the previous section then skip this section, or reboot LiveCD in UEFI mode first.

root # gdisk /dev/sdX

Within gdisk, follow these steps:

Empty the partition table:

Command: o ↵
This option deletes all partitions and creates a new protective MBR.
Proceed? (Y/N): y ↵

Create boot partition:

Command: n ↵
Partition Number: 1 ↵
First sector: 
Last sector: +128M ↵
Hex Code: EF00 ↵

Create partition which will be encrypted with LUKS:

Command: n ↵
Partition Number: 2 ↵
First sector: 
Last sector:  (for rest of disk)
Hex Code: 

(Optional) Create disk labels:

Command: c ↵
Partition Number: 1
Enter name: BOOT 
Command: c ↵
Partition Number: 2
Enter name: ROOT

Write Partition Table To Disk:

Command: w ↵
Do you want to proceed? (Y/N): Y ↵

The partition table will now be written to the disk and gdisk will close.

Create and mount filesystems.

Create /boot filesystem

For BIOS systems

root # mkfs.ext2 /dev/sdX1

For UEFI systems

root # mkfs.vfat -F 32 /dev/sdX1

Create LUKS encrypted volume

   Note
Cryptsetup now defaults to LUKS2, which is unsupported by stable versions of grub. This is why we are not encrypting /boot.
   Warning
The debian-sources kernel in current stage3 tarballs does not allow for passwords in excess of 63 characters.
root # cryptsetup luksFormat /dev/sdX2

Open newly created LUKS volume

root # cryptsetup open /dev/sdX2 root

Create LVM volumes for / and swap

root # pvcreate /dev/mapper/root
root # vgcreate vg /dev/mapper/root
   Note

Replace "16G" with the amount of swap you would like to make available.

root # lvcreate -L16G --name swap vg
root # lvcreate -l 100%FREE --name root vg
   Note

The "-l 100%FREE" option above will use the remainder of the disk for your root partition. If you would prefer to create separate for /home or /var (for example), you can instead continue to use the "-LXXG" option for fixed sizes.

Create filesystems on LVM volumes

root # mkswap /dev/mapper/vg-swap
root # mkfs.ext4 /dev/mapper/vg-root

Create directories for chroot

root # mkdir -p /mnt/funtoo

Mount filesystems

root # mount /dev/mapper/vg-root /mnt/funtoo
root # mkdir /mnt/funtoo/boot
root # mount /dev/sdX1 /mnt/funtoo/boot
root # mkdir /mnt/funtoo/proc
root # mount -t proc none /mnt/funtoo/proc
root # mkdir /mnt/funtoo/dev
root # mount --rbind /dev /mnt/funtoo/dev
root # mkdir /mnt/funtoo/sys
root # mount --rbind /sys /mnt/funtoo/sys

Set the date

   Note

See the official Funtoo docs on setting the date.

Install the Funtoo starge tarball of your choice

   Note

These instructions will be using the intel-haswell minimal stage3. You should adjust them accordingly

root # cd /mnt/funtoo
root # wget https://build.funtoo.org/1.4-release-std/x86-64bit/intel64-haswell/2021-03-10/stage3-intel64-haswell-1.4-release-std-2021-03-10.tar.xz
root # tar --numeric-owner --xattrs --xattrs-include='*' -xpf stage3-intel64-haswell-1.4-release-std-2021-03-10.tar.xz && rm -f stage3-intel64-haswell-1.4-release-std-2021-03-10.tar.xz

Chroot into your new system

root # env -i HOME=/root TERM=$TERM $(which chroot) /mnt/funtoo bash -l

Configure your system

Set a new root password

root # passwd

Set hostname

root # echo 'hostname="yourdesiredhostname"' > /etc/conf.d/hostname

Set up DNS resolution

   Note

We are using the Cloudflare DNS server address here. Feel free to use your own.

root # echo "nameserver 1.1.1.1" > /etc/resolv.conf

Set your timezone

root # ln -sf /usr/share/zoneinfo/$(tzselect) /etc/localtime

Note your filesystem information

root # blkid
/dev/sdX1: UUID="6453-0C55" TYPE="vfat" PARTLABEL="efi" PARTUUID="4e195c4b-f88c-4205-b9df-79a879704b2f"
/dev/sdX2: UUID="aafe709b-82e7-448f-a2cb-36adc3787dc3" TYPE="crypto_LUKS" PARTLABEL="system" PARTUUID="93d0cf9b-0b95-4d8b-919f-48cd1774996f"
/dev/mapper/root: UUID="hvz79n-I2VE-nR1c-0hDQ-PVkR-3GRb-rnuJ9C" TYPE="LVM2_member"
/dev/mapper/vg-swap: UUID="a9188bc3-7def-422b-990d-9de431825779" TYPE="swap"
/dev/mapper/vg-root: UUID="2eaf45e6-d33b-4155-b4ca-63a2fdbfb896" TYPE="ext4"

Configure /etc/fstab

   Note

The UUID parameter is set to the UUID of your boot partition as found from the blkid command above.

root # cat > /etc/fstab << 'EOF'
UUID=6453-0C55 /boot vfat noauto,noatime 1 2
/dev/mapper/vg-swap none swap sw 0 0
/dev/mapper/vg-root / ext4 noatime,nodiratime,defaults 0 1
EOF

Create /etc/crypttab

   Note

The UUID parameter is set to the UUID of /dev/sdX2 as found from the blkid command above.

root # echo "root UUID=aafe709b-82e7-448f-a2cb-36adc3787dc3 none luks,discard" >> /etc/crypttab

Create /etc/dmtab

root # dmsetup table >> /etc/dmtab

Portage

Download the portage tree

root # ego sync

Change your ego profile to include encrypted root support

root # epro mix-in encrypted-root

Edit package USE-flags

root # cat > /etc/portage/package.use <<'EOF'
*/* device-mapper lvm luks
sys-kernel/linux-firmware initramfs
sys-fs/cryptsetup -dynamic
EOF

Install necessary packages

root # emerge grub haveged intel-microcode linux-firmware cryptsetup lvm2 genkernel iucode_tool

Configure services to start at boot

root # rc-update add device-mapper sysinit
root # rc-update add dmcrypt sysinit
root # rc-update add lvmetad sysinit
root # rc-update add haveged default
root # rc-update add busybox-ntpd default

Install a bootloader

Configure /etc/boot.conf

   Note

The UUID parameter is set to the UUID of /dev/sdX2 as found from the blkid command above.

root # cat > /etc/boot.conf <<'EOF'
boot {
    generate grub
    default "Funtoo Linux"
    timeout 3
}
"Funtoo Linux" {
    kernel kernel[-v]
    initrd initramfs[-v]
    params += crypt_root=UUID=aafe709b-82e7-448f-a2cb-36adc3787dc3 dolvm real_root=/dev/mapper/vg-root ro rootfstype=auto resume=/dev/mapper/vg-swap quiet
}
EOF

Install GRUB

For BIOS systems

root # grub-install --target=i386-pc --no-floppy /dev/sdX
root # ego boot update

For UEFI systems

root # mount -o remount,rw /sys/firmware/efi/efivars
   Note

For 32 bit systems, the following command should be changed to:

root # grub-install --target=i386-efi --efi-directory=/boot --bootloader-id="Funtoo Linux" --recheck /dev/sdX
root # grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id="Funtoo Linux" --recheck /dev/sdX
root # ego boot update

Generate a new initramfs

root # genkernel --clean --luks --lvm --disklabel --ramdisk-modules --fullname=$(ls /boot/initramfs-* | tail -c +17) initramfs

Finishing installation

From this point, you should be able to finish following the official Funtoo Linux install instructions

Managing your LUKS volume

Change your LUKs-encrypted drive's passphrase You may want to change your encrypted volume’s passphrase or password from time to time. To do so, run the following commands in the console as root:

root # cryptsetup luksChangeKey /dev/sdx3

You'll be prompted to enter in the existing passphrase first, then to enter in your new passphrase. You will not be asked to confirm your new passphrase, so be careful when running this operation.

Additional links and information