Rootfs over encrypted lvm

From Funtoo Linux
Revision as of 16:58, 7 November 2010 by Brantgurga (Talk)


You can do many things with Funtoo Linux; this is just a sample of how to do one of them. This howto describes how to set up LVM and the root filesystem on a LUKS-encrypted (dm-crypt) drive, with an initramfs that unlocks the drive at boot.


Prepare the hard drive and make partitions

This is an example partition scheme; you may choose a different one. /dev/sda1 is used as /boot and stays unencrypted, because the bootloader has to read the kernel and initramfs from it. /dev/sda2 will be the encrypted drive holding LVM.

/dev/sda1 
/dev/sda2
dd if=/dev/zero of=/dev/sda2 bs=100M 
dd if=/dev/urandom of=/dev/sda2 bs=100M

The dd step is optional and is there for security reasons: filling the partition with random data first means that, once it is encrypted, used blocks cannot be told apart from unused ones. The /dev/zero pass is redundant when a /dev/urandom pass follows it. With /dev/urandom it takes around 6 hours to complete for a 200 GB drive; a faster way to get the same result is to open the LUKS container first and write zeros through /dev/mapper/dmcrypt_root, since the ciphertext that lands on the disk is indistinguishable from random data.


Encrypting the drive

cryptsetup -c aes-xts-plain luksFormat /dev/sda2
cryptsetup luksOpen /dev/sda2 dmcrypt_root

You will be prompted for the passphrase of the encrypted drive. Choose a long one: it is the only thing protecting the data at rest. Two caveats about the command above. Without -s, cryptsetup uses a 256-bit master key, which XTS splits into two 128-bit halves, so this is AES-128; pass -s 512 to get AES-256. The plain IV mode uses a 32-bit sector number, so IVs repeat after the first 2 TiB of the device; kernels from 2.6.33 on support aes-xts-plain64, which does not have this limit. Finally, back up the header with cryptsetup luksHeaderBackup and keep the copy off the machine: a damaged LUKS header makes the data unrecoverable even with the right passphrase.
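Added example, not from the Funtoo page or from the cryptsetup project: a small POSIX shell check for the header that luksFormat wrote, fed with the output of cryptsetup luksDump /dev/sda2. It flags the two weak spots just described (the xts-plain IV and a 256-bit XTS master key) and counts enabled key slots. The function names check_luks_header and luks_field are my own, the two dumps embedded in it are constructed samples containing only the fields the check reads, and the parser assumes the LUKS1 text format of that era (LUKS2 prints its cipher and key size differently).

```shell
#!/bin/sh
# Added example (not from the Funtoo page): sanity-check a LUKS1 header.
# Usage after formatting:  cryptsetup luksDump /dev/sda2 | check_luks_header
# Exit status 0 means no weak setting was found, 1 means at least one was.

# luks_field DUMP NAME: print the value of the "NAME:  value" line in DUMP.
luks_field() {
    printf '%s\n' "$1" | awk -F: -v key="$2" '
        $1 == key { sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2); print $2; exit }'
}

# check_luks_header: read a luksDump on stdin, warn about weak settings.
check_luks_header() {
    dump=$(cat)
    mode=$(luks_field "$dump" "Cipher mode")
    bits=$(luks_field "$dump" "MK bits")
    slots=$(printf '%s\n' "$dump" | grep -c '^Key Slot [0-7]: ENABLED' || true)
    rc=0
    case "$mode" in
        xts-plain)
            # plain = 32-bit sector number as IV: IVs repeat past 2 TiB.
            echo "WARN: IV mode xts-plain wraps after 2 TiB; format with -c aes-xts-plain64"
            rc=1 ;;
        xts-plain64) ;;
        *)
            echo "WARN: unexpected cipher mode '$mode'"
            rc=1 ;;
    esac
    case "$mode" in
        xts-*)
            # XTS needs two keys, so dm-crypt splits the master key in half.
            if [ "${bits:-0}" -lt 512 ]; then
                echo "WARN: MK bits=$bits gives AES-$((bits / 2)) under XTS; format with -s 512 for AES-256"
                rc=1
            fi ;;
    esac
    echo "INFO: $slots key slot(s) enabled"
    return $rc
}

# Constructed sample dumps (not taken from a real device); the fields that
# luksDump prints but the check ignores have been left out.
SAMPLE_WEAK='LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain
Hash spec:      sha1
Payload offset: 4096
MK bits:        256
Key Slot 0: ENABLED
Key Slot 1: DISABLED'

SAMPLE_STRONG='LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha1
Payload offset: 4096
MK bits:        512
Key Slot 0: ENABLED
Key Slot 1: ENABLED'

printf '%s\n' "$SAMPLE_WEAK" | check_luks_header || echo "weak header rejected"
printf '%s\n' "$SAMPLE_STRONG" | check_luks_header && echo "strong header accepted"
```

To use it on the real drive, source the file and pipe the dump into the function; the WEAK sample corresponds to the luksFormat line above run with no -s, the STRONG one to the same command with -c aes-xts-plain64 -s 512.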

Create logical volumes

pvcreate /dev/mapper/dmcrypt_root
vgcreate vg /dev/mapper/dmcrypt_root
lvcreate -L10G -nroot vg           
lvcreate -L2G -nswap vg
lvcreate -L5G -nportage vg
lvcreate -l 100%FREE -nhome vg

Adjust the sizes to your needs.

Create a filesystem on volumes

mkfs.ext2 /dev/sda1
mkswap /dev/mapper/vg-swap
mkfs.ext4 /dev/mapper/vg-root
mkreiserfs /dev/mapper/vg-portage
mkfs.xfs /dev/mapper/vg-home

Basic system setup

Activate swap and mount the new volumes under /mnt/gentoo (the mount points for /boot, /home and /usr/portage have to be created on the fresh root filesystem first):

swapon /dev/mapper/vg-swap
mount /dev/mapper/vg-root /mnt/gentoo
mkdir -p /mnt/gentoo/boot /mnt/gentoo/home /mnt/gentoo/usr/portage
mount /dev/sda1 /mnt/gentoo/boot
mount /dev/mapper/vg-home /mnt/gentoo/home
mount /dev/mapper/vg-portage /mnt/gentoo/usr/portage

Now perform all the steps required for a basic system install; please follow [1]. Do not forget to emerge the following packages (foo-sources stands for the kernel sources package of your choice):

# emerge cryptsetup lvm2 grub foo-sources

Re-emerge busybox with the "static" USE flag enabled.


Kernel options

Important, do not miss this part. The initramfs has to open the LUKS container and activate the volume group before the root filesystem exists, so everything below must be built into the kernel (y), not built as modules (m): a module would sit on the still-encrypted root and be unreachable at that point. Under General setup --->

[*] Initial RAM filesystem and RAM disk (initramfs/initrd) support

Under Device Drivers --->

[*] Multiple devices driver support  
<*>Device Mapper Support
<*> Crypt target support


Under Cryptographic API --->

-*-AES cipher algorithms

<*> XTS support (EXPERIMENTAL)
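Added example, not from the Funtoo page or the kernel tree: a POSIX shell check that reads a kernel .config and reports any of the options above that is missing or built as a module. The Kconfig symbol names are the ones behind the menuconfig entries listed above; the function name check_kconfig and the two embedded .config fragments are my own constructed samples.

```shell
#!/bin/sh
# Added example (not from the Funtoo page): check that a kernel .config has
# every option the initramfs needs built in (=y). Built as modules (=m) they
# would sit on the encrypted root, which is exactly what is not yet mounted
# when the initramfs has to open /dev/sda2 and activate the volume group.
# Usage:  check_kconfig < /usr/src/linux/.config

# Kconfig symbols behind the menuconfig entries listed above.
REQUIRED_BUILTIN="CONFIG_BLK_DEV_INITRD CONFIG_MD CONFIG_BLK_DEV_DM CONFIG_DM_CRYPT CONFIG_CRYPTO_AES CONFIG_CRYPTO_XTS"

# check_kconfig: read a .config on stdin, print one line per problem,
# return 0 only when every required symbol is =y.
check_kconfig() {
    cfg=$(cat)
    rc=0
    for sym in $REQUIRED_BUILTIN; do
        # "# CONFIG_FOO is not set" lines do not match, so $val stays empty.
        val=$(printf '%s\n' "$cfg" | sed -n "s/^$sym=//p")
        case "$val" in
            y) ;;
            m)  echo "$sym=m: module, must be =y to be usable from the initramfs"; rc=1 ;;
            "") echo "$sym: not set"; rc=1 ;;
            *)  echo "$sym=$val: unexpected value"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample configs (only the relevant lines of a real .config).
SAMPLE_BAD='CONFIG_BLK_DEV_INITRD=y
CONFIG_MD=y
CONFIG_BLK_DEV_DM=m
CONFIG_DM_CRYPT=m
CONFIG_CRYPTO_AES=y
# CONFIG_CRYPTO_XTS is not set'

SAMPLE_GOOD='CONFIG_BLK_DEV_INITRD=y
CONFIG_MD=y
CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=y
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_AES_X86_64=m
CONFIG_CRYPTO_XTS=y'

printf '%s\n' "$SAMPLE_BAD" | check_kconfig || echo "sample .config cannot unlock the root at boot"
printf '%s\n' "$SAMPLE_GOOD" | check_kconfig && echo "sample .config is fine"
```

Run it against /usr/src/linux/.config before building the kernel; the optimised CONFIG_CRYPTO_AES_X86_64 implementation may stay a module, since the generic CONFIG_CRYPTO_AES is what the initramfs relies on.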


Initramfs setup and configuration

Piotr Karbowski's better-initramfs project is used to build the initrd [2]. Note that the git:// transport is unauthenticated; if you clone over it, check what you got before booting from it.

git clone git://github.com/slashbeast/better-initramfs.git
cd better-initramfs
make
>>> initramfs.cpio.gz is ready

Copy resulting initramfs.cpio.gz to /boot

Grub2 configuration

An example of /etc/boot.conf that reflects the partition setup above (the dmcrypt_root, enc_root and lvm parameters are read by better-initramfs, the rest by the kernel):

Code: /etc/boot.conf
boot {
  generate grub
  default "Funtoo Linux"
  timeout 3
}
"Funtoo Linux" {
  kernel bzImage[-v]
  initrd /initramfs.cpio.gz
  params += dmcrypt_root=true enc_root=/dev/sda2 lvm=true root=/dev/mapper/vg-root  rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet
}

Code: /etc/fstab
# <fs>                  <mountpoint>  <type>    <opts>                          <dump/pass>
/dev/sda1               /boot         ext2      noauto,noatime                  1 2
/dev/mapper/vg-swap     none          swap      sw                              0 0
/dev/mapper/vg-root     /             ext4      noatime,nodiratime,defaults     0 1
/dev/sr0                /mnt/cdrom    auto      noauto,ro                       0 0
/dev/mapper/vg-portage  /usr/portage  reiserfs  noatime,nodiratime              0 0
/dev/mapper/vg-home     /home         xfs       noatime,nodiratime,osyncisdsync 0 0

Final steps

Unmount everything, deactivate the volume group, close the encrypted drive and reboot. The volume group has to be deactivated before luksClose, otherwise the mapping is still in use and cannot be closed; luksClose takes only the mapping name, not the underlying device.

umount /mnt/gentoo/boot
umount /mnt/gentoo/home
umount /mnt/gentoo/usr/portage
umount /mnt/gentoo/dev
umount /mnt/gentoo/proc
umount /mnt/gentoo
swapoff /dev/mapper/vg-swap
vgchange -an vg
cryptsetup luksClose dmcrypt_root

After the reboot you will see something like the following (the two "No volume group found" lines are expected: the first LVM scan runs before the encrypted drive is open):

>>> better-initramfs started. Kernel version 2.6.35-gentoo-r10
>>> Create all the symlinks to /bin/busybox.
>>> Initiating /dev/dir
>>> Getting LVM volumes up (if any)
  Reading all physical volumes.  This may take a while...
No volume group found
No volume group found
>>> Opening encrypted partition and mapping to /dev/mapper/dmcrypt_root
Enter passphrase for /dev/sda2:

Type your passphrase.

>>> Again, getting LVM volumes up (if any, after map dmcrypt).
  Reading all physical volumes.  This may take a while...
  Found volume group "vg" using metadata type lvm2
  4 logical volume(s) in volume group "vg" now active
>>> Mounting rootfs to /newroot
>>> Umounting /sys and /proc.
>>> Switching root to /newroot and executing /sbin/init.
INIT: version 2.88 booting
Loading /libexec/rc/console/keymap
  OpenRC 0.6.1 is starting up Funtoo Linux (x86_64)
...boot messages omitted for clarity
   
orion login: oleg
Password:
Last login: Thu Oct 14 20:49:21 EEST 2010 on tty1
oleg@orion ~ %

Additional links
