Changes


Encrypted Root

6,165 bytes added, 2 months ago
clean up the build, add crypto label, and set crypto label in grub, hopefully we're not FORCED into the known working uuid grub configuration.
This document describes how to set up a swapless encrypted root partition without LVM.
== Prepare the hard drive and partitions ==
{{warning|out of order}}
*List the device to be partitioned, mine is on /dev/sdc
{{console|body=
###i## lsblk -o name,size,label,partlabel}}
==Partition==
{{console|body=
###i## cgdisk /dev/sdc}}
delete everything.
 
{{console|body=
Command: ##i## new ↵
First sector: ##i##↵
Last sector: ##i##+1M ↵
Hex Code: ##i##EF02 ↵
Enter name: ##i##BIOS Boot ↵
}}
 
scroll down to large chunk of free space:
{{console|body=
Command: ##i##new ↵
First sector: ##i##↵
Last sector: ##i##+128M ↵
Hex Code: ##i##EF00 ↵
Enter name: ##i##BOOT ↵
}}
 
scroll down to large chunk of free space:
{{console|body=
Command: ##i##new ↵
First sector: ##i##↵
Last sector: ##i##↵
Hex Code: ##i## 8304 ↵
Enter name: ##i##FUNTOO ↵
}}
 
{{console|body=
 
                      Disk Drive: /dev/sdc
                    Size: 62333952, 29.7 GiB

Part. #     Size        Partition Type            Partition Name
----------------------------------------------------------------
            1007.0 KiB  free space
   1        1024.0 KiB  BIOS boot partition       BIOS Boot
   2        256.0 MiB   EFI System                BOOT
   3        29.5 GiB    Linux x86-64 root (/)     FUNTOO
}}
 
{{console|body=
Command: ##i##write ↵
Command: ##i##quit ↵
}}
 
== Encrypt the drive ==
{{console|body=
###i## cryptsetup luksFormat --type luks2 --label=FUNTOO /dev/sdc3
}}
*Confirm by typing YES in uppercase, not yes.
*Enter your password:
 
== Initialize the volume ==
Initialize the volume:
 
{{console|body=
###i## cryptsetup luksOpen /dev/sdc3 dmcrypt_root
}}
 
=== Create your filesystem ===
{{console|body=
###i## mkfs.vfat -F 32 /dev/sdc2
###i## fatlabel /dev/sdc2 "BOOT"
###i## mkfs.ext4 /dev/mapper/dmcrypt_root
}}
 
=== Mount ===
{{console|body=
###i## mkdir /mnt/funtoo
###i## mount /dev/mapper/dmcrypt_root /mnt/funtoo
###i## mkdir /mnt/funtoo/boot
###i## mount /dev/sdc2 /mnt/funtoo/boot
}}
 
==Get Funtoo Gnome==
You can pull your [[Subarches]] gnome tarball if you wish:
 
{{console|body=
###i## cd /mnt/funtoo
###i## wget https://build.funtoo.org/1.4-release-std/x86-64bit/generic_64/gnome-latest.tar.xz
###i## tar --numeric-owner --xattrs --xattrs-include='*' -xpf *gnome* && rm -f *gnome*
}}
 
==Load Funtoo==
*expand your run tmpfs to be half of your ram:
{{console|body=
###i## mount -t tmpfs tmpfs /run
}}
 
*mount up:
{{console|body=
###i## cd /mnt/funtoo && mount -t proc none proc
###i## mount --rbind /sys sys
###i## mount --rbind /dev dev
###i## mount --rbind /run run
}}
 
*chroot in:
{{console|body=
###i## cd /mnt/funtoo && env -i HOME=/root TERM=$TERM chroot . bash -l
}}
 
*Set yo password:
*set yo hostname:
*set cloudflare dns resolution for installing:
*Set yo time zone:
{{console|body=
###i## passwd
###i## echo 'hostname="crypto"' > /etc/conf.d/hostname
###i## echo "nameserver 1.1.1.1" > /etc/resolv.conf
###i## ln -sf /usr/share/zoneinfo/America/Detroit /etc/localtime
}}
=== load your fstab ===
*Deploy your fstab:
{{console|body=
###i## cat > /etc/fstab << "EOF"
LABEL=BOOT /boot vfat noauto,noatime 1 2
/dev/mapper/dmcrypt_root / ext4 noatime,nodiratime,defaults 0 1
tmpfs /run tmpfs rw,nodev,nosuid 0 0
EOF
}}
 
*load your crypttab:
{{console|body=
###i## echo "dmcrypt_root PARTLABEL=FUNTOO none luks" >> /etc/crypttab
###i## dmsetup table >> /etc/dmtab
}}
 
*compile in ram:
{{console|body=
###i## echo 'PORTAGE_TMPDIR="/run"' > /etc/portage/make.conf
}}
 
*Sync & deploy your profile:
{{console|body=
###i## ego sync && ego profile mix-in encrypted-root
}}
 
*Deploy your package.use file:
{{console|body=
###i## cat > /etc/portage/package.use << "EOF"
*/* lvm device-mapper
sys-kernel/linux-firmware initramfs
EOF
}}
 
{{console|body=
###i## emerge grub haveged intel-microcode linux-firmware eix cryptsetup debian-sources-lts && emerge debian-sources && emerge -vuND @world && emerge --depclean
}}
 
*set services:
{{console|body=
###i## rc-update del swap boot && rc-update add haveged && rc-update add gpm && rc-update add busybox-ntpd
###i## rc-update add device-mapper boot
###i## rc-update add dmcrypt boot
}}
 
== Bootloader Configuration ==
=== /etc/boot.conf ===
 
<pre>
boot {
generate grub
default "Funtoo Linux"
timeout 3
}
"Funtoo Linux" {
kernel kernel[-v]
initrd initramfs[-v]
params += crypt_root=LABEL=FUNTOO dolvm luks=yes root=/dev/mapper/dmcrypt_root rootfstype=ext4
}
</pre>
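
The mapper name and the label now appear in three files (crypttab, fstab, boot.conf), and a mismatch between them leaves the encrypted root unbootable. The following check is an added example, not part of the original guide; the function names are hypothetical and the sample file contents are constructed from the snippets on this page. It only validates the form of the references, not that the devices exist.

```shell
#!/bin/sh
# Added example, not part of the original page. File contents below are
# constructed from the snippets on this page.

# Print the value of key= from the params line of a boot.conf file.
param() {  # usage: param <key> <boot.conf>
    sed -n 's/^[[:space:]]*params[[:space:]]*+=//p' "$2" |
        tr ' ' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# Return 0 when crypttab, fstab and boot.conf agree; print each mismatch.
check_names() {  # usage: check_names <crypttab> <fstab> <boot.conf>
    mapper=$(awk '!/^#/ && NF >= 2 { print $1; exit }' "$1")
    src=$(awk '!/^#/ && NF >= 2 { print $2; exit }' "$1")
    rootdev=$(awk '!/^#/ && $2 == "/" { print $1; exit }' "$2")
    kroot=$(param root "$3")
    kcrypt=$(param crypt_root "$3")
    rc=0
    [ "$rootdev" = "/dev/mapper/$mapper" ] ||
        { echo "fstab root '$rootdev' is not /dev/mapper/$mapper"; rc=1; }
    [ "$kroot" = "/dev/mapper/$mapper" ] ||
        { echo "boot.conf root= '$kroot' is not /dev/mapper/$mapper"; rc=1; }
    # Kernel names such as /dev/sdc3 can change between boots; require a
    # LABEL=, PARTLABEL=, UUID= or PARTUUID= reference instead.
    for ref in "$src" "$kcrypt"; do
        case $ref in
            LABEL=?*|PARTLABEL=?*|UUID=?*|PARTUUID=?*) ;;
            *) echo "unstable or missing device reference: '$ref'"; rc=1 ;;
        esac
    done
    return $rc
}

# Write the three files as this page configures them into directory $1.
write_samples() {
    echo 'dmcrypt_root PARTLABEL=FUNTOO none luks' > "$1/crypttab"
    printf '%s\n' 'LABEL=BOOT /boot vfat noauto,noatime 1 2' \
        '/dev/mapper/dmcrypt_root / ext4 noatime,nodiratime,defaults 0 1' \
        > "$1/fstab"
    printf '%s\n' '"Funtoo Linux" {' \
        'params += crypt_root=LABEL=FUNTOO dolvm luks=yes root=/dev/mapper/dmcrypt_root rootfstype=ext4' \
        '}' > "$1/boot.conf"
}

tmp=$(mktemp -d)
write_samples "$tmp"
check_names "$tmp/crypttab" "$tmp/fstab" "$tmp/boot.conf" && echo "consistent"
rm -rf "$tmp"
```

Inside the chroot, the same function can be pointed at /etc/crypttab, /etc/fstab and /etc/boot.conf before running ego boot update.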
 
== GRUB ==
*Install grub in legacy mode:
{{console|body=
###i## grub-install --target=i386-pc /dev/sdc
###i## ego boot update}}
 
=== EFI from Legacy ===
*manually make efi directory:
*remount /dev/sdc2 to /boot/efi:
*install efi images:
{{console|body=
###i## mkdir /boot/efi
###i## mount /dev/sdc2 /boot/efi
###i## grub-install --target=x86_64-efi --efi-directory=/boot/efi
}}
 
=== EFI from EFI ===
{{console|body=
###i## mount -o remount,rw /sys/firmware/efi/efivars
###i## grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id="Funtoo Linux [GRUB]" --recheck /dev/sda
###i## ego boot update
}}
 
== Final steps ==
*exit chroot, unmount everything, and close encrypted root:
{{console|body=
###i## exit
###i## cd ..
###i## umount -lR funtoo
# ##i##cryptsetup luksClose dmcrypt_root
}}
 
== Management ==
=== Change your LUKS-encrypted drive's passphrase ===
You may want to change your encrypted volume’s passphrase or password from time to time. To do so, run the following commands in the console as root:
 
{{console|body=
###i## cryptsetup luksChangeKey /dev/sda3
}}
 
You'll be prompted to enter in the existing passphrase first, then to enter in your new passphrase.
You will not be asked to confirm your new passphrase, so be careful when running this operation.
 
== External Resources ==
* [[gentoo-wiki:Root filesystem over LVM2, DM-Crypt and RAID|Root filesystem over LVM2, DM-Crypt, and RAID]]
* [http://wiki.archlinux.org/index.php/System_Encryption_with_LUKS_for_dm-crypt System Encryption with LUKS for dm-crypt]
* [https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS arch encrypt entire system]
* [http://en.wikipedia.org/wiki/Logical_volume_management Wikipedia article on LVM]
* [https://wiki.archlinux.org/index.php/Dm-crypt_with_LUKS Arch Wiki article]
[[Category:HOWTO]]