Changes

Encrypted Root

1,591 bytes removed, 2 months ago
clean up the build, add crypto label, and set crypto label in grub, hopefully we're not FORCED into the known working uuid grub configuration.
This howto document describes how to set up a swapless encrypted root partition without lvm.
{{warning|out of order}}
{{warning|This build is currently broken}}
== Prepare the hard drive and partitions ==
== Encrypt the drive ==
{{console|body=
# ##i##cryptsetup luksFormat --type luks2 --label=FUNTOO /dev/sdc3
}}
* YES not yes....
* enter your password:
== Initialize the volume ==
Initialize the volume:
 
{{console|body=
# ##i##cryptsetup luksOpen /dev/sdc3 dmcrypt_root
}}
{{console|body=
###i## mkfs.vfat -F 32 /dev/sdc2
###i## fatlabel /dev/sdc2 "BOOT"
# ##i##mkfs.ext4 /dev/mapper/dmcrypt_root
}}
=== Basic system setup Mount ===
{{console|body=
# ##i##mkdir /mnt/funtoo
# ##i##mount /dev/mapper/dmcrypt_root /mnt/funtoo
# ##i##mkdir /mnt/funtoo/boot
# ##i##mount /dev/sdc2 /mnt/funtoo/boot
}}
tmpfs /run tmpfs rw,nodev,nosuid 0 0
EOF
}}
 
*load your crypttab:
{{console|body=
###i## echo "dmcrypt_root PARTLABEL=FUNTOO none luks" >> /etc/crypttab
###i## dmsetup table >> /etc/dmtab
}}
{{console|body=
###i## echo 'PORTAGE_TMPDIR="/run"' > /etc/portage/make.conf
}}
 
*Sync & deploy your profile:
{{console|body=
###i## ego sync && ego profile mix-in encrypted-root
}}
{{console|body=
###i## cat > /etc/portage/package.use << "EOF"
sys-kernel*/debian-sources luks
sys-kernel/debian-sources-lts luks
sys-boot/grub * lvm device-mapper
sys-kernel/linux-firmware initramfs
EOF
}}
*merge stuff:
{{console|body=
###i## ego sync
###i## emerge grub haveged intel-microcode linux-firmware eix cryptsetup debian-sources-lts && emerge debian-sources && emerge -vuND @world && emerge --depclean
}}
*Deploy your ego profile:
{{console|body=
###i## ego profile mix-in encrypted-root
}}
 
{{console|body=
###i## emerge grub haveged intel-microcode linux-firmware eix cryptsetup debian-sources-lts && emerge debian-sources && emerge -vuND @world
}}
*set services:
{{console|body=
###i## rc-update del swap boot && rc-update add haveged && rc-update add gpm && rc-update add busybox-ntpd
###i## rc-update add device-mapper boot
###i## rc-update add dmcrypt boot
}}
kernel kernel[-v]
initrd initramfs[-v]
params += crypt_root=LABEL=FUNTOO lvm dolvm luks =yes root=/dev/mapper/dmcrypt_root rootfstype=ext4
}
</pre>
 
Now, run <code>ego boot update</code> to write the configuration files to <code>/boot/grub/grub.cfg</code>.
 
=== Another Example ===
Configure the bootloader as described above, with the correct kernel and initramfs image names. The following is an example for grub2. You will be editing <code>/etc/boot.conf</code>:
 
<pre>
boot {
generate grub
default "Funtoo Linux"
timeout 3
}
"Funtoo Linux" {
kernel kernel[-v]
initrd initramfs[-v]
params += crypt_root=PARTLABEL=FUNTOO dolvm real_root=/dev/mapper/dmcrypt_root rootfstype=ext4
}
</pre>
{{console|body=
###i## grub-install --target=x86_64-efi /boot/efi
}}
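
The crypttab entry and the <code>params</code> line both have to name the same encrypted source, and the two can drift apart when switching between the PARTLABEL=, LABEL= and UUID= forms. The following check is an added example, not part of the original page: the function names are hypothetical, and the sample crypttab and params strings are constructed from the values used above. It compares strings only and does not probe any device.

```shell
#!/bin/sh
# Added example (not from the original page): check that /etc/crypttab and the
# boot.conf "params" line name the same encrypted source for the root mapping.
# Function names are hypothetical; the sample data below is constructed.

# Print the source field (column 2) of mapping NAME in crypttab FILE.
crypttab_source() {
    awk -v n="$1" '$1 == n { print $2; exit }' "$2"
}

# Print the value of KEY= from a kernel parameter string; fail if absent.
# The value may itself contain "=" (e.g. crypt_root=LABEL=FUNTOO).
param_value() {
    for tok in $2; do
        case "$tok" in
            "$1"=*) printf '%s\n' "${tok#*=}"; return 0 ;;
        esac
    done
    return 1
}

# check_unlock_config CRYPTTAB "PARAMS": return 0 when consistent, 1 otherwise.
check_unlock_config() {
    root=$(param_value root "$2") || root=$(param_value real_root "$2") ||
        { echo "no root= or real_root= in params"; return 1; }
    case "$root" in
        /dev/mapper/*) name=${root#/dev/mapper/} ;;
        *) echo "root is not a /dev/mapper device: $root"; return 1 ;;
    esac
    boot_src=$(param_value crypt_root "$2") ||
        { echo "no crypt_root= in params"; return 1; }
    tab_src=$(crypttab_source "$name" "$1")
    [ -n "$tab_src" ] || { echo "no crypttab entry for $name"; return 1; }
    [ "$tab_src" = "$boot_src" ] ||
        { echo "mismatch: crypttab=$tab_src boot=$boot_src"; return 1; }
    echo "ok: $name <- $boot_src"
}

# Constructed sample input built from the values used on this page.
tab=$(mktemp)
printf '%s\n' '# name source key options' \
    'dmcrypt_root PARTLABEL=FUNTOO none luks' > "$tab"
check_unlock_config "$tab" \
    'crypt_root=PARTLABEL=FUNTOO dolvm real_root=/dev/mapper/dmcrypt_root rootfstype=ext4' || true
check_unlock_config "$tab" \
    'crypt_root=LABEL=FUNTOO root=/dev/mapper/dmcrypt_root rootfstype=ext4' || true
```

Run it inside the chroot against the real <code>/etc/crypttab</code> and the params line from <code>/etc/boot.conf</code> before rebooting; <code>blkid</code> shows which of LABEL and PARTLABEL the partition actually carries.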
 
=== EFI from EFI ===
 
{{console|body=
###i## mount -o remount,rw /sys/firmware/efi/efivars
}}
== Final steps ==
*exit chroot, unmount everything, close the encrypted drive, and reboot:
{{console|body=
###i## exit
# ##i##cryptsetup luksClose dmcrypt_root
}}
After reboot you will get the following:
<console>
>>> better-initramfs started. Kernel version 2.6.35-gentoo-r10
>>> Create all the symlinks to /bin/busybox.
>>> Initiating /dev/dir
>>> Getting LVM volumes up (if any)
Reading all physical volumes. This may take a while...
No volume group found
No volume group found
>>> Opening encrypted partition and mapping to /dev/mapper/dmcrypt_root
Enter passphrase for /dev/sda2:
</console>
Type your password
 
<console>
>>> Again, getting LVM volumes up (if any, after map dmcrypt).
Reading all physical volumes. This may take a while...
Found volume group "vg" using metadata type lvm2
4 logical volume(s) in volume group "vg" now active
>>> Mounting rootfs to /newroot
>>> Umounting /sys and /proc.
>>> Switching root to /newroot and executing /sbin/init.
INIT: version 2.88 booting
Loading /libexec/rc/console/keymap
OpenRC 0.6.1 is starting up Funtoo Linux (x86_64)
...boot messages omitted for clarity
orion login: oleg
Password:
Last login: Thu Oct 14 20:49:21 EEST 2010 on tty1
oleg@orion ~ %
</console>
== Management ==
{{console|body=
# ##i##cryptsetup luksChangeKey /dev/sda3
}}
You will not be asked to confirm your new passphrase, so be careful when running this operation.
== Additional links and information External Resources ==
* [[gentoo-wiki:Root filesystem over LVM2, DM-Crypt and RAID|Root filesystem over LVM2, DM-Crypt, and RAID]]
* [http://wiki.archlinux.org/index.php/System_Encryption_with_LUKS_for_dm-crypt System Encryption with LUKS for dm-crypt]