Rootfs over encrypted lvm

2,481 bytes added, 1 year ago
Better-initramfs
== Prepare the hard drive and partitions ==
This is a simple example partition scheme; you may want to choose differently. <code>/dev/sda1</code> is used as <code>/boot</code>, and <code>/dev/sda3</code> will be the encrypted partition holding the LVM volumes.
* <code>/dev/sda1</code> -- <code>/boot</code> partition.
* <code>/dev/sda2</code> -- BIOS boot partition. This is only needed when the disk uses GPT and you boot GRUB2 in legacy BIOS mode; it is not needed with MBR, nor with UEFI. See [http://www.funtoo.org/Funtoo_Linux_Installation#Prepare_Hard_Disk] for more information on GPT and MBR.
* <code>/dev/sda3</code> -- <code>/</code> partition: the LUKS container that will hold the LVM volumes.
 
With UEFI (no BIOS boot partition is needed; if you use this layout, substitute <code>/dev/sda2</code> wherever the examples below say <code>/dev/sda3</code>):
* <code>/dev/sda1</code> -- <tt>/boot</tt>
* <code>/dev/sda2</code> -- <tt>/</tt> partition
=== Wipe the hard drive ===
{{Fancywarning|This action will destroy all data on the disk.}}
Use gdisk's expert menu (<code>x</code>) and its zap command (<code>z</code>) to wipe the GPT and MBR:
<console>
# ##i##gdisk /dev/sda
Command (? for help): ##i##x ↵
Expert command (? for help): ##i##z ↵
About to wipe out GPT on /dev/sda. Proceed? (Y/N): ##i##y ↵
GPT data structures destroyed! You may now partition the disk using fdisk or other utilities.
Blank out MBR? (Y/N): ##i##y ↵
</console>
Afterwards, create the partitions listed above with gdisk (GPT) or fdisk (MBR).
 
== Encrypting the drive ==
Read more about different cipher options here: [http://blog.wpkg.org/2009/04/23/cipher-benchmark-for-dm-crypt-luks/]
<console>
# ##i##cryptsetup --cipher aes-xts-plain64 luksFormat /dev/sda3
</console>
 
Or use SHA-512 instead of the default hash for increased security. LUKS uses this hash inside PBKDF2 to derive the volume key from your passphrase, so the 2005 collision results on SHA-1 do not directly break an existing SHA-1 volume, but there is no reason to choose SHA-1 for a new one: use <code>sha256</code> or <code>sha512</code>. As the cryptography expert Bruce Schneier wrote in 2005, SHA-1 is broken; see his article here: [http://www.schneier.com/blog/archives/2005/02/sha1_broken.html]. Note also that XTS consumes two keys of equal length, so <code>--key-size 256</code> yields a 128-bit cipher key; use <code>--key-size 512</code> if you want a 256-bit AES or Twofish key.
 
<console>
# ##i##cryptsetup --cipher twofish-xts-plain64 --hash sha512 --key-size 256 luksFormat /dev/sda3
</console>
 
{{Warning|Support for ''twofish-xts-plain64'' is '''NOT''' in the default debian-kernel. You will need to configure and compile your own kernel if you choose this.}}
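As an added example (not code from the original page or from cryptsetup), the following Python script parses the LUKS1 on-disk header that <code>luksFormat</code> writes and reports the cipher, mode, hash, key size and active key slots, so you can confirm on the device what the commands above actually produced. It flags <code>sha1</code>, reports the effective cipher key size for XTS (half of <code>--key-size</code>) and warns when only one key slot is active. The sample header in the script is constructed in memory; to inspect a real volume, run it as root with the partition as argument. Headers written by cryptsetup 2.x default to LUKS2, which has a different layout and is rejected here.

```python
import struct

# LUKS1 phdr layout (all integers big-endian): magic, version, cipher-name,
# cipher-mode, hash-spec, payload-offset, key-bytes, mk-digest, mk-digest-salt,
# mk-digest-iter, uuid, then 8 key slots of 48 bytes each. 592 bytes in total.
LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS_KEY_ENABLED = 0x00AC71F3
LUKS_KEY_DISABLED = 0x0000DEAD
PHDR_FMT = ">6sH32s32s32sII20s32sI40s"
SLOT_FMT = ">II32sII"          # active, iterations, salt, key-material-offset, stripes
PHDR_SIZE = struct.calcsize(PHDR_FMT) + 8 * struct.calcsize(SLOT_FMT)


def _cstr(b):
    return b.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_luks1_header(data):
    """Parse the first 592 bytes of a LUKS1 device into a dict."""
    if len(data) < PHDR_SIZE:
        raise ValueError("need at least %d bytes of header" % PHDR_SIZE)
    (magic, version, cipher, mode, hashspec, payload_off, key_bytes,
     _mk_digest, _mk_salt, mk_iter, uuid) = struct.unpack_from(PHDR_FMT, data, 0)
    if magic != LUKS_MAGIC:
        raise ValueError("not a LUKS header (bad magic)")
    if version != 1:
        raise ValueError("only LUKS1 is parsed here (header version %d)" % version)
    slots, off = [], struct.calcsize(PHDR_FMT)
    for i in range(8):
        active, iters, _salt, _km_off, _stripes = struct.unpack_from(SLOT_FMT, data, off)
        slots.append({"slot": i, "active": active == LUKS_KEY_ENABLED, "iterations": iters})
        off += struct.calcsize(SLOT_FMT)
    return {"cipher": _cstr(cipher), "mode": _cstr(mode), "hash": _cstr(hashspec),
            "key_bits": key_bytes * 8, "payload_offset_sectors": payload_off,
            "mk_iterations": mk_iter, "uuid": _cstr(uuid), "slots": slots}


def audit_luks1_header(hdr):
    """Return human-readable findings for a parsed header."""
    findings = []
    if hdr["hash"] == "sha1":
        findings.append("hash sha1: still unlockable, but use sha256/sha512 for new volumes")
    if hdr["mode"].startswith("xts"):
        # XTS splits the key material in two, so the cipher key is half the LUKS key size.
        findings.append("xts: effective %s key is %d bits" % (hdr["cipher"], hdr["key_bits"] // 2))
    if sum(1 for s in hdr["slots"] if s["active"]) == 1:
        findings.append("only one active key slot: losing that passphrase loses the volume")
    return findings


def build_test_header(cipher, mode, hashspec, key_bytes, active_slots=1):
    """Constructed test data: a minimal LUKS1 header with zeroed digests and salts."""
    fixed = struct.pack(PHDR_FMT, LUKS_MAGIC, 1, cipher.encode(), mode.encode(),
                        hashspec.encode(), 4096, key_bytes, b"\x00" * 20, b"\x00" * 32,
                        1000, b"00000000-0000-0000-0000-000000000000")
    slots = b""
    for i in range(8):
        enabled = i < active_slots
        slots += struct.pack(SLOT_FMT, LUKS_KEY_ENABLED if enabled else LUKS_KEY_DISABLED,
                             250000 if enabled else 0, b"\x00" * 32, 8 + i * 256, 4000)
    return fixed + slots


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                      # e.g. python3 luks_header.py /dev/sda3 (as root)
        with open(sys.argv[1], "rb") as f:
            data = f.read(PHDR_SIZE)
    else:                                      # offline demo on the constructed header
        data = build_test_header("twofish", "xts-plain64", "sha512", 32)
    hdr = parse_luks1_header(data)
    print("%(cipher)s-%(mode)s hash=%(hash)s key=%(key_bits)d bits uuid=%(uuid)s" % hdr)
    for finding in audit_luks1_header(hdr):
        print(" -", finding)
```

Only the first 592 bytes of the partition are read, so the script never touches key material or the encrypted payload; it is safe to run on a mounted volume.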
 
== Change your LUKS-encrypted drive's passphrase ==
You may want to change your encrypted volume’s passphrase or password from time to time. To do so, run the following commands in the console as root:
 
<console>
# ##i##cryptsetup luksChangeKey /dev/sda3
</console>
{{Note|You will be prompted for the existing passphrase first, then for the new one. You will not be asked to confirm the new passphrase, so type it carefully when running this operation.}}
== Opening the encrypted volume ==
<code>luksFormat</code> (run above) initializes the volume and sets its initial passphrase. Now open it, so that the decrypted block device appears as <code>/dev/mapper/dmcrypt_root</code>:
<console>
# ##i##cryptsetup luksOpen /dev/sda3 dmcrypt_root
</console>
You will be prompted for the passphrase you set when formatting the volume.
{{Fancywarning|The default keymap at boot time is '''us'''. If you enter your passphrase using a different keymap, you will not be able to unlock the encrypted volume if the passphrase contains any characters that are located elsewhere on your keyboard layout than in the us layout.}}
== Create logical volumes ==
Turn the opened LUKS device into an LVM physical volume, create a volume group named <code>vg</code> on it, and carve out the logical volumes used in the rest of this guide (the sizes are examples):
<console>
# ##i##pvcreate /dev/mapper/dmcrypt_root
# ##i##vgcreate vg /dev/mapper/dmcrypt_root
# ##i##lvcreate -L2G -n swap vg
# ##i##lvcreate -L20G -n root vg
# ##i##lvcreate -L5G -n portage vg
# ##i##lvcreate -l 100%FREE -n home vg
</console>
Feel free to specify your desired size by altering the numbers after the <code>-L</code> flag. For example, to make your portage dataset 20GB, use the flag <code>-L20G</code> instead of <code>-L5G</code>.
{{Note|Please, notice that above mentioned partitioning scheme is an example and not a default recommendation, change it accordingly to desired scheme.}}
== Create a filesystem on volumes ==
Create the filesystems and swap area, then mount everything under <code>/mnt/funtoo</code> for the installation:
<console>
# ##i##mkfs.ext2 /dev/sda1
# ##i##mkfs.ext4 /dev/mapper/vg-root
# ##i##mkfs.ext4 /dev/mapper/vg-portage
# ##i##mkfs.ext4 /dev/mapper/vg-home
# ##i##mkswap /dev/mapper/vg-swap
# ##i##mkdir -p /mnt/funtoo
# ##i##mount /dev/mapper/vg-root /mnt/funtoo
# ##i##mkdir -p /mnt/funtoo/{boot,home,usr/portage}
# ##i##mount /dev/sda1 /mnt/funtoo/boot
# ##i##mount /dev/mapper/vg-portage /mnt/funtoo/usr/portage
# ##i##mount /dev/mapper/vg-home /mnt/funtoo/home
</console>
Now perform all the steps required for a basic system install by following the [http://docs.funtoo.org/wiki/Funtoo_Linux_Installation Funtoo Linux Installation Guide], but don't forget to emerge the following before your install is finished:
* '''cryptsetup'''
* '''lvm2'''
== Editing the fstab ==
Fire up your favorite text editor to edit <code>/etc/fstab</code>. You want to put the following in the file:
{{file|name=/etc/fstab|desc=|body=
# <fs>                   <mountpoint>   <type>  <opts>              <dump/pass>
/dev/sda1                /boot          ext2    noauto,noatime      1 2
/dev/mapper/vg-root      /              ext4    noatime             0 1
/dev/mapper/vg-swap      none           swap    sw                  0 0
/dev/mapper/vg-portage   /usr/portage   ext4    noatime,nodiratime  0 0
/dev/mapper/vg-home      /home          ext4    noatime,nodiratime  0 0
}}
== Kernel options ==
{{Note|This part is particularly important: pay close attention.}}
Note: If you are using debian-sources as included in mid-May 2015 and later Funtoo stages, you do <em>not</em> need to rebuild the kernel. The following instructions are for other kernels that you may choose to install.
{{kernelop|title=|desc=
General setup --->
    [*] Initial RAM filesystem and RAM disk (initramfs/initrd) support
}}
{{kernelop|title=|desc=
Device Drivers --->
    Generic Driver Options --->
        [*] Maintain a devtmpfs filesystem to mount at /dev
}}
{{kernelop|title=|desc=
Device Drivers --->
    [*] Multiple devices driver support --->
        <*> Device Mapper Support
        <*>   Crypt target support
}}
{{kernelop|title=|desc=
Cryptographic API --->
    <*> XTS support
    -*- AES cipher algorithms
    <*> Twofish cipher algorithm   (only if you chose twofish-xts-plain64 above)
}}
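As an added example (not from the original page or from any project), the following Python checker reads a kernel <code>.config</code> (or <code>/proc/config.gz</code> of the running kernel) and verifies that the options listed above are present and built in (<code>=y</code>). The Kconfig symbols are the ones behind those menu entries; because better-initramfs does not load modules, an option built as <code>=m</code> is reported as a problem unless you pass <code>builtin_only=False</code> for a modular genkernel initramfs. The sample <code>.config</code> text is constructed for the demonstration.

```python
import gzip

# Kconfig symbols behind the menuconfig entries above, plus Twofish for
# anyone who chose twofish-xts-plain64 when running luksFormat.
REQUIRED = {
    "CONFIG_BLK_DEV_INITRD": "Initial RAM filesystem and RAM disk support",
    "CONFIG_DEVTMPFS": "Maintain a devtmpfs filesystem to mount at /dev",
    "CONFIG_MD": "Multiple devices driver support",
    "CONFIG_BLK_DEV_DM": "Device Mapper Support",
    "CONFIG_DM_CRYPT": "Crypt target support",
    "CONFIG_CRYPTO_XTS": "XTS support",
    "CONFIG_CRYPTO_AES": "AES cipher algorithms",
}
OPTIONAL = {"CONFIG_CRYPTO_TWOFISH": "Twofish cipher algorithm (twofish-xts-plain64 only)"}


def parse_kconfig(text):
    """Map CONFIG_* symbols to their value; '# CONFIG_FOO is not set' becomes 'n'."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# CONFIG_") and line.endswith(" is not set"):
            values[line[2:-len(" is not set")]] = "n"
        elif line.startswith("CONFIG_") and "=" in line:
            sym, val = line.split("=", 1)
            values[sym] = val.strip('"')
    return values


def check_kconfig(values, want_twofish=False, builtin_only=True):
    """Return {symbol: problem} for every wanted option that is missing, =n or =m."""
    wanted = dict(REQUIRED)
    if want_twofish:
        wanted.update(OPTIONAL)
    problems = {}
    for sym, desc in wanted.items():
        val = values.get(sym, "n")
        if val == "y":
            continue
        if val == "m" and not builtin_only:
            continue   # a modular initramfs (genkernel) can load it; better-initramfs cannot
        state = "not set" if val == "n" else "=" + val
        problems[sym] = "%s (%s) is %s" % (sym, desc, state)
    return problems


def load_kconfig(path):
    """Read a plain .config or a gzip-compressed one such as /proc/config.gz."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt") as f:
        return parse_kconfig(f.read())


# Constructed sample: dm-crypt only built as a module, XTS missing entirely.
SAMPLE_CONFIG = """\
CONFIG_BLK_DEV_INITRD=y
CONFIG_DEVTMPFS=y
CONFIG_MD=y
CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=m
# CONFIG_CRYPTO_XTS is not set
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_TWOFISH=m
"""

if __name__ == "__main__":
    import sys
    # e.g. python3 check_kconfig.py /usr/src/linux/.config  or  /proc/config.gz
    values = load_kconfig(sys.argv[1]) if len(sys.argv) > 1 else parse_kconfig(SAMPLE_CONFIG)
    problems = check_kconfig(values, want_twofish=True)
    for msg in problems.values():
        print("MISSING:", msg)
    sys.exit(1 if problems else 0)
```

The exit status is non-zero when anything is missing, so the script can gate a kernel build in a Makefile or a deployment script.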
== Initramfs setup and configuration ==
=== Better-initramfs ===
{{Note|As of August 2016, better-initramfs is not required with debian-sources as included in current Funtoo stages. Unless you are using a kernel other than the debian-sources that comes with the Funtoo stage, you can safely skip to the section on editing <code>/etc/boot.conf</code>.}}
'''Build your initramfs with [https://bitbucket.org/piotrkarbowski/better-initramfs better-initramfs] project.'''
{{Note|better-initramfs supports neither dynamic modules nor udev, so you should compile your kernel with built-in support for your block devices and filesystems.}}
<console>
# ##i##cd /opt
# ##i##git clone https://bitbucket.org/piotrkarbowski/better-initramfs.git
# ##i##cd better-initramfs
# ##i##less README.rst
# ##i##less ChangeLog
</console>
{{Note|Please read the ChangeLog carefully and perform the necessary updates to <code>/etc/boot.conf</code>. Also, back up the working <code>/boot/initramfs.cpio.gz</code> and <code>/etc/boot.conf</code> before updating better-initramfs.}}
Alternatively, and much faster, install the better-initramfs-bin package, recently added to Funtoo's portage tree:
<console>
# ##i##emerge better-initramfs-bin
</console>
=== Genkernel ===
<console>
# ##i##genkernel --kernel-config=/path/to/your/custom-kernel-config --no-mrproper --makeopts=-j5 --install --lvm --luks all
</console>
== Bootloader Configuration ==
=== Grub2 configuration ===
Emerge Grub2 with device-mapper support:
<console>
# ##i##echo 'sys-boot/grub device-mapper' >> /etc/portage/package.use/grub
# ##i##emerge grub
</console>
Configure the bootloader with the correct kernel and initramfs image names. Note that better-initramfs and genkernel use different kernel parameters: better-initramfs expects <code>enc_root=</code>, <code>luks</code>, <code>lvm</code> and <code>root=</code>, while genkernel expects <code>crypt_root=</code>, <code>dolvm</code> and <code>real_root=</code>.
==== better-initramfs ====
An example for better-initramfs and grub2. You will be editing <code>/etc/boot.conf</code>:
<pre>
"Funtoo Linux" {
        kernel vmlinuz[-v]
        initrd /initramfs.cpio.gz
        params += enc_root=/dev/sda3 lvm luks root=/dev/mapper/vg-root rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet
}
</pre>
Now, run <code>boot-update</code> to write the configuration files to <code>/boot/grub/grub.cfg</code>.
==== genkernel ====
An example for genkernel and grub2. You will be editing <code>/etc/boot.conf</code>:
<pre>
"Funtoo Linux" {
        kernel kernel-genkernel-x86_64-3.13.0
        initrd /initramfs-genkernel-x86_64-3.13.0
        params += crypt_root=/dev/sda3 dolvm real_root=/dev/mapper/vg-root rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet
}
</pre>
Now, run <code>boot-update</code> to write the configuration files to <code>/boot/grub/grub.cfg</code>.
=== Lilo configuration ===
For oldschool geeks, an example for the lilo bootloader. Emerge lilo with device-mapper support:
<console>
# ##i##echo 'sys-boot/lilo device-mapper' >> /etc/portage/package.use/lilo
# ##i##emerge lilo
</console>
Example <code>/etc/lilo.conf</code> for genkernel:
<pre>
timeout=50
image=/boot/kernel-genkernel-x86_64-3.13.0
        initrd=/boot/initramfs-genkernel-x86_64-3.13.0
        label=funtoo
        read-only
        append="init=/linuxrc dolvm crypt_root=/dev/sda2 real_root=/dev/mapper/vg-root"
</pre>
Run <code>lilo</code> afterwards so the new configuration is written to the boot sector.
=== Syslinux bootloader setup ===
Syslinux is another advanced bootloader, found on most live CDs. Syslinux does not require an additional BIOS boot partition. In this example <code>/dev/sda2</code> is the root partition. Install the boot code to the disk and extlinux to the <code>/boot</code> partition:
<console>
# ##i##dd bs=440 conv=notrunc count=1 if=/usr/share/syslinux/gptmbr.bin of=/dev/sda
# ##i##mkdir -p /boot/extlinux
# ##i##extlinux --install /boot/extlinux
</console>
<code>gptmbr.bin</code> is the boot code for a GPT-partitioned disk.
Example <code>/boot/extlinux/extlinux.conf</code> for better-initramfs (kernel and initramfs file names are examples; adjust them to your own):
<pre>
DEFAULT kernel1_bzImage-3.2.1
PROMPT 1
TIMEOUT 50

LABEL kernel1_bzImage-3.2.1
        LINUX /bzImage-3.2.1
        INITRD /initramfs.cpio.gz
        APPEND enc_root=/dev/sda2 lvm luks root=/dev/mapper/vg-root rootfstype=ext4 quiet
</pre>
== Final steps ==
Unmount everything, deactivate the volume group, close the encrypted device and reboot:
<console>
# ##i##umount -l -v /mnt/funtoo/{dev,proc,home,usr/portage,boot}
# ##i##umount /mnt/funtoo
# ##i##vgchange -a n
# ##i##cryptsetup luksClose dmcrypt_root
</console>
After reboot, the initramfs will prompt for the LUKS passphrase before the root filesystem is mounted; remember that the keymap at that point is '''us'''.
== Additional links and information ==
* [[gentoo-wiki:Root filesystem over LVM2, DM-Crypt and RAID|Root filesystem over LVM2, DM-Crypt, and RAID]]
* [http://wiki.archlinux.org/index.php/System_Encryption_with_LUKS_for_dm-crypt System Encryption with LUKS for dm-crypt]