Changes

Jump to: navigation, search

Rootfs over encrypted lvm

2,191 bytes added, 2 years ago
Better-initramfs
== Prepare the hard drive and partitions ==
This is an example (and simple) partition scheme, you . You may want to choose differently.<code>/dev/sda1</code> used as <code>/boot</code>. <code>/dev/sda2</code> will be encrypted drive with LVM.
* <code>/dev/sda1</code> -- <code>/boot</code> partition.
* <code>/dev/sda2</code> -- BIOS boot partition (not needed for MBR - Note: this is only needed required if you are using GPT) This step required booting via EFI, or for booting with GRUB2. For more info, see: [http://www.funtoo.org/Funtoo_Linux_Installation#Prepare_Hard_Disk] for more information on GPT and MBR. )
* <code>/dev/sda3</code> -- <code>/</code> partition, will be the drive with LUKS and LVM.
 
With UEFI:
* <code>/dev/sda1</code> -- <tt>/boot</tt>
* <code>/dev/sda2</code> -- <tt>/</tt> partition
=== Wipe the hard drive ===
{{Fancywarning|This action will destroy all data on the disk.}}
<console>
# ##i##gdisk /dev/sda
Blank out MBR?: ##i##y ↵
</console>
 {{Note}} You Fancywarning|This action will get a message about reaching destroy all data on the end of the device when the <code>dd</code> command has finished. This behavior is intendeddisk.}}
== Encrypting the drive ==
Read more about different cipher options here: [[http://blog.wpkg.org/2009/04/23/cipher-benchmark-for-dm-crypt-luks/]]
<console>
# ##i##cryptsetup --cipher aes-xts-plain64 luksFormat /dev/sda3
</console>
 
Or use SHA512 for increase security. Do NOT use SHA-1: LUKS disk encryption. As the cryptography expert Bruce Schneier already told in year 2005, do not use SHA-1 because its broken. See his article here: [http://www.schneier.com/blog/archives/2005/02/sha1_broken.html]
 
<console>
# ##i##cryptsetup --cipher twofish-xts-plain64 --hash sha512 --key-size 256 luksFormat /dev/sda3
</console>
 
{{Warning|Support for ''twofish-xts-plain64'' is '''NOT''' in the default debian-kernel. You will need to configure and compile your own kernel if you choose this.}}
 
== Change your LUKs-encrypted drive's passphrase ==
You may want to change your encrypted volume’s passphrase or password from time to time. To do so, run the following commands in the console as root:
 
<console>
# ##i##cryptsetup luksChangeKey /dev/sda3
</console>
 
You'll be prompted to enter in the existing passphrase first, then to enter in your new passphrase. You will not be asked to confirm your new passphrase, so be careful when running this operation.
 
 
== Initializes the volume ==
Initializes the volume, and sets an initial key or passphrase:
<console>
# ##i##cryptsetup luksOpen /dev/sda3 dmcrypt_root
</console>
There you'll be prompted to enter your password phrase for encrypted drive, type your paranoid password there.
{{Fancywarning|The default keymap at boot time is '''us'''. If you enter your passphrase using a different keymap, you won't be able to unlock your crypt volume if the passphrase contains any characters that are located elsewere on your keyboard layout that with the us layout.}}
= Create logical volumes =
<console>
</console>
Feel free to specify your desired size by altering the numbers after the -L flag. For example, to make your portage dataset 20GB's, use the flag -L20G instead of -L5G.
{{Note|Please, notice that above mentioned partitioning scheme is an example and not a default recommendation, change it accordingly to desired scheme.}}
= Create a filesystem on volumes =
# ##i##mount /dev/mapper/vg-home /mnt/funtoo/home
</console>
Now perform all the steps required for basic system install, please follow the [http://docs.funtoo.org/wiki/Funtoo_Linux_Installation[Funtoo Linux Installation]]Guide, but don't forget to emerge the following before your install is finished:
* '''cryptsetup'''
= Editing the fstab =
Fire up your favorite text editor to edit <code>/etc/fstab</code>. You want to put the following in the file:
 {{Filefile|name=/etc/fstab|<pre>desc= |body=
# <fs> <mountpoint> <type> <opts> <dump/pass>
/dev/sda1 /boot ext2 noauto,noatime 1 2
/dev/mapper/vg-portage /usr/portage ext4 noatime,nodiratime 0 0
/dev/mapper/vg-home /home ext4 noatime,nodiratime 0 0
</pre>}}
== Kernel options =={{Note}}|This part is particularly important: pay close attention. }}<br>Note: If you are using debian-sources as included in mid-May 2015 and later Funtoo stages, you do <em>not</em> need to rebuild the kernel. The following instructions are for other kernels that you may choose to install.
{{kernelop
| <br> title=|<pre>desc=
General setup --->
[*] Initial RAM filesystem and RAM disk (initramfs/initrd) support
</pre>}} 
{{kernelop
| <br> title=|<pre>desc=
Device Drivers --->
Generic Driver Options --->
[*] Maintain a devtmpfs filesystem to mount at /dev
</pre>}} 
{{kernelop
| <br> title=|<pre>desc=
Device Drivers --->
[*] Multiple devices driver support --->
<*>Device Mapper Support
<*> Crypt target support
</pre>}} 
{{kernelop
| <br> title=|<pre>desc=
Cryptographic API --->
<*> XTS support
-*-AES cipher algorithms
</pre>}}
= Initramfs setup and configuration =
== Better-initramfs ==
{{Note|As of August 2016, better-initramfs is not required with debian-sources as included in current Funtoo stages. Unless you are doing something not with debian-sources as comes with the Funtoo stage, you can safely skip to the section on editing <code>/etc/boot.conf</code>.}}
'''Build your initramfs with [https://bitbucket.org/piotrkarbowski/better-initramfs better-initramfs] project.'''
{{note}}Note|better-initramfs supports neither dynamic modules nor udev, so you should compile your kernel with built-in support for your block devicesand file system support.}}
<console>
# ##i##cd /opt
# ##i##git clone githttps://githubbitbucket.comorg/slashbeastpiotrkarbowski/better-initramfs.git
# ##i##cd better-initramfs
# ##i##less README.rst
# ##i##less ChangeLog
</console>
{{Note}}|Please read the ChangeLog carefuly and perform necessary updates to <code>/etc/boot.conf</code>. Also, please backup the working <code>/boot/initramfs.cpio.gz</code> and <code>/etc/boot.conf</code> before updating better-initramfs.}}Alternatively and much faster is to install better-initramfs-bin package, recently added to Funtoo's portage tree:<console># ##i##emerge better-initramfs-bin</console>
== Genkernel ==
== Bootloader Configuration ==
=== Grub2 configuration ===
Emerge Grub2 with device-mapper support
<console>
# ##i##echo 'sys-boot/grub device-mapper' >> /etc/portage/package.use/grub
# ##i##emerge grub
</console>
 
==== better-initramfs ====
An example <code>/etc/boot.conf</code> for better-initramfs:
{{File|/etc/boot.conf|<pre>
boot {
generate grub
initrd /initramfs.cpio.gz
params += enc_root=/dev/sda3 lvm luks root=/dev/mapper/vg-root rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet
}</pre>}}
Now, run <code>boot-update</code> to write the configuration files to <code>/boot/grub/grub.cfg</code>
Configure the bootloader as described above, with correct kernel and initramfs images names. An example for genkernel and grub2. You will be editing <code>/etc/boot.conf</code>:
{{File|/etc/boot.conf|<pre>
boot {
generate grub
initrd initramfs-genkernel-x86_64-3.13.0
params += crypt_root=/dev/sda3 dolvm real_root=/dev/mapper/vg-root rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet
}</pre>}}
=== Lilo configuration ===
For oldschool geeks, an example for lilo bootloader. Emerge lilo with device-mapper support
<console>
</console>
Example <code>/etc/lilo.conf</code>for genkernel:
{{File|/etc/lilo.conf|<pre>
append="init=/linuxrc dolvm crypt_root=/dev/sda2 real_root=/dev/mapper/vg-root"
boot=/dev/sda
initrd=/boot/initramfs-genkernel-x86_64-3.13.0
label=funtoo
</pre>}}
=== Syslinux bootloader setup ===
Syslinux is another advanced bootloader which you can find on all live CD's. Syslinux bootloader does not require additional BIOS boot partition. /dev/sda2 is the root partition.
<console>
</console>
Example <code>/boot/extlinux/extlinux.conf</code>for better-initramfs:
{{File|/boot/extlinux/extlinux.conf|<pre>
LABEL kernel1_bzImage-3.2.1
MENU LABEL Funtoo Linux bzImage-3.2.1
INITRD /initramfs.cpio.gz
APPEND rootfstype=ext4 luks enc_root=/dev/sda2 lvm root=/dev/mapper/vg-root
</pre>}}
== Final steps ==
Umount everything, close encrypted drive and reboot
<console>
# ##i##umount -l -v /mnt/funtoo/{dev, proc, home, usr/portage, boot}
# ##i##vgchange -a n
# ##i##cryptsetup luksClose /dev/sda2 dmcrypt_root
</console>
After reboot you will get the following:
</console>
== Additional links and information ==
* [[gentoo-wiki:Root filesystem over LVM2, DM-Crypt and RAID|Root filesystem over LVM2, DM-Crypt, and RAID]]
* [http://wiki.archlinux.org/index.php/System_Encryption_with_LUKS_for_dm-crypt System Encryption with LUKS for dm-crypt]
Bureaucrats, Administrators, wiki-admins, wiki-staff
6,575
edits

Navigation menu