{{warning|out of order}}
{{warning|This build is currently broken}}

This howto describes how to set up a swapless encrypted root partition without LVM: a single LUKS container on a GPT disk holds the root filesystem, and a small unencrypted EFI System Partition holds the kernel, initramfs and GRUB.

== Prepare the hard drive and partitions ==
* List the device to be partitioned; in this example it is /dev/sdc. Check the size and any existing labels before you continue, because the next step deletes every partition on the disk:

{{console|body=
###i## lsblk -o name,size,label,partlabel
}}

== Partition ==
{{console|body=
###i## cgdisk /dev/sdc
}}

Delete every existing partition, then create three new ones. The first is a 1 MiB BIOS boot partition (type EF02), which GRUB needs in order to boot a GPT disk in legacy mode:

{{console|body=
Command: ##i##new ↵
First sector: ##i##↵
Last sector: ##i##+1M ↵
Hex Code: ##i##EF02 ↵
Enter name: ##i##BIOS Boot ↵
}}

Scroll down to the large chunk of free space and create the EFI System Partition (type EF00). It stays unencrypted and will hold the kernel, the initramfs and GRUB:

{{console|body=
Command: ##i##new ↵
First sector: ##i##↵
Last sector: ##i##+256M ↵
Hex Code: ##i##EF00 ↵
Enter name: ##i##BOOT ↵
}}

Scroll down to the remaining free space and give all of it to the root partition (type 8304, Linux x86-64 root). The partition name FUNTOO is what the initramfs will later use to locate the LUKS container (crypt_root=PARTLABEL=FUNTOO), so enter it exactly as shown:

{{console|body=
Command: ##i##new ↵
First sector: ##i##↵
Last sector: ##i##↵
Hex Code: ##i##8304 ↵
Enter name: ##i##FUNTOO ↵
}}

The result should look like this:

{{console|body=
Disk Drive: /dev/sdc
Size: 62333952, 29.7 GiB

Part. #     Size        Partition Type            Partition Name
----------------------------------------------------------------
            1007.0 KiB  free space
   1        1024.0 KiB  BIOS boot partition       BIOS Boot
   2        256.0 MiB   EFI System                BOOT
   3        29.5 GiB    Linux x86-64 root (/)     FUNTOO
}}

Write the table to disk and quit:

{{console|body=
Command: ##i##write ↵
Command: ##i##quit ↵
}}

== Encrypt the drive ==
Create the LUKS container on the root partition. cryptsetup asks you to confirm (type YES in capitals) and then to choose a passphrase; everything on /dev/sdc3 is destroyed.

{{console|body=
###i## cryptsetup luksFormat /dev/sdc3
}}
* Enter your passphrase. It is the only thing protecting the disk at rest, so choose a long one, and keep in mind that the keyboard layout at the boot prompt is the default US layout regardless of what you set later.

== Open the volume ==
Open the container; the decrypted block device appears as /dev/mapper/dmcrypt_root. The mapping name is used again in fstab and in the kernel parameters below, so keep it identical everywhere:

{{console|body=
###i## cryptsetup luksOpen /dev/sdc3 dmcrypt_root
}}

=== Create your filesystems ===
The EFI System Partition gets FAT32 with the label BOOT (fstab mounts it by that label); the root filesystem goes on the opened mapping, never on /dev/sdc3 itself:

{{console|body=
###i## mkfs.vfat -F 32 /dev/sdc2
###i## fatlabel /dev/sdc2 "BOOT"
###i## mkfs.ext4 /dev/mapper/dmcrypt_root
}}

=== Basic system setup ===
{{console|body=
###i## mkdir /mnt/funtoo
###i## mount /dev/mapper/dmcrypt_root /mnt/funtoo
###i## mkdir /mnt/funtoo/boot
###i## mount /dev/sdc2 /mnt/funtoo/boot
}}

== Get Funtoo Gnome ==
Pull the gnome stage tarball for your [[Subarches|subarch]] (generic_64 here) and unpack it, preserving numeric ownership and extended attributes:

{{console|body=
###i## cd /mnt/funtoo
###i## wget https://build.funtoo.org/1.4-release-std/x86-64bit/generic_64/gnome-latest.tar.xz
###i## tar --numeric-owner --xattrs --xattrs-include='*' -xpf gnome-latest.tar.xz && rm -f gnome-latest.tar.xz
}}

== Load Funtoo ==
* Mount a fresh tmpfs on /run. With no size option a tmpfs may grow to half of RAM, which is what the compile-in-RAM step below relies on:

{{console|body=
###i## mount -t tmpfs tmpfs /run
}}

* Mount the pseudo-filesystems into the new root:

{{console|body=
###i## cd /mnt/funtoo && mount -t proc none proc
###i## mount --rbind /sys sys
###i## mount --rbind /dev dev
###i## mount --rbind /run run
}}

* Chroot in with a clean environment:

{{console|body=
###i## cd /mnt/funtoo && env -i HOME=/root TERM=$TERM chroot . bash -l
}}

* Set the root password, the hostname, a resolver for the install (Cloudflare's 1.1.1.1 in this example) and your time zone (the example uses America/Detroit; pick yours from /usr/share/zoneinfo):

{{console|body=
###i## passwd
###i## echo 'hostname="crypto"' > /etc/conf.d/hostname
###i## echo "nameserver 1.1.1.1" > /etc/resolv.conf
###i## ln -sf /usr/share/zoneinfo/America/Detroit /etc/localtime
}}
=== Load your fstab ===
* Deploy your fstab. The root entry must name the dm-crypt mapping, not /dev/sdc3, and /boot is found by the FAT label set earlier:

{{console|body=
###i## cat > /etc/fstab << "EOF"
LABEL=BOOT               /boot  vfat   noauto,noatime               1 2
/dev/mapper/dmcrypt_root /      ext4   noatime,nodiratime,defaults  0 1
tmpfs                    /run   tmpfs  rw,nodev,nosuid              0 0
EOF
}}

* Compile in RAM by pointing Portage's temporary directory at the tmpfs. Append to make.conf rather than overwriting it, or you lose the CFLAGS and other defaults the stage ships with. The tmpfs is capped at half of RAM, and the two Debian kernels built below need several GB of scratch space, so drop this line on a small machine:

{{console|body=
###i## echo 'PORTAGE_TMPDIR="/run"' >> /etc/portage/make.conf
}}

* Deploy your package.use file. The luks flag makes debian-sources build an initramfs that can unlock the root; without it the kernel boots but cannot find its root filesystem. The device-mapper flag gives grub-install and grub-probe libdevmapper support so they understand the /dev/mapper device the root lives on. If /etc/portage/package.use already exists as a directory in your stage, write the same lines into a file inside it instead:

{{console|body=
###i## cat > /etc/portage/package.use << "EOF"
sys-kernel/debian-sources luks
sys-kernel/debian-sources-lts luks
sys-boot/grub device-mapper
sys-kernel/linux-firmware initramfs
EOF
}}

* Sync the Portage tree:

{{console|body=
###i## ego sync
}}

* Enable the encrypted-root profile mix-in:

{{console|body=
###i## ego profile mix-in encrypted-root
}}

* Build the bootloader, kernels and tools, then update the rest of the world:

{{console|body=
###i## emerge grub haveged intel-microcode linux-firmware eix cryptsetup debian-sources-lts && emerge debian-sources && emerge -vuND @world
}}

* Set services. Swap is removed from the boot runlevel because there is no swap partition. The root volume itself is unlocked by the initramfs; the device-mapper and dmcrypt services are added early so that any additional dm-crypt volumes listed in /etc/conf.d/dmcrypt are opened before fstab is processed:

{{console|body=
###i## rc-update del swap boot && rc-update add haveged && rc-update add gpm && rc-update add busybox-ntpd
###i## rc-update add device-mapper sysinit
###i## rc-update add dmcrypt sysinit
}}

== Bootloader Configuration ==
=== /etc/boot.conf ===
The params line tells the initramfs where the LUKS container is (crypt_root=, by the GPT partition name set in cgdisk) and which mapped device to mount as root once it is open. The mapper name must match the one used in fstab. This layout has no LVM, so the lvm flag only triggers a volume-group scan that finds nothing; it is harmless.

<pre>
boot {
	generate grub
	default "Funtoo Linux"
	timeout 3
}
"Funtoo Linux" {
	kernel kernel[-v]
	initrd initramfs[-v]
	params += crypt_root=PARTLABEL=FUNTOO lvm luks root=/dev/mapper/dmcrypt_root rootfstype=ext4
}
</pre>

Now, run <code>ego boot update</code> to write the configuration to <code>/boot/grub/grub.cfg</code>. Rerun it whenever a kernel or initramfs is added or <code>/etc/boot.conf</code> changes.

=== Another Example ===
The same configuration using the genkernel-style parameter names (<code>real_root=</code> and <code>dolvm</code>), for an initramfs that expects those. Configure the bootloader as described above, with the correct kernel and initramfs image names. You will be editing <code>/etc/boot.conf</code>:

<pre>
boot {
	generate grub
	default "Funtoo Linux"
	timeout 3
}
"Funtoo Linux" {
	kernel kernel[-v]
	initrd initramfs[-v]
	params += crypt_root=PARTLABEL=FUNTOO dolvm real_root=/dev/mapper/dmcrypt_root rootfstype=ext4
}
</pre>

== GRUB ==
* Install GRUB in legacy (BIOS) mode into the BIOS boot partition created earlier, then generate grub.cfg:

{{console|body=
###i## grub-install --target=i386-pc /dev/sdc
###i## ego boot update
}}

=== EFI from Legacy ===
When the live system was booted in legacy mode, /sys/firmware/efi does not exist and grub-install cannot register an EFI boot entry in NVRAM. /dev/sdc2 is the EFI System Partition and is already mounted at /boot, so use it directly as the EFI directory and install to the removable-media fallback path (EFI/BOOT/BOOTX64.EFI), which firmware finds without an NVRAM entry:

{{console|body=
###i## grub-install --target=x86_64-efi --efi-directory=/boot --removable
}}

=== EFI from EFI ===
When the live system itself was booted through UEFI, make the EFI variables writable and let grub-install create a proper boot entry. The EFI target takes no install device; the ESP is identified by --efi-directory:

{{console|body=
###i## mount -o remount,rw /sys/firmware/efi/efivars
###i## grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id="Funtoo Linux [GRUB]" --recheck
###i## ego boot update
}}

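Before leaving the chroot it is worth checking that the pieces above agree with each other: a mismatch between fstab, /etc/boot.conf and the images actually installed in /boot is the usual reason an encrypted root drops you into an initramfs shell instead of a login prompt. The script below is an added example, not part of the original howto or of Funtoo's tooling. It reads files under a chroot path (assumed to be /mnt/funtoo, as above) and never touches block devices; the function name check_install and the message texts are this example's own.

```shell
#!/bin/sh
# Pre-reboot consistency check for the encrypted-root layout built above.
# Added example for this page, not part of the original howto. Run it from
# the live environment before "Final steps":   sh check.sh /mnt/funtoo
# It only reads files under the chroot and never touches block devices.
# The function name and all messages are this example's own.

fails=0
ok()   { echo "ok:   $1"; }
fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

check_install() {
    root=${1:-/mnt/funtoo}
    fails=0

    # 1. fstab must mount / from a dm-crypt mapping, never from /dev/sdc3.
    mapper=$(awk '$2 == "/" && $1 ~ /^\/dev\/mapper\// { print $1; exit }' \
                 "$root/etc/fstab" 2>/dev/null)
    if [ -n "$mapper" ]; then
        ok "fstab mounts / from $mapper"
    else
        fail "fstab has no / entry backed by /dev/mapper/*"
    fi

    # 2. boot.conf params must name the LUKS source (crypt_root=) and the
    #    same mapper device fstab expects; root= and real_root= both count.
    params=$(sed -n 's/^[[:space:]]*params[[:space:]]*+=[[:space:]]*//p' \
                 "$root/etc/boot.conf" 2>/dev/null)
    case " $params " in
        *" crypt_root="*) ok "boot.conf sets crypt_root=" ;;
        *)                fail "boot.conf params lack crypt_root=" ;;
    esac
    case " $params " in
        *"root=$mapper "*) ok "boot.conf root device matches fstab" ;;
        *) fail "boot.conf root= does not match fstab mapper '$mapper'" ;;
    esac

    # 3. Images that boot.conf's kernel[-v] / initramfs[-v] patterns pick up.
    if ls "$root"/boot/kernel-* >/dev/null 2>&1; then
        ok "kernel image present"
    else
        fail "no /boot/kernel-* image"
    fi
    if ls "$root"/boot/initramfs-* >/dev/null 2>&1; then
        ok "initramfs present"
    else
        fail "no /boot/initramfs-* image (debian-sources needs USE=luks)"
    fi

    # 4. grub.cfg must exist and carry the crypt_root parameter, i.e.
    #    'ego boot update' ran after boot.conf was written.
    if grep -q 'crypt_root=' "$root/boot/grub/grub.cfg" 2>/dev/null; then
        ok "grub.cfg carries crypt_root="
    else
        fail "grub.cfg missing or lacks crypt_root= (run ego boot update)"
    fi

    # 5. package.use (file or directory) must give debian-sources the luks flag.
    if grep -rqs 'debian-sources.*luks' "$root/etc/portage/package.use"; then
        ok "debian-sources has USE=luks"
    else
        fail "package.use does not set luks for sys-kernel/debian-sources"
    fi

    # 6. An EFI image is optional (BIOS-only installs have none): note only.
    if ls "$root"/boot/EFI/*/* >/dev/null 2>&1; then
        ok "EFI GRUB image present under /boot/EFI"
    else
        echo "note: no image under /boot/EFI (fine for a BIOS-only install)"
    fi

    echo "$fails problem(s) found"
    [ "$fails" -eq 0 ]
}

if [ "$#" -gt 0 ]; then
    check_install "$1"
fi
```

A non-zero exit means at least one FAIL line was printed; fix the cause and rerun before unmounting. The check deliberately compares the mapper name in fstab against the one in boot.conf rather than against a hard-coded dmcrypt_root, so it still works if you chose a different mapping name consistently.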
== Final steps ==
Exit the chroot, unmount everything, close the encrypted volume and reboot. Closing the mapping before rebooting flushes the filesystem and confirms that nothing still holds the device open:

{{console|body=
###i## exit
###i## cd ..
###i## umount -lR funtoo
###i## cryptsetup luksClose dmcrypt_root
}}

After reboot you will see output along these lines. This sample was captured on an older system that had LVM volumes on top of dm-crypt and its container on /dev/sda2; with the layout built here the volume-group lines do not appear and the prompt names /dev/sdc3.

<console>
>>> better-initramfs started. Kernel version 2.6.35-gentoo-r10
>>> Create all the symlinks to /bin/busybox.
>>> Initiating /dev/dir
>>> Getting LVM volumes up (if any)
Reading all physical volumes. This may take a while...
No volume group found
No volume group found
>>> Opening encrypted partition and mapping to /dev/mapper/dmcrypt_root
Enter passphrase for /dev/sda2:
</console>

Type your passphrase.

<console>
>>> Again, getting LVM volumes up (if any, after map dmcrypt).
Reading all physical volumes. This may take a while...
Found volume group "vg" using metadata type lvm2
4 logical volume(s) in volume group "vg" now active
>>> Mounting rootfs to /newroot
>>> Umounting /sys and /proc.
>>> Switching root to /newroot and executing /sbin/init.
INIT: version 2.88 booting
Loading /libexec/rc/console/keymap
OpenRC 0.6.1 is starting up Funtoo Linux (x86_64)
...boot messages omitted for clarity

orion login: oleg
Password:
Last login: Thu Oct 14 20:49:21 EEST 2010 on tty1
oleg@orion ~ %
</console>

== Management ==
=== Change your LUKS-encrypted drive's passphrase ===
You may want to change your encrypted volume's passphrase from time to time. To do so, run the following command in the console as root. The device is the LUKS container itself (/dev/sdc3 in this howto), not the /dev/mapper device:

{{console|body=
###i## cryptsetup luksChangeKey /dev/sdc3
}}

You'll be prompted to enter the existing passphrase first, then the new passphrase. luksChangeKey replaces the key slot in place and you will not be asked to confirm the new passphrase, so be careful when running this operation: with a single key slot and no swap or other copy of the key, a mistyped new passphrase locks you out of the data for good. Passing -y (--verify-passphrase) makes cryptsetup ask for the new passphrase twice.

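An added example, not part of the original page, of the safer way to rotate the passphrase: instead of overwriting the slot with luksChangeKey, add the new passphrase to a free slot, prove that it unlocks the volume, and only then remove the old one. A header backup is taken first, because the LUKS header holds every key slot and a damaged header loses the data regardless of passphrase. The function name luks_rotate, the argument layout and the messages are this example's own; the cryptsetup subcommands are standard. It assumes the passphrases sit in files with no trailing newline (a newline in the file becomes part of the passphrase, and you would not type one at the boot prompt), and it must run as root against the raw partition (/dev/sdc3 here), never against /dev/mapper/dmcrypt_root.

```shell
#!/bin/sh
# Safe LUKS passphrase rotation: add, test, then remove, instead of luksChangeKey.
# Added example for this page, not part of the original howto. The function
# name, argument layout and messages are this example's own; the cryptsetup
# subcommands and options are standard.
# Usage (as root):
#   luks_rotate /dev/sdc3 /root/old.key /root/new.key /root/sdc3-header.img
# Key files hold the passphrase exactly as typed at the boot prompt, with no
# trailing newline (write them with printf, not echo), and should be shredded
# afterwards; the header backup must be kept somewhere safe and off this disk.

luks_rotate() {
    dev=$1; old=$2; new=$3; backup=$4

    # Header backup first; refuse to clobber an existing backup.
    if [ -e "$backup" ]; then
        echo "refusing to overwrite existing backup $backup" >&2
        return 1
    fi
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "$backup" || return 1

    # The old passphrase must still unlock the volume before anything changes.
    cryptsetup open --test-passphrase --key-file "$old" "$dev" || {
        echo "old passphrase does not unlock $dev" >&2; return 1; }

    # Add the new passphrase to a free key slot; the old one authorises it.
    cryptsetup luksAddKey --key-file "$old" "$dev" "$new" || return 1

    # Prove the new slot works before touching the old one.
    cryptsetup open --test-passphrase --key-file "$new" "$dev" || {
        echo "new passphrase does not unlock $dev; old slot kept" >&2
        return 1; }

    # luksRemoveKey deletes exactly the slot that this passphrase unlocks,
    # so no slot number has to be guessed.
    cryptsetup luksRemoveKey "$dev" "$old" || return 1

    # Final state: the new passphrase works and the old one is gone.
    cryptsetup open --test-passphrase --key-file "$new" "$dev" || return 1
    if cryptsetup open --test-passphrase --key-file "$old" "$dev" 2>/dev/null; then
        echo "old passphrase still unlocks $dev after luksRemoveKey" >&2
        return 1
    fi
    echo "rotated passphrase on $dev; header backup in $backup"
}

if [ "$#" -eq 4 ]; then
    luks_rotate "$1" "$2" "$3" "$4"
fi
```

Every step that could leave the volume in a worse state than before is preceded by a check that the previous state still works, and the old slot is only removed after the new one has been shown to open the container; if anything fails in between, both passphrases remain valid and nothing is lost.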
== Additional links and information ==
* [[gentoo-wiki:Root filesystem over LVM2, DM-Crypt and RAID|Root filesystem over LVM2, DM-Crypt, and RAID]]
* [http://wiki.archlinux.org/index.php/System_Encryption_with_LUKS_for_dm-crypt System Encryption with LUKS for dm-crypt]
* [https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS Arch Wiki: encrypting an entire system (LVM on LUKS)]
* [http://en.wikipedia.org/wiki/Logical_volume_management Wikipedia article on LVM]
* [https://wiki.archlinux.org/index.php/Dm-crypt_with_LUKS Arch Wiki: dm-crypt with LUKS]

[[Category:HOWTO]]