Difference between revisions of "Encrypted Root"

From Funtoo
Jump to navigation Jump to search
(Replaced content with " {{warning|out of order}} Category:HOWTO")
Tag: Replaced
Line 1: Line 1:
This howto describes how to setup a swapless encrypted root partition without llvm.
 
{{warning|out of order}}
{{warning|out of order}}
{{warning|This build is currently broken}}
== Prepare the hard drive and partitions ==
*List the device to be partitioned, mine is on /dev/sdc
{{console|body=
###i## lsblk -o name,size,label,partlabel
}}
==Partition==
{{console|body=
###i## cgdisk /dev/sdc}}
delete everything.
{{console|body=
Command: ##i## new ↵
First sector: ##i##↵
Last sector: ##i##+1M ↵
Hex Code: ##i##EF02 ↵
Enter name: ##i##BIOS Boot ↵
}}
scroll down to large chunk of free space:
{{console|body=
Command: ##i##new ↵
First sector: ##i##↵
Last sector: ##i##+128M ↵
Hex Code: ##i##EF00 ↵
Enter name: ##i##BOOT ↵
}}
scroll down to large chunk of free space:
{{console|body=
Command: ##i##new ↵
First sector: ##i##↵
Last sector: ##i##↵
Hex Code: ##i## 8304 ↵
Enter name: ##i##FUNTOO ↵
}}
{{console|body=
                              Disk Drive: /dev/sdc
                            Size: 62333952, 29.7 GiB
Part. #    Size        Partition Type            Partition Name
----------------------------------------------------------------
            1007.0 KiB  free space
  1        1024.0 KiB  BIOS boot partition   BIOS Boot
  2        256.0 MiB  EFI System                BOOT
  3        29.5 GiB    Linux x86-64 root (/)    FUNTOO
}}
{{console|body=
Command: ##i##write ↵
Command: ##i##quit ↵
}}
== Encrypt the drive ==
{{console|body=
# ##i##cryptsetup luksFormat /dev/sdc3
}}
*enter your password
== Initialize the volume ==
Initialize the volume:
{{console|body=
# ##i##cryptsetup luksOpen /dev/sdc3 dmcrypt_root
}}
=== Create your filesystem ===
{{console|body=
###i## mkfs.vfat -F 32 /dev/sdc2
###i## fatlabel /dev/sdc2 "BOOT"
# ##i##mkfs.ext4 /dev/mapper/dmcrypt_root
}}
=== Basic system setup ===
{{console|body=
# ##i##mkdir /mnt/funtoo
# ##i##mount /dev/mapper/dmcrypt_root /mnt/funtoo
# ##i##mkdir  /mnt/funtoo/boot
# ##i##mount /dev/sdc2 /mnt/funtoo/boot
}}
==Get Funtoo Gnome==
You can pull your [[Subarches]] gnome tarball if you wish:
{{console|body=
###i## cd /mnt/funtoo
###i## wget https://build.funtoo.org/1.4-release-std/x86-64bit/generic_64/gnome-latest.tar.xz
###i## tar --numeric-owner --xattrs --xattrs-include='*' -xpf *gnome* && rm -f *gnome*
}}
==Load Funtoo==
*expand your run tmpfs to be half of your ram:
{{console|body=
###i## mount -t tmpfs tmpfs /run
}}
*mount up:
{{console|body=
###i## cd /mnt/funtoo && mount -t proc none proc
mount --rbind /sys sys
mount --rbind /dev dev
mount --rbind /run run
}}
*chroot in:
{{console|body=
###i## cd /mnt/funtoo && env -i HOME=/root TERM=$TERM chroot . bash -l
}}
*Set yo password:
*set yo hostname:
*set cloudflare dns resolution for installing:
*Set yo time zone:
{{console|body=
###i## passwd
###i## echo 'hostname="crypto"' > /etc/conf.d/hostname
###i## echo "nameserver 1.1.1.1" > /etc/resolv.conf
###i## ln -sf /usr/share/zoneinfo/America/Detroit /etc/localtime
}}
=== load your fstab ===
*Deploy your fstab:
{{console|body=
###i## cat > /etc/fstab << "EOF"
LABEL=BOOT /boot vfat noauto,noatime 1 2
/dev/mapper/dmcrypt_root / ext4 noatime,nodiratime,defaults 0 1
tmpfs /run tmpfs rw,nodev,nosuid 0 0
EOF
}}
*compile in ram:
{{console|body=
###i## echo 'PORTAGE_TMPDIR="/run"' > /etc/portage/make.conf
}}
*Deploy your package.use file:
{{console|body=
###i## cat > /etc/portage/package.use << "EOF"
sys-kernel/debian-sources luks
sys-kernel/debian-sources-lts luks
sys-boot/grub device-mapper
sys-kernel/linux-firmware initramfs
EOF
}}
*merge stuff:
{{console|body=
###i## ego sync
}}
*Deploy your ego profile:
{{console|body=
###i## ego profile mix-in encrypted-root
}}
{{console|body=
###i## emerge grub haveged intel-microcode linux-firmware eix cryptsetup debian-sources-lts && emerge debian-sources && emerge -vuND @world
}}
*set services:
{{console|body=
###i## rc-update del swap boot && rc-update add haveged && rc-update add gpm && rc-update add busybox-ntpd
###i## rc-update add device-mapper sysinit
###i## rc-update add dmcrypt sysinit
}}
== Bootloader Configuration ==
=== /etc/boot.conf ===
<pre>
boot {
  generate grub
  default "Funtoo Linux"
  timeout 3
}
"Funtoo Linux" {
kernel kernel[-v]
initrd initramfs[-v]
  params += crypt_root=PARTLABEL=FUNTOO lvm luks root=/dev/mapper/dmcrypt_root rootfstype=ext4
}
</pre>
Now, run <code>ego boot update</code> to write the configuration files to <code>/boot/grub/grub.cfg</code>
=== Another Example ===
Configure the bootloader as described above, with correct kernel and initramfs images names. An example for grub2. You will be editing <code>/etc/boot.conf</code>:
<pre>
boot {
  generate grub
  default "Funtoo Linux"
  timeout 3
}
"Funtoo Linux" {
kernel kernel[-v]
initrd initramfs[-v]
  params += crypt_root=PARTLABEL=FUNTOO dolvm real_root=/dev/mapper/dmcrypt_root  rootfstype=ext4
</pre>
== GRUB ==
*Install grub in legacy mode:
{{console|body=
###i## grub-install --target=i386-pc /dev/sdc
###i## ego boot update}}
=== EFI from Legacy ===
*manually make efi directory:
*remount /dev/sdc2 to /boot/efi:
*install efi images:
{{console|body=
###i## mkdir /boot/efi
###i## mount /dev/sdc2 /boot/efi
###i## grub-install --target=x86_64-efi /boot/efi
}}
=== EFI from EFI ===
{{console|body=
###i##mount -o remount,rw /sys/firmware/efi/efivars
###i##grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id="Funtoo Linux [GRUB]" --recheck /dev/sda
###i##ego boot update
}}
== Final steps ==
exit chroot, unmount everything, close encrypted drive and reboot
{{console|body=
###i## exit
###i## cd ..
###i## umount -lR funtoo
# ##i##cryptsetup luksClose dmcrypt_root
}}
After reboot you will get the following:
<console>
>>> better-initramfs started. Kernel version 2.6.35-gentoo-r10
>>> Create all the symlinks to /bin/busybox.
>>> Initiating /dev/dir
>>> Getting LVM volumes up (if any)
Reding all physical volumes. This make take awhile...
No volume group found
No volume group found
>>> Opening encrypted partition and mapping to /dev/mapper/dmcrypt_root
Enter passphrase fore /dev/sda2:
</console>
Type your password
<console>
>>> Again, getting LVM volumes up (if any, after map dmcrypt).
  Reading all physical volumes.  This may take a while...
  Found volume group "vg" using metadata type lvm2
  4 logical volume(s) in volume group "vg" now active
>>> Mounting rootfs to /newroot
>>> Umounting /sys and /proc.
>>> Switching root to /newroot and executing /sbin/init.
INIT: version 2.88 booting
Loading /libexec/rc/console/keymap
  OpenRC 0.6.1 is starting up Funtoo Linux (x86_64)
...boot messages omitted for clarity
 
orion login: oleg
Password:
Last login: Thu Oct 14 20:49:21 EEST 2010 on tty1
oleg@orion ~ %
</console>
==management==
=== Change your LUKs-encrypted drive's passphrase ===
You may want to change your encrypted volume’s passphrase or password from time to time. To do so, run the following commands in the console as root:
{{console|body=
# ##i##cryptsetup luksChangeKey /dev/sda3
}}
You'll be prompted to enter in the existing passphrase first, then to enter in your new passphrase.
You will not be asked to confirm your new passphrase, so be careful when running this operation.




== Additional links and information ==
* [[gentoo-wiki:Root filesystem over LVM2, DM-Crypt and RAID|Root filesystem over LVM2, DM-Crypt, and RAID]]
* [http://wiki.archlinux.org/index.php/System_Encryption_with_LUKS_for_dm-crypt System Encryption with LUKS for dm-crypt]
* [https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS arch encrypt entire system]
* [http://en.wikipedia.org/wiki/Logical_volume_management Wikipedia article on LVM]
* [https://wiki.archlinux.org/index.php/Dm-crypt_with_LUKS Arch Wiki article]


[[Category:HOWTO]]
[[Category:HOWTO]]

Revision as of 07:12, November 30, 2020

   Warning

out of order

Retrieved from "https://www.funtoo.org/index.php?title=Encrypted_Root&oldid=34521"