Changes

Jump to: navigation, search

Rootfs over encrypted lvm

2,353 bytes added, 1 year ago
Better-initramfs
== Prepare the hard drive and partitions ==
This is an example (and simple) partition scheme, you . You may want to choose differently.<code>/dev/sda1</code> used as <code>/boot</code>. <code>/dev/sda2</code> will be encrypted drive with LVM.
* <code>/dev/sda1</code> -- <code>/boot</code> partition.
* <code>/dev/sda2</code> -- BIOS boot partition (not needed for MBR - Note: this is only needed required if you are using GPT) This step required booting via EFI, or for booting with GRUB2. For more info, see: [http://www.funtoo.org/Funtoo_Linux_Installation#Prepare_Hard_Disk] for more information on GPT and MBR. )
* <code>/dev/sda3</code> -- <code>/</code> partition, will be the drive with LUKS and LVM.
 
With UEFI:
* <code>/dev/sda1</code> -- <tt>/boot</tt>
* <code>/dev/sda2</code> -- <tt>/</tt> partition
=== Wipe the hard drive ===
{{Fancywarning|This action will destroy all data on the disk.}}
<console>
# ##i##gdisk /dev/sda
GPT data structures destroyed! You may now partition the disk using fdisk or other utilities.
Blank out MBR?: ##i##y ↵
</console>
{{Fancywarning|This action will destroy all data on the disk.}}
 
== Encrypting the drive ==
Read more about different cipher options here: [http://blog.wpkg.org/2009/04/23/cipher-benchmark-for-dm-crypt-luks/]
<console>
# ##i##cryptsetup --cipher aes-xts-plain64 luksFormat /dev/sda3
</console>
{{Note}} You will get a message about reaching Or use SHA512 for increase security. Do NOT use SHA-1: LUKS disk encryption. As the end of the device when the <code>dd<cryptography expert Bruce Schneier already told in year 2005, do not use SHA-1 because its broken. See his article here: [http://code> command has finishedwww.schneier. This behavior is intendedcom/blog/archives/2005/02/sha1_broken.html]
= Encrypting the drive =
<console>
# ##i##cryptsetup --cipher aestwofish-xts-plain64 --hash sha512 --key-size 256 luksFormat /dev/sda3</console> {{Warning|Support for ''twofish-xts-plain64'' is '''NOT''' in the default debian-kernel. You will need to configure and compile your own kernel if you choose this.}} == Change your LUKs-encrypted drive's passphrase ==You may want to change your encrypted volume’s passphrase or password from time to time. To do so, run the following commands in the console as root: <console># ##i##cryptsetup luksChangeKey /dev/sda3</console> You'll be prompted to enter in the existing passphrase first, then to enter in your new passphrase. You will not be asked to confirm your new passphrase, so be careful when running this operation.  == Initializes the volume ==Initializes the volume, and sets an initial key or passphrase:<console>
# ##i##cryptsetup luksOpen /dev/sda3 dmcrypt_root
</console>
There you'll be prompted to enter your password phrase for encrypted drive, type your paranoid password there.
{{Fancywarning|The default keymap at boot time is '''us'''. If you enter your passphrase using a different keymap, you won't be able to unlock your crypt volume if the passphrase contains any characters that are located elsewere on your keyboard layout that with the us layout.}}
= Create logical volumes =
<console>
</console>
Feel free to specify your desired size by altering the numbers after the -L flag. For example, to make your portage dataset 20GB's, use the flag -L20G instead of -L5G.
{{Note|Please, notice that above mentioned partitioning scheme is an example and not a default recommendation, change it accordingly to desired scheme.}}
= Create a filesystem on volumes =
# ##i##mount /dev/mapper/vg-home /mnt/funtoo/home
</console>
Now perform all the steps required for basic system install, please follow the [http://docs.funtoo.org/wiki/Funtoo_Linux_Installation[Funtoo Linux Installation]]Guide, but don't forget to emerge the following before your install is finished:
* '''cryptsetup'''
= Editing the fstab =
Fire up your favorite text editor to edit <code>/etc/fstab</code>. You want to put the following in the file:
 {{Filefile|name=/etc/fstab|<pre>desc= |body=
# <fs> <mountpoint> <type> <opts> <dump/pass>
/dev/sda1 /boot ext2 noauto,noatime 1 2
/dev/mapper/vg-portage /usr/portage ext4 noatime,nodiratime 0 0
/dev/mapper/vg-home /home ext4 noatime,nodiratime 0 0
</pre>}}
== Kernel options =={{Note}}|This part is particularly important: pay close attention. }}<br>Note: If you are using debian-sources as included in mid-May 2015 and later Funtoo stages, you do <em>not</em> need to rebuild the kernel. The following instructions are for other kernels that you may choose to install.
{{kernelop
| <br> title=|<pre>desc=
General setup --->
[*] Initial RAM filesystem and RAM disk (initramfs/initrd) support
</pre>}} 
{{kernelop
| <br> title=|<pre>desc=
Device Drivers --->
Generic Driver Options --->
[*] Maintain a devtmpfs filesystem to mount at /dev
</pre>}} 
{{kernelop
| <br> title=|<pre>desc=
Device Drivers --->
[*] Multiple devices driver support --->
<*>Device Mapper Support
<*> Crypt target support
</pre>}} 
{{kernelop
| <br> title=|<pre>desc=
Cryptographic API --->
<*> XTS support
-*-AES cipher algorithms
</pre>}}
= Initramfs setup and configuration =
== Better-initramfs ==
{{Note|As of August 2016, better-initramfs is not required with debian-sources as included in current Funtoo stages. Unless you are doing something not with debian-sources as comes with the Funtoo stage, you can safely skip to the section on editing <code>/etc/boot.conf</code>.}}
'''Build your initramfs with [https://bitbucket.org/piotrkarbowski/better-initramfs better-initramfs] project.'''
{{note}}Note|better-initramfs supports neither dynamic modules nor udev, so you should compile your kernel with built-in support for your block devicesand file system support.}}
<console>
# ##i##cd /opt
# ##i##git clone githttps://githubbitbucket.comorg/slashbeastpiotrkarbowski/better-initramfs.git
# ##i##cd better-initramfs
# ##i##less README.rst
# ##i##less ChangeLog
</console>
{{Note}}|Please read the ChangeLog carefuly and perform necessary updates to <code>/etc/boot.conf</code>. Also, please backup the working <code>/boot/initramfs.cpio.gz</code> and <code>/etc/boot.conf</code> before updating better-initramfs.}}Alternatively and much faster is to install better-initramfs-bin package, recently added to Funtoo's portage tree:<console># ##i##emerge better-initramfs-bin</console>
== Genkernel ==
== Bootloader Configuration ==
=== Grub2 configuration ===
Emerge Grub2 with device-mapper support
<console>
# ##i##echo 'sys-boot/grub device-mapper' >> /etc/portage/package.use/grub
# ##i##emerge grub
</console>
 
==== better-initramfs ====
An example <code>/etc/boot.conf</code> for better-initramfs:
{{File|/etc/boot.conf|<pre>
boot {
generate grub
}
"Funtoo Linux" {
kernel bzImagevmlinuz[-v]
initrd /initramfs.cpio.gz
params += enc_root=/dev/sda3 lvm luks root=/dev/mapper/vg-root rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet
}</pre>}}
Now, run <code>boot-update</code> to write the configuration files to <code>/boot/grub/grub.cfg</code>
Configure the bootloader as described above, with correct kernel and initramfs images names. An example for genkernel and grub2. You will be editing <code>/etc/boot.conf</code>:
{{File|/etc/boot.conf|<pre>
boot {
generate grub
}
"Funtoo Linux" {
kernel kernel-genkernel-x86_64-23.613.390 initrd initramfs-genkernel-x86_64-23.613.390
params += crypt_root=/dev/sda3 dolvm real_root=/dev/mapper/vg-root rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet
}</pre>}}
=== Lilo configuration ===
For oldschool geeks, an example for lilo bootloader. Emerge lilo with device-mapper support
<console>
</console>
Example <code>/etc/lilo.conf</code>for genkernel:
{{File|/etc/lilo.conf|<pre>
append="init=/linuxrc dolvm crypt_root=/dev/sda2 real_root=/dev/mapper/vg-root"
boot=/dev/sda
initrd=/boot/initramfs-genkernel-x86_64-3.13.0
label=funtoo
</pre>}}
=== Syslinux bootloader setup ===
Syslinux is another advanced bootloader which you can find on all live CD's. Syslinux bootloader does not require additional BIOS boot partition. /dev/sda2 is the root partition.
<console>
# ##i##dd bs=440 conv=notrunc count=1 if=/usr/share/syslinux/gptmbr.bin of=/dev/sda, for GPT partition
</console>
 Example <code>/boot/extlinux/extlinux.conf</code>for better-initramfs
<pre>
LABEL kernel1_bzImage-3.2.1
</pre>
== Final steps ==
Umount everything, close encrypted drive and reboot
<console>
# ##i##umount -l -v /mnt/funtoo/{dev, proc, home, usr/portage, boot}
# ##i##vgchange -a n
# ##i##cryptsetup luksClose /dev/sda2 dmcrypt_root
</console>
After reboot you will get the following:
</console>
== Additional links and information ==
* [[gentoo-wiki:Root filesystem over LVM2, DM-Crypt and RAID|Root filesystem over LVM2, DM-Crypt, and RAID]]
* [http://wiki.archlinux.org/index.php/System_Encryption_with_LUKS_for_dm-crypt System Encryption with LUKS for dm-crypt]
Bureaucrats, Administrators, wiki-admins, wiki-staff
6,315
edits

Navigation menu