Difference between revisions of "User:Pnoecker/full disk encryption"
(→32bit systems: sbat for 32bit usb keys also)
(→Traditional Method: -p mkdir, don't warn if already exists)
(17 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
This howto describes how to setup LVM, boot, swap, and root with dmcrypt LUKS 1 with grub unlocking the encrypted drive. It is a standalone installation walk through, loosely based on the official installations finished product. | This howto describes how to setup LVM, boot, swap, and root with dmcrypt LUKS 1 with grub unlocking the encrypted drive. It is a standalone installation walk through, loosely based on the official installations finished product. | ||
{{warning| You may try this installation method at your own risk! Please note: this guide is outside of the official installation documentation, and cannot be supported. If you choose to use this, we assume you know what you are doing and you are on your own!}} | {{warning|You may try this installation method at your own risk! Please note: this guide is outside of the official installation documentation, and cannot be supported. If you choose to use this, we assume you know what you are doing and you are on your own!}} | ||
*standard lvm install without encryption can be found here: https://www.funtoo.org/User:Pnoecker/standard_install | |||
== Prepare the hard drive and partitions == | == Prepare the hard drive and partitions == | ||
Line 96: | Line 98: | ||
{{console|body=# ##i##mkfs.vfat -F 32 /dev/sdX2}} | {{console|body=# ##i##mkfs.vfat -F 32 /dev/sdX2}} | ||
*label esp system for fstab later on: | |||
{{console|body=# ##i##fatlabel /dev/sdX2 "EFI"}} | |||
'''Create LUKS encrypted volume''' | '''Create LUKS encrypted volume''' | ||
{{Warning| The debian-sources kernel in current stage3 tarballs does not allow for passwords in excess of 63 characters.}} | {{Warning|The debian-sources kernel in current stage3 tarballs does not allow for passwords in excess of 63 characters.}} | ||
{{console|body= | {{console|body= | ||
Line 145: | Line 152: | ||
==Chroot into your new system== | ==Chroot into your new system== | ||
===Traditional Method=== | ===Traditional Method=== | ||
{{console|body=# ##i##mkdir /mnt/funtoo/proc}} | {{console|body=# ##i##mkdir -p /mnt/funtoo/proc}} | ||
{{console|body=# ##i##mount -t proc none /mnt/funtoo/proc}} | {{console|body=# ##i##mount -t proc none /mnt/funtoo/proc}} | ||
{{console|body=# ##i##mkdir /mnt/funtoo/dev}} | {{console|body=# ##i##mkdir -p /mnt/funtoo/dev}} | ||
{{console|body=# ##i##mount --rbind /dev /mnt/funtoo/dev}} | {{console|body=# ##i##mount --rbind /dev /mnt/funtoo/dev}} | ||
{{console|body=# ##i##mkdir /mnt/funtoo/sys}} | {{console|body=# ##i##mkdir -p /mnt/funtoo/sys}} | ||
{{console|body=# ##i##mount --rbind /sys /mnt/funtoo/sys}} | {{console|body=# ##i##mount --rbind /sys /mnt/funtoo/sys}} | ||
{{console|body=# ##i##env -i HOME=/root TERM=$TERM $(which chroot) /mnt/funtoo /bin/bash -l}} | {{console|body=# ##i##env -i HOME=/root TERM=$TERM $(which chroot) /mnt/funtoo /bin/bash -l}} | ||
Line 180: | Line 187: | ||
'''Configure /etc/fstab''' | '''Configure /etc/fstab''' | ||
*if installing to xfs change ext4 to xfs | |||
{{console|body=# ##i##cat > /etc/fstab << 'EOF' | {{console|body=# ##i##cat > /etc/fstab << 'EOF' | ||
/dev/mapper/vg-swap none swap sw 0 0 | /dev/mapper/vg-swap none swap sw 0 0 | ||
/dev/mapper/vg-root / ext4 noatime,nodiratime,defaults 0 1 | /dev/mapper/vg-root / ext4 noatime,nodiratime,defaults 0 1 | ||
tmpfs /var/tmp/portage tmpfs uid=portage,gid=portage,mode=775,noatime 0 0 | tmpfs /var/tmp/portage tmpfs uid=portage,gid=portage,mode=775,noatime 0 0 | ||
LABEL=EFI /boot/efi vfat umask=0077 0 1 | |||
EOF}} | EOF}} | ||
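Review bot: the new fstab line `LABEL=EFI /boot/efi vfat umask=0077 0 1` gives the ESP fsck pass number 1, which by convention is reserved for the root filesystem; a vfat ESP normally gets `0 2` (checked after /) or `0 0` (never checked), so suggest `LABEL=EFI /boot/efi vfat umask=0077 0 2`. The `umask=0077` is right: it keeps the grub config, shim and kernels under /boot/efi unreadable by unprivileged users. The entry also depends on the `fatlabel /dev/sdX2 "EFI"` step earlier in this revision; a short note that the label must match exactly would help readers who skip it.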
Line 201: | Line 210: | ||
{{Note|The UUID parameter is set to the UUID of /dev/sdX3 as found from the blkid command above.}} | {{Note|The UUID parameter is set to the UUID of /dev/sdX3 as found from the blkid command above.}} | ||
{{console|body=# ##i##echo "root UUID=aafe709b-82e7-448f-a2cb-36adc3787dc3 none luks,discard" >> /etc/crypttab}} | {{console|body=# ##i##echo "root UUID=aafe709b-82e7-448f-a2cb-36adc3787dc3 none luks,discard" >> /etc/crypttab}} | ||
==Portage== | ==Portage== | ||
'''Download the portage tree''' | '''Download the portage tree''' | ||
{{console|body=# ##i##ego sync}} | {{console|body=# ##i##ego sync}} | ||
'''Edit package USE-flags''' | '''Edit package USE-flags''' | ||
{{console|body=# ##i##cat > /etc/portage/package.use <<'EOF' | {{console|body=# ##i##cat > /etc/portage/package.use <<'EOF' | ||
*/* device-mapper | */* device-mapper | ||
sys-kernel/linux-firmware initramfs | sys-kernel/linux-firmware initramfs | ||
sys-fs/cryptsetup -dynamic | sys-fs/cryptsetup -dynamic | ||
Line 220: | Line 223: | ||
'''Install necessary packages''' | '''Install necessary packages''' | ||
{{console|body=# ##i##emerge grub haveged intel-microcode linux-firmware cryptsetup lvm2 | {{console|body=# ##i##emerge grub haveged intel-microcode linux-firmware cryptsetup lvm2 iucode_tool shim mokutil}} | ||
'''Update as much world as possible (optional)''' | |||
{{console|body=# ##i##emerge -avuND @world --keep-going}} | |||
'''Configure services to start at boot''' | '''Configure services to start at boot''' | ||
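Review bot: the emerge line now pulls in `shim` and `mokutil` but nothing in this hunk says what they are for or which later step uses them; a sentence stating that shim is copied to the ESP for Secure Boot firmware, and what (if anything) mokutil is expected to enroll, would make the dependency clear. The optional `emerge -avuND @world --keep-going` is fine as an optional step, but `--keep-going` hides individual package failures in the final summary, so readers should be told to review that summary before moving on.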
Line 228: | Line 234: | ||
{{console|body=# ##i##rc-update add haveged default}} | {{console|body=# ##i##rc-update add haveged default}} | ||
{{console|body=# ##i##rc-update add busybox-ntpd default}} | {{console|body=# ##i##rc-update add busybox-ntpd default}} | ||
'''Create /etc/dmtab''' | |||
{{console|body=# ##i##dmsetup table >> /etc/dmtab}} | |||
==Install a bootloader== | ==Install a bootloader== | ||
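Review bot: `dmsetup table >> /etc/dmtab` appends, so running the step twice (for example after a rechroot) leaves duplicate entries in /etc/dmtab; `>` or a check that the file is empty first would be safer. The step also gives no explanation of what consumes /etc/dmtab or which mappings need to be in it, and `dmsetup table` dumps every active mapping, including the `root` crypt mapping and the LVM volumes that the initramfs already activates; document the purpose so readers can judge whether the line is needed on their system.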
Line 241: | Line 250: | ||
kernel kernel[-v] | kernel kernel[-v] | ||
initrd initramfs[-v] | initrd initramfs[-v] | ||
params += crypt_root=UUID=aafe709b-82e7-448f-a2cb-36adc3787dc3 | params += crypt_root=UUID=aafe709b-82e7-448f-a2cb-36adc3787dc3 ramdisk.activate=luks,lvm real_root=auto rootfstype=auto resume=/dev/mapper/vg-swap quiet | ||
} | } | ||
EOF}} | EOF}} | ||
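Review bot: the extended params line ends with `quiet`, which suppresses exactly the ramdisk messages (luks unlock, lvm activation, resume lookup) a reader needs when the first encrypted boot fails; suggest leaving `quiet` off until one successful boot has been confirmed, then adding it. The rest of the additions (`ramdisk.activate=luks,lvm real_root=auto rootfstype=auto resume=/dev/mapper/vg-swap`) are consistent with each other: the swap LV used for resume is only reachable after the lvm activation the same line requests.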
Line 257: | Line 266: | ||
*load efi directory: | *load efi directory: | ||
{{console|body= | {{console|body= | ||
###i## mkdir / | ###i## mkdir /boot/efi | ||
###i## mount / | ###i## mount /boot/efi | ||
}} | }} | ||
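Review bot: `mount /boot/efi` with no device relies on the `LABEL=EFI /boot/efi` fstab entry added in this same revision; if that entry is missing or the label was not set, the command fails and every following grub-install writes into a plain directory on the encrypted root that the firmware can never see. Suggest adding a verification step such as `mountpoint -q /boot/efi || echo "ESP not mounted"` right after the mount, before installing grub.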
Line 270: | Line 279: | ||
===64bit systems=== | ===64bit systems=== | ||
{{console|body=# ##i##grub-install --target=x86_64-efi --sbat /usr/share/grub/sbat.csv --efi-directory=/ | {{console|body=# ##i##grub-install --target=x86_64-efi --sbat /usr/share/grub/sbat.csv --efi-directory=/boot/efi --bootloader-id="Funtoo" --recheck /dev/sdX}} | ||
{{console|body= | {{console|body= | ||
###i## cp /usr/share/shim/BOOTX64.EFI /usr/share/shim/mmx64.efi / | ###i## cp /usr/share/shim/BOOTX64.EFI /usr/share/shim/mmx64.efi /boot/efi/EFI/Funtoo | ||
}} | }} | ||
*For usb keys & removable drives: | *For usb keys & removable drives: | ||
{{console|body=# ##i##grub-install --target=x86_64-efi --sbat /usr/share/grub/sbat.csv --efi-directory=/ | {{console|body=# ##i##grub-install --target=x86_64-efi --sbat /usr/share/grub/sbat.csv --efi-directory=/boot/efi --bootloader-id="BOOT" --no-nvram --recheck /dev/sdX}} | ||
{{console|body= | {{console|body= | ||
###i## cp /usr/share/shim/BOOTX64.EFI /usr/share/shim/mmx64.efi / | ###i## cp /usr/share/shim/BOOTX64.EFI /usr/share/shim/mmx64.efi /boot/efi/EFI/BOOT | ||
}} | }} | ||
===32bit systems=== | ===32bit systems=== | ||
{{console|body=# ##i##grub-install --target=i386-efi --sbat /usr/share/grub/sbat.csv --efi-directory=/ | {{console|body=# ##i##grub-install --target=i386-efi --sbat /usr/share/grub/sbat.csv --efi-directory=/boot/efi --bootloader-id="Funtoo" --recheck /dev/sdX}} | ||
{{console|body= | {{console|body= | ||
###i## cp /usr/share/shim/BOOTIA32.EFI /usr/share/shim/mmia32.efi / | ###i## cp /usr/share/shim/BOOTIA32.EFI /usr/share/shim/mmia32.efi /boot/efi/EFI/Funtoo | ||
}} | }} | ||
*For usb keys & removable drives: | *For usb keys & removable drives: | ||
{{console|body=# ##i##grub-install --target=i386-efi --sbat /usr/share/grub/sbat.csv --efi-directory=/ | {{console|body=# ##i##grub-install --target=i386-efi --sbat /usr/share/grub/sbat.csv --efi-directory=/boot/efi --bootloader-id="BOOT" --no-nvram --recheck /dev/sdX}} | ||
{{console|body= | {{console|body= | ||
###i## cp /usr/share/shim/BOOTIA32.EFI /usr/share/shim/mmia32.efi / | ###i## cp /usr/share/shim/BOOTIA32.EFI /usr/share/shim/mmia32.efi /boot/efi/EFI/BOOT | ||
}} | }} | ||
====Generate Grub menu==== | ====Generate Grub menu==== | ||
'''Generate a new initramfs''' | '''Generate a new initramfs that supports encryption''' | ||
{{console|body=# ##i##genkernel --clean --luks --lvm --disklabel --ramdisk-modules --fullname=$(ls /boot/initramfs-* {{!}} tail -c +17) initramfs}} | {{console|body=# ##i##genkernel --clean --luks --lvm --disklabel --ramdisk-modules --fullname=$(ls /boot/initramfs-* {{!}} tail -c +17) initramfs}} | ||
====Generate Grub menu==== | |||
{{console|body=# ##i##ego boot update}} | |||
==Finishing installation== | ==Finishing installation== | ||
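Review bot: for the fixed-disk variants, `grub-install --bootloader-id="Funtoo"` registers an NVRAM boot entry that launches `EFI/Funtoo/grubx64.efi` directly, while the shim copied beside it as `BOOTX64.EFI` is never registered, so a firmware with Secure Boot enabled will still try the unsigned grub image and refuse it; either add an `efibootmgr` entry for `\EFI\Funtoo\BOOTX64.EFI` or state that shim is only reached through the removable-media fallback path (`EFI/BOOT`), which is what the `--no-nvram` variants rely on. Also, this hunk now has two `====Generate Grub menu====` headings: the original one sits above "Generate a new initramfs that supports encryption" and a second one was added above `ego boot update`; drop the first and retitle the initramfs step.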
Line 321: | Line 332: | ||
{{console|body= | {{console|body= | ||
###i## cryptsetup open /dev/sdX3 root | ###i## cryptsetup open /dev/sdX3 root | ||
###i## mkdir /mnt/funtoo | |||
###i## mount /dev/mapper/vg-root /mnt/funtoo | ###i## mount /dev/mapper/vg-root /mnt/funtoo | ||
###i## cd /mnt/funtoo | ###i## cd /mnt/funtoo | ||
###i## fchroot . | ###i## fchroot . | ||
}} | |||
*remount efi: | |||
{{console|body= | |||
###i## mount /boot/efi | |||
}} | |||
If you intend to compile in ram again, mount /var/tmp/portage | |||
{{console|body= | |||
###i## mount /var/tmp/portage | |||
}} | |||
update available ebuilds, and rebuild world: | |||
{{console|body= | |||
###i## ego sync && emerge -avuND @world | |||
}} | }} | ||
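Review bot: `mkdir /mnt/funtoo` in the rechroot block lacks the `-p` that this same revision added to the chroot section, so on a live medium where the directory still exists the step errors out before the mount; use `mkdir -p /mnt/funtoo`. Since `fchroot .` handles proc, dev and sys itself, the remaining steps (mounting /boot/efi and optionally /var/tmp/portage from fstab) are complete.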
Latest revision as of 06:42, May 29, 2024
This howto describes how to set up LVM, boot, swap and root on dm-crypt LUKS1, with GRUB unlocking the encrypted drive. It is a standalone installation walkthrough, loosely based on the end result of the official installation.
You may try this installation method at your own risk! Please note: this guide is outside of the official installation documentation, and cannot be supported. If you choose to use this, we assume you know what you are doing and you are on your own!
- A standard LVM install without encryption can be found here: https://www.funtoo.org/User:Pnoecker/standard_install
Prepare the hard drive and partitions
- Before you begin, make sure you are partitioning the correct drive. For the rest of this tutorial, we will be using /dev/sdX as a placeholder.
root # lsblk
#NAME          MAJ:MIN RM  SIZE RO TYPE      MOUNTPOINT
#sda             8:0    0  1.8T  0 disk
#├─sdX1          8:1    0    1M  0 bios_boot
#├─sdX2          8:2    0    8G  0 esp       /efi
#└─sdX3          8:3    0  1.8T  0 part
#  ├─main-root 254:0    0  500G  0 lvm       /
#  └─main-data 254:1    0  1.3T  0 lvm       /home
link your drive to /dev/sdX
To make following this guide easier, you can set udev rules that link the drive you are installing to as /dev/sdX, so every command below can be copied and pasted. Just replace the KERNEL== value (sda, mmc or nvme) to match your target drive.
- hda/sda drives:
root # echo 'KERNEL=="sda*", SYMLINK+="sdX%n"' > /etc/udev/rules.d/01-funtoo.rules
root # udevadm control --reload-rules
root # udevadm trigger
- mmc/nvme drives:
root # echo 'KERNEL=="mmcblk0", SYMLINK+="sdX"' > /etc/udev/rules.d/01-funtoo.rules
root # echo 'KERNEL=="mmcblk0p*", SYMLINK+="sdX%n"' >> /etc/udev/rules.d/01-funtoo.rules
root # udevadm control --reload-rules
root # udevadm trigger
- verify linking
root # ls -al /dev/sdX*
lrwxrwxrwx 1 root root 3 Jul 31 14:00 /dev/sdX -> sde
lrwxrwxrwx 1 root root 4 Jul 31 14:00 /dev/sdX1 -> sde1
lrwxrwxrwx 1 root root 4 Jul 31 14:00 /dev/sdX2 -> sde2
Partition
UEFI Partitioning
root # gdisk /dev/sdX
Within gdisk, follow these steps:
Empty the partition table:
Command: o ↵
This option deletes all partitions and creates a new protective MBR.
Proceed? (Y/N): y ↵
Create bios boot partition:
Command: n ↵
Partition Number: 1 ↵
First sector: ↵
Last sector: +1M ↵
Hex Code: EF02 ↵
Create efi esp partition:
Command: n ↵
Partition Number: 2 ↵
First sector: ↵
Last sector: +64M ↵
Hex Code: EF00 ↵
Create partition which will be encrypted with LUKS:
Command: n ↵
Partition Number: 3 ↵
First sector: ↵
Last sector: ↵ (for rest of disk)
Hex Code: 8309 ↵
Write Partition Table To Disk:
Command: w ↵
Do you want to proceed? (Y/N): Y ↵
The partition table will now be written to the disk and gdisk will close.
Create and mount filesystems.
Create esp filesystem
root # mkfs.vfat -F 32 /dev/sdX2
- label esp system for fstab later on:
root # fatlabel /dev/sdX2 "EFI"
Create LUKS encrypted volume
The debian-sources kernel in current stage3 tarballs does not allow for passwords in excess of 63 characters.
root # cryptsetup luksFormat --type luks1 /dev/sdX3
Open newly created LUKS volume
root # cryptsetup open /dev/sdX3 root
Create LVM volumes for / and swap
root # pvcreate /dev/mapper/root
root # vgcreate vg /dev/mapper/root
Replace "2G" with the amount of swap you would like to make available.
root # lvcreate -L2G --name swap vg
root # lvcreate -l 100%FREE --name root vg
The "-l 100%FREE" option above uses the remainder of the disk for your root volume. If you would prefer separate volumes for /home or /var (for example), you can instead keep using the "-LXXG" option for fixed sizes.
Create filesystems on LVM volumes
root # mkswap /dev/mapper/vg-swap
- for ext4:
root # mkfs.ext4 /dev/mapper/vg-root
- for xfs:
root # mkfs.xfs /dev/mapper/vg-root
Create directories for chroot
root # mkdir -p /mnt/funtoo
Mount filesystems
root # mount /dev/mapper/vg-root /mnt/funtoo
Set the date
See the official Funtoo docs on setting the date.
Install the Funtoo stage tarball of your choice
These instructions will be using the generic64 next minimal stage3. You should adjust them accordingly.
or a stage more closely aligned to your hardware:
or funtoo from scratch generated stages:
root # cd /mnt/funtoo
root # wget https://build.funtoo.org/next/x86-64bit/generic_64/2022-09-13/stage3-generic_64-next-2022-09-13.tar.xz
root # tar --numeric-owner --xattrs --xattrs-include='*' -xpf *stage3*.tar.xz && rm -f *stage3*.tar.xz
Chroot into your new system
Traditional Method
root # mkdir -p /mnt/funtoo/proc
root # mount -t proc none /mnt/funtoo/proc
root # mkdir -p /mnt/funtoo/dev
root # mount --rbind /dev /mnt/funtoo/dev
root # mkdir -p /mnt/funtoo/sys
root # mount --rbind /sys /mnt/funtoo/sys
root # env -i HOME=/root TERM=$TERM $(which chroot) /mnt/funtoo /bin/bash -l
Fchroot Method
root # fchroot .
Configure your system
Set a new root password
root # passwd
Set hostname
root # echo 'hostname="FullEncryption"' > /etc/conf.d/hostname
Set up DNS resolution
We are using the Cloudflare DNS server address here. Feel free to use your own.
root # echo "nameserver 1.1.1.1" > /etc/resolv.conf
Set your timezone
root # ln -sf /usr/share/zoneinfo/$(tzselect) /etc/localtime
Note your filesystem information
root # blkid
/dev/sdX2: UUID="6453-0C55" TYPE="vfat" PARTLABEL="efi" PARTUUID="4e195c4b-f88c-4205-b9df-79a879704b2f"
/dev/sdX3: UUID="aafe709b-82e7-448f-a2cb-36adc3787dc3" TYPE="crypto_LUKS" PARTLABEL="system" PARTUUID="93d0cf9b-0b95-4d8b-919f-48cd1774996f"
/dev/mapper/root: UUID="hvz79n-I2VE-nR1c-0hDQ-PVkR-3GRb-rnuJ9C" TYPE="LVM2_member"
/dev/mapper/vg-swap: UUID="a9188bc3-7def-422b-990d-9de431825779" TYPE="swap"
/dev/mapper/vg-root: UUID="2eaf45e6-d33b-4155-b4ca-63a2fdbfb896" TYPE="ext4"
Configure /etc/fstab
- if installing to xfs change ext4 to xfs
root # cat > /etc/fstab << 'EOF'
/dev/mapper/vg-swap none swap sw 0 0
/dev/mapper/vg-root / ext4 noatime,nodiratime,defaults 0 1
tmpfs /var/tmp/portage tmpfs uid=portage,gid=portage,mode=775,noatime 0 0
LABEL=EFI /boot/efi vfat umask=0077 0 1
EOF
compile in ram:
root # mkdir /var/tmp/portage
root # chown portage:portage /var/tmp/portage
root # mount /var/tmp/portage
or exclude compiling in ram if your machine's not powerful enough:
root # umount /var/tmp/portage
Create /etc/crypttab
The UUID parameter is set to the UUID of /dev/sdX3 as found from the blkid command above.
root # echo "root UUID=aafe709b-82e7-448f-a2cb-36adc3787dc3 none luks,discard" >> /etc/crypttab
Portage
Download the portage tree
root # ego sync
Edit package USE-flags
root # cat > /etc/portage/package.use <<'EOF'
*/* device-mapper
sys-kernel/linux-firmware initramfs
sys-fs/cryptsetup -dynamic
EOF
Install necessary packages
root # emerge grub haveged intel-microcode linux-firmware cryptsetup lvm2 iucode_tool shim mokutil
Update as much world as possible (optional)
root # emerge -avuND @world --keep-going
Configure services to start at boot
root # rc-update add device-mapper sysinit
root # rc-update add dmcrypt sysinit
root # rc-update add lvmetad sysinit
root # rc-update add haveged default
root # rc-update add busybox-ntpd default
Create /etc/dmtab
root # dmsetup table >> /etc/dmtab
Install a bootloader
Configure /etc/boot.conf
The UUID parameter is set to the UUID of /dev/sdX3 as found from the blkid command above.
root # cat > /etc/boot.conf <<'EOF'
boot {
    generate grub
    default "Funtoo Linux"
    timeout 3
}
"Funtoo Linux" {
    kernel kernel[-v]
    initrd initramfs[-v]
    params += crypt_root=UUID=aafe709b-82e7-448f-a2cb-36adc3787dc3 ramdisk.activate=luks,lvm real_root=auto rootfstype=auto resume=/dev/mapper/vg-swap quiet
}
EOF
Install GRUB
For BIOS systems & UEFI legacy mode support
root # echo "GRUB_ENABLE_CRYPTODISK=y" >> /etc/default/grub
root # grub-install --target=i386-pc --no-floppy /dev/sdX
For UEFI systems
root # mount -o remount,rw /sys/firmware/efi/efivars
Install grub & shim
- load efi directory:
root # mkdir /boot/efi
root # mount /boot/efi
- generate a sbat file to install with grub:
root # cat > /usr/share/grub/sbat.csv << EOF
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,1,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
EOF
64bit systems
root # grub-install --target=x86_64-efi --sbat /usr/share/grub/sbat.csv --efi-directory=/boot/efi --bootloader-id="Funtoo" --recheck /dev/sdX
root # cp /usr/share/shim/BOOTX64.EFI /usr/share/shim/mmx64.efi /boot/efi/EFI/Funtoo
- For usb keys & removable drives:
root # grub-install --target=x86_64-efi --sbat /usr/share/grub/sbat.csv --efi-directory=/boot/efi --bootloader-id="BOOT" --no-nvram --recheck /dev/sdX
root # cp /usr/share/shim/BOOTX64.EFI /usr/share/shim/mmx64.efi /boot/efi/EFI/BOOT
32bit systems
root # grub-install --target=i386-efi --sbat /usr/share/grub/sbat.csv --efi-directory=/boot/efi --bootloader-id="Funtoo" --recheck /dev/sdX
root # cp /usr/share/shim/BOOTIA32.EFI /usr/share/shim/mmia32.efi /boot/efi/EFI/Funtoo
- For usb keys & removable drives:
root # grub-install --target=i386-efi --sbat /usr/share/grub/sbat.csv --efi-directory=/boot/efi --bootloader-id="BOOT" --no-nvram --recheck /dev/sdX
root # cp /usr/share/shim/BOOTIA32.EFI /usr/share/shim/mmia32.efi /boot/efi/EFI/BOOT
Generate a new initramfs that supports encryption
root # genkernel --clean --luks --lvm --disklabel --ramdisk-modules --fullname=$(ls /boot/initramfs-* | tail -c +17) initramfs
root # ego boot update
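Before rebooting, it is worth confirming that the files written in separate steps above agree with each other, since a mismatch between /etc/crypttab, /etc/boot.conf, /etc/default/grub and /etc/fstab only shows up as an unbootable system. The following POSIX shell script is an added example, not part of the Funtoo wiki page: it compares the LUKS UUID in crypttab with the crypt_root= value in boot.conf, checks GRUB_ENABLE_CRYPTODISK and the ESP fstab entry, and, when a device such as /dev/sdX3 is passed and cryptsetup is available, verifies the header is LUKS1 as formatted by this howto. All file paths are arguments (defaults shown in the comments) so it can also be run against copies.

```shell
#!/bin/sh
# Pre-reboot consistency check for the layout this howto builds (added example,
# not part of the Funtoo wiki page). Paths are arguments; defaults are the files
# the howto writes, so it can run inside the chroot or against copies.
# Print the UUID of the "root" mapping in a crypttab file (empty if absent).
crypttab_uuid() {
    awk '$1 == "root" && $2 ~ /^UUID=/ { sub(/^UUID=/, "", $2); print $2; exit }' "$1"
}
# Print the crypt_root=UUID=... value from the boot.conf params line.
bootconf_uuid() {
    sed -n 's/.*crypt_root=UUID=\([0-9a-fA-F-]*\).*/\1/p' "$1" | head -n 1
}
# 0 if /etc/default/grub enables LUKS unlocking in the grub core image.
grub_cryptodisk_enabled() {
    grep -q '^GRUB_ENABLE_CRYPTODISK=y$' "$1"
}
# 0 if fstab mounts the ESP by the label set with fatlabel and keeps its
# contents (grub config, shim, kernels) unreadable by unprivileged users.
fstab_esp_ok() {
    awk '$1 == "LABEL=EFI" && $2 == "/boot/efi" && $4 ~ /umask=0077/ { ok = 1 }
         END { exit !ok }' "$1"
}
# Read "cryptsetup luksDump" output on stdin and print the header version.
luks_version_from_dump() {
    awk '/^Version:/ { print $2; exit }'
}
# Run every check; returns 0 only when all findings are "ok".
# $1 crypttab, $2 boot.conf, $3 default/grub, $4 fstab, $5 optional LUKS device.
fde_check() {
    rc=0
    ct=$(crypttab_uuid "${1:-/etc/crypttab}")
    bc=$(bootconf_uuid "${2:-/etc/boot.conf}")
    if [ -n "$ct" ] && [ "$ct" = "$bc" ]; then
        echo "ok: crypttab and boot.conf both name LUKS UUID $ct"
    else
        echo "FAIL: crypttab UUID '$ct' vs boot.conf crypt_root UUID '$bc'"; rc=1
    fi
    if grub_cryptodisk_enabled "${3:-/etc/default/grub}"; then
        echo "ok: GRUB_ENABLE_CRYPTODISK=y is set"
    else
        echo "FAIL: GRUB_ENABLE_CRYPTODISK=y missing, grub cannot unlock /boot"; rc=1
    fi
    if fstab_esp_ok "${4:-/etc/fstab}"; then
        echo "ok: ESP mounted by LABEL=EFI with umask=0077"
    else
        echo "FAIL: fstab lacks 'LABEL=EFI /boot/efi vfat umask=0077 ...'"; rc=1
    fi
    # Live check, only when a device is given: this howto formats the volume
    # with "cryptsetup luksFormat --type luks1", so anything else is a mismatch.
    if [ -n "$5" ] && command -v cryptsetup >/dev/null 2>&1; then
        ver=$(cryptsetup luksDump "$5" 2>/dev/null | luks_version_from_dump)
        [ "$ver" = "1" ] && echo "ok: $5 is LUKS1" || { echo "FAIL: $5 is LUKS '$ver'"; rc=1; }
    fi
    return $rc
}
# Usage: sh fde_check.sh /etc/crypttab /etc/boot.conf /etc/default/grub /etc/fstab [/dev/sdX3]
if [ "$#" -gt 0 ]; then fde_check "$@"; fi
```

A non-zero exit means at least one FAIL line was printed; fix that file before leaving the chroot.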
Finishing installation
From this point, you should be able to finish following the official Funtoo Linux install instructions.
Managing your LUKS volume
Change your LUKS-encrypted drive's passphrase
You may want to change your encrypted volume's passphrase or password from time to time. To do so, run the following command in the console as root:
root # cryptsetup luksChangeKey /dev/sdX3
You'll be prompted to enter in the existing passphrase first, then to enter in your new passphrase. You will not be asked to confirm your new passphrase, so be careful when running this operation.
Rechroot
In the event of a build failure, rechrooting requires unlocking the root volume, mounting it again, and chrooting again:
root # cryptsetup open /dev/sdX3 root
root # mkdir /mnt/funtoo
root # mount /dev/mapper/vg-root /mnt/funtoo
root # cd /mnt/funtoo
root # fchroot .
- remount efi:
root # mount /boot/efi
If you intend to compile in ram again, mount /var/tmp/portage:
root # mount /var/tmp/portage
update available ebuilds and rebuild world:
root # ego sync && emerge -avuND @world