Note
The Funtoo Linux project has transitioned to "Hobby Mode" and this wiki is now read-only.
Difference between revisions of "Rootfs over encrypted lvm"
Jump to navigation
Jump to search
(better-initramfs location has changed) |
|||
| (13 intermediate revisions by the same user not shown) | |||
| Line 5: | Line 5: | ||
<code>/dev/sda1</code> used as <code>/boot</code>. <code>/dev/sda2</code> will be encrypted drive with LVM. | <code>/dev/sda1</code> used as <code>/boot</code>. <code>/dev/sda2</code> will be encrypted drive with LVM. | ||
< | * <code>/dev/sda1</code> -- <code>/boot</code> partition. | ||
/dev/sda2 | * <code>/dev/sda2</code> -- BIOS boot partition (not needed for MBR - only needed if you are using GPT) This step required for GRUB2. For more info, see: [http://www.funtoo.org/Funtoo_Linux_Installation#Prepare_Hard_Disk] for more information on GPT and MBR. | ||
* <code>/dev/sda3</code> -- <code>/</code> partition, will be the drive with LUKS and LVM. | |||
Note that you will get a message about reaching the end of the device. | <console> | ||
##r### ##b##dd if=/dev/zero of=/dev/sda3 bs=100M | |||
##r### ##b##dd if=/dev/urandom of=/dev/sda3 bs=100M | |||
</console> | |||
The <code>dd</code> part is optional, only for security reason by overwriting the lingering data on the device with random data. It takes around 6 hours to complete for a 200GB drive. | |||
Note that you will get a message about reaching the end of the device when the <code>dd</code> command has finished. This behavior is intended. | |||
= Encrypting the drive = | = Encrypting the drive = | ||
<console> | <console> | ||
# ## | ##r### ##b##cryptsetup --cipher aes-xts-plain64 luksFormat /dev/sda3 | ||
# ## | ##r### ##b##cryptsetup luksOpen /dev/sda3 dmcrypt_root | ||
</console> | </console> | ||
| Line 23: | Line 27: | ||
= Create logical volumes = | = Create logical volumes = | ||
< | <console> | ||
vgcreate vg /dev/mapper/dmcrypt_root | ##r### ##b##pvcreate /dev/mapper/dmcrypt_root | ||
lvcreate -L10G - | ##r### ##b##vgcreate vg /dev/mapper/dmcrypt_root | ||
lvcreate -L2G - | ##r### ##b##lvcreate -L10G --name root vg | ||
lvcreate -L5G - | ##r### ##b##lvcreate -L2G --name swap vg | ||
lvcreate -l 100%FREE -nhome vg</ | ##r### ##b##lvcreate -L5G --name portage vg | ||
##r### ##b##lvcreate -l 100%FREE -nhome vg | |||
Feel free to specify your desired size | </console> | ||
Feel free to specify your desired size by altering the numbers after the -L flag. For example, to make your portage dataset 20GB's, use the flag -L20G instead of -L5G. | |||
= Create a filesystem on volumes = | = Create a filesystem on volumes = | ||
< | <console> | ||
mkswap /dev/mapper/vg-swap | ##r### ##b##mkfs.ext2 /dev/sda1 | ||
mkfs.ext4 /dev/mapper/vg-root | ##r### ##b##mkswap /dev/mapper/vg-swap | ||
##r### ##b##mkfs.ext4 /dev/mapper/vg-root | |||
mkfs. | ##r### ##b##mkfs.ext4 /dev/mapper/vg-portage | ||
##r### ##b##mkfs.ext4 /dev/mapper/vg-home | |||
</console> | |||
= Basic system setup = | = Basic system setup = | ||
< | <console> | ||
mount /dev/mapper/vg-root /mnt/funtoo | ##r### ##b##swapon /dev/mapper/vg-swap | ||
mkdir /mnt/funtoo/boot | ##r### ##b##mkdir /mnt/funtoo | ||
mount /dev/sda1 /mnt/funtoo/boot</ | ##r### ##b##mount /dev/mapper/vg-root /mnt/funtoo | ||
##r### ##b##mkdir /mnt/funtoo/boot | |||
##r### ##b##mkdir -p /mnt/funtoo/usr/portage | |||
##r### ##b##mkdir /mnt/funtoo/home | |||
##r### ##b##mount /dev/sda1 /mnt/funtoo/boot | |||
##r### ##b##mount /dev/mapper/vg-portage /mnt/funtoo/usr/portage | |||
##r### ##b##mount /dev/mapper/vg-home /mnt/funtoo/home | |||
</console> | |||
Now perform all the steps required for basic system install, please follow [http://docs.funtoo.org/wiki/Funtoo_Linux_Installation] | Now perform all the steps required for basic system install, please follow [http://docs.funtoo.org/wiki/Funtoo_Linux_Installation] | ||
don't forget to emerge next packages: | don't forget to emerge next packages: | ||
| Line 120: | Line 134: | ||
{{code|/etc/boot.conf|<pre> | {{code|/etc/boot.conf|<pre> | ||
boot { | boot { | ||
generate grub | |||
default "Funtoo Linux" | |||
timeout 3 | |||
} | } | ||
"Funtoo Linux" { | "Funtoo Linux" { | ||
kernel bzImage[-v] | |||
initrd /initramfs.cpio.gz | |||
params += enc_root=/dev/sda2 lvm luks root=/dev/mapper/vg-root rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet | |||
}</pre>}} | }</pre>}} | ||
{{code|/etc/fstab| | {{code|/etc/fstab| | ||
<pre> | <pre> | ||
# <fs> | # <fs> <mountpoint> <type> <opts> <dump/pass> | ||
/dev/ | /dev/sda1 /boot ext2 noauto,noatime 1 2 | ||
/dev/mapper/vg- | /dev/mapper/vg-swap none swap sw 0 0 | ||
/dev/mapper/vg- | /dev/mapper/vg-root / ext4 noatime,nodiratime,defaults 0 1 | ||
/dev/ | /dev/sr0 /mnt/cdrom auto noauto,ro 0 0 | ||
/dev/mapper/vg- | /dev/mapper/vg-portage /usr/portage reiserfs noatime,nodiratime 0 0 | ||
/dev/mapper/vg- | /dev/mapper/vg-home /home xfs noatime,nodiratime,osyncisdsync 0 0</pre>}} | ||
= Lilo configuration = | = Lilo configuration = | ||
| Line 193: | Line 207: | ||
<pre>>>> Again, getting LVM volumes up (if any, after map dmcrypt). | <pre>>>> Again, getting LVM volumes up (if any, after map dmcrypt). | ||
Reading all physical volumes. This may take a while... | |||
Found volume group "vg" using metadata type lvm2 | |||
4 logical volume(s) in volume group "vg" now active | |||
>>> Mounting rootfs to /newroot | >>> Mounting rootfs to /newroot | ||
>>> Umounting /sys and /proc. | >>> Umounting /sys and /proc. | ||
| Line 201: | Line 215: | ||
INIT: version 2.88 booting | INIT: version 2.88 booting | ||
Loading /libexec/rc/console/keymap | Loading /libexec/rc/console/keymap | ||
OpenRC 0.6.1 is starting up Funtoo Linux (x86_64) | |||
...boot messages omitted for clarity | ...boot messages omitted for clarity | ||
orion login: oleg | orion login: oleg | ||
Password: | Password: | ||
Revision as of 16:15, December 7, 2013
This howto describes how to setup LVM and rootfs with cryptoLUKS-encrypted drive
Prepare the hard drive and partitions
This is an example partition scheme, you may want to choose differently.
/dev/sda1 used as /boot. /dev/sda2 will be encrypted drive with LVM.
/dev/sda1--/bootpartition./dev/sda2-- BIOS boot partition (not needed for MBR - only needed if you are using GPT) This step required for GRUB2. For more info, see: [1] for more information on GPT and MBR./dev/sda3--/partition, will be the drive with LUKS and LVM.
root ##r### dd if=/dev/zero of=/dev/sda3 bs=100M root ##r### dd if=/dev/urandom of=/dev/sda3 bs=100M
The dd part is optional, only for security reason by overwriting the lingering data on the device with random data. It takes around 6 hours to complete for a 200GB drive.
Note that you will get a message about reaching the end of the device when the dd command has finished. This behavior is intended.
Encrypting the drive
root ##r### cryptsetup --cipher aes-xts-plain64 luksFormat /dev/sda3 root ##r### cryptsetup luksOpen /dev/sda3 dmcrypt_root
There you'll be prompted to enter your password phrase for encrypted drive, type your paranoid password there.
Create logical volumes
root ##r### pvcreate /dev/mapper/dmcrypt_root root ##r### vgcreate vg /dev/mapper/dmcrypt_root root ##r### lvcreate -L10G --name root vg root ##r### lvcreate -L2G --name swap vg root ##r### lvcreate -L5G --name portage vg root ##r### lvcreate -l 100%FREE -nhome vg
Feel free to specify your desired size by altering the numbers after the -L flag. For example, to make your portage dataset 20GB's, use the flag -L20G instead of -L5G.
Create a filesystem on volumes
root ##r### mkfs.ext2 /dev/sda1 root ##r### mkswap /dev/mapper/vg-swap root ##r### mkfs.ext4 /dev/mapper/vg-root root ##r### mkfs.ext4 /dev/mapper/vg-portage root ##r### mkfs.ext4 /dev/mapper/vg-home
Basic system setup
root ##r### swapon /dev/mapper/vg-swap root ##r### mkdir /mnt/funtoo root ##r### mount /dev/mapper/vg-root /mnt/funtoo root ##r### mkdir /mnt/funtoo/boot root ##r### mkdir -p /mnt/funtoo/usr/portage root ##r### mkdir /mnt/funtoo/home root ##r### mount /dev/sda1 /mnt/funtoo/boot root ##r### mount /dev/mapper/vg-portage /mnt/funtoo/usr/portage root ##r### mount /dev/mapper/vg-home /mnt/funtoo/home
Now perform all the steps required for basic system install, please follow [2] don't forget to emerge next packages:
# emerge cryptsetup lvm2 grub foo-sources
Re-emerge sys-apps/busybox and sys-fs/cryptsetup with the "static" USE flag
Kernel options
Important, do not miss this part. Under General setup --->
[*] Initial RAM filesystem and RAM disk (initramfs/initrd) support
Under Device Drivers --->
Generic Driver Options ---> [*] Maintain a devtmpfs filesystem to mount at /dev [*] Multiple devices driver support ---> <*>Device Mapper Support <*> Crypt target support
Under Cryptographic API --->
-*-AES cipher algorithms <*> XTS support (EXPERIMENTAL)
Initramfs setup and configuration
Build your initramfs with better-initramfs project.
Note
better-initramfs supports neither dynamic modules nor udev, so you should compile your kernel with built-in support for your block devices.
# git clone git@bitbucket.org:piotrkarbowski/better-initramfs.git # cd better-initramfs # less README.rst # bootstrap/bootstrap-all # make prepare # make image
Copy resulting initramfs.cpio.gz to /boot.
# cp output/initramfs.cpio.gz /boot
Alternatively pre-compiled binary initramfs available at https://bitbucket.org/piotrkarbowski/better-initramfs/downloads
# wget https://bitbucket.org/piotrkarbowski/better-initramfs/downloads/release-x86_64-v0.7.2.tar.bz2 # tar xf release-x86_64-v0.5.tar.bz2 # cd release* # gzip initramfs.cpio # cp initramfs.cpio.gz /boot
Remember, better-initramfs project is a work in progress, so you need to update from time to time. It can be done easily with git. Go to the better-initramfs source dir and follow:
# git pull # less ChangeLog
Please, read the ChangeLog carefuly and do necessary updates, to /etc/boot.conf, the example config below. Please, backup working initramfs.cpio.gz and /etc/boot.conf before updating initramfs.
Genkernel approach
Funtoo's genkernel capable to create initramfs for encrypted drive. Compile and install kernel and initramfs of your favorite kernel sources:
genkernel --kernel-config=/path/to/your/custom-kernel-config --no-mrproper --makeopts=-j5 --install --lvm --luks all
Configure the bootloader as described above, with correct kernel and initramfs images names. An example for genkernel and grub2:
Grub2 configuration
An example of /etc/boot.conf for better-initramfs
Template:Code
Lilo configuration
For oldschool geeks, an example for lilo bootloader. Emerge lilo with device-mapper support
# echo 'sys-boot/lilo device-mapper' >> /etc/portage/package.use/lilo # emerge lilo
Syslinux bootloader setup
Syslinux is another advanced bootloader which you can find on all live CD's.
# emerge syslinux # mkdir /boot/extlinux # extlinux --install /boot/extlinux # dd bs=440 conv=notrunc count=1 if=/usr/share/syslinux/mbr.bin of=/dev/sda - or - # sgdisk /dev/sda --attributes=1:set:2 # dd bs=440 conv=notrunc count=1 if=/usr/share/syslinux/gptmbr.bin of=/dev/sda, for GPT partition
Final steps
Umount everything, close encrypted drive and reboot
umount /mnt/funtoo/proc (/dev, /home, /usr/portage, /boot) vgchange -a n cryptsetup luksClose /dev/sda2 dmcrypt_root
After reboot you will get the following:
>>> better-initramfs started. Kernel version 2.6.35-gentoo-r10 >>> Create all the symlinks to /bin/busybox. >>> Initiating /dev/dir >>> Getting LVM volumes up (if any) Reding all physical volumes. This make take awhile... No volume group found No volume group found >>> Opening encrypted partition and mapping to /dev/mapper/dmcrypt_root Enter passphrase fore /dev/sda2:
Type your password
>>> Again, getting LVM volumes up (if any, after map dmcrypt). Reading all physical volumes. This may take a while... Found volume group "vg" using metadata type lvm2 4 logical volume(s) in volume group "vg" now active >>> Mounting rootfs to /newroot >>> Umounting /sys and /proc. >>> Switching root to /newroot and executing /sbin/init. INIT: version 2.88 booting Loading /libexec/rc/console/keymap OpenRC 0.6.1 is starting up Funtoo Linux (x86_64) ...boot messages omitted for clarity orion login: oleg Password: Last login: Thu Oct 14 20:49:21 EEST 2010 on tty1 oleg@orion ~ %