The Funtoo Linux project has transitioned to "Hobby Mode" and this wiki is now read-only.
Difference between revisions of "Encrypted Root"
Revision summaries: (Patching MODULES_CRYPTO is no longer needed.) / m (add warning that this build is incomplete.)
(10 intermediate revisions by one other user not shown)
Latest revision as of 03:58, January 13, 2023
This howto describes how to set up LVM, swap, and root on dm-crypt LUKS. It is a standalone installation walkthrough, based on the finished product of the official installation. /boot is not encrypted.
You may try this installation method at your own risk! Please note: this guide is outside of the official installation documentation and cannot be supported. If you choose to use this, we assume you know what you are doing and you are on your own.
Rootfs_over_encrypted_lvm is the only known working encrypted root page. This page is a work in progress to strip out LVM, and is known to be incomplete.
Prepare the hard drive and partitions
- Before you begin, make sure you are partitioning the correct drive. For the rest of this tutorial, we will be using /dev/sdX as a placeholder.
root # lsblk
NAME        MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda           8:0    0  1.8T  0 disk
├─sda1        8:1    0  512M  0 part
├─sda2        8:2    0    8G  0 part [SWAP]
└─sda3        8:3    0  1.8T  0 part
  ├─main-root 254:0  0  500G  0 lvm  /
  └─main-data 254:1  0  1.3T  0 lvm  /home
Link your drive to /dev/sdX
To make following this guide easier, you can set udev rules that link the drive you are installing to /dev/sdX, so that every command in this guide can be copied and pasted as-is. Just replace the kernel device name (sda, mmcblk0, nvme0n1) to match your target drive.
ATA/SATA/SCSI drives (ex. hda, sda)
root # echo 'KERNEL=="sda*", SYMLINK+="sdX%n"' > /etc/udev/rules.d/01-funtoo.rules
root # udevadm control --reload-rules
root # udevadm trigger
MMC/NVMe drives (ex. mmcblk0, nvme0n1)
root # echo 'KERNEL=="mmcblk0", SYMLINK+="sdX"' > /etc/udev/rules.d/01-funtoo.rules
root # echo 'KERNEL=="mmcblk0p*", SYMLINK+="sdX%n"' >> /etc/udev/rules.d/01-funtoo.rules
root # udevadm control --reload-rules
root # udevadm trigger
Verify links
root # ls -al /dev/sdX*
lrwxrwxrwx 1 root root 3 Jul 31 14:00 /dev/sdX -> sde
lrwxrwxrwx 1 root root 4 Jul 31 14:00 /dev/sdX1 -> sde1
lrwxrwxrwx 1 root root 4 Jul 31 14:00 /dev/sdX2 -> sde2
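As an added example (not part of the wiki page), the following script generates the 01-funtoo.rules content for either naming scheme from the kernel device name, using separate whole-disk and partition rules so that, for example, a rule for sda cannot also match a later disk such as sdab; the function names and the vd*/hd* handling are my own additions.

```shell
#!/bin/sh
# Added example, not from the Funtoo wiki: emit udev rules that link the
# chosen install disk to /dev/sdX for both partition naming schemes.
# Assumed helper names: funtoo_udev_rules, write_funtoo_udev_rules.

# Print the rules for one kernel device name (e.g. sda, nvme0n1, mmcblk0).
# sd*/hd*/vd* partitions are named sda1, while mmc/nvme partitions are
# named mmcblk0p1, so the partition pattern needs the "p" separator only
# for the latter family.
funtoo_udev_rules() {
    dev=$1
    case "$dev" in
        nvme*|mmcblk*) part="${dev}p[0-9]*" ;;   # nvme0n1p1, mmcblk0p2 ...
        sd*|hd*|vd*)   part="${dev}[0-9]*" ;;    # sda1, vdb3 ...
        *) echo "unsupported device name: $dev" >&2; return 1 ;;
    esac
    # Whole disk -> /dev/sdX; partitions -> /dev/sdX<kernel number> (%n).
    printf 'KERNEL=="%s", SYMLINK+="sdX"\n' "$dev"
    printf 'KERNEL=="%s", SYMLINK+="sdX%%n"\n' "$part"
}

# Write the rules and re-trigger udev as the guide does; needs root, so it
# is defined here but not called.
write_funtoo_udev_rules() {
    funtoo_udev_rules "$1" > /etc/udev/rules.d/01-funtoo.rules || return 1
    udevadm control --reload-rules
    udevadm trigger
}
```

After running write_funtoo_udev_rules, check the result with the ls -al /dev/sdX* command from the Verify links section.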
Partition
MBR [BIOS] Partitioning
Use this method if you are booting using your BIOS, and if your Funtoo LiveCD initial boot menu was light blue. If you're going to use the UEFI/GPT disk format, then please proceed to the next section.
root # fdisk /dev/sdX
Within fdisk, follow these steps:
Empty the partition table:
Command (m for help): o ↵
Create boot partition:
Command (m for help): n ↵
Partition type (default p): ↵
Partition number (1-4, default 1): ↵
First sector: ↵
Last sector: +128M ↵
Create partition which will be encrypted with LUKS:
Command (m for help): n ↵
Partition type (default p): ↵
Partition number (2-4, default 2): ↵
First sector: ↵
Last sector: ↵
Verify the partition table:
Command (m for help): p
Disk /dev/sdX: 298.1 GiB, 320072933376 bytes, 625142448 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x82abc9a6
Device Boot Start End Blocks Id System
/dev/sdX1 2048 264191 131072 83 Linux
/dev/sdX2 4458496 625142447 312439128 83 Linux
Write the partition table to disk:
Command (m for help): w
Your new MBR partition table will now be written to your system disk.
UEFI Partitioning
Use this method if you are interested in booting using UEFI, and if your Funtoo LiveCD initial boot menu was black and white, or the system booted without a boot menu. If it was light blue, this method will not work. Instead, use the instructions in the previous section then skip this section, or reboot LiveCD in UEFI mode first.
root # gdisk /dev/sdX
Within gdisk, follow these steps:
Empty the partition table:
Command: o ↵
This option deletes all partitions and creates a new protective MBR.
Proceed? (Y/N): y ↵
Create boot partition:
Command: n ↵
Partition Number: 1 ↵
First sector: ↵
Last sector: +128M ↵
Hex Code: EF00 ↵
Create partition which will be encrypted with LUKS:
Command: n ↵
Partition Number: 2 ↵
First sector: ↵
Last sector: ↵ (for rest of disk)
Hex Code: ↵
(Optional) Create disk labels:
Command: c ↵
Partition Number: 1
Enter name: BOOT
Command: c ↵
Partition Number: 2
Enter name: ROOT
Write Partition Table To Disk:
Command: w ↵
Do you want to proceed? (Y/N): Y ↵
The partition table will now be written to the disk and gdisk will close.
Create filesystems
Create /boot filesystem
For BIOS systems
root # mkfs.ext2 /dev/sdX1
For UEFI systems
root # mkfs.vfat -F 32 /dev/sdX1
Create LUKS encrypted volume
Cryptsetup now defaults to LUKS2, which is unsupported by stable versions of grub. This is why we are not encrypting /boot.
The debian-sources kernel in current stage3 tarballs does not allow for passwords in excess of 63 characters.
root # cryptsetup luksFormat /dev/sdX2
Open newly created LUKS volume
root # cryptsetup open /dev/sdX2 root
Create LVM volumes for / and swap
root # pvcreate /dev/mapper/root
root # vgcreate vg /dev/mapper/root
Replace "16G" with the amount of swap you would like to make available.
root # lvcreate -L16G --name swap vg
root # lvcreate -l 100%FREE --name root vg
The "-l 100%FREE" option above will use the remainder of the disk for your root volume. If you would prefer to create separate volumes for /home or /var (for example), you can instead continue to use the "-LXXG" option for fixed sizes.
Create filesystems on LVM volumes
root # mkswap /dev/mapper/vg-swap
root # swapon /dev/mapper/vg-swap
root # mkfs.ext4 /dev/mapper/vg-root
Create directories for chroot
root # mkdir -p /mnt/funtoo
Mount filesystems
root # mount /dev/mapper/vg-root /mnt/funtoo
root # mkdir /mnt/funtoo/boot
root # mount /dev/sdX1 /mnt/funtoo/boot
Set the date
See the official Funtoo docs on setting the date.
Download and extract stage3
See the official Funtoo docs on downloading and extracting stage3.
Chroot into your new system
See the official Funtoo docs on chrooting into your new system if you are using a LiveCD or USB media other than Funtoo to install Funtoo.
root # fchroot /mnt/funtoo /bin/bash --login
Configure your system
Set a new root password
root # passwd
Set hostname
root # echo 'hostname="yourdesiredhostname"' > /etc/conf.d/hostname
Set your timezone
root # ln -sf /usr/share/zoneinfo/YOUR/TIMEZONE /etc/localtime
Note your filesystem information
root # blkid
/dev/sdX1: UUID="6453-0C55" TYPE="vfat" PARTLABEL="efi" PARTUUID="4e195c4b-f88c-4205-b9df-79a879704b2f"
/dev/sdX2: UUID="aafe709b-82e7-448f-a2cb-36adc3787dc3" TYPE="crypto_LUKS" PARTLABEL="system" PARTUUID="93d0cf9b-0b95-4d8b-919f-48cd1774996f"
/dev/mapper/root: UUID="hvz79n-I2VE-nR1c-0hDQ-PVkR-3GRb-rnuJ9C" TYPE="LVM2_member"
/dev/mapper/vg-swap: UUID="a9188bc3-7def-422b-990d-9de431825779" TYPE="swap"
/dev/mapper/vg-root: UUID="2eaf45e6-d33b-4155-b4ca-63a2fdbfb896" TYPE="ext4"
Configure /etc/fstab
The UUID parameter is set to the UUID of your boot partition as found from the blkid command above.
root # cat > /etc/fstab << 'EOF'
UUID=6453-0C55          /boot   vfat    noauto,noatime                  1 2
/dev/mapper/vg-swap     none    swap    sw                              0 0
/dev/mapper/vg-root     /       ext4    noatime,nodiratime,defaults     0 1
EOF
Create /etc/crypttab
The UUID parameter is set to the UUID of /dev/sdX2 as found from the blkid command above.
root # echo "root UUID=aafe709b-82e7-448f-a2cb-36adc3787dc3 none luks,discard" >> /etc/crypttab
Create /etc/dmtab
root # dmsetup table >> /etc/dmtab
Portage
Download the portage tree
root # ego sync
Change your ego profile to include encrypted root support
root # epro mix-in encrypted-root
Edit package USE-flags
root # cat > /etc/portage/package.use <<'EOF'
*/* device-mapper lvm luks
sys-kernel/linux-firmware initramfs
sys-fs/cryptsetup -dynamic
EOF
Install necessary packages
root # emerge grub haveged intel-microcode linux-firmware cryptsetup lvm2 genkernel iucode_tool
Configure services to start at boot
root # rc-update add device-mapper sysinit
root # rc-update add dmcrypt sysinit
root # rc-update add lvmetad sysinit
root # rc-update add haveged default
root # rc-update add busybox-ntpd default
Install a bootloader
Configure /etc/boot.conf
The UUID parameter is set to the UUID of /dev/sdX2 as found from the blkid command above.
root # cat > /etc/boot.conf <<'EOF'
boot {
	generate grub
	default "Funtoo Linux"
	timeout 3
}

"Funtoo Linux" {
	kernel kernel[-v]
	initrd initramfs[-v]
	params += crypt_root=UUID=aafe709b-82e7-448f-a2cb-36adc3787dc3 dolvm real_root=/dev/mapper/vg-root ro rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet
}
EOF
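The crypttab, fstab and boot.conf entries above all repeat UUIDs read off the blkid output, and a single mistyped character leaves the initramfs unable to find the LUKS container. As an added example (not from the wiki page), the script below derives those entries from blkid output; the sample output is constructed to mirror the guide's layout and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the Funtoo wiki: derive the UUID-based entries
# the guide writes into /etc/crypttab, /etc/fstab and /etc/boot.conf from
# blkid output instead of copying UUIDs by hand. Function names are my own.

# Constructed blkid output mirroring the guide's layout (sdX1 = /boot,
# sdX2 = LUKS container). On a real system use: blkid_out=$(blkid)
SAMPLE_BLKID='/dev/sdX1: UUID="6453-0C55" TYPE="vfat" PARTLABEL="efi"
/dev/sdX2: UUID="aafe709b-82e7-448f-a2cb-36adc3787dc3" TYPE="crypto_LUKS" PARTLABEL="system"
/dev/mapper/vg-root: UUID="2eaf45e6-d33b-4155-b4ca-63a2fdbfb896" TYPE="ext4"'

# uuid_of_type <blkid-output> <TYPE>: print the UUID of the first device
# with that TYPE; return 1 (and print nothing) when there is none.
uuid_of_type() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $0 ~ ("TYPE=\"" want "\"") && match($0, /UUID="[^"]+"/) {
            print substr($0, RSTART + 6, RLENGTH - 7); found = 1; exit
        }
        END { if (found) exit 0; exit 1 }'
}

# crypttab_line: the /etc/crypttab entry for the LUKS container.
crypttab_line() {
    uuid=$(uuid_of_type "$1" crypto_LUKS) || return 1
    printf 'root UUID=%s none luks,discard\n' "$uuid"
}

# boot_params: the params line of the "Funtoo Linux" entry in /etc/boot.conf.
# crypt_root names the same UUID as crypttab, so the two cannot drift apart.
boot_params() {
    uuid=$(uuid_of_type "$1" crypto_LUKS) || return 1
    printf 'params += crypt_root=UUID=%s dolvm real_root=/dev/mapper/vg-root ro rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet\n' "$uuid"
}

# fstab_boot_line: the /boot entry; the filesystem type is taken from blkid,
# so it comes out vfat for a UEFI install and ext2 for a BIOS install.
fstab_boot_line() {
    line=$(printf '%s\n' "$1" | grep '^/dev/sdX1:') || return 1
    uuid=$(printf '%s\n' "$line" | sed 's/.*UUID="\([^"]*\)".*/\1/')
    fstype=$(printf '%s\n' "$line" | sed 's/.*TYPE="\([^"]*\)".*/\1/')
    printf 'UUID=%s /boot %s noauto,noatime 1 2\n' "$uuid" "$fstype"
}
```

Redirect the three functions' output into the respective files from inside the chroot, and compare the result against the blkid output once more before running ego boot update.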
Install GRUB
For BIOS systems
root # grub-install --target=i386-pc --no-floppy /dev/sdX
root # ego boot update
For UEFI systems
root # mount -o remount,rw /sys/firmware/efi/efivars
root # grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id="Funtoo Linux" --recheck /dev/sdX
For 32 bit systems, the command should instead be:
root # grub-install --target=i386-efi --efi-directory=/boot --bootloader-id="Funtoo Linux" --recheck /dev/sdX
root # ego boot update
Generate a new initramfs
root # genkernel --clean --luks --lvm --disklabel --ramdisk-modules --fullname=$(ls /boot/initramfs-* | tail -c +17) initramfs
Finishing installation
From this point, you should be able to finish following the official Funtoo Linux install instructions.
Managing your LUKS volume
Change your LUKS-encrypted drive's passphrase
You may want to change your encrypted volume's passphrase or password from time to time. To do so, run the following command in the console as root:
root # cryptsetup luksChangeKey /dev/sdX2
You'll be prompted to enter in the existing passphrase first, then to enter in your new passphrase. You will not be asked to confirm your new passphrase, so be careful when running this operation.