The Funtoo Linux project has transitioned to "Hobby Mode" and this wiki is now read-only.
Rootfs over encrypted lvm
This howto describes how to setup LVM and rootfs with cryptoLUKS-encrypted drive
Prepare the hard drive and partitions
This is an example partition scheme, you may want to choose differently.
/dev/sda1 used as /boot. /dev/sda2 will be encrypted drive with LVM.
/dev/sda1--/bootpartition./dev/sda2-- BIOS boot partition (not needed for MBR - only needed if you are using GPT) This step required for GRUB2. For more info, see: [1] for more information on GPT and MBR./dev/sda3--/partition, will be the drive with LUKS and LVM.
root ##r### dd if=/dev/zero of=/dev/sda3 bs=100M root ##r### dd if=/dev/urandom of=/dev/sda3 bs=100M
The dd part is optional, only for security reason by overwriting the lingering data on the device with random data. It takes around 6 hours to complete for a 200GB drive.
Note that you will get a message about reaching the end of the device when the dd command has finished. This behavior is intended.
Encrypting the drive
root ##r### cryptsetup --cipher aes-xts-plain64 luksFormat /dev/sda3 root ##r### cryptsetup luksOpen /dev/sda3 dmcrypt_root
There you'll be prompted to enter your password phrase for encrypted drive, type your paranoid password there.
Create logical volumes
root ##r### pvcreate /dev/mapper/dmcrypt_root root ##r### vgcreate vg /dev/mapper/dmcrypt_root root ##r### lvcreate -L10G --name root vg root ##r### lvcreate -L2G --name swap vg root ##r### lvcreate -L5G --name portage vg root ##r### lvcreate -l 100%FREE -nhome vg
Feel free to specify your desired size by altering the numbers after the -L flag. For example, to make your portage dataset 20GB's, use the flag -L20G instead of -L5G.
Create a filesystem on volumes
root ##r### mkfs.ext2 /dev/sda1 root ##r### mkswap /dev/mapper/vg-swap root ##r### mkfs.ext4 /dev/mapper/vg-root root ##r### mkfs.ext4 /dev/mapper/vg-portage root ##r### mkfs.ext4 /dev/mapper/vg-home
Basic system setup
root ##r### swapon /dev/mapper/vg-swap root ##r### mkdir /mnt/funtoo root ##r### mount /dev/mapper/vg-root /mnt/funtoo root ##r### mkdir /mnt/funtoo/boot root ##r### mkdir -p /mnt/funtoo/usr/portage root ##r### mkdir /mnt/funtoo/home root ##r### mount /dev/sda1 /mnt/funtoo/boot root ##r### mount /dev/mapper/vg-portage /mnt/funtoo/usr/portage root ##r### mount /dev/mapper/vg-home /mnt/funtoo/home
Now perform all the steps required for basic system install, please follow [2] don't forget to emerge next packages:
# emerge cryptsetup lvm2 grub foo-sources
Re-emerge sys-apps/busybox and sys-fs/cryptsetup with the "static" USE flag
Kernel options
Important, do not miss this part. Under General setup --->
[*] Initial RAM filesystem and RAM disk (initramfs/initrd) support
Under Device Drivers --->
Generic Driver Options ---> [*] Maintain a devtmpfs filesystem to mount at /dev [*] Multiple devices driver support ---> <*>Device Mapper Support <*> Crypt target support
Under Cryptographic API --->
-*-AES cipher algorithms <*> XTS support (EXPERIMENTAL)
Initramfs setup and configuration
Build your initramfs with better-initramfs project.
better-initramfs supports neither dynamic modules nor udev, so you should compile your kernel with built-in support for your block devices.
# git clone git@bitbucket.org:piotrkarbowski/better-initramfs.git # cd better-initramfs # less README.rst # bootstrap/bootstrap-all # make prepare # make image
Copy resulting initramfs.cpio.gz to /boot.
# cp output/initramfs.cpio.gz /boot
Alternatively pre-compiled binary initramfs available at https://bitbucket.org/piotrkarbowski/better-initramfs/downloads
# wget https://bitbucket.org/piotrkarbowski/better-initramfs/downloads/release-x86_64-v0.7.2.tar.bz2 # tar xf release-x86_64-v0.5.tar.bz2 # cd release* # gzip initramfs.cpio # cp initramfs.cpio.gz /boot
Remember, better-initramfs project is a work in progress, so you need to update from time to time. It can be done easily with git. Go to the better-initramfs source dir and follow:
# git pull # less ChangeLog
Please, read the ChangeLog carefuly and do necessary updates, to /etc/boot.conf, the example config below. Please, backup working initramfs.cpio.gz and /etc/boot.conf before updating initramfs.
Genkernel approach
Funtoo's genkernel capable to create initramfs for encrypted drive. Compile and install kernel and initramfs of your favorite kernel sources:
genkernel --kernel-config=/path/to/your/custom-kernel-config --no-mrproper --makeopts=-j5 --install --lvm --luks all
Configure the bootloader as described above, with correct kernel and initramfs images names. An example for genkernel and grub2:
Grub2 configuration
An example of /etc/boot.conf for better-initramfs
Template:Code
Lilo configuration
For oldschool geeks, an example for lilo bootloader. Emerge lilo with device-mapper support
# echo 'sys-boot/lilo device-mapper' >> /etc/portage/package.use/lilo # emerge lilo
Syslinux bootloader setup
Syslinux is another advanced bootloader which you can find on all live CD's.
# emerge syslinux # mkdir /boot/extlinux # extlinux --install /boot/extlinux # dd bs=440 conv=notrunc count=1 if=/usr/share/syslinux/mbr.bin of=/dev/sda - or - # sgdisk /dev/sda --attributes=1:set:2 # dd bs=440 conv=notrunc count=1 if=/usr/share/syslinux/gptmbr.bin of=/dev/sda, for GPT partition
Final steps
Umount everything, close encrypted drive and reboot
umount /mnt/funtoo/proc (/dev, /home, /usr/portage, /boot) vgchange -a n cryptsetup luksClose /dev/sda2 dmcrypt_root
After reboot you will get the following:
>>> better-initramfs started. Kernel version 2.6.35-gentoo-r10 >>> Create all the symlinks to /bin/busybox. >>> Initiating /dev/dir >>> Getting LVM volumes up (if any) Reding all physical volumes. This make take awhile... No volume group found No volume group found >>> Opening encrypted partition and mapping to /dev/mapper/dmcrypt_root Enter passphrase fore /dev/sda2:
Type your password
>>> Again, getting LVM volumes up (if any, after map dmcrypt). Reading all physical volumes. This may take a while... Found volume group "vg" using metadata type lvm2 4 logical volume(s) in volume group "vg" now active >>> Mounting rootfs to /newroot >>> Umounting /sys and /proc. >>> Switching root to /newroot and executing /sbin/init. INIT: version 2.88 booting Loading /libexec/rc/console/keymap OpenRC 0.6.1 is starting up Funtoo Linux (x86_64) ...boot messages omitted for clarity orion login: oleg Password: Last login: Thu Oct 14 20:49:21 EEST 2010 on tty1 oleg@orion ~ %