Full Disk Encryption From Scratch Simplified

This article discusses several aspects of using dm-crypt for full disk encryption with LVM (with some notes for SSDs) for daily use, built up from scratch.

Most of the details can also be found in the LUKS-LVM filesystem section of Sakaki's Install Guide.

Disk preparation
In this example, GPT is used as the disk partition scheme and GRUB as the boot loader. The partition table can be created with parted, as shown below, or with gparted.


Create partitions
Partition schema is as follows:

/dev/sdX
|--> sdX1  GRUB BIOS        2 MiB     no fs        bios_grub partition (GRUB core image, legacy BIOS boot only)
|--> sdX2  /boot            512 MiB   fat32        EFI System Partition: GRUB, kernel and initramfs (unencrypted)
|--> sdX3  LUKS encrypted   100%      crypto_LUKS  encrypted block device
     |--> LVM (vg0)         100%
          |--> /      root   25 GiB   ext4         rootfs
          |--> /var   var    40 GiB   ext4         var files
          |--> /home  home   100%     ext4         user files

Two things to keep in mind when judging what this layout protects. First, /boot stays unencrypted: the kernel and initramfs on it are what later unlock the LUKS container, so anyone with physical access can replace them; the encryption protects data at rest, not the boot chain. Second, the 2 MiB bios_grub partition is only used by a legacy BIOS installation of GRUB; the UEFI installation shown below does not touch it, but keeping it does no harm.

To create the partitions, start parted against the disk (/dev/sdX) and issue the following commands:

Set the default units to mebibytes:

Create a GPT partition table:

Create the BIOS partition:

Create the boot partition. This partition will contain the GRUB files, the plain (unencrypted) kernel and the kernel initramfs:

Everything is done; exit parted:

Create boot filesystem
Create the filesystem for /dev/sdX2, which will contain the GRUB and kernel files. This partition is read by the UEFI firmware, and most firmware can read only FAT32, so it must be formatted as FAT32 and flagged as the EFI System Partition:
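The partitioning and boot-filesystem steps above, collected into one script. This is an added example, not code from the original article; the device name is a placeholder and the sizes (2 MiB bios_grub, 512 MiB /boot, the rest for LUKS) are taken from the table. SATA-style partition names (sdX2) are assumed; NVMe devices use a p2 suffix instead.

```shell
#!/bin/sh
# Added example, not code from the original article: create the GPT
# layout from the table above with parted and put FAT32 on /boot.
# Assumed: device given as $1 (e.g. /dev/sdX), 2 MiB bios_grub,
# 512 MiB /boot, remainder for the LUKS container, sdX2-style names.
# Run as root:            ./prepare-disk.sh /dev/sdX
# Print commands only:    DRY_RUN=1 ./prepare-disk.sh /dev/sdX
# EVERYTHING ON THE DEVICE IS DESTROYED.
set -eu

# Print the command instead of executing it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# sdX1: bios_grub (legacy BIOS GRUB core image, unused by a UEFI install)
# sdX2: EFI System Partition, mounted at /boot
# sdX3: LUKS container that later holds the LVM volume group
prepare_disk() {
    dev=$1
    # Work in MiB so every partition starts on a 1 MiB boundary.
    run parted -s -a optimal "$dev" -- \
        unit MiB \
        mklabel gpt \
        mkpart grub 1 3 \
        set 1 bios_grub on \
        mkpart boot fat32 3 515 \
        set 2 esp on \
        mkpart lvm 515 100%
    # Make the kernel re-read the table before sdX2/sdX3 are used.
    run partprobe "$dev"
    # UEFI firmware reads FAT; -F 32 forces FAT32 on this small partition.
    run mkfs.vfat -F 32 "${dev}2"
}

# Show the result so the layout can be checked before encrypting sdX3.
show_layout() {
    run parted -s "$1" unit MiB print
}

if [ $# -gt 0 ]; then
    prepare_disk "$1"
    show_layout "$1"
fi
```

Run it once with DRY_RUN=1 and compare the printed parted command with the table before running it for real; the esp flag on sdX2 is what lets the firmware find GRUB later.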

Prepare encrypted partition
In the next step, dm-crypt is configured for /dev/sdX3:

Encrypt the LVM partition /dev/sdX3 with LUKS. This writes a LUKS header to the start of the partition and destroys any data on it; cryptsetup asks for an uppercase YES confirmation and then for the passphrase:

LVM creation
Open the encrypted device. The decrypted view appears under /dev/mapper with the name given on the command line (lvm in the blkid output below):

Create the LVM structure for the /, /var and /home mappings:

Create the physical volume on the opened device:

Create the volume group vg0:

Create the logical volume for the root filesystem:

Create the logical volume for the /var filesystem:

Create the logical volume for the /home filesystem:
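The LUKS and LVM steps of the two sections above as one script. It is an added example, not code from the original article. It assumes /dev/sdX3 as the partition, lvm as the mapping name (matching the blkid output later on), the 25G/40G/rest sizes from the table, and explicit LUKS2 with aes-xts-plain64 rather than whatever the installed cryptsetup defaults to. It also creates the ext4 filesystems, which the article's fstab expects but does not show being created.

```shell
#!/bin/sh
# Added example, not code from the original article: encrypt /dev/sdX3
# with LUKS, open it as /dev/mapper/lvm, build vg0 with root/var/home and
# put ext4 on each volume. Assumed: partition given as $1, mapping name
# "lvm", LUKS2 + aes-xts-plain64 (explicit so the result does not depend
# on the cryptsetup version), sizes 25G / 40G / rest, ext4 everywhere.
# Run as root:            ./make-lvm.sh /dev/sdX3
# Print commands only:    DRY_RUN=1 ./make-lvm.sh /dev/sdX3
set -eu

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Format the partition as a LUKS container. Destroys existing data;
# cryptsetup asks for YES and for the passphrase interactively.
luks_format() {
    run cryptsetup luksFormat --type luks2 --cipher aes-xts-plain64 --key-size 512 "$1"
}

# Open the container: the plaintext view appears as /dev/mapper/<name>.
luks_open() {
    run cryptsetup open "$1" "$2"
}

# Make the opened device a physical volume and carve out the volumes.
# Size suffixes are LVM's (G = GiB); -l 100%FREE takes what is left.
make_lvm() {
    pv=$1
    run pvcreate "$pv"
    run vgcreate vg0 "$pv"
    run lvcreate -L 25G -n root vg0
    run lvcreate -L 40G -n var vg0
    run lvcreate -l 100%FREE -n home vg0
    for lv in root var home; do
        run mkfs.ext4 "/dev/mapper/vg0-$lv"
    done
}

# What to look at before continuing: the mapping is active and the
# volumes exist with the expected sizes.
show_result() {
    run cryptsetup status "$1"
    run lvs vg0
}

if [ $# -gt 0 ]; then
    luks_format "$1"
    luks_open "$1" lvm
    make_lvm /dev/mapper/lvm
    show_result lvm
fi
```

Whatever name is passed to cryptsetup open has to be reused everywhere later (the initramfs does not care, since it opens the container itself, but the dmcrypt service and your own scripts do), so pick it once.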

Gentoo installation
Create the mount point for the permanent Gentoo installation:

Mount the root filesystem from the encrypted LVM volume:

Create the mount point for the permanent Gentoo /var:

Mount /var from the encrypted LVM volume:

And change into /mnt/gentoo:

Stage 3 install
Download a stage3 tarball to /mnt/gentoo from https://www.gentoo.org/downloads/mirrors. Download its .asc signature (or the signed DIGESTS file) too and verify it with gpg before unpacking: a tampered stage3 compromises the whole installation, and no amount of disk encryption fixes that afterwards.

For example:

Unpack the downloaded archive:

Configuring compile options
Open /mnt/gentoo/etc/portage/make.conf with nano and set the required flags. See the Stages (AMD64 Handbook) article.

Chroot prepare
Copy the DNS information:

Mount all required filesystems into the chroot:

Mount the shm filesystem:

Enter the chroot:

And run: export PS1="(chroot) $PS1"

Mount the boot partition:

Install the Portage snapshot:

Choose the correct profile (list the available ones):

Select the profile:

Set the correct timezone:

Configure the locales:

Set the default locale:

Update the environment:

Run export PS1="(chroot) $PS1" again, since sourcing the profile resets the prompt

Configure fstab
Partitions are referenced by UUID so that the configuration does not depend on the order in which the kernel enumerates the disks.

Run blkid and note the IDs:

/dev/sdb1: UUID="4F20-B9DB" TYPE="vfat" PARTLABEL="grub" PARTUUID="70b1627b-57e7-4559-877a-355184f0ab9d"
/dev/sdb2: UUID="DB1D-89C5" TYPE="vfat" PARTLABEL="boot" PARTUUID="b2a61809-4c19-4685-8875-e7fdf645eec5"
/dev/sdb3: UUID="6a7a642a-3262-4f87-9540-bcd53969343b" TYPE="crypto_LUKS" PARTLABEL="lvm" PARTUUID="be8e6694-b39c-4d2f-9f42-7ca455fdd64f"
/dev/mapper/lvm: UUID="HL32bg-ZjrZ-RBo9-PcFM-DmaQ-QbrC-9HkNMk" TYPE="LVM2_member"
/dev/mapper/vg0-root: UUID="6bedbbd8-cea9-4734-9c49-8e985c61c120" TYPE="ext4"
/dev/mapper/vg0-var: UUID="61e4cc83-a1ee-4190-914b-4b62b49ac77f" TYPE="ext4"
/dev/mapper/vg0-home: UUID="5d6ff087-50ce-400f-91c4-e3378be23c00" TYPE="ext4"

Edit /etc/fstab and set up the filesystems. The UUIDs for /, /var and /home are those of the ext4 filesystems on the /dev/mapper/vg0-* volumes, not the crypto_LUKS UUID of /dev/sdb3 (that one goes on the kernel command line later):

UUID=DB1D-89C5                                 /boot           vfat            noauto,noatime       1 2
UUID=6bedbbd8-cea9-4734-9c49-8e985c61c120      /               ext4            defaults             0 1
UUID=61e4cc83-a1ee-4190-914b-4b62b49ac77f      /var            ext4            defaults             0 1
UUID=5d6ff087-50ce-400f-91c4-e3378be23c00      /home           ext4            defaults             0 1
tmpfs                                          /tmp            tmpfs           size=4G              0 0
tmpfs                                          /run            tmpfs           size=100M            0 0
shm                                            /dev/shm        tmpfs           nodev,nosuid,noexec  0 0

Note that the tmpfs size option takes the suffixes K, M and G; a value such as 4Gb is rejected at mount time.
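Copying UUIDs by hand from blkid into fstab is where typos happen, and a wrong UUID only shows up as an unbootable system. The following added example (not code from the original article) builds the fstab lines from blkid output instead. The blkid listing embedded in it is the article's own, used here as constructed test data when BLKID_OUTPUT is set; otherwise the real blkid is queried. It only prints the lines; review them, then append them to /etc/fstab yourself.

```shell
#!/bin/sh
# Added example, not code from the original article: derive UUID-based
# fstab lines from blkid output. With BLKID_OUTPUT set, that text is used
# instead of running blkid (SAMPLE_BLKID below is the article's listing,
# embedded as constructed test data).
#   ./fstab-from-blkid.sh --sample   # use the embedded listing
#   ./fstab-from-blkid.sh --real     # query blkid on this machine
set -eu

SAMPLE_BLKID='/dev/sdb1: UUID="4F20-B9DB" TYPE="vfat" PARTLABEL="grub" PARTUUID="70b1627b-57e7-4559-877a-355184f0ab9d"
/dev/sdb2: UUID="DB1D-89C5" TYPE="vfat" PARTLABEL="boot" PARTUUID="b2a61809-4c19-4685-8875-e7fdf645eec5"
/dev/sdb3: UUID="6a7a642a-3262-4f87-9540-bcd53969343b" TYPE="crypto_LUKS" PARTLABEL="lvm" PARTUUID="be8e6694-b39c-4d2f-9f42-7ca455fdd64f"
/dev/mapper/lvm: UUID="HL32bg-ZjrZ-RBo9-PcFM-DmaQ-QbrC-9HkNMk" TYPE="LVM2_member"
/dev/mapper/vg0-root: UUID="6bedbbd8-cea9-4734-9c49-8e985c61c120" TYPE="ext4"
/dev/mapper/vg0-var: UUID="61e4cc83-a1ee-4190-914b-4b62b49ac77f" TYPE="ext4"
/dev/mapper/vg0-home: UUID="5d6ff087-50ce-400f-91c4-e3378be23c00" TYPE="ext4"'

# The blkid text: the constructed sample if BLKID_OUTPUT is set, else the tool.
blkid_text() {
    if [ -n "${BLKID_OUTPUT:-}" ]; then printf '%s\n' "$BLKID_OUTPUT"; else blkid; fi
}

# Filesystem UUID of a device: the " UUID=" field, never PARTUUID (the
# leading space in the pattern keeps PARTUUID from matching). Prints
# nothing and fails when the device is absent or has no UUID, so a typo
# cannot silently turn into a broken fstab entry.
uuid_of() {
    u=$(blkid_text | sed -n "s|^$1:.* UUID=\"\([^\"]*\)\".*|\1|p")
    [ -n "$u" ] || { echo "uuid_of: no UUID for $1" >&2; return 1; }
    printf '%s\n' "$u"
}

# One fstab line: device mountpoint fstype options dump pass
fstab_entry() {
    u=$(uuid_of "$1") || return 1
    printf '%-46s %-15s %-7s %-19s %s %s\n' "UUID=$u" "$2" "$3" "$4" "$5" "$6"
}

# The layout used in this article, tmpfs lines included.
gen_fstab() {
    fstab_entry /dev/sdb2            /boot vfat noauto,noatime 1 2
    fstab_entry /dev/mapper/vg0-root /     ext4 defaults       0 1
    fstab_entry /dev/mapper/vg0-var  /var  ext4 defaults       0 1
    fstab_entry /dev/mapper/vg0-home /home ext4 defaults       0 1
    printf '%-46s %-15s %-7s %-19s %s %s\n' tmpfs /tmp     tmpfs size=4G             0 0
    printf '%-46s %-15s %-7s %-19s %s %s\n' tmpfs /run     tmpfs size=100M           0 0
    printf '%-46s %-15s %-7s %-19s %s %s\n' shm   /dev/shm tmpfs nodev,nosuid,noexec 0 0
}

if [ "${1:-}" = "--sample" ]; then
    BLKID_OUTPUT=$SAMPLE_BLKID
    gen_fstab
elif [ "${1:-}" = "--real" ]; then
    gen_fstab
fi
```

The failure case is the useful part: ask for a device that is not in the listing (or whose volume is not yet opened, so blkid cannot see the filesystem) and uuid_of refuses instead of emitting an empty UUID= field.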

Configuring the Linux kernel
Install the kernel sources, genkernel and cryptsetup packages:

Build the kernel and the initramfs with genkernel, with LUKS and LVM support so the initramfs can unlock the container and activate the volume group:

Install GRUB2
Edit /etc/default/grub and set the kernel command line. dolvm makes the genkernel initramfs activate LVM, crypt_root names the LUKS container (the crypto_LUKS UUID of /dev/sdX3 from blkid), and root is the logical volume inside it:

GRUB_CMDLINE_LINUX="dolvm crypt_root=UUID=6a7a642a-3262-4f87-9540-bcd53969343b root=/dev/mapper/vg0-root"

Mount /boot:

Install GRUB for UEFI:

Generate the GRUB configuration file:
Finalizing
While still in the chroot, remember to set the root password before rebooting:

After the installation is complete, add the lvm service to the boot runlevel. If this is not done, at the very least grub-mkconfig will warn "WARNING: Failed to connect to lvmetad. Falling back to internal scanning."

More steps to take:
 * Handbook:AMD64/Installation/Tools
 * Handbook:AMD64/Installation/Finalizing

SSD tricks
Append the genkernel TRIM parameter to the kernel command line in /etc/default/grub, so the initramfs opens the LUKS container with discards allowed:

GRUB_CMDLINE_LINUX="...root_trim=yes"

Then edit /etc/lvm/lvm.conf and set issue_discards = 1, so that LVM passes discards down to the encrypted device when logical volumes are removed or shrunk.

Caveat: with discards enabled, an attacker who reads the raw disk can see which blocks are unused, so the filesystem's free space and usage pattern leak through the encryption. That is usually an acceptable trade-off for SSD longevity on a personal machine, but it is a deliberate choice, not a free one.

Simple disk encryption without lvm
Encryption works as follows in this scenario: the OS issues I/O requests to the mapped device /dev/mapper/myname. The device-mapper layer knows that this mapping is a dm-crypt target, so it encrypts data on the way to the backing physical partition and decrypts it on the way back. The physical partition only ever holds ciphertext; the plaintext exists only behind the mapped device, and only while that mapping is open.

Creating partition
Start parted against the disk (in our example /dev/sda). It is recommended to ask parted to use optimal partition alignment:

Now parted is used to create the partition. See AMD64/Installation/Disks for information on how to create partitions.

Just create a partition of the expected size; do not set a filesystem type or format it. The next section handles that.

Create encryption layer for partition
After creating the partition, encrypt it with LUKS (where sdX is the name of the device created in the previous step). This writes the LUKS header over the start of the partition, so any existing data on it is lost:

Type YES in uppercase, enter the passphrase for the disk, and voilà: the encrypted partition is ready.

Create file system on encrypted layer
Open the encrypted partition:

myname is the name of the mapped device; it appears as /dev/mapper/myname.

Create an ext4 filesystem on the mapped device (never on the raw partition, which would overwrite the LUKS header):

Final mount
Now the encrypted device is ready for the final mount into the system.

Mount the encrypted LUKS device
Mount the mapped device (/dev/mapper/myname) into the system:

Automatic mount of encrypted disk at boot
Automatic mounting works as follows: the dmcrypt service reads /etc/conf.d/dmcrypt and creates the LUKS mapping devices. After that, the mapped devices are mounted at their locations according to fstab.

First, create a directory that will hold the keyfiles. It must be readable by root only, and it must live on the encrypted root filesystem: whoever can read the keyfile can open the disks without a passphrase.

Then create a random keyfile:

And add this keyfile to a LUKS key slot on the disk (the passphrase slot stays valid, so the disk can still be opened by hand if the keyfile is lost):

Now find the UUIDs of the encrypted disks with the **blkid** command. For example:

/dev/sda1: UUID="91d7fd8f-fa64-42f3-8491-ba9464c0c064" TYPE="crypto_LUKS" PARTLABEL="media" PARTUUID="2e1aa997-7295-4e00-b03d-de0317c25342"
/dev/sda5: UUID="281c3e94-f195-47fc-b604-7b3d8c38a513" TYPE="crypto_LUKS" PARTLABEL="data" PARTUUID="7c41cc1a-b68b-4eae-97a9-9a28be10c6c3"
/dev/sdb1: UUID="4F20-B9DB" TYPE="vfat" PARTLABEL="grub" PARTUUID="70b1627b-57e7-4559-877a-355184f0ab9d"
/dev/sdb2: UUID="DB1D-89C5" TYPE="vfat" PARTLABEL="boot" PARTUUID="b2a61809-4c19-4685-8875-e7fdf645eec5"
/dev/sdb3: UUID="6a7a642a-3262-4f87-9540-bcd53969343b" TYPE="crypto_LUKS" PARTLABEL="lvm" PARTUUID="be8e6694-b39c-4d2f-9f42-7ca455fdd64f"
/dev/mapper/root: UUID="HL32bg-ZjrZ-RBo9-PcFM-DmaQ-QbrC-9HkNMk" TYPE="LVM2_member"
/dev/mapper/vg0-root: UUID="6bedbbd8-cea9-4734-9c49-8e985c61c120" TYPE="ext4"
/dev/mapper/vg0-var: UUID="61e4cc83-a1ee-4190-914b-4b62b49ac77f" TYPE="ext4"
/dev/mapper/vg0-home: UUID="5d6ff087-50ce-400f-91c4-e3378be23c00" TYPE="ext4"
/dev/mapper/data: UUID="4be7f323-3f7e-47c7-91a3-b37d04e951aa" TYPE="ext4"
/dev/mapper/media: UUID="943629b6-391d-441a-adf1-13fcb0471fd3" TYPE="ext4"

Note: look for the entries with TYPE=**crypto_LUKS**.

In the example above, /dev/sda1 and /dev/sda5 are the encrypted partitions (note that both will be opened with the same keyfile).

Next, configure the dmcrypt service so that it automatically maps these disks for decryption/encryption using /etc/keyfiles/main. Open /etc/conf.d/dmcrypt and add:

target='data'
source=UUID='91d7fd8f-fa64-42f3-8491-ba9464c0c064'
key='/etc/keyfiles/main'

target='media'
source=UUID='281c3e94-f195-47fc-b604-7b3d8c38a513'
key='/etc/keyfiles/main'

Where target is the name of the decrypted mapped device, which is created under /dev/mapper; source is the encrypted partition, identified by its crypto_LUKS UUID so the configuration survives device renumbering; and key is the keyfile added above.

After this step, add dmcrypt to the boot runlevel:

And start the service immediately:

If everything is fine, the decrypted devices appear under /dev/mapper.

The last step is to mount the mapped devices at boot. Run blkid again and find the UUIDs of the DECRYPTED mapped devices. For example:

/dev/sda1: UUID="91d7fd8f-fa64-42f3-8491-ba9464c0c064" TYPE="crypto_LUKS" PARTLABEL="media" PARTUUID="2e1aa997-7295-4e00-b03d-de0317c25342"
/dev/sda5: UUID="281c3e94-f195-47fc-b604-7b3d8c38a513" TYPE="crypto_LUKS" PARTLABEL="data" PARTUUID="7c41cc1a-b68b-4eae-97a9-9a28be10c6c3"
/dev/sdb1: UUID="4F20-B9DB" TYPE="vfat" PARTLABEL="grub" PARTUUID="70b1627b-57e7-4559-877a-355184f0ab9d"
/dev/sdb2: UUID="DB1D-89C5" TYPE="vfat" PARTLABEL="boot" PARTUUID="b2a61809-4c19-4685-8875-e7fdf645eec5"
/dev/sdb3: UUID="6a7a642a-3262-4f87-9540-bcd53969343b" TYPE="crypto_LUKS" PARTLABEL="lvm" PARTUUID="be8e6694-b39c-4d2f-9f42-7ca455fdd64f"
/dev/mapper/root: UUID="HL32bg-ZjrZ-RBo9-PcFM-DmaQ-QbrC-9HkNMk" TYPE="LVM2_member"
/dev/mapper/vg0-root: UUID="6bedbbd8-cea9-4734-9c49-8e985c61c120" TYPE="ext4"
/dev/mapper/vg0-var: UUID="61e4cc83-a1ee-4190-914b-4b62b49ac77f" TYPE="ext4"
/dev/mapper/vg0-home: UUID="5d6ff087-50ce-400f-91c4-e3378be23c00" TYPE="ext4"
/dev/mapper/data: UUID="4be7f323-3f7e-47c7-91a3-b37d04e951aa" TYPE="ext4"
/dev/mapper/media: UUID="943629b6-391d-441a-adf1-13fcb0471fd3" TYPE="ext4"

In this example we are interested in the mapped devices /dev/mapper/*; in our case, /dev/mapper/data and /dev/mapper/media.

Finally, add these mapped devices to /etc/fstab. It should look like:

# encrypted devices
UUID=943629b6-391d-441a-adf1-13fcb0471fd3      /mnt/media    ext4      defaults        0 2
UUID=4be7f323-3f7e-47c7-91a3-b37d04e951aa      /mnt/data     ext4      defaults        0 2

Where UUID is the ID of the filesystem on the mapped device (not the crypto_LUKS UUID of the underlying partition, which belongs in /etc/conf.d/dmcrypt), /mnt/media and /mnt/data are the directories where the mapped devices are mounted, and ext4 is the filesystem on the encrypted devices.
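The keyfile, dmcrypt and fstab steps of this section in one script, added here as an example; it is not code from the original article. The UUIDs and the pairing of target names to partitions follow the article's /etc/conf.d/dmcrypt above. Assumed: a 4096-byte keyfile at /etc/keyfiles/main, one extra key slot per partition, ext4 on the opened devices, and mount points /mnt/data and /mnt/media.

```shell
#!/bin/sh
# Added example, not code from the original article: keyfile creation,
# key slot enrolment, /etc/conf.d/dmcrypt stanzas, service activation
# and the fstab lines for the two LUKS partitions of this section.
# Assumed: keyfile /etc/keyfiles/main (4096 random bytes), partitions
# /dev/sda1 and /dev/sda5 with the UUIDs from the blkid listing, target
# names data/media as in the article, ext4 inside, /mnt/data, /mnt/media.
# Run as root:  ./dmcrypt-setup.sh --apply   (DRY_RUN=1 prints commands only)
set -eu

KEYFILE=/etc/keyfiles/main
CONF=/etc/conf.d/dmcrypt

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The keyfile opens the disks without a passphrase, so it must sit on the
# encrypted root and be readable by root only. Never copy it to /boot.
make_keyfile() {
    run mkdir -p -m 0700 /etc/keyfiles
    run dd if=/dev/urandom of="$KEYFILE" bs=4096 count=1
    run chmod 0400 "$KEYFILE"
}

# Enrol the keyfile in a free key slot; the passphrase slot stays valid.
# cryptsetup asks for an existing passphrase to authorise the change.
add_key() {
    run cryptsetup luksAddKey "$1" "$KEYFILE"
}

# One /etc/conf.d/dmcrypt stanza in the form the article uses.
dmcrypt_stanza() {
    printf "target='%s'\nsource=UUID='%s'\nkey='%s'\n\n" "$1" "$2" "$3"
}

# Append a stanza unless that target is already configured (idempotent,
# so re-running the script does not produce duplicate mappings).
configure_target() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        dmcrypt_stanza "$1" "$2" "$KEYFILE"
    elif ! grep -q "^target='$1'" "$CONF" 2>/dev/null; then
        dmcrypt_stanza "$1" "$2" "$KEYFILE" >> "$CONF"
    fi
}

enable_service() {
    run rc-update add dmcrypt boot
    run rc-service dmcrypt start
}

# fstab line for an opened device. The UUID is read from the mapped
# device, i.e. the filesystem's UUID, not the crypto_LUKS one.
fstab_line() {
    u=$(blkid -s UUID -o value "/dev/mapper/$1")
    [ -n "$u" ] || { echo "fstab_line: /dev/mapper/$1 has no filesystem UUID (is dmcrypt running?)" >&2; return 1; }
    printf 'UUID=%s      %s    ext4      defaults        0 2\n' "$u" "$2"
}

if [ "${1:-}" = "--apply" ]; then
    make_keyfile
    add_key /dev/sda1
    add_key /dev/sda5
    configure_target data  91d7fd8f-fa64-42f3-8491-ba9464c0c064
    configure_target media 281c3e94-f195-47fc-b604-7b3d8c38a513
    enable_service
    if [ "${DRY_RUN:-0}" != 1 ]; then
        fstab_line data /mnt/data
        fstab_line media /mnt/media
    fi
fi
```

Because the keyfile lives on the root filesystem, these two disks are exactly as protected as root is: once root is unlocked at boot they open automatically, and a copy of the root filesystem image contains the key. Back the keyfile up somewhere encrypted, or keep the passphrase slot and remember the passphrase, since losing both means losing the data.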