User:MintyTHPS/Encrypting a system with LVM on LUKS

From Gentoo Wiki

Using LVM over a LUKS encrypted partition can be beneficial for security and convenience on a desktop system, as multiple partitions can exist under the LUKS container and be unlocked with a single key or passphrase. This also means that non-root partitions on the system such as /home or swap can reside under the encrypted LUKS partition.

This guide is designed for EFI systems using a GPT layout, but some parts may be applied to other systems with some considerations and changes.

Installation

Emerge

Note
sys-fs/cryptsetup is included in the Gentoo installation media, so it does not need to be emerged at this point when installing from that media.
root #emerge --ask sys-fs/cryptsetup

System preparation

This guide is meant to be followed alongside the Gentoo AMD64 Handbook which should be followed until the section Designing a partition scheme.

Disk preparation

Warning
Partitioning a disk will delete any data stored on the modified or deleted partitions.
Important
Although partitioning a disk will delete the data residing on it, this data may still be recoverable even after it is deleted. Users wishing to wipe a disk clean should refer to Secure wipe.

EFI System layout

CODE Partition scheme with boot, swap, home and root partitions.
/dev/sda
├─sda1                       /boot             1G      vfat          (bootloader, kernel, support files, initramfs)
└─sda2                                         ->END   crypto_LUKS   (partition containing encrypted LUKS container)
  └─luks-x-x-x-x                               ->END   LVM2_member   (encrypted LUKS container)
    ├─VolGroupGentoo-swap                      4G      swap          (logical volume 1 - swap)
    ├─VolGroupGentoo-root    /                 16G     xfs           (logical volume 2 - root)
    └─VolGroupGentoo-home    /home             ->END   xfs           (logical volume 3 - home)
Note
Using a separate partition for /home is optional, and the remainder of the space in the LVM group can be dedicated to /.


Partitioning the disk

To partition the disk, fdisk, cfdisk, or any other partitioning tool can be used. For this guide, a 1G partition will be created as the boot partition, and the rest of the disk will be dedicated to the encrypted LUKS container, which will be created later in the guide. The boot partition can be any size, but 1G is a good rule of thumb.


Preparing the boot partition

Since this guide is designed for EFI systems, an EFI partition will be necessary which will later be mounted to /boot. Some users may prefer mounting the partition at /efi or /boot/efi which are both fine, but in this guide, /boot will be the mountpoint for the boot partition.

EFI boot partitions must be formatted as FAT32. Format the boot partition created in the previous step:

root #mkfs.fat -F32 /dev/sda1


Creating the encrypted LUKS container

The LUKS container can be created with the following command. The user will be asked to type "YES" in all capital letters to confirm the action, as all data on the specified partition will be erased.

root #cryptsetup luksFormat /dev/sda2

The user will then be prompted to create a security passphrase and enter it twice. For more information and the available options for cryptsetup, refer to Dm-crypt or the cryptsetup man page.


Opening the encrypted LUKS container

The newly created LUKS container can be opened with:

root #cryptsetup open /dev/sda2 lvmgentoo

The LUKS container (/dev/sda2) can be opened using any name. lvmgentoo is used as an example. In this case, it will be visible at /dev/mapper/lvmgentoo.


Creating logical volumes

Before logical volumes can be created within the LUKS container, the opened container must first be initialized as an LVM physical volume:

root #pvcreate /dev/mapper/lvmgentoo

A volume group must also be created. A volume group can be extended later and can span physical volumes on other devices, but that will not be covered in this guide. To create the volume group, use:

root #vgcreate VolGroupGentoo /dev/mapper/lvmgentoo

VolGroupGentoo is used in this example, but this can be replaced with any desired name. lvmgentoo is the name the LUKS container was opened with in the previous step.

The logical volumes can now be created:

root #lvcreate -L 4G -n swap VolGroupGentoo
root #lvcreate -L 16G -n root VolGroupGentoo
root #lvcreate -l 100%FREE -n home VolGroupGentoo
Note
In this example, /home will reside on its own logical volume; however, this is not necessary and may not be desirable on most desktops, as it can be difficult to decide in advance how much space the root partition will need. In most cases, having /home reside within the root partition will suffice unless there is a particular reason to have a dedicated volume for it.

If a separate logical volume is not needed for /home, the following can be issued instead:

root #lvcreate -L 4G -n swap VolGroupGentoo
root #lvcreate -l 100%FREE -n root VolGroupGentoo

The logical volumes can now be formatted to use any desired filesystems. In this example, / and /home will both use XFS.

root #mkfs.xfs /dev/VolGroupGentoo/root
root #mkfs.xfs /dev/VolGroupGentoo/home
Important
If XFS is used, sys-fs/xfsprogs will need to be emerged later when chrooted into the system.

The swap logical volume can now be initialized as swap space:

root #mkswap /dev/VolGroupGentoo/swap


Mounting filesystems

The filesystems should now be mounted assuming this guide is being followed for a fresh Gentoo installation. The boot partition should also be mounted now, assuming it was prepared earlier in the guide.

root #mount --mkdir /dev/VolGroupGentoo/root /mnt/gentoo
root #mount --mkdir /dev/VolGroupGentoo/home /mnt/gentoo/home
root #swapon /dev/VolGroupGentoo/swap
root #mount --mkdir /dev/sda1 /mnt/gentoo/boot
Note
Although the boot partition is often mounted at /efi, it can also be mounted at /boot, even on EFI systems. In this guide, it will be mounted at /boot to avoid any confusion or inconsistency when using software such as GRUB or Dracut.
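Once everything is mounted, it is worth confirming that the layout actually matches the goal of this guide: nothing but the boot partition is stored in the clear. The following script is an added example, not part of this wiki page; the function name check_encrypted_layout and the sample lsblk output are assumptions. It parses the key="value" format of lsblk -P and walks each mounted device's parents (the PKNAME column) looking for a dm-crypt node, so a filesystem or swap device that was accidentally created on a plain partition is reported.

```shell
#!/bin/sh
# Added example (not from the wiki page): confirm that everything mounted for
# the installation, except the boot partition, lives under the LUKS container.
# Input is the key="value" output of:
#   lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME
# PKNAME is each device's parent, which lets us walk up to a TYPE="crypt" node.

# Constructed sample output matching the partition scheme used in this guide.
SAMPLE_LSBLK='NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/mnt/gentoo/boot" PKNAME="sda"
NAME="sda2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="sda"
NAME="lvmgentoo" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT="" PKNAME="sda2"
NAME="VolGroupGentoo-swap" TYPE="lvm" FSTYPE="swap" MOUNTPOINT="[SWAP]" PKNAME="lvmgentoo"
NAME="VolGroupGentoo-root" TYPE="lvm" FSTYPE="xfs" MOUNTPOINT="/mnt/gentoo" PKNAME="lvmgentoo"
NAME="VolGroupGentoo-home" TYPE="lvm" FSTYPE="xfs" MOUNTPOINT="/mnt/gentoo/home" PKNAME="lvmgentoo"'

# Reads lsblk -P lines on stdin. Prints one verdict per mounted device and
# exits 1 if any mounted device other than /boot or /efi is not under dm-crypt.
check_encrypted_layout() {
    awk '
    {
        n = ""; t = ""; m = ""; p = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            v = kv[2]; gsub(/"/, "", v)
            if (kv[1] == "NAME") n = v
            else if (kv[1] == "TYPE") t = v
            else if (kv[1] == "MOUNTPOINT") m = v
            else if (kv[1] == "PKNAME") p = v
        }
        type[n] = t; mnt[n] = m; parent[n] = p
    }
    END {
        bad = 0
        for (d in mnt) {
            if (mnt[d] == "") continue          # unmounted disk or container
            enc = 0
            for (a = parent[d]; a != ""; a = parent[a])
                if (type[a] == "crypt") enc = 1
            if (enc)
                print "encrypted:    " d " -> " mnt[d]
            else if (mnt[d] ~ "(/boot|/efi)$")
                print "plaintext ok: " d " -> " mnt[d] " (boot partition)"
            else {
                print "UNENCRYPTED:  " d " -> " mnt[d]
                bad = 1
            }
        }
        exit bad
    }'
}

# With --live the real block device tree is checked; otherwise the sample is used.
if [ "${1:-}" = "--live" ]; then
    lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME | check_encrypted_layout
else
    printf '%s\n' "$SAMPLE_LSBLK" | check_encrypted_layout
fi
```

Run it with --live from the installation environment after the mount commands above; a non-zero exit status means a mounted filesystem or swap device bypasses the LUKS container.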

Gentoo installation

If this guide is being followed for a fresh Gentoo installation, and has been followed up to this point, users should continue following the handbook from: Choosing a stage file.

Users can return to this guide once the step Configuring the kernel is reached.


Initramfs configuration

Important
The rest of this guide should be followed while chrooted into the actual Gentoo installation.

Dracut

Dracut can be used with sys-kernel/installkernel to easily generate an initramfs.

sys-kernel/installkernel should be built with the dracut USE flag, and if sys-boot/grub will be used, the grub USE flag will also be necessary.

FILE /etc/portage/package.use/installkernel
sys-kernel/installkernel dracut grub

installkernel can now be emerged; it will automatically pull in Dracut if the USE flag was applied:

root #emerge --ask --verbose sys-kernel/installkernel

Dracut configuration

Dracut will need the crypt and lvm modules to be specified in its configuration in order to recognize the encrypted LVM system.

Create the dracut.conf.d folder if it doesn't already exist.

root #mkdir -p /etc/dracut.conf.d

A LUKS configuration file can now be created in the new folder. This is the file where the user will specify which modules Dracut should load. The crypt and lvm modules should be specified.

FILE /etc/dracut.conf.d/luks.conf
add_dracutmodules+=" crypt lvm "
Important
The formatting of the Dracut configuration parameters is important. Because += appends to a value that may already be set, the space characters ( ) between the quotation marks and the actual parameters are required so that adjacent entries do not run together.

The root filesystem inside the encrypted volume group must also be specified on the kernel command line, which can be set in the same file. The value below is a placeholder; replace it with the UUID of the root logical volume's filesystem (as reported by blkid).

FILE /etc/dracut.conf.d/luks.conf
kernel_cmdline+=" root=UUID=<root-filesystem-UUID> "
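The two settings above are easy to get wrong by hand: a mistyped UUID, a UUID taken from the wrong device, or a missing space inside the quotes. The following script is an added example, not part of this wiki page. The function names (blkid_uuid, dracut_luks_conf, check_dracut_padding) and the sample blkid output with its UUIDs are constructed for illustration. It builds the whole luks.conf from the export-format output of blkid, refusing a device whose TYPE is not what was expected, and then checks the space padding rule. It goes slightly beyond the page's own configuration by also passing rd.luks.uuid and rd.lvm.vg, which are dracut's own command-line parameters (see dracut.cmdline(7)) for naming the LUKS container to unlock and the volume group to activate.

```shell
#!/bin/sh
# Added example, not part of the wiki page: build /etc/dracut.conf.d/luks.conf
# from `blkid -o export` output and check the space padding dracut requires.

# Constructed sample of `blkid -o export /dev/sda2` (UUIDs are made up).
SAMPLE_LUKS_BLKID='DEVNAME=/dev/sda2
UUID=0f2a9c3e-1b7d-4e55-9a0c-6d8e2f4b1c33
TYPE=crypto_LUKS
PARTUUID=7e4d1a2b-02'

# Constructed sample of `blkid -o export /dev/VolGroupGentoo/root`.
SAMPLE_ROOT_BLKID='DEVNAME=/dev/mapper/VolGroupGentoo-root
UUID=5c1e7a90-3d44-4b1f-8e2a-9f6c0b2d7e11
BLOCK_SIZE=512
TYPE=xfs'

# Print the UUID from blkid export output on stdin, but only if the TYPE
# matches what we expect, so a wrong device is caught instead of silently used.
blkid_uuid() {           # usage: blkid_uuid <expected TYPE>  < blkid-export-output
    awk -F= -v want="$1" '
        $1 == "UUID" { uuid = $2 }
        $1 == "TYPE" { type = $2 }
        END {
            if (type != want) {
                print "expected TYPE=" want ", got " type > "/dev/stderr"
                exit 1
            }
            print uuid
        }'
}

# Emit the dracut configuration. rd.luks.uuid selects the LUKS container to
# unlock and rd.lvm.vg the volume group to activate; root=UUID= is the root
# filesystem's UUID, as in the page's configuration.
dracut_luks_conf() {     # usage: dracut_luks_conf <luks uuid> <root fs uuid> <volume group>
    printf 'add_dracutmodules+=" crypt lvm "\n'
    printf 'kernel_cmdline+=" rd.luks.uuid=%s rd.lvm.vg=%s root=UUID=%s "\n' "$1" "$3" "$2"
}

# dracut concatenates += values, so each must start and end with a space.
# Returns 0 if every += line on stdin is padded, 1 otherwise.
check_dracut_padding() {
    awk '
        /\+=/ {
            val = $0
            sub(/^[^"]*"/, "", val)     # drop everything up to the opening quote
            sub(/"[^"]*$/, "", val)     # drop the closing quote and anything after
            if (val !~ /^ .* $/) { print "unpadded value on line " NR ": " $0; bad = 1 }
        }
        END { exit bad }'
}

# Generate the configuration from the constructed samples and verify it.
luks=$(printf '%s\n' "$SAMPLE_LUKS_BLKID" | blkid_uuid crypto_LUKS)
rootfs=$(printf '%s\n' "$SAMPLE_ROOT_BLKID" | blkid_uuid xfs)
dracut_luks_conf "$luks" "$rootfs" VolGroupGentoo | check_dracut_padding
dracut_luks_conf "$luks" "$rootfs" VolGroupGentoo
```

On a real system, feed the functions with blkid -o export /dev/sda2 and blkid -o export /dev/VolGroupGentoo/root instead of the samples, and redirect the last line into /etc/dracut.conf.d/luks.conf.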

installkernel, and through it dracut, is invoked automatically when make install is run after the kernel has been compiled, so it is usually not necessary to generate the initramfs manually at this point in the configuration.

Bootloader configuration

GRUB

Kernel configuration

Configuring the kernel should be followed at this point, bearing in mind that some extra kernel configuration is required for sys-fs/cryptsetup to work properly.

Before the kernel is configured to work with cryptsetup, the package sys-fs/cryptsetup must be emerged while chrooted into the actual Gentoo installation if it is not already installed.

root #emerge --ask --verbose sys-fs/cryptsetup
Important
The necessary kernel options can be found at Dm-crypt#Kernel Configuration.

At this point, users should continue configuring the kernel to their liking, while following the Handbook.
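A kernel that lacks dm-crypt or the cipher used by the LUKS container will boot to an initramfs that cannot unlock the root volume, so it is worth checking the kernel configuration before compiling. The following script is an added example, not part of this wiki page. The option list is an assumption: it is a small subset of real kernel symbols sufficient for the layout in this guide (dm-crypt with the aes-xts default cipher and an XFS root), not the complete list from the Dm-crypt page, and the function name check_kernel_options and the sample .config fragment are constructed.

```shell
#!/bin/sh
# Added example, not from the wiki page: check a kernel .config for the options
# an initramfs needs to unlock a LUKS container and mount an XFS root on LVM.
# The list is an assumed minimal subset, not the full Dm-crypt#Kernel
# Configuration list; extend it as needed.
REQUIRED_OPTIONS='CONFIG_BLK_DEV_DM CONFIG_DM_CRYPT CONFIG_CRYPTO_AES CONFIG_CRYPTO_XTS CONFIG_XFS_FS'

# Constructed .config fragment: DM_CRYPT is built as a module, XTS is missing.
SAMPLE_CONFIG='CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=m
CONFIG_CRYPTO_AES=y
# CONFIG_CRYPTO_XTS is not set
CONFIG_XFS_FS=y'

# Reads a .config on stdin. Prints "<OPTION> y|m|missing" for each required
# option and exits 1 if any is missing. =m is reported but accepted, because
# dracut can place the module in the initramfs, whereas a missing option
# cannot be fixed without reconfiguring and rebuilding the kernel.
check_kernel_options() {   # usage: check_kernel_options < /usr/src/linux/.config
    awk -v wanted="$REQUIRED_OPTIONS" '
        BEGIN { n = split(wanted, opt, " ") }
        /^CONFIG_[A-Z0-9_]+=[ym]$/ { split($0, kv, "="); state[kv[1]] = kv[2] }
        END {
            for (i = 1; i <= n; i++) {
                s = (opt[i] in state) ? state[opt[i]] : "missing"
                print opt[i] " " s
                if (s == "missing") bad = 1
            }
            exit bad
        }'
}

if printf '%s\n' "$SAMPLE_CONFIG" | check_kernel_options; then
    echo "all required options present"
else
    echo "required options missing: reconfigure the kernel before compiling"
fi
```

Against the real tree, run check_kernel_options < /usr/src/linux/.config from the chroot before make; anything reported as missing has to be enabled under Device Drivers and Cryptographic API before the initramfs built by Dracut will be able to open the container.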

Once the kernel is compiled, make install calls installkernel, which in turn calls Dracut to generate an initramfs.

Tip
Dracut can also be called directly whenever a new initramfs is needed:
root #dracut --force