User:MintyTHPS/Encrypting a system with LVM on LUKS
Using LVM over a LUKS encrypted partition can be beneficial for security and convenience on a desktop system, as multiple volumes can exist under the LUKS container and be unlocked with a single key or passphrase. This also means that non-root partitions on the system such as /home or swap can reside under the encrypted LUKS partition.
This guide is designed for EFI systems using a GPT layout, but some parts may be applied to other systems with some considerations and changes.
Installation
Emerge
sys-fs/cryptsetup is included in Gentoo installation media, so it is not necessary to emerge it at this point if Gentoo installation media is being used.
root #
emerge --ask sys-fs/cryptsetup
System preparation
This guide is meant to be followed alongside the Gentoo AMD64 Handbook which should be followed until the section Designing a partition scheme.
Disk preparation
Partitioning a disk will delete any data stored on the modified or deleted partitions.
Deleting or re-creating a partition does not overwrite the data that was on it, so that data may still be recoverable afterwards. Users wishing to wipe a disk clean before encrypting it should refer to Secure wipe.
EFI System layout
/dev/sda
├─sda1   /boot   1G      vfat         (bootloader, kernel, support files, initramfs)
└─sda2           ->END   crypto_LUKS  (partition containing the encrypted LUKS container)
  └─luks-x-x-x-x ->END   LVM2_member  (opened LUKS container; named lvmgentoo while following this guide, Dracut names it luks-<UUID> at boot)
    ├─VolGroupGentoo-swap         4G     swap  (logical volume 1 - swap)
    ├─VolGroupGentoo-root  /      16G    xfs   (logical volume 2 - root)
    └─VolGroupGentoo-home  /home  ->END  xfs   (logical volume 3 - home)
Using a separate volume for /home is optional, and the remainder of the space in the LVM volume group can be dedicated to / instead.
Partitioning the disk
To partition the disk, fdisk or cfdisk can be used. Any other partitioning software can also be used. For this guide, a 1G partition will be created as the boot partition, and the rest of the disk will be dedicated to the encrypted LUKS container which will be created later in the guide. The boot partition can be any size, but 1G is a good rule of thumb.
Preparing the boot partition
Since this guide is designed for EFI systems, an EFI System Partition will be necessary, which will later be mounted at /boot. Some users may prefer mounting the partition at /efi or /boot/efi, which are both fine, but in this guide /boot will be the mountpoint for the boot partition.
EFI boot partitions must be formatted as FAT32. Format the boot partition created in the previous step:
root #
mkfs.fat -F32 /dev/sda1
Creating the encrypted LUKS container
The LUKS container can be created with the following command. The user will be asked to type "YES" in all capital letters to confirm the action, as all data on the specified partition will be erased.
root #
cryptsetup luksFormat /dev/sda2
The user will then be prompted to create a security passphrase and enter it twice. For more information and available options for cryptsetup, refer to Dm-crypt or the cryptsetup man-page.
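Before putting anything inside the new container it is worth confirming what luksFormat actually produced: the LUKS version, the cipher, how many keyslots are populated and which PBKDF protects them. The following script is an added example, not part of the original guide. It parses `cryptsetup luksDump` output and fails unless the header is LUKS2 with argon2id in every keyslot; the two dumps embedded in it are constructed to resemble cryptsetup 2.x output for a LUKS2 and a LUKS1 header and were not captured from a real disk.

```shell
#!/bin/sh
# Added example: audit a LUKS header dump before trusting the container.
# Real use (needs root):  cryptsetup luksDump /dev/sda2 | luks_audit
# The sample dumps below are constructed, not captured from a real device.

# luks_audit reads `cryptsetup luksDump` text on stdin and prints one line:
#   VERSION=<n> KEYSLOTS=<populated slots> PBKDF=<list> CIPHER=<list>
# Exit status is 0 only for a LUKS2 header whose keyslots all use argon2id,
# so the function can gate an installation script.
luks_audit() {
    awk '
        function add(list, x) {            # append x to a comma list unless present
            if (list == "") return x
            if (index("," list ",", "," x ",")) return list
            return list "," x
        }
        /^Version:/                { version = $2 }
        /^ +[0-9]+: luks2$/        { slots++ }                    # LUKS2 keyslot header
        /^Key Slot [0-7]: ENABLED/ { slots++ }                    # LUKS1 keyslot line
        /^[ \t]+PBKDF:/            { pbkdfs = add(pbkdfs, $2) }   # LUKS2 per-keyslot PBKDF
        /^[ \t]+cipher:/           { ciphers = add(ciphers, $2) } # LUKS2 data segment cipher
        /^Cipher name:/            { cname = $3 }                 # LUKS1 prints cipher and mode
        /^Cipher mode:/            { cmode = $3 }                 # on separate lines
        END {
            if (cname != "") ciphers = add(ciphers, cname "-" cmode)
            if (version == "1" && pbkdfs == "") pbkdfs = "pbkdf2"  # LUKS1 only supports PBKDF2
            printf "VERSION=%s KEYSLOTS=%d PBKDF=%s CIPHER=%s\n", version, slots + 0, pbkdfs, ciphers
            exit ((version == "2" && slots >= 1 && pbkdfs == "argon2id") ? 0 : 1)
        }'
}

# Constructed LUKS2 dump: two argon2id keyslots, aes-xts-plain64 data segment.
sample_luks2_dump() {
cat <<'EOF'
LUKS header information
Version:        2
Epoch:          4
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           5f1d2c3b-0000-4000-8000-0123456789ab
Label:          (no label)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
  1: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 131072
EOF
}

# Constructed LUKS1 dump: one enabled slot, PBKDF2 only, which the audit rejects.
sample_luks1_dump() {
cat <<'EOF'
LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
UUID:           0c9d8e7f-1111-4222-8333-0123456789ab

Key Slot 0: ENABLED
        Iterations:             1300000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
EOF
}

# With a device argument audit the real header; otherwise demo on the sample.
if [ "$#" -gt 0 ]; then
    cryptsetup luksDump "$1" | luks_audit
else
    sample_luks2_dump | luks_audit
fi
```

A non-zero exit here is a cue to redo luksFormat with explicit options rather than continue. Once the header looks right, a practitioner would also back it up (cryptsetup luksHeaderBackup) and store the backup off the disk, since a damaged header makes every keyslot, and therefore the whole container, unrecoverable.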
Opening the encrypted LUKS container
The newly created LUKS container can be opened with:
root #
cryptsetup open /dev/sda2 lvmgentoo
The LUKS container (/dev/sda2) can be opened using any name; lvmgentoo is used as an example. In this case, the unlocked device will be visible at /dev/mapper/lvmgentoo.
Creating logical volumes
In order to create logical volumes within the LUKS container, a physical volume will have to be created in the LUKS container first. A physical volume can be created in the LUKS container with:
root #
pvcreate /dev/mapper/lvmgentoo
A volume group must also be created. This volume group can be extended later and can span physical volumes on other devices, but that will not be covered in this guide. To create the volume group, use:
root #
vgcreate VolGroupGentoo /dev/mapper/lvmgentoo
VolGroupGentoo is used in this example, but this can be replaced with any desired name. In this example, lvmgentoo refers to whatever name the LUKS container was opened with.
The logical volumes can now be created:
root #
lvcreate -L 4G -n swap VolGroupGentoo
root #
lvcreate -L 16G -n root VolGroupGentoo
root #
lvcreate -l 100%FREE -n home VolGroupGentoo
In this example, /home will reside on its own logical volume. This is not necessary and may not be desirable on most desktops, because it forces the user to commit to a fixed size for the root volume up front. In most cases, having /home reside within the root volume will suffice unless there is a particular reason to have a dedicated volume for it.
If a separate logical volume is not needed for /home, the following can be issued instead:
root #
lvcreate -L 4G -n swap VolGroupGentoo
root #
lvcreate -l 100%FREE -n root VolGroupGentoo
The logical volumes can now be formatted with any desired filesystems. In this example, / and /home will both use XFS.
root #
mkfs.xfs /dev/VolGroupGentoo/root
root #
mkfs.xfs /dev/VolGroupGentoo/home
If XFS is used, sys-fs/xfsprogs will need to be emerged later when chrooted into the system.
The swap logical volume can now be formatted as swap space.
root #
mkswap /dev/VolGroupGentoo/swap
Mounting filesystems
The filesystems should now be mounted assuming this guide is being followed for a fresh Gentoo installation. The boot partition should also be mounted now, assuming it was prepared earlier in the guide.
root #
mount --mkdir /dev/VolGroupGentoo/root /mnt/gentoo
root #
mount --mkdir /dev/VolGroupGentoo/home /mnt/gentoo/home
root #
swapon /dev/VolGroupGentoo/swap
root #
mount --mkdir /dev/sda1 /mnt/gentoo/boot
Although the boot partition is often mounted at /efi, it can also be mounted at /boot even on EFI systems. In this guide, it will be mounted at /boot to avoid any confusion or inconsistency when using software such as GRUB or Dracut.
Gentoo installation
If this guide is being followed for a fresh Gentoo installation, and has been followed up to this point, users should continue following the handbook from: Choosing a stage file.
Users can return to this guide once the step Configuring the kernel is reached.
Initramfs configuration
The rest of this guide should be followed while chrooted into the actual Gentoo installation.
Dracut
Dracut can be used with sys-kernel/installkernel to easily generate an initramfs.
sys-kernel/installkernel should be built with the dracut USE flag, and if sys-boot/grub will be used, the grub USE flag will also be necessary.
/etc/portage/package.use/installkernel
sys-kernel/installkernel dracut grub
installkernel can now be emerged. It will automatically pull in Dracut if the USE flag was applied:
root #
emerge --ask --verbose sys-kernel/installkernel
Dracut configuration
Dracut will need the crypt and lvm modules to be specified in its configuration in order to recognize the encrypted LVM system.
Create the dracut.conf.d directory if it doesn't already exist (-p makes the command succeed when it does):
root #
mkdir -p /etc/dracut.conf.d
A LUKS configuration file can now be created in the new directory. This is the file where the user specifies which modules Dracut should load; the crypt and lvm modules should be specified.
/etc/dracut.conf.d/luks.conf
add_dracutmodules+=" crypt lvm "
The formatting of the Dracut configuration parameters is important. The space characters between the quotation marks and the actual parameters are required, because Dracut concatenates the values of every += assignment into one string and the words would otherwise run together.
The encrypted volumes will also need to be specified on the kernel command line, which can be set in the same file. The UUID is that of the root filesystem on the root logical volume (as reported by blkid), not that of the LUKS partition.
/etc/dracut.conf.d/luks.conf
kernel_cmdline+=" root=UUID=b079209-p055-5555-4591- "
installkernel and dracut are typically called after the kernel configuration when make install is executed, so it may not be necessary to run a command to generate the initramfs at this point in the configuration.
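The two configuration lines above are easy to get wrong by hand: a missing padding space silently merges words, and a mistyped UUID is only discovered at the first reboot. The script below is an added example, not part of the original guide or of Dracut. It generates luks.conf from UUIDs passed as arguments and checks the quoting rule before the file is installed. It goes one step beyond the guide's own line by also emitting rd.luks.uuid= (the LUKS partition to unlock) and rd.lvm.lv= (the volume group/logical volume to activate), both documented in dracut.cmdline(7), so the initramfs does not depend on host-only auto-detection; the UUIDs used in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original guide): generate and validate
# /etc/dracut.conf.d/luks.conf for a LUKS-on-LVM root.
# On the installed system the real UUIDs come from blkid (needs root):
#   LUKS_UUID=$(blkid -s UUID -o value /dev/sda2)
#   ROOT_UUID=$(blkid -s UUID -o value /dev/VolGroupGentoo/root)
#   dracut_luks_conf "$LUKS_UUID" VolGroupGentoo root "$ROOT_UUID" > /etc/dracut.conf.d/luks.conf

# dracut_luks_conf LUKS_PART_UUID VG LV ROOT_FS_UUID
# Prints the two configuration lines. rd.luks.uuid= names the LUKS device to
# unlock, rd.lvm.lv=VG/LV the logical volume to activate, root= the filesystem
# to mount. Every value is padded with a space inside the quotes, as Dracut's
# += syntax requires.
dracut_luks_conf() {
    luks_uuid=$1; vg=$2; lv=$3; root_uuid=$4
    printf 'add_dracutmodules+=" crypt lvm "\n'
    printf 'kernel_cmdline+=" rd.luks.uuid=%s rd.lvm.lv=%s/%s root=UUID=%s "\n' \
        "$luks_uuid" "$vg" "$lv" "$root_uuid"
}

# check_dracut_conf FILE
# Exit 0 if every name+="..." line has a space after the opening quote and
# before the closing one; otherwise print the offending line(s) and exit 1.
check_dracut_conf() {
    awk '
        /^[A-Za-z_]+[+]=/ {
            val = $0
            sub(/^[^=]*=/, "", val)                  # strip the  name+=  prefix
            if (val !~ /^" .* "$/) { print "bad quoting: " $0; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }' "$1"
}

# Demo with constructed placeholder UUIDs: write a conf file, validate, show it.
demo() {
    tmp=$(mktemp)
    dracut_luks_conf 3b8e4c1a-0000-4000-8000-aaaaaaaaaaaa VolGroupGentoo root \
                     9d7f1e22-0000-4000-8000-bbbbbbbbbbbb > "$tmp"
    if check_dracut_conf "$tmp"; then rc=0; else rc=1; fi
    cat "$tmp"
    rm -f "$tmp"
    return $rc
}

# Negative case: the guide's warning in action. Returns 0 when the checker
# correctly rejects a line written without the padding spaces.
bad_conf_check() {
    tmp=$(mktemp)
    printf 'add_dracutmodules+="crypt lvm"\n' > "$tmp"
    if check_dracut_conf "$tmp" >/dev/null; then rc=1; else rc=0; fi
    rm -f "$tmp"
    return $rc
}

demo
```

Run the generated file through check_dracut_conf before copying it into /etc/dracut.conf.d; after the next dracut run, `lsinitrd` on the resulting image can confirm that the crypt and lvm modules and the command line actually made it in.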
Bootloader configuration
GRUB
Kernel configuration
Configuring the kernel should be followed at this point, with the consideration that some extra configuration is required for sys-fs/cryptsetup to work properly.
Before the kernel is configured to work with cryptsetup, the package sys-fs/cryptsetup must be emerged while chrooted into the actual Gentoo installation if it is not already installed.
root #
emerge --ask --verbose sys-fs/cryptsetup
The necessary kernel options can be found at Dm-crypt#Kernel Configuration.
At this point, users should continue configuring the kernel to their liking, while following the Handbook.
Once the kernel is compiled, installkernel will be called by the make install command, and Dracut will in turn be called by installkernel to generate an initramfs.
It is still possible for the user to call Dracut directly and generate a new initramfs if a new initramfs is ever needed.
root #
dracut --force