LVM/Luks Encryption: Difference between revisions
No edit summary |
No edit summary |
||
Line 171: | Line 171: | ||
mount -o bind /dev /mnt/dev | mount -o bind /dev /mnt/dev | ||
chroot /mnt | chroot /mnt | ||
When you update your kernel all you have to do is make another initrd (run the same command mkinitrd_commaand_generator.sh gave you earlier with updated kernel info), | |||
edit /etc/lilo.conf to reflect the new kernel and run lilo |
Latest revision as of 20:24, 14 November 2018
LVM
LVM is a tool for logical volume management which includes allocating disks, striping, mirroring and resizing logical volumes. With LVM, a hard drive or set of hard drives is allocated to one or more physical volumes. LVM physical volumes can be placed on other block devices which might span two or more disks.
LUKS
LUKS is the standard for Linux hard disk encryption. By providing a standard on-disk-format, it does not only facilitate compatibility among distributions, but also provides secure management of multiple user passwords. LUKS stores all necessary setup information in the partition header, enabling you to transport or migrate data seamlessly.
This article assumes that this will be the only operating system installed. Also wherever you see sdx2 it is referring to the single large partition (probably /dev/sda2) made in the first step. It also assumes you know your way around the slackware installer. Swap space setup is documented here but note its only needed if you plan to hibernate e.g. a laptop.
Partitioning
Boot the installer. Login as root and run
cfdisk
What you’re doing here is setting up the partitions. Essentially, we’re dividing up the hard drive into a few logical partitions so that certain things can run in certain places, and not be affected by others. In order to create a bootable encrypted drive there needs to be a small partition that is not encrypted, it’s unencrypted and readable, so the computer can use it to figure out how to start the operating system.
The first partition to make is a boot partition. Delete every other existing partition (if there are any) and write (again, assuming this will be your only OS). Next, select new and create a primary partition that is relatively small, I usually do 1G (which is rather large but i often juggle multiple kernels). Select Beginning, which puts the partition at the front of the disk. DO NOT forget to make the first partition bootable, otherwise the installation won’t know to use this partition to install the boot scripts and such.
Next, create another partition with the remaining space. Follow the same steps, except do not make it bootable and use the rest of the available space. Just hit enter when it asks how much space to use. After you’ve done this, make sure you go down and select write to ensure the changes are made. Then exit cfdisk.
It's a good idea for you to rewrite the entire large partition with random data. This is so computer forensics folks cannot determine where encryption starts and stops, making it harder to find out a way to circumvent the encryption and stuff. To do this, run
dd if=/dev/urandom of=/dev/sdx2
NOTE*** this can take quite some time.
LVM / Luks Config
LVM or Logical Volume Manager is used here to configure volumes inside of the large partition set up earlier (sdx2). LVM makes it easy to separate things internally and keep it all encrypted as one partition.
cryptsetup -s 512 -y luksFormat /dev/sdx2
Type YES, then decide on a password and type it. Be careful, later on if you put stuff on the drive and you forget your password, it’s gone forever. Such is the nature of encryption.
Basically this is setting up luks encryption on /dev/sdx2.
cryptsetup luksOpen /dev/sdx2 slackcrypt
pvcreate is a linux command used to initialize physical volumes for use by logical volume management (lvm) later.
pvcreate /dev/mapper/slackcrypt
This creates the volume group “cryptvg”.
vgcreate cryptvg /dev/mapper/slackcrypt
Create three internal logical volumes, root, home, and swap. If you have a unique setup and prefer it a different way, just follow the same steps and size them how you want. the sizes used are example only
lvcreate -L 20G -n root cryptvg
lvcreate -L 2G -n swap cryptvg
lvcreate -l 100%FREE -n home cryptvg
These will be your /root, /home, and /swap “partitions”. You can adjust the sizes to whatever you want them to be. I use a pretty large amount of space in root because I have run out of space installing tons of programs before, but I’ve also used tiny root partitions on machines where I didn’t plan on installing much. It really depends, but if you have the extra space I’d do like 20+ just to be on the safe side. The home directory gets everything that’s not allocated to swap or root.
Next thing we’ve got to do is make sure some nodes get set so everything knows where things are and what not
vgscan --mknodes
vgchange -ay
make sure the slackware installer can detect the swap partition
mkswap /dev/cryptvg/swap
Slack Setup and Installation
Run the slackware installer
setup
the installer will walk you through it from here. it should auto-detect the swap partition we designated
Selecting root partition
Make sure you select /dev/cryptvg/root here, because that’ll be your LVM root partition. Pick whichever file-system you like. After that it should bring you back to the same screen. It’s important to designate your other partitions here.
Select /dev/cryptvg/home and format it.
Next designate boot, which is essential, otherwise your machine will not work properly. Select /dev/sdx1/ (probably /dev/sda1), format it, and type /boot. Now simply install slackware as you normally would until you get to
Install LILO
To install the bootloader Lilo select expert, then begin. Ignore the optional LILO Append, you probably don’t need to do anything with that. Select mbr, hit confirm when it asks you to confirm /dev/sdx (probably /dev/sda), and keep going through the options until you’re back at the screen where you selected “begin”.
Now you have to select Linux: Add a linux partition... and select /dev/cryptvg/root. (/dev/cryptvg/root, NOT /boot).
Once that’s been selected, install lilo. . Continue with the installation until you reach a screen listing slackwares installation steps.
Eit the installer and select No to get dropped to a command prompt.
Creating an initrd
Now we have to fix lilo because of our encryption scheme.
chroot /mnt
The simple explanation for this command is that you basically just entered the installed system, which is mounted at /mnt. Now you can work on things that are installed on the system.
The initial RAM disk (initrd) is an initial root file system that is mounted prior to when the real root file system is available. The initrd is bound to the kernel and loaded as part of the kernel boot procedure. to create an initrd run
/usr/share/mkinitrd/mkinitrd_command_generator.sh
it will look similar to this
mkinitrd -c -k 4.19.0 -f ext4 -r /dev/cryptvg/root -m usb-storage:xhci- hcd:usbhid:hid_generic:mbcache:jbd2:ext4 -C /dev/sda2 -h /dev/cryptvg/swap -L -u -o /boot/initrd.gz
Run the resulting command (yours will surely be different from the example). This will write an image to /boot/initrd.gz in your system which we will use for booting. The -h /dev/cryptvg/swap has been added to enable hibernation. it was not part of the resulting mikinitrd_command_generator.sh command
If you need to know what kernel you just installed try
uname -a
Fixing LILO
Next, you have to edit lilo’s configuration file and point it to the correct places so it knows what to boot with. Don’t forget the initrd line here. (use your preferred editor)
vim /etc/lilo.conf
Edit the pertinent parts to look like this:
image = /boot/vmlinuz-generic-4.19.0 initrd = /boot/initrd.gz root = /dev/cryptvg/root label = Slackware read-only # Partitions should be mounted read-only for checking
Above that, there’s an “append” line. Edit it to look something like this:
append = "vt.default_utf8=0 resume=/dev/cryptvg/swap"
Of course, substituting your kernel where necessary. You can check what you need to put for “image = ” by going to /boot and checking which generic kernel you want to use to boot. Save your changes and exit.
Run
lilo -v
You may get an error or two from lilo, but you can usually ignore these. type
exit
to leave the chroot and then
reboot
If something went wrong, you probably configured something incorrectly along the way. To get back into your system and repair lilo or some other part of the system, follow these steps to chroot from installation media
cryptsetup luksOpen /dev/sdx2 slackcrypt vgscan --mknodes vgchange -ay lvscan mount /dev/cryptvg/root /mnt mount /dev/cryptvg/home /mnt/home mount /dev/sdx1 /mnt/boot mount -o bind /proc /mnt/proc mount -o bind /sys /mnt/sys mount -o bind /dev /mnt/dev chroot /mnt
When you update your kernel all you have to do is make another initrd (run the same command mkinitrd_commaand_generator.sh gave you earlier with updated kernel info), edit /etc/lilo.conf to reflect the new kernel and run lilo