LVM/Luks Encryption

From SlackWiki
Revision as of 15:22, 5 November 2018 by Wigums (talk | contribs)
Jump to navigation Jump to search


This article assumes that this will be the only operating system installed. Also wherever you see sdx2 it is referring to the single large partition (probably /dev/sda2) made in the first step. It also assumes you know your way around the slackware installer. Swap space setup is documented here but note its only needed if you plan to hibernate e.g. a laptop.

Partitioning

Boot the installer. Login as root and run

cfdisk

What you’re doing here is setting up the partitions. Essentially, we’re dividing up the hard drive into a few logical partitions so that certain things can run in certain places, and not be affected by others. In order to create a bootable encrypted drive there needs to be a small partition that is not encrypted, it’s unencrypted and readable, so the computer can use it to figure out how to start the operating system.

The first partition to make is a boot partition. Delete every other existing partition (if there are any) and write (again, assuming this will be your only OS). Next, select new and create a primary partition that is relatively small, I usually do 1G (which is rather large but i often juggle multiple kernels). Select Beginning, which puts the partition at the front of the disk. DO NOT forget to make the first partition bootable, otherwise the installation won’t know to use this partition to install the boot scripts and such.

Next, create another partition with the remaining space. Follow the same steps, except do not make it bootable and use the rest of the available space. Just hit enter when it asks how much space to use. After you’ve done this, make sure you go down and select write to ensure the changes are made. Then exit cfdisk.

It's a good idea for you to rewrite the entire large partition with random data. This is so computer forensics folks cannot determine where encryption starts and stops, making it harder to find out a way to circumvent the encryption and stuff. To do this, run

dd if=/dev/urandom of=/dev/sdx2

NOTE*** this can take quite some time.

LVM / Luks Config

LVM or Logical Volume Manager is used here to configure volumes inside of the large partition set up earlier (sdx2). LVM makes it easy to separate things internally and keep it all encrypted as one partition.

cryptsetup -s 512 -y luksFormat /dev/sdx2

Type YES, then decide on a password and type it. Be careful, later on if you put stuff on the drive and you forget your password, it’s gone forever. Such is the nature of encryption.

Basically this is setting up luks encryption on /dev/sdx2.

cryptsetup luksOpen /dev/sdx2 slackcrypt

pvcreate is a linux command used to initialize physical volumes for use by logical volume management (lvm) later.

pvcreate /dev/mapper/slackcrypt 

This creates the volume group “cryptvg”.

vgcreate cryptvg /dev/mapper/slackcrypt

Create three internal logical volumes, root, home, and swap. If you have a unique setup and prefer it a different way, just follow the same steps and size them how you want. the sizes used are example only

lvcreate -L 20G -n root cryptvg
lvcreate -L 2G -n swap cryptvg
lvcreate -l 100%FREE -n home cryptvg


These will be your /root, /home, and /swap “partitions”. You can adjust the sizes to whatever you want them to be. I use a pretty large amount of space in root because I have run out of space installing tons of programs before, but I’ve also used tiny root partitions on machines where I didn’t plan on installing much. It really depends, but if you have the extra space I’d do like 20+ just to be on the safe side. The home directory gets everything that’s not allocated to swap or root.

Next thing we’ve got to do is make sure some nodes get set so everything knows where things are and what not

vgscan --mknodes
vgchange -ay

make sure the slackware installer can detect the swap partition

mkswap /dev/cryptvg/swap

Slack Setup and Installation

Run the slackware installer

setup 

the installer will walk you through it from here. it should auto-detect the swap partition we designated

Selecting root partition

Make sure you select /dev/cryptvg/root here, because that’ll be your LVM root partition. Pick whichever file-system you like. After that it should bring you back to the same screen. It’s important to designate your other partitions here.

Select /dev/cryptvg/home and format it.

Next designate boot, which is essential, otherwise your machine will not work properly. Select /dev/sdx1/ (probably /dev/sda1), format it, and type /boot. Now simply install slackware as you normally would until you get to

Install LILO

To install the bootloader Lilo select expert, then begin. Ignore the optional LILO Append, you probably don’t need to do anything with that. Select mbr, hit confirm when it asks you to confirm /dev/sdx (probably /dev/sda), and keep going through the options until you’re back at the screen where you selected “begin”.

Now you have to select Linux: Add a linux partition... and select /dev/cryptvg/root. (/dev/cryptvg/root, NOT /boot).

Once that’s been selected, install lilo. . Continue with the installation until you reach a screen listing slackwares installation steps.

Eit the installer and select No to get dropped to a command prompt.

Creating an initrd

Now we have to fix lilo because of our encryption scheme.

chroot /mnt

The simple explanation for this command is that you basically just entered the installed system, which is mounted at /mnt. Now you can work on things that are installed on the system.

The initial RAM disk (initrd) is an initial root file system that is mounted prior to when the real root file system is available. The initrd is bound to the kernel and loaded as part of the kernel boot procedure. to create an initrd run

/usr/share/mkinitrd/mkinitrd_command_generator.sh

it will look similar to this

mkinitrd -c -k 4.19.0 -f ext4 -r /dev/cryptvg/root -m usb-storage:xhci-
hcd:usbhid:hid_generic:mbcache:jbd2:ext4 -C /dev/sda2 -h /dev/cryptvg/swap 
-L -u -o /boot/initrd.gz

Run the resulting command (yours will surely be different from the example). This will write an image to /boot/initrd.gz in your system which we will use for booting. The -h /dev/cryptvg/swap has been added to enable hibernation. it was not part of the resulting mikinitrd_command_generator.sh command

If you need to know what kernel you just installed try

uname -a

Fixing LILO

Next, you have to edit lilo’s configuration file and point it to the correct places so it knows what to boot with. Don’t forget the initrd line here. (use your preferred editor)

vim /etc/lilo.conf

Edit the pertinent parts to look like this:

image = /boot/vmlinuz-generic-4.19.0

initrd = /boot/initrd.gz
root = /dev/cryptvg/root
label = Slackware
read-only  # Partitions should be mounted read-only for checking

Above that, there’s an “append” line. Edit it to look something like this:

append = "vt.default_utf8=0 resume=/dev/cryptvg/swap"

Of course, substituting your kernel where necessary. You can check what you need to put for “image = ” by going to /boot and checking which generic kernel you want to use to boot. Save your changes and exit.

Run

lilo -v

You may get an error or two from lilo, but you can usually ignore these. type

exit

to leave the chroot and then

reboot


If something went wrong, you probably configured something incorrectly along the way. To get back into your system and repair lilo or some other part of the system, follow these steps to chroot from installation media


cryptsetup luksOpen /dev/sdx2 slackcrypt
vgscan --mknodes
vgchange -ay
lvscan 
mount /dev/cryptvg/root /mnt
mount /dev/cryptvg/home /mnt/home
mount /dev/sdx1 /mnt/boot
mount -o bind /proc /mnt/proc
mount -o bind /sys /mnt/sys
mount -o bind /dev /mnt/dev
chroot /mnt