Install LVM LUKS

From Void Linux Wiki

Here are some pointers to get you started on getting (parts of a) system encrypted with LUKS while using Void Linux.

Rough notes on a manual installation, with unencrypted /boot and encrypted / on LVM

NOTE: Not meant to be copy&pasted! Please think for yourself.

1. Boot the Void Linux live CD

2. Run cfdisk /dev/sda and create two partitions:

/dev/sda1 of size 1G to mount as /boot, with boot flag activated
/dev/sda2 of all remaining free space to mount as /

3. Set up filesystems:

mkfs.ext2 -L boot /dev/sda1
cryptsetup luksFormat /dev/sda2
cryptsetup luksOpen /dev/sda2 crypt-pool
vgcreate pool /dev/mapper/crypt-pool
lvcreate --name root -L 20G pool
mkfs.ext4 -L root /dev/mapper/pool-root
mount /dev/mapper/pool-root /mnt
mkdir /mnt/{boot,dev,proc,sys}
mount /dev/sda1 /mnt/boot
mount --rbind /dev /mnt/dev
mount --rbind /proc /mnt/proc
mount --rbind /sys /mnt/sys

4. Time to install Void. Note that the next command installs not only the base system but also lvm2, cryptsetup and grub. cryptsetup and lvm2 are deliberately not part of base-system, which is kept as small as possible; without them the installed system cannot open the LUKS container or activate the volume group at boot.

xbps-install -S -R http://repo.voidlinux.eu/current -r /mnt base-system lvm2 cryptsetup grub-x86_64-efi efibootmgr
chroot /mnt /bin/bash
passwd root
chown root:root /
chmod 755 /
vi /etc/rc.conf
echo void-crypt >/etc/hostname
vi /etc/fstab
grub-install /dev/sda
echo "LANG=en_US.UTF-8" > /etc/locale.conf
echo "en_US.UTF-8 UTF-8" >> /etc/default/libc-locales
xbps-reconfigure -f glibc-locales
echo hostonly=yes > /etc/dracut.conf.d/hostonly.conf

5. Add rd.auto=1 to the GRUB_CMDLINE_LINUX_DEFAULT variable in /etc/default/grub. This tells dracut to auto-assemble the LUKS, LVM and RAID devices it finds at boot, so the encrypted volume group is opened and activated before the root filesystem is mounted.

6. While you're at it, if you want to use a different keyboard layout (e.g. dvorak) to enter your LUKS passphrase, also add rd.vconsole.keymap=dvorak to the same variable.

7. Force a rebuild of the initramfs (dracut) and of the GRUB configuration by reconfiguring the kernel package (linux4.1 here; use the kernel package you actually installed), then leave the chroot with Ctrl-D:

xbps-reconfigure -f linux4.1
^D

8. Reboot and you're done.


Quick and dirty fresh install

Again, this section does not follow the best practices, such as writing over the drive with random data, but will provide a basic encrypted system. Everything will be encrypted except /boot.

Warning: Do not follow this guide to the letter if you have more than one drive or if you have any data you do not want to lose! This guide will destroy all data on /dev/sda!

1. Start by booting the live CD of your choice, then press CTRL+ALT+F1 and log in as root:

Username: root
Password: voidlinux

2. It's time to set up the disk. Remember, all data on the disk will be destroyed!

fdisk /dev/sda
o      -- create a new, empty DOS (MBR) partition table
n      -- new partition
Enter  -- accept the default type (primary)
Enter  -- accept the default partition number (1)
Enter  -- accept the default first sector
+1G    -- 1G for /boot
n      -- new partition
Enter  -- primary
Enter  -- partition number 2
Enter  -- default first sector
Enter  -- default last sector, i.e. the rest of the drive
a      -- toggle the bootable flag ...
1      -- ... on partition 1
p      -- print the table. Confirm that you have two partitions: one 1G partition for /boot, and the rest of the drive will be dedicated to LUKS.
w      -- write the changes to disk and exit

3. Create and open the LUKS device:

cryptsetup luksFormat /dev/sda2 -- Time for that super secret password! Don't forget it, or you'll lose access to all of your data!
cryptsetup luksOpen /dev/sda2 crypt-pool

4. Create a volume group and add sub-volumes:

vgcreate pool /dev/mapper/crypt-pool
lvcreate --name root -L 20G pool -- Feel free to use more for root if needed.
lvcreate --name swap -L 16G pool -- Optional. But shoot for double the RAM if used.
lvcreate --name home -l 100%FREE pool -- Note the lowercase 'L'.  If a specific size is required, make it the same way we made the others.

5. Now let's make sure grub knows what's going on. Run vi /etc/default/grub and find this line:

GRUB_CMDLINE_LINUX_DEFAULT="loglevel=4"

And change it to:

GRUB_CMDLINE_LINUX_DEFAULT="loglevel=4 rd.auto=1 cryptdevice=/dev/sda2 root=/dev/mapper/pool-root"
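Editing GRUB_CMDLINE_LINUX_DEFAULT by hand is the step that every section of this page repeats (rd.auto=1 and rd.vconsole.keymap in the notes above, the line just shown here, and rd.neednet=1 ip=... in the SSH section below), and a parameter that is accidentally dropped or added twice is easy to miss. The helper below is an added example, not part of the Void wiki or of any Void tool: it appends parameters to that line only when they are not already present, and the demo at the bottom runs on a constructed copy of /etc/default/grub so it can be tried without touching the real file. It assumes the value is double-quoted on a single line, as in the default file, and that the parameters contain no sed-special characters (`&` or `|`).

```shell
#!/bin/sh
# Added example (not from the Void wiki): append kernel parameters to
# GRUB_CMDLINE_LINUX_DEFAULT in a grub defaults file without duplicating
# parameters that are already there.

# grub_cmdline FILE -> prints the current value of GRUB_CMDLINE_LINUX_DEFAULT
grub_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"[[:space:]]*$/\1/p' "$1" | head -n 1
}

# add_grub_params FILE PARAM... -> rewrites FILE in place, idempotently
add_grub_params() {
    file=$1; shift
    new=$(grub_cmdline "$file")
    for p in "$@"; do
        # Only add a parameter if it is not already present as a whole word
        case " $new " in
            *" $p "*) ;;
            *) new="${new:+$new }$p" ;;
        esac
    done
    tmp=$(mktemp)
    if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' "$file"; then
        # '|' as the sed delimiter because the values contain '/' and '='
        sed "s|^GRUB_CMDLINE_LINUX_DEFAULT=.*|GRUB_CMDLINE_LINUX_DEFAULT=\"$new\"|" "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf 'GRUB_CMDLINE_LINUX_DEFAULT="%s"\n' "$new" >> "$tmp"
    fi
    # Copy back instead of mv so the file keeps its owner and permissions
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Stand-alone demo on a constructed copy of /etc/default/grub
demo=$(mktemp)
printf 'GRUB_DEFAULT=0\nGRUB_CMDLINE_LINUX_DEFAULT="loglevel=4"\n' > "$demo"
add_grub_params "$demo" rd.auto=1 rd.vconsole.keymap=dvorak
add_grub_params "$demo" rd.auto=1 rd.neednet=1 ip=dhcp   # rd.auto=1 is not added twice
grub_cmdline "$demo"   # loglevel=4 rd.auto=1 rd.vconsole.keymap=dvorak rd.neednet=1 ip=dhcp
rm -f "$demo"
```

Point it at the real /etc/default/grub as root once you are happy with the result; as in the sections on this page, the change only takes effect after the initramfs and GRUB configuration have been regenerated with xbps-reconfigure -f on the kernel package.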

6. Install Void like normal. Run void-installer and follow the steps with the following exceptions:

  • If networking fails to connect, there may be a simple conflict with whatever the live environment is running. It's typically safe to ignore and move on to the next step.
  • Skip the partitioning step.
  • On the filesystem step set sda1 to ext2 /boot and the rest should be obvious. Choose your favorite filesystem for / and /home, or just stick with the old standby of ext4.
  • Set pool-root to /
  • Set pool-home to /home
  • Set swap to swap if applicable.

7. Go back, choose the install step and follow the instructions. Select "yes" when it prompts to reboot and enjoy an encrypted system!


Unlock over ssh (optional)

In certain scenarios, you may wish to be able to unlock an encrypted system remotely. Before you decide to set this up, be sure to have assessed your threat model and taken the associated risks into account.

Since Void Linux uses dracut to build the initramfs, we can make use of a module named dracut-crypt-ssh. It integrates the dropbear SSH server into the initramfs and provides two commands for interacting with the system while it is still locked.

IMPORTANT: Read the module documentation! Don't copy&paste what is presented here, as it is intended only as a get-to-know guide and is not considered safe!

Setup

1. First, we install the package:

xbps-install dracut-crypt-ssh

2. The initramfs needs network access before the root filesystem can be unlocked remotely, so add the respective kernel parameters to /etc/default/grub (append them to GRUB_CMDLINE_LINUX_DEFAULT):

rd.neednet=1 ip=dhcp  #provide early net access via DHCP

This is fine for testing, but it may not be convenient in the long run. To set a static IP, use the parameter like this (the details are in dracut's network documentation):

rd.neednet=1 ip=11.12.13.14::11.12.13.1:255.255.255.0:Hostname:eth0:off  #set IP manually
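The ip= value is the part most likely to lock you out of a headless machine (see the last notes below), and nothing checks it until the initramfs tries to bring up the network. As an added example that is not part of the Void wiki or of dracut, here is a small POSIX sh checker for the ip= forms that dracut.cmdline(7) documents: a bare autoconf keyword, `<interface>:<autoconf>`, and the seven-field static form used above (optionally followed by MTU and MAC address). It assumes IPv4 addresses only and treats the peer and gateway fields as optional, as dracut does; bracketed IPv6 addresses are rejected rather than validated.

```shell
#!/bin/sh
# Added example (not from the Void wiki or from dracut): sanity-check a
# dracut ip= kernel parameter before it goes into /etc/default/grub. A typo
# in this value leaves a remote-unlock machine unreachable after reboot.

# is_ipv4 ADDR -> 0 if ADDR is a dotted quad with every octet in 0..255
is_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# check_ip_param VALUE -> 0 if VALUE ("ip=" prefix optional) matches one of
# the forms documented in dracut.cmdline(7):
#   ip={dhcp|on|any|dhcp6|auto6|off|none|ibft}
#   ip=<interface>:{dhcp|on|any|dhcp6|auto6}
#   ip=<client-IP>:[<peer>]:<gateway-IP>:<netmask>:<client_hostname>:<interface>:<autoconf>[:[<mtu>][:<macaddr>]]
# IPv6 (bracketed) addresses are not handled here and are rejected.
check_ip_param() {
    val=${1#ip=}
    case $val in
        '') return 1 ;;
        *[*?[]*) return 1 ;;                          # no glob characters, keeps "set --" safe
        dhcp|on|any|dhcp6|auto6|off|none|ibft) return 0 ;;
    esac
    oldifs=$IFS; IFS=:
    set -- $val                                       # empty fields (e.g. "::") are preserved
    IFS=$oldifs
    case $# in
        2)
            [ -n "$1" ] || return 1                   # interface name
            case $2 in dhcp|on|any|dhcp6|auto6) return 0 ;; *) return 1 ;; esac
            ;;
        7|8|9)
            is_ipv4 "$1" || return 1                  # client IP is mandatory
            [ -z "$2" ] || is_ipv4 "$2" || return 1   # peer is optional
            [ -z "$3" ] || is_ipv4 "$3" || return 1   # gateway is optional
            is_ipv4 "$4" || return 1                  # netmask: dracut cannot derive it
            [ -n "$6" ] || return 1                   # interface name
            case $7 in none|off|dhcp|on|any|dhcp6|auto6|ibft) return 0 ;; *) return 1 ;; esac
            ;;
        *) return 1 ;;
    esac
}

# Stand-alone demo: the two values from the wiki above plus a constructed
# broken one (netmask field left empty), the kind of slip that locks you out.
for v in 'ip=dhcp' \
         'ip=11.12.13.14::11.12.13.1:255.255.255.0:Hostname:eth0:off' \
         'ip=11.12.13.14::11.12.13.1::Hostname:eth0:off'; do
    if check_ip_param "$v"; then echo "ok   $v"; else echo "BAD  $v"; fi
done
```

Run it on the exact string you intend to put after ip= before rebuilding the initramfs; it does not replace a real test of the network configuration, which is why the section ends with a reboot while you still have another way into the machine.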

3. To log in to the still-locked machine, dropbear needs your public SSH key so that it recognizes you. You can ssh-copy-id your public key to the root account, but consider using a dedicated key rather than your usual one, and after testing you may want to adjust dropbear's settings so that this key does not remain in root's authorized_keys file. Once again: see the dracut-crypt-ssh documentation!

4. Right now the new module is not included in your current initramfs, so rebuild it. You can do that using this command:

xbps-reconfigure -f linux<KernelVersion>

5. Watch out for dracut-crypt-ssh-specific output while the initramfs is rebuilt and fix any reported issues (a missing SSH key, for example); otherwise remote unlocking will not work.

6. Finally, reboot to test. Make sure you can access the machine in case it fails, otherwise you will remain locked out.

Dropbear's port defaults to 222:

ssh -p 222 root@<ip>

To see what is going on:

console_peek

To enter the LUKS password:

console_auth

Voila!

Last notes

  • Be sure to read the documentation for dracut-crypt-ssh.
  • Think about the pros and cons for your specific use case! Remember that the LUKS key can be read/intercepted by anyone who has physical access to the machine, without you noticing it.
  • You can integrate the setup directly into the installation process (if you install headless, for example), but make sure you got the IP assignment with ip=... correctly before you lock yourself out.
  • As said before, this is only a get-to-know guide and not considered best practice. You have been warned.