Install LVM LUKS

From Void Linux Wiki

Rough notes on a manual installation, with unencrypted /boot and encrypted / on LVM

Not meant to be copy&pasted, please think for yourself.

  • boot the Void Linux live CD
  • cfdisk /dev/sda
    • create two partitions:
      • /dev/sda1 of size 1G to mount as /boot with boot flag activated
      • /dev/sda2 of all remaining free space to mount as /
  • mkfs.ext2 -L boot /dev/sda1
  • cryptsetup luksFormat /dev/sda2
  • cryptsetup luksOpen /dev/sda2 crypt-pool
  • vgcreate pool /dev/mapper/crypt-pool
  • lvcreate --name root -L 20G pool
  • mkfs.ext4 -L root /dev/mapper/pool-root
  • mount /dev/mapper/pool-root /mnt
  • mkdir /mnt/{boot,dev,proc,sys}
  • mount /dev/sda1 /mnt/boot
  • mount --rbind /dev /mnt/dev
  • mount --rbind /proc /mnt/proc
  • mount --rbind /sys /mnt/sys
  • Please notice that in the next step we are not only installing the base system, but also lvm2, cryptsetup and grub! Yes, cryptsetup and lvm2 are not part of the base system, to keep it as small as possible.

  • xbps-install -S -R <repository-url> -r /mnt base-system lvm2 cryptsetup grub
  • chroot /mnt /bin/bash
  • passwd root
  • chown root:root /
  • chmod 755 /
  • vi /etc/rc.conf
  • echo void-crypt >/etc/hostname
  • vi /etc/fstab
  • grub-install /dev/sda
  • echo "LANG=en_US.UTF-8" > /etc/locale.conf
  • echo "en_US.UTF-8 UTF-8" >> /etc/default/libc-locales
  • xbps-reconfigure -f glibc-locales
  • echo hostonly=yes > /etc/dracut.conf.d/hostonly.conf
  • add to GRUB_CMDLINE_LINUX_DEFAULT variable in /etc/default/grub
  • if you want to use a different keyboard layout (e.g. dvorak) to enter your LUKS passphrase, add rd.vconsole.keymap=dvorak to the GRUB_CMDLINE_LINUX_DEFAULT variable in /etc/default/grub
  • force update of dracut and grub: xbps-reconfigure -f linux4.1
  • ^D
  • reboot

Quick and dirty fresh install

This section does not follow the best practices, such as writing over the drive with random data, but will provide a basic encrypted system. Everything will be encrypted except /boot.

Warning: Do not follow this guide to the letter if you have more than one drive or if you have any data you do not want to lose! This guide will destroy all data on /dev/sda!

First boot the live CD of your choice, then press <CTRL> + <ALT> + <F1> and log in as root:

  • Username: root Password: voidlinux
  • It's time to set up the disk. Remember, all data on the disk will be destroyed.

  • fdisk /dev/sda
  • o
  • n
  • <enter>
  • <enter>
  • <enter>
  • +1G
  • n
  • <enter>
  • <enter>
  • <enter>
  • <enter>
  • a
  • 1
  • p -- Confirm that you have two partitions: one 1G partition for /boot, with the rest of the drive dedicated to LUKS.
  • w
  • Create and open the LUKS device:

  • cryptsetup luksFormat /dev/sda2 -- Time for that super secret password! Don't forget it, or you'll lose access to all of your data!
  • cryptsetup luksOpen /dev/sda2 crypt-pool
  • Create a volume group and add logical volumes:

  • vgcreate pool /dev/mapper/crypt-pool
  • lvcreate --name root -L 20G pool -- Feel free to use more for root if needed.
  • lvcreate --name swap -L 16G pool -- Optional, but shoot for double the RAM if used.
  • lvcreate --name home -l 100%FREE pool -- Note the lowercase "L". If a specific size is required, make it the same way we made the others.
  • Make sure grub knows what's going on:

  • vi /etc/default/grub
  • Find this line:

  • And change it to:

  • GRUB_CMDLINE_LINUX_DEFAULT="loglevel=4 cryptdevice=/dev/sda2 root=/dev/mapper/pool-root"
  • Install Void like normal. Run void-installer and follow the steps with the following exceptions:

    If networking fails to connect, there may be a simple conflict with whatever the live environment is running. It's typically safe to ignore and move on to the next step.

    Skip the partitioning step.

    On the filesystem step, set sda1 to ext2 /boot; the rest should be obvious. Choose your favorite file system for root and home, or just stick with the old standby of ext4.

    Set pool-root to /

    Set pool-home to /home

    Set swap to swap if applicable.

    Go back to choose the install step and follow instructions. Select "yes" when it prompts to reboot and enjoy an encrypted system!
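
To check the result after the first boot, the following added example (not part of the wiki page) reads `lsblk -P` output and lists every mounted filesystem or active swap area, other than /boot, that does not sit on top of a dm-crypt device. The function names and the sample device listing are constructed for illustration; sda3 is a deliberately misplaced swap partition that the layout on this page does not contain.

```sh
#!/bin/sh
# Added example, not from the wiki page. Reads `lsblk -P` output on stdin and
# prints each mounted filesystem or active swap area, other than /boot, that
# has no "crypt" (dm-crypt/LUKS) device among its ancestors.
unencrypted_mounts() {
    awk '
    function val(key,   s) {          # value of KEY="..." on the current line
        if (!match(" " $0, " " key "=\"[^\"]*\"")) return ""
        s = substr(" " $0, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
        return s
    }
    {
        k = val("KNAME"); name[k] = val("NAME"); parent[k] = val("PKNAME")
        type[k] = val("TYPE"); mnt[k] = val("MOUNTPOINT")
    }
    END {
        for (k in mnt) {
            if (mnt[k] == "" || mnt[k] == "/boot") continue
            enc = 0                   # walk up: lvm -> crypt -> part -> disk
            for (d = k; d != ""; d = parent[d])
                if (type[d] == "crypt") { enc = 1; break }
            if (!enc) print mnt[k], name[k]
        }
    }' | sort
}

# Constructed sample: the layout built on this page, except that swap was put
# on a plain partition (sda3, hypothetical) instead of a volume in the pool.
sample_lsblk() {
    cat <<'EOF'
NAME="sda" KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
NAME="sda1" KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
NAME="sda2" KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT=""
NAME="crypt-pool" KNAME="dm-0" PKNAME="sda2" TYPE="crypt" MOUNTPOINT=""
NAME="pool-root" KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
NAME="pool-home" KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/home"
NAME="sda3" KNAME="sda3" PKNAME="sda" TYPE="part" MOUNTPOINT="[SWAP]"
EOF
}

# On the installed system, run:
#   lsblk -P -o NAME,KNAME,PKNAME,TYPE,MOUNTPOINT | unencrypted_mounts
sample_lsblk | unencrypted_mounts     # prints: [SWAP] sda3
```

Empty output means everything mounted apart from /boot is backed by the LUKS container; removable media mounted at the time will also be listed, since it is not on a crypt device.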