This is Gentoo's testing wiki. It is a non-operational environment and its textual content is outdated.
Please visit our production wiki at https://wiki.gentoo.org
Full Disk Encryption From Scratch Simplified
This article discusses several aspects of using Dm-crypt for full disk encryption with LVM (with some notes for SSD) for daily usage from scratch.
Most of details can also be found in the LUKS-LVM filesystem (Sakaki's Install Guide).
Disk preparation
In this example, we will use GPT as disk partition schema and grub as boot loader. You can create disk schema with gparted.
For more information about GPT and EFI, see Disks (AMD64 Handbook)
.
Create partitions
Partition schema is as following:
--------------------------------------------------------------------------------
/dev/sdX
|--> GRUB BIOS 2 MB no fs grub loader itself
|--> /boot boot 512 Mb fat32 grub and kernel
|--> LUKS encrypted 100% encrypted encrypted binary block
|--> LVM lvm 100%
|--> / root 25 Gb ext4 rootfs
|--> /var var 40 Gb ext4 var files
|--> /home home 100% ext4 user files
To create GRUB BIOS, issue the following command:
root@localhost #parted -a optimal /dev/sdXSet the default units to mebibytes:
(parted)unit mibCreate a GPT partition table:
(parted)mklabel gptCreate the BIOS partition:
(parted)mkpart primary 1 3
(parted)name 1 grub
(parted)set 1 bios_grub on
Create boot partition. This partition will contain grub files, plain (unencrypted) kernel and kernel initrd:
(parted)mkpart primary fat32 3 515
(parted)name 2 boot
(parted)set 2 BOOT on
(parted)mkpart primary 515 -1
(parted)name 3 lvm
(parted)set 3 lvm on
Everything is done, exit from parted:
(parted)quit
Create boot filesystem
Create filesystem for /dev/sdX2, that will contain grub and kernel files. This partition is read by UEFI bios. Most of motherboards can ready only FAT32 filesystems:
root@localhost #mkfs.vfat -F32 /dev/sdX2
Prepare encrypted partition
In the next step, we configure DM-CRYPT for /dev/sdX3:
For Ubuntu live cd, execute this command
root@localhost #modprobe dm-crypt
Crypt LVM partition /dev/sdX3 with LUKS:
root@localhost #cryptsetup luksFormat -c aes-xts-plain64:sha256 -s 256 /dev/sdX3
Type in UPPERCASE YES
You may receive the following message that can be ignored:
root@localhost #device-mapper: remove ioctl on temporary-cryptsetup-nnnnnn failed: Device or resource busy
Create LVM inside encrypted block
LVM creation
Open encrypted device:
root@localhost #cryptsetup luksOpen /dev/sdX3 lvm
For more information about LVM see LVM.
Create lvm structure for partition mapping (/root, /var, /home):
Crypt physical volume group:
root@localhost #lvm pvcreate /dev/mapper/lvm
Create volume group vg0:
root@localhost #vgcreate vg0 /dev/mapper/lvm
Create logical volume for /root fs:
root@localhost #lvcreate -L 25G -n root vg0
Create logical volume for /var fs:
root@localhost #lvcreate -L 40G -n var vg0
Create logical volume for /home fs
root@localhost #lvcreate -l 100%FREE -n home vg0
File Systems
root@localhost #mkfs.ext4 /dev/mapper/vg0-root
root@localhost #mkfs.ext4 /dev/mapper/vg0-var
root@localhost #mkfs.ext4 /dev/mapper/vg0-home
Gentoo installation
Create mount point for permanent Gentoo:
root@localhost #mkdir /mnt/gentoo
Mount rootfs from encrypted LVM partition:
root@localhost #mount /dev/mapper/vg0-root /mnt/gentoo
Create mount point for permanent Gentoo Var:
root@localhost #mkdir /mnt/gentoo/var
Mount var from encrypted LVM partition:
root@localhost #mount /dev/mapper/vg0-var /mnt/gentoo/var
And cd into /mnt/gentoo:
root@localhost #cd /mnt/gentoo
rootfs install
Stage 3 install
Download stage3 to /mnt/gentoo from https://www.gentoo.org/downloads/mirrors
For example:
Unzip the downloaded archive:
root@localhost:/mnt/gentoo#tar xvjpf stage3-*.tar.bz2 --xattrs --numeric-owner
For more details, see https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Stage
Configuring compile options
Open /mnt/gentoo/etc/portage/make.conf with nano and setup required flags. See Stages (AMD64 Handbook) article.
Repos configuration
root@localhost:/mnt/gentoo#mkdir /mnt/gentoo/etc/portage/repos.conf
root@localhost:/mnt/gentoo#cp /mnt/gentoo/usr/share/portage/config/repos.conf /mnt/gentoo/etc/portage/repos.conf/gentoo.conf
Chroot prepare
Copy DNS info:
root@localhost:/mnt/gentoo#cp /etc/resolv.conf /mnt/gentoo/etc/resolv.conf
Mount all required fs into chroot:
root@localhost:/mnt/gentoo#mount -t proc /proc /mnt/gentoo/proc
root@localhost:/mnt/gentoo#mount --rbind /sys /mnt/gentoo/sys
root@localhost:/mnt/gentoo#mount --make-rslave /mnt/gentoo/sys
root@localhost:/mnt/gentoo#mount --rbind /dev /mnt/gentoo/dev
root@localhost:/mnt/gentoo#mount --make-rslave /mnt/gentoo/dev
Mount shm fs:
root@localhost:/mnt/gentoo#test -L /dev/shm && rm /dev/shm && mkdir /dev/shm
root@localhost:/mnt/gentoo#mount -t tmpfs -o nosuid,nodev,noexec shm /dev/shm
root@localhost:/mnt/gentoo#chmod 1777 /dev/shm
Enter chroot:
root@localhost:/mnt/gentoo#chroot /mnt/gentoo /bin/bash
root@localhost:/mnt/gentoo#source /etc/profile
And run: export PS1="(chroot) $PS1"
Mounting the boot partition:
(chroot) root@localhost:/#mount /dev/sda2 /boot
Install Portage files:
(chroot) root@localhost:/#emerge-webrsync
Choose and install correct profile:
(chroot) root@localhost:/#eselect profile list
Select profile:
(chroot) root@localhost:/#eselect profile set X
Setup correct timezone:
(chroot) root@localhost:/#echo Europe/Kiev > /etc/timezone
(chroot) root@localhost:/#emerge --config sys-libs/timezone-data
Configure locales:
(chroot) root@localhost:/#nano -w /etc/locale.gen
(chroot) root@localhost:/#locale-gen
Set default locale:
(chroot) root@localhost:/#eselect locale list
(chroot) root@localhost:/#eselect locale set 1
Update env:
(chroot) root@localhost:/#env-update && source /etc/profile
Run export PS1="(chroot) $PS1"
Configure fstab
For correct setup of required partition, will be used UUID technique.
Run blkid and see partition IDs:
(chroot) root@localhost:/#blkid
/dev/sdb1: UUID="4F20-B9DB" TYPE="vfat" PARTLABEL="grub" PARTUUID="70b1627b-57e7-4559-877a-355184f0ab9d" /dev/sdb2: UUID="DB1D-89C5" TYPE="vfat" PARTLABEL="boot" PARTUUID="b2a61809-4c19-4685-8875-e7fdf645eec5" /dev/sdb3: UUID="6a7a642a-3262-4f87-9540-bcd53969343b" TYPE="crypto_LUKS" PARTLABEL="lvm" PARTUUID="be8e6694-b39c-4d2f-9f42-7ca455fdd64f" /dev/mapper/lvm: UUID="HL32bg-ZjrZ-RBo9-PcFM-DmaQ-QbrC-9HkNMk" TYPE="LVM2_member" /dev/mapper/vg0-root: UUID="6bedbbd8-cea9-4734-9c49-8e985c61c120" TYPE="ext4" /dev/mapper/vg0-var: UUID="61e4cc83-a1ee-4190-914b-4b62b49ac77f" TYPE="ext4" /dev/mapper/vg0-home: UUID="5d6ff087-50ce-400f-91c4-e3378be23c00" TYPE="ext4"
Edit /etc/fstab and setup correct filesystem:
(chroot) root@localhost:/#vim /etc/fstab
# <fs> <mountpoint> <type> <opts> <dump/pass> UUID=DB1D-89C5 /boot vfat noauto,noatime 1 2 UUID=6bedbbd8-cea9-4734-9c49-8e985c61c120 / ext4 defaults 0 1 UUID=61e4cc83-a1ee-4190-914b-4b62b49ac77f /var ext4 defaults 0 1 UUID=5d6ff087-50ce-400f-91c4-e3378be23c00 /home ext4 defaults 0 1 # tmps tmpfs /tmp tmpfs size=4Gb 0 0 tmpfs /run tmpfs size=100M 0 0 # shm shm /dev/shm tmpfs nodev,nosuid,noexec 0 0
Configuring the Linux kernel
Install kernel, genkernel and cryptsetup packages:
(chroot) root@localhost:/#emerge sys-kernel/gentoo-sources
(chroot) root@localhost:/#emerge sys-kernel/genkernel
(chroot) root@localhost:/#emerge sys-fs/cryptsetup
Build genkernel:
(chroot) root@localhost:/#genkernel --luks --lvm --no-zfs all
To build only initramfs
(chroot) root@localhost:/#genkernel --luks --lvm initramfs
install GRUB2
(chroot) root@localhost:/#echo "sys-boot/grub:2 device-mapper" >> /etc/portage/package.use/sys-boot
(chroot) root@localhost:/#emerge -av grub
(chroot) root@localhost:/#vim /etc/default/grub
GRUB_CMDLINE_LINUX="dolvm crypt_root=UUID=6a7a642a-3262-4f87-9540-bcd53969343b root=/dev/mapper/vg0-root"
Mount boot:
(chroot) root@localhost:/#mount /boot
Install GRUB with EFI:
(chroot) root@localhost:/#grub-install --target=x86_64-efi --efi-directory=/boot
If you get a message "Could not prepare Boot variable: Read-only file system" try running:
(chroot) root@localhost:/#mount -o remount,rw /sys/firmware/efi/efivars
For some old motherboards for grub run this command
(chroot) root@localhost:/#mkdir -p /boot/efi/efi/boot
(chroot) root@localhost:/#cp /boot/efi/efi/gentoo/grubx64.efi /boot/efi/efi/boot/bootx64.efi
Generate grub configuration file:
(chroot) root@localhost:/#grub-mkconfig -o /boot/grub/grub.cfg
Finalizing
While we have the chroot setup, it's important to remember to set the root password before rebooting
(chroot) root@localhost:/#passwd
After the install is complete we will need to add the lvm service to boot. If this is not done, at the very least grub-mkconfig will throw "WARNING: Failed to connect to lvmetad. Falling back to internal scanning."
(chroot) root@localhost:/#rc-update add lvm default
More steps to take:
* Handbook:AMD64/Installation/Tools * Handbook:AMD64/Installation/Finalizing
SSD tricks
Add to /etc/default/grub trim command:
GRUB_CMDLINE_LINUX="...root_trim=yes"
edit /etc/lvm/lvm.conf LVM
issue_discards = 1
Simple disk encryption without lvm
Encryption are works in such scenario: OS makes I/O request to mapped filesystem on device /dev/mapper/myname. As internal layer in OS knows, that this mapped device are encrypted, it asks for Encryption OS layer to encrypted I/O data on myname, and after that encrypted data goes to physical device, associated with myname.
Creating partition
Fire up parted against the disk (in our example, we use /dev/sda). It is recommended to ask parted to use optimal partition alignment:
(chroot) root@localhost:/#parted -a optimal /dev/sda
Now parted will be used to create the partitions. See AMD64/Installation/Disks#Default:_Using_parted_to_partition_the_disk for information, how to create partition.
Just create partition with expected partition size, don't set partition type or format it. See next section for steps.
Create encryption layer for partition
After creating partition, encrypt this partition (where sdX are name of created device at prev. step)
(chroot) root@localhost:/#cryptsetup luksFormat /dev/sdX
Enter YES in uppercase, Enter password for encrypting disk and Vuallya - encrypted part of disk are ready.
Create file system on encrypted layer
Open encrypted part of disk:
(chroot) root@localhost:/#cryptsetup luksOpen /dev/sdX myname
myname - it is a name of mapped device
Create ext4 FS on encrypted device
(chroot) root@localhost:/#mkfs.ext4 /dev/mapper/myname
Final mount
Now encrypted device ready for final mount into system
(chroot) root@localhost:/#mkdir -p /mnt/myname
(chroot) root@localhost:/#mount /dev/mapper/myname /mnt/myname
Manual work with encrypted partition
Open encrypted luks device
(chroot) root@localhost:/#cryptsetup luksOpen /dev/sdX myname
Mount encrypted luks device
And mount of this device into system
root@localhost:/#mkdir -p /mnt/myname
root@localhost:/#mount /dev/mapper/myname /mnt/myname
Automatic mount of encrypted disk at boot
At boot service dmcrypt service reads configuration file /etc/conf.d/dmcrypt and get list of targets (disks) that should be mapped. After success map and create mapped device at /dev/mapped/*, fstab will mount device from /dev/mapped/* to some mount point.
First, create directrory, that will contain keys for encrypting/decryption devices
root@localhost:/#mkdir /etc/keyfiles
root@localhost:/#chmod 0400 /etc/keyfiles
Create 4k keyfile with name main
root@localhost:/#chmod 0400 /etc/keyfiles/main
Add main keyfile to list of keys, that can decrypt disk (technically: add keyfile to LUKS slot)
root@localhost:/#cryptsetup luksAddKey /dev/sdX /etc/keyfiles/main
Find UUID of encrypted disk with **blkid** command. For example, blkid return such output:
root@localhost:/#blkid
/dev/sda1: UUID="91d7fd8f-fa64-42f3-8491-ba9464c0c064" TYPE="crypto_LUKS" PARTLABEL="media" PARTUUID="2e1aa997-7295-4e00-b03d-de0317c25342" /dev/sda5: UUID="281c3e94-f195-47fc-b604-7b3d8c38a513" TYPE="crypto_LUKS" PARTLABEL="data" PARTUUID="7c41cc1a-b68b-4eae-97a9-9a28be10c6c3" /dev/sdb1: UUID="4F20-B9DB" TYPE="vfat" PARTLABEL="grub" PARTUUID="70b1627b-57e7-4559-877a-355184f0ab9d" /dev/sdb2: UUID="DB1D-89C5" TYPE="vfat" PARTLABEL="boot" PARTUUID="b2a61809-4c19-4685-8875-e7fdf645eec5" /dev/sdb3: UUID="6a7a642a-3262-4f87-9540-bcd53969343b" TYPE="crypto_LUKS" PARTLABEL="lvm" PARTUUID="be8e6694-b39c-4d2f-9f42-7ca455fdd64f" /dev/mapper/root: UUID="HL32bg-ZjrZ-RBo9-PcFM-DmaQ-QbrC-9HkNMk" TYPE="LVM2_member" /dev/mapper/vg0-root: UUID="6bedbbd8-cea9-4734-9c49-8e985c61c120" TYPE="ext4" /dev/mapper/vg0-var: UUID="61e4cc83-a1ee-4190-914b-4b62b49ac77f" TYPE="ext4" /dev/mapper/vg0-home: UUID="5d6ff087-50ce-400f-91c4-e3378be23c00" TYPE="ext4" /dev/mapper/data: UUID="4be7f323-3f7e-47c7-91a3-b37d04e951aa" TYPE="ext4" /dev/mapper/media: UUID="943629b6-391d-441a-adf1-13fcb0471fd3" TYPE="ext4"
Note: See filesystem with type **crypto_LUKS**
In this example, /dev/sda1 are encrypted with /etc/keys/main key.
Configure dmcrypt service. Dmcrypt service open LUKS encrypted device with /etc/keys/main key and map them with some name. For example:
Edit file /etc/conf.d/dmcrypt
root@localhost:/#vim /etc/conf.d/dmcrypt
target='data' source=UUID='91d7fd8f-fa64-42f3-8491-ba9464c0c064' key='/etc/keyfiles/main'
In example, dmcrypt will open block device with UUID 91d7fd8f-fa64-42f3-8491-ba9464c0c064 with key /etc/keyfiles/main and create mapped point at /dev/mapper/data.
Check, that dmcrypt works fine. Start service manually
root@localhost:/# /etc/init.d/dmcrypt start
If dmcrypt started without problems, no errors in /var/log/messages and exists mapped device /dev/mapper/data, then everything is fine and dmcrypt may be added to be started at boot step
Add dmcrypt to be started at boot
root@localhost:/#rc-update add dmcrypt boot
Add to fstab, where and how mapped device should be mounted. Find UUID of mapped devices. Execute blkid command and find UUID of mapped device /dev/mapper/data.
root@localhost:/#blkid
/dev/sda1: UUID="91d7fd8f-fa64-42f3-8491-ba9464c0c064" TYPE="crypto_LUKS" PARTLABEL="media" PARTUUID="2e1aa997-7295-4e00-b03d-de0317c25342" /dev/sda5: UUID="281c3e94-f195-47fc-b604-7b3d8c38a513" TYPE="crypto_LUKS" PARTLABEL="data" PARTUUID="7c41cc1a-b68b-4eae-97a9-9a28be10c6c3" /dev/sdb1: UUID="4F20-B9DB" TYPE="vfat" PARTLABEL="grub" PARTUUID="70b1627b-57e7-4559-877a-355184f0ab9d" /dev/sdb2: UUID="DB1D-89C5" TYPE="vfat" PARTLABEL="boot" PARTUUID="b2a61809-4c19-4685-8875-e7fdf645eec5" /dev/sdb3: UUID="6a7a642a-3262-4f87-9540-bcd53969343b" TYPE="crypto_LUKS" PARTLABEL="lvm" PARTUUID="be8e6694-b39c-4d2f-9f42-7ca455fdd64f" /dev/mapper/root: UUID="HL32bg-ZjrZ-RBo9-PcFM-DmaQ-QbrC-9HkNMk" TYPE="LVM2_member" /dev/mapper/vg0-root: UUID="6bedbbd8-cea9-4734-9c49-8e985c61c120" TYPE="ext4" /dev/mapper/vg0-var: UUID="61e4cc83-a1ee-4190-914b-4b62b49ac77f" TYPE="ext4" /dev/mapper/vg0-home: UUID="5d6ff087-50ce-400f-91c4-e3378be23c00" TYPE="ext4" /dev/mapper/data: UUID="4be7f323-3f7e-47c7-91a3-b37d04e951aa" TYPE="ext4" /dev/mapper/media: UUID="943629b6-391d-441a-adf1-13fcb0471fd3" TYPE="ext4"
In example below, UUID of mapped device /dev/mappper/data are 4be7f323-3f7e-47c7-91a3-b37d04e951aa (don't forget to start dmcrypt before this step).
Add to /etc/fstab this mapped devices. Edit /etc/fstab and add row with UUID of mapped device, mountpoint and fstype at mapped device. For example:
root@localhost:/#vim /etc/fstab
# encrypted devices UUID=4be7f323-3f7e-47c7-91a3-b37d04e951aa /mnt/data ext4 defaults 0 2
Where UUID are ID of mapped device /dev/mapper/data, /mnt/data are mount point and ext4 are fstype on mapped device.
See encrypted device keys in SLOT
root@localhost:/#cryptsetup luksDump /dev/sda5