https://wiki.archlinux.org/api.php?action=feedcontributions&user=Acasanovas&feedformat=atomArchWiki - User contributions [en]2024-03-28T09:16:43ZUser contributionsMediaWiki 1.41.0https://wiki.archlinux.org/index.php?title=Dm-crypt/Encrypting_an_entire_system&diff=402257Dm-crypt/Encrypting an entire system2015-09-29T16:03:27Z<p>Acasanovas: Errata corrected.</p>
<hr />
<div>{{Lowercase title}}<br />
[[Category:Encryption]]<br />
[[Category:File systems]]<br />
[[Category:Getting and installing Arch]]<br />
[[es:Dm-crypt/Encrypting an entire system]]<br />
[[ja:Dm-crypt/システム全体の暗号化]]<br />
Back to [[dm-crypt]].<br />
<br />
The following are examples of common scenarios of full system encryption with ''dm-crypt''. They explain all the adaptations that need to be done to the normal [[Installation guide|installation procedure]]. All the necessary tools are on the [https://www.archlinux.org/download/ installation image].<br />
<br />
== Overview ==<br />
<br />
Securing a root filesystem is where ''dm-crypt'' excels, feature and performance-wise. Unlike selectively encrypting non-root filesystems, an encrypted root filesystem can conceal information such as which programs are installed, the usernames of all user accounts, and common data-leakage vectors such as [[mlocate]] and {{ic|/var/log/}}. Furthermore, an encrypted root filesystem makes tampering with the system far more difficult, as everything except the [[boot loader]] and (usually) the kernel is encrypted. <br />
<br />
All scenarios illustrated in the following share these advantages, other pros and cons differentiating them are summarized below: <br />
<br />
{| class="wikitable"<br />
! Scenarios <br />
! Advantages <br />
! Disadvantages <br />
|----------------------------------------------------------<br />
| [[#Simple partition layout with LUKS]]<br />
shows a basic and straight-forward set-up for a fully LUKS encrypted root. <br />
|<br />
* Simple partitioning and setup<br />
|<br />
* Inflexible; disk-space to be encrypted has to be pre-allocated <br />
|----------------------------------------------------------<br />
| [[#LVM on LUKS]]<br />
achieves partitioning flexiblity by using LVM inside a single LUKS encrypted partition.<br />
|<br />
* Simple partitioning with knowledge of LVM<br />
* Only one key required to unlock all volumes (e.g. easy resume-from-disk setup)<br />
* Volume layout not transparent when locked<br />
* Easiest method to allow [[Dm-crypt/Swap_encryption#With_suspend-to-disk_support|suspension to disk]]<br />
|<br />
* LVM adds an additional mapping layer and hook <br />
* Less useful, if a singular volume should receive a separate key <br />
|----------------------------------------------------------<br />
| [[#LUKS on LVM]]<br />
uses dm-crypt only after the LVM is setup. <br />
|<br />
* LVM can be used to have encrypted volumes span multiple disks <br />
* Easy mix of un-/encrypted volume groups<br />
|<br />
* Complex; changing volumes requires changing encryption mappers too<br />
* Volumes require individual keys <br />
* LVM layout is transparent when locked <br />
|----------------------------------------------------------<br />
| [[#Plain dm-crypt]]<br />
uses dm-crypt plain mode, i.e. without a LUKS header and its options for multiple keys. <br>This scenario also employs USB devices for {{ic|/boot}} and key storage, which may be applied to the other scenarios. <br />
|<br />
* Data resilience for cases where a LUKS header may be damaged<br />
* Allows [[Wikipedia:Deniable encryption|deniable encryption]]<br />
|<br />
* High care to all encryption parameters is required<br />
* Single encryption key and no option to change it <br />
|----------------------------------------------------------<br />
| [[#Encrypted boot partition (GRUB)]]<br />
shows how to encrypt the boot partition using the GRUB bootloader. <br> This scenario also employs an ESP partition, which may be applied to the other scenarios.<br />
|<br />
* Same advantages as the scenario the installation is based on (LVM on LUKS for this particular example)<br />
* Less data is left unencrypted, i.e. the boot loader and the ESP partition, if present<br />
|<br />
* Same disadvantages as the scenario the installation is based on (LVM on LUKS for this particular example)<br />
* More complicated configuration<br />
* Not supported by other boot loaders<br />
|}<br />
<br />
While all above scenarios provide much greater protection from outside threats than encrypted secondary filesystems, they also share a common disadvantage: any user in possession of the encryption key is able to decrypt the entire drive, and therefore can access other users' data. If that is of concern, it is possible to use a combination of blockdevice and stacked filesystem encryption and reap the advantages of both. See [[Disk encryption]] to plan ahead. <br />
<br />
See [[Dm-crypt/Drive preparation#Partitioning]] for a general overview of the partitioning strategies used in the scenarios.<br />
<br />
Another area to consider is whether to set up an encrypted swap partition and what kind. See [[Dm-crypt/Swap encryption]] for alternatives.<br />
<br />
If you anticipate to protect the system's data not only against physical theft, but also have a requirement of precautions against logical tampering, see [[Dm-crypt/Specialties#Securing the unencrypted boot partition]] for further possibilities after following one of the scenarios.<br />
<br />
== Simple partition layout with LUKS ==<br />
<br />
This example covers a full system encryption with ''dmcrypt'' + LUKS in a simple partition layout:<br />
<br />
+--------------------+--------------------------+--------------------------+<br />
|Boot partition |LUKS encrypted system |Optional free space |<br />
| |partition |for additional partitions |<br />
|/dev/sdaY |/dev/sdaX |or swap to be setup later |<br />
+--------------------+--------------------------+--------------------------+<br />
<br />
The first steps can be performed directly after booting the Arch Linux install image.<br />
<br />
=== Preparing the disk ===<br />
Prior to creating any partitions, you should inform yourself about the importance and methods to securely erase the disk, described in [[Dm-crypt/Drive preparation]].<br />
<br />
Then create the needed partitions, at least one for {{ic|/}} (e.g. {{ic|/dev/sdaX}}) and {{ic|/boot}} ({{ic|/dev/sdaY}}), see [[Partitioning]].<br />
<br />
=== Preparing non-boot partitions ===<br />
<br />
The following commands create and mount the encrypted root partition. They correspond to the procedure described in detail in [[Dm-crypt/Encrypting a non-root file system#Partition]] (which, despite the title, ''can'' be applied to root partitions, as long as [[#Configuring mkinitcpio|mkinitcpio]] and the [[#Configuring the boot loader|boot loader]] are correctly configured). <br />
If you want to use particular non-default encryption options (e.g. cipher, key length), see the [[Dm-crypt/Device encryption#Encryption_options_for_LUKS_mode|encryption options]] before executing the first command:<br />
<br />
# cryptsetup -y -v luksFormat /dev/sdaX<br />
# cryptsetup open /dev/sdaX cryptroot<br />
# mkfs -t ext4 /dev/mapper/cryptroot<br />
# mount -t ext4 /dev/mapper/cryptroot /mnt<br />
<br />
Check the mapping works as intended:<br />
# umount /mnt<br />
# cryptsetup close cryptroot<br />
# cryptsetup open /dev/sdaX cryptroot<br />
# mount -t ext4 /dev/mapper/cryptroot /mnt<br />
<br />
If you created separate partitions (e.g. {{ic|/home}}), these steps have to be adapted and repeated for all of them, ''except'' for {{ic|/boot}}. See [[Dm-crypt/Encrypting a non-root file system#Automated unlocking and mounting]] on how to handle additional partitions at boot.<br />
<br />
Note that each blockdevice requires its own passphrase. This may be inconvenient, because it results in a separate passphrase to be input during boot. An alternative is to use a keyfile stored in the system partition to unlock the separate partition via {{ic|crypttab}}. See [[Dm-crypt/Device encryption#Using LUKS to Format Partitions with a Keyfile]] for instructions.<br />
<br />
=== Preparing the boot partition ===<br />
What you do have to setup is a non-encrypted {{ic|/boot}} partition, which is needed for a crypted root. For a standard [[EFI|MBR/non-EFI]] {{ic|/boot}} partition, for example, execute:<br />
# mkfs -t ext4 /dev/sdaY<br />
# mkdir /mnt/boot<br />
# mount -t ext4 /dev/sdaY /mnt/boot<br />
<br />
=== Mounting the devices ===<br />
At [[Installation guide#Mount the partitions]] you will have to mount the mapped devices, not the actual partitions. Of course {{ic|/boot}}, which is not encrypted, will still have to be mounted directly.<br />
<br />
=== Configuring mkinitcpio ===<br />
Add the {{ic|encrypt}} hook to [[mkinitcpio.conf]]:<br />
{{hc|etc/mkinitcpio.conf|2=HOOKS="... '''encrypt''' ... filesystems ..."}}<br />
<br />
Depending on which other hooks are used, the order may be relevant. See [[dm-crypt/System configuration#mkinitcpio]] for details and other hooks that you may need.<br />
<br />
=== Configuring the boot loader ===<br />
In order to unlock the encrypted root partition at boot, the following kernel parameters need to be set by the boot loader: <br />
<br />
cryptdevice=UUID=''<device-UUID>'':cryptoroot root=/dev/mapper/cryptoroot<br />
<br />
See [[Dm-crypt/System configuration#Boot loader]] for details.<br />
<br />
The {{ic|''<device-UUID>''}} refers to the UUID of {{ic|/dev/sdaX}}, see [[Persistent block device naming]] for details.<br />
<br />
== LVM on LUKS ==<br />
<br />
The straight-forward method is to set up [[LVM]] on top of the encrypted partition instead of the other way round. Technically the LVM is setup inside one big encrypted blockdevice. Hence, the LVM is not transparent until the blockdevice is unlocked and the underlying volume structure is scanned and mounted during boot. <br />
<br />
The disk layout in this example is: <br />
+------------------------------------------------------------------------------------+ +----------------+<br />
|Logical volume1 | Logical volume2 | Logical volume3 | | |<br />
|/dev/MyStorage/swapvol | /dev/MyStorage/rootvol | /dev/MyStorage/homevol | | Boot partition |<br />
|_ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _| | (may be on |<br />
| | | other device) |<br />
| LUKS encrypted partition | | |<br />
| /dev/sdaX | | /dev/sdbY |<br />
+------------------------------------------------------------------------------------+ +----------------+<br />
<br />
This method does not allow you to span the logical volumes over multiple disks, even in the future. The [[#LUKS on LVM]] method does not have this limitation.<br />
<br />
{{Tip|Two variants of this setup: <br />
* Instructions at [[Dm-crypt/Specialties#Encrypted system using a remote LUKS header]] use this setup with a remote LUKS header on a USB device to achieve a two factor authentication with it. <br />
* Instructions at [http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/ Pavel Kogan's blog] show how to encrypt the {{ic|/boot}} partition while keeping it on the main LUKS partition when using GRUB, but be aware of {{Bug|43663}}.}} <br />
<br />
=== Preparing the disk ===<br />
<br />
Prior to creating any partitions, you should inform yourself about the importance and methods to securely erase the disk, described in [[Dm-crypt/Drive preparation]].<br />
<br />
When using the [[GRUB]] bootloader together with [[GPT]], create a BIOS Boot Partition as explained in [[GRUB#BIOS systems]].<br />
<br />
Create a partition to be mounted at {{ic|/boot}} of type {{ic|8300}} with a size of 100 MB or more.<br />
<br />
Create a partition of type {{ic|8E00}}, which will later contain the encrypted container.<br />
<br />
Create the LUKS encrypted container at the "system" partition. Enter the chosen password twice.<br />
<br />
# cryptsetup luksFormat /dev/''sdaX''<br />
<br />
For more information about the available cryptsetup options see the [[Dm-crypt/Device encryption#Encryption_options_for_LUKS_mode|LUKS encryption options]] prior to above command.<br />
<br />
Open the container:<br />
<br />
# cryptsetup open --type luks /dev/''sdaX'' lvm<br />
<br />
The decrypted container is now available at {{ic|/dev/mapper/lvm}}.<br />
<br />
=== Preparing the logical volumes ===<br />
Create a physical volume on top of the opened LUKS container:<br />
<br />
# pvcreate /dev/mapper/lvm<br />
<br />
Create the volume group named {{ic|MyStorage}}, adding the previously created physical volume to it:<br />
<br />
# vgcreate MyStorage /dev/mapper/lvm<br />
<br />
Create all your logical volumes on the volume group:<br />
<br />
# lvcreate -L 8G MyStorage -n swapvol<br />
# lvcreate -L 15G MyStorage -n rootvol<br />
# lvcreate -l +100%FREE MyStorage -n homevol<br />
<br />
Format your filesystems on each logical volume:<br />
<br />
# mkfs.ext4 /dev/mapper/MyStorage-rootvol<br />
# mkfs.ext4 /dev/mapper/MyStorage-homevol<br />
# mkswap /dev/mapper/MyStorage-swapvol<br />
<br />
Mount your filesystems:<br />
<br />
# mount /dev/MyStorage/rootvol /mnt<br />
# mkdir /mnt/home<br />
# mount /dev/MyStorage/homevol /mnt/home<br />
# swapon /dev/MyStorage/swapvol<br />
<br />
=== Preparing the boot partition ===<br />
The bootloader loads the kernel, [[initramfs]], and its own configuration files from the {{ic|/boot}} directory. This directory must be located on a separate unencrypted filesystem. <br />
<br />
Create an Ext2 filesystem on the partition intended for {{ic|/boot}}. Any filesystem that can be read by the bootloader is eligible.<br />
<br />
# mkfs.ext2 /dev/''sdbY''<br />
<br />
Create the directory {{ic|/mnt/boot}}:<br />
<br />
# mkdir /mnt/boot<br />
<br />
Mount the partition to {{ic|/mnt/boot}}:<br />
<br />
# mount /dev/''sdbY'' /mnt/boot<br />
<br />
Afterwards continue with the installation procedure up to the mkinitcpio step.<br />
<br />
=== Configuring mkinitcpio ===<br />
Add the {{ic|encrypt}} and {{ic|lvm2}} hooks to [[mkinitcpio.conf]]:<br />
{{hc|/etc/mkinitcpio.conf|2=HOOKS="... '''encrypt''' '''lvm2''' ... filesystems ..."}}<br />
<br />
{{Note|The order of both hooks no longer matters with the current implementation of {{ic|lvm2}}.}}<br />
<br />
See [[dm-crypt/System configuration#mkinitcpio]] for details and other hooks that you may need.<br />
<br />
=== Configuring the boot loader ===<br />
In order to unlock the encrypted root partition at boot, the following kernel parameters need to be set by the boot loader:<br />
<br />
cryptdevice=UUID=''<device-UUID>'':MyStorage root=/dev/mapper/MyStorage-rootvol<br />
<br />
See [[Dm-crypt/System configuration#Boot loader]] for details.<br />
<br />
The {{ic|''<device-UUID>''}} refers to the UUID of {{ic|/dev/sdaX}}, see [[Persistent block device naming]] for details.<br />
<br />
== LUKS on LVM ==<br />
<br />
To use encryption on top of [[LVM]], the LVM volumes are set up first and then used as the base for the encrypted partitions. This way, a mixture of encrypted and non-encrypted volumes/partitions is possible as well. Unlike [[#LVM on LUKS]], this method allows normally spanning the logical volumes over multiple disks. <br />
<br />
The following short example creates a LUKS on LVM setup and mixes in the use of a key-file for the /home partition and temporary crypt volumes for {{ic|/tmp}} and {{ic|/swap}}. The latter is considered desirable from a security perspective, because no potentially sensitive temporary data survives the reboot, when the encryption is re-initialised. If you are experienced with LVM, you will be able to ignore/replace LVM and other specifics according to your plan. If you want to span a logical volume over multiple disks during setup already, a procedure to do so is described in [[Dm-crypt/Specialties#Expanding LVM on multiple disks]].<br />
<br />
{{Expansion|The intro of this scenario needs some adjustment now that a comparison has been added to [[#Overview]]. A suggested structure is to make it similar to the [[#Simple partition layout with LUKS]] intro.}}<br />
<br />
=== Preparing the disk ===<br />
<br />
Partitioning scheme:<br />
* {{ic|/dev/sda1}} -> {{ic|/boot}}<br />
* {{ic|/dev/sda2}} -> LVM<br />
<br />
Randomise {{ic|/dev/sda2}} according to [[Dm-crypt/Drive preparation#dm-crypt wipe before installation]].<br />
<br />
=== Preparing the logical volumes ===<br />
<br />
# lvm pvcreate /dev/sda2<br />
# lvm vgcreate lvm /dev/sda2<br />
# lvm lvcreate -L 10G -n lvroot lvm<br />
# lvm lvcreate -L 500M -n swap lvm<br />
# lvm lvcreate -L 500M -n tmp lvm<br />
# lvm lvcreate -l 100%FREE -n home lvm<br />
<br />
# cryptsetup luksFormat -c aes-xts-plain64 -s 512 /dev/lvm/lvroot<br />
# cryptsetup open --type luks /dev/lvm/lvroot root<br />
# mkfs -t ext4 /dev/mapper/root<br />
# mount /dev/mapper/root /mnt<br />
<br />
More information about the encryption options can be found in [[Dm-crypt/Device encryption#Encryption options for LUKS mode]].<br />
Note that {{ic|/home}} will be encrypted in [[#Encrypting logical volume /home]]. Further, note that if you ever have to access the encrypted root from the Arch-ISO, the above {{ic|open}} action will allow you to after the [[LVM#Logical Volumes do not show_up|LVM shows up]].<br />
<br />
=== Preparing the boot partition ===<br />
# dd if=/dev/zero of=/dev/sda1 bs=1M<br />
# mkfs -t ext4 /dev/sda1<br />
# mkdir /mnt/boot<br />
# mount /dev/sda1 /mnt/boot<br />
<br />
Now after setup of the encrypted LVM partitioning, it would be time to install: [[Installation guide#Mount_the_partitions|Arch Install Scripts]].<br />
<br />
=== Configuring mkinitcpio ===<br />
<br />
Add the {{ic|lvm2}} and {{ic|encrypt}} hooks to [[mkinitcpio.conf]]:<br />
{{hc|etc/mkinitcpio.conf|2=HOOKS="... '''lvm2''' '''encrypt''' ... filesystems ..."}}<br />
<br />
See [[dm-crypt/System configuration#mkinitcpio]] for details and other hooks that you may need.<br />
<br />
=== Configuring the boot loader ===<br />
In order to unlock the encrypted root partition at boot, the following kernel parameters need to be set by the boot loader:<br />
<br />
cryptdevice=/dev/lvm/lvroot:cryptoroot root=/dev/mapper/cryptoroot<br />
<br />
See [[Dm-crypt/System configuration#Boot loader]] for details.<br />
<br />
=== Configuring fstab and crypttab ===<br />
{{hc|/etc/fstab|<br />
/dev/mapper/root / ext4 defaults 0 1<br />
/dev/sda1 /boot ext4 defaults 0 2<br />
/dev/mapper/tmp /tmp tmpfs defaults 0 0<br />
/dev/mapper/swap none swap sw 0 0}}<br />
The following [[Dm-crypt/System_configuration#crypttab|crypttab]] options will re-encrypt the temporary filesystems each reboot:<br />
{{hc|/etc/crypttab|<br />
swap /dev/lvm/swap /dev/urandom swap,cipher<nowiki>=aes-xts-plain64,size=</nowiki>256<br />
tmp /dev/lvm/tmp /dev/urandom tmp,cipher<nowiki>=aes-xts-plain64,size=</nowiki>256}}<br />
<br />
=== Encrypting logical volume /home ===<br />
Since this scenario uses LVM as the primary and dm-crypt as secondary mapper, each encrypted logical volume requires its own encryption. Yet, unlike the temporary filesystems configured with volatile encryption above, the logical volume for {{ic|/home}} should be persistent, of course. The following assumes you have rebooted into the installed system, otherwise you have to adjust paths. <br />
To safe on entering a second passphrase at boot for it, a [[Dm-crypt/Device_encryption#Keyfiles|keyfile]] is created: <br />
mkdir -m 700 /etc/luks-keys<br />
dd if=/dev/random of=/etc/luks-keys/home bs=1 count=256<br />
<br />
The logical volume is encrypted with it: <br />
cryptsetup luksFormat -v -s 512 /dev/lvm/home /etc/luks-keys/home<br />
cryptsetup -d /etc/luks-keys/home open --type luks /dev/lvm/home home<br />
mkfs -t ext4 /dev/mapper/home<br />
mount /dev/mapper/home /home<br />
The encrypted mount is configured in [[Dm-crypt/System_configuration#crypttab|crypttab]]: <br />
{{hc|/etc/crypttab|<br />
home /dev/lvm/home /etc/luks-keys/home}}<br />
{{hc|/etc/fstab|<br />
/dev/mapper/home /home ext4 defaults 0 2}}<br />
and setup is done.<br />
<br />
If you want to expand the logical volume for {{ic|/home}} (or any other volume) at a later point, it is important to note that the LUKS encrypted part has to be resized as well. For a procedure see [[Dm-crypt/Specialties#Expanding LVM on multiple disks]].<br />
<br />
== LUKS on software RAID ==<br />
<br />
{{Expansion|Some references: [[RAID]], [[Software RAID and LVM]], http://jasonwryan.com/blog/2012/02/11/lvm/ . Note that full-disk encryption is [https://forums.gentoo.org/viewtopic-p-7029704.html not deniable] with this configuration (consider RAID on LUKS instead?).}}<br />
<br />
== Plain dm-crypt ==<br />
<br />
This scenario sets up a system on a dm-crypt a full disk with ''plain'' mode encryption. Note that for most use cases, the methods using LUKS described above are the better options for both system encryption and encrypted partitions. LUKS features like key management with multiple pass-phrases/key-files are unavailable with ''plain'' mode.<br />
<br />
dm-crypt ''plain'' mode does not require a header on the encrypted disk: this means that an unpartitioned, encrypted disk will be indistinguishable from a disk filled with random data, which is the desired attribute for this scenario, see also [[Wikipedia:Deniable encryption]]. <br />
<br />
''Plain'' dm-crypt encrypted disks can be more resilient to damage than LUKS encrypted disks, because it does not rely on an encryption master-key which can be a single-point of failure if damaged. However, using ''plain'' mode also requires more manual configuration of encryption options to achieve the same cryptographic strength. See also [[Disk encryption#Cryptographic metadata]].<br />
<br />
{{Tip|If headerless encryption is your goal but you are unsure about the lack of key-derivation with ''plain'' mode, then two alternatives are: <br />
* [[tcplay]] which offers headerless encryption but with the PBKDF2 function, or <br />
* dm-crypt LUKS mode by using the ''cryptsetup'' {{ic|--header}} option. It cannot be used with the standard ''encrypt'' hook, but the hook [[Dm-crypt/Specialties#Encrypted system using a remote LUKS header|may be modified]].}}<br />
<br />
The scenario uses a USB stick for the boot device and another one to store the encryption key. The disk layout is: <br />
<br />
+--------------------+------------------+--------------------+ +---------------+ +---------------+<br />
|Volume 1: |Volume 2: |Volume 3: | |Boot device | |Encryption key |<br />
| | | | | | |file storage |<br />
|root |swap |home | |/boot | |(unpartitioned |<br />
| | | | | | |in example) |<br />
|/dev/store/root |/dev/store/swap |/dev/store/home | |/dev/sdY1 | |/dev/sdZ |<br />
|--------------------+------------------+--------------------| |---------------| |---------------|<br />
|disk drive /dev/sdaX encrypted using plain mode and LVM | |USB stick 1 | |USB stick 2 |<br />
+------------------------------------------------------------+ +---------------+ +---------------+<br />
<br />
{{ic|/boot}} and the boot loader cannot be kept on the encrypted drive, or it will defeat the purpose of using ''plain'' mode for deniable encryption. This also allows storing the options required to open/unlock the plain encrypted device in the boot loader configuration, since typing them on each boot would be error prone.<br />
<br />
This scenario also uses a key file, assuming it stored as raw bits on a second USB stick, so that to the eyes of an unaware attacker who might get the usbkey the encryption key will appear as random data instead of being visible as a normal file. See also [[Wikipedia:Security through obscurity]], follow [[Dm-crypt/Device encryption#Keyfiles]] to prepare the keyfile.<br />
<br />
{{Tip|<br />
* It is also possible to use a single usb key by copying the keyfile to the initram directly. An example keyfile {{ic|/etc/keyfile}} gets copied to the initram image by setting {{ic|1=FILES="/etc/keyfile"}} in {{ic|/etc/mkinitcpio.conf}}. The way to instruct the {{ic|encrypt}} hook to read the keyfile in the initram image is using {{ic|rootfs:}} prefix before the filename, e.g. {{ic|cryptkey&#61;rootfs:/etc/keyfile}}. <br />
* Another option is using a passphrase with good [[Disk_encryption#Choosing_a_strong_passphrase|entropy]].<br />
}}<br />
<br />
=== Preparing the disk ===<br />
<br />
It is vital that the mapped device is filled with data. In particular this applies to the scenario usecase we apply here. <br />
<br />
See [[Dm-crypt/Drive preparation]] and [[Dm-crypt/Drive preparation#dm-crypt specific methods]]<br />
<br />
=== Preparing the non-boot partitions ===<br />
<br />
See [[Dm-crypt/Device encryption#Encryption options for plain mode]] for details. <br />
<br />
Using the device {{ic|/dev/sd''X''}}, with the twofish-xts cipher with a 512 bit key size and using a keyfile we have the following options for this scenario: <br />
{{bc|<nowiki># cryptsetup --hash=sha512 --cipher=twofish-xts-plain64 --offset=0 --key-file=</nowiki>/dev/sd''Z'' <nowiki>--key-size=512 open --type=plain /dev/sdX enc</nowiki>}}<br />
Unlike encrypting with LUKS, the above command must be executed ''in full'' whenever the mapping needs to be re-established, so it is important to remember the cipher, hash and key file details. <br />
<br />
We can now check a mapping entry has been made for {{ic|/dev/mapper/enc}}:<br />
# fdisk -l<br />
<br />
Next, we setup [[LVM]] logical volumes on the mapped device, see [[LVM#Installing Arch Linux on LVM]] for further details: <br />
# pvcreate /dev/mapper/enc<br />
# vgcreate store /dev/mapper/enc<br />
# lvcreate -L 20G store -n root<br />
# lvcreate -L 10G store -n swap<br />
# lvcreate -l +100%FREE store -n home<br />
We format and mount them and activate swap, see [[File systems#Format a device]] for further details: <br />
# mkfs.ext4 /dev/store/root<br />
# mkfs.ext4 /dev/store/home<br />
# mount /dev/store/root /mnt<br />
# mkdir /mnt/home<br />
# mount /dev/store/home /mnt/home<br />
# mkswap /dev/store/swap<br />
# swapon /dev/store/swap<br />
<br />
=== Preparing the boot partition ===<br />
The {{ic|/boot}} partition can be installed on the standard vfat partition of a USB stick, if required. But if manual partitioning is needed, then a small 200MB partition is all that is required. Create the partition using a [[Partitioning#Partitioning_tools|partitioning tool]] of your choice.<br />
<br />
We choose a non-journalling file system to preserve the flash memory of the {{ic|/boot}} partition, if not already formatted as vfat:<br />
# mkfs.ext2 /dev/sd''Y''1<br />
# mkdir /mnt/boot<br />
# mount /dev/sd''Y''1 /mnt/boot<br />
<br />
=== Configuring mkinitcpio ===<br />
<br />
Add the {{ic|encrypt}} and {{ic|lvm2}} hooks to [[mkinitcpio.conf]]:<br />
{{hc|etc/mkinitcpio.conf|2=HOOKS="... '''encrypt''' '''lvm2''' ... filesystems ..."}}<br />
<br />
See [[dm-crypt/System configuration#mkinitcpio]] for details and other hooks that you may need.<br />
<br />
=== Configuring the boot loader ===<br />
<br />
In order to boot the encrypted root partition, the following kernel parameters need to be set by the boot loader:<br />
<br />
cryptdevice=/dev/sd''X'':enc cryptkey=/dev/sd''Z'':0:512 crypto=sha512:twofish-xts-plain64:512:0:<br />
<br />
See [[Dm-crypt/System configuration#Boot loader]] for details and other parameters that you may need.<br />
<br />
{{Tip|If using GRUB, you can install it on the same USB as the {{ic|/boot}} partition with:<br />
# grub-install --recheck /dev/sd''Y''<br />
}}<br />
<br />
===Post-installation===<br />
<br />
You may wish to remove the USB sticks after booting. Since the {{ic|/boot}} partition is not usually needed, the {{ic|noauto}} option can be added to the relevant line in {{ic|/etc/fstab}}:<br />
<br />
{{hc|/etc/fstab|<br />
# /dev/sd''Yn''<br />
/dev/sd''Yn'' /boot ext2 '''noauto''',rw,noatime 0 2}}<br />
<br />
However, when an update to the kernel or bootloader is required, the {{ic|/boot}} partition must be present and mounted. As the entry in {{ic|fstab}} already exists, it can be mounted simply with:<br />
<br />
# mount /boot<br />
<br />
== Encrypted boot partition (GRUB) ==<br />
<br />
This setup utilizes the same partition layout and configuration for the system's root partition as the previous [[#LVM on LUKS]] section, with two distinct differences: <br />
<br />
# The setup is performed for an [[UEFI]] system and <br />
# A special feature of the [[GRUB]] bootloader is used to additionally encrypt the boot partition {{ic|/boot}}. See also [[GRUB#Boot partition]].<br />
<br />
The disk layout in this example is: <br />
<br />
+---------------+----------------+----------------+----------------+----------------+<br />
|ESP partition: |Boot partition: |Volume 1: |Volume 2: |Volume 3: |<br />
| | | | | |<br />
|/boot/efi |/boot |root |swap |home |<br />
| | | | | |<br />
| | |/dev/store/root |/dev/store/swap |/dev/store/home |<br />
|/dev/sdaX |/dev/sdaY +----------------+----------------+----------------+<br />
|'''un'''encrypted |LUKS encrypted |/dev/sdaZ encrypted using LVM on LUKS |<br />
+---------------+----------------+--------------------------------------------------+<br />
<br />
{{Tip|All scenarios are intended as examples. It is, of course, possible to apply both of the two above distinct installation steps with the other scenarios as well. See also the variants linked in [[#LVM on LUKS]].}} <br />
<br />
=== Preparing the disk ===<br />
<br />
Prior to creating any partitions, you should inform yourself about the importance and methods to securely erase the disk, described in [[Dm-crypt/Drive preparation]].<br />
<br />
Create an [[Unified_Extensible_Firmware_Interface#EFI_System_Partition|EFI System Partition (ESP)]] with an appropriate size, it will later be mounted at {{ic|/boot/efi}}. <br />
<br />
Create a partition to be mounted at {{ic|/boot}} of type {{ic|8300}} with a size of 100 MB or more.<br />
<br />
{{Tip|When using the [[GRUB]] bootloader together with a BIOS/[[GPT]], create a BIOS Boot Partition as explained in [[GRUB#BIOS systems]] instead of the ESP.}}<br />
<br />
Create a partition of type {{ic|8E00}}, which will later contain the encrypted container.<br />
<br />
Create the LUKS encrypted container at the "system" partition. <br />
<br />
# cryptsetup luksFormat /dev/''sdaZ''<br />
<br />
For more information about the available cryptsetup options see the [[Dm-crypt/Device encryption#Encryption_options_for_LUKS_mode|LUKS encryption options]] prior to above command.<br />
<br />
Your partition layout should look similar to this:<br />
{{hc| gdisk /dev/sda |<br />
Number Start (sector) End (sector) Size Code Name<br />
1 2048 1050623 512.0 MiB EF00 EFI System<br />
2 1050624 1460223 200.0 MiB 8300 Linux filesystem<br />
3 1460224 41943006 19.3 GiB 8E00 Linux LVM<br />
}}<br />
<br />
Open the container:<br />
<br />
# cryptsetup open --type luks /dev/''sdaZ'' lvm<br />
<br />
The decrypted container is now available at {{ic|/dev/mapper/lvm}}.<br />
<br />
=== Preparing the logical volumes ===<br />
<br />
The LVM logical volumes of this example follow the exact layout as the previous scenario. Therefore, please follow [[#Preparing the logical volumes|Preparing the logical volumes]] above or adjust as required.<br />
<br />
=== Preparing the boot partition ===<br />
<br />
The bootloader loads the kernel, [[initramfs]], and its own configuration files from the {{ic|/boot}} directory. <br />
<br />
First, create the LUKS container where the files will be located and installed into: <br />
<br />
# cryptsetup luksFormat /dev/sda''Y'' <br />
<br />
Next, open it: <br />
# cryptsetup open /dev/sda''Y'' cryptboot <br />
<br />
Create a filesystem on the partition intended for {{ic|/boot}}. Any filesystem that can be read by the bootloader is eligible:<br />
<br />
# mkfs.ext2 /dev/mapper/''cryptboot''<br />
<br />
Create the directory {{ic|/mnt/boot}}:<br />
<br />
# mkdir /mnt/boot<br />
<br />
Mount the partition to {{ic|/mnt/boot}}:<br />
<br />
# mount /dev/mapper/''cryptboot'' /mnt/boot<br />
<br />
Create a mountpoint for the [[Unified_Extensible_Firmware_Interface#EFI_System_Partition|ESP]] at {{ic|/boot/efi}} for compatibility with {{ic|grub-install}} and mount it:<br />
<br />
# mkdir /mnt/boot/efi<br />
# mount /dev/''sdaX'' /mnt/boot/efi<br />
<br />
At this point, you should have the following partitions and logical volumes inside of {{ic|/mnt}}:<br />
{{hc|lsblk|<br />
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT<br />
sda 8:0 0 200G 0 disk <br />
├─sda1 8:1 0 512M 0 part /boot/efi<br />
├─sda2 8:2 0 200M 0 part <br />
│ └─boot 254:0 0 198M 0 crypt /boot<br />
└─sda3 8:3 0 100G 0 part <br />
└─lvm 254:1 0 100G 0 crypt <br />
├─MyStorage-swapvol 254:2 0 8G 0 lvm [SWAP]<br />
├─MyStorage-rootvol 254:3 0 15G 0 lvm /<br />
└─MyStorage-homevol 254:4 0 77G 0 lvm /home<br />
}}<br />
<br />
Afterwards continue with the installation procedure up to the mkinitcpio step.<br />
<br />
=== Configuring mkinitcpio ===<br />
<br />
Add the {{ic|encrypt}} and {{ic|lvm2}} hooks to [[mkinitcpio.conf]]:<br />
{{hc|/etc/mkinitcpio.conf|2=HOOKS="... '''encrypt''' '''lvm2''' ... filesystems ..."}}<br />
<br />
See [[dm-crypt/System configuration#mkinitcpio]] for details and other hooks that you may need.<br />
<br />
=== Configuring the boot loader ===<br />
In order to unlock the encrypted root partition at boot, the following kernel parameters need to be set by the boot loader:<br />
<br />
cryptdevice=UUID=''<device-UUID>'':MyStorage root=/dev/mapper/MyStorage-rootvol<br />
<br />
See [[Dm-crypt/System configuration#Boot loader]] for details.<br />
<br />
The {{ic|''<device-UUID>''}} refers to the UUID of {{ic|/dev/sdaX}}, see [[Persistent block device naming]] for details.<br />
<br />
Now we prepare the GRUB bootloader installation to recognize the LUKS encrypted {{ic|/boot}} partition according to [[GRUB#Boot partition]]. <br />
<br />
Open {{ic|/etc/default/grub}} and add the parameter to the end:<br />
<br />
{{ic|1=GRUB_ENABLE_CRYPTODISK=y}}<br />
<br />
Create the GRUB menu configuration file: <br />
<br />
# grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
[[GRUB#Installation_2|Install GRUB]] to the mounted ESP: <br />
<br />
# grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub --recheck<br />
<br />
If this finished without errors, GRUB should prompt for the passphrase to unlock the {{ic|/boot}} partition after the next reboot.<br />
<br />
=== Configuring fstab and crypttab ===<br />
<br />
This section deals with extra configuration to let the system '''mount''' the encrypted {{ic|/boot}}. <br />
<br />
While GRUB asks for a passphrase to unlock the encrypted {{ic|/boot}} after above instructions, the partition unlock is not passed on to the initramfs. Hence, {{ic|/boot}} will not be available after the system has re-/booted, because the {{ic|encrypt}} hook only unlocks the system's root. <br />
<br />
If you used the ''genfstab'' script during installation, it will have generated {{ic|/etc/fstab}} entries for the {{ic|/boot}} and {{ic|/boot/efi}} mount points already, but the system will fail to find the generated device mapper for the boot partition. To make it available, add it to [[Dm-crypt/System configuration#crypttab|crypttab]]. For example: <br />
<br />
{{hc|/etc/crypttab|<br />
cryptboot /dev/sdaY none luks}}<br />
<br />
will make the system ask for the passphrase again (i.e. you have to enter it twice at boot: once for GRUB and once for systemd init). To avoid the double entry for unlocking {{ic|/boot}}, follow the instructions at [[Dm-crypt/Device encryption#Keyfiles]] to: <br />
<br />
# Create a [[Dm-crypt/Device_encryption#Storing the keyfile on a filesystem|randomtext keyfile]], <br />
# Add the keyfile to the ({{ic|/dev/sdaY}}) [[Dm-crypt/Device encryption#Configuring LUKS to make use of the keyfile|boot partition's LUKS header]] and<br />
# Check the {{ic|/etc/fstab}} entry and add the {{ic|/etc/crypttab}} line to [[Dm-crypt/Device_encryption#Unlocking_a_secondary_partition_at_boot|unlock it automatically at boot]].<br />
<br />
If for some reason the keyfile fails to unlock the boot partition, systemd will fallback to ask for a passphrase to unlock and, in case that is correct, continue booting.<br />
<br />
{{Tip|Optional post-installation steps: <br />
* It may be worth considering to add the GRUB bootloader to the ignore list of {{ic|/etc/pacman.conf}} in order to take particular control of when the bootloader (which includes its own encryption modules) is updated. <br />
* If you want to encrypt the {{ic|/boot}} partition to protect against offline tampering threats, the [[Dm-crypt/Specialties#mkinitcpio-chkcryptoboot|mkinitcpio-chkcryptoboot]] hook has been contributed to help.}}</div>Acasanovas