Difference between revisions of "Dm-crypt/Encrypting an entire system"

From ArchWiki
m (update links)
(Preparing the disk: use Template:Tip for BIOS boot partition reminder)
 
(405 intermediate revisions by 59 users not shown)
Line 1: Line 1:
 
{{Lowercase title}}
 
{{Lowercase title}}
[[Category:Security]]
+
[[Category:Disk encryption]]
[[Category:File systems]]
 
 
[[Category:Getting and installing Arch]]
 
[[Category:Getting and installing Arch]]
The following are examples of common scenarios of full system encryption with [[dm-crypt]]. They explain all the adaptations that need to be done to the normal [[Installation Guide|installation procedure]]. All the necessary tools are on the [https://www.archlinux.org/download/ installation image].
+
[[de:Systemverschlüsselung mit dm-crypt]]
 +
[[es:Dm-crypt/Encrypting an entire system]]
 +
[[ja:Dm-crypt/システム全体の暗号化]]
 +
[[pl:Dm-crypt/Encrypting an entire system]]
 +
 
 +
The following are examples of common scenarios of full system encryption with ''dm-crypt''. They explain all the adaptations that need to be done to the normal [[Installation guide|installation procedure]]. All the necessary tools are on the [https://www.archlinux.org/download/ installation image].
  
 
== Overview ==
 
== Overview ==
  
Securing a root filesystem is where dm-crypt excels. When a system's root filesystem is on a dm-crypt device, nearly every file on the system is encrypted. Unlike selectively encrypting non-root filesystems, an encrypted root filesystem can conceal information such as which programs are installed, the usernames of all user accounts, and common data-leakage vectors such as [[mlocate]] and {{ic|/var/log/}}. Furthermore, an encrypted root filesystem makes tampering with the system far more difficult, as everything except the [[boot loader]] and kernel is encrypted.
+
Securing a root filesystem is where ''dm-crypt'' excels, feature and performance-wise. Unlike selectively encrypting non-root filesystems, an encrypted root filesystem can conceal information such as which programs are installed, the usernames of all user accounts, and common data-leakage vectors such as [[mlocate]] and {{ic|/var/log/}}. Furthermore, an encrypted root filesystem makes tampering with the system far more difficult, as everything except the [[boot loader]] and (usually) the kernel is encrypted.
 +
 
 +
All scenarios illustrated in the following share these advantages, other pros and cons differentiating them are summarized below:
 +
 
 +
{| class="wikitable"
 +
! Scenarios
 +
! Advantages
 +
! Disadvantages
 +
|----------------------------------------------------------
 +
| [[#Simple partition layout with LUKS]]
 +
shows a basic and straight-forward set-up for a fully LUKS encrypted root.
 +
|
 +
* Simple partitioning and setup
 +
|
 +
* Inflexible; disk-space to be encrypted has to be pre-allocated
 +
|----------------------------------------------------------
 +
| [[#LVM on LUKS]]
 +
achieves partitioning flexibility by using LVM inside a single LUKS encrypted partition.
 +
|
 +
* Simple partitioning with knowledge of LVM
 +
* Only one key required to unlock all volumes (e.g. easy resume-from-disk setup)
 +
* Volume layout not transparent when locked
 +
* Easiest method to allow [[dm-crypt/Swap encryption#With suspend-to-disk support|suspension to disk]]
 +
|
 +
* LVM adds an additional mapping layer and hook
 +
* Less useful, if a singular volume should receive a separate key
 +
|----------------------------------------------------------
 +
| [[#LUKS on LVM]]
 +
uses dm-crypt only after the LVM is setup.
 +
|
 +
* LVM can be used to have encrypted volumes span multiple disks
 +
* Easy mix of un-/encrypted volume groups
 +
|
 +
* Complex; changing volumes requires changing encryption mappers too
 +
* Volumes require individual keys
 +
* LVM layout is transparent when locked
 +
|----------------------------------------------------------
 +
| [[#LUKS on software RAID]]
 +
uses dm-crypt only after RAID is setup.
 +
|
 +
* Analogous to LUKS on LVM
 +
|
 +
* Analogous to LUKS on LVM
 +
|----------------------------------------------------------
 +
| [[#Plain dm-crypt]]
 +
uses dm-crypt plain mode, i.e. without a LUKS header and its options for multiple keys. <br>This scenario also employs USB devices for {{ic|/boot}} and key storage, which may be applied to the other scenarios.
 +
|
 +
* Data resilience for cases where a LUKS header may be damaged
 +
* Allows [[Wikipedia:Disk encryption#Full disk encryption|Full Disk Encryption]]
 +
* Helps addressing [[dm-crypt/Specialties#Discard/TRIM support for solid state drives (SSD)|problems]] with SSDs
 +
|
 +
* High care to all encryption parameters is required
 +
* Single encryption key and no option to change it
 +
|----------------------------------------------------------
 +
| [[#Encrypted boot partition (GRUB)]]
 +
shows how to encrypt the boot partition using the GRUB bootloader. <br> This scenario also employs an ESP partition, which may be applied to the other scenarios.
 +
|
 +
* Same advantages as the scenario the installation is based on (LVM on LUKS for this particular example)
 +
* Less data is left unencrypted, i.e. the boot loader and the ESP partition, if present
 +
|
 +
* Same disadvantages as the scenario the installation is based on (LVM on LUKS for this particular example)
 +
* More complicated configuration
 +
* Not supported by other boot loaders
 +
|----------------------------------------------------------
 +
| [[#Btrfs subvolumes with swap]]
 +
shows how to encrypt a [[Btrfs]] system, including the {{ic|/boot}} directory, also adding a partition for swap, on UEFI hardware.
 +
|
 +
* Similar advantages as [[#Encrypted boot partition (GRUB)]]
 +
* Availability of Btrfs' features
 +
|
 +
* Similar disadvantages as [[#Encrypted boot partition (GRUB)]]
 +
|}
 +
 
 +
While all above scenarios provide much greater protection from outside threats than encrypted secondary filesystems, they also share a common disadvantage: any user in possession of the encryption key is able to decrypt the entire drive, and therefore can access other users' data. If that is of concern, it is possible to use a combination of blockdevice and stacked filesystem encryption and reap the advantages of both. See [[Disk encryption]] to plan ahead.
 +
 
 +
See [[dm-crypt/Drive preparation#Partitioning]] for a general overview of the partitioning strategies used in the scenarios.
 +
 
 +
Another area to consider is whether to set up an encrypted swap partition and what kind. See [[dm-crypt/Swap encryption]] for alternatives.
 +
 
 +
If you anticipate to protect the system's data not only against physical theft, but also have a requirement of precautions against logical tampering, see [[dm-crypt/Specialties#Securing the unencrypted boot partition]] for further possibilities after following one of the scenarios.
  
In encrypted root filesystem scenarios, dm-crypt is often combined with other disk abstraction technologies such as [[#LVM on LUKS|LVM]] and [[#LUKS on software RAID|RAID]], although it is by no means necessary.
+
For [[Solid State Drive]]s you might want to consider enabling TRIM support, but be warned, there are potential security implications. See [[dm-crypt/Specialties#Discard/TRIM support for solid state drives (SSD)]] for more information.
  
While an encrypted root filesystem provides much greater protection from outside threats than encrypted secondary filesystems, any user of the system is able to decrypt the entire drive, and therefore can access other users' data. However, it is possible to use a combination of root and non-root filesystem encryption and reap the advantages of both. It is important to balance the benefits with the effort, as an encrypted root filesystem is more difficult to setup than an encrypted secondary filesystem.
+
{{Warning|In any scenario, never use file system repair software such as [[fsck]] directly on an encrypted volume, or it will destroy any means to recover the key used to decrypt your files. Such tools must be used on the decrypted (opened) device instead.}}
  
 
== Simple partition layout with LUKS ==
 
== Simple partition layout with LUKS ==
  
This example covers a full system encryption with ''dmcrypt''+ LUKS in a simple partition layout:
+
This example covers a full system encryption with ''dmcrypt'' + LUKS in a simple partition layout:
  
  +--------------------+--------------------------+--------------------------+
+
  +-----------------------+-----------------------+-----------------------+
  |Boot partition     |LUKS encrypted system     |Optional free space       |
+
  | Boot partition       | LUKS encrypted system | Optional free space   |
  |                   |partition                 |for additional partitions |
+
  |                       | partition             | for additional       |
  |/dev/sdaY          |/dev/sdaX                |or swap to be setup later |
+
|                      |                      | partitions or swap    |
  +--------------------+--------------------------+--------------------------+
+
  | /boot                | /                     | to be setup later     |
 +
|                      |                      |                      |
 +
|                      | /dev/mapper/cryptroot |                      |
 +
  |                      |-----------------------|                      |
 +
| /dev/sda1            | /dev/sda2            |                      |
 +
+-----------------------+-----------------------+-----------------------+
  
 
The first steps can be performed directly after booting the Arch Linux install image.
 
The first steps can be performed directly after booting the Arch Linux install image.
  
 
=== Preparing the disk ===
 
=== Preparing the disk ===
Prior to creating any partitions, securely erase the disk as described in [[Dm-crypt/Drive Preparation#Secure erasure of the hard disk drive]].
 
  
Then create the needed partitions, at least one for {{ic|/}} (e.g. {{ic|/dev/sdaX}}) and {{ic|/boot}} ({{ic|/dev/sdaY}}), see [[Partitioning]].
+
Prior to creating any partitions, you should inform yourself about the importance and methods to securely erase the disk,  described in [[dm-crypt/Drive preparation]].
 +
 
 +
Then create the needed partitions, at least one for {{ic|/}} (e.g. {{ic|/dev/sda2}}) and {{ic|/boot}} ({{ic|/dev/sda1}}). See [[Partitioning]].
  
 
=== Preparing non-boot partitions ===
 
=== Preparing non-boot partitions ===
  
Then follow the same procedure described in details in [[Dm-crypt/Encrypting a non-root file system#Partition]] (which, despite the title, ''can'' be applied to root partitions, as long as [[#Configuring mkinitcpio|mkinitcpio]] and the [[#Configuring the boot loader|boot loader]] are then correctly configured).  
+
The following commands create and mount the encrypted root partition. They correspond to the procedure described in detail in [[dm-crypt/Encrypting a non-root file system#Partition]] (which, despite the title, ''can'' be applied to root partitions, as long as [[#Configuring mkinitcpio|mkinitcpio]] and the [[#Configuring the boot loader|boot loader]] are correctly configured).
If you want to use special encryption options (e.g. cipher, key length), see the [[Dm-crypt/Device_Encryption#Encryption_options_for_LUKS_mode|encryption options]] before executing the first command:
+
If you want to use particular non-default encryption options (e.g. cipher, key length), see the [[dm-crypt/Device encryption#Encryption options for LUKS mode|encryption options]] before executing the first command:
  
  # cryptsetup -y -v luksFormat /dev/sdaX
+
  # cryptsetup -y -v luksFormat --type luks2 /dev/sda2
  # cryptsetup open /dev/sdaX cryptroot
+
  # cryptsetup open /dev/sda2 cryptroot
  # mkfs -t ext4 /dev/mapper/cryptroot
+
  # mkfs.ext4 /dev/mapper/cryptroot
  # mount -t ext4 /dev/mapper/cryptroot /mnt
+
  # mount /dev/mapper/cryptroot /mnt
  
 
Check the mapping works as intended:
 
Check the mapping works as intended:
 +
 
  # umount /mnt
 
  # umount /mnt
 
  # cryptsetup close cryptroot
 
  # cryptsetup close cryptroot
  # cryptsetup open /dev/sdaX cryptroot
+
  # cryptsetup open /dev/sda2 cryptroot
  # mount -t ext4 /dev/mapper/cryptroot /mnt
+
  # mount /dev/mapper/cryptroot /mnt
 +
 
 +
If you created separate partitions (e.g. {{ic|/home}}), these steps have to be adapted and repeated for all of them, ''except'' for {{ic|/boot}}. See [[dm-crypt/Encrypting a non-root file system#Automated unlocking and mounting]] on how to handle additional partitions at boot.
  
If you created separate partitions (e.g. {{ic|/home}}), these steps have to be adapted and repeated for all of them, ''except'' for {{ic|/boot}}.
+
Note that each blockdevice requires its own passphrase. This may be inconvenient, because it results in a separate passphrase to be input during boot. An alternative is to use a keyfile stored in the system partition to unlock the separate partition via {{ic|crypttab}}. See [[dm-crypt/Device encryption#Using LUKS to format partitions with a keyfile]] for instructions.
  
See [[Dm-crypt_with_LUKS/Encrypting_a_non-root_file_system#Automated_unlocking_and_mounting]] for automated unlocking and mounting of additional partitions at boot.
+
=== Preparing the boot partition ===
  
Note that each blockdevice requires its own passphrase. This may be inconvenient, because it results in a separate passphrase to be input during boot. An alternative is to use a keyfile stored in the system partition to unlock the separate partition via {{ic|crypttab}}. See [[Dm-crypt/Device Encryption#Using LUKS to Format Partitions_with a Keyfile]] for instructions.
+
What you do have to setup is a non-encrypted {{ic|/boot}} partition, which is needed for a encrypted root. For a standard [[EFI|MBR/non-EFI]] {{ic|/boot}} partition, for example, execute:
  
=== Preparing the boot partition ===
+
  # mkfs.ext4 /dev/sda1
What you do have to setup is a non-encrypted {{ic|/boot}} partition, which is needed for a crypted root. For a standard [[EFI|MBR/non-EFI]] {{ic|/boot}} partition, for example, execute:
 
  # mkfs -t ext2 /dev/sdaY
 
 
  # mkdir /mnt/boot
 
  # mkdir /mnt/boot
  # mount -t ext2 /dev/sdaY /mnt/boot
+
  # mount /dev/sda1 /mnt/boot
  
 
=== Mounting the devices ===
 
=== Mounting the devices ===
At [[Installation Guide#Mount the partitions]] you will have to mount the mapped devices, not the actual partitions. Of course {{ic|/boot}}, which is not encrypted, will still have to be mounted directly.
+
 
 +
At [[Installation guide#Mount the file systems]] you will have to mount the mapped devices, not the actual partitions. Of course {{ic|/boot}}, which is not encrypted, will still have to be mounted directly.
  
 
=== Configuring mkinitcpio ===
 
=== Configuring mkinitcpio ===
Add the {{ic|encrypt}} hook to [[mkinitcpio.conf]] before {{ic|filesystems}}; also add {{ic|shutdown}}:
 
{{hc|etc/mkinitcpio.conf|2=HOOKS="... '''encrypt''' ... filesystems ... '''shutdown''' ..."}}
 
  
See [[dm-crypt/System Configuration#mkinitcpio]] for details and other hooks that you may need.
+
Add the {{ic|keyboard}}, {{ic|keymap}} and {{ic|encrypt}} hooks to [[mkinitcpio.conf]]. If the default US keymap is fine for you, you can omit the {{ic|keymap}} hook.
 +
 
 +
HOOKS=(base udev autodetect '''keyboard''' '''keymap''' consolefont modconf block '''encrypt''' filesystems fsck)
 +
 
 +
If using the [[sd-encrypt]] hook with the systemd-based initramfs, the following needs to be set instead:
 +
 
 +
HOOKS=(base '''systemd''' autodetect '''keyboard''' '''sd-vconsole''' modconf block '''sd-encrypt''' filesystems fsck)
 +
 
 +
Depending on which other hooks are used, the order may be relevant. See [[dm-crypt/System configuration#mkinitcpio]] for details and other hooks that you may need.
  
 
=== Configuring the boot loader ===
 
=== Configuring the boot loader ===
In order to boot the encrypted root partition, the following [[kernel parameter]] needs to be set in your [[boot loader]]:
 
  
  cryptdevice=/dev/sdaX:cryptroot
+
In order to unlock the encrypted root partition at boot, the following kernel parameters need to be set by the boot loader:
 +
 
 +
  cryptdevice=UUID=''device-UUID'':cryptroot root=/dev/mapper/cryptroot
  
See [[Dm-crypt/System Configuration#Boot loader]] for details and other parameters that you may need.
+
If using the [[sd-encrypt]] hook, the following need to be set instead:
 +
 
 +
rd.luks.name=''device-UUID''=cryptroot root=/dev/mapper/cryptroot
 +
 
 +
See [[dm-crypt/System configuration#Boot loader]] for details.
 +
 
 +
The {{ic|''device-UUID''}} refers to the UUID of {{ic|/dev/sda2}}. See [[Persistent block device naming]] for details.
  
 
== LVM on LUKS ==
 
== LVM on LUKS ==
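Review bot: In "Preparing the disk" for the simple layout, the replacement sentence ("you should inform yourself about the importance and methods to securely erase the disk") turns what was an imperative step ("securely erase the disk as described in ...") into background reading. A reader who only follows the commands can now skip the wipe without noticing. Suggest keeping it as a step and pointing at the new link target, e.g. "Prior to creating any partitions, securely erase the disk as described in [[dm-crypt/Drive preparation]]." The same sentence has a double space after "disk,". Two wording nits in the added lines: "which is needed for a encrypted root" should read "an encrypted root", and the intro still writes ''dmcrypt'' where the rest of the new text uses ''dm-crypt''. In "Configuring mkinitcpio" the old text told the reader to add {{ic|shutdown}}; the new HOOKS lines drop it without comment, so a short edit-summary or note on why it is no longer needed would help readers comparing against an existing configuration.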
Line 78: Line 182:
 
The straight-forward method is to set up [[LVM]] on top of the encrypted partition instead of the other way round. Technically the LVM is setup inside one big encrypted blockdevice. Hence, the LVM is not transparent until the blockdevice is unlocked and the underlying volume structure is scanned and mounted during boot.
 
The straight-forward method is to set up [[LVM]] on top of the encrypted partition instead of the other way round. Technically the LVM is setup inside one big encrypted blockdevice. Hence, the LVM is not transparent until the blockdevice is unlocked and the underlying volume structure is scanned and mounted during boot.
  
This method will not allow you to span the logical volumes over multiple disk, even in the future. For a solution that allows to do so, see [[#LUKS on LVM]].
+
The disk layout in this example is:
 +
 
 +
+-----------------------------------------------------------------------------------------+ +----------------+
 +
| Logical volume 1            | Logical volume 2            | Logical volume 3            | | Boot partition |
 +
|                            |                            |                            | |                |
 +
| [SWAP]                      | /                          | /home                      | | /boot          |
 +
|                            |                            |                            | |                |
 +
| /dev/mapper/MyVolGroup-swap | /dev/mapper/MyVolGroup-root | /dev/mapper/MyVolGroup-home | |                |
 +
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _| | (may be on    |
 +
|                                                                                        | | other device)  |
 +
|                        LUKS encrypted partition                                        | |                |
 +
|                          /dev/sda1                                                    | | /dev/sdb1      |
 +
+-----------------------------------------------------------------------------------------+ +----------------+
 +
 
 +
{{Note|While using the {{ic|encrypt}} hook this method does not allow you to span the logical volumes over multiple disks; either use the [[sd-encrypt]] or see [[dm-crypt/Specialties#Modifying the encrypt hook for multiple partitions]].}}
  
{{Expansion|Compare to the other scenarios with advantages/disadvantages.}}
+
{{Tip|Three variants of this setup:
 +
* Instructions at [[dm-crypt/Specialties#Encrypted system using a detached LUKS header]] use this setup with a detached LUKS header on a USB device to achieve a two factor authentication with it.
 +
* Instructions at [https://web.archive.org/web/20180103175714/http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/ Pavel Kogan's blog] show how to encrypt the {{ic|/boot}} partition while keeping it on the main LUKS partition when using GRUB.
 +
* Instructions at [[dm-crypt/Specialties#Encrypted /boot and a detached LUKS header on USB]] use this setup with a detached LUKS header, encrypted {{ic|/boot}} partition, and encrypted keyfile all on a USB device.
 +
}}
  
 
=== Preparing the disk ===
 
=== Preparing the disk ===
Prior to creating any partitions, securely erase the disk as described in [[Dm-crypt/Drive Preparation#Secure erasure of the hard disk drive]] (the necessary tools are on the installation ISO).
 
  
Then make the following partitions:
+
Prior to creating any partitions, you should inform yourself about the importance and methods to securely erase the disk, described in [[dm-crypt/Drive preparation]].
*sdx1 - Size 2MB, Partition Type EF02  (This is so GRUB plays nice with GPT)
+
 
*sdx2 - Size 200mb, Partition Type 8300 (This is your /boot partition)
+
{{Tip|When using the [[GRUB]] bootloader together with [[GPT]], create a [[BIOS boot partition]].}}
*sdx3 - Remaining space, Partition Type 8E00 (LVM)
+
 
 +
Create a partition to be mounted at {{ic|/boot}} of type {{ic|8300}} with a size of 200 MiB or more.
  
After that, create the LUKS encrypted container (sdx3. We do not encrypt /boot or the BIOS partition)
+
Create a partition of type {{ic|8E00}}, which will later contain the encrypted container.
# cryptsetup luksFormat /dev/sdx3
 
  
NOTE: cryptsetup has a TON of options (which you can find in its man page).  The defaults now are quite secure (aes-xts-plain64 with 256bit keysize results in a 128 bit AES encryption for the data), but you may change whatever settings you like here. A description of the options you find in the [[Dm-crypt/Device_Encryption#Encryption_options_for_LUKS_mode|LUKS]] page too. Enter your password twice.
+
Create the LUKS encrypted container at the "system" partition. Enter the chosen password twice.
  
Now we open our container:
+
# cryptsetup luksFormat --type luks2 /dev/sda1
  
# cryptsetup open --type luks /dev/sdx3 lvm
+
For more information about the available cryptsetup options see the [[dm-crypt/Device encryption#Encryption options for LUKS mode|LUKS encryption options]] prior to above command.
  
Your decrypted disk is now available at /dev/mapper/lvm
+
Open the container:
 +
 
 +
# cryptsetup open /dev/sda1 cryptlvm
 +
 
 +
The decrypted container is now available at {{ic|/dev/mapper/cryptlvm}}.
  
 
=== Preparing the logical volumes ===
 
=== Preparing the logical volumes ===
  
# pvcreate /dev/mapper/lvm
+
Create a physical volume on top of the opened LUKS container:
# vgcreate MyStorage /dev/mapper/lvm
 
# lvcreate -L 15G MyStorage -n rootvol
 
# lvcreate -L 35G MyStorage -n homevol
 
# lvcreate -L 2G MyStorage -n swapvol
 
# lvcreate -L 200G MyStorage -n mediavol
 
  
  # mkfs.ext4 /dev/mapper/MyStorage-rootvol
+
  # pvcreate /dev/mapper/cryptlvm
# mkfs.ext4 /dev/mapper/MyStorage-homevvol
 
# mkswap /dev/mapper/MyStorage-swapvol
 
# mkfs.ext4 /dev/mapper/MyStorage-mediavol
 
  
  # mount /dev/MyStorage/rootvol /mnt
+
Create the volume group named {{ic|MyVolGroup}} (or whatever you want), adding the previously created physical volume to it:
 +
 
 +
# vgcreate MyVolGroup /dev/mapper/cryptlvm
 +
 
 +
Create all your logical volumes on the volume group:
 +
 
 +
# lvcreate -L 8G MyVolGroup -n swap
 +
# lvcreate -L 32G MyVolGroup -n root
 +
# lvcreate -l 100%FREE MyVolGroup -n home
 +
 
 +
Format your filesystems on each logical volume:
 +
 
 +
# mkfs.ext4 /dev/mapper/MyVolGroup-root
 +
# mkfs.ext4 /dev/mapper/MyVolGroup-home
 +
# mkswap /dev/mapper/MyVolGroup-swap
 +
 
 +
Mount your filesystems:
 +
 
 +
  # mount /dev/mapper/MyVolGroup-root /mnt
 
  # mkdir /mnt/home
 
  # mkdir /mnt/home
  # mount /dev/MyStorage/homevol /mnt/home
+
  # mount /dev/mapper/MyVolGroup-home /mnt/home
  # swapon /dev/mapper/MyStorage-swapvol
+
  # swapon /dev/mapper/MyVolGroup-swap
 +
 
 +
=== Preparing the boot partition ===
 +
 
 +
The bootloader loads the kernel, [[initramfs]], and its own configuration files from the {{ic|/boot}} directory. This directory must be located on a separate unencrypted filesystem.
 +
 
 +
Create a [[filesystem]] on the partition intended for {{ic|/boot}}. Any filesystem that can be read by the bootloader is eligible.
  
  _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
+
  # mkfs.ext4 /dev/sdb1
|Logical volume1 15GB  |Logical volume2 35GB      |Logical volume3 200GB              |
 
|/dev/MyStorage/rootvol|/dev/MyStorage/homevol    |/dev/MyStorage/mediavol            |
 
|_ _ _ _ _ _ _ _ _ _ _ |_ _ _ _ _ _ _ _ _ _ _ _ _ |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
 
|                                                                                      |
 
|                        (LUKS Encrypted Disk /dev/sdxx)                              |
 
|                                                                                      |
 
|--------------------------------------------------------------------------------------|
 
  
=== Preparing the boot partition ===
+
Create the directory {{ic|/mnt/boot}}:
In most setups, a dedicated /boot partition is not necessary, but it is in a complex setup like this one, because GRUB needs to be able to read the kernel, [[initramfs]], its own configuration files, etc. from the /boot directory. Since GRUB does not itself know how to unlock a LUKS partition (that's the kernel's job), /boot must not be encrypted, and therefore must be a separate disk partition.
 
  
Create an ext2 filesystem on the partition you created for /boot earlier (/dev/sdx2 in the example above).
+
  # mkdir /mnt/boot
  # mkfs -t ext2 /dev/sdx2
 
  
Mount this partition under the /boot partition of the installed system. If you skip this step (or if you mount /mnt after /mnt/boot), GRUB's installation scripts will be writing to the root partition's /boot directory, which will be encrypted and thus unreadable by GRUB at the next reboot. Note: you may wish to delete the /boot/* directory contents from /dev/sdx3 (root partition) to make it obvious that /boot is not mounted, in case you need to make changes in the future.
+
Mount the partition to {{ic|/mnt/boot}}:
# mount /dev/sdx2 /mnt/boot #if you are outside the chroot, OR
 
# mount /dev/sdx2 /boot    #if you are inside the chroot
 
  
Now continue through the Arch setup.  (Pacstrap, arch-chroot /mnt, and so on.  This HOWTO will assume you are also installing grub-bios to GPT as per the install guide.)
+
# mount /dev/sdb1 /mnt/boot
  
 
=== Configuring mkinitcpio ===
 
=== Configuring mkinitcpio ===
Add the {{ic|encrypt}} and {{ic|lvm2}} hooks to [[mkinitcpio.conf]], before {{ic|filesystems}}; also add {{ic|shutdown}}:
 
{{hc|etc/mkinitcpio.conf|2=HOOKS="... '''encrypt''' '''lvm2''' ... filesystems ... '''shutdown''' ..."}}
 
  
{{Note|In the past, it was necessary to ensure the correct ordering of the {{ic|encrypt}} and {{ic|lvm2}} hooks, but the order no longer matters with the current implementation of {{ic|lvm2}}.}}
+
Add the {{ic|keyboard}}, {{ic|encrypt}} and {{ic|lvm2}} hooks to [[mkinitcpio.conf]]:
 +
 
 +
HOOKS=(base udev autodetect '''keyboard''' '''keymap''' consolefont modconf block '''encrypt''' '''lvm2''' filesystems fsck)
 +
 
 +
If using the [[sd-encrypt]] hook with the systemd-based initramfs, the following needs to be set instead:
 +
 
 +
HOOKS=(base '''systemd''' autodetect '''keyboard''' '''sd-vconsole''' modconf block '''sd-encrypt''' '''sd-lvm2''' filesystems fsck)
  
See [[dm-crypt/System Configuration#mkinitcpio]] for details and other hooks that you may need.
+
See [[dm-crypt/System configuration#mkinitcpio]] for details and other hooks that you may need.
  
 
=== Configuring the boot loader ===
 
=== Configuring the boot loader ===
In order to boot the encrypted root partition, the following [[kernel parameter]] needs to be set in your [[boot loader]]:
 
  
  cryptdevice=/dev/sdx3:MyStorage
+
In order to unlock the encrypted root partition at boot, the following kernel parameter needs to be set by the boot loader:
 +
 
 +
  cryptdevice=UUID=''device-UUID'':cryptlvm root=/dev/mapper/MyVolGroup-root
  
See [[Dm-crypt/System Configuration#Boot loader]] for details and other parameters that you may need.
+
If using the [[sd-encrypt]] hook, the following need to be set instead:
  
{{Accuracy|Is the following note specific to encryption cases or should be moved to [[LVM]] or [[GRUB]]?}}
+
rd.luks.name=''device-UUID''=cryptlvm root=/dev/mapper/MyVolGroup-root
  
{{Note|1=When reinstalling [[GRUB]], you may receive warnings like {{ic|/run/lvm/lvmetad.socket: connect failed: No such file or directory|}} or {{ic|WARNING: failed to connect to lvmetad: No such file or directory. Falling back to internal scanning|}}. This is because {{ic|/run}} is not available inside the chroot. These warnings will not prevent the system from booting, provided that everything has been done correctly, so you may continue with the installation.}}
+
The {{ic|''device-UUID''}} refers to the UUID of {{ic|/dev/sda1}}. See [[Persistent block device naming]] for details.
  
=== Checking fstab ===
+
See [[dm-crypt/System configuration#Boot loader]] for details.
"genfstab -p /mnt >> /mnt/etc/fstab" will make the proper entry in fstab, so that no further manual intervention is needed and the /boot partition is automatically mounted when the system starts.
 
  
 
== LUKS on LVM ==
 
== LUKS on LVM ==
  
To use encryption on top of [[LVM]], the LVM volumes are set up first and then used as the base for the encrypted partitions. This way, a mixture of encrypted and non-encrypted volumes/partitions is possible as well. Unlike [[#LVM on LUKS]], this method allows normally spanning the logical volumes over multiple disks.
+
To use encryption on top of [[LVM]], the LVM volumes are set up first and then used as the base for the encrypted partitions. This way, a mixture of encrypted and non-encrypted volumes/partitions is possible as well.
 +
{{tip|Unlike [[#LVM on LUKS]], this method allows normally spanning the logical volumes over multiple disks. }}
  
 
The following short example creates a LUKS on LVM setup and mixes in the use of a key-file for the /home partition and temporary crypt volumes for {{ic|/tmp}} and {{ic|/swap}}. The latter is considered desirable from a security perspective, because no potentially sensitive temporary data survives the reboot, when the encryption is re-initialised. If you are experienced with LVM, you will be able to ignore/replace LVM and other specifics according to your plan.
 
The following short example creates a LUKS on LVM setup and mixes in the use of a key-file for the /home partition and temporary crypt volumes for {{ic|/tmp}} and {{ic|/swap}}. The latter is considered desirable from a security perspective, because no potentially sensitive temporary data survives the reboot, when the encryption is re-initialised. If you are experienced with LVM, you will be able to ignore/replace LVM and other specifics according to your plan.
  
{{Expansion|Compare to the other scenarios with advantages/disadvantages.}}
+
If you want to span a logical volume over multiple disks that have already been set up, or expand the logical volume for {{ic|/home}} (or any other volume), a procedure to do so is described in [[dm-crypt/Specialties#Expanding LVM on multiple disks]]. It is important to note that the LUKS encrypted container has to be resized as well.
 +
 
 +
{{Expansion|The intro of this scenario needs some adjustment now that a comparison has been added to [[#Overview]]. A suggested structure is to make it similar to the [[#Simple partition layout with LUKS]] intro.}}
  
 
=== Preparing the disk ===
 
=== Preparing the disk ===
  
 
Partitioning scheme:
 
Partitioning scheme:
* {{ic|/dev/sda1}} -> {{ic|/boot}}
 
* {{ic|/dev/sda2}} -> LVM
 
  
Randomise {{ic|/dev/sda2}}:
+
+----------------+-------------------------------------------------------------------------------------------------------------+
  cryptsetup -d /dev/random -c aes-xts-plain -s 512 create lvm /dev/sda2
+
| Boot partition | dm-crypt plain encrypted volume    | LUKS encrypted volume            | LUKS encrypted volume            |
  dd if=/dev/urandom of=/dev/mapper/lvm
+
|                |                                    |                                  |                                  |
  cryptsetup remove lvm
+
| /boot          | [SWAP]                              | /                                | /home                            |
 +
|                |                                    |                                  |                                  |
 +
|                | /dev/mapper/swap                    | /dev/mapper/root                  | /dev/mapper/home                  |
 +
|                |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
 +
|                | Logical volume 1                    | Logical volume 2                  | Logical volume 3                  |
 +
  |                | /dev/mapper/MyVolGroup-cryptswap    | /dev/mapper/MyVolGroup-cryptroot  | /dev/mapper/MyVolGroup-crypthome  |
 +
|                |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
 +
|                |                                                                                                            |
 +
  /dev/sda1    |                                  /dev/sda2                                                                |
 +
  +----------------+-------------------------------------------------------------------------------------------------------------+
 +
 
 +
Randomise {{ic|/dev/sda2}} according to [[dm-crypt/Drive preparation#dm-crypt wipe on an empty disk or partition]].
  
 
=== Preparing the logical volumes ===
 
=== Preparing the logical volumes ===
  
  lvm pvcreate /dev/sda2
+
  # pvcreate /dev/sda2
  lvm vgcreate lvm /dev/sda2
+
  # vgcreate MyVolGroup /dev/sda2
  lvm lvcreate -L 10G -n root lvm
+
  # lvcreate -L 32G -n cryptroot MyVolGroup
  lvm lvcreate -L 500M -n swap lvm
+
  # lvcreate -L 500M -n cryptswap MyVolGroup
  lvm lvcreate -L 500M -n tmp lvm
+
  # lvcreate -L 500M -n crypttmp MyVolGroup
  lvm lvcreate -l 100%FREE -n home lvm
+
  # lvcreate -l 100%FREE -n crypthome MyVolGroup
  
  cryptsetup luksFormat -c aes-xts-plain -s 512 /dev/lvm/root
+
  # cryptsetup luksFormat --type luks2 /dev/mapper/MyVolGroup-cryptroot
  cryptsetup open --type luks /dev/lvm/root root
+
  # cryptsetup open /dev/mapper/MyVolGroup-cryptroot root
  mkreiserfs /dev/mapper/root
+
  # mkfs.ext4 /dev/mapper/root
  mount /dev/mapper/root /mnt
+
  # mount /dev/mapper/root /mnt
  
Note that {{ic|/home}} will be encrypted [[#Encrypting /home after reboot|after rebooting]].
+
More information about the encryption options can be found in [[dm-crypt/Device encryption#Encryption options for LUKS mode]].
 +
Note that {{ic|/home}} will be encrypted in [[#Encrypting logical volume /home]].
 +
 
 +
{{Tip|If you ever have to access the encrypted root from the Arch-ISO, the above {{ic|open}} action will allow you to after the [[LVM#Logical Volumes do not show up|LVM shows up]].}}
  
 
=== Preparing the boot partition ===
 
=== Preparing the boot partition ===
dd if=/dev/zero of=/dev/sda1 bs=1M
 
mkreiserfs /dev/sda1
 
mkdir /mnt/boot
 
mount /dev/sda1 /mnt/boot
 
  
Now after setup of the encrypted LVM partitioning, it would be time to install: [[Installation_Guide#Mount_the_partitions|Arch Install Scripts]].
+
# dd if=/dev/zero of=/dev/sda1 bs=1M status=progress
 +
# mkfs.ext4 /dev/sda1
 +
# mkdir /mnt/boot
 +
# mount /dev/sda1 /mnt/boot
  
 
=== Configuring mkinitcpio ===
 
=== Configuring mkinitcpio ===
{{Accuracy|Does the order of {{ic|lvm2}} and {{ic|encrypt}} matter in this case? Compare to [[#Configuring mkinitcpio 2]].}}
 
  
Add the {{ic|lvm2}} and {{ic|encrypt}} hooks to [[mkinitcpio.conf]], before {{ic|filesystems}}; also add {{ic|shutdown}}:
+
Add the {{ic|keyboard}}, {{ic|lvm2}} and {{ic|encrypt}} hooks to [[mkinitcpio.conf]]:
{{hc|etc/mkinitcpio.conf|2=HOOKS="... '''lvm2''' '''encrypt''' ... filesystems ... '''shutdown''' ..."}}
+
 
 +
HOOKS=(base udev autodetect '''keyboard''' '''keymap''' consolefont modconf block '''lvm2''' '''encrypt''' filesystems fsck)
 +
 
 +
If using the [[sd-encrypt]] hook with the systemd-based initramfs, the following needs to be set instead:
 +
 
 +
HOOKS=(base '''systemd''' autodetect '''keyboard''' '''sd-vconsole''' modconf block '''sd-encrypt''' '''sd-lvm2''' filesystems fsck)
  
See [[dm-crypt/System Configuration#mkinitcpio]] for details and other hooks that you may need.
+
See [[dm-crypt/System configuration#mkinitcpio]] for details and other hooks that you may need.
  
 
=== Configuring the boot loader ===
 
=== Configuring the boot loader ===
  
For the above example, change the kernel options for the root-device auto-configured in the bootloader installation from {{ic|root<nowiki>=</nowiki>/dev/hda3}} to
+
In order to unlock the encrypted root partition at boot, the following kernel parameters need to be set by the boot loader:
  cryptdevice=/dev/lvm/root:root root=/dev/mapper/root
+
 
 +
  cryptdevice=/dev/mapper/MyVolGroup-cryptroot:root root=/dev/mapper/root
 +
 
 +
If using the [[sd-encrypt]] hook, the following need to be set instead:
  
More general, the kernel command line for LUKS <-> LVM is constructed like this:
+
  rd.luks.name=''device-UUID''=root root=/dev/mapper/root
  root=/dev/mapper/<volume-group>-<logical-volume> cryptdevice=/dev/<luks-part>:<volume-group>
 
For example:
 
root=/dev/mapper/vg-arch cryptdevice=/dev/sda4:vg
 
  
Or like this:
+
The {{ic|''device-UUID''}} refers to the UUID of {{ic|/dev/mapper/MyVolGroup-cryptroot}}. See [[Persistent block device naming]] for details.
cryptdevice=/dev/<volume-group>/<logical-volume>:root root=/dev/mapper/root
 
  
If you want install the system on a usb stick, you need to add {{ic|lvmdelay<nowiki>=</nowiki>/dev/mapper/lvm-root}}
+
See [[dm-crypt/System configuration#Boot loader]] for details.
  
 
=== Configuring fstab and crypttab ===
 
=== Configuring fstab and crypttab ===
 +
 +
Both [[crypttab]] and [[fstab]] entries are required to both unlock the device and mount the filesystems, respectively. The following lines will re-encrypt the temporary filesystems on each reboot:
 +
 +
{{hc|/etc/crypttab|2=
 +
swap /dev/mapper/MyVolGroup-cryptswap /dev/urandom swap,cipher=aes-xts-plain64,size=256
 +
tmp /dev/mapper/MyVolGroup-crypttmp /dev/urandom tmp,cipher=aes-xts-plain64,size=256
 +
}}
 +
 
{{hc|/etc/fstab|
 
{{hc|/etc/fstab|
/dev/mapper/root        /      reiserfs        defaults        0      1
+
/dev/mapper/root        /      ext4            defaults        0      1
/dev/sda1              /boot  reiserfs        defaults        0      2
+
/dev/sda1              /boot  ext4            defaults        0      2
/dev/mapper/tmp        /tmp    tmpfs          defaults        0      0
+
/dev/mapper/tmp        /tmp    tmpfs          defaults        0      0
/dev/mapper/swap        none    swap            sw              0      0}}
+
/dev/mapper/swap        none    swap            sw              0      0
 +
}}
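Review bot: In the new /etc/crypttab lines for swap and tmp, size=256 with cipher=aes-xts-plain64 halves the key size of the entries being replaced, which passed -s 512. XTS splits the key into two halves, so 256 bits gives AES-128 where the old lines gave AES-256; use size=512 if the reduction is not intended. Separately, the /etc/fstab line for /tmp still has type tmpfs with /dev/mapper/tmp as its source. tmpfs ignores the source device, so the crypttmp volume would never back /tmp; the type should name the filesystem that the tmp option in crypttab creates on the mapped device.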
 +
 
 +
=== Encrypting logical volume /home ===
 +
 
 +
Since this scenario uses LVM as the primary and dm-crypt as secondary mapper, each encrypted logical volume requires its own encryption. Yet, unlike the temporary filesystems configured with volatile encryption above, the logical volume for {{ic|/home}} should of course be persistent. The following assumes you have rebooted into the installed system, otherwise you have to adjust paths.
 +
To save on entering a second passphrase at boot, a [[dm-crypt/Device encryption#Keyfiles|keyfile]] is created:
 +
 
 +
# mkdir -m 700 /etc/luks-keys
 +
# dd if=/dev/random of=/etc/luks-keys/home bs=1 count=256 status=progress
 +
 
 +
The logical volume is encrypted with it:
 +
 
 +
# cryptsetup luksFormat --type luks2 -v /dev/mapper/MyVolGroup-crypthome /etc/luks-keys/home
 +
# cryptsetup -d /etc/luks-keys/home open /dev/mapper/MyVolGroup-crypthome home
 +
# mkfs.ext4 /dev/mapper/home
 +
# mount /dev/mapper/home /home
 +
 
 +
The encrypted mount is configured in both [[crypttab]] and [[fstab]]:
  
 
{{hc|/etc/crypttab|
 
{{hc|/etc/crypttab|
swap /dev/lvm/swap SWAP -c aes-xts-plain -h whirlpool -s 512
+
home /dev/mapper/MyVolGroup-crypthome  /etc/luks-keys/home
tmp /dev/lvm/tmp /dev/urandom -c aes-xts-plain -s 512}}
+
}}
  
=== Encrypting /home after reboot ===
+
{{hc|/etc/fstab|
Below we will be editing /etc/crypttab.  This is necessary to unlock each non-root LUKS container (like /home, /media, etc) -- these logical volumes are just as important as /root, and if they are not visible the entire system will fail to boot!  LVM must have '''all''' volumes present and accounted for.
+
/dev/mapper/home       /home  ext4        defaults        0      2
Now, in order to avoid typing in multiple passwords (1 per container) every boot, we may generate some strong encryption keys and save them in /etc. Some more background about possible encryption keys, you find [[Dm-crypt/Device_Encryption#Cryptsetup_and_keyfiles|here]].
+
}}
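Review bot: The luksFormat line for /dev/mapper/MyVolGroup-crypthome makes /etc/luks-keys/home the only key that can open /home, and that keyfile exists only on the encrypted root volume. If the root logical volume is lost or reinstalled, /home becomes unrecoverable. Suggest adding a step after the open command that enrolls a fallback passphrase with cryptsetup luksAddKey, or a sentence telling the reader to keep a protected backup of the keyfile.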
When the PC is powered off, these keys are perfectly safe: they are being saved inside the root LVM container, which must be unlocked by you at boot with a password.  As well, having different passwords for each disk makes breaking the encryption even more difficult -- even if one password is compromised, the LVM WILL NOT activate without the other partitions.
 
  
mkdir -p -m 700 /mnt/etc/luks-keys
+
== LUKS on software RAID ==
dd if=/dev/random of=/mnt/etc/luks-keys/home bs=1 count=256
 
  
cryptsetup luksFormat -c aes-xts-plain -s 512 /dev/lvm/home /etc/luks-keys/home
+
This example is based on a real-world setup for a workstation class laptop equipped with two SSDs of equal size, and an additional HDD for bulk storage. The end result is LUKS based full disk encryption (including {{ic|/boot}}) for all drives, with the SSDs in a [[RAID|RAID0]] array, and keyfiles used to unlock all encryption after [[GRUB]] is given a correct passphrase at boot.
cryptsetup open --type luks -d /etc/luks-keys/home /dev/lvm/home home
 
mkreiserfs /dev/mapper/home
 
mount /dev/mapper/home /home
 
  
{{hc|/etc/crypttab|
+
This setup utilizes a very simplistic partitioning scheme, with all the available RAID storage being mounted at {{ic|/}} (no separate {{ic|/boot}} partition), and the decrypted HDD being mounted at {{ic|/mnt/data}}. It is also worth mentioning that the system in this example boots in BIOS mode and the drives are partitioned with [[Partitioning|GPT]] partitions.
  home /dev/lvm/home  /etc/luks-keys/home}}
+
 
 +
Please note that regular [[System backup|backups]] are very important in this setup. If either of the SSDs fail, the data contained in the RAID array will be practically impossible to recover. You may wish to select a different [[RAID#Standard RAID levels|RAID level]] if fault tolerance is important to you.
 +
 
 +
The encryption is not deniable in this setup.
 +
 
 +
For the sake of the instructions below, the following block devices are used:
 +
 
 +
/dev/sda = first SSD
 +
/dev/sdb = second SSD
 +
/dev/sdc = HDD
 +
 
 +
Be sure to substitute them with the appropriate device designations for your setup, as they may be different.
 +
 
 +
=== Preparing the disks ===
 +
 
 +
Prior to creating any partitions, you should inform yourself about the importance and methods to securely erase the disk, described in [[dm-crypt/Drive preparation]].
 +
 
 +
When using the [[GRUB]] bootloader together with [[GPT]], create a [[BIOS boot partition]]. For this setup, this includes a 1 MiB partition for BIOS/GPT boot at {{ic|/dev/sda1}} and the remaining space on the drive being partitioned for "Linux RAID" at {{ic|/dev/sda2}}.
 +
 
 +
Once partitions have been created on {{ic|/dev/sda}}, the following commands can be used to clone them to {{ic|/dev/sdb}}.
 +
 
 +
# sfdisk -d /dev/sda > sda.dump
 +
# sfdisk /dev/sdb < sda.dump
 +
 
 +
The HDD is prepared with a single Linux partition covering the whole drive at {{ic|/dev/sdc1}}.
 +
 
 +
=== Building the RAID array ===
 +
 
 +
Create the RAID array for the SSDs. This example utilizes RAID0, you may wish to substitute a different level based on your preferences or requirements.
 +
 
 +
  # mdadm --create --verbose --level=0 --metadata=1.2 --raid-devices=2 /dev/md0 /dev/sda2 /dev/sdb2
 +
 
 +
=== Preparing the block devices ===
 +
 
 +
As explained in [[dm-crypt/Drive preparation]], the devices are wiped with random data utilizing {{ic|/dev/zero}} and a crypt device with a random key. Alternatively, you could use {{ic|dd}} with {{ic|/dev/random}} or {{ic|/dev/urandom}}, though it will be much slower.
 +
 
 +
# cryptsetup open --type plain /dev/md0 container --key-file /dev/random
 +
# dd if=/dev/zero of=/dev/mapper/container bs=1M status=progress
 +
# cryptsetup close container
  
{{Note|If you do not want to use a keyfile, simply leave the third column empty ({{ic|/etc/luks-keys/home}} in the example) and you will be asked for a password at boot.}}
+
And repeat above for the HDD ({{ic|/dev/sdc1}} in this example).
  
{{hc|/etc/fstab|
+
Set up encryption for {{ic|/dev/md0}}:
/dev/mapper/home        /home  reiserfs        defaults        0      0}}
 
  
=== Expanding LVM on multiple disks ===
+
# cryptsetup -y -v luksFormat --type luks2 /dev/md0
 +
# cryptsetup open /dev/md0 cryptroot
 +
# mkfs.ext4 /dev/mapper/cryptroot
 +
# mount /dev/mapper/cryptroot /mnt
  
The {{ic|encrypt}} hook only allows for a '''single''' {{ic|cryptdevice<nowiki>=</nowiki>}} entry.  For example, take "LVM on LUKS":  The entire LVM exists inside a LUKS container.  This is perfectly fine for a single-drive system:  there is only one container to decrypt.  But what happens when you want to increase the size of your LVM?  This is in fact the main advantage of LVM: you can add and remove entire drives without having to change the underlying partition.
+
And repeat for the HDD:
  
So, you add another hard drive in order to expand {{ic|home}} (which is a logical volume of its own). You encrypt the second drive, add it to the volume group, expand the {{ic|home}} LV. But now, how do you tell initrd to unlock BOTH drives at the same time? You cannot, at least not without modifying the {{ic|encrypt}} hookAnd as stated in the section above: if only a part of an LVM is available, it will '''not''' boot. So, adding a second drive that requires decryption before it can be read is out of the picture.
+
  # cryptsetup -y -v luksFormat --type luks2 /dev/sdc1
 +
  # cryptsetup open /dev/sdc1 cryptdata
 +
  # mkfs.ext4 /dev/mapper/cryptdata
 +
  # mkdir -p /mnt/mnt/data
 +
  # mount /dev/mapper/cryptdata /mnt/mnt/data
  
Luckily, we can get around this by making the LVM's visible to the system even before they are encrypted. This is why LUKS on LVM is, in general, the option offering more flexibility to change partitioning.
+
=== Configuring the boot loader ===
  
====Adding a new drive====
+
Configure [[GRUB]] for the encrypted system by editing {{ic|/etc/default/grub}} with the following:
Assuming you now have a working single-drive LUKS-on-LVM configuration, it's now time to expand one of your logical volumes.
 
  
Connect your drive (if it's new, or completely randomize it as you did with your root drive). Open gdisk and create a single partiion:
+
  GRUB_CMDLINE_LINUX="cryptdevice=/dev/md0:cryptroot root=/dev/mapper/cryptroot"
* /dev/sdy1: Use ALL space, Partition type 8E00 (Linux LVM)
+
GRUB_ENABLE_CRYPTODISK=y
  
Now, attach this new disk to your existing LVM:
+
See [[dm-crypt/System configuration#Boot loader]] and [[GRUB#Boot partition]] for details.
# pvcreate /dev/sdy1
 
# vgextend MyStorage /dev/sdy1
 
  
====Extending the logical volume====
+
Complete the GRUB install to both SSDs (in reality, installing only to {{ic|/dev/sda}} will work).
You will have to unmount whatever partition you want to grow, meaning you may need to boot via an install cd.  Details for this will follow below.
 
In this example, we will extend the "HOME" logical volume by 100% of the free space of our new drive (ie, put the WHOLE thing into /home!)
 
  
From a root console:
+
  # grub-install --target=i386-pc /dev/sda
  # umount /home
+
  # grub-install --target=i386-pc /dev/sdb
# fsck /dev/mapper/home
+
  # grub-mkconfig -o /boot/grub/grub.cfg
  # cryptsetup luksClose /dev/mapper/home
 
  # lvextend -l +100%FREE MyStorage/homevol
 
  
Now the LV is extended.  Let us make LUKS aware of the change:
+
=== Creating the keyfiles ===
# cryptsetup open --type luks /dev/mapper/MyStorage-homevol home
 
# umount /home      ((JUST IN CASE IT WAS AUTO RE-MOUNTED AGAIN))
 
# cryptsetup --verbose resize home
 
  
And finally resize the ext4 partition itself:
+
The next steps save you from entering your passphrase twice when you boot the system (once so GRUB can unlock the encryption, and second time once the initramfs assumes control of the system). This is done by creating a [[dm-crypt/Device encryption#Keyfiles|keyfile]] for the encryption and adding it to the initramfs image to allow the encrypt hook to unlock the root device. See [[dm-crypt/Device encryption#With a keyfile embedded in the initramfs]] for details.
# e2fsck -f /dev/mapper/home
+
 
# resize2fs /dev/mapper/home
+
* Create the [[dm-crypt/Device encryption#Keyfiles|keyfile]] and add the key to {{ic|/dev/md0}}.
+
* Create another keyfile for the HDD ({{ic|/dev/sdc1}}) so it can also be unlocked at boot. For convenience, leave the passphrase created above in place as this can make recovery easier if you ever need it. Edit {{ic|/etc/crypttab}} to decrypt the HDD at boot. See [[dm-crypt/Device encryption#Unlocking a secondary partition at boot]].
Done!
 
# mount /dev/mapper/home /home
 
  
Note how /home now includes the span of the new drive, and you DO not have to change or add any more encryption keys -- the key for your Home LVM will continue to work and fill into the newly added space.
+
=== Configuring the system ===
  
* A note on extending your root partition:
+
Edit [[fstab|/etc/fstab]] to mount the cryptroot and cryptdata block devices:
The procedure works exactly the same for your root LVM, with the exception that it must be done from an Arch INSTALL CD.  (you cannot unmount your root partition while it's in use).
 
  
===Troubleshooting===
+
/dev/mapper/cryptroot  /          ext4    rw,noatime  0  1
 +
/dev/mapper/cryptdata  /mnt/data  ext4    defaults            0  2 
  
====The system does not boot====
+
Save the RAID configuration:
First, DONT PANIC!  You can always boot a rescue CD and get into your LVM manually! 
 
  
Start up via the Arch installer.
+
# mdadm --detail --scan > /etc/mdadm.conf
When you reach the root shell, for each encrypted LVM:
 
  
# cryptsetup open --type luks /dev/mapper/MyStorage-rootvol
+
Edit [[mkinitcpio.conf]] to include your keyfile and add the proper hooks:
Simply unlock each logical partition -- they will appear in /dev/mapper/<lv> and you can mount each from there.
 
  
== LUKS on software RAID ==
+
FILES=(/crypto_keyfile.bin)
 +
HOOKS=(base udev autodetect '''keyboard''' '''keymap''' consolefont modconf block '''mdadm_udev''' '''encrypt''' filesystems fsck)
  
{{Expansion|Some references: [[RAID]], [[Software RAID and LVM]], http://jasonwryan.com/blog/2012/02/11/lvm/}}
+
See [[dm-crypt/System configuration#mkinitcpio]] for details.
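Review bot: FILES=(/crypto_keyfile.bin) in the mkinitcpio.conf lines uses a path that the "Creating the keyfiles" bullets never name; they only say to create the keyfile and add the key to /dev/md0. State the keyfile path in the first bullet so it matches FILES=. Because the initramfs then carries the key for /dev/md0, the section should also tell the reader to restrict read permissions on the keyfile and on the generated initramfs images to root.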
  
 
== Plain dm-crypt ==
 
== Plain dm-crypt ==
  
This scenario sets up a system on a dm-crypt a full disk with ''plain'' mode encryption. It uses an USB stick for the boot device and another one to store the encryption key. The reasons for the use of two USB-keys are:
+
Contrary to LUKS, dm-crypt ''plain'' mode does not require a header on the encrypted device: this scenario exploits this feature to set up a system on an unpartitioned, encrypted disk that will be indistinguishable from a disk filled with random data, which could allow [[Wikipedia:Deniable encryption|deniable encryption]]. See also [[wikipedia:Disk encryption#Full disk encryption]].
* dm-crypt ''plain'' mode does not require a header on the encrypted disk. This means that an unpartitioned, encrypted disk will be indistinguishable from a disk filled with random data.  
+
 
* The boot loader options required to open/unlock a plain encrypted device are detailed. Typing them each boot is error prone, storing them on an unencrypted {{ic|/boot}} partition on the same device results in security concerns.
+
Note that if full-disk encryption is not required, the methods using LUKS described in the sections above are better options for both system encryption and encrypted partitions. LUKS features like key management with multiple passphrases/key-files or re-encrypting a device in-place are unavailable with ''plain'' mode.
* This scenario uses a key file, storing the keyfile on a second USB stick for security again. A passphrase with good entropy may be used instead. 
+
 
 +
''Plain'' dm-crypt encryption can be more resilient to damage than LUKS, because it does not rely on an encryption master-key which can be a single-point of failure if damaged. However, using ''plain'' mode also requires more manual configuration of encryption options to achieve the same cryptographic strength. See also [[Disk encryption#Cryptographic metadata]]. Using ''plain'' mode could also be considered if concerned with the problems explained in [[dm-crypt/Specialties#Discard/TRIM support for solid state drives (SSD)]].
 +
 
 +
{{Tip|If headerless encryption is your goal but you are unsure about the lack of key-derivation with ''plain'' mode, then two alternatives are:
 +
* [[dm-crypt/Specialties#Encrypted system using a detached LUKS header|dm-crypt LUKS mode with a detached header]] by using the ''cryptsetup'' {{ic|--header}} option. It cannot be used with the standard ''encrypt'' hook, but the hook may be modified.
 +
* [[tcplay]] which offers headerless encryption but with the PBKDF2 function.
 +
}}
 +
 
 +
The scenario uses two USB sticks:
  
=== Plain mode pros and cons ===
+
* one for the boot device, which also allows storing the options required to open/unlock the plain encrypted device in the boot loader configuration, since typing them on each boot would be error prone;
{{expansion|To be moved to the generic sections, should be later cross linked to [[Dm-crypt/Device_Encryption#Encryption_options_with_dm-crypt]] and [[Disk_encryption]]}}
+
* another for the encryption key file, assuming it stored as raw bits so that to the eyes of an unaware attacker who might get the usbkey the encryption key will appear as random data instead of being visible as a normal file. See also [[Wikipedia:Security through obscurity]], follow [[dm-crypt/Device encryption#Keyfiles]] to prepare the keyfile.
This article focuses on system disk encryption using plain dm-crypt without LUKS. Note that for most use cases, the methods using LUKS described above are by far better options for both system encryption and encrypted partitions. Below are some considerations for choosing one over the other.
 
  
'''Advantages'''
+
The disk layout is:
* dm-crypt does not require a header on the encrypted disk. This means that an unpartitioned, encrypted disk will be indistinguishable from a disk filled with random data. This may be useful in a country that can force you to give up an encryption key where a reasonable suspicion of encrypted data exists.
 
* plain dm-crypt encrypted disks are more resilient to damage than LUKS encrypted disks, because of the one-to-one mapping of unencrypted data to encrypted data.
 
  
'''Disadvantages'''
+
+-----------------------------+-----------------------------+-----------------------------+ +----------------+ +----------------+
* dm-crypt does not allow multiple pass-phrases, nor does it allow changes to the pass-phase or key-file after initial set-up. LUKS allows for up to eight passphrases, and key-files and passphrases can be changed without having to re-encrypt the entire disk or partition.
+
| Logical volume 1            | Logical volume 2            | Logical volume 3            | | Boot device   | | Encryption key |
* plain dm-crypt requires manual configuration of encryption options each time a device is opened, whereas LUKS stores those details in its header.
+
|                            |                            |                            | |                | | file storage  |
* LUKS uses pass-phrase salting and hash iteration, and as such can be more secure than plain dm-crypt. It is essential that a pass-phrase or key-file with very high entropy is used with dm-crypt.
+
| /                          | [SWAP]                      | /home                      | | /boot          | | (unpartitioned |
 +
|                            |                            |                            | |                | | in example)    |
 +
| /dev/mapper/MyVolGroup-root | /dev/mapper/MyVolGroup-swap | /dev/mapper/MyVolGroup-home | | /dev/sdb1      | | /dev/sdc      |
 +
|-----------------------------+-----------------------------+-----------------------------| |----------------| |----------------|
 +
| disk drive /dev/sda encrypted using plain mode and LVM                                  | | USB stick 1    | | USB stick 2    |
 +
+-----------------------------------------------------------------------------------------+ +----------------+ +----------------+
  
A separate {{ic|/boot}} partition is required, as it needs to remain unencrypted to be accessed by the bootloader. In the scenario that follows, it is assumed that no evidence of encryption is to be left on the main system drive, and so we install the {{ic|/boot}} partition and the bootloader to a separate USB stick, and the encryption key to yet another USB stick. Throughout the guide, the system disk will be shown as {{ic|/dev/sd''X''}}, the USB stick containing {{ic|/boot}} will be shown as {{ic|/dev/sd''Y''}}, and the USB stick containing the encryption key will be shown as {{ic|/dev/sd''Z''}}, where ''X'', ''Y'' and
+
{{Tip|
''Z'' represent their respective device letters.
+
* It is also possible to use a single USB key by copying the keyfile to the initram directly. An example keyfile {{ic|/etc/keyfile}} gets copied to the initram image by setting {{ic|1=FILES=(/etc/keyfile)}} in {{ic|/etc/mkinitcpio.conf}}. The way to instruct the {{ic|encrypt}} hook to read the keyfile in the initram image is using {{ic|rootfs:}} prefix before the filename, e.g. {{ic|cryptkey&#61;rootfs:/etc/keyfile}}.
 +
* Another option is using a passphrase with good [[Disk encryption#Choosing a strong passphrase|entropy]].
 +
}}
  
 
=== Preparing the disk ===
 
=== Preparing the disk ===
  
{{Note|It is vital that the mapped device is filled with data. Without doing so, the encrypted data that is written to disk will be easily distinguishable from areas not yet written to. See [[Disk_Encryption#Preparing_the_disk]] for a more comprehensive discussion.}}
+
It is vital that the mapped device is filled with data. In particular this applies to the scenario use case we apply here.
  
See [[Dm-crypt/Drive_Preparation]] and [[Dm-crypt/Drive_Preparation#dm-crypt_specific_methods]]
+
See [[dm-crypt/Drive preparation]] and [[dm-crypt/Drive preparation#dm-crypt specific methods]]
  
 
=== Preparing the non-boot partitions ===
 
=== Preparing the non-boot partitions ===
  
See [[Dm-crypt/Device Encryption#Encryption options for plain mode]] for details.
+
See [[dm-crypt/Device encryption#Encryption options for plain mode]] for details.
 +
 
 +
Using the device {{ic|/dev/sda}}, with the twofish-xts cipher with a 512 bit key size and using a keyfile we have the following options for this scenario:
 +
 
 +
# cryptsetup --hash=sha512 --cipher=twofish-xts-plain64 --offset=0 --key-file=/dev/sdc --key-size=512 open --type=plain /dev/sda cryptlvm
 +
 
 +
Unlike encrypting with LUKS, the above command must be executed ''in full'' whenever the mapping needs to be re-established, so it is important to remember the cipher, hash and key file details.
  
Using the device {{ic|/dev/sd''X''}}, with the twofish-xts cipher with a 512 bit key size and using a keyfile we have the following options for this scenario:
+
We can now check a mapping entry has been made for {{ic|/dev/mapper/cryptlvm}}:
{{bc|<nowiki># cryptsetup --hash=sha512 --cipher=twofish-xts-plain64 --offset=0 --key-file=</nowiki>/dev/sd''Z'' <nowiki>--key-size=512 open --type=plain /dev/sdX enc</nowiki>}}
 
Unlike encrypting with LUKS, the above command must be executed ''in full'' whenever the mapping needs to be re-established, so it is important to remember the cipher, hash and key file details.
 
  
We can now check a mapping entry has been made for {{ic|/dev/mapper/enc}}:
 
 
  # fdisk -l
 
  # fdisk -l
  
Next, we setup [[LVM]] logical volumes on the mapped device, see [[Lvm#Installing_Arch_Linux_on_LVM]] for further details:  
+
Next, we setup [[LVM]] logical volumes on the mapped device. See [[LVM#Installing Arch Linux on LVM]] for further details:
  # pvcreate /dev/mapper/enc
+
 
  # vgcreate store /dev/mapper/enc
+
  # pvcreate /dev/mapper/cryptlvm
  # lvcreate -L 20G store -n root
+
  # vgcreate MyVolGroup /dev/mapper/cryptlvm
  # lvcreate -C y -L 10G store -n swap
+
  # lvcreate -L 32G MyVolGroup -n root
  # lvcreate -l +100%FREE store -n home
+
  # lvcreate -L 10G MyVolGroup -n swap
We format and mount them and activate swap, see [[File Systems#Format a device]] for further details:  
+
  # lvcreate -l 100%FREE MyVolGroup -n home
  # mkfs.ext4 /dev/store/root
+
 
  # mkfs.ext4 /dev/store/home
+
We format and mount them and activate swap. See [[File systems#Create a file system]] for further details:
  # mount /dev/store/root /mnt
+
 
 +
  # mkfs.ext4 /dev/mapper/MyVolGroup-root
 +
  # mkfs.ext4 /dev/mapper/MyVolGroup-home
 +
  # mount /dev/mapper/MyVolGroup-root /mnt
 
  # mkdir /mnt/home
 
  # mkdir /mnt/home
  # mount /dev/store/home /mnt/home
+
  # mount /dev/mapper/MyVolGroup-home /mnt/home
  # mkswap /dev/store/swap
+
  # mkswap /dev/mapper/MyVolGroup-swap
  # swapon /dev/store/swap
+
  # swapon /dev/mapper/MyVolGroup-swap
  
 
=== Preparing the boot partition ===
 
=== Preparing the boot partition ===
The {{ic|/boot}} partition can be installed on the standard vfat partition of a USB stick, if required. But if manual partitioning is needed, then a small 200MB partition is all that is required:
 
# fdisk /dev/sd''Y''
 
> n
 
> p
 
> 1
 
> default (2048)
 
> +200M
 
> w
 
> q
 
  
We choose a non-journalling file system to preserve the flash memory of the {{ic|/boot}} partition, if not already formatted as vfat:
+
The {{ic|/boot}} partition can be installed on the standard vfat partition of a USB stick, if required. But if manual partitioning is needed, then a small 200 MiB partition is all that is required. Create the partition using a [[Partitioning#Partitioning tools|partitioning tool]] of your choice.
  # mkfs.ext2 /dev/sd''Y''1
+
 
 +
Create a [[filesystem]] on the partition intended for {{ic|/boot}}, if it is not already formatted as vfat:
 +
 
 +
  # mkfs.ext4 /dev/sdb1
 
  # mkdir /mnt/boot
 
  # mkdir /mnt/boot
  # mount /dev/sd''Y''1 /mnt/boot
+
  # mount /dev/sdb1 /mnt/boot
  
 
=== Configuring mkinitcpio ===
 
=== Configuring mkinitcpio ===
  
Please follow [[Installation Guide#Install the base system]] until editing {{ic|mkinitcpio.conf}} is required, then add {{ic|encrypt}} to the {{ic|HOOKS}} array as follows:
+
Add the {{ic|keyboard}}, {{ic|encrypt}} and {{ic|lvm2}} hooks to [[mkinitcpio.conf]]:
 +
 
 +
HOOKS=(base udev autodetect '''keyboard''' '''keymap''' consolefont modconf block '''encrypt''' '''lvm2''' filesystems fsck)
 +
 
 +
See [[dm-crypt/System configuration#mkinitcpio]] for details and other hooks that you may need.
 +
 
 +
=== Configuring the boot loader ===
 +
 
 +
In order to boot the encrypted root partition, the following kernel parameters need to be set by the boot loader:
 +
 
 +
cryptdevice=/dev/disk/by-id/''disk-ID-of-sda'':cryptlvm cryptkey=/dev/disk/by-id/''disk-ID-of-sdc'':0:512 crypto=sha512:twofish-xts-plain64:512:0:
 +
 
 +
The {{ic|''disk-ID-of-'''disk'''''}} refers to the id of the referenced disk. See [[Persistent block device naming]] for details.
 +
 
 +
See [[dm-crypt/System configuration#Boot loader]] for details and other parameters that you may need.
 +
 
 +
{{Tip|If using GRUB, you can install it on the same USB as the {{ic|/boot}} partition with:
  
{{hc|/etc/mkinitcpio.conf|HOOKS<nowiki>=</nowiki>"base udev ... '''encrypt''' ... filesystems ..."}}
+
# grub-install --recheck /dev/sdb
  
For this example we also require the lvm2 hook:
+
}}
  
{{hc|/etc/mkinitcpio.conf|HOOKS<nowiki>=</nowiki>"base udev ... encrypt '''lvm2''' ... filesystems ..."}}
+
=== Post-installation ===
  
Then rebuild the initramfs as per usual:
+
You may wish to remove the USB sticks after booting. Since the {{ic|/boot}} partition is not usually needed, the {{ic|noauto}} option can be added to the relevant line in {{ic|/etc/fstab}}:
  
  # mkinitcpio -p linux
+
{{hc|/etc/fstab|
 +
# /dev/sdb1
 +
/dev/sdb1 /boot ext4 '''noauto''',rw,noatime 0 2
 +
}}
 +
 
 +
However, when an update to the kernel or bootloader is required, the {{ic|/boot}} partition must be present and mounted. As the entry in {{ic|fstab}} already exists, it can be mounted simply with:
 +
 
 +
# mount /boot
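Review bot: the added /etc/fstab entry names the USB stick as /dev/sdb1, while the entry it replaces used UUID= and the kernel parameters added in this same section use /dev/disk/by-id/ paths. A stick that is removed after boot and plugged back in for a kernel or bootloader update is not guaranteed to reappear as sdb, so the later "mount /boot" can fail or hit another device. Suggest a UUID= (or other persistent) name in the fstab line and a placeholder instead of sdb/sdb1 in the mkfs.ext4, mount and grub-install commands, with a pointer to [[Persistent block device naming]].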
 +
 
 +
== Encrypted boot partition (GRUB) ==
 +
 
 +
This setup utilizes the same partition layout and configuration for the system's root partition as the previous [[#LVM on LUKS]] section, with the difference that a special feature of the [[GRUB]] bootloader is used to additionally encrypt the boot partition {{ic|/boot}}. See also [[GRUB#Boot partition]].
 +
 
 +
The disk layout in this example is:
 +
 
 +
+---------------------+---------------------+----------------+-----------------------------+-----------------------------+-----------------------------+
 +
| BIOS boot partition | ESP partition      | Boot partition | Logical volume 1            | Logical volume 2            | Logical volume 3            |
 +
|                    |                    |                |                            |                            |                            |
 +
|                    | /boot/efi          | /boot          | /root                      | [SWAP]                      | /home                      |
 +
|                    |                    |                |                            |                            |                            |
 +
|                    |                    |                | /dev/mapper/MyVolGroup-root | /dev/mapper/MyVolGroup-swap | /dev/mapper/MyVolGroup-home |
 +
| /dev/sda1          | /dev/sda2          | /dev/sda3      +-----------------------------+-----------------------------+-----------------------------+
 +
  | '''un'''encrypted  | '''un'''encrypted  | LUKS encrypted | /dev/sda4 encrypted using LVM on LUKS                                                  |
 +
+---------------------+---------------------+----------------+-----------------------------------------------------------------------------------------+
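Review bot: in the mount-point row of the layout table, Logical volume 1 is shown as /root, but that volume is /dev/mapper/MyVolGroup-root and the lsblk output later in this section mounts it at /. /root is the root user's home directory, so the cell should read /.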
 +
 
 +
{{Tip|
 +
* All scenarios are intended as examples. It is, of course, possible to apply both of the two above distinct installation steps with the other scenarios as well. See also the variants linked in [[#LVM on LUKS]].
 +
* You can use {{ic|cryptboot}} script from {{AUR|cryptboot}} package for simplified encrypted boot management (mounting, unmounting, upgrading packages) and as a defense against [https://www.schneier.com/blog/archives/2009/10/evil_maid_attac.html Evil Maid] attacks with [[Secure Boot#Using your own keys|UEFI Secure Boot]]. For more information and limitations see [https://github.com/xmikos/cryptboot cryptboot project] page.
 +
}}
 +
 
 +
=== Preparing the disk ===
 +
 
 +
Prior to creating any partitions, you should inform yourself about the importance and methods to securely erase the disk, described in [[dm-crypt/Drive preparation]].
 +
 
 +
For [[GRUB#BIOS systems|BIOS systems]] create a [[BIOS boot partition]] with size of 1 MiB for GRUB to store the second stage of BIOS bootloader. Do not mount the partition.
 +
 
 +
For [[GRUB#UEFI systems|UEFI systems]] create an [[EFI System Partition]] with an appropriate size, it will later be mounted at {{ic|/boot/efi}}.
 +
 
 +
Create a partition to be mounted at {{ic|/boot}} of type {{ic|8300}} with a size of 200 MiB or more.
 +
 
 +
Create a partition of type {{ic|8E00}}, which will later contain the encrypted container.
 +
 
 +
Create the LUKS encrypted container at the "system" partition.
 +
 
 +
# cryptsetup luksFormat --type luks2 /dev/sda4
 +
 
 +
For more information about the available cryptsetup options see the [[dm-crypt/Device encryption#Encryption options for LUKS mode|LUKS encryption options]] prior to above command.
 +
 
 +
Your partition layout should look similar to this:
 +
 
 +
{{hc|# gdisk /dev/sda|
 +
Number  Start (sector)    End (sector)  Size      Code  Name
 +
  1            2048            4095  1024.0 KiB  EF02  BIOS boot partition
 +
  2            4096        1130495  550.0 MiB  EF00  EFI System
 +
  3        1130496        1540095  200.0 MiB  8300  Linux filesystem
 +
  4        1540096        69205982  32.3 GiB    8E00  Linux LVM
 +
}}
 +
 
 +
Open the container:
 +
 
 +
# cryptsetup open /dev/sda4 cryptlvm
 +
 
 +
The decrypted container is now available at {{ic|/dev/mapper/cryptlvm}}.
 +
 
 +
=== Preparing the logical volumes ===
 +
 
 +
The LVM logical volumes of this example follow the exact layout as the [[#LVM on LUKS]] scenario. Therefore, please follow [[#Preparing the logical volumes]] above and adjust as required.
 +
 
 +
=== Preparing the boot partition ===
 +
 
 +
{{Warning|GRUB does not support LUKS2. Do not use LUKS2 on partitions that GRUB needs to access.}}
 +
 
 +
The bootloader loads the kernel, [[initramfs]], and its own configuration files from the {{ic|/boot}} directory.
 +
 
 +
First, create the LUKS container where the files will be located and installed into:
 +
 
 +
# cryptsetup luksFormat /dev/sda3
 +
 
 +
Next, open it:
 +
 
 +
# cryptsetup open /dev/sda3 cryptboot
 +
 
 +
Create a filesystem on the partition intended for {{ic|/boot}}. Any filesystem that can be read by the bootloader is eligible:
 +
 
 +
# mkfs.ext4 /dev/mapper/''cryptboot''
 +
 
 +
Create the directory {{ic|/mnt/boot}}:
 +
 
 +
# mkdir /mnt/boot
 +
 
 +
Mount the partition to {{ic|/mnt/boot}}:
 +
 
 +
# mount /dev/mapper/''cryptboot'' /mnt/boot
 +
 
 +
Create a mountpoint for the [[EFI System Partition]] at {{ic|/boot/efi}} for compatibility with {{ic|grub-install}} and mount it:
 +
 
 +
# mkdir /mnt/boot/efi
 +
# mount /dev/sda2 /mnt/boot/efi
 +
 
 +
At this point, you should have the following partitions and logical volumes inside of {{ic|/mnt}}:
 +
 
 +
{{hc|$ lsblk|
 +
NAME            MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
 +
sda              8:0      0  200G  0 disk
 +
├─sda1          8:1      0    1M  0 part
 +
├─sda2          8:2      0  550M  0 part  /boot/efi
 +
├─sda3          8:3      0  200M  0 part
 +
│ └─cryptboot    254:0    0  198M  0 crypt /boot
 +
└─sda4          8:4      0  100G  0 part
 +
  └─cryptlvm    254:1    0  100G  0 crypt
 +
    ├─MyVolGroup-swap 254:2    0    8G  0 lvm  [SWAP]
 +
    ├─MyVolGroup-root 254:3    0    32G  0 lvm  /
 +
    └─MyVolGroup-home 254:4    0    60G  0 lvm  /home
 +
}}
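Review bot: "# cryptsetup luksFormat /dev/sda3" at the top of this section relies on whatever header type cryptsetup defaults to, although the warning added directly above it says GRUB cannot read LUKS2 and the system container in the previous section is created with an explicit --type luks2. Suggest spelling out --type luks1 for the /boot container so the command stays correct regardless of the default. Separately, the lsblk sample lists mount points as /boot, / and /home while the sentence introducing it says everything is inside /mnt.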
 +
 
 +
=== Configuring mkinitcpio ===
 +
 
 +
Add the {{ic|keyboard}}, {{ic|encrypt}} and {{ic|lvm2}} hooks to [[mkinitcpio.conf]]:
 +
 
 +
HOOKS=(base udev autodetect '''keyboard''' '''keymap''' consolefont modconf block '''encrypt''' '''lvm2''' filesystems fsck)
 +
 
 +
If using the [[sd-encrypt]] hook with the systemd-based initramfs, the following needs to be set instead:
 +
 
 +
HOOKS=(base '''systemd''' autodetect '''keyboard''' '''sd-vconsole''' modconf block '''sd-encrypt''' '''sd-lvm2''' filesystems fsck)
 +
 
 +
See [[dm-crypt/System configuration#mkinitcpio]] for details and other hooks that you may need.
  
 
=== Configuring the boot loader ===
 
=== Configuring the boot loader ===
{{expansion|It should be double-checked to move the following examples to  [[Dm-crypt/System_Configuration#Boot_loader]] rather then just purge them. The only content we need to remain for the scenario are the ones referring to the example setup.}}
 
See [[Installation Guide#Install and configure a boot loader]] and then return to this guide.
 
  
The kernel arguments for initialising a plain dm-crypt disk are as follows:
+
Configure GRUB to recognize the LUKS encrypted {{ic|/boot}} partition and unlock the encrypted root partition at boot:
 +
 
 +
{{hc|/etc/default/grub|2=
 +
GRUB_CMDLINE_LINUX="... cryptdevice=UUID=''device-UUID'':cryptlvm ..."
 +
GRUB_ENABLE_CRYPTODISK=y
 +
}}
  
{{bc|<nowiki>cryptdevice=</nowiki>/dev/sd''X'':<mapped name>}}
+
If using the [[sd-encrypt]] hook, the following need to be set instead:
  
Where  {{ic|/dev/sd''X''}} is the physical disk containing the encrypted data, and {{ic|<mapped name>}} is the name once mapped to {{ic|/dev/mapper/<mapped name>}}.
+
{{hc|/etc/default/grub|2=
 +
GRUB_CMDLINE_LINUX="... rd.luks.name=''device-UUID''=cryptlvm" ...
 +
GRUB_ENABLE_CRYPTODISK=y
 +
}}
 +
See [[dm-crypt/System configuration#Boot loader]] and [[GRUB#Boot partition]] for details. The {{ic|''device-UUID''}} refers to the UUID of {{ic|/dev/sda4}} (the partition which holds the lvm containing the root filesystem). See [[Persistent block device naming]].
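Review bot: in the sd-encrypt variant of /etc/default/grub the closing quote is misplaced: the line reads GRUB_CMDLINE_LINUX="... rd.luks.name=device-UUID=cryptlvm" ... with the trailing ellipsis outside the quoted value, unlike the cryptdevice= variant just above it. A reader who substitutes real parameters for the ellipsis ends up with them outside the variable; move the quote to the end of the line so it reads GRUB_CMDLINE_LINUX="... rd.luks.name=device-UUID=cryptlvm ...".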
  
{{bc|
+
Generate GRUB's [[GRUB#Generate the main configuration file|configuration]] file:
<nowiki>cryptkey=/path/to/keyfile</nowiki>
 
''or''
 
<nowiki>cryptkey=<device>:<offset>:<size></nowiki>}}
 
  
Which one used will depend on whether the key has been written as a file to a partition, or as a bit stream to unpartitioned space. See [[Dm-crypt/Device_Encryption#Cryptsetup_and_keyfiles|here]] for details on different keyfiles.
+
# grub-mkconfig -o /boot/grub/grub.cfg
  
{{bc|
+
[[GRUB#Installation_2|install GRUB]] to the mounted ESP for UEFI booting:
<nowiki>crypto=<hash>:<cipher>:<keysize>:<offset>:<skip></nowiki>}}
 
  
Here, the arguments hash, cipher, keysize, offset and skip relate directly to the ''cryptsetup'' options --hash, --cipher, --key-size, --offset and --skip.
+
# grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub --recheck
  
==== Example with defaults ====
+
[[GRUB#Installation|install GRUB]] to the disk for BIOS booting:
  
For a disk encrypted with just default options, we can use the following kernel arguments:
+
# grub-install --target=i386-pc --recheck /dev/sda
  
{{bc|<nowiki>cryptdevice=</nowiki>/dev/sd''X'':enc <nowiki>crypto=::::</nowiki>}}
+
If this finished without errors, GRUB should prompt for the passphrase to unlock the {{ic|/boot}} partition after the next reboot.
  
The {{ic|crypto}} argument must still be specified, but each entry can be left blank. This will prompt for the pass-phrase on boot.
+
=== Configuring fstab and crypttab ===
  
==== Example custom options ====
+
This section deals with extra configuration to let the system '''mount''' the encrypted {{ic|/boot}}.
  
Assuming the key file is located on {{ic|/dev/sd''Z''}} and the options are as used in the previous example, we have:
+
While GRUB asks for a passphrase to unlock the encrypted {{ic|/boot}} after above instructions, the partition unlock is not passed on to the initramfs. Hence, {{ic|/boot}} will not be available after the system has re-/booted, because the {{ic|encrypt}} hook only unlocks the system's root.
  
{{bc|<nowiki>cryptdevice=</nowiki>/dev/sd''X'':enc <nowiki>cryptkey=</nowiki>/dev/sd''Z'':0:512 <nowiki>crypto=sha512:twofish-xts-plain64:512:0:</nowiki>}}
+
If you used the ''genfstab'' script during installation, it will have generated {{ic|/etc/fstab}} entries for the {{ic|/boot}} and {{ic|/boot/efi}} mount points already, but the system will fail to find the generated device mapper for the boot partition. To make it available, add it to [[crypttab]]. For example:
  
If using [[grub]], this is added to {{ic|/etc/default/grub}}:
+
{{hc|/etc/crypttab|
{{hc|/etc/default/grub|<nowiki>
+
cryptboot  /dev/sda3      none        luks
GRUB_CMDLINE_LINUX="cryptdevice=</nowiki>/dev/sd''X'':enc <nowiki>cryptkey=</nowiki>/dev/sd''Z'':0:512 <nowiki>crypto=sha512:twofish-xts-plain64:512:0:</nowiki>"}}
+
}}
You may also wish to add:
 
{{hc|/etc/default/grub|<nowiki>
 
GRUB_CMDLINE_LINUX="... root=</nowiki>/dev/store/root"}}
 
Although it should not be necessary.
 
  
This can then be used to update {{ic|grub.cfg}}
+
will make the system ask for the passphrase again (i.e. you have to enter it twice at boot: once for GRUB and once for systemd init). To avoid the double entry for unlocking {{ic|/boot}}, follow the instructions at [[dm-crypt/Device encryption#Keyfiles]] to:
  # grub-mkconfig -o /boot/grub/grub.cfg
+
 
 +
# Create a [[dm-crypt/Device encryption#Storing the keyfile on a filesystem|randomtext keyfile]],
 +
# Add the keyfile to the ({{ic|/dev/sda3}}) [[dm-crypt/Device encryption#Configuring LUKS to make use of the keyfile|boot partition's LUKS header]] and
 +
# Check the {{ic|/etc/fstab}} entry and add the {{ic|/etc/crypttab}} line to [[dm-crypt/Device encryption#Unlocking a secondary partition at boot|unlock it automatically at boot]].
 +
 
 +
If for some reason the keyfile fails to unlock the boot partition, systemd will fallback to ask for a passphrase to unlock and, in case that is correct, continue booting.
 +
 
 +
{{Tip|Optional post-installation steps:
 +
* It may be worth considering to add the GRUB bootloader to the ignore list of {{ic|/etc/pacman.conf}} in order to take particular control of when the bootloader (which includes its own encryption modules) is updated.
 +
* If you want to encrypt the {{ic|/boot}} partition to protect against offline tampering threats, the [[dm-crypt/Specialties#mkinitcpio-chkcryptoboot|mkinitcpio-chkcryptoboot]] hook has been contributed to help.
 +
}}
 +
 
 +
== Btrfs subvolumes with swap ==
 +
 
 +
The following example creates a full system encryption with LUKS using [[Btrfs]] subvolumes to [[Btrfs#Mounting subvolumes|simulate partitions]].
 +
 
 +
If using UEFI, an [[EFI System Partition]] (ESP) is required. {{ic|/boot}} itself may reside on {{ic|/}} and be encrypted; however, the ESP itself cannot be encrypted. In this example layout, the ESP is {{ic|/dev/sda3}} and is mounted at {{ic|/boot/efi}}. {{ic|/boot}} itself is located on the system partition, {{ic|/dev/sda2}}.
 +
 
 +
Since {{ic|/boot}} resides on the encrypted {{ic|/}}, [[GRUB]] must be used as the bootloader because only GRUB can load modules necessary to decrypt {{ic|/boot}} (e.g., crypto.mod, cryptodisk.mod and luks.mod) [http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/].
 +
 
 +
Additionally an optional plain-encrypted [[swap]] partition is shown.
 +
 
 +
{{Warning|Do not use a [[swap file]] instead of a separate partition, because this may result in data loss. See [[Btrfs#Swap file]].}}
 +
 
 +
+--------------------------+--------------------------+--------------------------+
 +
|ESP                      |System partition          |Swap partition            |
 +
|'''un'''encrypted              |LUKS-encrypted            |plain-encrypted          |
 +
|                          |                          |                          |
 +
|/boot/efi                |/                        |[SWAP]                    |
 +
|/dev/sda1                |/dev/sda2                |/dev/sda3                |
 +
|--------------------------+--------------------------+--------------------------+
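Review bot: the paragraph above the layout table says the ESP is /dev/sda3 and is mounted at /boot/efi, but the table places the ESP on /dev/sda1 and the swap partition on /dev/sda3. Since /dev/sda3 is later set up as plain dm-crypt swap, a reader following the text could point the ESP steps at the wrong partition; change the text to /dev/sda1. The bottom border of the table also starts with | where the top border uses +.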
 +
 
 +
=== Preparing the disk ===
 +
 
 +
{{Note|It is not possible to use btrfs partitioning as described in [[Btrfs#Partitionless Btrfs disk]] when using LUKS. Traditional partitioning must be used, even if it is just to create one partition.}}
 +
 
 +
Prior to creating any partitions, you should inform yourself about the importance and methods to securely erase the disk, described in [[dm-crypt/Drive preparation]]. If you are using [[UEFI]] create an [[EFI System Partition]] with an appropriate size. It will later be mounted at {{ic|/boot/efi}}. If you are going to create an encrypted swap partition, create the partition for it, but do '''not''' mark it as swap, since plain ''dm-crypt'' will be used with the partition.
 +
 
 +
Create the needed partitions, at least one for {{ic|/}} (e.g. {{ic|/dev/sda2}}). See the [[Partitioning]] article.
 +
 
 +
=== Preparing the system partition ===
 +
 
 +
==== Create LUKS container ====
 +
 
 +
Follow [[dm-crypt/Device encryption#Encrypting devices with LUKS mode]] to setup {{ic|/dev/sda2}} for LUKS. See the [[dm-crypt/Device encryption#Encryption options for LUKS mode]] before doing so for a list of encryption options.
 +
 
 +
==== Unlock LUKS container ====
 +
 
 +
Now follow [[dm-crypt/Device encryption#Unlocking/Mapping LUKS partitions with the device mapper]] to unlock the LUKS container and map it.
 +
 
 +
==== Format mapped device ====
 +
 
 +
Proceed to format the mapped device as described in [[Btrfs#File system on a single device]], where {{ic|''/dev/partition''}} is the name of the mapped device (i.e., {{ic|cryptroot}}) and '''not''' {{ic|/dev/sda2}}.
 +
 
 +
==== Mount mapped device ====
 +
 
 +
Finally, [[mount]] the now-formatted mapped device (i.e., {{ic|/dev/mapper/cryptroot}}) to {{ic|/mnt}}.
 +
 
 +
{{Tip|You may want to use the {{ic|1=compress=lzo}} mount option. See [[Btrfs#Compression]] for more information.}}
 +
 
 +
=== Creating btrfs subvolumes ===
 +
 
 +
{{Merge|Btrfs|The subvolume layout is not specific to an encrypted system.}}
 +
 
 +
==== Layout ====
 +
 
 +
[[Btrfs#Subvolumes|Subvolumes]] will be used to simulate partitions, but other (nested) subvolumes will also be created. Here is a partial representation of what the following example will generate:
 +
 
 +
  subvolid=5 (/dev/sda2)
 +
    |
 +
    ├── @ (mounted as /)
 +
    |      |
 +
    |      ├── /bin (directory)
 +
    |      |
 +
    |      ├── /home (mounted @home subvolume)
 +
    |      |
 +
    |      ├── /usr (directory)
 +
    |      |
 +
    |      ├── /.snapshots (mounted @snapshots subvolume)
 +
    |      |
 +
    |      ├── /var/cache/pacman/pkg (nested subvolume)
 +
    |      |
 +
    |      ├── ... (other directories and nested subvolumes)
 +
    |
 +
    ├── @snapshots (mounted as /.snapshots)
 +
    |
 +
    ├── @home (mounted as /home)
 +
    |
 +
    └── @... (additional subvolumes you wish to use as mount points)
 +
 
 +
This section follows the [[Snapper#Suggested filesystem layout]], which is most useful when used with [[Snapper]]. You should also consult [https://btrfs.wiki.kernel.org/index.php/SysadminGuide#Layout Btrfs Wiki SysadminGuide#Layout].
 +
 
 +
==== Create top-level subvolumes ====
 +
 
 +
Here we are using the convention of prefixing {{ic|@}} to subvolume names that will be used as mount points, and {{ic|@}} will be the subvolume that is mounted as {{ic|/}}.
 +
 
 +
Following the [[Btrfs#Creating a subvolume]] article, create subvolumes at {{ic|/mnt/@}}, {{ic|/mnt/@snapshots}}, and {{ic|/mnt/@home}}.
 +
 
 +
Create any additional subvolumes you wish to use as mount points now.
 +
 
 +
==== Mount top-level subvolumes ====
 +
 
 +
Unmount the system partition at {{ic|/mnt}}.
 +
 
 +
Now mount the newly created {{ic|@}} subvolume which will serve as {{ic|/}} to {{ic|/mnt}} using the {{ic|1=subvol=}} mount option. Assuming the mapped device is named {{ic|cryptroot}}, the command would look like:
 +
 
 +
# mount -o compress=lzo,subvol=@ /dev/mapper/cryptroot /mnt
 +
 
 +
See [[Btrfs#Mounting subvolumes]] for more details.
 +
 
 +
Also mount the other subvolumes to their respective mount points: {{ic|@home}} to {{ic|/mnt/home}} and {{ic|@snapshots}} to {{ic|/mnt/.snapshots}}.
 +
 
 +
==== Create nested subvolumes ====
 +
 
 +
Create any subvolumes you do '''not''' want to have snapshots of when taking a snapshot of {{ic|/}}. For example, you probably do not want to take snapshots of {{ic|/var/cache/pacman/pkg}}. These subvolumes will be nested under the {{ic|@}} subvolume, but just as easily could have been created earlier at the same level as {{ic|@}} according to your preference.
 +
 
 +
Since the {{ic|@}} subvolume is mounted at {{ic|/mnt}} you will need to [[create a subvolume]] at {{ic|/mnt/var/cache/pacman/pkg}} for this example. You may have to create any parent directories first.
 +
 
 +
Other directories you may wish to do this with are {{ic|/var/abs}}, {{ic|/var/tmp}}, and {{ic|/srv}}.
 +
 
 +
==== Mount ESP ====
 +
 
 +
If you prepared an EFI system partition earlier, create its mount point and mount it now.
 +
 
 +
{{Note|Btrfs snapshots will exclude {{ic|/boot/efi}}, since it is not a btrfs file system.}}
 +
 
 +
At the [[Installation guide#Install the base packages|pacstrap]] installation step, the {{Pkg|btrfs-progs}} must be installed in addition to the base group.
 +
 
 +
=== Configuring mkinitcpio ===
 +
 
 +
==== Create keyfile ====
 +
 
 +
In order for GRUB to open the LUKS partition without having the user enter his passphrase twice, we will use a keyfile embedded in the initramfs. Follow [[dm-crypt/Device encryption#With a keyfile embedded in the initramfs]] making sure to add the key to {{ic|/dev/sda2}} at the ''luksAddKey'' step.
 +
 
 +
==== Edit mkinitcpio.conf ====
  
The bootloader can then be installed on the same USB as the {{ic|/boot}} partition:
+
After creating, adding, and embedding the key as described above, add the {{ic|encrypt}} hook to [[mkinitcpio.conf]] as well as any other hooks you require. See [[dm-crypt/System configuration#mkinitcpio]] for detailed information.
# grub-install --recheck /dev/sd''Y''
 
  
===Post-installation===
+
{{Tip|You may want to add {{ic|1=BINARIES=(/usr/bin/btrfs)}} to your {{ic|mkinitcpio.conf}}. See the [[Btrfs#Corruption recovery]] article.}}
  
You may wish to remove the USB sticks after booting. Since the {{ic|/boot}} partition is not usually needed, the following option can be added to the boot options in {{ic|/etc/fstab}}:
+
=== Configuring the boot loader ===
  
{{hc|/etc/fstab|
+
Install [[GRUB]] to {{ic|/dev/sda}}. Then, edit {{ic|/etc/default/grub}} as instructed in the [[GRUB#Encryption]] article, following both the instructions for an encrypted root and boot partition. Finally, generate the GRUB configuration file.
# /dev/sd''Yn''
 
<nowiki>UUID=</nowiki>************* /boot ext2 '''noauto''',rw,noatime 0 2}}
 
  
However, when an update to the kernel or bootloader is required, the {{ic|/boot}} partition must be present and mounted. As the entry in {{ic|fstab}} already exists, it can be mounted simply with:
+
=== Configuring swap ===
  
# mount /boot
+
If you created a partition to be used for encrypted swap, now is the time to configure it. Follow the instructions at [[dm-crypt/Swap encryption]].

Latest revision as of 08:27, 21 April 2018

The following are examples of common scenarios of full system encryption with dm-crypt. They explain all the adaptations that need to be done to the normal installation procedure. All the necessary tools are on the installation image.

Overview

Securing a root filesystem is where dm-crypt excels, feature and performance-wise. Unlike selectively encrypting non-root filesystems, an encrypted root filesystem can conceal information such as which programs are installed, the usernames of all user accounts, and common data-leakage vectors such as mlocate and /var/log/. Furthermore, an encrypted root filesystem makes tampering with the system far more difficult, as everything except the boot loader and (usually) the kernel is encrypted.

All scenarios illustrated in the following share these advantages; other pros and cons differentiating them are summarized below:

Scenarios, with their advantages and disadvantages:

#Simple partition layout with LUKS

shows a basic and straightforward set-up for a fully LUKS encrypted root.

Advantages:
  • Simple partitioning and setup

Disadvantages:
  • Inflexible; disk-space to be encrypted has to be pre-allocated

#LVM on LUKS

achieves partitioning flexibility by using LVM inside a single LUKS encrypted partition.

Advantages:
  • Simple partitioning with knowledge of LVM
  • Only one key required to unlock all volumes (e.g. easy resume-from-disk setup)
  • Volume layout not transparent when locked
  • Easiest method to allow suspension to disk

Disadvantages:
  • LVM adds an additional mapping layer and hook
  • Less useful, if a singular volume should receive a separate key

#LUKS on LVM

uses dm-crypt only after the LVM is set up.

Advantages:
  • LVM can be used to have encrypted volumes span multiple disks
  • Easy mix of un-/encrypted volume groups

Disadvantages:
  • Complex; changing volumes requires changing encryption mappers too
  • Volumes require individual keys
  • LVM layout is transparent when locked

#LUKS on software RAID

uses dm-crypt only after RAID is set up.

Advantages:
  • Analogous to LUKS on LVM

Disadvantages:
  • Analogous to LUKS on LVM

#Plain dm-crypt

uses dm-crypt plain mode, i.e. without a LUKS header and its options for multiple keys.
This scenario also employs USB devices for /boot and key storage, which may be applied to the other scenarios.

Disadvantages:
  • High care to all encryption parameters is required
  • Single encryption key and no option to change it

#Encrypted boot partition (GRUB)

shows how to encrypt the boot partition using the GRUB bootloader.
This scenario also employs an ESP partition, which may be applied to the other scenarios.

Advantages:
  • Same advantages as the scenario the installation is based on (LVM on LUKS for this particular example)
  • Less data is left unencrypted, i.e. the boot loader and the ESP partition, if present

Disadvantages:
  • Same disadvantages as the scenario the installation is based on (LVM on LUKS for this particular example)
  • More complicated configuration
  • Not supported by other boot loaders

#Btrfs subvolumes with swap

shows how to encrypt a Btrfs system, including the /boot directory, also adding a partition for swap, on UEFI hardware.

While all above scenarios provide much greater protection from outside threats than encrypted secondary filesystems, they also share a common disadvantage: any user in possession of the encryption key is able to decrypt the entire drive, and therefore can access other users' data. If that is of concern, it is possible to use a combination of blockdevice and stacked filesystem encryption and reap the advantages of both. See Disk encryption to plan ahead.

See dm-crypt/Drive preparation#Partitioning for a general overview of the partitioning strategies used in the scenarios.

Another area to consider is whether to set up an encrypted swap partition and what kind. See dm-crypt/Swap encryption for alternatives.

If you need to protect the system's data not only against physical theft but also against logical tampering, see dm-crypt/Specialties#Securing the unencrypted boot partition for further possibilities after following one of the scenarios.

For Solid State Drives you might want to consider enabling TRIM support, but be warned, there are potential security implications. See dm-crypt/Specialties#Discard/TRIM support for solid state drives (SSD) for more information.

Warning: In any scenario, never use file system repair software such as fsck directly on an encrypted volume, or it will destroy any means to recover the key used to decrypt your files. Such tools must be used on the decrypted (opened) device instead.

Simple partition layout with LUKS

This example covers a full system encryption with dm-crypt + LUKS in a simple partition layout:

+-----------------------+-----------------------+-----------------------+
| Boot partition        | LUKS encrypted system | Optional free space   |
|                       | partition             | for additional        |
|                       |                       | partitions or swap    |
| /boot                 | /                     | to be setup later     |
|                       |                       |                       |
|                       | /dev/mapper/cryptroot |                       |
|                       |-----------------------|                       |
| /dev/sda1             | /dev/sda2             |                       |
+-----------------------+-----------------------+-----------------------+

The first steps can be performed directly after booting the Arch Linux install image.

Preparing the disk

Prior to creating any partitions, you should inform yourself about the importance and methods to securely erase the disk, described in dm-crypt/Drive preparation.

Then create the needed partitions, at least one for / (e.g. /dev/sda2) and /boot (/dev/sda1). See Partitioning.

Preparing non-boot partitions

The following commands create and mount the encrypted root partition. They correspond to the procedure described in detail in dm-crypt/Encrypting a non-root file system#Partition (which, despite the title, can be applied to root partitions, as long as mkinitcpio and the boot loader are correctly configured). If you want to use particular non-default encryption options (e.g. cipher, key length), see the encryption options before executing the first command:

# cryptsetup -y -v luksFormat --type luks2 /dev/sda2
# cryptsetup open /dev/sda2 cryptroot
# mkfs.ext4 /dev/mapper/cryptroot
# mount /dev/mapper/cryptroot /mnt

Check the mapping works as intended:

# umount /mnt
# cryptsetup close cryptroot
# cryptsetup open /dev/sda2 cryptroot
# mount /dev/mapper/cryptroot /mnt

If you created separate partitions (e.g. /home), these steps have to be adapted and repeated for all of them, except for /boot. See dm-crypt/Encrypting a non-root file system#Automated unlocking and mounting on how to handle additional partitions at boot.

Note that each blockdevice requires its own passphrase. This may be inconvenient, because it results in a separate passphrase to be input during boot. An alternative is to use a keyfile stored in the system partition to unlock the separate partition via crypttab. See dm-crypt/Device encryption#Using LUKS to format partitions with a keyfile for instructions.

Preparing the boot partition

What you do have to set up is a non-encrypted /boot partition, which is needed for an encrypted root. For a standard MBR/non-EFI /boot partition, for example, execute:

# mkfs.ext4 /dev/sda1
# mkdir /mnt/boot
# mount /dev/sda1 /mnt/boot

Mounting the devices

At Installation guide#Mount the file systems you will have to mount the mapped devices, not the actual partitions. Of course /boot, which is not encrypted, will still have to be mounted directly.

Configuring mkinitcpio

Add the keyboard, keymap and encrypt hooks to mkinitcpio.conf. If the default US keymap is fine for you, you can omit the keymap hook.

HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt filesystems fsck)

If using the sd-encrypt hook with the systemd-based initramfs, the following needs to be set instead:

HOOKS=(base systemd autodetect keyboard sd-vconsole modconf block sd-encrypt filesystems fsck)

Depending on which other hooks are used, the order may be relevant. See dm-crypt/System configuration#mkinitcpio for details and other hooks that you may need.

Configuring the boot loader

In order to unlock the encrypted root partition at boot, the following kernel parameters need to be set by the boot loader:

cryptdevice=UUID=device-UUID:cryptroot root=/dev/mapper/cryptroot

If using the sd-encrypt hook, the following need to be set instead:

rd.luks.name=device-UUID=cryptroot root=/dev/mapper/cryptroot

See dm-crypt/System configuration#Boot loader for details.

The device-UUID refers to the UUID of /dev/sda2. See Persistent block device naming for details.
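
The pairing described above (encrypt with cryptdevice=, sd-encrypt with rd.luks.name=, and root= pointing at the mapped name) can be checked before rebooting. The script below is an added example, not code from this page or from mkinitcpio; its function names, the placeholder UUID and the rule that keyboard and block precede the encrypt hook (read off the page's HOOKS examples) are assumptions, and it covers only the simple partition layout.

```shell
#!/bin/sh
# Added example (not ArchWiki or mkinitcpio code): cross-check a HOOKS line
# against a kernel command line for the simple LUKS layout on this page.
# Only the HOOKS=(...) array syntax shown on the page is parsed.

# hooks_list LINE: print the words between "HOOKS=(" and ")".
hooks_list() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*HOOKS=(\(.*\))[[:space:]]*$/\1/p'
}

# has_word LIST WORD: succeed if WORD is one of the space-separated items.
has_word() {
    case " $1 " in *" $2 "*) return 0 ;; *) return 1 ;; esac
}

# hook_pos LIST HOOK: print the 1-based position of HOOK, or 0 if absent.
hook_pos() (
    set -f; i=0
    for h in $1; do
        i=$((i + 1))
        if [ "$h" = "$2" ]; then echo "$i"; exit 0; fi
    done
    echo 0
)

# param_value CMDLINE KEY: print the value of the first KEY=value parameter.
param_value() (
    set -f
    for p in $1; do
        case "$p" in "$2="*) echo "${p#"$2"=}"; exit 0 ;; esac
    done
)

# check_boot_config HOOKS_LINE CMDLINE: print one finding per line.
# Exit status is 0 when the two agree and 1 when at least one finding exists.
check_boot_config() (
    set -f
    hooks=$(hooks_list "$1"); cmdline=$2; rc=0
    finding() { echo "$1"; rc=1; }

    # The systemd-based initramfs pairs sd-encrypt with rd.luks.name=,
    # the busybox-based one pairs encrypt with cryptdevice=.
    if has_word "$hooks" systemd; then
        hook=sd-encrypt; key=rd.luks.name; other=encrypt
    else
        hook=encrypt; key=cryptdevice; other=sd-encrypt
    fi
    if has_word "$hooks" "$other"; then
        finding "hook '$other' does not fit this initramfs, use '$hook'"
    fi

    # Ordering rule assumed from the page's HOOKS examples.
    pos=$(hook_pos "$hooks" "$hook")
    if [ "$pos" -eq 0 ]; then
        finding "hook '$hook' is missing from HOOKS"
    else
        for before in keyboard block; do
            b=$(hook_pos "$hooks" "$before")
            if [ "$b" -eq 0 ] || [ "$b" -gt "$pos" ]; then
                finding "hook '$before' must come before '$hook'"
            fi
        done
        f=$(hook_pos "$hooks" filesystems)
        if [ "$f" -ne 0 ] && [ "$f" -lt "$pos" ]; then
            finding "hook '$hook' must come before 'filesystems'"
        fi
    fi

    value=$(param_value "$cmdline" "$key")
    if [ -z "$value" ]; then
        finding "kernel parameter '$key=' is missing for hook '$hook'"
    else
        if [ "$key" = cryptdevice ]; then
            device=${value%%:*}                  # cryptdevice=device:name
            rest=${value#*:}; name=${rest%%:*}
        else
            device=UUID=${value%%=*}             # rd.luks.name=UUID=name
            name=${value#*=}
        fi
        case "$device" in
            UUID=*|PARTUUID=*|LABEL=*|PARTLABEL=*|/dev/disk/by-*) ;;
            *) finding "device '$device' is not a persistent name" ;;
        esac
        root=$(param_value "$cmdline" root)
        if [ "$root" != "/dev/mapper/$name" ]; then
            finding "root=$root does not point at /dev/mapper/$name"
        fi
    fi
    exit "$rc"
)

# Constructed samples: the page's encrypt example with a placeholder UUID,
# then a systemd initramfs with misplaced hooks and the wrong parameter.
GOOD_HOOKS='HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt filesystems fsck)'
GOOD_CMDLINE='cryptdevice=UUID=00000000-0000-0000-0000-000000000000:cryptroot root=/dev/mapper/cryptroot'
BAD_HOOKS='HOOKS=(base systemd autodetect modconf block filesystems sd-encrypt keyboard fsck)'
BAD_CMDLINE='cryptdevice=/dev/sda2:cryptroot root=/dev/mapper/cryptroot'

check_boot_config "$GOOD_HOOKS" "$GOOD_CMDLINE" && echo "sample 1: consistent"
check_boot_config "$BAD_HOOKS" "$BAD_CMDLINE" || echo "sample 2: findings listed above"
```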

LVM on LUKS

The straightforward method is to set up LVM on top of the encrypted partition instead of the other way round. Technically the LVM is set up inside one big encrypted blockdevice. Hence, the LVM is not transparent until the blockdevice is unlocked and the underlying volume structure is scanned and mounted during boot.

The disk layout in this example is:

+-----------------------------------------------------------------------------------------+ +----------------+
| Logical volume 1            | Logical volume 2            | Logical volume 3            | | Boot partition |
|                             |                             |                             | |                |
| [SWAP]                      | /                           | /home                       | | /boot          |
|                             |                             |                             | |                |
| /dev/mapper/MyVolGroup-swap | /dev/mapper/MyVolGroup-root | /dev/mapper/MyVolGroup-home | |                |
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _| | (may be on     |
|                                                                                         | | other device)  |
|                         LUKS encrypted partition                                        | |                |
|                           /dev/sda1                                                     | | /dev/sdb1      |
+-----------------------------------------------------------------------------------------+ +----------------+
Note: When using the encrypt hook, this method does not allow you to span the logical volumes over multiple disks; either use the sd-encrypt hook or see dm-crypt/Specialties#Modifying the encrypt hook for multiple partitions.
Tip: Three variants of this setup:

Preparing the disk

Prior to creating any partitions, you should inform yourself about the importance and methods to securely erase the disk, described in dm-crypt/Drive preparation.

Tip: When using the GRUB bootloader together with GPT, create a BIOS boot partition.

Create a partition to be mounted at /boot of type 8300 with a size of 200 MiB or more.

Create a partition of type 8E00, which will later contain the encrypted container.

Create the LUKS encrypted container at the "system" partition. Enter the chosen password twice.

# cryptsetup luksFormat --type luks2 /dev/sda1

For more information about the available cryptsetup options, see the LUKS encryption options before running the above command.

Open the container:

# cryptsetup open /dev/sda1 cryptlvm

The decrypted container is now available at /dev/mapper/cryptlvm.

Preparing the logical volumes

Create a physical volume on top of the opened LUKS container:

# pvcreate /dev/mapper/cryptlvm

Create the volume group named MyVolGroup (or whatever you want), adding the previously created physical volume to it:

# vgcreate MyVolGroup /dev/mapper/cryptlvm

Create all your logical volumes on the volume group:

# lvcreate -L 8G MyVolGroup -n swap
# lvcreate -L 32G MyVolGroup -n root
# lvcreate -l 100%FREE MyVolGroup -n home

Format your filesystems on each logical volume:

# mkfs.ext4 /dev/mapper/MyVolGroup-root
# mkfs.ext4 /dev/mapper/MyVolGroup-home
# mkswap /dev/mapper/MyVolGroup-swap

Mount your filesystems:

# mount /dev/mapper/MyVolGroup-root /mnt
# mkdir /mnt/home
# mount /dev/mapper/MyVolGroup-home /mnt/home
# swapon /dev/mapper/MyVolGroup-swap

Preparing the boot partition

The bootloader loads the kernel, initramfs, and its own configuration files from the /boot directory. This directory must be located on a separate unencrypted filesystem.

Create a filesystem on the partition intended for /boot. Any filesystem that can be read by the bootloader is eligible.

# mkfs.ext4 /dev/sdb1

Create the directory /mnt/boot:

# mkdir /mnt/boot

Mount the partition to /mnt/boot:

# mount /dev/sdb1 /mnt/boot

Configuring mkinitcpio

Add the keyboard, encrypt and lvm2 hooks to mkinitcpio.conf:

HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt lvm2 filesystems fsck)

If using the sd-encrypt hook with the systemd-based initramfs, the following needs to be set instead:

HOOKS=(base systemd autodetect keyboard sd-vconsole modconf block sd-encrypt sd-lvm2 filesystems fsck)

See dm-crypt/System configuration#mkinitcpio for details and other hooks that you may need.

Configuring the boot loader

In order to unlock the encrypted root partition at boot, the following kernel parameter needs to be set by the boot loader:

cryptdevice=UUID=device-UUID:cryptlvm root=/dev/mapper/MyVolGroup-root

If using the sd-encrypt hook, the following need to be set instead:

rd.luks.name=device-UUID=cryptlvm root=/dev/mapper/MyVolGroup-root

The device-UUID refers to the UUID of /dev/sda1. See Persistent block device naming for details.

See dm-crypt/System configuration#Boot loader for details.

LUKS on LVM

To use encryption on top of LVM, the LVM volumes are set up first and then used as the base for the encrypted partitions. This way, a mixture of encrypted and non-encrypted volumes/partitions is possible as well.

Tip: Unlike #LVM on LUKS, this method allows normally spanning the logical volumes over multiple disks.

The following short example creates a LUKS on LVM setup and mixes in the use of a key-file for the /home partition and temporary crypt volumes for /tmp and /swap. The latter is considered desirable from a security perspective, because no potentially sensitive temporary data survives the reboot, when the encryption is re-initialised. If you are experienced with LVM, you will be able to ignore/replace LVM and other specifics according to your plan.

If you want to span a logical volume over multiple disks that have already been set up, or expand the logical volume for /home (or any other volume), a procedure to do so is described in dm-crypt/Specialties#Expanding LVM on multiple disks. It is important to note that the LUKS encrypted container has to be resized as well.

Preparing the disk

Partitioning scheme:

+----------------+-------------------------------------------------------------------------------------------------------------+
| Boot partition | dm-crypt plain encrypted volume     | LUKS encrypted volume             | LUKS encrypted volume             |
|                |                                     |                                   |                                   |
| /boot          | [SWAP]                              | /                                 | /home                             |
|                |                                     |                                   |                                   |
|                | /dev/mapper/swap                    | /dev/mapper/root                  | /dev/mapper/home                  |
|                |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
|                | Logical volume 1                    | Logical volume 2                  | Logical volume 3                  |
|                | /dev/mapper/MyVolGroup-cryptswap    | /dev/mapper/MyVolGroup-cryptroot  | /dev/mapper/MyVolGroup-crypthome  |
|                |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
|                |                                                                                                             |
|   /dev/sda1    |                                   /dev/sda2                                                                 |
+----------------+-------------------------------------------------------------------------------------------------------------+

Randomise /dev/sda2 according to dm-crypt/Drive preparation#dm-crypt wipe on an empty disk or partition.

Preparing the logical volumes

# pvcreate /dev/sda2
# vgcreate MyVolGroup /dev/sda2
# lvcreate -L 32G -n cryptroot MyVolGroup
# lvcreate -L 500M -n cryptswap MyVolGroup
# lvcreate -L 500M -n crypttmp MyVolGroup
# lvcreate -l 100%FREE -n crypthome MyVolGroup
# cryptsetup luksFormat --type luks2 /dev/mapper/MyVolGroup-cryptroot
# cryptsetup open /dev/mapper/MyVolGroup-cryptroot root
# mkfs.ext4 /dev/mapper/root
# mount /dev/mapper/root /mnt

More information about the encryption options can be found in dm-crypt/Device encryption#Encryption options for LUKS mode. Note that /home will be encrypted in #Encrypting logical volume /home.

Tip: If you ever have to access the encrypted root from the Arch-ISO, the above open action will let you do so once the LVM shows up.

Preparing the boot partition

# dd if=/dev/zero of=/dev/sda1 bs=1M status=progress
# mkfs.ext4 /dev/sda1
# mkdir /mnt/boot
# mount /dev/sda1 /mnt/boot

Configuring mkinitcpio

Add the keyboard, lvm2 and encrypt hooks to mkinitcpio.conf:

HOOKS=(base udev autodetect keyboard keymap consolefont modconf block lvm2 encrypt filesystems fsck)

If using the sd-encrypt hook with the systemd-based initramfs, the following needs to be set instead:

HOOKS=(base systemd autodetect keyboard sd-vconsole modconf block sd-encrypt sd-lvm2 filesystems fsck)

See dm-crypt/System configuration#mkinitcpio for details and other hooks that you may need.
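
The two LVM scenarios differ only in whether encrypt comes before or after lvm2, which is easy to get wrong when copying a HOOKS line between them. The following script is an added example, not part of the wiki or of mkinitcpio: it checks a mkinitcpio.conf against the orderings shown in the HOOKS lines above, with the scenario names (luks, lvm-on-luks, luks-on-lvm) and function names chosen here for illustration.

```shell
#!/bin/sh
# Added example, not part of the wiki page. The ordering rules below are
# read off the HOOKS lines shown in the scenarios above (an assumption of
# this sketch, not an mkinitcpio specification).

# Print the contents of the last uncommented HOOKS=(...) line in file $1.
extract_hooks() {
    sed -n 's/^[[:space:]]*HOOKS=(\(.*\))[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Print the 1-based position of hook $2 in the hook list $1, or 0 if absent.
hook_index() (
    i=0
    for h in $1; do
        i=$((i + 1))
        if [ "$h" = "$2" ]; then echo "$i"; exit 0; fi
    done
    echo 0
)

# check_hooks SCENARIO FILE
#   SCENARIO: luks | lvm-on-luks | luks-on-lvm
# Prints one "FAIL: ..." line per problem; exit status is the problem count.
check_hooks() (
    scenario=$1
    hooks=$(extract_hooks "$2")
    problems=0

    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }
    has() { [ "$(hook_index "$hooks" "$1")" -gt 0 ]; }
    # before A B: both hooks must be present, A listed earlier than B.
    before() {
        if ! has "$1"; then fail "hook '$1' is missing"
        elif ! has "$2"; then fail "hook '$2' is missing"
        elif [ "$(hook_index "$hooks" "$1")" -gt "$(hook_index "$hooks" "$2")" ]; then
            fail "'$1' must come before '$2'"
        fi
    }

    case $scenario in
        luks|lvm-on-luks|luks-on-lvm) ;;
        *) fail "unknown scenario '$scenario'" ;;
    esac

    if [ -z "$hooks" ]; then
        fail "no HOOKS=(...) line found"
    elif has systemd; then
        # systemd-based initramfs: the page pairs it with sd-encrypt/sd-lvm2.
        has sd-encrypt || fail "hook 'sd-encrypt' is missing"
        if [ "$scenario" != luks ]; then
            has sd-lvm2 || fail "hook 'sd-lvm2' is missing"
        fi
    elif ! has encrypt; then
        fail "hook 'encrypt' is missing"
    else
        before udev encrypt
        before keyboard encrypt
        before block encrypt
        before encrypt filesystems
        # keymap is optional (default US keymap); the page lists it before encrypt.
        if has keymap; then before keymap encrypt; fi
        case $scenario in
            lvm-on-luks) before encrypt lvm2 ;;  # unlock first, then find the LVM
            luks-on-lvm) before lvm2 encrypt ;;  # activate LVM first, then unlock
        esac
    fi
    exit "$problems"
)
```

Run it as check_hooks luks-on-lvm /mnt/etc/mkinitcpio.conf before regenerating the initramfs; a non-zero exit status is the number of problems found.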

Configuring the boot loader

In order to unlock the encrypted root partition at boot, the following kernel parameters need to be set by the boot loader:

cryptdevice=/dev/mapper/MyVolGroup-cryptroot:root root=/dev/mapper/root

If using the sd-encrypt hook, the following need to be set instead:

rd.luks.name=device-UUID=root root=/dev/mapper/root

The device-UUID refers to the UUID of /dev/mapper/MyVolGroup-cryptroot. See Persistent block device naming for details.

See dm-crypt/System configuration#Boot loader for details.

Configuring fstab and crypttab

Both crypttab and fstab entries are required to both unlock the device and mount the filesystems, respectively. The following lines will re-encrypt the temporary filesystems on each reboot:

/etc/crypttab
swap	/dev/mapper/MyVolGroup-cryptswap	/dev/urandom	swap,cipher=aes-xts-plain64,size=256
tmp	/dev/mapper/MyVolGroup-crypttmp	/dev/urandom	tmp,cipher=aes-xts-plain64,size=256
/etc/fstab
/dev/mapper/root        /       ext4            defaults        0       1
/dev/sda1               /boot   ext4            defaults        0       2
/dev/mapper/tmp         /tmp    tmpfs           defaults        0       0
/dev/mapper/swap        none    swap            sw              0       0

Encrypting logical volume /home

Since this scenario uses LVM as the primary and dm-crypt as secondary mapper, each encrypted logical volume requires its own encryption. Yet, unlike the temporary filesystems configured with volatile encryption above, the logical volume for /home should of course be persistent. The following assumes you have rebooted into the installed system, otherwise you have to adjust paths. To save on entering a second passphrase at boot, a keyfile is created:

# mkdir -m 700 /etc/luks-keys
# dd if=/dev/random of=/etc/luks-keys/home bs=1 count=256 status=progress

The logical volume is encrypted with it:

# cryptsetup luksFormat --type luks2 -v /dev/mapper/MyVolGroup-crypthome /etc/luks-keys/home
# cryptsetup -d /etc/luks-keys/home open /dev/mapper/MyVolGroup-crypthome home
# mkfs.ext4 /dev/mapper/home
# mount /dev/mapper/home /home

The encrypted mount is configured in both crypttab and fstab:

/etc/crypttab
home	/dev/mapper/MyVolGroup-crypthome   /etc/luks-keys/home
/etc/fstab
/dev/mapper/home        /home   ext4        defaults        0       2
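
The crypttab entries in this scenario depend on two things that are easy to lose track of: the volatile entries must carry the swap or tmp option, and the /home keyfile is protected only by the permissions of /etc/luks-keys. The following audit script is an added example, not part of the wiki; the function names and the optional ROOT prefix (for checking an installation mounted at /mnt) are assumptions made here.

```shell
#!/bin/sh
# Added example, not part of the wiki page.

# Succeed if path $1 grants no permission bits to group or others.
# Uses the mode string printed by ls -ld; ACLs are not considered.
is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# audit_crypttab FILE [ROOT]
#   FILE: crypttab to read; ROOT: prefix for keyfile paths (e.g. /mnt).
# Prints "STATUS name: message" per entry; exit status is the FAIL count.
audit_crypttab() (
    root=${2:-}
    problems=0

    report() {
        echo "$1 $2: $3"
        if [ "$1" = FAIL ]; then problems=$((problems + 1)); fi
    }

    # "|| [ -n "$name" ]" also processes a last line without a newline.
    while read -r name device key opts rest || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac
        key=${key:-none}
        case $key in
            none|-)
                report INFO "$name" "unlocked by passphrase prompt" ;;
            /dev/urandom|/dev/random)
                # A fresh random key on every boot: the old contents are
                # unreadable, so the entry must also re-create swap or /tmp.
                case ",$opts," in
                    *,swap,*|*,tmp,*|*,tmp=*)
                        report OK "$name" "volatile key, re-initialised on each boot" ;;
                    *)
                        report FAIL "$name" "random key without swap or tmp option" ;;
                esac ;;
            *)
                path=$root$key
                if [ ! -f "$path" ]; then
                    report FAIL "$name" "keyfile $key not found"
                elif is_private "$path" || is_private "$(dirname "$path")"; then
                    report OK "$name" "keyfile $key is only reachable by its owner"
                else
                    report FAIL "$name" "keyfile $key is accessible to group or others"
                fi ;;
        esac
    done < "$1"
    exit "$problems"
)
```

With the commands above, the keyfile itself is created with the default umask, so the check passes only as long as /etc/luks-keys keeps mode 700.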

LUKS on software RAID

This example is based on a real-world setup for a workstation class laptop equipped with two SSDs of equal size, and an additional HDD for bulk storage. The end result is LUKS based full disk encryption (including /boot) for all drives, with the SSDs in a RAID0 array, and keyfiles used to unlock all encryption after GRUB is given a correct passphrase at boot.

This setup utilizes a very simplistic partitioning scheme, with all the available RAID storage being mounted at / (no separate /boot partition), and the decrypted HDD being mounted at /mnt/data. It is also worth mentioning that the system in this example boots in BIOS mode and the drives are partitioned with GPT partitions.

Please note that regular backups are very important in this setup. If either of the SSDs fails, the data contained in the RAID array will be practically impossible to recover. You may wish to select a different RAID level if fault tolerance is important to you.

The encryption is not deniable in this setup.

For the sake of the instructions below, the following block devices are used:

/dev/sda = first SSD
/dev/sdb = second SSD
/dev/sdc = HDD

Be sure to substitute them with the appropriate device designations for your setup, as they may be different.

Preparing the disks

Prior to creating any partitions, you should inform yourself about the importance and methods to securely erase the disk, described in dm-crypt/Drive preparation.

When using the GRUB bootloader together with GPT, create a BIOS boot partition. For this setup, this includes a 1 MiB partition for BIOS/GPT boot at /dev/sda1 and the remaining space on the drive being partitioned for "Linux RAID" at /dev/sda2.

Once partitions have been created on /dev/sda, the following commands can be used to clone them to /dev/sdb.

# sfdisk -d /dev/sda > sda.dump
# sfdisk /dev/sdb < sda.dump

The HDD is prepared with a single Linux partition covering the whole drive at /dev/sdc1.

Building the RAID array

Create the RAID array for the SSDs. This example utilizes RAID0; you may wish to substitute a different level based on your preferences or requirements.

# mdadm --create --verbose --level=0 --metadata=1.2 --raid-devices=2 /dev/md0 /dev/sda2 /dev/sdb2

Preparing the block devices

As explained in dm-crypt/Drive preparation, the devices are wiped with random data utilizing /dev/zero and a crypt device with a random key. Alternatively, you could use dd with /dev/random or /dev/urandom, though it will be much slower.

# cryptsetup open --type plain /dev/md0 container --key-file /dev/random
# dd if=/dev/zero of=/dev/mapper/container bs=1M status=progress
# cryptsetup close container

Repeat the above for the HDD (/dev/sdc1 in this example).

Set up encryption for /dev/md0:

# cryptsetup -y -v luksFormat --type luks2 /dev/md0
# cryptsetup open /dev/md0 cryptroot
# mkfs.ext4 /dev/mapper/cryptroot
# mount /dev/mapper/cryptroot /mnt

And repeat for the HDD:

# cryptsetup -y -v luksFormat --type luks2 /dev/sdc1
# cryptsetup open /dev/sdc1 cryptdata
# mkfs.ext4 /dev/mapper/cryptdata
# mkdir -p /mnt/mnt/data
# mount /dev/mapper/cryptdata /mnt/mnt/data

Configuring the boot loader

Configure GRUB for the encrypted system by editing /etc/default/grub with the following:

GRUB_CMDLINE_LINUX="cryptdevice=/dev/md0:cryptroot root=/dev/mapper/cryptroot"
GRUB_ENABLE_CRYPTODISK=y

See dm-crypt/System configuration#Boot loader and GRUB#Boot partition for details.

Complete the GRUB install to both SSDs (in reality, installing only to /dev/sda will work).

# grub-install --target=i386-pc /dev/sda
# grub-install --target=i386-pc /dev/sdb
# grub-mkconfig -o /boot/grub/grub.cfg

Creating the keyfiles

The next steps save you from entering your passphrase twice when you boot the system (once so GRUB can unlock the encryption, and a second time once the initramfs assumes control of the system). This is done by creating a keyfile for the encryption and adding it to the initramfs image to allow the encrypt hook to unlock the root device. See dm-crypt/Device encryption#With a keyfile embedded in the initramfs for details.

  • Create the keyfile and add the key to /dev/md0.
  • Create another keyfile for the HDD (/dev/sdc1) so it can also be unlocked at boot. For convenience, leave the passphrase created above in place as this can make recovery easier if you ever need it. Edit /etc/crypttab to decrypt the HDD at boot. See dm-crypt/Device encryption#Unlocking a secondary partition at boot.

Configuring the system

Edit /etc/fstab to mount the cryptroot and cryptdata block devices:

/dev/mapper/cryptroot  /           ext4    rw,noatime  0   1 
/dev/mapper/cryptdata  /mnt/data   ext4    defaults            0   2  

Save the RAID configuration:

# mdadm --detail --scan > /etc/mdadm.conf 

Edit mkinitcpio.conf to include your keyfile and add the proper hooks:

FILES=(/crypto_keyfile.bin)
HOOKS=(base udev autodetect keyboard keymap consolefont modconf block mdadm_udev encrypt filesystems fsck)

See dm-crypt/System configuration#mkinitcpio for details.

Plain dm-crypt

Contrary to LUKS, dm-crypt plain mode does not require a header on the encrypted device: this scenario exploits this feature to set up a system on an unpartitioned, encrypted disk that will be indistinguishable from a disk filled with random data, which could allow deniable encryption. See also wikipedia:Disk encryption#Full disk encryption.

Note that if full-disk encryption is not required, the methods using LUKS described in the sections above are better options for both system encryption and encrypted partitions. LUKS features like key management with multiple passphrases/key-files or re-encrypting a device in-place are unavailable with plain mode.

Plain dm-crypt encryption can be more resilient to damage than LUKS, because it does not rely on an encryption master-key which can be a single-point of failure if damaged. However, using plain mode also requires more manual configuration of encryption options to achieve the same cryptographic strength. See also Disk encryption#Cryptographic metadata. Using plain mode could also be considered if concerned with the problems explained in dm-crypt/Specialties#Discard/TRIM support for solid state drives (SSD).

Tip: If headerless encryption is your goal but you are unsure about the lack of key-derivation with plain mode, then two alternatives are:
  • dm-crypt LUKS mode with a detached header by using the cryptsetup --header option. It cannot be used with the standard encrypt hook, but the hook may be modified.
  • tcplay which offers headerless encryption but with the PBKDF2 function.

The scenario uses two USB sticks:

  • one for the boot device, which also allows storing the options required to open/unlock the plain encrypted device in the boot loader configuration, since typing them on each boot would be error prone;
  • another for the encryption key file, assuming it is stored as raw bits, so that to an unaware attacker who might get hold of the USB key the encryption key will appear as random data instead of being visible as a normal file. See also Wikipedia:Security through obscurity; follow dm-crypt/Device encryption#Keyfiles to prepare the keyfile.

The disk layout is:

+-----------------------------+-----------------------------+-----------------------------+ +----------------+ +----------------+
| Logical volume 1            | Logical volume 2            | Logical volume 3            | | Boot device    | | Encryption key |
|                             |                             |                             | |                | | file storage   |
| /                           | [SWAP]                      | /home                       | | /boot          | | (unpartitioned |
|                             |                             |                             | |                | | in example)    |
| /dev/mapper/MyVolGroup-root | /dev/mapper/MyVolGroup-swap | /dev/mapper/MyVolGroup-home | | /dev/sdb1      | | /dev/sdc       |
|-----------------------------+-----------------------------+-----------------------------| |----------------| |----------------|
| disk drive /dev/sda encrypted using plain mode and LVM                                  | | USB stick 1    | | USB stick 2    |
+-----------------------------------------------------------------------------------------+ +----------------+ +----------------+
Tip:
  • It is also possible to use a single USB key by copying the keyfile to the initramfs directly. An example keyfile /etc/keyfile gets copied to the initramfs image by setting FILES=(/etc/keyfile) in /etc/mkinitcpio.conf. To instruct the encrypt hook to read the keyfile from the initramfs image, use the rootfs: prefix before the filename, e.g. cryptkey=rootfs:/etc/keyfile.
  • Another option is using a passphrase with good entropy.

Preparing the disk

It is vital that the mapped device is filled with data. In particular, this applies to the use case of this scenario.

See dm-crypt/Drive preparation and dm-crypt/Drive preparation#dm-crypt specific methods.

Preparing the non-boot partitions

See dm-crypt/Device encryption#Encryption options for plain mode for details.

Using the device /dev/sda, with the twofish-xts cipher with a 512 bit key size and using a keyfile we have the following options for this scenario:

# cryptsetup --hash=sha512 --cipher=twofish-xts-plain64 --offset=0 --key-file=/dev/sdc --key-size=512 open --type=plain /dev/sda cryptlvm

Unlike encrypting with LUKS, the above command must be executed in full whenever the mapping needs to be re-established, so it is important to remember the cipher, hash and key file details.

We can now check a mapping entry has been made for /dev/mapper/cryptlvm:

# fdisk -l

Next, we set up LVM logical volumes on the mapped device. See LVM#Installing Arch Linux on LVM for further details:

# pvcreate /dev/mapper/cryptlvm
# vgcreate MyVolGroup /dev/mapper/cryptlvm
# lvcreate -L 32G MyVolGroup -n root
# lvcreate -L 10G MyVolGroup -n swap
# lvcreate -l 100%FREE MyVolGroup -n home

We format and mount them and activate swap. See File systems#Create a file system for further details:

# mkfs.ext4 /dev/mapper/MyVolGroup-root
# mkfs.ext4 /dev/mapper/MyVolGroup-home
# mount /dev/mapper/MyVolGroup-root /mnt
# mkdir /mnt/home
# mount /dev/mapper/MyVolGroup-home /mnt/home
# mkswap /dev/mapper/MyVolGroup-swap
# swapon /dev/mapper/MyVolGroup-swap

Preparing the boot partition

The /boot partition can be installed on the standard vfat partition of a USB stick, if required. But if manual partitioning is needed, then a small 200 MiB partition is all that is required. Create the partition using a partitioning tool of your choice.

Create a filesystem on the partition intended for /boot, if it is not already formatted as vfat:

# mkfs.ext4 /dev/sdb1
# mkdir /mnt/boot
# mount /dev/sdb1 /mnt/boot

Configuring mkinitcpio

Add the keyboard, encrypt and lvm2 hooks to mkinitcpio.conf:

HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt lvm2 filesystems fsck)

See dm-crypt/System configuration#mkinitcpio for details and other hooks that you may need.

Configuring the boot loader

In order to boot the encrypted root partition, the following kernel parameters need to be set by the boot loader:

cryptdevice=/dev/disk/by-id/disk-ID-of-sda:cryptlvm cryptkey=/dev/disk/by-id/disk-ID-of-sdc:0:512 crypto=sha512:twofish-xts-plain64:512:0:

The disk-ID-of-disk refers to the id of the referenced disk. See Persistent block device naming for details.

See dm-crypt/System configuration#Boot loader for details and other parameters that you may need.
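
Because plain mode stores nothing on the disk, the kernel parameters above are the only record of how the mapping was opened, and they have to agree with the cryptsetup command used during installation. The following script is an added example, not part of the wiki or of the encrypt hook: it turns such a parameter set back into the matching cryptsetup command and rejects inconsistent input. It assumes the hook's parameter formats cryptdevice=device:name, cryptkey=device:offset:size and crypto=hash:cipher:keysize:offset:skip; the function names are chosen here, and --skip and --keyfile-offset are cryptsetup options that the command on this page does not need.

```shell
#!/bin/sh
# Added example, not part of the wiki page. Assumed parameter formats of the
# encrypt hook: cryptdevice=device:name, cryptkey=device:offset:size (raw key
# bytes on a block device) and crypto=hash:cipher:keysize:offset:skip.

# Print the value of parameter $2 from the kernel command line $1.
param_value() (
    for word in $1; do
        case $word in
            "$2"=*) echo "${word#*=}"; exit 0 ;;
        esac
    done
    exit 1
)

# Succeed if $1 is empty or consists of decimal digits only.
num_or_empty() {
    case $1 in *[!0-9]*) return 1 ;; *) return 0 ;; esac
}

# plain_open_command CMDLINE
# Prints the cryptsetup command that re-creates the plain-mode mapping the
# kernel parameters describe. On inconsistent input it prints "error: ..."
# to stderr and returns 1.
plain_open_command() (
    die() { echo "error: $*" >&2; exit 1; }

    cryptdevice=$(param_value "$1" cryptdevice) || die "cryptdevice= is missing"
    crypto=$(param_value "$1" crypto) || die "crypto= is missing"
    cryptkey=$(param_value "$1" cryptkey) || cryptkey=

    case $cryptdevice in
        ?*:?*) device=${cryptdevice%%:*}; name=${cryptdevice#*:}; name=${name%%:*} ;;
        *) die "cryptdevice= must have the form device:name" ;;
    esac
    [ -n "$name" ] || die "cryptdevice= has an empty mapping name"

    # An empty field means "cryptsetup default"; the page leaves skip empty.
    IFS=: read -r hash cipher keysize offset skip <<EOF
$crypto
EOF
    num_or_empty "$keysize" || die "key size '$keysize' is not a number"
    num_or_empty "$offset" || die "offset '$offset' is not a number"
    num_or_empty "$skip" || die "skip '$skip' is not a number"

    cmd="cryptsetup open --type plain"
    if [ -n "$hash" ]; then cmd="$cmd --hash $hash"; fi
    if [ -n "$cipher" ]; then cmd="$cmd --cipher $cipher"; fi
    if [ -n "$keysize" ]; then cmd="$cmd --key-size $keysize"; fi
    if [ -n "$offset" ]; then cmd="$cmd --offset $offset"; fi
    if [ -n "$skip" ]; then cmd="$cmd --skip $skip"; fi

    if [ -n "$cryptkey" ]; then
        IFS=: read -r kdev koff ksize <<EOF
$cryptkey
EOF
        case $koff in ''|*[!0-9]*) die "only cryptkey=device:offset:size is handled here" ;; esac
        case $ksize in ''|*[!0-9]*) die "cryptkey= size must be a number of bytes" ;; esac
        # ksize is in bytes, keysize in bits: the key needs keysize/8 bytes.
        if [ -n "$keysize" ] && [ $((ksize * 8)) -lt "$keysize" ]; then
            die "cryptkey= supplies $ksize bytes, fewer than a $keysize-bit key needs"
        fi
        cmd="$cmd --key-file $kdev"
        if [ "$koff" -ne 0 ]; then cmd="$cmd --keyfile-offset $koff"; fi
    fi
    echo "$cmd $device $name"
)
```

Calling plain_open_command "$(cat /proc/cmdline)" on the installed system prints the command to keep with your recovery notes.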

Tip: If using GRUB, you can install it on the same USB as the /boot partition with:
# grub-install --recheck /dev/sdb

Post-installation

You may wish to remove the USB sticks after booting. Since the /boot partition is not usually needed, the noauto option can be added to the relevant line in /etc/fstab:

/etc/fstab
# /dev/sdb1
/dev/sdb1 /boot ext4 noauto,rw,noatime 0 2

However, when an update to the kernel or bootloader is required, the /boot partition must be present and mounted. As the entry in fstab already exists, it can be mounted simply with:

# mount /boot

Encrypted boot partition (GRUB)

This setup utilizes the same partition layout and configuration for the system's root partition as the previous #LVM on LUKS section, with the difference that a special feature of the GRUB bootloader is used to additionally encrypt the boot partition /boot. See also GRUB#Boot partition.

The disk layout in this example is:

+---------------------+---------------------+----------------+-----------------------------+-----------------------------+-----------------------------+
| BIOS boot partition | ESP partition       | Boot partition | Logical volume 1            | Logical volume 2            | Logical volume 3            |
|                     |                     |                |                             |                             |                             |
|                     | /boot/efi           | /boot          | /root                       | [SWAP]                      | /home                       |
|                     |                     |                |                             |                             |                             |
|                     |                     |                | /dev/mapper/MyVolGroup-root | /dev/mapper/MyVolGroup-swap | /dev/mapper/MyVolGroup-home |
| /dev/sda1           | /dev/sda2           | /dev/sda3      +-----------------------------+-----------------------------+-----------------------------+
| unencrypted         | unencrypted         | LUKS encrypted | /dev/sda4 encrypted using LVM on LUKS                                                   |
+---------------------+---------------------+----------------+-----------------------------------------------------------------------------------------+
Tip:
  • All scenarios are intended as examples. It is, of course, possible to apply both of the two above distinct installation steps with the other scenarios as well. See also the variants linked in #LVM on LUKS.
  • You can use the cryptboot script from the cryptboot AUR package for simplified encrypted boot management (mounting, unmounting, upgrading packages) and as a defense against Evil Maid attacks with UEFI Secure Boot. For more information and limitations, see the cryptboot project page.

Preparing the disk

Prior to creating any partitions, you should inform yourself about the importance and methods to securely erase the disk, described in dm-crypt/Drive preparation.

For BIOS systems, create a BIOS boot partition with a size of 1 MiB for GRUB to store the second stage of the BIOS bootloader. Do not mount the partition.

For UEFI systems, create an EFI System Partition with an appropriate size. It will later be mounted at /boot/efi.

Create a partition to be mounted at /boot of type 8300 with a size of 200 MiB or more.

Create a partition of type 8E00, which will later contain the encrypted container.

Create the LUKS encrypted container at the "system" partition.

# cryptsetup luksFormat --type luks2 /dev/sda4

For more information about the available cryptsetup options, see the LUKS encryption options before running the above command.

Your partition layout should look similar to this:

# gdisk /dev/sda
Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048            4095   1024.0 KiB  EF02  BIOS boot partition
   2            4096         1130495   550.0 MiB   EF00  EFI System
   3         1130496         1540095   200.0 MiB   8300  Linux filesystem
   4         1540096        69205982   32.3 GiB    8E00  Linux LVM

Open the container:

# cryptsetup open /dev/sda4 cryptlvm

The decrypted container is now available at /dev/mapper/cryptlvm.

Preparing the logical volumes

The LVM logical volumes of this example follow exactly the same layout as the #LVM on LUKS scenario. Therefore, please follow #Preparing the logical volumes above and adjust as required.

Preparing the boot partition

Warning: GRUB does not support LUKS2. Do not use LUKS2 on partitions that GRUB needs to access.

The bootloader loads the kernel, initramfs, and its own configuration files from the /boot directory.

First, create the LUKS container where the files will be located and installed into:

# cryptsetup luksFormat /dev/sda3

Next, open it:

# cryptsetup open /dev/sda3 cryptboot

Create a filesystem on the partition intended for /boot. Any filesystem that can be read by the bootloader is eligible:

# mkfs.ext4 /dev/mapper/cryptboot

Create the directory /mnt/boot:

# mkdir /mnt/boot

Mount the partition to /mnt/boot:

# mount /dev/mapper/cryptboot /mnt/boot

Create a mountpoint for the EFI System Partition at /boot/efi for compatibility with grub-install and mount it:

# mkdir /mnt/boot/efi
# mount /dev/sda2 /mnt/boot/efi

At this point, you should have the following partitions and logical volumes inside of /mnt:

$ lsblk
NAME             MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda              8:0      0   200G  0 disk
├─sda1           8:1      0     1M  0 part
├─sda2           8:2      0   550M  0 part  /boot/efi
├─sda3           8:3      0   200M  0 part
│ └─cryptboot    254:0    0   198M  0 crypt /boot
└─sda4           8:4      0   100G  0 part
  └─cryptlvm     254:1    0   100G  0 crypt
    ├─MyVolGroup-swap 254:2    0     8G  0 lvm   [SWAP]
    ├─MyVolGroup-root 254:3    0    32G  0 lvm   /
    └─MyVolGroup-home 254:4    0    60G  0 lvm   /home

Configuring mkinitcpio

Add the keyboard, encrypt and lvm2 hooks to mkinitcpio.conf:

HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt lvm2 filesystems fsck)

If using the sd-encrypt hook with the systemd-based initramfs, the following needs to be set instead:

HOOKS=(base systemd autodetect keyboard sd-vconsole modconf block sd-encrypt sd-lvm2 filesystems fsck)

See dm-crypt/System configuration#mkinitcpio for details and other hooks that you may need.

Configuring the boot loader

Configure GRUB to recognize the LUKS encrypted /boot partition and unlock the encrypted root partition at boot:

/etc/default/grub
GRUB_CMDLINE_LINUX="... cryptdevice=UUID=device-UUID:cryptlvm ..."
GRUB_ENABLE_CRYPTODISK=y

If using the sd-encrypt hook, the following need to be set instead:

/etc/default/grub
GRUB_CMDLINE_LINUX="... rd.luks.name=device-UUID=cryptlvm ..."
GRUB_ENABLE_CRYPTODISK=y

See dm-crypt/System configuration#Boot loader and GRUB#Boot partition for details. The device-UUID refers to the UUID of /dev/sda4 (the partition which holds the lvm containing the root filesystem). See Persistent block device naming.

Generate GRUB's configuration file:

# grub-mkconfig -o /boot/grub/grub.cfg

Install GRUB to the mounted ESP for UEFI booting:

# grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub --recheck

Install GRUB to the disk for BIOS booting:

# grub-install --target=i386-pc --recheck /dev/sda

If this finished without errors, GRUB should prompt for the passphrase to unlock the /boot partition after the next reboot.

Configuring fstab and crypttab

This section deals with extra configuration to let the system mount the encrypted /boot.

While GRUB asks for a passphrase to unlock the encrypted /boot after the above instructions, the unlocked partition is not passed on to the initramfs. Hence, /boot will not be available after the system has booted or rebooted, because the encrypt hook only unlocks the system's root.

If you used the genfstab script during installation, it will have generated /etc/fstab entries for the /boot and /boot/efi mount points already, but the system will fail to find the generated device mapper for the boot partition. To make it available, add it to crypttab. For example:

/etc/crypttab
cryptboot  /dev/sda3      none        luks

will make the system ask for the passphrase again (i.e. you have to enter it twice at boot: once for GRUB and once for systemd init). To avoid the double entry for unlocking /boot, follow the instructions at dm-crypt/Device encryption#Keyfiles to:

  1. Create a random text keyfile,
  2. Add the keyfile to the (/dev/sda3) boot partition's LUKS header and
  3. Check the /etc/fstab entry and add the /etc/crypttab line to unlock it automatically at boot.

If for some reason the keyfile fails to unlock the boot partition, systemd will fall back to asking for a passphrase to unlock it and, if that is correct, continue booting.

Tip: Optional post-installation steps:
  • It may be worth adding the GRUB bootloader to the ignore list in /etc/pacman.conf in order to control when the bootloader (which includes its own encryption modules) is updated.
  • If you want to encrypt the /boot partition to protect against offline tampering threats, the mkinitcpio-chkcryptoboot hook has been contributed to help.

Btrfs subvolumes with swap

The following example creates a full system encryption with LUKS using Btrfs subvolumes to simulate partitions.

If using UEFI, an EFI System Partition (ESP) is required. /boot itself may reside on / and be encrypted; however, the ESP itself cannot be encrypted. In this example layout, the ESP is /dev/sda3 and is mounted at /boot/efi. /boot itself is located on the system partition, /dev/sda2.

Since /boot resides on the encrypted /, GRUB must be used as the bootloader because only GRUB can load modules necessary to decrypt /boot (e.g., crypto.mod, cryptodisk.mod and luks.mod) [1].

Additionally an optional plain-encrypted swap partition is shown.

Warning: Do not use a swap file instead of a separate partition, because this may result in data loss. See Btrfs#Swap file.
+--------------------------+--------------------------+--------------------------+
|ESP                       |System partition          |Swap partition            |
|unencrypted               |LUKS-encrypted            |plain-encrypted           |
|                          |                          |                          |
|/boot/efi                 |/                         |[SWAP]                    |
|/dev/sda1                 |/dev/sda2                 |/dev/sda3                 |
+--------------------------+--------------------------+--------------------------+

Preparing the disk

Note: It is not possible to use btrfs partitioning as described in Btrfs#Partitionless Btrfs disk when using LUKS. Traditional partitioning must be used, even if it is just to create one partition.

Prior to creating any partitions, you should read about the importance of securely erasing the disk and the methods for doing so, described in dm-crypt/Drive preparation. If you are using UEFI, create an EFI System Partition with an appropriate size. It will later be mounted at /boot/efi. If you are going to create an encrypted swap partition, create the partition for it, but do not mark it as swap, since plain dm-crypt will be used with the partition.

Create the needed partitions, at least one for / (e.g. /dev/sda2). See the Partitioning article.

Preparing the system partition

Create LUKS container

Follow dm-crypt/Device encryption#Encrypting devices with LUKS mode to set up /dev/sda2 for LUKS. See dm-crypt/Device encryption#Encryption options for LUKS mode before doing so for a list of encryption options.

Unlock LUKS container

Now follow dm-crypt/Device encryption#Unlocking/Mapping LUKS partitions with the device mapper to unlock the LUKS container and map it.

Format mapped device

Proceed to format the mapped device as described in Btrfs#File system on a single device, where /dev/partition is the name of the mapped device (i.e., cryptroot) and not /dev/sda2.

Mount mapped device

Finally, mount the now-formatted mapped device (i.e., /dev/mapper/cryptroot) to /mnt.

Tip: You may want to use the compress=lzo mount option. See Btrfs#Compression for more information.

Creating btrfs subvolumes

This article or section is a candidate for merging with Btrfs.

Notes: The subvolume layout is not specific to an encrypted system.

Layout

Subvolumes will be used to simulate partitions, but other (nested) subvolumes will also be created. Here is a partial representation of what the following example will generate:

subvolid=5 (/dev/sda2)
   |
   ├── @ (mounted as /)
   |       |
   |       ├── /bin (directory)
   |       |
   |       ├── /home (mounted @home subvolume)
   |       |
   |       ├── /usr (directory)
   |       |
   |       ├── /.snapshots (mounted @snapshots subvolume)
   |       |
   |       ├── /var/cache/pacman/pkg (nested subvolume)
   |       |
   |       ├── ... (other directories and nested subvolumes)
   |
   ├── @snapshots (mounted as /.snapshots)
   |
   ├── @home (mounted as /home)
   |
   └── @... (additional subvolumes you wish to use as mount points)

This section follows the Snapper#Suggested filesystem layout, which is most useful when used with Snapper. You should also consult Btrfs Wiki SysadminGuide#Layout.

Create top-level subvolumes

Here we are using the convention of prefixing @ to subvolume names that will be used as mount points, and @ will be the subvolume that is mounted as /.

Following the Btrfs#Creating a subvolume article, create subvolumes at /mnt/@, /mnt/@snapshots, and /mnt/@home.

Create any additional subvolumes you wish to use as mount points now.

Mount top-level subvolumes

Unmount the system partition at /mnt.

Now mount the newly created @ subvolume, which will serve as /, to /mnt using the subvol= mount option. Assuming the mapped device is named cryptroot, the command would look like:

# mount -o compress=lzo,subvol=@ /dev/mapper/cryptroot /mnt

See Btrfs#Mounting subvolumes for more details.

Also mount the other subvolumes to their respective mount points: @home to /mnt/home and @snapshots to /mnt/.snapshots.

Create nested subvolumes

Create any subvolumes you do not want to have snapshots of when taking a snapshot of /. For example, you probably do not want to take snapshots of /var/cache/pacman/pkg. These subvolumes will be nested under the @ subvolume, but just as easily could have been created earlier at the same level as @ according to your preference.

Since the @ subvolume is mounted at /mnt you will need to create a subvolume at /mnt/var/cache/pacman/pkg for this example. You may have to create any parent directories first.

Other directories you may wish to do this with are /var/abs, /var/tmp, and /srv.
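The subvolume steps above, from creating the top-level subvolumes to the nested ones, as a single sequence. This is an added example, not part of the original article; the names run and make_layout are hypothetical, and it assumes the mapped device is cryptroot with its top level (subvolid=5) already mounted at /mnt.

```shell
#!/bin/sh
# Added example: create and mount the @, @snapshots and @home layout.
# DRY_RUN=1 (the default) only prints the commands; DRY_RUN=0 runs them as root.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# make_layout MAPPER_NAME TARGET [NESTED_PATH ...]
# NESTED_PATH is relative to /, e.g. var/cache/pacman/pkg
# The body is a subshell so that "set -e" stops at the first failed command
# without changing the caller's shell options.
make_layout() (
    set -e
    dev="/dev/mapper/$1"; mnt="$2"; shift 2
    opts="compress=lzo"

    # Top-level subvolumes, created while subvolid=5 is mounted at $mnt.
    for sv in @ @snapshots @home; do
        run btrfs subvolume create "$mnt/$sv"
    done

    # Replace the top-level mount with the @ subvolume.
    run umount "$mnt"
    run mount -o "$opts,subvol=@" "$dev" "$mnt"

    # The mount points must be created inside @, i.e. after it is mounted.
    run mkdir -p "$mnt/home" "$mnt/.snapshots"
    run mount -o "$opts,subvol=@home" "$dev" "$mnt/home"
    run mount -o "$opts,subvol=@snapshots" "$dev" "$mnt/.snapshots"

    # Nested subvolumes are left out of snapshots of /.
    for nested in "$@"; do
        run mkdir -p "$mnt/$(dirname "$nested")"
        run btrfs subvolume create "$mnt/$nested"
    done
)
```

Calling make_layout cryptroot /mnt var/cache/pacman/pkg prints the plan for the layout shown earlier; review it, then repeat with DRY_RUN=0.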

Mount ESP

If you prepared an EFI system partition earlier, create its mount point and mount it now.

Note: Btrfs snapshots will exclude /boot/efi, since it is not a btrfs file system.

At the pacstrap installation step, the btrfs-progs package must be installed in addition to the base group.

Configuring mkinitcpio

Create keyfile

In order for GRUB to open the LUKS partition without having the user enter their passphrase twice, we will use a keyfile embedded in the initramfs. Follow dm-crypt/Device encryption#With a keyfile embedded in the initramfs, making sure to add the key to /dev/sda2 at the luksAddKey step.

Edit mkinitcpio.conf

After creating, adding, and embedding the key as described above, add the encrypt hook to mkinitcpio.conf as well as any other hooks you require. See dm-crypt/System configuration#mkinitcpio for detailed information.

Tip: You may want to add BINARIES=(/usr/bin/btrfs) to your mkinitcpio.conf. See the Btrfs#Corruption recovery article.

Configuring the boot loader

Install GRUB to /dev/sda. Then, edit /etc/default/grub as instructed in the GRUB#Encryption article, following the instructions for both an encrypted root and an encrypted boot partition. Finally, generate the GRUB configuration file.

Configuring swap

If you created a partition to be used for encrypted swap, now is the time to configure it. Follow the instructions at dm-crypt/Swap encryption.