Difference between revisions of "User:Indigo"
Revision as of 11:05, 11 August 2013
I am from Germany. I have interests in security-related subjects and follow pages here on a variety of networking and encryption topics. The distro I have used most is Debian, interrupted by stints with Ubuntu. I have been using Arch since mid-2011. Feel free to leave comments on the talk page here or send me an email via the wiki interface.
Work-in-progress page
Mind you: I was not using Arch yet when most of the following section was written. It is saved here because we re-worked the original considerably. This will be deleted in Sept 13.
Encrypting a LVM setup
It's really easy to use encryption with LVM. If you do not know how to set up LVM, then read Installing with Software RAID or LVM.
LVM on LUKS
The easiest and best method is to set up LVM on top of the encrypted partition instead of the other way round. This link here is easy to follow and explains everything: Arch Linux: LVM on top of an encrypted partition
The most important thing in setting up LVM on top of encryption is to configure the initramfs to run both the encrypt hook and the lvm2 hook (and those two before the filesystems hook). In the past, it was necessary to ensure the correct ordering of these hooks in /etc/mkinitcpio.conf, but the order no longer matters with the current implementation of lvm2.
LUKS on LVM
To use encryption on top of LVM, you have to first set up your LVM volumes and then use them as the base for the encrypted partitions. That means, in short, that you have to set up LVM first. Then follow this guide, but replace all occurrences of /dev/sdXy in the guide with its LVM counterpart (e.g. /dev/sda5 -> /dev/<volume group name>/home). This is used to set up partitions (inside the LVM) which can be unlocked separately, or a mixture of encrypted and non-encrypted partitions.
For encrypted partitions inside an LVM, the lvm2 hook has to run first, before the respective encrypted logical volumes can be unlocked. So if you chose to set up encrypted partitions on top of LVM, add the encrypt hook in /etc/mkinitcpio.conf after the lvm2 hook.
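The two sections above state opposite hook orderings for the two layouts. As an added example (not code from this page or from mkinitcpio), the POSIX shell function below checks a HOOKS line against the layout you chose; check_hooks, hook_index and the sample HOOKS strings are constructed here, while encrypt, lvm2 and filesystems are the real mkinitcpio hook names. For lvm-on-luks it enforces the classic encrypt-before-lvm2 order as the conservative choice, even though the page notes current lvm2 tolerates either.

```shell
#!/bin/sh
# Added example: verify mkinitcpio HOOKS ordering for a dm-crypt + LVM layout.
# Usage: check_hooks 'HOOKS="base udev ... filesystems"' luks-on-lvm|lvm-on-luks

hook_index() {
    # Print the 1-based position of hook $2 in the space-separated list $1, or 0.
    i=0
    for h in $1; do
        i=$((i + 1))
        [ "$h" = "$2" ] && { echo "$i"; return 0; }
    done
    echo 0
}

check_hooks() {
    line=$1; layout=$2
    # Strip the HOOKS= prefix and the quotes (old style) or parentheses (new style).
    hooks=$(printf '%s\n' "$line" | sed -e 's/^[[:space:]]*HOOKS=//' -e 's/[()"]//g')
    e=$(hook_index "$hooks" encrypt)
    l=$(hook_index "$hooks" lvm2)
    f=$(hook_index "$hooks" filesystems)
    [ "$e" -gt 0 ] || { echo "missing encrypt hook"; return 1; }
    [ "$l" -gt 0 ] || { echo "missing lvm2 hook"; return 1; }
    [ "$f" -gt 0 ] || { echo "missing filesystems hook"; return 1; }
    # Both hooks must run before filesystems, whatever the layout.
    [ "$e" -lt "$f" ] && [ "$l" -lt "$f" ] || { echo "encrypt and lvm2 must precede filesystems"; return 1; }
    case $layout in
        luks-on-lvm)
            # Encrypted LVs only exist once lvm2 has activated the volume group.
            [ "$l" -lt "$e" ] || { echo "luks-on-lvm: lvm2 must come before encrypt"; return 1; } ;;
        lvm-on-luks)
            # The volume group lives inside the LUKS container, so open it first.
            [ "$e" -lt "$l" ] || { echo "lvm-on-luks: encrypt must come before lvm2"; return 1; } ;;
        *) echo "unknown layout: $layout"; return 2 ;;
    esac
    echo "ok: $layout"
}
```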
LVM with Arch Linux Installer (>2009.08 <2012.07.15)
Between Arch Linux installation media releases 2009.08 and 2012.07.15, LVM and dm_crypt were supported by the installer out of the box. This made it very easy to configure a system for LVM on dm-crypt or vice versa. Actually the configuration is done exactly as without LVM: see the corresponding section above. It differs only in two aspects.
The partition and filesystem choice
Create a small, unencrypted boot partition and use the remaining space for a single partition which can later be split up into multiple logic volumes by LVM.
For an LVM-on-dm-crypt system, set up the filesystems and mount points for example like this:
/dev/sda1 raw->ext2;yes;/boot;no_opts;no_label;no_params
/dev/sda2 raw->dm_crypt;yes;no_mountpoint;no_opts;sda2crypt;-c_aes-xts-plain_-y_-s_512
/dev/mapper/sda2crypt dm_crypt->lvm-vg;yes;no_mountpoint;no_opts;no_label;no_params
/dev/mapper/sda2crypt+ lvm-pv->lvm-vg;yes;no_mountpoint;no_opts;cryptpool;no_params
/dev/mapper/cryptpool lvm-vg(cryptpool)->lvm-lv;yes;no_mountpoint;no_opts;cryptroot;10000M|lvm-lv;yes;no_mountpoint;no_opts;crypthome;20000M
/dev/mapper/cryptpool-cryptroot lvm-lv(cryptroot)->ext3;yes;/;no_opts;cryptroot;no_params
/dev/mapper/cryptpool-crypthome lvm-lv(crypthome)->ext3;yes;/home;no_opts;cryptroot;no_params
The configuration stage
- In /etc/mkinitcpio.conf add the encrypt hook before the lvm2 hook in the HOOKS array, if you set up LVM on top of the encrypted partition.
- In /etc/rc.conf set USELVM to "yes".
That is it for the LVM & dm_crypt specific part. The rest is done as usual.
Applying this to a non-root partition
You might get tempted to apply all this fancy stuff to a non-root partition. Arch does not support this out of the box; however, you can easily change the cryptdev and cryptname values in /lib/initcpio/hooks/encrypt (the first one to your /dev/sd* partition, the second to the name you want to attribute). That should be enough.
The big advantage is you can have everything automated, while setting up /etc/crypttab with an external key file (i.e. the keyfile is not on any internal hard drive partition) can be a pain: you need to make sure the USB/FireWire/... device gets mounted before the encrypted partition, which means you have to change the order of /etc/fstab (at least).
Of course, if the cryptsetup package gets upgraded, you will have to change this script again. However, this solution is to be preferred over hacking /etc/rc.sysinit or similar files. Unlike /etc/crypttab, only one partition is supported, but with some further hacking one should be able to have multiple partitions unlocked.
If you want to do this on a software RAID partition, there is one more thing you need to do. Just setting the /dev/mdX device in /lib/initcpio/hooks/encrypt is not enough; the encrypt hook will fail to find the key for some reason, and not prompt for a passphrase either. It looks like the RAID devices are not brought up until after the encrypt hook is run. You can solve this by putting the RAID array in /boot/grub/menu.lst, like
kernel /boot/vmlinuz-linux md=1,/dev/hda5,/dev/hdb5
If you set up your root partition as a RAID, you will notice the similarities with that setup ;-). GRUB can handle multiple array definitions just fine:
kernel /boot/vmlinuz-linux root=/dev/md0 ro md=0,/dev/sda1,/dev/sdb1 md=1,/dev/sda5,/dev/sdb5,/dev/sdc5
LVM and dm-crypt manually (short version)
Notes
If you are smart enough for this, you will be smart enough to ignore/replace LVM-specific things if you do not want to use LVM.
Partitioning scheme
/dev/sda1 -> /boot
/dev/sda2 -> LVM
The commands
cryptsetup -d /dev/random -c aes-xts-plain -s 512 create lvm /dev/sda2
dd if=/dev/urandom of=/dev/mapper/lvm
cryptsetup remove lvm
lvm pvcreate /dev/sda2
lvm vgcreate lvm /dev/sda2
lvm lvcreate -L 10G -n root lvm
lvm lvcreate -L 500M -n swap lvm
lvm lvcreate -L 500M -n tmp lvm
lvm lvcreate -l 100%FREE -n home lvm
cryptsetup luksFormat -c aes-xts-plain -s 512 /dev/lvm/root
cryptsetup luksOpen /dev/lvm/root root
mkreiserfs /dev/mapper/root
mount /dev/mapper/root /mnt
dd if=/dev/zero of=/dev/sda1 bs=1M
mkreiserfs /dev/sda1
mkdir /mnt/boot
mount /dev/sda1 /mnt/boot
mkdir -p -m 700 /mnt/etc/luks-keys
dd if=/dev/random of=/mnt/etc/luks-keys/home bs=1 count=256
Install Arch Linux
Run /arch/setup
Configuration
/etc/rc.conf
Change USELVM="no" to USELVM="yes".
/etc/mkinitcpio.conf
Put lvm2 and encrypt (in that order) before filesystems in the HOOKS array. Again, note that you are setting encryption on top of LVM.
If you want to install the system on a USB stick, you need to put usb just after udev.
Change root=/dev/hda3 to root=/dev/lvm/root.
For kernel >= 2.6.30, you should change root=/dev/hda3 to the following:
cryptdevice=/dev/lvm/root:root root=/dev/mapper/root
If you want to install the system on a USB stick, you need to add lvmdelay=/dev/mapper/lvm-root.
/etc/fstab
/dev/mapper/root / reiserfs defaults 0 1
/dev/sda1 /boot reiserfs defaults 0 2
/dev/mapper/tmp /tmp tmpfs defaults 0 0
/dev/mapper/swap none swap sw 0 0
/etc/crypttab
swap /dev/lvm/swap SWAP -c aes-xts-plain -h whirlpool -s 512
tmp /dev/lvm/tmp /dev/urandom -c aes-xts-plain -s 512
After rebooting
The commands
cryptsetup luksFormat -c aes-xts-plain -s 512 /dev/lvm/home /etc/luks-keys/home
cryptsetup luksOpen -d /etc/luks-keys/home /dev/lvm/home home
mkreiserfs /dev/mapper/home
mount /dev/mapper/home /home
/etc/crypttab
home /dev/lvm/home /etc/luks-keys/home
/etc/fstab
/dev/mapper/home /home reiserfs defaults 0 0
/ on LVM on LUKS
Make sure your kernel command line looks like this:
root=/dev/mapper/<volume-group>-<logical-volume> cryptdevice=/dev/<luks-part>:<volume-group>
For example:
root=/dev/mapper/vg-arch cryptdevice=/dev/sda4:vg
Or like this:
cryptdevice=/dev/<volume-group>/<logical-volume>:root root=/dev/mapper/root
AIF Instructions
(saved here for intermediate reference upon rm'ing the section in the LUKS wiki)
Prepare hard drive for AIF
Now that /dev/mapper/root and /dev/mapper/home are in place, we can enter the regular Arch setup script to install the system into the encrypted volumes.
# /arch/setup
Skip the Partitioning and Auto-Prepare steps and go straight to manual configuration.
Instead of choosing the hardware devices (/dev/sdaX) directly, you have to select the mapper devices created above. Choose /dev/mapper/root for your root and /dev/mapper/home as /home partition respectively and format them with any filesystem you like. The same is valid for a swap partition, which is set up like the /home partition. Make sure you mount /dev/sda1 as the /boot partition, or else the installer will not properly set up the bootloader.
Select and Install packages
Select and install the packages as usual: the base package contains all required programs.
Exit Install
Now that the install is finished, the only thing left to do is add entries to the /etc/crypttab file so you do not have to enter the passphrase for all encrypted partitions. This works only for non-root partitions, e.g. /home, swap, etc.
# vi /mnt/etc/crypttab
Add one of the following for the /home partition.
/etc/crypttab is deprecated: see http://www.mail-archive.com/arch-projects@archlinux.org/msg02115.html
home /dev/sda5 /etc/mypassword1
You can also use a keyfile instead of a passphrase. If not already done, create a keyfile and add the key to the corresponding LUKS partition as described above.
Then add the following information to the /etc/crypttab file for automounting:
home /dev/sda5 /path/of/your/keyfile
If you used a USB device to store your keyfile, you should have something like this:
home /dev/sda5 /dev/sd*1/keyfile
Or if the keyfile was stored in the MBR, it should be like this:
home /dev/sda5 /dev/sd*:2048:2048
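The crypttab entries above and in the short version earlier all use the legacy "name device password options" format. As an added example (not from this page), the POSIX shell functions below classify how each mapping obtains its key and flag two failure modes: a random key (SWAP or /dev/urandom) on a volume other than swap or tmp, whose contents would be lost at every boot, and a random-keyed plain mapping with no explicit -c cipher, which the page's own entries always state. classify_key, audit_crypttab, audit_sample and CRYPTTAB_SAMPLE are constructed here.

```shell
#!/bin/sh
# Added example: audit legacy-format crypttab lines ("name device password options").

classify_key() {
    # Map the password field to the way the mapping obtains its key.
    case $1 in
        SWAP|/dev/urandom|/dev/random) echo random ;;   # plain dm-crypt, new key each boot
        ''|ASK|none) echo passphrase ;;                 # interactive prompt
        /dev/*:*:*) echo raw-device-offset ;;           # key bytes read from device:offset:size
        *) echo keyfile ;;                              # regular file holding the key
    esac
}

audit_crypttab() {
    # Read crypttab text on stdin; print "name:keytype[:warning]" per entry.
    while read -r name dev key opts; do
        case $name in ''|'#'*) continue ;; esac         # skip blank and comment lines
        kt=$(classify_key "$key")
        warn=
        if [ "$kt" = random ]; then
            # A random key means the volume is recreated at every boot:
            # fine for swap and tmp, data loss for anything persistent.
            case $name in swap*|tmp*) ;; *) warn=random-key-on-persistent-volume ;; esac
            # Plain mode has no header to record the cipher, so -c must be given
            # explicitly and consistently (the page's entries always do).
            case " $opts " in *" -c "*) ;; *) warn=${warn:-no-explicit-cipher} ;; esac
        fi
        printf '%s:%s%s\n' "$name" "$kt" "${warn:+:$warn}"
    done
}

# Constructed sample: the entries used on this page plus two risky ones (data, tmp2).
CRYPTTAB_SAMPLE='# constructed sample crypttab
swap /dev/lvm/swap SWAP -c aes-xts-plain -h whirlpool -s 512
tmp /dev/lvm/tmp /dev/urandom -c aes-xts-plain -s 512
home /dev/lvm/home /etc/luks-keys/home
usbhome /dev/sda5 /dev/sdb:2048:2048
data /dev/lvm/data /dev/urandom
tmp2 /dev/lvm/tmp2 /dev/urandom'

audit_sample() { printf '%s\n' "$CRYPTTAB_SAMPLE" | audit_crypttab; }
```

Run audit_sample (or pipe a real /etc/crypttab into audit_crypttab) to get one line per mapping; only the data and tmp2 entries of the sample carry a warning.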
After rebooting you should now be presented with the text "A password is required to access the root filesystem:" followed by a prompt for a LUKS password. Type it in and everything should boot.
Once you have logged in, have a look at your mounted partitions by typing mount. You should have /dev/mapper/root mounted at / and, if you set up a separate encrypted home partition, /dev/mapper/home mounted at /home. If you set up encrypted swap, swapon -s should have /dev/mapper/swap listed as your swap partition.
GRUB Legacy
GRUB Legacy: You have to make some small changes to the entries generated by the installer by replacing /dev/mapper/root with /dev/sda3. The important point to remember here is to use the same cryptdevice name you assigned when you initially unlocked your device. In this example, the device name is cryptroot; customize yours accordingly:
# (0) Arch Linux
title Arch Linux
root (hd0,0)
kernel /vmlinuz-linux cryptdevice=/dev/sda3:cryptroot root=/dev/mapper/cryptroot ro
initrd /initramfs-linux.img
For kernels older than 2.6.37, the syntax is:
# (0) Arch Linux
title Arch Linux
root (hd0,0)
kernel /vmlinuz26 root=/dev/sda3 ro
initrd /kernel26.img
LILO
LILO: Edit the Arch Linux section in /etc/lilo.conf and include a line for the append option, over the initrd, with the root=/dev/sda3 parameter. The append section makes the same kernel line as in GRUB. Also, you can omit the root option above the image option. The section looks like this:
# Arch Linux lilo section
image = /vmlinuz-linux
# root = /dev/sda3
label = Arch
initrd = /initramfs-linux.img
append = "root=/dev/sda3"
read-only
If you want to use a USB flash drive with a keyfile, you have to append the cryptkey option. See the corresponding section above.