From ArchWiki
Revision as of 15:51, 20 July 2013 by Indigo (talk | contribs)

Luks LVM

The following is current work-in-progress to update the LUKS page section 8.


Below you only find snips and edits that I want to save for some reason.

/home crypttab problem



AIF Instructions

(saved here for intermediate reference upon rm'ing the section in the LUKS wiki)

This section is being considered for removal.

Reason: (Discuss in User talk:Indigo#)

This article or section is out of date.

Reason: AIF (Arch Installation Framework; referenced below also as /arch/setup) does not exist anymore, GRUB Legacy is not available anymore (Discuss in User talk:Indigo#)

Prepare hard drive for AIF

Now that /dev/mapper/root and /dev/mapper/home are in place, we can enter the regular Arch setup script to install the system into the encrypted volumes.

# /arch/setup

Skip the Partitioning and Auto-Prepare steps and go straight to manual configuration. Instead of choosing the hardware devices (/dev/sdaX) directly, you have to select the mapper devices created above. Choose /dev/mapper/root for your root and /dev/mapper/home as /home partition respectively and format them with any filesystem you like. The same is valid for a swap partition which is set up like the /home partition. Make sure you mount /dev/sda1 as the /boot partition, or else the installer will not properly set up the bootloader.

Select and Install packages

Select and install the packages as usual: the base package contains all required programs.

Exit Install

Now that the install is finished the only thing left to do is add entries to the /etc/crypttab file so you do not have to enter the passphrase for all encrypted partitions. This works only for non-root partitions e.g. /home, swap, etc.

# vi /mnt/etc/crypttab

Add one of the following for the /home partition.

Note: Using a passphrase to decrypt LUKS partitions automatically from /etc/crypttab is deprecated: see

home    /dev/sda5    /etc/mypassword1

You can also use a keyfile instead of a passphrase. If not already done, create a keyfile and add the key to the corresponding LUKS partition as described above. Then add the following information to the /etc/crypttab file for automounting:

home    /dev/sda5    /path/of/your/keyfile

If you used a USB device to store your keyfile, you should have something like this:

home    /dev/sda5    /dev/sd*1/keyfile

Or if the keyfile was stored in the MBR, it should be like this:

home    /dev/sda5    /dev/sd*:2048:2048

Note: When reading the keyfile from the MBR it should be /dev/sdb not /dev/sdb1 but if the key is in the filesystem it should still be /dev/sdb1.
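
The following is an added example, not part of the original wiki text: shell functions that read a crypttab, classify each entry's key field into the forms shown above, and flag a passphrase file or keyfile that group or others can access. The entry names data, usb, mbr and swap, the devices /dev/sda6 to /dev/sda9 and /etc/home.key are constructed for the sample; `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# classify_key FIELD: how the key in crypttab's third field will be obtained.
classify_key() {
    case "$1" in
        ''|none|-)  echo prompt ;;         # passphrase typed at boot
        /dev/*:*:*) echo device-offset ;;  # raw bytes, e.g. /dev/sd*:2048:2048
        /dev/*/*)   echo device-file ;;    # file on a device, e.g. /dev/sd*1/keyfile
        /*)         echo file ;;           # keyfile or passphrase file on the system
        *)          echo unknown ;;
    esac
}

# audit_crypttab FILE [ROOT]: one finding per entry. ROOT is where the installed
# system is mounted (/mnt during installation, empty on the running system).
audit_crypttab() {
    tab=$1 root=${2:-}
    while read -r name _dev key _opts; do
        case "$name" in ''|'#'*) continue ;; esac
        kind=$(classify_key "$key")
        if [ "$kind" != file ]; then
            echo "$name: $kind"
        elif [ ! -f "$root$key" ]; then
            echo "$name: MISSING $key"
        else
            mode=$(stat -c %a "$root$key")   # GNU coreutils stat, octal mode
            case "$mode" in
                *00|0) echo "$name: ok $key ($mode)" ;;
                *)     echo "$name: EXPOSED $key ($mode)" ;;  # group/other bits set
            esac
        fi
    done < "$tab"
}

# Constructed sample (names, devices and home.key are made up for this example).
demo_audit() {
    d=$(mktemp -d) && mkdir -p "$d/etc"
    printf 'secret\n' > "$d/etc/mypassword1"; chmod 644 "$d/etc/mypassword1"
    printf 'k\n' > "$d/etc/home.key"; chmod 400 "$d/etc/home.key"
    cat > "$d/etc/crypttab" <<'EOF'
# name  device     key
home    /dev/sda5  /etc/mypassword1
data    /dev/sda6  /etc/home.key
usb     /dev/sda7  /dev/sd*1/keyfile
mbr     /dev/sda8  /dev/sd*:2048:2048
swap    /dev/sda9  none
EOF
    audit_crypttab "$d/etc/crypttab" "$d"
    rm -rf "$d"
}
```

During installation, call `audit_crypttab /mnt/etc/crypttab /mnt` so that key paths are resolved inside the installed system rather than the live environment.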

After rebooting you should now be presented with the text

A password is required to access the root filesystem:

followed by a prompt for a LUKS password. Type it in and everything should boot. Once you have logged in, have a look at your mounted partitions by typing mount. You should have /dev/mapper/root mounted at / and, if you set up a separate encrypted home partition, /dev/mapper/home mounted at /home. If you set up encrypted swap, swapon -s should have /dev/mapper/swap listed as your swap partition.

Note: The text prompting for the password may be mixed up with other boot messages, so the boot process may seem frozen at first glance. It is not; simply enter your password and press Enter.

GRUB Legacy

This article or section is out of date.

Reason: Like AIF in this section, GRUB Legacy and LILO are dropped. (Discuss in User talk:Indigo#)

GRUB Legacy: You have to make some small changes to the entries generated by the installer by replacing /dev/mapper/root with /dev/sda3. The important point to remember here is to use the same cryptdevice name you assigned when you initially unlocked your device. In this example, the device name is cryptroot; customize yours accordingly:

# (0) Arch Linux
title Arch Linux
root (hd0,0)
kernel /vmlinuz-linux cryptdevice=/dev/sda3:cryptroot root=/dev/mapper/cryptroot ro
initrd /initramfs-linux.img

For kernels older than 2.6.37, the syntax is:

# (0) Arch Linux
title Arch Linux
root (hd0,0)
kernel /vmlinuz26 root=/dev/sda3 ro
initrd /kernel26.img


LILO: Edit the Arch Linux section in /etc/lilo.conf and include a line for the append option, over the initrd, with the root=/dev/sda3 parameter. The append section makes the same kernel line as in GRUB. Also, you can omit the root option above the image option. The section looks like this:

# Arch Linux lilo section
image = /vmlinuz-linux
# root = /dev/sda3
 label = Arch
 initrd = /initramfs-linux.img
 append = "root=/dev/sda3"

If you want to use a USB flash drive with a keyfile, you have to append the cryptkey option. See the corresponding section above.