Difference between revisions of "User talk:Indigo"

From ArchWiki
(Encrypting a LVM setup (rework of LUKS section 8): new section)
(Encrypting a LVM setup: edit 1)
Line 6: Line 6:
 
{{Merge|Encrypted_LVM |Device mapper stacking is explained there building on the LVM wiki with a howto for both approaches below.}}
 
{{Merge|Encrypted_LVM |Device mapper stacking is explained there building on the LVM wiki with a howto for both approaches below.}}
  
It's really easy to use encryption with [[LVM]]. If you do not know how to set up LVM, then read [[Installing with Software RAID or LVM]].
+
It's really easy to use encryption with [[LVM]]. If you do not know how to set up LVM, then read [[Installing with Software RAID or LVM]]. Using LVM is particularly helpful when a system with multiple partitions is planned. While there are a number of alternatives for unlocking multiple partitions with the same passphrase/key, the default Arch initcpio hooks do not implement non-standard ways. A combination of the initcpio {{ic|encrypt}} and {{ic|lvm2}} hooks, however, enables to setup a system with numerous logical volumes as partitions while using one passphrase/key to unlock them.  
  
 
'''LVM on LUKS'''
 
'''LVM on LUKS'''
  
The easiest and best method is to set up LVM on top of the encrypted partition instead of the other way round. This link here is easy to follow and explains everything: [http://www.pindarsign.de/webblog/?p=767 Arch Linux: LVM on top of an encrypted partition]
+
The straight-forward method is to set up LVM on top of the encrypted partition instead of the other way round. Technically the LVM is setup inside one big encrypted LUKS blockdevice. Hence, the LVM is not transparent until the blockdevice is unlocked and the underlying volume structure is scanned and mounted during boot.
  
 
The most important thing in setting LVM on '''top''' of encryption is to [[#Configure initramfs|configure the initramfs]] for running '''both''' the {{ic|encrypt}} hook '''and''' the {{ic|lvm2}} hook (and those two before the {{ic|filesystems}} hook). In the past, it was necessary to ensure the correct ordering of these hooks in {{ic|/etc/mkinitcpio.conf}} but the order no longer matters with the current implementation of {{ic|lvm2}}.
 
The most important thing in setting LVM on '''top''' of encryption is to [[#Configure initramfs|configure the initramfs]] for running '''both''' the {{ic|encrypt}} hook '''and''' the {{ic|lvm2}} hook (and those two before the {{ic|filesystems}} hook). In the past, it was necessary to ensure the correct ordering of these hooks in {{ic|/etc/mkinitcpio.conf}} but the order no longer matters with the current implementation of {{ic|lvm2}}.
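Review bot: the added sentence "the default Arch initcpio hooks do not implement non-standard ways" in the new intro names neither the alternatives nor what is non-standard about them; either say what is meant (unlocking several containers from one passphrase outside the encrypt/lvm2 combination) or drop the clause, and "enables to setup a system" should read "makes it possible to set up a system". In the rewritten LVM on LUKS paragraph, "is setup" should be "is set up" and "blockdevice" two words; the explanation that the volume structure is invisible until the container is unlocked is a better justification than the removed external link, so the replacement itself is an improvement.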
Line 43: Line 43:
  
 
That is it for the LVM & dm_crypt specific part. The rest is done as usual.
 
That is it for the LVM & dm_crypt specific part. The rest is done as usual.
 
{{Accuracy|The {{ic|lvm2}} hook activates the (encrypted) root volume group long before sysvinit (or systemd) can run from there. Letting sysvinit later run a second LVM activation in addition serves no purpose. Read [[LVM#Configure system]]. However this error is duplicated within the [[#Encrypting a LVM setup]] section.}}
 
* In {{ic|/etc/rc.conf}} set {{ic|USELVM}} to {{ic|"yes"}}.
 
  
 
=== Applying this to a non-root partition ===
 
=== Applying this to a non-root partition ===
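Review bot: deleting the USELVM bullet together with the Accuracy template is the right fix for this section, but the template's own text said the same rc.conf advice is duplicated in the manual short version further down, and that section still tells the reader to change USELVM="no" to USELVM="yes"; apply the same removal (or the same caveat) there, otherwise the page stays inconsistent with itself.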
Line 52: Line 49:
 
The big advantage is you can have everything automated, while setting up {{ic|/etc/crypttab}} with an external key file (i.e. the keyfile is not on any internal hard drive partition) can be a pain - you need to make sure the USB/FireWire/... device gets mounted before the encrypted partition, which means you have to change the order of {{ic|/etc/fstab}} (at least).
 
The big advantage is you can have everything automated, while setting up {{ic|/etc/crypttab}} with an external key file (i.e. the keyfile is not on any internal hard drive partition) can be a pain - you need to make sure the USB/FireWire/... device gets mounted before the encrypted partition, which means you have to change the order of {{ic|/etc/fstab}} (at least).
  
Of course, if the {{Pkg|cryptsetup}} package gets upgraded, you will have to change this script again. However, this solution is to be preferred over hacking {{ic|/etc/rc.sysinit}} or similar files. Unlike {{ic|/etc/crypttab}}, only one partition is supported, but with some further hacking one should be able to have multiple partitions unlocked.
+
Of course, if the {{pkg|cryptsetup}} package gets upgraded, you will have to change this script again. Unlike {{ic|/etc/crypttab}}, only one partition is supported, but with some further hacking one should be able to have multiple partitions unlocked.
  
 
If you want to do this on a software RAID partition, there is one more thing you need to do. Just setting the {{ic|/dev/mdX}} device in {{ic|/lib/initcpio/hooks/encrypt}} is not enough; the {{ic|encrypt}} hook will fail to find the key for some reason, and not prompt for a passphrase either. It looks like the RAID devices are not brought up until after the {{ic|encrypt}} hook is run. You can solve this by putting the RAID array in {{ic|/boot/grub/menu.lst}}, like  
 
If you want to do this on a software RAID partition, there is one more thing you need to do. Just setting the {{ic|/dev/mdX}} device in {{ic|/lib/initcpio/hooks/encrypt}} is not enough; the {{ic|encrypt}} hook will fail to find the key for some reason, and not prompt for a passphrase either. It looks like the RAID devices are not brought up until after the {{ic|encrypt}} hook is run. You can solve this by putting the RAID array in {{ic|/boot/grub/menu.lst}}, like  
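Review bot: with the "preferred over hacking /etc/rc.sysinit" sentence gone, "you will have to change this script again" no longer says which script is meant within this hunk; name /lib/initcpio/hooks/encrypt explicitly. The {{Pkg}} to {{pkg}} change is cosmetic, MediaWiki resolves both.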
Line 63: Line 60:
  
 
==== Notes ====
 
==== Notes ====
If you are smart enough for this, you will be smart enough to ignore/replace LVM-specific things if you do not want to use LVM.
+
If you are smart enough for this, you will be smart enough to ignore/replace LVM-specific things.
  
 
{{Note|This brief uses reiserfs for some of the partitions, so change this accordingly if you want to use a more "normal" file system, like ext4.}}
 
{{Note|This brief uses reiserfs for some of the partitions, so change this accordingly if you want to use a more "normal" file system, like ext4.}}
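Review bot: trimming "if you do not want to use LVM" removes the condition that gave the sentence its point; as it now reads, "smart enough to ignore/replace LVM-specific things" no longer says when the reader would do that. Keep the condition or drop the sentence altogether.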
Line 146: Line 143:
 
Or like this:
 
Or like this:
 
  cryptdevice=/dev/<volume-group>/<logical-volume>:root root=/dev/mapper/root
 
  cryptdevice=/dev/<volume-group>/<logical-volume>:root root=/dev/mapper/root
 +
 +
 +
 +
 +
==saving links for resources section==
 +
This link here is easy to follow and explains everything: [http://www.pindarsign.de/webblog/?p=767 Arch Linux: LVM on top of an encrypted partition]
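Review bot: parking the pindarsign.de link removed in the first hunk under a new ==saving links for resources section== heading keeps it findable, which is fine for a talk-page draft; the five empty added lines above the heading only add whitespace and can go.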

Revision as of 16:28, 20 July 2013

Feel free to leave comments. --Indigo (talk) 17:43, 27 September 2012 (UTC)

Encrypting a LVM setup (rework of LUKS section 8)

Encrypting a LVM setup

This article or section is a candidate for merging with Encrypted_LVM.

Notes: Device mapper stacking is explained there building on the LVM wiki with a howto for both approaches below.

It's really easy to use encryption with LVM. If you do not know how to set up LVM, then read Installing with Software RAID or LVM. Using LVM is particularly helpful when a system with multiple partitions is planned. There are a number of alternative ways to unlock multiple partitions with the same passphrase/key, but the default Arch initcpio hooks implement none of them. A combination of the initcpio encrypt and lvm2 hooks, however, makes it possible to set up a system with numerous logical volumes as partitions while using one passphrase/key to unlock all of them.

LVM on LUKS

The straightforward method is to set up LVM on top of the encrypted partition rather than the other way round. Technically the LVM is set up inside one big LUKS block device. Hence, nothing of the volume structure is visible until the block device is unlocked and the underlying volumes are scanned and mounted during boot: all logical volumes, swap included, are covered by the single container, one passphrase/key unlocks the whole system, and the LVM metadata cannot be read from the raw disk.

The most important thing when setting LVM on top of encryption is to configure the initramfs to run both the encrypt hook and the lvm2 hook, and both of them before the filesystems hook. In the past it was necessary to list encrypt before lvm2 in /etc/mkinitcpio.conf; with the current implementation of the lvm2 hook the relative order of the two no longer matters.

LUKS on LVM

To use encryption on top of LVM, first set up your LVM volumes and then use them as the base for the encrypted partitions. That is, set up LVM first, then follow this guide, replacing every occurrence of /dev/sdXy with its LVM counterpart (e.g. /dev/sda5 -> /dev/<volume group name>/home). This layout is used to set up partitions (inside the LVM) which can be unlocked separately, or a mixture of encrypted and unencrypted partitions. Note that the volume group layout itself (names and sizes of the logical volumes) is then stored unencrypted on the disk; only the contents of the encrypted volumes are protected.

For encrypted partitions inside an LVM, the lvm2 hook has to run first, before the respective encrypted logical volumes exist and can be unlocked. So in this case add the encrypt hook in /etc/mkinitcpio.conf after the lvm2 hook.
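The hook-order rules of the two preceding sections, as an added check that is not part of the draft (example code, not from the ArchWiki page or from mkinitcpio): given a HOOKS line from /etc/mkinitcpio.conf and the intended stacking, it verifies that encrypt, lvm2 and filesystems are all present, that the first two precede filesystems, and that for LUKS on LVM lvm2 precedes encrypt. The layout names lvm-on-luks and luks-on-lvm are this example's own; the sample HOOKS lines in the usage are constructed.

```shell
#!/bin/sh
# Added example (not from the ArchWiki draft): check that a mkinitcpio.conf
# HOOKS line can boot the chosen stacking. Understands both the old string
# form HOOKS="..." and the newer array form HOOKS=(...).
# LAYOUT is "lvm-on-luks" (volume group inside one LUKS container) or
# "luks-on-lvm" (LUKS containers on logical volumes); both names are
# this example's own convention.

# hook_index NAME: 1-based position of NAME in the list read from stdin
# (one hook per line); prints nothing if NAME is absent.
hook_index() {
    awk -v n="$1" '$0 == n { print NR; exit }'
}

# check_hooks LAYOUT 'HOOKS=...': returns 0 if the order is usable,
# 1 with the reason on stderr otherwise.
check_hooks() {
    local layout="$1" line="$2" hooks enc lvm fs
    # strip "HOOKS=", quotes and parentheses, one hook per line
    hooks=$(printf '%s\n' "$line" \
        | sed 's/^[[:space:]]*HOOKS=//' | tr -d '"()'"'" | tr ' ' '\n' | sed '/^$/d')
    enc=$(printf '%s\n' "$hooks" | hook_index encrypt)
    lvm=$(printf '%s\n' "$hooks" | hook_index lvm2)
    fs=$(printf '%s\n' "$hooks" | hook_index filesystems)
    if [ -z "$enc" ] || [ -z "$lvm" ] || [ -z "$fs" ]; then
        echo "HOOKS needs encrypt, lvm2 and filesystems" >&2
        return 1
    fi
    if [ "$enc" -gt "$fs" ] || [ "$lvm" -gt "$fs" ]; then
        echo "encrypt and lvm2 must both come before filesystems" >&2
        return 1
    fi
    case $layout in
        luks-on-lvm)
            # the LVs are the LUKS containers: they must exist before encrypt runs
            if [ "$lvm" -gt "$enc" ]; then
                echo "luks-on-lvm: lvm2 must come before encrypt" >&2
                return 1
            fi ;;
        lvm-on-luks)
            # the current lvm2 hook picks up the VG once the container is open,
            # so either order works here
            ;;
        *)
            echo "unknown layout: $layout" >&2
            return 2 ;;
    esac
    return 0
}

# check_conf LAYOUT FILE: same check against the last HOOKS line of a file,
# e.g. check_conf lvm-on-luks /etc/mkinitcpio.conf
check_conf() {
    check_hooks "$1" "$(grep '^[[:space:]]*HOOKS=' "$2" | tail -n 1)"
}

# usage on a constructed line:
#   check_hooks luks-on-lvm 'HOOKS="base udev block lvm2 encrypt filesystems"'
```

Run it against /etc/mkinitcpio.conf before regenerating the image; a failing check means the initramfs will stop at the first hook that cannot find its device, which on a headless box is a harder failure to diagnose than a refused passphrase.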

LVM with Arch Linux Installer (>2009.08 <2012.07.15)

This article or section is out of date.

Reason: As of the 2012.07.15 installation media release the AIF (Arch Installation Framework) and grub-legacy are dropped. These outdated instructions still give the backbones to understanding what to do. If you plan to do a fresh install, also check the howto Encrypted_LVM.

Between the Arch Linux installation media releases 2009.08 and 2012.07.15, LVM and dm_crypt were supported by the installer out of the box. This made it very easy to configure a system for LVM on dm-crypt or vice versa. The configuration is done exactly as without LVM (see the corresponding section above); it differs only in two aspects.

The partition and filesystem choice

Create a small, unencrypted boot partition and use the remaining space for a single partition which can later be split up into multiple logical volumes by LVM.

For a LVM-on-dm-crypt system set up the filesystems and mounting points for example like this:

/dev/sda1   raw->ext2;yes;/boot;no_opts;no_label;no_params
/dev/sda2   raw->dm_crypt;yes;no_mountpoint;no_opts;sda2crypt;-c_aes-xts-plain_-y_-s_512
/dev/mapper/sda2crypt   dm_crypt->lvm-vg;yes;no_mountpoint;no_opts;no_label;no_params
/dev/mapper/sda2crypt+  lvm-pv->lvm-vg;yes;no_mountpoint;no_opts;cryptpool;no_params
/dev/mapper/cryptpool   lvm-vg(cryptpool)->lvm-lv;yes;no_mountpoint;no_opts;cryptroot;10000M|lvm-lv;yes;no_mountpoint;no_opts;crypthome;20000M
/dev/mapper/cryptpool-cryptroot   lvm-lv(cryptroot)->ext3;yes;/;no_opts;cryptroot;no_params
/dev/mapper/cryptpool-crypthome   lvm-lv(crypthome)->ext3;yes;/home;no_opts;cryptroot;no_params

The configuration stage

  • In /etc/mkinitcpio.conf add the encrypt hook before the lvm2 hook in the HOOKS array, if you set up LVM on top of the encrypted partition.

That is it for the LVM & dm_crypt specific part. The rest is done as usual.

Applying this to a non-root partition

You might be tempted to apply all this to a non-root partition. Arch does not support this out of the box; however, you can easily change the cryptdev and cryptname values in /lib/initcpio/hooks/encrypt (the first to your /dev/sd* partition, the second to the mapper name you want). That should be enough.

The big advantage is that everything can be automated, whereas setting up /etc/crypttab with an external key file (i.e. a key file that is not on any internal hard drive partition) can be a pain: you need to make sure the USB/FireWire/... device is mounted before the encrypted partition is opened, which means changing the order of /etc/fstab (at least).

Of course, if the cryptsetup package gets upgraded, you will have to edit /lib/initcpio/hooks/encrypt again. Unlike /etc/crypttab, only one partition is supported, but with some further hacking one should be able to have multiple partitions unlocked.

If you want to do this on a software RAID partition, there is one more thing to do. Just setting the /dev/mdX device in /lib/initcpio/hooks/encrypt is not enough: the encrypt hook fails to find the key and does not prompt for a passphrase either, apparently because the RAID devices are not brought up until after the encrypt hook has run. You can solve this by letting the kernel assemble the array itself via /boot/grub/menu.lst, like

kernel /boot/vmlinuz-linux md=1,/dev/hda5,/dev/hdb5

If you set up your root partition as a RAID, you will notice the similarities with that setup ;-). GRUB can handle multiple array definitions just fine:

kernel /boot/vmlinuz-linux root=/dev/md0 ro md=0,/dev/sda1,/dev/sdb1 md=1,/dev/sda5,/dev/sdb5,/dev/sdc5

LVM and dm-crypt manually (short version)

Notes

If you are smart enough for this, you will be smart enough to ignore/replace LVM-specific things.

Note: This brief uses reiserfs for some of the partitions, so change this accordingly if you want to use a more "normal" file system, like ext4.

Note: The commands below use the cipher spec aes-xts-plain. Its IV is the 32-bit sector number, which wraps after 2^32 sectors (2 TiB at 512-byte sectors), so for containers of that size or larger use aes-xts-plain64 instead (the default of current cryptsetup releases).

Partitioning scheme

/dev/sda1 -> /boot
/dev/sda2 -> LVM

The commands

# wipe /dev/sda2 by writing through a throw-away dm-crypt mapping with a random
# key ("create" is plain dm-crypt, no LUKS header); the ciphertext is random
# either way, so /dev/zero as input would do the same job faster
cryptsetup -d /dev/random -c aes-xts-plain -s 512 create lvm /dev/sda2
dd if=/dev/urandom of=/dev/mapper/lvm
cryptsetup remove lvm
# LVM directly on the partition: the VG layout is readable without any key
lvm pvcreate /dev/sda2
lvm vgcreate lvm /dev/sda2
lvm lvcreate -L 10G -n root lvm
lvm lvcreate -L 500M -n swap lvm
lvm lvcreate -L 500M -n tmp lvm
lvm lvcreate -l 100%FREE -n home lvm
# root: a LUKS container on the root LV, opened by the encrypt hook at boot
cryptsetup luksFormat -c aes-xts-plain -s 512 /dev/lvm/root
cryptsetup luksOpen /dev/lvm/root root
mkreiserfs /dev/mapper/root
mount /dev/mapper/root /mnt
# /boot stays unencrypted
dd if=/dev/zero of=/dev/sda1 bs=1M
mkreiserfs /dev/sda1
mkdir /mnt/boot
mount /dev/sda1 /mnt/boot
# key file for /home, kept on the (encrypted) root file system, readable by root only
mkdir -p -m 700 /mnt/etc/luks-keys
dd if=/dev/random of=/mnt/etc/luks-keys/home bs=1 count=256

Install Arch Linux

Run /arch/setup

Configuration

/etc/rc.conf

Change USELVM="no" to USELVM="yes". (This only exists on pre-systemd installs, and since the lvm2 initcpio hook already activates the volume group before init starts, the second activation it triggers serves no purpose.)

/etc/mkinitcpio.conf

Put lvm2 and encrypt (in that order) before filesystems in the HOOKS array. Again, note that this puts encryption on top of LVM, which is why lvm2 has to come first.

If you want to install the system on a USB stick, you also need to put usb right after udev.

/boot/grub/menu.lst

Change root=/dev/hda3 to root=/dev/lvm/root.

For kernel >= 2.6.30, you should change root=/dev/hda3 to the following:

cryptdevice=/dev/lvm/root:root root=/dev/mapper/root

If you want to install the system on a USB stick, you also need to add lvmdelay=/dev/mapper/lvm-root

/etc/fstab

/dev/mapper/root        /       reiserfs        defaults        0       1
/dev/sda1               /boot   reiserfs        defaults        0       2
/dev/mapper/tmp         /tmp    tmpfs           defaults        0       0
/dev/mapper/swap        none    swap            sw              0       0

Note: For type tmpfs the device field is ignored, so the /tmp line above mounts an ordinary RAM-backed tmpfs and the encrypted tmp volume is never used. To actually use /dev/mapper/tmp, a file system has to be created on it at every boot (its key is random and new each time) before it is mounted, and the fstab type must be that file system; with systemd, the tmp option of crypttab(5) does the mkfs.

/etc/crypttab

swap	/dev/lvm/swap	SWAP		-c aes-xts-plain -h whirlpool -s 512
tmp	/dev/lvm/tmp	/dev/urandom	-c aes-xts-plain -s 512

Note: The options column is in the old initscripts format (raw cryptsetup arguments). systemd's crypttab(5) expects a comma-separated list instead, e.g. cipher=aes-xts-plain,size=512,swap with /dev/urandom as the key for the swap line.

After rebooting

The commands

cryptsetup luksFormat -c aes-xts-plain -s 512 /dev/lvm/home /etc/luks-keys/home
cryptsetup luksOpen -d /etc/luks-keys/home /dev/lvm/home home
mkreiserfs /dev/mapper/home
mount /dev/mapper/home /home

/etc/crypttab

home	/dev/lvm/home   /etc/luks-keys/home

/etc/fstab

/dev/mapper/home        /home   reiserfs        defaults        0       0

The key file lives on the root file system, which is itself a LUKS container, so /home is exactly as well protected as /: anyone who can read / can also open /home.
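A consistency check for the /etc/crypttab and /etc/fstab pairs of this section, as an added example that is not part of the draft: it flags a /dev/mapper device mounted as tmpfs (the device is ignored, the trap in the fstab above), mapper devices that nothing opens, and random-key mappings whose fstab type does not fit. The sample tables are the draft's own entries, embedded as constructed input; mappings opened by the initramfs (root, via cryptdevice=) never appear in crypttab, so their names are passed as extra arguments. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the ArchWiki draft): cross-check /etc/crypttab
# against /etc/fstab for a layout like the one above.

# constructed sample input: the draft's own tables
sample_crypttab() {
    cat <<'EOF'
# name  device          key                  options
swap    /dev/lvm/swap   SWAP                 -c aes-xts-plain -h whirlpool -s 512
tmp     /dev/lvm/tmp    /dev/urandom         -c aes-xts-plain -s 512
home    /dev/lvm/home   /etc/luks-keys/home
EOF
}

sample_fstab() {
    cat <<'EOF'
/dev/mapper/root   /       reiserfs  defaults  0 1
/dev/sda1          /boot   reiserfs  defaults  0 2
/dev/mapper/tmp    /tmp    tmpfs     defaults  0 0
/dev/mapper/swap   none    swap      sw        0 0
/dev/mapper/home   /home   reiserfs  defaults  0 0
EOF
}

# same table with /tmp as a real file system on the mapped device
sample_fstab_fixed() {
    sample_fstab | awk '$1 == "/dev/mapper/tmp" { $3 = "ext2" } { print }'
}

# in_list NAME WORD...: 0 if NAME is one of the WORDs
in_list() {
    local n="$1" w
    shift
    for w in "$@"; do [ "$w" = "$n" ] && return 0; done
    return 1
}

# check_tabs CRYPTTAB FSTAB [NAME...]: 0 if consistent, 1 with findings on
# stderr. NAMEs are mappings opened before crypttab is read (e.g. root).
check_tabs() {
    local crypttab="$1" fstab="$2" rc=0 dev mp type rest name key
    shift 2
    while read -r dev mp type rest; do
        case $dev in /dev/mapper/*) ;; *) continue ;; esac
        name=${dev#/dev/mapper/}
        # third crypttab column: key file, SWAP, /dev/urandom or empty (no entry)
        key=$(awk -v n="$name" '$1 == n { print $3 }' "$crypttab")
        if [ "$type" = tmpfs ]; then
            echo "$mp: type tmpfs ignores the device field, $dev is never used" >&2
            rc=1
        fi
        if [ -z "$key" ] && ! in_list "$name" "$@"; then
            echo "$dev: no crypttab entry and not opened by the initramfs" >&2
            rc=1
        fi
        case $key in
            SWAP)
                if [ "$type" != swap ]; then
                    echo "$name: random swap key but fstab type $type" >&2
                    rc=1
                fi ;;
            /dev/urandom)
                if [ "$type" != swap ]; then
                    echo "$name: new random key at every boot, something must mkfs it before mount" >&2
                fi ;;
        esac
    done < "$fstab"
    return "$rc"
}

# usage: check_tabs /etc/crypttab /etc/fstab root
```

On the draft's own tables the check fails because of the tmpfs line; with /tmp changed to a real file system it passes, and it fails again if root is not declared as opened by the initramfs.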

/ on LVM on LUKS

Make sure your kernel command line looks like this (the LUKS container holds the volume group; the mapper name after the colon is what the opened container is called, and the root device is a logical volume inside it):

root=/dev/mapper/<volume-group>-<logical-volume> cryptdevice=/dev/<luks-part>:<volume-group>

For example:

root=/dev/mapper/vg-arch cryptdevice=/dev/sda4:vg

(Hyphens in volume group or logical volume names appear doubled in the /dev/mapper name; /dev/<volume-group>/<logical-volume> works as well.)

For the reverse layout, / on LUKS on LVM as in the manual setup above, the root logical volume is itself the LUKS container and the opened container is the root device:

cryptdevice=/dev/<volume-group>/<logical-volume>:root root=/dev/mapper/root
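The relationship between cryptdevice= and root= for the two layouts, as an added check that is not part of the draft (example code, not from the ArchWiki page or from the encrypt hook): it parses both parameters from a kernel command line, works out which stacking is meant from the kind of device cryptdevice= names, and catches the two classic mistakes, root= pointing at the ciphertext device and root= pointing at the opened container when a volume group is supposed to sit inside it. The layout names and sample command lines are this example's own.

```shell
#!/bin/sh
# Added example (not from the ArchWiki draft): check that root= and
# cryptdevice= on a kernel command line fit together for one of the two
# stackings. Prints "lvm-on-luks" or "luks-on-lvm" and returns 0, or
# returns 1 with the problem on stderr.

# cmdline_param NAME 'cmdline': value of the last NAME=value, empty if absent
cmdline_param() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | tail -n 1
}

check_cmdline() {
    local line="$1" cryptdev root dev name
    cryptdev=$(cmdline_param cryptdevice "$line")
    root=$(cmdline_param root "$line")
    if [ -z "$cryptdev" ] || [ -z "$root" ]; then
        echo "need both cryptdevice= and root=" >&2
        return 1
    fi
    case $cryptdev in
        *:*) ;;
        *) echo "cryptdevice=$cryptdev lacks the :name part" >&2; return 1 ;;
    esac
    dev=${cryptdev%%:*}      # device carrying the LUKS header
    name=${cryptdev#*:}      # mapper name, possibly followed by :options
    name=${name%%:*}
    if [ "$root" = "$dev" ]; then
        echo "root= points at the LUKS container itself (ciphertext), not at the opened device" >&2
        return 1
    fi
    case $dev in
        /dev/disk/*|UUID=*|PARTUUID=*|LABEL=*|/dev/[sh]d*|/dev/nvme*|/dev/vd*|/dev/md*)
            # container on a partition or array: the VG lives inside it,
            # so root must be a logical volume, never the container itself
            case $root in
                "/dev/mapper/$name")
                    echo "lvm-on-luks: root=/dev/mapper/$name skips LVM; use /dev/mapper/<vg>-<lv>" >&2
                    return 1 ;;
                /dev/mapper/*-*|/dev/*/*)
                    echo lvm-on-luks ;;
                *)
                    echo "lvm-on-luks: root=$root is not a logical volume path" >&2
                    return 1 ;;
            esac ;;
        /dev/mapper/*|/dev/*/*)
            # container on a logical volume: the opened device is root
            if [ "$root" = "/dev/mapper/$name" ]; then
                echo luks-on-lvm
            else
                echo "luks-on-lvm: root must be /dev/mapper/$name, the opened container" >&2
                return 1
            fi ;;
        *)
            echo "cannot tell what $dev is" >&2
            return 1 ;;
    esac
}

# usage on the running system: check_cmdline "$(cat /proc/cmdline)"
```

The device classification is deliberately simple (partition-like names versus /dev/<vg>/<lv> and /dev/mapper paths); it is meant as a pre-reboot sanity check on a GRUB entry, not as a replacement for booting a rescue medium when it still goes wrong.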

saving links for resources section

This link here is easy to follow and explains everything: Arch Linux: LVM on top of an encrypted partition (http://www.pindarsign.de/webblog/?p=767)