- 1 Encrypting an LVM setup (rework of LUKS section 8)
- 2 Encrypting an LVM setup
- 2.1 LVM with Arch Linux Installer (>2009.08 <2012.07.15)
- 2.2 Applying this to a non-root partition
- 2.3 LVM and dm-crypt manually (short version)
- 2.3.1 Notes
- 2.3.2 Partitioning scheme
- 2.3.3 The commands
- 2.3.4 Install Arch Linux
- 2.3.5 Configuration
- 2.3.6 After rebooting
- 2.4 / on LVM on LUKS
Encrypting an LVM setup (rework of LUKS section 8)
Encrypting an LVM setup
LVM on LUKS
The easiest and best method is to set up LVM on top of the encrypted partition instead of the other way round. This link is easy to follow and explains everything: Arch Linux: LVM on top of an encrypted partition
The most important thing when setting up LVM on top of encryption is to configure the initramfs to run both the encrypt hook and the lvm2 hook (and those two before the filesystems hook). In the past, it was necessary to ensure the correct ordering of these hooks in /etc/mkinitcpio.conf, but the order no longer matters with the current implementation of
LUKS on LVM
To use encryption on top of LVM, you first have to set up your LVM volumes and then use them as the base for the encrypted partitions. In short: set up LVM first, then follow this guide, replacing every occurrence of /dev/sdXy in the guide with its LVM counterpart (e.g. /dev/<volume group name>/home). This is used to set up partitions (inside the LVM) which can be unlocked separately, or a mixture of encrypted and non-encrypted partitions.
For encrypted partitions inside an LVM, the LVM hook has to run first, before the respective encrypted logical volumes can be unlocked. So if you chose to set up encrypted partitions on top of LVM, add the encrypt hook in /etc/mkinitcpio.conf after the lvm2 hook.
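The two sections above state opposite hook orderings for the two layouts. The following check, which is an added example and not part of the original page or of mkinitcpio, reads one HOOKS line from /etc/mkinitcpio.conf and verifies it against the chosen layout: for LVM on LUKS it enforces the historic encrypt-before-lvm2 ordering described above, for LUKS on LVM it enforces lvm2-before-encrypt, and in both cases it requires both hooks to be present and to precede filesystems. The function name, the mode names and the sample HOOKS lines are assumptions made for this example; both the quoted `HOOKS="..."` and the array `HOOKS=(...)` spellings are accepted.

```shell
# Check the ordering of the encrypt and lvm2 hooks in a mkinitcpio HOOKS line.
# Usage: check_hooks <lvm-on-luks|luks-on-lvm> '<HOOKS line>'
# Prints the reason and returns 1 on a violation, returns 0 otherwise.
check_hooks() {
    mode=$1; line=$2
    # Extract the value inside HOOKS="..." or HOOKS=(...).
    hooks=$(printf '%s\n' "$line" | sed -n 's/^HOOKS=[("]\(.*\)[")]$/\1/p')
    [ -n "$hooks" ] || { echo "not a HOOKS line: $line"; return 1; }
    # Record the 1-based position of each hook we care about.
    i=0; pe=""; pl=""; pf=""
    for h in $hooks; do
        i=$((i + 1))
        case $h in
            encrypt)     pe=$i ;;
            lvm2)        pl=$i ;;
            filesystems) pf=$i ;;
        esac
    done
    for entry in "encrypt:$pe" "lvm2:$pl" "filesystems:$pf"; do
        [ -n "${entry#*:}" ] || { echo "missing hook: ${entry%%:*}"; return 1; }
    done
    # Both hooks must run before the filesystems hook in either layout.
    if [ "$pe" -gt "$pf" ] || [ "$pl" -gt "$pf" ]; then
        echo "encrypt and lvm2 must come before filesystems"; return 1
    fi
    case $mode in
        lvm-on-luks)
            [ "$pe" -lt "$pl" ] || { echo "LVM on LUKS: encrypt must precede lvm2"; return 1; } ;;
        luks-on-lvm)
            [ "$pl" -lt "$pe" ] || { echo "LUKS on LVM: lvm2 must precede encrypt"; return 1; } ;;
        *)  echo "unknown mode: $mode"; return 1 ;;
    esac
    return 0
}

# Constructed sample line for an LVM-on-LUKS system (not taken from a real config).
check_hooks lvm-on-luks 'HOOKS="base udev autodetect block encrypt lvm2 filesystems keyboard fsck"' \
    && echo "hook order ok"
```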
LVM with Arch Linux Installer (>2009.08 <2012.07.15)
Between the Arch Linux installation media releases 2009.08 and 2012.07.15, LVM and dm_crypt were supported by the installer out of the box. This made it very easy to configure a system for LVM on dm-crypt or vice versa. The configuration is done exactly as without LVM (see the corresponding section above); it differs only in two aspects.
The partition and filesystem choice
Create a small, unencrypted boot partition and use the remaining space for a single partition, which can later be split into multiple logical volumes by LVM.
For an LVM-on-dm-crypt system, set up the filesystems and mount points for example like this:
/dev/sda1 raw->ext2;yes;/boot;no_opts;no_label;no_params
/dev/sda2 raw->dm_crypt;yes;no_mountpoint;no_opts;sda2crypt;-c_aes-xts-plain_-y_-s_512
/dev/mapper/sda2crypt dm_crypt->lvm-vg;yes;no_mountpoint;no_opts;no_label;no_params
/dev/mapper/sda2crypt+ lvm-pv->lvm-vg;yes;no_mountpoint;no_opts;cryptpool;no_params
/dev/mapper/cryptpool lvm-vg(cryptpool)->lvm-lv;yes;no_mountpoint;no_opts;cryptroot;10000M|lvm-lv;yes;no_mountpoint;no_opts;crypthome;20000M
/dev/mapper/cryptpool-cryptroot lvm-lv(cryptroot)->ext3;yes;/;no_opts;cryptroot;no_params
/dev/mapper/cryptpool-crypthome lvm-lv(crypthome)->ext3;yes;/home;no_opts;cryptroot;no_params
The configuration stage
Put the encrypt hook before the lvm2 hook in the HOOKS array, if you set up LVM on top of the encrypted partition.
That is it for the LVM & dm_crypt specific part. The rest is done as usual.
Applying this to a non-root partition
You might be tempted to apply all this fancy stuff to a non-root partition. Arch does not support this out of the box; however, you can easily change the cryptdev and cryptname values in /lib/initcpio/hooks/encrypt (the first one to your /dev/sd* partition, the second to the name you want to assign). That should be enough.
The big advantage is that you can have everything automated, while setting up /etc/crypttab with an external key file (i.e. the keyfile is not on any internal hard drive partition) can be a pain: you need to make sure the USB/FireWire/... device gets mounted before the encrypted partition, which means you have to change the order of /etc/fstab (at least).
Of course, if the
/etc/rc.sysinit or similar files. Unlike /etc/crypttab, only one partition is supported, but with some further hacking one should be able to have multiple partitions unlocked.
If you want to do this on a software RAID partition, there is one more thing you need to do. Just setting the /dev/mdX device in /lib/initcpio/hooks/encrypt is not enough; the encrypt hook will fail to find the key for some reason, and will not prompt for a passphrase either. It looks like the RAID devices are not brought up until after the encrypt hook is run. You can solve this by putting the RAID array in
kernel /boot/vmlinuz-linux md=1,/dev/hda5,/dev/hdb5
If you set up your root partition as a RAID, you will notice the similarities with that setup ;-). GRUB can handle multiple array definitions just fine:
kernel /boot/vmlinuz-linux root=/dev/md0 ro md=0,/dev/sda1,/dev/sdb1 md=1,/dev/sda5,/dev/sdb5,/dev/sdc5
LVM and dm-crypt manually (short version)
If you are smart enough for this, you will be smart enough to ignore or replace the LVM-specific parts if you do not want to use LVM.
# Fill /dev/sda2 with random data through a temporary plain dm-crypt mapping, then drop the mapping
cryptsetup -d /dev/random -c aes-xts-plain -s 512 create lvm /dev/sda2
dd if=/dev/urandom of=/dev/mapper/lvm
cryptsetup remove lvm
# Create the LVM physical volume, the volume group "lvm" and the logical volumes
lvm pvcreate /dev/sda2
lvm vgcreate lvm /dev/sda2
lvm lvcreate -L 10G -n root lvm
lvm lvcreate -L 500M -n swap lvm
lvm lvcreate -L 500M -n tmp lvm
lvm lvcreate -l 100%FREE -n home lvm
# Encrypt the root logical volume with LUKS, open it and create the root filesystem
cryptsetup luksFormat -c aes-xts-plain -s 512 /dev/lvm/root
cryptsetup luksOpen /dev/lvm/root root
mkreiserfs /dev/mapper/root
mount /dev/mapper/root /mnt
# Unencrypted boot partition
dd if=/dev/zero of=/dev/sda1 bs=1M
mkreiserfs /dev/sda1
mkdir /mnt/boot
mount /dev/sda1 /mnt/boot
# Key file for /home, stored on the encrypted root and readable only by root
mkdir -p -m 700 /mnt/etc/luks-keys
dd if=/dev/random of=/mnt/etc/luks-keys/home bs=1 count=256
Install Arch Linux
Add lvm2 and encrypt (in that order) before filesystems in the HOOKS array. (Again, note that you are setting encryption on top of LVM.)
If you want to install the system on a USB stick, you need to put usb just after
For kernel >= 2.6.30, you should change root=/dev/hda3 to the following:
If you want to install the system on a USB stick, you need to add
/dev/mapper/root / reiserfs defaults 0 1
/dev/sda1 /boot reiserfs defaults 0 2
/dev/mapper/tmp /tmp tmpfs defaults 0 0
/dev/mapper/swap none swap sw 0 0
swap /dev/lvm/swap SWAP -c aes-xts-plain -h whirlpool -s 512
tmp /dev/lvm/tmp /dev/urandom -c aes-xts-plain -s 512
cryptsetup luksFormat -c aes-xts-plain -s 512 /dev/lvm/home /etc/luks-keys/home
cryptsetup luksOpen -d /etc/luks-keys/home /dev/lvm/home home
mkreiserfs /dev/mapper/home
mount /dev/mapper/home /home
home /dev/lvm/home /etc/luks-keys/home
/dev/mapper/home /home reiserfs defaults 0 0
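The crypttab and fstab fragments above depend on each other: every /dev/mapper/<name> mounted from fstab (except root, which the encrypt hook opens from the kernel command line) needs a crypttab entry of that name, and a volume keyed from /dev/urandom must only be used for swap or /tmp, because it is re-created with a fresh key on every boot. The following checks are an added example, not part of the original page; the sample crypttab and fstab are constructed from the entries above, the function names are assumptions, and the old Arch "SWAP" key keyword is assumed here to mean a random key, as in the crypttab above.

```shell
# Constructed sample crypttab and fstab, modelled on the entries on this page.
# Old Arch crypttab format: <name> <device> <key> [cryptsetup options]
CRYPTTAB='swap /dev/lvm/swap SWAP -c aes-xts-plain -h whirlpool -s 512
tmp /dev/lvm/tmp /dev/urandom -c aes-xts-plain -s 512
home /dev/lvm/home /etc/luks-keys/home'

FSTAB='/dev/mapper/root / reiserfs defaults 0 1
/dev/sda1 /boot reiserfs defaults 0 2
/dev/mapper/tmp /tmp tmpfs defaults 0 0
/dev/mapper/swap none swap sw 0 0
/dev/mapper/home /home reiserfs defaults 0 0'

# Print the names of /dev/mapper/* devices mounted in fstab that have no
# crypttab entry. "root" is skipped: the encrypt hook opens it at boot.
# Usage: missing_mappings "$crypttab_text" "$fstab_text"
missing_mappings() {
    printf '%s\n' "$2" | awk -v crypttab="$1" '
    BEGIN {
        n = split(crypttab, lines, "\n")
        for (i = 1; i <= n; i++) {
            split(lines[i], f, " ")
            if (f[1] != "" && substr(f[1], 1, 1) != "#") known[f[1]] = 1
        }
    }
    $1 ~ /^\/dev\/mapper\// {
        name = substr($1, 13)      # strip the 12-character "/dev/mapper/" prefix
        if (name != "root" && !(name in known)) print name
    }'
}

# Print crypttab names keyed from /dev/urandom (or the SWAP keyword) whose
# fstab mount point is persistent, i.e. neither "none" (swap) nor /tmp:
# data written there is lost at the next boot when the key is regenerated.
# Usage: random_key_persistent "$crypttab_text" "$fstab_text"
random_key_persistent() {
    printf '%s\n' "$1" | awk -v fstab="$2" '
    BEGIN {
        n = split(fstab, lines, "\n")
        for (i = 1; i <= n; i++) {
            split(lines[i], f, " ")
            if (f[1] ~ /^\/dev\/mapper\//) mnt[substr(f[1], 13)] = f[2]
        }
    }
    $3 == "/dev/urandom" || $3 == "SWAP" {
        if (($1 in mnt) && mnt[$1] != "none" && mnt[$1] != "/tmp") print $1
    }'
}
```

Both functions print nothing for the sample pair above; on a real system, feed them `"$(cat /etc/crypttab)"` and `"$(cat /etc/fstab)"`.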
/ on LVM on LUKS
Make sure your kernel command line looks like this:
Or like this: