LVM on LUKS: Difference between revisions

Revision as of 21:07, 10 January 2015

Configuring LVM on top of LUKS

The most common errors for failure to boot a LUKS installation can be fixed with (1) or all of the following:

(1) Mount partitions & rebuild initramfs to include LUKS support

 mkinitfs -c $MNT/etc/mkinitfs/mkinitfs.conf -b $MNT

or alternatively rebuild the initramfs with:

 apk fix --root $MNT linux-grsec

(2) Write MBR (also needed for LVM manual / custom installations)

 dd bs=440 count=1 conv=notrunc if=$MNT/usr/share/syslinux/mbr.bin of=/dev/vda

(3) Change partition system id ('t') to "8e" with fdisk for partition type LVM

 fdisk /dev/vda

Additional Notes

Before choosing a LUKS encryption scheme find the most efficient scheme for your processor / system with:

 cryptsetup benchmark

(You may or may not be able to take advantage of AES hardware acceleration)

Haveged can also be run as a daemon to add entropy to your system for better randomness (certificate generation for OpenSSL / OpenVPN etc....)

   rc-update add haveged default

As an alternative to creating a /tmp partition in the below instructions, /tmp can be mounted in RAM with the following entry in /etc/fstab:

   tmpfs /tmp tmpfs defaults,noexec,noatime,nodev,nosuid,mode=1777   0 0

ALPINE KVM SETUP

setup-interfaces

ifup eth0

setup-apkrepos

apk update

apk add nano haveged lvm2 cryptsetup e2fsprogs syslinux

rc-service haveged start

# Partition disks (100meg boot / 2nd partition for LVM)

fdisk /dev/vda

m

n

etc........

# Wipe partition with random data

haveged -n 0 | dd of=/dev/vda2

# Don't forget to run 'cryptsetup benchmark' first to check the best scheme for your system

cryptsetup -v -c serpent-xts-plain64 -s 512 --hash whirlpool --iter-time 5000 --use-random luksFormat /dev/vda2

# Open LUKS partition

cryptsetup open --type luks /dev/vda2 lvmcrypt

# The name used for the mapper must also be used for the 'cryptdm=" Default Kernel Option setting

# shown further down in $MNT/etc/update-extlinux.conf

pvcreate /dev/mapper/lvmcrypt

# Create LVM partitions

vgcreate vg0 /dev/mapper/lvmcrypt

lvcreate -L 1G vg0 -n root

lvcreate -L 256M vg0 -n swap

lvcreate -L 500M vg0 -n home

lvcreate -L 50M vg0 -n tmp

# NOTE small "l" for 100% FREE allocation

lvcreate -l 100%FREE vg0 -n var

# Create filesystems

mkfs.ext2 /dev/vda1

mkfs.ext4 /dev/mapper/vg0-root

mkfs.ext4 /dev/mapper/vg0-home

mkfs.ext4 /dev/mapper/vg0-tmp

mkfs.ext4 /dev/mapper/vg0-var

mkswap /dev/mapper/vg0-swap

# Make vda1 bootable

fdisk /dev/vda

m

a

1

# Change partition type to "8e" with fdisk for the LVM partition

fdisk /dev/vda

m

t

2

8e

w

# Open LVM volumes

vgchange -a y

# Mount Partitions

# *** note mounts under /dev/vol/partition NOT /dev/mapper/vol-partition - for installation ONLY.

# mkinitfs fails to generate a working initramfs for LUKS when installing a new system with /dev/mapper

# LVM devices mounted (but boots installed systems with /dev/mapper LVM devices in /etc/fstab without problems

mount -t ext4 /dev/vg0/root /mnt

mkdir /mnt/boot /mnt/home /mnt/tmp /mnt/var

mount -t ext4 /dev/vg0/home /mnt/home

mount -t ext4 /dev/vg0/tmp /mnt/tmp

mount -t ext4 /dev/vg0/var /mnt/var

mount -t ext2 /dev/vda1 /mnt/boot

swapon /dev/mapper/vg0-swap

# Install Alpine

setup-disk -m sys /mnt

# Setup crypttab

echo "lvmcrypt /dev/vda2 none luks" > /mnt/etc/crypttab

# Setup fstab

# You could also setup devices with uuid's by running 'blkid'

echo "/dev/mapper/vg0-root / ext4 defaults,errors=remount-ro 0 1" >> /mnt/etc/fstab

echo "/dev/mapper/vg0-var /var ext4 defaults 0 2" >> /mnt/etc/fstab

echo "/dev/mapper/vg0-home /home ext4 defaults 0 2" >> /mnt/etc/fstab

echo "/dev/mapper/vg0-tmp /tmp ext4 defaults,noexec,noatime,nodev,nosuid 0 2" >> /mnt/etc/fstab

echo "/dev/mapper/vg0-swap none swap sw 0 0" >> /mnt/etc/fstab

# Edit $MNT/etc/mkinitfs/mkinitfs.conf to make sure features="..." includes cryptsetup (this field is space-separated and quoted)

# Edit $MNT/etc/update-extlinux.conf to make sure default_kernel_opts="..." contains cryptroot=/dev/vda2 and cryptdm=lvmcrypt

# (this field is also space-separated and quoted)

# Also check the root= setting = /dev/mapper/vg0-root

extlinux --install $MNT/boot --update

# Rebuild initramfs

mkinitfs -c $MNT/etc/mkinitfs/mkinitfs.conf -b $MNT

# alternative method (ignore extlinux errors)

# apk fix --root $MNT linux-grsec

# 'apk fix' will give an error for missing modules - fix with a symlink in /lib/modules & rerun 'apk fix' above

# Write MBR (also needed for LVM manual / custom installations)

dd bs=440 count=1 conv=notrunc if=$MNT/usr/share/syslinux/mbr.bin of=/dev/vda

# See instructions below for unmounting LVM volumes & closing the LUKS partition

The following details for mounting your installation into a chroot may be helpful if you ever need to repair an installation:

# CHROOT MOUNTS ###

vgchange -a y

# Follow instructions above for mounting LVM partitions

cd /mnt

mount --bind /dev dev

mount -t devpts devpts dev/pts

mount -t tmpfs tmpfs dev/shm

mount -t proc proc proc

mount -t sysfs sysfs sys

chroot /mnt /bin/ash

# UNMOUNTING ###

umount dev/pts

umount dev/shm

umount dev

umount /mnt/boot

umount /mnt/var

umount /mnt/home

umount /mnt/tmp

swapoff /dev/mapper/vg0-swap

umount /mnt

# Deactivate LVM volumes

vgchange -a n

# Close LUKS partition

cryptsetup luksClose lvmcrypt

--Stuart Cardall (talk) 19:53, 1 May 2014 (UTC)

@@ Line 6: / Line 6: @@
-* '''(1)''' Mount partitions & rebuild initramfs to include LUKS support (ignore extlinux errors)
+* '''(1)''' Mount partitions & rebuild initramfs to include LUKS support
+  mkinitfs -c $MNT/etc/mkinitfs/mkinitfs.conf -b $MNT
+or alternatively rebuild the initramfs with:
    apk fix --root $MNT linux-grsec
@@ Line 47: / Line 51: @@
 apk add nano haveged lvm2 cryptsetup e2fsprogs syslinux
+rc-service haveged start
 <nowiki># Partition disks (100meg boot / 2nd partition for LVM)</nowiki>
@@ Line 64: / Line 70: @@
 <nowiki># Don't forget to run 'cryptsetup benchmark' first to check the best scheme for your system</nowiki>
-cryptsetup -v -c serpent-xts-plain64 -s 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/vda2
+cryptsetup -v -c serpent-xts-plain64 -s 512 --hash whirlpool --iter-time 5000 --use-random luksFormat /dev/vda2
 <nowiki># Open LUKS partition</nowiki>
@@ Line 135: / Line 141: @@
 <nowiki># Mount Partitions</nowiki>
+<nowiki># *** note mounts under /dev/vol/partition NOT /dev/mapper/vol-partition - for installation ONLY.</nowiki>
+<nowiki># mkinitfs fails to generate a working initramfs for LUKS when installing a new system with /dev/mapper </nowiki>
+<nowiki># LVM devices mounted (but boots installed systems with /dev/mapper LVM devices in /etc/fstab without problems</nowiki>
 mount -t ext4 /dev/vg0/root /mnt
@@ Line 156: / Line 168: @@
 <nowiki># Setup crypttab</nowiki>
-echo "lvm /dev/vda2 none luks" > /mnt/etc/crypttab
+echo "lvmcrypt /dev/vda2 none luks" > /mnt/etc/crypttab
 <nowiki># Setup fstab</nowiki>
@@ Line 182: / Line 194: @@
 extlinux --install $MNT/boot --update
-<nowiki># Rebuild initramfs (ignore extlinux errors)</nowiki>
+<nowiki># Rebuild initramfs</nowiki>
+mkinitfs -c $MNT/etc/mkinitfs/mkinitfs.conf -b $MNT
+<nowiki># alternative method (ignore extlinux errors)</nowiki>
-apk fix --root $MNT linux-grsec
+<nowiki># apk fix --root $MNT linux-grsec</nowiki>
 <nowiki># 'apk fix' will give an error for missing modules - fix with a symlink in /lib/modules & rerun 'apk fix' above</nowiki>
@@ Line 190: / Line 206: @@
 <nowiki># Write MBR (also needed for LVM manual / custom installations)</nowiki>
-dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/vda
+dd bs=440 count=1 conv=notrunc if=$MNT/usr/share/syslinux/mbr.bin of=/dev/vda
 <nowiki># See instructions below for unmounting LVM volumes & closing the LUKS partition</nowiki></code>