LVM on LUKS: Difference between revisions

mNo edit summary
mNo edit summary
Line 164: Line 164:
echo "/dev/mapper/vg0-home  /home  ext4      defaults      0  2" >> /mnt/etc/fstab
echo "/dev/mapper/vg0-home  /home  ext4      defaults      0  2" >> /mnt/etc/fstab


echo "/dev/mapper/vg0-tmp  /tmp    ext4      defaults,noexec,noatime,nodev,nosuid,mode=1777     0  2" >> /mnt/etc/fstab
echo "/dev/mapper/vg0-tmp  /tmp    ext4      defaults,noexec,noatime,nodev,nosuid      0  2" >> /mnt/etc/fstab


echo "/dev/mapper/vg0-swap  none  swap      sw            0  0" >> /mnt/etc/fstab
echo "/dev/mapper/vg0-swap  none  swap      sw            0  0" >> /mnt/etc/fstab
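Review bot: Nothing in the listing sets the sticky, world-writable mode on the new ext4 /tmp once `mode=1777` is absent from its fstab options (ext4 has no `mode=` mount option; that is a tmpfs option, so the retained line without it is the correct form), which leaves the filesystem root at mkfs.ext4's default 0755 and unprivileged users unable to write to /tmp. The fix belongs in the install steps rather than fstab: run `chmod 1777 /mnt/tmp` after `mount -t ext4 /dev/vg0/tmp /mnt/tmp` and before `setup-disk`. The `noexec,nodev,nosuid` options on the retained line are worth keeping as they are. Which of the two printed lines is the new one is inferred from the article body below, which carries the version without `mode=1777`.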

Revision as of 11:47, 13 May 2014

Configuring LVM on top of LUKS

The most common errors for failure to boot a LUKS installation can be fixed with one or all of the following:


  • (1) Mount partitions & rebuild initramfs to include LUKS support (ignore extlinux errors)
 apk fix --root $MNT linux-grsec
  • (2) Write MBR (also needed for LVM manual / custom installations)
 dd bs=440 count=1 conv=notrunc if=$MNT/usr/share/syslinux/mbr.bin of=/dev/vda
  • (3) Change partition system id ('t') to "8e" with fdisk for partition type LVM
 fdisk /dev/vda



Additional Notes

  • Before choosing a LUKS encryption scheme find the most efficient scheme for your processor / system with:
 cryptsetup benchmark

(You may or may not be able to take advantage of AES hardware acceleration)


Haveged can also be run as a daemon to add entropy to your system for better randomness (e.g. certificate generation for OpenSSL / OpenVPN).



ALPINE KVM SETUP


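# Install target mount point. The original listing referenced $MNT in several
# places (apk fix --root, extlinux --install, dd if=...) without ever setting
# it; with it unset, extlinux would have targeted /boot of the live system and
# apk fix would have been given an empty --root. Set it once and use it everywhere.
MNT=/mnt

setup-interfaces

ifup eth0

setup-apkrepos

apk update

# haveged feeds the kernel entropy pool; luksFormat below uses --use-random,
# which reads /dev/random and blocks until enough entropy is available
apk add nano haveged lvm2 cryptsetup e2fsprogs syslinux

# Partition disks (100meg boot / 2nd partition for LVM)
# fdisk is interactive: 'm' prints the command list, 'n' creates a partition,
# and so on; write the table with 'w' when done
fdisk /dev/vda

# Wipe partition with random data
haveged -n 0 | dd of=/dev/vda2

# Don't forget to run 'cryptsetup benchmark' first to check the best scheme for your system
cryptsetup -v -c serpent-xts-plain64 -s 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/vda2

# Open LUKS partition
# The mapper name ('lvmcrypt') must also be used for the cryptdm= Default Kernel Option setting
# shown further down in $MNT/etc/update-extlinux.conf, and is the name written to crypttab below
cryptsetup open --type luks /dev/vda2 lvmcrypt

pvcreate /dev/mapper/lvmcrypt

# Create LVM partitions
vgcreate vg0 /dev/mapper/lvmcrypt

lvcreate -L 1G vg0 -n root

lvcreate -L 256M vg0 -n swap

lvcreate -L 500M vg0 -n home

lvcreate -L 50M vg0 -n tmp

# NOTE small "l" for 100% FREE allocation
lvcreate -l 100%FREE vg0 -n var

# Create filesystems
mkfs.ext2 /dev/vda1

mkfs.ext4 /dev/mapper/vg0-root

mkfs.ext4 /dev/mapper/vg0-home

mkfs.ext4 /dev/mapper/vg0-tmp

mkfs.ext4 /dev/mapper/vg0-var

mkswap /dev/mapper/vg0-swap

# Make vda1 bootable
# interactive fdisk keystrokes: 'a' (toggle bootable flag), then partition number '1'
fdisk /dev/vda

# Change partition type to "8e" with fdisk for the LVM partition
# interactive fdisk keystrokes: 't' (change type), partition '2', type '8e', then 'w' to write the table
fdisk /dev/vda

# Open LVM volumes
vgchange -a y

# Mount Partitions
mount -t ext4 /dev/vg0/root "$MNT"

mkdir "$MNT/boot" "$MNT/home" "$MNT/tmp" "$MNT/var"

mount -t ext4 /dev/vg0/home "$MNT/home"

mount -t ext4 /dev/vg0/tmp "$MNT/tmp"

# ext4 has no mode= mount option (that is a tmpfs option), so the sticky,
# world-writable mode /tmp needs must be set on the mounted filesystem root
# itself; mkfs.ext4 creates it 0755, which would leave /tmp unwritable for
# unprivileged users
chmod 1777 "$MNT/tmp"

mount -t ext4 /dev/vg0/var "$MNT/var"

mount -t ext2 /dev/vda1 "$MNT/boot"

swapon /dev/mapper/vg0-swap

# Install Alpine
setup-disk -m sys "$MNT"

# Setup crypttab
# The mapping name is the same one given to 'cryptsetup open' above and to
# cryptdm= in update-extlinux.conf, so the three stay consistent
echo "lvmcrypt /dev/vda2 none luks" > "$MNT/etc/crypttab"

# Setup fstab
# You could also setup devices with uuid's by running 'blkid'
# NOTE(review): setup-disk may already have written entries for the mounted
# volumes - check "$MNT/etc/fstab" before appending so nothing is listed twice
cat >> "$MNT/etc/fstab" <<'EOF'
/dev/mapper/vg0-root / ext4 defaults,errors=remount-ro 0 1
/dev/mapper/vg0-var /var ext4 defaults 0 2
/dev/mapper/vg0-home /home ext4 defaults 0 2
/dev/mapper/vg0-tmp /tmp ext4 defaults,noexec,noatime,nodev,nosuid 0 2
/dev/mapper/vg0-swap none swap sw 0 0
EOF

# Edit $MNT/etc/mkinitfs/mkinitfs.conf to make sure features="..." includes cryptsetup (this field is space-separated and quoted)

# Edit $MNT/etc/update-extlinux.conf to make sure default_kernel_opts="..." contains cryptroot=/dev/vda2 and cryptdm=lvmcrypt
# (this field is also space-separated and quoted)

# Also check the root= setting = /dev/mapper/vg0-root

extlinux --install "$MNT/boot" --update

# Rebuild initramfs (ignore extlinux errors)
apk fix --root "$MNT" linux-grsec

# 'apk fix' will give an error for missing modules - fix with a symlink in /lib/modules & rerun 'apk fix' above

# Write MBR (also needed for LVM manual / custom installations)
dd bs=440 count=1 conv=notrunc if="$MNT/usr/share/syslinux/mbr.bin" of=/dev/vda

# See instructions below for unmounting LVM volumes & closing the LUKS partition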



The following details for mounting your installation into a chroot may be helpful if you ever need to repair an installation:


# CHROOT MOUNTS ###

# Activate the volume group so the /dev/vg0/* volumes exist again
# (assumes the LUKS partition was opened with 'cryptsetup open' as in the install steps above)
vgchange -a y

# Follow instructions above for mounting LVM partitions

# Everything below uses paths relative to /mnt, so this cd has to succeed first
cd /mnt

# Bind the live /dev into the chroot, then give it its own pts, shm, proc and sysfs
mount --bind /dev dev

mount -t devpts devpts dev/pts

mount -t tmpfs tmpfs dev/shm

mount -t proc proc proc

mount -t sysfs sysfs sys

# Enter the installed system with its own shell; see the unmount list below to leave cleanly
chroot /mnt /bin/ash


# UNMOUNTING ###

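# Tear down the chroot pseudo-filesystems first, innermost mounts before their parents.
# Absolute paths are used so this works from any working directory, not only
# after the 'cd /mnt' of the chroot section.
umount /mnt/dev/pts

umount /mnt/dev/shm

umount /mnt/dev

# proc and sys are mounted by the chroot section above but were missing from
# this list, which left /mnt busy and the final 'umount /mnt' failing
umount /mnt/proc

umount /mnt/sys

umount /mnt/boot

umount /mnt/var

umount /mnt/home

umount /mnt/tmp

swapoff /dev/mapper/vg0-swap

umount /mnt

# Deactivate LVM volumes
vgchange -a n

# Close LUKS partition
cryptsetup luksClose lvmcrypt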


--Stuart Cardall (talk) 19:53, 1 May 2014 (UTC)