LVM on LUKS

From Alpine Linux
Revision as of 19:53, 1 May 2014 by Itoffshore (talk | contribs)

Configuring LVM on top of LUKS

The most common causes of a LUKS installation failing to boot can be fixed with step (1) alone, or with all of the following:

(1) Mount partitions & rebuild initramfs to include LUKS support (ignore extlinux errors)

apk fix --root $MNT linux-grsec

(2) Write MBR (also needed for LVM manual / custom installations)

dd bs=440 count=1 conv=notrunc if=$MNT/usr/share/syslinux/mbr.bin of=/dev/vda

(3) Change the partition system id to "8e" (Linux LVM) using fdisk's 't' command

fdisk /dev/vda



Additional Notes


Before choosing a LUKS encryption scheme, find the most efficient cipher and key size for your processor / system with:

cryptsetup benchmark

(Whether you can take advantage of AES hardware acceleration depends on your CPU; the benchmark shows the difference.)

haveged can also be run as a daemon to feed entropy into the kernel pool, which helps when generating keys and certificates (OpenSSL, OpenVPN, etc.).



ALPINE KVM SETUP


setup-interfaces

ifup eth0

setup-apkrepos

apk update

apk add nano haveged lvm2 cryptsetup e2fsprogs syslinux

# Partition the disk (100 MB boot partition, second partition for the LUKS container holding LVM)

fdisk /dev/vda

m

n

# ... (create the two partitions interactively; 'm' prints the fdisk help menu)

# Wipe the partition with random data ('haveged -n 0' streams unlimited random bytes to stdout; dd stops when the partition is full)

haveged -n 0 | dd of=/dev/vda2

# Don't forget to run 'cryptsetup benchmark' first to check the best scheme for your system

cryptsetup -v -c serpent-xts-plain64 -s 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/vda2

# Open LUKS partition

cryptsetup open --type luks /dev/vda2 lvmcrypt

# The mapper name chosen here (lvmcrypt) must also be used for the cryptdm= setting in default_kernel_opts,

# shown further down in $MNT/etc/update-extlinux.conf

pvcreate /dev/mapper/lvmcrypt

# Create LVM partitions

vgcreate vg0 /dev/mapper/lvmcrypt

lvcreate -L 1G vg0 -n root

lvcreate -L 256M vg0 -n swap

lvcreate -L 500M vg0 -n home

lvcreate -L 50M vg0 -n tmp

# NOTE: lowercase -l (allocate by extents / percentage) rather than -L (size) for the 100%FREE allocation

lvcreate -l 100%FREE vg0 -n var

# Create filesystems

mkfs.ext2 /dev/vda1

mkfs.ext4 /dev/mapper/vg0-root

mkfs.ext4 /dev/mapper/vg0-home

mkfs.ext4 /dev/mapper/vg0-tmp

mkfs.ext4 /dev/mapper/vg0-var

mkswap /dev/mapper/vg0-swap

# Activate the LVM volumes

vgchange -a y

# Mount Partitions

mount -t ext4 /dev/vg0/root /mnt

mkdir /mnt/boot /mnt/home /mnt/tmp /mnt/var

mount -t ext4 /dev/vg0/home /mnt/home

mount -t ext4 /dev/vg0/tmp /mnt/tmp

# /tmp needs the sticky bit; set it on the mounted filesystem (ext4 has no mode= mount option)

chmod 1777 /mnt/tmp

mount -t ext4 /dev/vg0/var /mnt/var

mount -t ext2 /dev/vda1 /mnt/boot

swapon /dev/mapper/vg0-swap

# Install Alpine

setup-disk -m sys /mnt

# Setup crypttab (the first field must be the same mapper name used above and in cryptdm=)

echo "lvmcrypt /dev/vda2 none luks" > /mnt/etc/crypttab

# Setup fstab

# You could also refer to the devices by UUID (run 'blkid' to list them)

echo "/dev/mapper/vg0-root / ext4 defaults,errors=remount-ro 0 1" >> /mnt/etc/fstab

echo "/dev/mapper/vg0-var /var ext4 defaults 0 2" >> /mnt/etc/fstab

echo "/dev/mapper/vg0-home /home ext4 defaults 0 2" >> /mnt/etc/fstab

# (mode=1777 is a tmpfs option and ext4 rejects it, so the mount would fail; run 'chmod 1777 /mnt/tmp' on the mounted filesystem instead)

echo "/dev/mapper/vg0-tmp /tmp ext4 defaults,noexec,noatime,nodev,nosuid 0 2" >> /mnt/etc/fstab

echo "/dev/mapper/vg0-swap none swap sw 0 0" >> /mnt/etc/fstab

# Make vda1 bootable

fdisk /dev/vda

m

a

1

# Edit /mnt/etc/mkinitfs/mkinitfs.conf and make sure features="..." includes cryptsetup (the field is space-separated and quoted)

# Edit /mnt/etc/update-extlinux.conf and make sure default_kernel_opts="..." contains cryptroot=/dev/vda2 and cryptdm=lvmcrypt

# (this field is also space-separated and quoted)

# Also check that root= is set to /dev/mapper/vg0-root

extlinux --install /mnt/boot --update

# Rebuild the initramfs so it includes LUKS support (ignore extlinux errors)

apk fix --root /mnt linux-grsec

# Write MBR (also needed for LVM manual / custom installations)

dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/vda

# Change partition type to "8e" with fdisk for the LVM partition

fdisk /dev/vda

m

t

2

8e

w

# See instructions below for unmounting LVM volumes & closing the LUKS partition
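The three files edited by hand above (mkinitfs.conf, update-extlinux.conf, crypttab) are the usual source of an unbootable LUKS install, so it is worth checking them before running 'apk fix'. The following script is an added example and not part of the wiki page: it reads those files under a mount point and reports any mismatch between the cryptdm= mapper name, cryptroot=, root= and the crypttab entry. The function names and the constructed sample tree are this example's own.

```shell
# Added example, not from the wiki page: check the hand-edited boot settings
# before rebuilding the initramfs. Assumes $MNT/etc/mkinitfs/mkinitfs.conf,
# $MNT/etc/update-extlinux.conf and $MNT/etc/crypttab as laid out above.

# Print the value of the last key=value or key="value" line in a file.
conf_value() {
    line=$(grep "^[[:space:]]*$2=" "$1" 2>/dev/null | tail -n 1)
    [ -n "$line" ] || return 1
    val=${line#*=}; val=${val#\"}
    printf '%s\n' "${val%\"}"
}
# Succeed if the space-separated list $1 contains the word $2.
has_word() {
    for w in $1; do [ "$w" = "$2" ] && return 0; done
    return 1
}
# Print the value of key=$2 inside the kernel option string $1.
kopt_value() {
    for w in $1; do
        case "$w" in "$2="*) printf '%s\n' "${w#"$2="}"; return 0 ;; esac
    done
    return 1
}

# check_luks_boot MNT MAPPER LUKSDEV ROOTDEV: one line per problem found,
# exit status 0 only when every setting is consistent.
check_luks_boot() {
    mnt=$1 mapper=$2 luksdev=$3 rootdev=$4 rc=0
    features=$(conf_value "$mnt/etc/mkinitfs/mkinitfs.conf" features)
    kopts=$(conf_value "$mnt/etc/update-extlinux.conf" default_kernel_opts)
    root=$(conf_value "$mnt/etc/update-extlinux.conf" root)
    has_word "$features" cryptsetup || { echo "mkinitfs.conf: features lacks cryptsetup"; rc=1; }
    [ "$(kopt_value "$kopts" cryptroot)" = "$luksdev" ] || { echo "update-extlinux.conf: cryptroot is not $luksdev"; rc=1; }
    [ "$(kopt_value "$kopts" cryptdm)" = "$mapper" ] || { echo "update-extlinux.conf: cryptdm is not $mapper"; rc=1; }
    [ "$root" = "$rootdev" ] || { echo "update-extlinux.conf: root is not $rootdev"; rc=1; }
    # crypttab is optional, but if it names the LUKS device the name must match cryptdm
    name=$(awk -v d="$luksdev" '$2 == d { print $1 }' "$mnt/etc/crypttab" 2>/dev/null)
    [ -z "$name" ] || [ "$name" = "$mapper" ] || { echo "crypttab: $name does not match cryptdm=$mapper"; rc=1; }
    return $rc
}

# Constructed sample tree (not a real install) under $1; $2 is the crypttab name.
write_sample() {
    mkdir -p "$1/etc/mkinitfs"
    echo 'features="ata base ide scsi usb virtio ext4 cryptsetup"' > "$1/etc/mkinitfs/mkinitfs.conf"
    printf '%s\n' 'default_kernel_opts="quiet cryptroot=/dev/vda2 cryptdm=lvmcrypt"' \
        'root=/dev/mapper/vg0-root' > "$1/etc/update-extlinux.conf"
    echo "$2 /dev/vda2 none luks" > "$1/etc/crypttab"
}
# e.g. check_luks_boot /mnt lvmcrypt /dev/vda2 /dev/mapper/vg0-root
```

Run it against the real mount point with the same mapper, LUKS device and root volume names used in the walkthrough; a crypttab entry named "lvm" while cryptdm=lvmcrypt is exactly the kind of mismatch it reports.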



The following details for mounting your installation into a chroot may be helpful if you ever need to repair an installation:


# CHROOT MOUNTS ###

vgchange -a y

# Follow instructions above for mounting LVM partitions

cd /mnt

mount --bind /dev dev

mount -t devpts devpts dev/pts

mount -t tmpfs tmpfs dev/shm

mount -t proc proc proc

mount -t sysfs sysfs sys

chroot /mnt /bin/ash


# UNMOUNTING ###

umount dev/pts

umount dev/shm

umount dev

# proc and sys were mounted for the chroot too

umount proc

umount sys

umount /mnt/boot

umount /mnt/var

umount /mnt/home

umount /mnt/tmp

swapoff /dev/mapper/vg0-swap

umount /mnt

# Deactivate LVM volumes

vgchange -a n

# Close LUKS partition

cryptsetup luksClose lvmcrypt


--Stuart Cardall (talk) 19:53, 1 May 2014 (UTC)