Include:Parted UEFI with GPT disklabel
 Do not follow instructions here until this notice is removed. |
We'll be partitioning the storage device using parted utility. The EFI system partition mounted at /boot/efi will remain unencrypted and the remaining disk can be encrypted. This means GRUB2 will decrypt the LUKS volume and load the kernel from there, preventing someone with physical access to your computer from maliciously installing a rootkit (or bootkit) in your boot partition while your computer is not unlocked. The partitioning scheme will look like this:
+---------------------------+------------------------+-----------------------+ | Partition name | Partition purpose | Filesystem type | +---------------------------+------------------------+-----------------------+ | /dev/sda1 | EFI system partition | fat32 | | /dev/sda2 | LUKS container | LUKS | | |-> /dev/mapper/lvmcrypt | LVM container | LVM | | |-> /dev/vg01/root | Root partition | ext4 | | |-> /dev/vg01/boot | Boot partition | ext4 | | |-> /dev/vg01/swap | Swap partition | swap | +---------------------------+------------------------+-----------------------+
Create an EFI system partition of approximately 200MB, then assign the rest of the space to your LUKS partition.
# parted -a optimal (parted) mklabel gpt (parted) mkpart primary fat32 0% 200M (parted) name 1 esp (parted) set 1 esp on (parted) mkpart primary ext4 200M 100% (parted) name 2 crypto-luks
(parted) print Model: ATA TOSHIBA ******** (scsi) Disk /dev/sda: 1000GB Sector size (logical/physical): 512B/4096B Partition Table: msdos Disk Flags:
Number Start End Size Type File system Flags
1 1049kB 99.6MB 98.6MB primary ext4 boot 2 99.6MB 1000GB 1000GB primary ext4