#1 2015-02-25 22:02:11

Hugao
Member
From: Portugal
Registered: 2014-02-25
Posts: 27
Website

Encrypt and existence system

Hey there,
So I have my Arch and it isn't encrypted, and I want to encrypt it, but without losing my current settings. I kinda know what I need to do, but I want to be sure I'm doing it right.
First, my disk scheme:

sda1 -> 512M fat32 /boot
sda2 -> 100G ext4 /
sda3 -> 4G linux-swap
sda4 -> 646G ext4 /home

Then the process

Do a system wide backup
Create .img files for sda2 and sda4 using dd
Delete sda2, sda3, sda4
Create a LUKS encrypted partition
Recreate the original sda2, sda3 and sda4 but with LVM
Apply the .img to the partition using dd
Update the bootloader to the new scheme

I'm using UEFI, but since I'm keeping the original boot partition it shouldn't be a problem, right?

What do you think?

Thanks in advance.

#2 2015-02-25 22:15:57

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,231
Website

Re: Encrypt and existence system

Use rsync instead of dd. No need to copy empty blocks, and your new sda{2,3,4} aren't likely to be identically sized to your current ones.

#3 2015-02-25 22:51:02

Hugao
Member
From: Portugal
Registered: 2014-02-25
Posts: 27
Website

Re: Encrypt and existence system

fukawi2 wrote:

Use rsync instead of dd. No need to copy empty blocks, and your new sda{2,3,4} aren't likely to be identically sized to your current ones.

Hey fukawi2,
So, instead of using dd I will use rsync, but besides that, it's all good?

About the update of gummiboot, I should use

title Arch Linux
linux	/vmlinuz-linux
initrd /initramfs-linux.img
options cryptdevice=UUID=<UUID>:<mapped-name> root=UUID=<luks-UUID> quiet ro
options root=/dev/mapper/<VolumeGroup-LogicalVolume> rw

Am I right?

And about fstab, I can use

genfstab -U -p /mnt >> /mnt/etc/fstab

like in a normal install?

#4 2015-02-26 17:14:25

teateawhy
Member
From: GER
Registered: 2012-03-05
Posts: 1,138
Website

Re: Encrypt and existence system

Hugao wrote:

About the update of gummiboot, I should use

title Arch Linux
linux	/vmlinuz-linux
initrd /initramfs-linux.img
options cryptdevice=UUID=<UUID>:<mapped-name> root=UUID=<luks-UUID> quiet ro
options root=/dev/mapper/<VolumeGroup-LogicalVolume> rw

Am I right?

Some notes about the kernel options:
Why do you specify the "root" parameter twice? That does not make sense.
I am not sure if gummiboot supports having two lines starting with "options", better make it a single line.
You specify "ro" and "rw", which conflict with each other. Remove the ro parameter.

And about fstab, I can use

genfstab -U -p /mnt >> /mnt/etc/fstab

like in a normal install?

That should work, but make sure that you have mounted all the LVM volumes properly on /mnt.

Also check that you are *not* using the "systemd" hook in /etc/mkinitcpio.conf. Otherwise you would need a different configuration.

#5 2015-02-26 19:13:44

Hugao
Member
From: Portugal
Registered: 2014-02-25
Posts: 27
Website

Re: Encrypt and existence system

teateawhy wrote:

Some notes about the kernel options:
Why do you specify the "root" parameter twice? That does not make sense.
I am not sure if gummiboot supports having two lines starting with "options", better make it a single line.
You specify "ro" and "rw", which conflict with each other. Remove the ro parameter.

I just missed the root on the first one xD oops
So, it will stay
options cryptdevice=UUID=<UUID>:<mapped-name> root=UUID=<luks-UUID> quiet rw

teateawhy wrote:

Also check that you are *not* using the "systemd" hook in /etc/mkinitcpio.conf. Otherwise you would need a different configuration.

My current /etc/mkinitcpio.conf

# vim:set ft=sh
# MODULES
# The following modules are loaded before any boot hooks are
# run.  Advanced users may wish to specify all system modules
# in this array.  For instance:
#     MODULES="piix ide_disk reiserfs"
MODULES="i915"

# BINARIES
# This setting includes any additional binaries a given user may
# wish into the CPIO image.  This is run last, so it may be used to
# override the actual binaries included by a given hook
# BINARIES are dependency parsed, so you may safely ignore libraries
BINARIES=""

# FILES
# This setting is similar to BINARIES above, however, files are added
# as-is and are not parsed in any way.  This is useful for config files.
FILES=""

# HOOKS
# This is the most important setting in this file.  The HOOKS control the
# modules and scripts added to the image, and what happens at boot time.
# Order is important, and it is recommended that you do not change the
# order in which HOOKS are added.  Run 'mkinitcpio -H <hook name>' for
# help on a given hook.
# 'base' is _required_ unless you know precisely what you are doing.
# 'udev' is _required_ in order to automatically load modules
# 'filesystems' is _required_ unless you specify your fs modules in MODULES
# Examples:
##   This setup specifies all modules in the MODULES setting above.
##   No raid, lvm2, or encrypted root is needed.
#    HOOKS="base"
#
##   This setup will autodetect all modules for your system and should
##   work as a sane default
#    HOOKS="base udev autodetect block filesystems"
#
##   This setup will generate a 'full' image which supports most systems.
##   No autodetection is done.
#    HOOKS="base udev block filesystems"
#
##   This setup assembles a pata mdadm array with an encrypted root FS.
##   Note: See 'mkinitcpio -H mdadm' for more information on raid devices.
#    HOOKS="base udev block mdadm encrypt filesystems"
#
##   This setup loads an lvm2 volume group on a usb device.
#    HOOKS="base udev block lvm2 filesystems"
#
##   NOTE: If you have /usr on a separate partition, you MUST include the
#    usr, fsck and shutdown hooks.
HOOKS="base udev plymouth autodetect modconf block filesystems keyboard fsck"

# COMPRESSION
# Use this to compress the initramfs image. By default, gzip compression
# is used. Use 'cat' to create an uncompressed image.
#COMPRESSION="gzip"
#COMPRESSION="bzip2"
#COMPRESSION="lzma"
#COMPRESSION="xz"
#COMPRESSION="lzop"
#COMPRESSION="lz4"

# COMPRESSION_OPTIONS
# Additional options for the compressor
#COMPRESSION_OPTIONS=""

Do I need to change something, besides plymouth to plymouth-encrypt and adding lvm2? Like

HOOKS="base udev plymouth-encrypt lvm2 autodetect modconf block filesystems keyboard fsck"

Another question,
since I'm using LVM, do I need /etc/crypttab?

#6 2015-02-26 19:30:56

teateawhy
Member
From: GER
Registered: 2012-03-05
Posts: 1,138
Website

Re: Encrypt and existence system

Hugao wrote:

I just missed the root on the first one xD oops
So, it will stay
options cryptdevice=UUID=<UUID>:<mapped-name> root=UUID=<luks-UUID> quiet rw

The root parameter should be the way it was in the second line.

root=/dev/mapper/<VolumeGroup-LogicalVolume>

or, a bit shorter

root=/dev/<VolumeGroup>/<LogicalVolume>

Do I need to change something, besides plymouth to plymouth-encrypt and adding lvm2? Like

HOOKS="base udev plymouth-encrypt lvm2 autodetect modconf block filesystems keyboard fsck"

I never heard of plymouth-encrypt, but if it works the same as encrypt, then it is correct.

Another question,
since I'm using LVM, do I need /etc/crypttab?

No.

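The checks raised in posts #4 and #6, written out as an added example that is not part of the original thread: a small linter for a gummiboot entry and for the HOOKS line of mkinitcpio.conf. The function names `lint_entry` and `lint_hooks`, the finding labels, and the sample UUID and volume names are all constructed for illustration; the last entry check assumes LVM on LUKS, where `root=` must name the logical volume rather than the LUKS container.

```shell
#!/bin/sh
# Added example, not from the thread. Sample values are constructed.

# lint_entry FILE: print one finding per line for a gummiboot loader entry.
lint_entry() {
    # Split every "options" line into one kernel parameter per line.
    params=$(sed -n 's/^options[[:space:]]*//p' "$1" | tr -s ' \t' '\n')
    if [ "$(grep -c '^options[[:space:]]' "$1" || true)" -gt 1 ]; then
        echo "multiple-options-lines"
    fi
    if [ "$(printf '%s\n' "$params" | grep -c '^root=' || true)" -gt 1 ]; then
        echo "duplicate-root"
    fi
    if printf '%s\n' "$params" | grep -qx 'ro' &&
       printf '%s\n' "$params" | grep -qx 'rw'; then
        echo "ro-rw-conflict"
    fi
    # cryptdevice=UUID=<uuid>:<name> names the LUKS container itself; a
    # root= with the same UUID points at ciphertext, not a filesystem.
    luks=$(printf '%s\n' "$params" |
        sed -n 's/^cryptdevice=UUID=\([^:]*\):.*/\1/p' | head -n 1)
    if [ -n "$luks" ] &&
       printf '%s\n' "$params" | grep -qxF "root=UUID=$luks"; then
        echo "root-is-luks-container"
    fi
    return 0
}

# lint_hooks FILE: check the active HOOKS line of an mkinitcpio.conf.
lint_hooks() {
    hooks=$(sed -n 's/^HOOKS=["(]\(.*\)[")]$/\1/p' "$1")
    case " $hooks " in *" systemd "*) echo "systemd-hook" ;; esac
    case " $hooks " in
        *" encrypt "*|*" plymouth-encrypt "*) ;;
        *) echo "missing-encrypt" ;;
    esac
    case " $hooks " in *" lvm2 "*) ;; *) echo "missing-lvm2" ;; esac
    return 0
}

# Constructed demo input: an entry shaped like the first draft in the thread.
demo=$(mktemp -d)
cat > "$demo/arch.conf" <<'EOF'
options cryptdevice=UUID=0000-constructed:cryptlvm root=UUID=0000-constructed quiet ro
options root=/dev/mapper/vg0-root rw
EOF
lint_entry "$demo/arch.conf"
rm -rf "$demo"
```

An entry with a single `options` line, one `root=/dev/mapper/...` parameter and only `rw` produces no findings.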

#7 2015-02-26 19:40:19

Hugao
Member
From: Portugal
Registered: 2014-02-25
Posts: 27
Website

Re: Encrypt and existence system

teateawhy wrote:

The root parameter should be the way it was in the second line.

root=/dev/mapper/<VolumeGroup-LogicalVolume>

or, a bit shorter

root=/dev/<VolumeGroup>/<LogicalVolume>

Roger that :)

teateawhy wrote:

I never heard of plymouth-encrypt, but if it works the same as encrypt, then it is correct.

On the Wiki it says that if I'm using encrypt I should use plymouth-encrypt instead.
