I'm about to give Arch (64-bit) a shot and will be replacing an existing Slackware installation on a laptop, currently LVM on LUKS with a passphrase. With this installation I'm looking to switch the setup to a keyfile on a usb drive. Once system is up and running I'll look at adding GPG to the mix. Coming from my current setup a few things are new such as grub, GPT and systemd. I've put the following together from the wiki, a few other forum posts and current config files under Slack. Hoping to get some eyes on what I've put together here so I can make sure I'm not overlooking anything and minimize the down time making the switch. All input will be helpful and appreciated. Thank you.
1. Partition Drive
/boot - unencrypted (ext2)
/lvm - encrypted (lvm)
# gdisk /dev/sda
# o (start from scratch)
1.1 Create BIOS boot partition
# n
# +1007K (type ef02)
1.2 Create other partitions
# n
# +xG (where x=# of GB)
** select partition type (0700) for boot (8e00) for lvm
# w (write table)
2. Create LUKS
# modprobe dm-crypt
2.1 Format LUKS partitions
# cryptsetup -c aes-xts-plain -y -s 512 luksFormat /dev/sda2
2.2 Open LUKS partitions
# cryptsetup luksOpen /dev/sda2 lvmpool
2.3. Create LVM
# modprobe dm-mod
# pvcreate /dev/sda2
# vgcreate cryptvg /dev/sda2
# lvcreate -L 50G cryptvg -n root
# lvcreate -L 50G cryptvg -n var
# lvcreate -L 1G cryptvg -n swap
# lvcreate -L 400G cryptvg -n home
# lvdisplay
# vgscan
# vgchange -ay
3. Create filesystems
# mkfs.ext4 /dev/mapper/root
# mkfs.ext4 /dev/mapper/var
# mkfs.ext4 /dev/mapper/home
# mkswap /dev/mapper/swap
4. Mount partitions
# mount /dev/mapper/root /mnt
# mount /dev/sda1 /mnt/boot
# mount /dev/mapper/var /mnt/var
# mount /dev/mapper/home /mnt/home
# swapon /dev/mapper/swap
6. Configure Wireless
# wifi-menu
7. Install Base System
# emacs /etc/pacman.d/mirrorlist
# pacstrap /mnt base
8. Generate fstab and chroot
# genfstab -p /mnt >> /mnt/etc/fstab
# arch-chroot /mnt
9. Hostname, timezone, locale, keymap
10. Create cryptkey
10.1 Mount USB Stick
# mount /dev/sdb1 /mnt/usb
10.2 Create keyfile
# dd if=/dev/urandom of=/mnt/usb/cryptkey bs=512 count=4
10.3 Add keyslot to LUKS header
# cryptsetup luksAddKey /dev/sda2 /mnt/usb/cryptkey
11. Configure mkinitcpio.conf
# emacs /etc/mkinitcpio.conf
MODULES="nls_cp437 ext2"
HOOKS="base autodetect keymap encrypt lvm2 fsck openswap resume filesystems shutdown"
# mkinitcpio -p linux
12. Set root password
13. Configure network in new env
13.1 Install wpa_supplicant and configure
13.2 Create startup scripts
# emacs /etc/systemd/system/network-wireless@.service
[Unit]
Description=Wireless network connectivity (%i)
Wants=network.target
Before=network.target
BindsTo=sys-subsystem-net-devices-%i.device
After=sys-subsystem-net-devices-%i.device
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/ip link set dev %i up
ExecStart=/usr/bin/wpa_supplicant -B -i %i -c /etc/wpa_supplicant.conf
ExecStart=/usr/bin/dhcpcd %i
ExecStop=/usr/bin/ip link set dev %i down
[Install]
WantedBy=multi-user.target
# systemctl enable network-wireless@wlan0.service
# systemctl start network-wireless@wlan0.service
14. Install GRUB and config
# pacman -S grub
# mkdir /boot/grub
# modprobe dm-mod
# grub-install --target=x86_64 --recheck --debug /dev/sda
14.1 Edit config
# emacs /etc/default/grub
GRUB_GFXMODE=1024x768x32
GRUB_GFXPAYLOAD_LINUX=keep
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:cryptvg cryptkey=/dev/disk/by-uuid/xxxx/cryptkey root=/dev/mapper/cryptvg-root"
# grub-mkconfig -o /boot/grub/grub.cfg
15. Unmount and Reboot
Offline
First welcome to Arch, well, you made quite some work of it already.
#4: the mkdir part is missing
#8: would use UUIDs or labels.
I don't know if there are big mistakes in it, but it looks like you can start, don't see missing things, at a first glance.
Don't know about that keyfile part though, never used it. Don't be worried, Arch is still linux, like Slack is.
Happy Rolling!
Offline
Welcome from me too,
in addition to qinohe's suggestion, the following:
#2: do a "cryptsetup benchmark" before luksFormat quickly to confirm the cipher you want to use is a good choice performance-wise.
#2: You prepare for LVM on LUKS (?), but in 2.3 you pvcreate /dev/sda2 directly. I suggest you use pvcreate /dev/mapper/lvmpool there. See: https://wiki.archlinux.org/index.php/En … VM_on_LUKS
#8: genfstab also has a -L option I remember: https://wiki.archlinux.org/index.php/In … the_system
#13.2: your wireless device will be something else than wlan0, just be aware and check it on installation
#14.1: For LVM on LUKS you should be able to leave out the root= entry. It should be autogenerated
Offline
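Added example, not part of any post in this thread: a post-install check for the layering point raised in the #2 comment above (the LVM physical volume belongs on /dev/mapper/lvmpool, not on /dev/sda2). It reads `lsblk -P -o NAME,TYPE,FSTYPE` output on stdin; the function names and the two sample layouts are constructed for illustration.

```sh
#!/bin/sh
# Added example: confirm every LVM physical volume sits on a dm-crypt mapping.
# Input: output of `lsblk -P -o NAME,TYPE,FSTYPE` on stdin.

# Print the value of KEY="value" from one lsblk -P line. The leading space
# in the pattern keeps TYPE from matching inside FSTYPE.
field() {
    printf ' %s\n' "$2" | sed -n "s/.* $1=\"\([^\"]*\)\".*/\1/p"
}

check_pv_layering() {
    rc=0; found=0
    while IFS= read -r line; do
        [ "$(field FSTYPE "$line")" = "LVM2_member" ] || continue
        found=1
        name=$(field NAME "$line"); kind=$(field TYPE "$line")
        if [ "$kind" = "crypt" ]; then
            echo "ok: PV on dm-crypt mapping $name"
        else
            echo "FAIL: PV directly on $kind $name (not inside LUKS)"
            rc=1
        fi
    done
    [ "$found" -eq 1 ] || { echo "FAIL: no LVM physical volume found"; rc=1; }
    return "$rc"
}

# Constructed sample: PV created on the opened LUKS mapping.
GOOD_LAYOUT='NAME="sda1" TYPE="part" FSTYPE="ext2"
NAME="sda2" TYPE="part" FSTYPE="crypto_LUKS"
NAME="lvmpool" TYPE="crypt" FSTYPE="LVM2_member"
NAME="cryptvg-root" TYPE="lvm" FSTYPE="ext4"'

# Constructed sample: PV created on the raw partition instead.
BAD_LAYOUT='NAME="sda1" TYPE="part" FSTYPE="ext2"
NAME="sda2" TYPE="part" FSTYPE="LVM2_member"
NAME="cryptvg-root" TYPE="lvm" FSTYPE="ext4"'

printf '%s\n' "$GOOD_LAYOUT" | check_pv_layering || true
printf '%s\n' "$BAD_LAYOUT" | check_pv_layering || true
```

On an installed system, feed it live data with `lsblk -P -o NAME,TYPE,FSTYPE | check_pv_layering`.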
Greetings! First off thank you to qinohe and Strike0.
The install went smoothly but not without some headaches. I have so many notes scribbled all over the place I'm not sure what pertains to the original guide and what were fixes I tried and didn't work. So below will only be a few things I can definitely say were corrections to the original guide I put together, I hope this information is helpful for anyone else attempting a similar setup. Just to note these are additions to what qinohe and Strike0 mentioned above.
4) The volume to mount should include the volume group (eg. mount /dev/mapper/cryptvg-root /mnt)
11) I removed openswap from the hooks, I haven't fully explored how to hibernate/suspend to swap yet. Since I didn't have a hookfile created it was giving me warning messages so I removed it.
13) So this is weird, the startup script I copied from the wiki doesn't work, wpa_supplicant and everything is configured properly but it seems to have issues autoloading through systemd. If I use systemctl to stop the service and then just run dhcpcd on my wireless device it seems to make the connection with wpa_supplicant on its own and request an ip. I plan on searching this more thoroughly.
14) GRUB was where the big headaches came from. To clarify this setup is GPT+BIOS so in order to install GRUB to the MBR properly I needed --target=i386-pc. Initially I had just written it as x86_64 however this isn't an option. The choices are i386-pc or x86_64-efi. I was confused here because the system is x86_64 however it is BIOS not UEFI.
Once that was sorted out, the remaining issues were coming from GRUB_CMDLINE_LINUX. I got it working using the UUID but the two issues I resolved were as follows:
For cryptdevice the part after the : is the volumegroup as I had above. I was trying a bunch of different things here and finally came back to realizing I initially had it correct.
The second issue was I didn't pay attention to the proper format for how the cryptkey line is supposed to be formatted, what is above is incorrect. It should look like this:
cryptkey=/dev/disk/by-uuid/xxxx:ext2:/cryptkey
Where ext is the fstype for the usb drive, note the two : as well as the leading /
And not a problem but worth mentioning is emacs is not installed by default so I just used nano, once my system was up and running I then installed emacs
So other than that I can say I have arch installed and everything is great. I love the similarities in minimalist style to Slackware, but the dependency management is a huge bonus here! There are still some issues I need to work out but they don't pertain to the installation and I will do some searching and post new topics if questions arise.
Cheers,
don
Offline
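Added example, not part of the post above: a format check for the two kernel parameters discussed in point 14, run against the original and the corrected GRUB_CMDLINE_LINUX values from this thread. The function names are hypothetical, only the device:fstype:path form of cryptkey described in the post is checked, and device names are assumed to contain no ':'.

```sh
#!/bin/sh
# Added example: format check for the encrypt hook's kernel parameters.
# Assumption: device names contain no ':' (true for /dev/sdXN and by-uuid paths).

# cryptkey=device:fstype:path  (keyfile stored on a filesystem)
check_cryptkey() {
    case $1 in
        *:*:*:*) echo "too many ':' separated fields"; return 1 ;;
        *:*:*)   ;;
        *)       echo "expected device:fstype:path"; return 1 ;;
    esac
    dev=${1%%:*}; rest=${1#*:}
    fstype=${rest%%:*}; path=${rest#*:}
    [ -n "$dev" ] || { echo "empty device"; return 1; }
    case $fstype in
        ''|*/*) echo "fstype missing or looks like a path"; return 1 ;;
    esac
    case $path in
        /*) ;;
        *)  echo "key path needs a leading /"; return 1 ;;
    esac
    echo "ok device=$dev fstype=$fstype path=$path"
}

# Walk a kernel command line and check cryptdevice= and cryptkey=.
check_cmdline() {
    rc=0; seen_dev=0
    for arg in $1; do
        case $arg in
            cryptdevice=*)
                seen_dev=1
                case ${arg#cryptdevice=} in
                    ?*:?*) echo "cryptdevice: ok" ;;
                    *)     echo "cryptdevice: expected device:name"; rc=1 ;;
                esac ;;
            cryptkey=*)
                msg=$(check_cryptkey "${arg#cryptkey=}") || rc=1
                echo "cryptkey: $msg" ;;
        esac
    done
    [ "$seen_dev" -eq 1 ] || { echo "cryptdevice: missing"; rc=1; }
    return "$rc"
}

# Values from the thread; xxxx is the thread's own UUID placeholder.
ORIGINAL='cryptdevice=/dev/sda2:cryptvg cryptkey=/dev/disk/by-uuid/xxxx/cryptkey root=/dev/mapper/cryptvg-root'
CORRECTED='cryptdevice=/dev/sda2:cryptvg cryptkey=/dev/disk/by-uuid/xxxx:ext2:/cryptkey'
check_cmdline "$ORIGINAL" || true
check_cmdline "$CORRECTED" || true
```

After a reboot, `check_cmdline "$(cat /proc/cmdline)"` checks the parameters the kernel was actually booted with.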
Glad you made it...Well, I guess you chose a nice distro in Arch, it has never disappointed me so far, and true, dependency hell is heaven here on Arch,
I guess the issues you call are mostly in the wiki, but may be a little different to slack. Yeah, the ISO is just minimal
As for the other things, yes Grub can be a 'bitch', to get it right;), don't know about openswap?, and you'll fix wpa_supplicant I guess...
I don't know if Slack uses systemd already, but I thought not, it is wise to dive into it, as a lot of administration is/can be done this way.
Offline