
dm-crypt/LUKS and LVM on a runit install

So, I spent a few hours wrangling with this yesterday, and ArtixElf in the IRC suggested putting my process here to help out.

To start with, you'll want to boot and configure your installation environment as normal. Do the routine
Code:
# pacman -Syy
and other applicable things. If you're using the official Artix install media, you'll already have everything you need. Let me preface this by recommending you back up everything you care about before you do this, as you'll lose it all otherwise. This is not a reversible process as far as I know.

Partition your disks as you desire -- personally, I wanted encrypted swap, but I didn't want to have to decrypt 3 volumes at bootup, and having swap separately encrypted complicates resuming from hibernation. So, as I use UEFI, I started with a GPT disklabel, a single 500MB partition at the start of my SSD with type ef00, formatted it as FAT32, and made one other partition using the rest of my SSD with just the standard 8300 type. Perhaps I shouldn't have done that; looking at a guide meant for Arch, I supposedly should have set it to type 8E00. But it works as it is, so I'm not going to mess with it further.

I didn't format that partition directly, rather I ran
Code:
# cryptsetup luksFormat /dev/sda2
and then opened it using
Code:
# cryptsetup luksOpen /dev/sda2 rootfs
in my case. I realize that the term I named my encrypted volume here probably shouldn't have been used, but it's what I used at the time. I personally used a passphrase, but I'm sure if you wanted to use a passfile that'd be fine also. I imagine you'd want it to be on a separate drive, perhaps even removable, and mounted as /boot itself.

I also made one large partition on my hard drive for use as /home, did a luksFormat on it as well, and opened it too.

Then, for my use case, I needed LVM, so I proceeded to create a physical volume via
Code:
# pvcreate /dev/mapper/rootfs
and then a volume group via
Code:
# vgcreate artix /dev/mapper/rootfs
And here's where I made a mistake and overcomplicated things -- I also made a separate logical volume group for my encrypted contained /home partition. I suppose this gives me free rein to add to it later on to make a larger logical volume, but personally I see it as having needlessly overcomplicated my setup. But again, it works, so I'm not going to mess with it for the moment.

I formatted the mapped logical volume meant to be my root as ext4, and did the same to my mapped logical volume for /home. I formatted the swap logical volume and turned swap on. I mounted the root volume and made directories for /boot and /home to be mounted to, and mounted those respective volumes. I then installed my base system as normal using basestrap -- making sure to catch lvm2, cryptsetup, and their respective runit services as well as my bootloader, GRUB. I did the rest of my normal install tasks, like making sure I'd have networking (in my case it's via ethernet and controlled with dhcpcd), generating an fstab, chrooting and setting my root password, and setting my locale and timezone as well as my hostname.

I had to add the appropriate hooks to my mkinitcpio.conf, and rebuild my initramfs using
Code:
# mkinitcpio -p linux
In my case, I moved the keyboard hook to just after autodetect, and added encrypt, lvm2 and resume to just after block, in that order.

When it came time to install my bootloader, I had to make sure I added the appropriate command lines to make it decrypt and mount my logical volumes for root and swap, in my case appending
Code:
cryptdevice=UUID=(my partition's UUID):rootfs root=/dev/artix/rootfs resume=/dev/artix/swap
to the command line. I generated a config file as normal in /boot/grub/grub.cfg and then installed the bootloader using
Code:
# grub-install --target=x86_64-efi --efi-directory=/boot

On my first boot, I enabled the cryptsetup and lvm2 runit services by doing the usual symbolic linking from /etc/runit/sv to /run/runit/service. I had to add my /home to my crypttab -- in my case I again used a passphrase, though it makes it easy to specify a password file. I edited my fstab, changing the line that specified my home volume's UUID to /dev/mapper/home-home (the logical volume overtop of the encrypted volume). I then went about setting up my needed applications as normal, and this is where my "guide", really just a relation of my experience, leaves off.
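The two pieces of the post that are easy to get wrong are the mkinitcpio hook order (keyboard must precede encrypt so the passphrase can be typed, and encrypt, lvm2 and resume must follow block in that order) and the kernel command line appended for GRUB. The script below is an added example, not from the original post or from Artix; it checks a HOOKS line for that ordering and composes the cryptdevice/root/resume parameters. Volume names follow the post; the UUID is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): validate mkinitcpio HOOKS ordering
# for LVM on LUKS with resume, and build the GRUB kernel command line.

# hook_index HOOKS_LINE NAME -> prints the 1-based position of NAME in the
# HOOKS list, or 0 if absent. Accepts a raw 'HOOKS=(...)' or 'HOOKS="..."' line.
hook_index() {
    _list=$(printf '%s\n' "$1" | sed -e 's/^HOOKS=[("]//' -e 's/[)"]$//')
    _i=0
    for _h in $_list; do
        _i=$((_i + 1))
        [ "$_h" = "$2" ] && { printf '%s\n' "$_i"; return 0; }
    done
    printf '0\n'
}

# before HOOKS_LINE A B -> 0 only when both hooks are present and A precedes B.
before() {
    _a=$(hook_index "$1" "$2")
    _b=$(hook_index "$1" "$3")
    [ "$_a" -gt 0 ] && [ "$_b" -gt 0 ] && [ "$_a" -lt "$_b" ]
}

# check_hooks HOOKS_LINE -> 0 when the order is usable for the post's setup:
# keyboard and block before encrypt, encrypt before lvm2, lvm2 before resume,
# and resume before filesystems (otherwise the root LV is not mapped in time).
check_hooks() {
    before "$1" keyboard encrypt && before "$1" block encrypt \
        && before "$1" encrypt lvm2 && before "$1" lvm2 resume \
        && before "$1" resume filesystems
}

# build_cmdline PART_UUID MAPPER_NAME VG ROOT_LV SWAP_LV -> the parameters the
# post appends to the kernel command line (cryptdevice=, root=, resume=).
build_cmdline() {
    printf 'cryptdevice=UUID=%s:%s root=/dev/%s/%s resume=/dev/%s/%s\n' \
        "$1" "$2" "$3" "$4" "$3" "$5"
}

# Constructed sample: the ordering the post arrives at (keyboard moved after
# autodetect; encrypt, lvm2, resume inserted after block).
SAMPLE_HOOKS='HOOKS=(base udev autodetect keyboard modconf block encrypt lvm2 resume filesystems fsck)'
SAMPLE_UUID='0000-PLACEHOLDER-UUID'   # constructed placeholder, not a real UUID

check_hooks "$SAMPLE_HOOKS" && echo "HOOKS order ok"
build_cmdline "$SAMPLE_UUID" rootfs artix rootfs swap
```

Run it against your own HOOKS line (for example `check_hooks "$(grep '^HOOKS=' /etc/mkinitcpio.conf)"`) before rebuilding the initramfs.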

Re: dm-crypt/LUKS and LVM on a runit install

Reply #1
welcome and thank you, this is very useful.

Re: dm-crypt/LUKS and LVM on a runit install

Reply #2
I have a similar LUKS/LVM setup myself. Mine is LVM on LUKS with an unencrypted boot partition. Perhaps one could be more paranoid and lock down the boot partition as well, but that adds a ton of complexity without much discernible benefit in my opinion.

Quote
$ lsblk
NAME             MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                8:0    0 931.5G  0 disk 
├─sda1             8:1    0   200M  0 part  /boot
└─sda2             8:2    0 931.3G  0 part 
  └─cryptolvm    254:0    0 931.3G  0 crypt
    ├─MyVol-swap 254:1    0     8G  0 lvm   [SWAP]
    ├─MyVol-root 254:2    0    15G  0 lvm   /
    └─MyVol-home 254:3    0 908.3G  0 lvm   /home
sr0               11:0    1  1024M  0 rom  

One of the really nice things about mkinitcpio is that you can load files on boot with it. I have a keyfile (which is just random data of course) that is set to read-only by root which is used to automatically unlock the encrypted block on boot. If someone has root permissions on your box, you're screwed anyway so I don't view it as a bad security practice.