HomeHammer (n00b) - Joined: 21 Sep 2013, Posts: 10
Posted: Sun Oct 27, 2013 4:48 pm Post subject: Gentoo in fde with lvm2 and luks
First of all I want to say that I could install Gentoo without this, and the reason I want this is because I'm too paranoid and also have this on my main Debian machine. That being said, I want to do this on Gentoo to migrate from Debian to Gentoo.
I followed many tutorials on how to do this but none had the thing I need, so I adapted them to my needs; the problem is none of them work for me and they all do things differently.
What I want to do is create an unencrypted /boot partition on a pen drive with one key, then when the system starts I want to be asked for another password made by me (not sure if this is possible).
On the hard drive I want to use LVM for ease of expansion, like /dev/sda1 Linux system and /dev/sda5 extended, to create the following partitions: /, swap, /home, /tmp (destroy logs from disk and take them elsewhere).
I could also do this with /boot on disk (like I have on my Debian machine) but I would prefer not to (I want to improve my security).
Also I'm thinking of upgrading to an SSD, so ext4 for the filesystem, or something else?
For the bootloader I have GRUB2 but I think GRUB would do the trick also.
This would be for a desktop/notebook.
Could someone point me to some tutorial on how to do this, because I really want to do this and change to Gentoo to make my system truly my own piece by piece.
Sorry if any mistakes were made
HomeHammer (n00b) - Joined: 21 Sep 2013, Posts: 10
Posted: Sat Nov 02, 2013 7:14 pm
Was able to do some things with this but it's still not perfect; when I figure it out I will post something saying what I did.
Community seems a little bit dead around here, or is it just my impression?
f4c3m3l70r (n00b) - Joined: 19 Jul 2011, Posts: 47
Posted: Sat Nov 02, 2013 10:50 pm
I've tried a somewhat outdated howto, but upon reboot I got a kernel panic "no lvm volumes found".
Don't know what exactly went wrong but it seems like a wrong grub2 configuration. I'm on the x86_64-hardened-nomultilib profile and legacy grub is masked.
/etc/defaults/grub
Code:
GRUB_DISTRIBUTOR="Gentoo"
GRUB_DEFAULT=0
GRUB_HIDDEN_TIMEOUT=0
GRUB_HIDDEN_TIMEOUT_QUIET=true
GRUB_TIMEOUT=3
GRUB_GFXPAYLOAD_LINUX="1280x1024"
GRUB_PRELOAD_MODULES="crypto cryptodisk ext2 gzio lvm luks lzopio part_gpt"
GRUB_CMDLINE_LINUX="dolvm root=/dev/mapper/cryptroot"
GRUB_DISABLE_LINUX_UUID=false
GRUB_DISABLE_RECOVERY=true
Sorry for the copy & paste, but pastebin was under heavy load.
Tractor Girl (Apprentice) - Joined: 16 May 2013, Posts: 159
Posted: Sun Nov 03, 2013 12:10 am
These are additional steps you need to make (apart from what's in the handbook)
Code:
cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 512 --hash sha512 --use-urandom /dev/sda3
cryptsetup luksOpen /dev/sda3 luks_gentoo
pvcreate /dev/mapper/luks_gentoo
vgcreate gentoo /dev/mapper/luks_gentoo
lvcreate -L 10G -n root gentoo         # 10GB root partition
lvcreate -L 4G -n swap gentoo          # 4GB swap partition
lvcreate -l +100%FREE -n home gentoo   # home partition on all the free space that is left
Create filesystems:
Code:
mkfs.ext4 /dev/mapper/gentoo-root
mkfs.ext4 /dev/mapper/gentoo-home
mkswap /dev/mapper/gentoo-swap
# ... and so on for any other logical volumes you created
When compiling the kernel make sure that you have dm-crypt and LVM in there.
Emerge genkernel with the "crypt" and "cryptsetup" USE flags.
Create the initramfs:
Code:
genkernel --lvm --luks --install initramfs
/etc/fstab should look like this:
Code:
/dev/mapper/gentoo-root / ext4 noatime 0 1
/dev/mapper/gentoo-home /home ext4 defaults 0 2
/dev/mapper/gentoo-swap none swap sw 0 0
Grub2 configuration:
vi /etc/grub.d/06_gentoo
Code:
#!/bin/sh
# This file must be executable (chmod +x), otherwise grub-mkconfig skips it.
cat <<EOF
menuentry 'Gentoo' --class gentoo --class gnu-linux --class gnu --class os {
    load_video
    insmod gzio
    insmod part_msdos
    insmod ext2
    set root='(hd0,msdos1)'
    # UUID of the filesystem that holds the kernel and initramfs (/boot)
    search --no-floppy --fs-uuid --set=root 67e94334-a5b5-4e46-a012-80a347239876
    linux /vmlinuz-3.10.1-gentoo-amd64 crypt_root=/dev/sda3 root=/dev/mapper/gentoo-root ro quiet dolvm docrypt
    initrd /initrd.img-3.10.1-gentoo-amd64
}
EOF
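An added example, not code from this thread or from any of its posters: the shell functions below check a genkernel kernel command line before you reboot into it. They compute the /dev/mapper name LVM gives a logical volume (a hyphen inside a VG or LV name is doubled, which is easy to get wrong in real_root=) and report a missing crypt_root=, a missing dolvm (the usual reason for "no lvm volumes found" with the genkernel initramfs of that era), a real_root= or root= that does not point at the expected mapper node, and a root_key= given without root_keydev=. The parameter names are genkernel's; the command lines in the checks are constructed from the ones posted above.

```sh
#!/bin/sh
# Added example, not from the thread: sanity-check a genkernel kernel command
# line for a LUKS + LVM root before rebooting into it. Parameter names
# (crypt_root, real_root, dolvm, root_key, root_keydev) are genkernel's.

# LVM names the device-mapper node <vg>-<lv> and escapes every '-' inside a
# VG or LV name as '--': VG "my-vg" + LV "root" is /dev/mapper/my--vg-root.
lvm_mapper_name() {
    vg=$(printf '%s\n' "$1" | sed 's/-/--/g')
    lv=$(printf '%s\n' "$2" | sed 's/-/--/g')
    printf '/dev/mapper/%s-%s\n' "$vg" "$lv"
}

# cmdline_get CMDLINE KEY: print the value of KEY=value, fail if absent.
cmdline_get() {
    for word in $1; do
        case "$word" in
            "$2"=*) printf '%s\n' "${word#*=}"; return 0 ;;
        esac
    done
    return 1
}

# cmdline_has_flag CMDLINE FLAG: succeed if FLAG appears as a bare word.
cmdline_has_flag() {
    for word in $1; do
        [ "$word" = "$2" ] && return 0
    done
    return 1
}

# check_cmdline CMDLINE VG LV: print one line per problem, return 1 if any.
check_cmdline() {
    cmdline=$1 vg=$2 lv=$3 rc=0
    expected=$(lvm_mapper_name "$vg" "$lv")

    if ! cmdline_get "$cmdline" crypt_root >/dev/null; then
        echo "missing crypt_root= (the initramfs will never luksOpen the container)"
        rc=1
    fi
    if ! cmdline_has_flag "$cmdline" dolvm; then
        echo "missing dolvm (without it the initramfs does not activate the volume group)"
        rc=1
    fi
    # genkernel accepts either real_root= or root= for the real root device.
    real_root=$(cmdline_get "$cmdline" real_root) || real_root=$(cmdline_get "$cmdline" root)
    if [ -z "$real_root" ]; then
        echo "missing real_root= (or root=) pointing at the root LV"
        rc=1
    elif [ "$real_root" != "$expected" ]; then
        echo "real_root=$real_root does not match LV $vg/$lv (expected $expected)"
        rc=1
    fi
    # A keyfile on removable media needs the device it lives on as well.
    if cmdline_get "$cmdline" root_key >/dev/null && ! cmdline_get "$cmdline" root_keydev >/dev/null; then
        echo "root_key= given without root_keydev= (the initramfs cannot find the key)"
        rc=1
    fi
    return $rc
}
```

Run it as `check_cmdline "<your kernel line>" <vg> <lv>` against the exact string from grub.conf before rebooting; an empty output and exit status 0 means the three things the initramfs needs (container, volume group activation, root LV) are all there.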
f4c3m3l70r (n00b) - Joined: 19 Jul 2011, Posts: 47
Posted: Mon Nov 04, 2013 2:42 pm
Should I encrypt the drive before or after creating logical volumes?
Maybe that's why my volumes aren't detected during boot.
Tractor Girl (Apprentice) - Joined: 16 May 2013, Posts: 159
Posted: Mon Nov 04, 2013 6:14 pm
Quote: Should I encrypt the drive before or after creating logical volumes?
Before.
First, create one big encrypted partition (and an unencrypted /boot partition):
Code:
cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 512 --hash sha512 --use-urandom /dev/sda?
cryptsetup luksOpen /dev/sda? luks_gentoo
Next, create a physical volume, a volume group and logical volumes on it:
Code:
pvcreate /dev/mapper/luks_gentoo
vgcreate gentoo /dev/mapper/luks_gentoo
lvcreate -L 10G -n root gentoo
lvcreate -L 4G -n swap gentoo
lvcreate -l +100%FREE -n home gentoo
f4c3m3l70r (n00b) - Joined: 19 Jul 2011, Posts: 47
Posted: Tue Nov 05, 2013 4:57 pm
Finally I did it! \o/
Genkernel was using the wrong kernel config from /etc/kernel......
I remember the handbook told me something about /etc/share/genkernel/arch..... some time ago.
HomeHammer (n00b) - Joined: 21 Sep 2013, Posts: 10
Posted: Mon Dec 09, 2013 9:12 pm
Tractor Girl wrote: These are additional steps you need to make (apart from what's in the handbook) [...]
That really helped me.
I was able to do this; now I want to take it to the next level:
How about using /boot on USB? What filesystem? ext2?
Use btrfs for the other partitions instead of ext4, since I think it's better with EFI, don't know for sure.
Create swap outside the LVM and format and create random swap every time the system reboots. I don't need to hibernate or suspend to disk. But if I wanted to, would I be able to do the same with swap?
Thanks again for this, it really helped me
HomeHammer (n00b) - Joined: 21 Sep 2013, Posts: 10
Posted: Fri Mar 07, 2014 11:58 pm
I finally achieved it like I wanted.
Only one partition with LVM + LUKS.
USB with boot and keys to decrypt the partition.
If anyone wants to know what I did, just ask here.
Hu (Moderator) - Joined: 06 Mar 2007, Posts: 21635
Posted: Sat Mar 08, 2014 2:01 am
HomeHammer wrote: I finally achieved it like I wanted. Only one partition with LVM + LUKS. USB with boot and keys to decrypt the partition. If anyone wants to know what I did, just ask here.
If you think your solution is generally applicable, please post it while you still remember how it works. Your invitation for someone to eventually ask for it may not be found until after you have stopped participating here.
Budoka (l33t) - Joined: 03 Jun 2012, Posts: 777, Location: Tokyo, Japan
Posted: Sat Mar 08, 2014 2:45 am
Hu wrote: If you think your solution is generally applicable, please post it while you still remember how it works. Your invitation for someone to eventually ask for it may not be found until after you have stopped participating here.
Agreed. I really would like to know how he achieved this as well.
HomeHammer (n00b) - Joined: 21 Sep 2013, Posts: 10
Posted: Tue Sep 09, 2014 3:54 pm
Hu wrote: If you think your solution is generally applicable, please post it while you still remember how it works. Your invitation for someone to eventually ask for it may not be found until after you have stopped participating here.
Budoka wrote: Agreed. I really would like to know how he achieved this as well.
First of all, sorry for the delay in the response; I had some problems and needed to take some time apart from Gentoo and go back to what I was familiar with.
Also my machine broke down (hardware problems) and I needed to get a new one.
I'm back and I think that's the point.
I will try to explain what I did and why I did it.
Disclaimer: I'm not an expert in the field and my needs may be very different from yours. Please expect some mistakes and re-tries to get this to work properly.
Also notice that it took me some time to get this right, and this tutorial has room to improve.
This is not for the faint of heart (but you already know that with Gentoo).
What will we do:
Gentoo GNU/Linux
Full system encryption with AES XTS Plain64 using dm-crypt and LUKS + LVM
Unencrypted boot partition stored on a USB memory stick
Keyfile for / and /home protected with GnuPG, stored on the USB memory stick
Follow most of the official guide on the Gentoo website
Assume that /dev/sda is my hard drive and
/dev/sdb is my USB memory stick
Start off with a complete removal of everything; remember, the steps here will erase everything
Code:
# dd if=/dev/zero of=/dev/sda bs=512
# dd if=/dev/zero of=/dev/sdb bs=512
This will take some time to complete
The partitions will be like this:
/dev/sdb1 - 500MB ext2 for /boot
/dev/sdb2 - rest of the space for whatever you want (I did vfat)
/dev/sda1 - encrypted, then LVM on top for everything
Format the USB accordingly
I mounted /dev/sdb1 to /mnt/sdb1
Create the encryption keyfile
Code:
# export GPG_TTY=$(tty)
# head -c384 /dev/random | openssl base64 -A | gpg --symmetric --cipher-algo aes256 --digest-algo sha512 --armor > /mnt/sdb1/root.gpg
Encrypt the partition
Code:
# gpg --quiet --decrypt /mnt/sdb1/root.gpg | cryptsetup --batch-mode luksFormat --cipher aes-xts-plain64 --key-size 512 --hash sha512 --key-file - /dev/sda1   # same path as the keyfile written above; --key-file - reads the decrypted key from stdin
# gpg --quiet --decrypt /mnt/sdb1/root.gpg | cryptsetup luksOpen --key-file - /dev/sda1 luks
Create the LVM
Code:
# pvcreate /dev/mapper/luks
# vgcreate vg0 /dev/mapper/luks
# lvcreate -L 20G -n root vg0   # lvcreate needs the volume group name as its last argument
# lvcreate -L 4G -n swap vg0
# lvcreate -l +100%FREE -n home vg0
Create filesystems
Code:
# mkfs.ext4 /dev/mapper/vg0-root
# mkfs.ext4 /dev/mapper/vg0-home
# mkswap /dev/mapper/vg0-swap
# swapon /dev/mapper/vg0-swap
Install
Code:
# mount /dev/mapper/vg0-root /mnt/gentoo/
# mkdir -p /mnt/gentoo/home /mnt/gentoo/boot   # mount points must exist on the new root
# mount /dev/mapper/vg0-home /mnt/gentoo/home
# mount --rbind /mnt/sdb1 /mnt/gentoo/boot
Now continue the installation normally
Then the kernel part (the tricky part for me)
Code:
# emerge -av gentoo-sources
# emerge -av genkernel    # USE flag: cryptsetup
# emerge -av cryptsetup   # USE flag: static
# emerge -av busybox
# emerge -av eix
# emerge -av gnupg
# emerge -av module-rebuild
# emerge -av portage-utils
# emerge -av util-linux
# emerge -av vim
# emerge -av lvm2
You have two options now: either compile the kernel by hand or let genkernel do most of the work
Either way it should go like this
By hand
Code:
# cd /usr/src/linux
# make menuconfig
# make -j3 && make modules_install
# cp arch/x86_64/boot/bzImage /boot/kernel-3.9.5-gentoo
If you decide to use genkernel
first do this
Code:
# vim /etc/genkernel.conf
OLDCONFIG="yes"      # no spaces around "=": genkernel.conf is sourced as shell
MENUCONFIG="yes"
CLEAN="yes"
MRPROPER="no"
MOUNTBOOT="yes"
SAVE_CONFIG="yes"
POSTCLEAR="yes"
LVM="yes"
LUKS="yes"
GPG="yes"            # equivalent to passing --gpg on the command line
BUSYBOX="yes"
DISKLABEL="yes"
MAKEOPTS="-j3"
# cd /usr/src/linux
# genkernel --no-clean --menuconfig --save-config --luks --lvm all
Depending on the cipher used you need to enable it
Basic config to get you going
Code:
Device Drivers --->
    Multi-device support (RAID and LVM) --->
        [*] Multiple devices driver support (RAID and LVM)
        < >   RAID support
        <*>   Device mapper support
        <*>     Crypt target support
File systems --->
    <*> The Extended 4 (ext4) filesystem
Cryptographic API --->
    <*> SHA512 digest algorithm
    <*> AES cipher algorithms
    <*> XTS support                  (needed for aes-xts-plain64)
I have read some posts and articles saying it's best to edit the fstab before creating the initramfs (that's up to you, this worked for me)
Configure fstab
Code:
# blkid
# vim /etc/fstab
UUID=<the UUID of your /boot partition on your USB memory stick> /boot ext2 noauto,noatime 0 2   # /boot was formatted ext2 above
/dev/mapper/vg0-swap none swap sw 0 0
/dev/mapper/vg0-root / ext4 noatime 0 1
/dev/mapper/vg0-home /home ext4 noatime 0 2
# cat /proc/mounts > /etc/mtab
Create the initramfs
Code:
# genkernel --luks --gpg --lvm initramfs
# module-rebuild populate
# module-rebuild rebuild
Configure GRUB (I have used legacy)
Code:
# emerge -av grub-static
# vim /boot/grub/grub.conf
default 0
timeout 30
title Linux
# "root" is the partition holding the kernel as GRUB sees it: the USB /boot partition
root (hd0,2)
# real_root must be the root LV created above (/dev/mapper/vg0-root); dolvm activates the VG in the initramfs
kernel /boot/kernel-3.9.5-gentoo-hardened root=/dev/ram0 crypt_root=UUID=<UUID of /dev/sda1> real_root=/dev/mapper/vg0-root dolvm root_keydev=UUID=<UUID of USB-memory stick /boot-partition> root_key=root.gpg rootfstype=ext4 key_timeout=0 video=vesafb:mtrr:3,ywrap vga=0x361
initrd /boot/initramfs-genkernel-x86_64-3.9.5-gentoo-hardened
# grub-install --no-floppy /dev/sdb1   # /dev/sdb1 is the USB memory stick /boot partition
Finish the install by the official guide, reboot and expect the best
Expect not to get it right the first time
If you have any doubts post them here
Hope you liked my tutorial
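An added example, not part of HomeHammer's tutorial: rather than typing the UUIDs into grub.conf by hand, the script below parses blkid output and builds the kernel line for the genkernel initramfs with every device referenced by UUID (with /boot on a USB stick, whether the stick is sda or sdb depends on the BIOS and the port, so crypt_root and root_keydev must not be /dev/sdX). It refuses to proceed if the device named as the LUKS container does not carry a LUKS header, or if the key device is the same device as the container. The blkid lines are constructed sample data; the real_root value, the kernel and initramfs file names and the GRUB root (hd0,0) are assumptions to adjust for your own machine.

```sh
#!/bin/sh
# Added example, not from HomeHammer's tutorial: build the GRUB legacy stanza
# for a genkernel initramfs from blkid output, referencing every device by
# UUID instead of /dev/sdX. The blkid lines are constructed sample data.

SAMPLE_BLKID='/dev/sda1: UUID="2b1e0c1e-7a2c-4a61-9d4f-0f5e7c3d1a90" TYPE="crypto_LUKS"
/dev/sdb1: UUID="9c0d3f7b-5e4a-4f8e-8a1b-2c3d4e5f6a7b" TYPE="ext2" LABEL="boot"
/dev/sdb2: UUID="1A2B-3C4D" TYPE="vfat"'

# blkid_field BLKID_OUTPUT DEVICE FIELD: print the FIELD="..." value for DEVICE.
blkid_field() {
    printf '%s\n' "$1" | awk -v dev="$2:" -v field="$3" '
        $1 == dev {
            for (i = 2; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == field) { gsub(/"/, "", kv[2]); print kv[2]; exit }
            }
        }'
}

# genkernel_cmdline BLKID_OUTPUT LUKS_DEV KEY_DEV KEY_FILE REAL_ROOT
# Print the kernel parameters, or fail if the devices are not what we expect.
genkernel_cmdline() {
    blk=$1 luks_dev=$2 key_dev=$3 key_file=$4 real_root=$5
    luks_uuid=$(blkid_field "$blk" "$luks_dev" UUID)
    luks_type=$(blkid_field "$blk" "$luks_dev" TYPE)
    key_uuid=$(blkid_field "$blk" "$key_dev" UUID)

    [ -n "$luks_uuid" ] || { echo "no UUID for $luks_dev" >&2; return 1; }
    [ -n "$key_uuid" ]  || { echo "no UUID for $key_dev" >&2; return 1; }
    # Pointing crypt_root at a plain filesystem is the mistake that hurts: insist on a LUKS header.
    [ "$luks_type" = crypto_LUKS ] || { echo "$luks_dev is '$luks_type', not crypto_LUKS" >&2; return 1; }
    # The key must live somewhere other than the container it unlocks.
    [ "$luks_uuid" != "$key_uuid" ] || { echo "key device and LUKS device are the same" >&2; return 1; }

    # dolvm makes the initramfs activate the volume group before it looks for real_root.
    printf 'crypt_root=UUID=%s real_root=%s root_keydev=UUID=%s root_key=%s dolvm rootfstype=ext4 key_timeout=0\n' \
        "$luks_uuid" "$real_root" "$key_uuid" "$key_file"
}

# grub_stanza KERNEL INITRAMFS CMDLINE: a GRUB legacy menu entry. GRUB's root
# is the partition holding the kernel, assumed here to be (hd0,0): the stick's
# first partition when the BIOS boots from the stick. Paths are relative to it.
grub_stanza() {
    printf 'title Gentoo (LUKS + LVM, key on USB)\nroot (hd0,0)\nkernel /%s %s\ninitrd /%s\n' "$1" "$3" "$2"
}

main() {
    # Assumed names: adjust to the VG/LV you created and the files in /boot.
    cmdline=$(genkernel_cmdline "$SAMPLE_BLKID" /dev/sda1 /dev/sdb1 root.gpg /dev/mapper/vg0-root) || return 1
    grub_stanza kernel-3.9.5-gentoo initramfs-genkernel-x86_64-3.9.5-gentoo "$cmdline"
}

main
```

On a real machine replace SAMPLE_BLKID with `$(blkid)` and paste the printed stanza into /boot/grub/grub.conf; the two refusals are the checks that matter, since a crypt_root= aimed at the wrong partition is only discovered at the initramfs prompt.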