Arch Linux with encrypted LVM on 2 physical volumes
In this howto, I explain how I installed Arch Linux, with an encrypted LVM setup. The tricky part is that I have 2 physical volumes for my volume group, which required some hacking to get it working.
(I did all this on a virtual machine, as a proof of concept. I want to do something similar on my laptop, which already has an encrypted LVM system, and on which I want to install Arch beside the other installed OS'es.)
disclaimer: I am an Arch newbie. This is the first time a setup Arch, so I might explain things wrong. I've used LVM on other distributions though, and I have used encrypted LVM on Fedora (where the installer did al the work for me, without me completely understanding how it worked.)
Setting up the encrypted LVM system
Boot your machine from the installation iso, and use e.g. cfdisk to create the partitions.
My partitioning scheme looks like this:
sda1 510 MB ext2 (boot)
sda5 2048 MB Linux LVM
sda6 6029 MB Linux LVM
The boot partition cannot be inside LVM, and cannot be encrypted either, because it should be accessable by grub. All other file systems will be on logical LVM volumes, which will be in one volume group. I set this up like this:
modprobe dm-mod
cryptsetup -y -c aes-xts-plain -s 512 luksFormat /dev/sda5
cryptsetup -y -c aes-xts-plain -s 512 luksFormat /dev/sda6
cryptsetup luksOpen /dev/sda5 crypt1
cryptsetup luksOpen /dev/sda6 crypt2
pvcreate /dev/mapper/crypt1
pvcreate /dev/mapper/crypt2
vgcreate vgroup /dev/mapper/crypt1
vgextend vgroup /dev/mapper/crypt2
lvcreate -L 1G -n swap vgroup
lvcreate -L 6G -n root vgroup
lvcreate -l 100%FREE -n home vgroup
The
aes-xts-plain
defines the used encryption method. I don't know
anything about that, so I just copied something from yet another howto.
crypt1
and crypt2
are just arbitrary names, which allow access
to the unecrypted partitions on /dev/mapper/crypt1
and
/dev/mapper/crypt2
.
Reactivating the LVM volumes after reboot
At this point, you can just start the installation procedure. But, if something goes wrong, and you have to reboot, you obviously don't have to recreate your encrypted partitions. This is how you can reactivate them:
modprobe dm-mod
cryptsetup luksOpen /dev/sda5 crypt1
cryptsetup luksOpen /dev/sda5 crypt2
vgchange -ay
(The last line just activates all available logical volumes.)
Setting up arch
To setup arch, just run /arch/setup
, as usual. For the step
‘prepare hard drive’, choose option 3: manually configure block devices,
file systems, mount points.
Choose the physical partition as boot partition, and the correct logical partitions for root, home, swap, or whatever partitions you created.
In order to use two (or more)
encrypted physical volumes, you have to apply a hack to the encrypt
hook. You do this when the installer shows you the different
configuration files you can edit. At this point, just press CTRL+ALT+F2,
log in as root again, and apply the changes in this
patch to /mnt/lib/initcpio/hooks/encrypt
.
Update: It seems the patch got lost in a migration of my blog 😢. But I obviously didn't invent the patch myself, I just shamelessly stole it from this post on the arch linux forums.
Once
you've done that, press CTRL+ALT+F1 again, to switch back to the
installer.
Edit rc.conf
: change USELVM="no"
into
USELVM="yes"
.
Edit mkinitcpio.conf
: search for
HOOKS
, and add encrypt lvm2
directly before filesystems
. In
my case, the HOOKS-line looks like
this:
HOOKS="base udev autodetect pata scsi sata encrypt lvm2 filesystems"
That's all you have to change in the configuration files. Continue the installation until the step you have to configure grub. For the menu entries 'Arch Linux' and 'Arch Linux Fallback' you should make sure that the kernel line looks as follows:
kernel /vmlinuz27 root=/dev/mapper/vgroup-root cryptdevice=/dev/sda5:crypt1,/dev/sda6:crypt2 ro
Of
course you should change vgroup-root
to the name of your root
volume, and choose the correct partitions after cryptdevice=
. I
chose the same names for the unencrypted devices (crypt1
and
crypt2
) as above, but I am not sure this is a
requirement.
Adding two partitions after cryptdevice=
is
non-standard, this is why you had to hack the encrypt
hook.
That's all. It should work. During bootup, you will be asked for the passphrases to decrypt your physical LVM partition. After entering these, your system will boot.
Things to be done
Although this setup works, it isn't perfect yet. In my situation, both encrypted partitions can be unlocked with the same password. It would be nice if entering the password one time, would decrypt both partitions at once; this is e.g. the case with Fedora.
I guess I will have to modify the encrypt hook again, such that it would try the first entered password for decrypting all the volumes. Only if this fails, it should ask to enter another password. This should be perfectly doable, but I wasn't able to try this out. Yet. ;-)
References
- https://bbs.archlinux.org/viewtopic.php?pid=827495#p828784
- https://wiki.archlinux.org/index.php/System_Encryption_with_LUKS#LVM.26dm-crypt_manually_.28short_version.29
- http://www.pindarsign.de/webblog/?p=767
Commentaar
Comments powered by Disqus