Tagged: encryption

Installing Arch Linux: LVM on top of an encrypted partition

IMPORTANT!!!
I now have updated version of Arch Linux with LVM on LUKS, Installing Arch Linux: LVM on top of an encrypted partition [[UPDATED]] with updated contents. Please visit that page!

I recently got a new notebook from my friend. I'm a slackware user but decided to give it a try on Arch Linux for this notebook. Ah... Arch Linux. I like its simplicity and user-centric philosophy. So I was reading up about Arch Linux and came across about encryption. Hmm... I could give it a try and make my notebook secure.

After reading, it looks like setting up LVM on top of the encrypted partition is the best method. So, I'll do that.

Disclaimer:
Information below is gathered mostly from the Arch Linux Wiki page and changed here and there for my liking. This information below is solely used for my purpose and may not be suitable for others.

Erasure of the Hard Disk:

Information (data) on a Hard Drive is written in chunk here and there. Re-partitioning or reformatting a disk does not really removes (erase) the data. It merely remove the system structure that used to identify where the original data was located. This leaves the actual data on a disk.

To securely erase a disk, you could either:

  • Fill with zeros
  • Fill with random bits
Both methods overwrite data on a disk but the first one fill with zero's leaving easily (to some extent) identify where the encrypted data ends. So, I follow the second method. # dd if=/dev/urandom of=/dev/<drive> bs=1M Just to be warned, this takes a long, long time.

Partitioning a Disk:

Even though Arch Linux version that I'm using (2012.08.04) comes with GRUB2 and this supports having the /boot partition in LVM, the /boot directory has to reside on its own. If the /boot directory is encrytpted (with or without LVM), the bootloader cannot read it; thus, boot failure will occur. # fdisk /dev/sda

Partition Layout:
/dev/sda1 -> /boot (bootable)
/dev/sda2 -> LVM (8e)

Configuring LUKS:

cryptsetup is used to interface with LUKS for formatting, mounting and unmounting encrypted partition.

First make sure the device mapper kernel module is installed: # modprobe dm-mod

Then format it as an encrypted LUKS partition: # cryptsetup -c aes-xts-plain -s 512 -yvh sha256 luksFormat /dev/sda2

  • -c: defines the cipher type
  • -s: defines the key size
  • -yvh sha256: prompts for the password twice and stores it in a 256-bit hash

It looks like AES cipher in XTS mode (XTS-AES) is most popular these days.

Unlocking/Mapping LUKS partition with the Device Mapper:

To access the encrypted volume, It needs to be unlocked. # cryptsetup luksOpen /dev/sda2 lvm

LVM:

Create a physical volume (encrypted volume) and a group volume. # lvm pvcreate /dev/mapper/lvm # lvm vgcreate lvmvg /dev/mapper/lvm

Create logical volumes on this new volume group. # lvm lvcreate -L 10G -n root lvmvg # lvm lvcreate -L 500M -n swap lvmvg # lvm lvcreate -l 100%FREE -n home lvmvg

Installation of Arch Linux:

Follow my blog entry, Installing Arch Linux on LVM, to install Arch Linux.

Configuration:

There are several configuration files that need to be modified.

/etc/rc.conf

Change USELVM="no" to USELVM="yes": # vi /etc/rc.conf -------------------- USELVM="yes"

/etc/mkinitcpio.conf

Configure /etc/mkinitcpio.conf for encryption and LVM by adding encrypt lvm2 (in this order) in the HOOKS section before filesystems so that the kernel will find LVM volumes at boot time. # vi /etc/mkinitcpio.conf -------------------- HOOKS="...encrypt lvm2 filesystems..."

/boot/grub/grub.cfg

Add cryptdevice=/dev/sda2:lvmvg between root=... and ro in the line starts with linux. This needs to be done for "Arch Linux" and "Arch Linux Fallback". # vi /boot/grub/grub.cfg -------------------- linux /boot/vmlinuz-linux root=/dev/mapper/lvmvg-root cryptdevice=/dev/sda2:lvmvg ro quiet

Reboot:

Now reboot the system.

That's all!
-gibb