Encrypted rootfs with LUKS using LVM

From Hackstore Wiki

Encrypting the drive

Read more about different cipher options here: (1)

# cryptsetup --cipher aes-xts-plain64 luksFormat /dev/sda3

Or use SHA-512 for increased security. Do NOT use SHA-1 for LUKS disk encryption: as the cryptographer Bruce Schneier already wrote in 2005, SHA-1 is broken. See his article here: (2)

# cryptsetup --cipher twofish-xts-plain64 --hash sha512 --key-size 256 luksFormat /dev/sda3
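As an added example (not from the original page or the better-initramfs project), the following script audits the header of an already formatted LUKS1 volume for the choices discussed above: it parses the text that `cryptsetup luksDump` prints and reports a SHA-1 hash spec or a non-XTS cipher mode. The dump samples embedded in it are constructed, and the function and variable names are this example's own.

```sh
#!/bin/sh
# Added example (not part of the original page): audit the header of an
# existing LUKS1 volume for the weak choices the text warns about (SHA-1 as
# the key-derivation hash, a non-XTS cipher mode). The input is the text
# `cryptsetup luksDump <device>` prints; constructed samples are embedded so
# the script runs without a real device. On a real system:
#   luks_audit "$(cryptsetup luksDump /dev/sda3)"

# Constructed luksDump samples (LUKS1 field layout, values made up).
SAMPLE_DUMP_WEAK='LUKS header information for /dev/sda3

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 4096
MK bits:        256'

SAMPLE_DUMP_OK='LUKS header information for /dev/sda3

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha512
Payload offset: 4096
MK bits:        512'

# luks_field DUMP LABEL -> the value printed after "LABEL:" (e.g. "Hash spec")
luks_field() {
    printf '%s\n' "$1" | awk -v key="$2" \
        'index($0, key ":") == 1 { sub("^" key ":[ \t]*", ""); print; exit }'
}

# luks_audit DUMP
# Prints one finding per line; returns 1 if any finding was made, else 0.
luks_audit() {
    dump=$1
    rc=0
    hspec=$(luks_field "$dump" "Hash spec")
    mode=$(luks_field "$dump" "Cipher mode")
    bits=$(luks_field "$dump" "MK bits")

    case $hspec in
        sha1|ripemd160)
            echo "hash spec is $hspec; it is chosen at luksFormat time with --hash, use sha512"
            rc=1 ;;
    esac
    case $mode in
        xts-*) ;;
        *)  echo "cipher mode is $mode; the commands on this page use xts-plain64"
            rc=1 ;;
    esac
    # XTS uses two keys, so the cipher's effective key is half of MK bits:
    # --key-size 512 gives AES-256-XTS, --key-size 256 gives AES-128-XTS.
    case $mode in
        xts-*) [ "${bits:-0}" -ge 512 ] || \
            echo "note: MK bits $bits with XTS means a $((bits / 2))-bit cipher key" ;;
    esac
    return $rc
}

# Stand-alone demonstration on the constructed samples.
if luks_audit "$SAMPLE_DUMP_WEAK"; then echo "weak sample: no findings (unexpected)"; fi
if luks_audit "$SAMPLE_DUMP_OK"; then echo "ok sample: no findings"; fi
```

With XTS the master key is split in two halves, so `--key-size 256` as in the Twofish command above yields a 128-bit cipher key; the audit prints that as a note rather than a finding, since the page's own command uses it.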


Open the volume

Open the LUKS volume formatted above and map it as /dev/mapper/dmcrypt_root:

# cryptsetup luksOpen /dev/sda3 dmcrypt_root

You will be prompted for the passphrase of the encrypted drive; type your paranoid password there. :D


Create logical volumes

# pvcreate /dev/mapper/dmcrypt_root
# vgcreate vg /dev/mapper/dmcrypt_root
# lvcreate -L10G --name root vg
# lvcreate -L2G --name swap vg
# lvcreate -L5G --name portage vg
# lvcreate -l 100%FREE -nhome vg

Feel free to choose your own sizes by altering the number after the -L flag. For example, to make the portage volume 20 GB, use -L20G instead of -L5G.


Note: the partitioning scheme above is an example, not a default recommendation; adjust it to the scheme you want.


Create a filesystem on volumes

# mkfs.ext2 /dev/sda1
# mkswap /dev/mapper/vg-swap
# mkfs.ext4 /dev/mapper/vg-root
# mkfs.ext4 /dev/mapper/vg-portage
# mkfs.ext4 /dev/mapper/vg-home

Basic system setup

# swapon /dev/mapper/vg-swap
# mkdir /mnt/funtoo
# mount /dev/mapper/vg-root /mnt/funtoo
# mkdir -p /mnt/funtoo/{boot,usr/portage,home}
# mount /dev/sda1 /mnt/funtoo/boot
# mount /dev/mapper/vg-portage /mnt/funtoo/usr/portage
# mount /dev/mapper/vg-home /mnt/funtoo/home

Now perform all the steps required for a basic system install (follow [4]), and don't forget to emerge the following before the install is finished:

  • cryptsetup
  • lvm2
  • a bootloader (Grub2 recommended)
  • kernel sources (hardened/grsec recommended)

Editing the fstab

Fire up your favorite text editor to edit /etc/fstab. You want to put the following in the file:

cat /etc/fstab
# <fs>                  <mountpoint>  <type>    <opts>                          <dump/pass>
/dev/sda1               /boot         ext2      noauto,noatime                  1 2
/dev/mapper/vg-swap     none          swap      sw                              0 0
/dev/mapper/vg-root     /             ext4      noatime,nodiratime,defaults     0 1
/dev/sr0                /mnt/cdrom    auto      noauto,ro                       0 0
/dev/mapper/vg-portage  /usr/portage  ext4      noatime,nodiratime              0 0
/dev/mapper/vg-home     /home         ext4      noatime,nodiratime              0 0


Kernel options

Note: If you are using debian-sources as included in mid-May 2015 and later Funtoo stages, you do not need to rebuild the kernel. The following instructions are for other kernels that you may choose to install.

General setup --->
      [*] Initial RAM filesystem and RAM disk (initramfs/initrd) support
Device Drivers --->
      Generic Driver Options ---> 
      [*] Maintain a devtmpfs filesystem to mount at /dev
Device Drivers --->
      [*] Multiple devices driver support --->
      <*>Device Mapper Support
        <*> Crypt target support
Cryptographic API --->
      <*> XTS support
      -*-AES cipher algorithms
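The menu entries above correspond to Kconfig symbols, and a kernel that lacks one of them cannot open the encrypted root before the initramfs tries to mount it. As an added example (not from the original page), the following script checks a kernel .config for those symbols before you build and reboot; the .config fragment it contains is constructed so the check runs offline, and the function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the original page): verify that a kernel .config
# builds in every option the menu tree above corresponds to. The CONFIG_*
# names are the Kconfig symbols behind those menu entries. On a real system:
#   check_kernel_config "$(cat /usr/src/linux/.config)"
# and add CONFIG_CRYPTO_TWOFISH as an extra argument if the volume was
# formatted with a twofish cipher rather than aes.

# Required symbols, in the order of the menu entries above.
REQUIRED_SYMBOLS="CONFIG_BLK_DEV_INITRD CONFIG_DEVTMPFS CONFIG_MD CONFIG_BLK_DEV_DM CONFIG_DM_CRYPT CONFIG_CRYPTO_XTS CONFIG_CRYPTO_AES"

# Constructed sample .config fragment (not a real config): DM_CRYPT is only
# a module and XTS is absent, both of which the check must report.
SAMPLE_CONFIG='CONFIG_BLK_DEV_INITRD=y
CONFIG_DEVTMPFS=y
CONFIG_MD=y
CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=m
# CONFIG_CRYPTO_XTS is not set
CONFIG_CRYPTO_AES=y'

# config_value CONFIG_TEXT SYMBOL -> "y", "m", or "" when unset or absent
config_value() {
    printf '%s\n' "$1" | awk -F= -v sym="$2" '$1 == sym { print $2; exit }'
}

# check_kernel_config CONFIG_TEXT [EXTRA_SYMBOL...]
# Prints every symbol that is not built in (=y); returns 1 if any is missing.
# The root filesystem is opened before modules can be loaded from it, so =m
# only works when the initramfs ships the module, which this check does not
# assume.
check_kernel_config() {
    cfg=$1; shift
    rc=0
    for sym in $REQUIRED_SYMBOLS "$@"; do
        val=$(config_value "$cfg" "$sym")
        case $val in
            y) ;;
            m) echo "$sym=m: built as a module; set it to y (or ship it in the initramfs)"; rc=1 ;;
            *) echo "$sym is not set"; rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone demonstration on the constructed fragment.
if check_kernel_config "$SAMPLE_CONFIG"; then
    echo "kernel config: all required options built in"
else
    echo "kernel config: fix the options above before building"
fi
```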


Initramfs setup and configuration

Better-initramfs

# cd /opt
# git clone git://github.com/slashbeast/better-initramfs.git
# cd better-initramfs
# less README.rst
# bootstrap/bootstrap-all
# make prepare
# make image


Copy the resulting initramfs.cpio.gz to /boot:

# cp output/initramfs.cpio.gz /boot


Alternatively, a pre-compiled binary initramfs is available at https://bitbucket.org/piotrkarbowski/better-initramfs/downloads

# wget https://bitbucket.org/piotrkarbowski/better-initramfs/downloads/release-x86_64-v0.7.2.tar.bz2
# tar xf release-x86_64-v0.7.2.tar.bz2
# cd release*
# gzip initramfs.cpio
# cp initramfs.cpio.gz /boot


Remember, the better-initramfs project is a work in progress, so you need to update it from time to time. This is easy to do with git: go to the better-initramfs source directory and run:

# cd /opt/better-initramfs
# git pull
# less ChangeLog


Bootloader Configuration

Grub2 configuration

Emerge Grub2 with device-mapper support:

# echo 'sys-boot/grub device-mapper' >> /etc/portage/package.use/grub
# emerge grub


better-initramfs with HARDENED kernel

An example /etc/boot.conf for better-initramfs:

boot {
        generate grub
        default "Funtoo Linux Hardened"
        timeout 3
}

"Funtoo Linux Hardened" {
        kernel vmlinuz[-v]
        initrd /initramfs.cpio.gz
        params += enc_root=UUID="5b9ef51d-525e-4141-ad9f-7de802d1cdcf" lvm luks root=/dev/mapper/vg-root rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet video.allow_duplicates=1 iomem=relaxed
}


better-initramfs with default kernel

boot {
  generate grub
  default "Funtoo Linux"
  timeout 3
}
"Funtoo Linux" {
  kernel vmlinuz[-v]
  initrd /initramfs.cpio.gz
  params += enc_root=/dev/sda3 lvm luks root=/dev/mapper/vg-root  rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet
}

better-initramfs with genkernel

boot {
  generate grub
  default "Funtoo Linux"
  timeout 3
}
"Funtoo Linux" {
  kernel kernel-genkernel-x86_64-3.13.0
  initrd initramfs-genkernel-x86_64-3.13.0
  params += crypt_root=/dev/sda3 dolvm real_root=/dev/mapper/vg-root  rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet
}
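A typo in root=, enc_root= or resume= in the stanzas above leaves the initramfs unable to find its volumes, and the mistake only shows up at the next boot. As an added example (not from the original page or the better-initramfs project), the following script cross-checks the params line against /etc/fstab and the output of blkid before you reboot. It reads the three inputs as text, so the constructed samples below (the page's stanza and fstab, plus made-up blkid lines that reuse the page's UUID) let it run offline; the optional key-name arguments let it check the genkernel stanza's crypt_root/real_root names as well. All function names are this example's own.

```sh
#!/bin/sh
# Added example (not part of the original page): cross-check the boot.conf
# params line against /etc/fstab and blkid output before rebooting. On a
# real system:
#   preflight "$(cat /etc/boot.conf)" "$(cat /etc/fstab)" "$(blkid)"
# and for a genkernel stanza:
#   preflight "$(cat /etc/boot.conf)" "$(cat /etc/fstab)" "$(blkid)" real_root crypt_root

# Constructed samples: the stanza and fstab mirror the page; the blkid lines
# are made up, reusing the page's UUID for /dev/sda3.
SAMPLE_BOOTCONF='"Funtoo Linux Hardened" {
        kernel vmlinuz[-v]
        initrd /initramfs.cpio.gz
        params += enc_root=UUID="5b9ef51d-525e-4141-ad9f-7de802d1cdcf" lvm luks root=/dev/mapper/vg-root rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet
}'
SAMPLE_FSTAB='/dev/sda1               /boot         ext2      noauto,noatime                  1 2
/dev/mapper/vg-swap     none          swap      sw                              0 0
/dev/mapper/vg-root     /             ext4      noatime,nodiratime,defaults     0 1
/dev/mapper/vg-home     /home         ext4      noatime,nodiratime              0 0'
SAMPLE_BLKID='/dev/sda1: UUID="0f0f0f0f-0000-0000-0000-000000000001" TYPE="ext2"
/dev/sda3: UUID="5b9ef51d-525e-4141-ad9f-7de802d1cdcf" TYPE="crypto_LUKS"'

# param_value BOOTCONF KEY -> value of KEY=value on the params line, or ""
param_value() {
    printf '%s\n' "$1" | \
        sed -n 's/.*params +=.*[[:space:]]'"$2"'=\([^[:space:]]*\).*/\1/p' | head -n 1
}

# fstab_root FSTAB -> device mounted on /;  fstab_swap FSTAB -> swap device
fstab_root() { printf '%s\n' "$1" | awk '$1 !~ /^#/ && $2 == "/" { print $1; exit }'; }
fstab_swap() { printf '%s\n' "$1" | awk '$1 !~ /^#/ && $3 == "swap" { print $1; exit }'; }

# luks_uuid_present BLKID UUID -> true if blkid lists that UUID as crypto_LUKS
luks_uuid_present() {
    printf '%s\n' "$1" | grep -F "UUID=\"$2\"" | grep -q 'TYPE="crypto_LUKS"'
}

# preflight BOOTCONF FSTAB BLKID [ROOT_KEY] [ENC_KEY]
# Prints every mismatch; returns 1 if any was found, else 0.
preflight() {
    bootconf=$1; fstab=$2; blkid_out=$3
    root_key=${4:-root}; enc_key=${5:-enc_root}
    rc=0
    root_dev=$(param_value "$bootconf" "$root_key")
    enc_root=$(param_value "$bootconf" "$enc_key")
    resume_dev=$(param_value "$bootconf" resume | sed 's/^swap://')

    if [ -z "$root_dev" ] || [ "$root_dev" != "$(fstab_root "$fstab")" ]; then
        echo "$root_key=$root_dev does not match the / entry in fstab ($(fstab_root "$fstab"))"
        rc=1
    fi
    case $enc_root in
        UUID=*)
            uuid=$(printf '%s\n' "$enc_root" | sed 's/^UUID="\{0,1\}//; s/"$//')
            luks_uuid_present "$blkid_out" "$uuid" || \
                { echo "$enc_key UUID $uuid is not a crypto_LUKS device in blkid output"; rc=1; } ;;
        /dev/*)
            printf '%s\n' "$blkid_out" | grep -F "$enc_root:" | grep -q 'TYPE="crypto_LUKS"' || \
                { echo "$enc_key device $enc_root is not crypto_LUKS in blkid output"; rc=1; } ;;
        *)  echo "$enc_key is missing or unrecognised: '$enc_root'"; rc=1 ;;
    esac
    if [ -n "$resume_dev" ] && [ "$resume_dev" != "$(fstab_swap "$fstab")" ]; then
        echo "resume=$resume_dev does not match the swap entry in fstab"; rc=1
    fi
    return $rc
}

# Stand-alone demonstration on the constructed samples.
if preflight "$SAMPLE_BOOTCONF" "$SAMPLE_FSTAB" "$SAMPLE_BLKID"; then
    echo "preflight: boot.conf, fstab and blkid agree"
fi
```

The UUID form of enc_root is the more robust of the two, because /dev/sdX names can change when disks are added or the controller enumerates differently; the check accepts both forms but only confirms that whatever is named actually carries a LUKS header.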


Now run boot-update to write the configuration to /boot/grub/grub.cfg:

# boot-update


More information: http://www.funtoo.org/Rootfs_over_encrypted_lvm