
#1 2015-02-28 22:43:05

Biycep
Member
Registered: 2015-01-29
Posts: 10

How to install w/ encryption and LVM (LVM on LUKS) and LUKS key on USB

I've decided to run through my process for anyone with very limited knowledge or experience that would like to encrypt their drive without having to digest everything on the Arch wiki. For the install I used a disc, not USB, and I never used the "load to RAM" option. I am on a 32-bit machine.

Prepare your drive for encryption by securely wiping it. I read there are different ways to securely wipe depending on the type of drive you have. I am using an old mechanical drive so I believe "shred" and "dd" are best suited and should achieve the same result. Both commands can write random data over your entire drive. This is to destroy old data so it cannot be easily recovered, as well as to camouflage your encrypted data, since encrypted data and random data appear the same. This can take a long time depending on how many passes you make and the size of your drive.

Issue the following for a single pass, with -v so you can see the progress. Change sda to the correct drive if you need to.

$ sudo shred -n1 -v /dev/sda

I have encountered problems with the installer after doing this so I recommend a reboot. After, run the installer.

For partitions, of course choose encryption and LVM, and cfdisk to create partitions. Since the partition table was wiped you will need to choose a table type. I chose dos. Create your first partition for boot (primary); the Arch wiki says 100M minimum. Flag this bootable. Then set the rest of the free space as your second partition (primary) and set the type to Linux LVM. Write the changes and quit.

Next is selecting the partition for encryption, so choose the second partition /dev/sda2. Set your passphrase (make it a good one); the installer will then automatically create a physical volume and volume group (LVM) and ask how many partitions to create (these are logical volumes created within the LVM partition). I prefer two, one for swap and one for root (adjust to your preference but make sure to set the mount points!). So, type 2 and hit enter. Name the first partition "swap" and set it to an appropriate size. I have two GB of RAM so I chose two GB for swap (this varies). Name the second partition "root" and hit enter; it will use the remaining available space.

Now you will be prompted to select the root for mounting, so select lvm-root from the list and format with ext4. Select lvm-swap for swap. It will then ask if you would like to configure any other partitions; say yes and choose /dev/sda1. This is the separate, unencrypted boot partition, so type in /boot and format to ext4. It will ask if you would like to configure any more partitions; you may say no.

Continue and complete the installation: For the fstab I used UUID and the bootloader I used GRUB2. (Note: I had originally tried to edit the /etc/mkinitcpio.conf before running mkinitcpio in the installer but I don't think it did anything and the installer adds the "encrypt" and "lvm2" hooks on its own. If I am wrong please let me know so I can edit the thread.) You may see some warnings when installing GRUB, this is okay.

The system is set up with encryption but it will not know to ask you for your passphrase to unlock the encrypted partition, and you will receive an error. Initially, to gain access you need to add two kernel parameters in the GRUB menu itself. So when you restart for the first time after installation and reach the GRUB menu, quickly hit "e" on your keyboard. Use the arrow keys to go down to the "linux" line and at the very end, after it says "quiet", add the following:

cryptdevice=/dev/sda2:lvm root=/dev/mapper/lvm-root

Hit F10 to boot with these changes. You should now be prompted to enter your passphrase to unlock your encrypted partition. Now that you have system access, let's make this permanent by editing and remaking the GRUB config:

$ sudo leafpad /etc/default/grub

Change the line

GRUB_CMDLINE_LINUX_DEFAULT="quiet"

to

GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=/dev/sda2:lvm root=/dev/mapper/lvm-root quiet"

Save and quit. Now remake the GRUB configuration:

$ sudo grub-mkconfig -o /boot/grub/grub.cfg

Your system should now always ask for your passphrase without any additional adjustments.



LUKS key on USB: Unlocking with a USB drive

If you dislike typing your obscenely long passphrase to decrypt your system every time, then follow this part to decrypt by plugging in a USB drive before booting. This is also beneficial if you unlock your computer around others, where visual collection of your passphrase is possible.

Grab a USB drive you would like, plug it in and make sure the file system is FAT (e.g. FAT32).
Determine the path to your USB drive in the file manager (or however). It should be something like /run/media/username/xxxx-xxxx

xxxx-xxxx is the USB drive's UUID. To display a list for all your devices:

$ ls -l /dev/disk/by-uuid/

Typically, sdb1 is going to be your USB drive if it is the only one connected and you have only one hard drive. The UUID will be shown in teal.

Generate a random key and have it placed directly on your USB drive:

$ sudo dd bs=512 count=4 if=/dev/urandom of=/run/media/username/xxxx-xxxx/mykeyfile iflag=fullblock

Note: you can change "mykeyfile" to another name for obfuscation.

Add the generated key on your USB device to your LUKS passphrases on your encrypted partition:

$ sudo cryptsetup luksAddKey /dev/sda2 /run/media/username/xxxx-xxxx/mykeyfile

You have to add two extra modules in your /etc/mkinitcpio.conf, one for the drive's file system (vfat module) and one for the codepage (nls_cp437 module):

$ sudo leafpad /etc/mkinitcpio.conf

MODULES="nls_cp437 vfat"

Save and quit. Generate a new initramfs image:

$ sudo mkinitcpio -p linux

Add a parameter to GRUB so the kernel knows to look for this key.

$ sudo leafpad /etc/default/grub

Go back to that line

GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=/dev/sda2:lvm root=/dev/mapper/lvm-root quiet"

and add cryptkey=/dev/disk/by-uuid/xxxx-xxxx:vfat:mykeyfile

GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=/dev/sda2:lvm root=/dev/mapper/lvm-root cryptkey=/dev/disk/by-uuid/xxxx-xxxx:vfat:mykeyfile quiet"

I use by-UUID here instead of labels so the system can correctly identify the USB drive with the key even if you have other external USB devices connected. Also, if someone managed to copy your key file it wouldn't be read from their drive, since the UUID would be different. Warning: if you decide to format your USB drive and place the key back, it will no longer work because the UUID will change. You may also place the key file in another directory on your USB drive and adjust the cryptkey line accordingly. The key file, however, may NOT be a hidden .file. Example of a different path to the key:

cryptkey=/dev/disk/by-uuid/xxxx-xxxx:vfat:/folder/mykeyfile

Remake your GRUB config:

$ sudo grub-mkconfig -o /boot/grub/grub.cfg

Now, at boot, have your USB drive plugged in and the system will fetch the key for you so you don't have to enter your passphrase. If you do not have the USB drive plugged in, it will attempt to find the key and after about ten seconds will fail and allow you to enter your passphrase as normal.
Additionally, you could set your system to auto login, so with the USB drive plugged in the system will boot directly to your desktop. Convenient. After the system is up you may eject your drive and stash it.

*If you need to manage your LUKS keys, like adding or removing, go here.

If I have missed anything or stated something incorrectly please let me know so I can edit the thread. There may be a better way to do these things but with my current capabilities this is how I did it and it works.

Hope this helps. Cheers.

Last edited by Biycep (2015-03-07 22:47:43)

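The three hand edits in the guide above (the cryptdevice/root kernel parameters, the cryptkey parameter, and the vfat/nls_cp437 modules) are easy to get subtly wrong, so here is an added shell example, not part of the original post or of the ArchBang installer, that builds those config lines from config text read on stdin and prints the result instead of writing to the system. It assumes the 2015-era double-quoted MODULES="..." syntax shown in the guide; the UUID 1234-ABCD, the key name mykeyfile and the sample config text are constructed stand-ins, and the real files would be /etc/default/grub and /etc/mkinitcpio.conf as in the guide. It also checks the two caveats the guide gives: the USB drive is referenced by its FAT UUID, and a hidden (dot) key file name is rejected.

```shell
#!/bin/sh
# Added example, not part of the original post. Pure text transformations that
# produce the /etc/default/grub and /etc/mkinitcpio.conf lines the guide edits
# by hand with leafpad, plus checks for the cryptkey rules the guide gives.
# Nothing here touches the running system: each function reads config text on
# stdin (or takes arguments) and prints the rewritten text for you to review.

# cryptkey_spec UUID KEYPATH -> prints "cryptkey=/dev/disk/by-uuid/UUID:vfat:KEYPATH".
# Fails if UUID is not in the XXXX-XXXX form a FAT volume gets, or if the key
# file name is hidden (leading dot), which the guide notes does not work.
cryptkey_spec() {
    uuid=$1; keypath=$2
    case "$uuid" in
        [0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]-[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]) ;;
        *) echo "cryptkey_spec: '$uuid' is not a FAT volume UUID (expected XXXX-XXXX)" >&2; return 1 ;;
    esac
    case "${keypath##*/}" in
        .*) echo "cryptkey_spec: hidden key file names are not supported" >&2; return 1 ;;
    esac
    printf 'cryptkey=/dev/disk/by-uuid/%s:vfat:%s\n' "$uuid" "$keypath"
}

# add_grub_params PARAMS   (config text on stdin)
# Prepends PARAMS to the GRUB_CMDLINE_LINUX_DEFAULT="..." line. If PARAMS is
# already present the text is printed unchanged, so running it once for
# cryptdevice/root and later again for cryptkey never duplicates a parameter.
add_grub_params() {
    params=$1
    content=$(cat)
    case "$content" in
        *"$params"*) printf '%s\n' "$content"; return 0 ;;
    esac
    printf '%s\n' "$content" | sed \
        -e "s|^GRUB_CMDLINE_LINUX_DEFAULT=\"\(.*\)\"|GRUB_CMDLINE_LINUX_DEFAULT=\"$params \1\"|" \
        -e '/^GRUB_CMDLINE_LINUX_DEFAULT=/s/ "$/"/'   # tidy up when the line was ""
}

# add_initcpio_modules MODULE...   (config text on stdin)
# Adds the modules to the MODULES="..." line (the quoted-string syntax the
# guide shows) without repeating ones already listed; appends the line if absent.
add_initcpio_modules() {
    content=$(cat)
    q='"'
    line=$(printf '%s\n' "$content" | grep '^MODULES=' | head -n 1)
    current=${line#MODULES=$q}; current=${current%$q}
    for m in "$@"; do
        case " $current " in
            *" $m "*) ;;
            *) current="$current${current:+ }$m" ;;
        esac
    done
    if [ -z "$line" ]; then
        printf '%s\nMODULES="%s"\n' "$content" "$current"
    else
        printf '%s\n' "$content" | sed "s|^MODULES=.*|MODULES=\"$current\"|"
    fi
}

# Demonstration on constructed sample config text (not files from a real system).
sample_grub='GRUB_DEFAULT=0
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX=""'
sample_mkinitcpio='MODULES=""
HOOKS="base udev autodetect modconf block encrypt lvm2 filesystems keyboard fsck"'

# 1234-ABCD and mykeyfile stand in for the UUID and key name from the guide.
key=$(cryptkey_spec 1234-ABCD mykeyfile)
printf '%s\n' "$sample_grub" | add_grub_params "cryptdevice=/dev/sda2:lvm root=/dev/mapper/lvm-root $key"
printf '%s\n' "$sample_mkinitcpio" | add_initcpio_modules nls_cp437 vfat
# After copying the output into the real files, regenerate as the guide does:
#   sudo mkinitcpio -p linux && sudo grub-mkconfig -o /boot/grub/grub.cfg
```

Redirecting the output into the real files is left to you on purpose: check the printed lines against what the guide expects (cryptdevice and root before quiet, cryptkey pointing at /dev/disk/by-uuid) before regenerating the initramfs and grub.cfg.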

#2 2015-03-01 01:01:05

Mr Green
Administrator
Registered: 2010-11-07
Posts: 6,748

Re: How to install w/ encryption and LVM (LVM on LUKS) and LUKS key on USB

Thanks for sharing. Encryption can be daunting to some users; I think USB key unlocking is a really cool idea. Another thought was using a phone to unlock, i.e. bluetooth a code or phrase to the system if it detects it.....

At some point this needs to go into our wiki


Comments, suggestions, donations please feel free to contact me mrgreen(at)archbang(dot)org


#3 2015-03-01 04:01:32

Biycep
Member
Registered: 2015-01-29
Posts: 10

Re: How to install w/ encryption and LVM (LVM on LUKS) and LUKS key on USB

Happy to contribute. Encryption, and ultimately privacy, is important to me. Especially if you have a laptop and it's lost or stolen you don't want someone throwing in a live CD and having a looksy.

Would it be possible to modify the installer script to correctly insert the cryptdevice= and root= code into the GRUB config?


#4 2015-03-01 08:13:14

xtremyst
Member
Registered: 2011-11-21
Posts: 331

Re: How to install w/ encryption and LVM (LVM on LUKS) and LUKS key on USB

Thanks a lot for your guide Biycep, I'm definitely going to try this on my next installation!


#5 2015-03-01 10:18:30

Mr Green
Administrator
Registered: 2010-11-07
Posts: 6,748

Re: How to install w/ encryption and LVM (LVM on LUKS) and LUKS key on USB

Biycep wrote:

Happy to contribute. Encryption, and ultimately privacy, is important to me. Especially if you have a laptop and it's lost or stolen you don't want someone throwing in a live CD and having a looksy.

Would it be possible to modify the installer script to correctly insert the cryptdevice= and root= code into the GRUB config?

Patches are always welcome, so yes I can.... just let me know what you need doing....



#6 2015-03-01 10:45:15

scjet
Member
From: Canada
Registered: 2010-12-01
Posts: 1,463

Re: How to install w/ encryption and LVM (LVM on LUKS) and LUKS key on USB

Nice! For all that are supra-security conscious.
smile

Last edited by scjet (2015-03-01 10:48:33)


#7 2015-03-01 15:55:56

Biycep
Member
Registered: 2015-01-29
Posts: 10

Re: How to install w/ encryption and LVM (LVM on LUKS) and LUKS key on USB

xtremyst wrote:

Thanks a lot for your guide Biycep, I'm definitely going to try this on my next installation!

Welcome!

scjet wrote:

Nice! For all that are supra-security conscious.
smile

Part of my motivation was seeing this and I thought it was clever.

Mr Green wrote:

Patches are always welcome, so yes I can.... just let me know what you need doing....

If the script could pull the partition label, like sda2, that the user sets for encryption during installation and store it. Same for the root partition that is created like lvm-root. Then if you could program the installer to insert

GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=/dev/DeviceVariable:lvm root=/dev/mapper/RootVariable quiet"

in /etc/default/grub so when the user reaches the step to install the bootloader it will have cryptdevice and root already set. This way when they reboot after install they will be prompted for the passphrase to unlock their partition instead of having to manually edit GRUB.

There is a way to do this for the SYSLINUX bootloader as well, but I haven't looked into it because I've only ever used GRUB.

Last edited by Biycep (2015-03-01 20:13:20)


#8 2015-03-02 00:53:16

Mr Green
Administrator
Registered: 2010-11-07
Posts: 6,748

Re: How to install w/ encryption and LVM (LVM on LUKS) and LUKS key on USB

The second one is simply lvm-root; I will look at the script to see if it stores the root partition name.



#9 2015-03-02 19:49:49

Biycep
Member
Registered: 2015-01-29
Posts: 10

Re: How to install w/ encryption and LVM (LVM on LUKS) and LUKS key on USB

The Arch wiki has users name logical volumes differently (rootvol and swapvol, etc.). So in the event someone decides to name their root differently, maybe the script should store this?

If the script always inserts root=/dev/mapper/lvm-root but during lv creation the user sets the name to something else like rootvol then I think the path will be incorrect because it would then be root=/dev/mapper/lvm-rootvol.

Last edited by Biycep (2015-03-02 23:29:07)


#10 2015-03-03 00:44:26

Mr Green
Administrator
Registered: 2010-11-07
Posts: 6,748

Re: How to install w/ encryption and LVM (LVM on LUKS) and LUKS key on USB

Ok, so I can now check our installer and see if I need to make any changes.



#11 2015-03-18 11:59:09

Biycep
Member
Registered: 2015-01-29
Posts: 10

Re: How to install w/ encryption and LVM (LVM on LUKS) and LUKS key on USB

Any updates?


#12 2015-03-18 15:53:12

Mr Green
Administrator
Registered: 2010-11-07
Posts: 6,748

Re: How to install w/ encryption and LVM (LVM on LUKS) and LUKS key on USB

Sorry, I've been working on voidbang and my secret project; when I get around to the ArchBang update I will check it out....

