Documentation/crux-wiki/CRUX-3.7-Encrypted.txt


# This outline of a CRUX installation for full-disk encryption is provided
# based on the experience of one user. There are many other possible ways
# to set up an encrypted disk. At every stage of the installation, you have a
# number of different options. It is easy to get overwhelmed by all the decisions
# involved.
#
# Extra packages: lz4 if you choose this compression mode for the kernel,
# dracut and lvm2 to access the logical volumes when booting
##### WARNING: this replaces the partition table on /dev/sda and destroys whatever
##### is on that disk. Confirm the target device (e.g. with lsblk) before running.
##### Layout: 1 = EFI system partition (first 500MiB), 2 = swap (up to 4GiB),
##### 3 = the rest of the disk, which will hold the LUKS container.
parted -s -a optimal /dev/sda \
mklabel gpt \
mkpart primary fat32 0% 500MiB \
name 1 esp \
set 1 esp on \
mkpart primary 500MiB 4GiB \
name 2 swap \
mkpart primary 4GiB 100% \
name 3 ENCRYPTED
mkfs.vfat /dev/sda1
##### Swap is a plain dm-crypt mapping keyed from /dev/urandom: the key is never
##### stored, so the swap contents cannot be read back once the mapping is closed.
##### For the same reason this swap cannot be used to resume from hibernation.
##### NOTE(review): aes-cbc-essiv:sha256 is an older mode; aes-xts-plain64 (the
##### cryptsetup default for LUKS) is generally preferred -- consider it here too.
cryptsetup -q -c aes-cbc-essiv:sha256 -d /dev/urandom create swap /dev/sda2
mkswap -f /dev/mapper/swap
swapon /dev/mapper/swap
##### Create the LUKS2 container on the third partition. luksFormat asks for the
##### passphrase interactively; everything on the logical volumes depends on it.
##### For AES Encryption
##### cryptsetup luksFormat --type luks2 -c aes-cbc-essiv:sha256 /dev/sda3
##### NOTE(review): if you want AES, aes-xts-plain64 (the cryptsetup default for
##### LUKS) is generally preferred over the CBC mode in the line above.
##### With an XTS mode, "-s 512" is split into two 256-bit keys.
cryptsetup luksFormat --type luks2 -c serpent-xts-plain64 -s 512 /dev/sda3
##### A damaged LUKS header makes the whole container unreadable; consider keeping
##### a copy made with "cryptsetup luksHeaderBackup" somewhere off this disk.
##### The device node is now set up, but it needs a mapping to be usable as disk space
##### Replace 'ENCRYPTED' with whatever name you want (the same name is used below
##### for the volume group, and it appears in the /dev/mapper paths written to
##### /etc/fstab and syslinux.cfg later on)
cryptsetup luksOpen /dev/sda3 ENCRYPTED
pvcreate /dev/mapper/ENCRYPTED
##### On the newly-mapped physical volume, create the desired logical volumes
##### (fixed sizes for root, var, usr and opt; home takes all remaining space)
vgcreate ENCRYPTED /dev/mapper/ENCRYPTED
lvcreate -L 30G ENCRYPTED -n root
lvcreate -L 4G ENCRYPTED -n var
lvcreate -L 50G ENCRYPTED -n usr
lvcreate -L 3G ENCRYPTED -n opt
lvcreate -l 100%FREE ENCRYPTED -n home
##### Put the desired filesystem on every logical volume
##### (f2fs, the "flash-friendly" FS, works well with the encryption overhead;
##### btrfs or ext4 are also possible)
for lv in root var usr opt home; do
  mkfs.f2fs /dev/mapper/ENCRYPTED-"$lv"
done
##### The CRUX installer expects the target root FS at /mnt
mount /dev/mapper/ENCRYPTED-root /mnt
##### Create the mount points, then mount every other filesystem that will be
##### written to during CRUX installation (the EFI system partition goes on /boot)
mkdir /mnt/var /mnt/usr /mnt/opt /mnt/home /mnt/boot
for lv in var usr opt home; do
  mount /dev/mapper/ENCRYPTED-"$lv" /mnt/"$lv"
done
mount /dev/sda1 /mnt/boot
##### Run the CRUX installer; when selecting packages, add the extras this
##### setup needs (listed in the trailing comment).
setup # --> Install these extra packages (cryptsetup lvm2 syslinux dracut lz4)
##### NOTE(review): the paths used from here on (/etc/fstab, /etc/rc.d, /boot)
##### have no /mnt prefix, so the remaining steps are presumably run inside the
##### chroot entered by setup-chroot -- confirm.
setup-chroot
##### Set the login password (presumably root's, inside the chroot). It is
##### separate from the LUKS passphrase chosen at luksFormat time.
passwd
localedef -i en_US -f UTF-8 en_US.UTF-8
##### Write /etc/fstab for the new system. The swap entry is left commented out:
##### swap is created and enabled by the /etc/rc.d/swap initscript written in the
##### next step. /boot is the unencrypted EFI system partition.
cat <<EOF > /etc/fstab
/dev/mapper/ENCRYPTED-root / f2fs defaults 0 0
#/dev/mapper/swap swap swap defaults 0 0
/dev/sda1 /boot vfat defaults 0 0
/dev/mapper/ENCRYPTED-var /var f2fs defaults 0 0
/dev/mapper/ENCRYPTED-usr /usr f2fs defaults 0 0
/dev/mapper/ENCRYPTED-opt /opt f2fs defaults 0 0
/dev/mapper/ENCRYPTED-home /home f2fs defaults 0 0
EOF
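##### Now write a custom initscript that sets up the encrypted swap partition
##### with a fresh random key on each boot (the cipher itself stays fixed).
##### The heredoc delimiter is quoted ('EOF') so that $1, $0 and the ${...}
##### variables are written into the file literally. With an unquoted EOF the
##### shell running this cat command expands them (to empty strings) and the
##### generated script is broken.
##### NOTE(review): PART is a kernel device name, and "mkswap -f" overwrites
##### whatever /dev/sda2 happens to be at boot. If disk enumeration can change on
##### your machine, a stable path such as /dev/disk/by-partlabel/swap (the
##### partition was named "swap" by parted) is safer -- confirm it exists first.
cat <<'EOF' > /etc/rc.d/swap
#!/bin/sh
# /etc/rc.d/swap: plain dm-crypt swap, re-keyed from /dev/urandom at every start
PROG="/usr/sbin/cryptsetup"
SWAP="swap"
CIPH="aes-cbc-essiv:sha256"
PART="/dev/sda2"
case "$1" in
start)
  if [ -e "/dev/mapper/${SWAP}" ] ; then
    # Mapping already exists: enable it only if no swap partition is active yet
    if swapon --show | grep -qs partition ; then
      exit 0
    else
      swapon "/dev/mapper/${SWAP}"
      exit 0
    fi
  else
    # Stop here if the mapping cannot be created, instead of running
    # mkswap/swapon against a device that does not exist
    "${PROG}" -q -c "${CIPH}" -d /dev/urandom create "${SWAP}" "${PART}" || exit 1
    mkswap -f "/dev/mapper/${SWAP}"
    swapon "/dev/mapper/${SWAP}"
    exit 0
  fi
  ;;
stop)
  swapoff -a
  sleep 1
  "${PROG}" close "/dev/mapper/${SWAP}"
  ;;
status)
  swapon --show
  ;;
*)
  echo "usage: $0 [start|stop|status]"
  ;;
esac
EOF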
##### Make the above initscript executable
chmod +x /etc/rc.d/swap
##### Edit rc.conf and add "swap" to the SERVICES array. The SERVICES line below
##### is the content to put in the file, not a command to run at the prompt.
vi /etc/rc.conf
SERVICES=(swap lo net crond)
##### Continue configuring the network and building the kernel
vi /etc/rc.d/net
##### Tell dracut to include LUKS and LVM support in the initramfs. The line after
##### the vi command is the content of modules.conf, not a command to run.
vi /etc/dracut.conf.d/modules.conf
add_dracutmodules+=" crypt lvm "
cd /usr/src/linux-5.15.55
##### In menuconfig, make sure the kernel can open what was created earlier:
##### device mapper and dm-crypt (CONFIG_BLK_DEV_DM, CONFIG_DM_CRYPT), the cipher
##### and mode used for the container (CONFIG_CRYPTO_SERPENT, CONFIG_CRYPTO_XTS)
##### and the filesystem (CONFIG_F2FS_FS). Without them the root volume cannot be
##### unlocked or mounted at boot.
make menuconfig
make all && make modules_install
##### Install the kernel, syslinux bootloader, and initramfs
##### NOTE: /boot is the unencrypted EFI system partition (/dev/sda1). The kernel,
##### initramfs and bootloader copied there are not protected by LUKS; only the
##### logical volumes inside /dev/sda3 are encrypted. Anyone with physical access
##### to the disk can replace these boot files, so treat this setup as protecting
##### data at rest, not the integrity of the boot chain.
mkdir -p /boot/efi/BOOT
cp arch/x86/boot/bzImage /boot/efi/BOOT/vmlinuz-5.15.55
cp System.map /boot/efi/BOOT/System.map-5.15.55
cp .config /boot/efi/BOOT/config-5.15.55
##### NOTE(review): dracut writes the image to /boot, while syslinux.cfg lives in
##### /boot/efi/BOOT and names the initramfs without a path, like the kernel that
##### sits next to it. Confirm the bootloader finds the image; otherwise write it
##### to /boot/efi/BOOT instead.
dracut --kver 5.15.55 /boot/initramfs-5.15.55.img
cp /usr/share/syslinux/efi64/syslinux.efi /boot/efi/BOOT/bootx64.efi
cp /usr/share/syslinux/efi64/ldlinux.e64 /boot/efi/BOOT
##### The lines after the vi command are the contents of syslinux.cfg, not
##### commands. rd.auto=1 asks dracut to auto-assemble the LUKS and LVM devices,
##### so the passphrase prompt appears during boot.
vi /boot/efi/BOOT/syslinux.cfg
PROMPT 1
TIMEOUT 10
DEFAULT CRUX
LABEL CRUX
LINUX vmlinuz-5.15.55
APPEND root=/dev/mapper/ENCRYPTED-root rw rd.auto=1
INITRD initramfs-5.15.55.img
##### Reboot, and enjoy your new CRUX installation!