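# This outline of a CRUX installation for full-disk encryption is provided
# based on the experience of one user. There are many other possible ways
# to set up an encrypted disk. At every stage of the installation, you have a
# number of different options. It is easy to get overwhelmed by all the decisions
# involved.
#
# This is an outline to follow step by step as root from the CRUX install
# media, not a script to run unattended: several steps are interactive
# (setup, setup-chroot, passwd, vi, make menuconfig) and everything below
# writes to /dev/sda. Adjust the device names first; /dev/disk/by-id/... or
# UUID references are more robust than /dev/sdaN if the disk order can change.
#
# Extra packages: lz4 if you choose this compression mode for the kernel,
# dracut and lvm2 to access the logical volumes when booting

##### Partition the disk: EFI system partition, swap, and one large partition
##### that will hold the LUKS container (and all logical volumes inside it)
parted -s -a optimal /dev/sda \
  mklabel gpt \
  mkpart primary fat32 0% 500MiB \
  name 1 esp \
  set 1 esp on \
  mkpart primary 500MiB 4GiB \
  name 2 swap \
  mkpart primary 4GiB 100% \
  name 3 ENCRYPTED

mkfs.vfat /dev/sda1

##### Swap with a throw-away random key (plain dm-crypt, no LUKS header).
##### The key is read from /dev/urandom and is lost at reboot, so this swap
##### cannot be used for hibernation; the initscript written further down
##### recreates the mapping on every boot. ('create' is the legacy spelling
##### of 'open --type plain' in current cryptsetup.)
cryptsetup -q -c aes-cbc-essiv:sha256 -d /dev/urandom create swap /dev/sda2
mkswap -f /dev/mapper/swap
swapon /dev/mapper/swap

##### Create the LUKS2 container. Pick ONE of the two cipher choices below;
##### running luksFormat twice on the same device overwrites the first header.
##### cryptsetup's own LUKS2 default is aes-xts-plain64, which is the usual
##### recommendation today; cbc-essiv is an older mode kept here as written.
##### For AES Encryption #####
cryptsetup luksFormat --type luks2 -c aes-cbc-essiv:sha256 /dev/sda3
##### Alternative: Serpent in XTS mode with a 512-bit key
# cryptsetup luksFormat --type luks2 -c serpent-xts-plain64 -s 512 /dev/sda3

##### The device node is now set up, but it needs a mapping to be usable as disk space
##### Replace 'ENCRYPTED' with whatever name you want
cryptsetup luksOpen /dev/sda3 ENCRYPTED
pvcreate /dev/mapper/ENCRYPTED

##### On the newly-mapped physical volume, create the desired logical volumes
vgcreate ENCRYPTED /dev/mapper/ENCRYPTED
lvcreate -L 30G ENCRYPTED -n root
lvcreate -L 4G ENCRYPTED -n var
lvcreate -L 50G ENCRYPTED -n usr
lvcreate -L 3G ENCRYPTED -n opt
lvcreate -l 100%FREE ENCRYPTED -n home

##### Format each logical volume with the desired filesystem
##### ("flash-friendly" FS works well with the encryption overhead, but btrfs or ext4 are also possible)
mkfs.f2fs /dev/mapper/ENCRYPTED-root
mkfs.f2fs /dev/mapper/ENCRYPTED-var
mkfs.f2fs /dev/mapper/ENCRYPTED-usr
mkfs.f2fs /dev/mapper/ENCRYPTED-opt
mkfs.f2fs /dev/mapper/ENCRYPTED-home

##### Mount the root FS where the CRUX installer expects it
mount /dev/mapper/ENCRYPTED-root /mnt

##### Do the same for any partitions that will be written to during CRUX installation
mkdir /mnt/{var,usr,opt,home,boot}
mount /dev/mapper/ENCRYPTED-var /mnt/var
mount /dev/mapper/ENCRYPTED-usr /mnt/usr
mount /dev/mapper/ENCRYPTED-opt /mnt/opt
mount /dev/mapper/ENCRYPTED-home /mnt/home
mount /dev/sda1 /mnt/boot

##### Run the CRUX installer, then enter the new system
setup
# --> Install these extra packages (cryptsetup lvm2 syslinux dracut lz4)
setup-chroot
passwd
localedef -i en_US -f UTF-8 en_US.UTF-8

##### fstab for the new system. The swap line stays commented out on purpose:
##### the mapping is created by /etc/rc.d/swap below, not by mount/swapon -a.
##### (The heredoc delimiter is quoted so nothing inside is expanded.)
cat <<'EOF' > /etc/fstab
/dev/mapper/ENCRYPTED-root / f2fs defaults 0 0
#/dev/mapper/swap swap swap defaults 0 0
/dev/sda1 /boot vfat defaults 0 0
/dev/mapper/ENCRYPTED-var /var f2fs defaults 0 0
/dev/mapper/ENCRYPTED-usr /usr f2fs defaults 0 0
/dev/mapper/ENCRYPTED-opt /opt f2fs defaults 0 0
/dev/mapper/ENCRYPTED-home /home f2fs defaults 0 0
EOF

##### Now write a custom initscript to create an encrypted swap partition with
##### randomized cipher key on each boot. The delimiter is quoted so that $1,
##### ${PROG} etc. are written literally instead of being expanded now.
cat <<'EOF' > /etc/rc.d/swap
#!/bin/sh
# Encrypted swap with a fresh random key on every boot.
# start:  create the dm-crypt mapping (if missing), format it, enable it
# stop:   disable all swap and close the mapping
# status: list active swap
PROG="/usr/sbin/cryptsetup"
SWAP="swap"
CIPH="aes-cbc-essiv:sha256"
PART="/dev/sda2"

case "$1" in
  start)
    if [ -e /dev/mapper/${SWAP} ] ; then
      # Mapping already exists (e.g. restart): only swapon if no swap
      # partition is listed as active yet.
      if swapon --show | grep -qs partition ; then
        exit 0
      else
        swapon /dev/mapper/${SWAP}
        exit 0
      fi
    else
      ${PROG} -q -c ${CIPH} -d /dev/urandom create ${SWAP} ${PART}
      mkswap -f /dev/mapper/${SWAP}
      swapon /dev/mapper/${SWAP}
      exit 0
    fi
    ;;
  stop)
    swapoff -a
    # give the kernel a moment to release the device before closing it
    sleep 1
    ${PROG} close /dev/mapper/${SWAP}
    ;;
  status)
    swapon --show
    ;;
  *)
    echo "usage: $0 [start|stop|status]"
    ;;
esac
EOF

##### Make the above initscript executable, and add it to the SERVICES array
##### in /etc/rc.conf. Edit the existing line so that it reads, for example:
#####   SERVICES=(swap lo net crond)
chmod +x /etc/rc.d/swap
vi /etc/rc.conf

##### Continue configuring the network and building the kernel
vi /etc/rc.d/net

##### Tell dracut to include the crypt and lvm modules in the initramfs;
##### without them the LUKS container / volume group cannot be opened at boot
mkdir -p /etc/dracut.conf.d
cat <<'EOF' > /etc/dracut.conf.d/modules.conf
add_dracutmodules+=" crypt lvm "
EOF

cd /usr/src/linux-5.15.55
make menuconfig
make all && make modules_install

##### Install the kernel, syslinux bootloader, and initramfs.
##### Everything under /boot lives on the unencrypted ESP (/dev/sda1): the
##### disk encryption protects the data on /dev/sda3, not the integrity of
##### the kernel/initramfs/bootloader files that open it.
mkdir -p /boot/efi/BOOT
cp arch/x86/boot/bzImage /boot/efi/BOOT/vmlinuz-5.15.55
cp System.map /boot/efi/BOOT/System.map-5.15.55
cp .config /boot/efi/BOOT/config-5.15.55
# The initramfs goes into the same directory as syslinux.cfg, because the
# INITRD line below refers to it by a relative name (syslinux resolves it
# relative to the directory it was loaded from, /boot/efi/BOOT).
dracut --kver 5.15.55 /boot/efi/BOOT/initramfs-5.15.55.img
cp /usr/share/syslinux/efi64/syslinux.efi /boot/efi/BOOT/bootx64.efi
cp /usr/share/syslinux/efi64/ldlinux.e64 /boot/efi/BOOT

##### Bootloader configuration. rd.auto=1 lets dracut auto-assemble the LUKS
##### container and the LVM volume group before switching to the root LV.
cat <<'EOF' > /boot/efi/BOOT/syslinux.cfg
PROMPT 1
TIMEOUT 10
DEFAULT CRUX

LABEL CRUX
  LINUX vmlinuz-5.15.55
  APPEND root=/dev/mapper/ENCRYPTED-root rw rd.auto=1
  INITRD initramfs-5.15.55.img
EOF

##### Reboot, and enjoy your new CRUX installation!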