HOW-TO: Install Antergos with custom/advanced LUKS/LVM2 partitioning


# Page just updated, and tested (joekamprad)

Although the Antergos installer, Cnchi, now offers the option to encrypt a single partition with LUKS when making your own partition scheme, it still doesn't support LVM2 (Logical Volume Manager) volumes over LUKS for custom partitioning.

Doing a full disk install with LVM2 over LUKS is great if you can spare the whole hard drive for Linux. If you can't but still want to get the benefit of installing Antergos on a LUKS/LVM2 combo while sharing the drive with other partitions, this tutorial was made for you!

I initially picked up the knowledge early last year when Cnchi didn't even support any encryption for custom partition layouts. There's a lot of good information about this topic already on the Arch Wiki but I found it to be spread out and difficult to piece together. I thought it would be nice if I took what I learned and shared it with everyone.

Why LVM2 on LUKS vs. multiple LUKS-only partitions?

You may be wondering why you would bother with a big LUKS partition containing several logical volumes within it (LVM2) as opposed to several simple LUKS custom partitions which Cnchi supports already?

Having an LVM2 volume group in the LUKS partition offers a few advantages.

First, having only to perform a single decryption is very convenient.

You'll only need to enter one passphrase at boot time to decode all your volumes as opposed to the multiple LUKS scheme where you would have to enter a passphrase for each of the encrypted volumes.

If your passphrase is very long and you've got 2 or more volumes, this makes a huge difference. If you don't have a long passphrase, I would urge you to make one, as most crypto devs recommend a passphrase of at least 25 characters in length to ensure robustness against cloud-based brute force attacks (which pretty much anyone with a lot of money can set up these days).

Additionally, I've found LVM volumes to be a pleasure to work with. They are a lot easier and more flexible to manipulate than LUKS partitions, which essentially have to be destroyed and recreated.

Procedure:

Preparation Work

  • Today most systems use EFI/UEFI firmware; these systems need a separate ESP partition formatted as FAT32.
  • Older BIOS/MBR systems, or systems forced to boot in legacy mode, will not need the extra ESP partition.

Once you're in the live environment, use the Windows/Meta key and search for GParted.

Use it to partition your drive the way you want it.

Set a partition aside for your LUKS (best left unformatted). If you're going to install grub on the same drive as your Antergos installation (which I recommend) and the drive has an MBR partition table, set aside a 150-300mb partition for a separate non-encrypted/non-LVM /boot partition.

If you're installing grub on the same drive and it's GPT, you'll also have to set aside the first 100mb (again non-encrypted/non-lvm) for the /boot/efi partition (that's in addition to the /boot partition).


To manually setup LUKS and LVM, open Terminal (Meta, search for terminal) and enter the following commands:

# from here on out, I'll assume you're running my commands as root 
sudo su 

#replace sdXn with the partition you set aside for your LUKS (eg. sdd3 or sda4); keep note of your sdXn for later.
cryptsetup luksFormat /dev/sdXn 

#open the container; the decrypted container is then available at /dev/mapper/myCRYPTname
cryptsetup open /dev/sdXn myCRYPTname 

pvcreate /dev/mapper/myCRYPTname
vgcreate MyVolumeGroupsName /dev/mapper/myCRYPTname

Keep a note of the names you've selected for myCRYPTname and MyVolumeGroupsName, as you'll need them at the end of this tutorial. Now you can create as many volumes as you want. For example:

lvcreate -L 8G MyVolumeGroupsName -n swapvol

lvcreate -L 15G MyVolumeGroupsName -n rootvol

lvcreate -L 120G MyVolumeGroupsName -n homevol

lvcreate -l 100%FREE MyVolumeGroupsName -n datavol

(100%FREE will take the rest of the free space)

Keep a note of the name you've selected for rootvol (future /), as you'll also need it at the end. Reference: https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS

If you have a large amount of RAM, swap is not needed to get the system running, but if you want to make use of suspend to swap (hibernation) you will need the swap volume (swapvol).


Cnchi Install:

You can use Cnchi to do most of the rest from here:

Run the Cnchi installer and, when you get to the point that asks "how would you like to proceed?", choose: "choose exactly where Antergos should be installed."


The installer sees the decrypted lvm volumes you've setup/mounted and places them above the regular partitions. You'll be able to treat the volumes as any other physical partition in Cnchi.


Now would be a good time to format them and give them a mount point:

  • /dev/mapper/MyVolumeGroupsName-rootvol ext4 /
  • /dev/mapper/MyVolumeGroupsName-homevol ext4 /home
  • /dev/mapper/MyVolumeGroupsName-datavol ext4 /home/yourusername/data

(LVM volumes show up in /dev/mapper as VolumeGroup-LogicalVolume, so the names here use the volume group name, not the LUKS mapping name.)

On EFI Systems:

  • /dev/sda1 fat32 /boot/efi
  • /dev/sda2 ext4 /boot


On Bios/MBR

  • /dev/sda1 ext4 /boot

At the very least, to proceed, you'll have to assign/format your root volume (/), your /boot partition, which (again) must be outside of your LUKS partition, and, if you're on GPT, the /boot/efi partition (at the very beginning of the drive).

You will also have to specify the hard drive where you want to install grub. In general it's a good policy to keep all hard drives self sufficient and install grub on the same drive you're running the OS.


You can then run the installer as usual after that but don't reboot at the end of the install.

Configure grub & mkinitcpio:

Once the installation is finished, you'll have 90% of the job finished but you still won't be able to boot into your new OS.

Since you installed Antergos on LVM volumes that you decrypted yourself, Cnchi will not know that they are encrypted: your initramfs will be missing the "encrypt" hook, and grub will need a few parameters added to it as well.

You'll have to fix some config files and recompile them before rebooting the system.

For that we need to arch-chroot into the freshly installed system (make sure you know what that means!). In the example below, sda1 is the fat32 /boot/efi partition and sda2 is the ext4 /boot partition:

sudo su
mount /dev/mapper/MyVolumeGroupsName-rootvol /mnt
mount /dev/sda2 /mnt/boot
mount /dev/sda1 /mnt/boot/efi
arch-chroot /mnt

Be sure to mount the /boot and /boot/efi partitions within the root volume's mount path.

The BIOS vs. UEFI distinction from the preparation section still applies at this point: on a BIOS/MBR system there is no /boot/efi partition to mount.

Edit /etc/mkinitcpio.conf

nano /etc/mkinitcpio.conf

and go down to the HOOKS section; it will look something like:

# usr, fsck and shutdown hooks.
HOOKS="base udev autodetect modconf block keyboard keymap lvm2 filesystems fsck"

and add the encrypt hook before the lvm2 one so that it looks like here:

# usr, fsck and shutdown hooks.
HOOKS="base udev autodetect modconf block keyboard keymap encrypt lvm2 filesystems fsck"

and add ext4 to the MODULES line:

#     MODULES=(piix ide_disk reiserfs)
MODULES="ext4"


Edit /etc/default/grub

nano /etc/default/grub

At the very beginning of the "grub" file, edit the GRUB_CMDLINE_LINUX line and add GRUB_ENABLE_CRYPTODISK=y so that the section looks like this:

GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=Antergos
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="cryptdevice=UUID=XXX:root:allow-discards root=/dev/mapper/MyVolumeGroupsName-rootvol"
GRUB_ENABLE_CRYPTODISK=y

You get the UUID of the LUKS partition (to replace XXX above) with: blkid /dev/sda3

(replace sda3 with the partition that contains your volume group, i.e. the sdXn you noted earlier)

Further down, in the section that says "Preload both GPT and MBR modules", add lvm to GRUB_PRELOAD_MODULES so that it reads:

# Preload both GPT and MBR modules so that they are not missed 
GRUB_PRELOAD_MODULES="part_gpt part_msdos lvm" 
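As an added example (not part of the original wiki page), here is a small POSIX sh check you can run inside the arch-chroot before recompiling: it verifies that the encrypt hook sits before lvm2 (and keyboard before encrypt), that the XXX placeholder in cryptdevice= has been replaced by a real UUID, and that GRUB_ENABLE_CRYPTODISK=y and the lvm preload are set. The function names check_boot_config, hook_pos and write_samples are chosen here, and the sample config lines and UUID in write_samples are constructed.

```shell
#!/bin/sh
# Added example, not from the original wiki: sanity-check the two config files
# edited above before running mkinitcpio and grub-mkconfig.
# check_boot_config <mkinitcpio.conf> <default/grub> prints one line per failed
# check and returns 1 on any failure, 0 when everything is in place.
hook_pos() { echo "$1" | tr ' ' '\n' | grep -nx "$2" | cut -d: -f1; }

check_boot_config() {
    mk="$1"; grub="$2"; rc=0
    hooks=$(grep -E '^HOOKS=' "$mk" | cut -d= -f2- | tr -d '"()')
    enc=$(hook_pos "$hooks" encrypt); lvm=$(hook_pos "$hooks" lvm2); kbd=$(hook_pos "$hooks" keyboard)
    # The initramfs must unlock LUKS (encrypt) before it scans for LVM (lvm2)...
    if [ -z "$enc" ] || [ -z "$lvm" ] || [ "$enc" -ge "$lvm" ]; then
        echo "FAIL: HOOKS needs 'encrypt' before 'lvm2' (got: $hooks)"; rc=1
    fi
    # ...and the keyboard driver must be loaded before the passphrase prompt appears.
    if [ -n "$enc" ] && { [ -z "$kbd" ] || [ "$kbd" -ge "$enc" ]; }; then
        echo "FAIL: 'keyboard' hook should come before 'encrypt'"; rc=1
    fi
    cmdline=$(grep -E '^GRUB_CMDLINE_LINUX=' "$grub" | cut -d= -f2- | tr -d '"')
    # cryptdevice= must carry the real UUID of the LUKS partition, not the XXX placeholder.
    case "$cmdline" in
        *cryptdevice=UUID=????????-????-????-????-????????????:*) ;;
        *) echo "FAIL: GRUB_CMDLINE_LINUX needs cryptdevice=UUID=<uuid>:<name> (got: $cmdline)"; rc=1 ;;
    esac
    grep -qx 'GRUB_ENABLE_CRYPTODISK=y' "$grub" || { echo "FAIL: GRUB_ENABLE_CRYPTODISK=y missing"; rc=1; }
    grep -E '^GRUB_PRELOAD_MODULES=' "$grub" | grep -qw lvm || { echo "FAIL: add lvm to GRUB_PRELOAD_MODULES"; rc=1; }
    return $rc
}

# Constructed sample files (the UUID is made up) showing the "before" and "after" state of the edits.
write_samples() {
    d=$(mktemp -d)
    printf 'HOOKS="base udev autodetect modconf block keyboard keymap lvm2 filesystems fsck"\n' > "$d/mk.before"
    printf 'HOOKS="base udev autodetect modconf block keyboard keymap encrypt lvm2 filesystems fsck"\nMODULES="ext4"\n' > "$d/mk.after"
    printf 'GRUB_CMDLINE_LINUX="cryptdevice=UUID=XXX:root:allow-discards root=/dev/mapper/MyVolumeGroupsName-rootvol"\nGRUB_PRELOAD_MODULES="part_gpt part_msdos"\n' > "$d/grub.before"
    printf 'GRUB_CMDLINE_LINUX="cryptdevice=UUID=12345678-abcd-ef01-2345-6789abcdef01:root:allow-discards root=/dev/mapper/MyVolumeGroupsName-rootvol"\nGRUB_ENABLE_CRYPTODISK=y\nGRUB_PRELOAD_MODULES="part_gpt part_msdos lvm"\n' > "$d/grub.after"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(write_samples)
    check_boot_config "$d/mk.before" "$d/grub.before" && echo "before: ok" || echo "before: problems found"
    check_boot_config "$d/mk.after" "$d/grub.after" && echo "after: ok"
fi
```

Run it as `sh check.sh --demo` to see the constructed "before" files fail and the "after" files pass; on a real system call `check_boot_config /etc/mkinitcpio.conf /etc/default/grub`.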

Recompiling kernel image:

Now that these two config files are corrected, we can recompile the kernel image and grub.cfg inside the arch-chroot:

mkinitcpio -p linux

It needs to compile with no errors or warnings.

Recompiling grub.cfg

grub-mkconfig -o /boot/grub/grub.cfg

This may give some warnings related to lvm, such as the one below; you can just ignore them, it will succeed anyway:

WARNING: Failed to connect to lvmetad. Falling back to device scanning.


reboot now and pray 😉



IF IT REBOOTS AND GIVES YOU A PASSWORD PROMPT, PAT YOURSELVES ON THE BACK! YOU ARE DONE!


Wiki Entry History:

All credit goes to fadi-r, as he was the one who created this wiki page some time ago!

I, joekamprad, reviewed this in June 2018 to fit the current state of the Antergos system and Cnchi.

Thanks to toxpal, the one who started this thread here at the forum:

https://forum.antergos.com/topic/10084/luks-with-custom-partitioning
