# Page just updated, and tested (joekamprad)
Although the Antergos installer, Cnchi, now offers the option to encrypt a single partition with LUKS when making your own partition scheme, it still doesn't support LVM2 (Logical Volume Manager) volumes on top of LUKS for custom partitioning.
Doing a full disk install with LVM2 over LUKS is great if you can spare the whole hard drive for Linux. If you can't but still want to get the benefit of installing Antergos on a LUKS/LVM2 combo while sharing the drive with other partitions, this tutorial was made for you!
I initially picked up the knowledge early last year when Cnchi didn't even support any encryption for custom partition layouts. There's a lot of good information about this topic already on the Arch Wiki but I found it to be spread out and difficult to piece together. I thought it would be nice if I took what I learned and shared it with everyone.
Why LVM2 on LUKS vs. multiple LUKS-only partitions?
You may be wondering why you would bother with one big LUKS partition containing several logical volumes (LVM2), as opposed to several simple LUKS custom partitions, which Cnchi already supports.
Having an LVM2 volume group in the LUKS partition offers a few advantages.
First, having only to perform a single decryption is very convenient.
You'll only need to enter one passphrase at boot time to decode all your volumes as opposed to the multiple LUKS scheme where you would have to enter a passphrase for each of the encrypted volumes.
If your passphrase is very long and you've got 2 or more volumes, this makes a huge difference. If you don't have a long passphrase, I would urge you to make one, as most crypto devs recommend a passphrase of at least 25 characters in length to ensure robustness against cloud-based brute force attacks (which pretty much anyone with a lot of money can set up these days).
Additionally, I've found LVM volumes to be a pleasure to work with. They are a lot easier and more flexible to manipulate than LUKS partitions, which essentially have to be destroyed and recreated.
- Watch the installation as a video here: Video Tutorial
- Today most systems use EFI/UEFI firmware; these systems need a separate ESP partition formatted as FAT32.
- Older BIOS/MBR systems, or systems forced to boot in legacy mode, will not need the extra ESP partition.
Once you're in the live environment, use the Windows/Meta key and search for GParted.
Use it to partition your drive the way you want it.
Set a partition aside for your LUKS container (best left unformatted). If you're going to install GRUB on the same drive as your Antergos installation (which I recommend) and the drive has an MBR partition table, set aside a 150-300 MB partition for a separate non-encrypted/non-LVM
If you're installing GRUB on the same drive and it's GPT, you'll also have to set aside the first 100 MB (again non-encrypted/non-LVM) for the /boot/efi partition (that's in addition to the
To manually set up LUKS and LVM, open a terminal (Meta, search for terminal) and enter the following commands:
```sh
# from here on out, I'll assume you're running my commands as root
sudo su
# replace sdXn with the partition you set aside for your LUKS (eg. sdd3 or sda4); keep note of your sdXn for later
cryptsetup luksFormat /dev/sdXn
# open the container; the decrypted device is now available at /dev/mapper/myCRYPTname
cryptsetup open /dev/sdXn myCRYPTname
# turn the decrypted device into an LVM physical volume and put a volume group on it
pvcreate /dev/mapper/myCRYPTname
vgcreate MyVolumeGroupsName /dev/mapper/myCRYPTname
```
Keep a note of the name you've selected for MyVolumeGroupsName, as you'll need it at the end of this tutorial. Now you can create as many volumes as you want. For example:
```sh
lvcreate -L 8G MyVolumeGroupsName -n swapvol
lvcreate -L 15G MyVolumeGroupsName -n rootvol
lvcreate -L 120G MyVolumeGroupsName -n homevol
lvcreate -l 100%FREE MyVolumeGroupsName -n datavol
```
(100%FREE will take the rest of the free space)
Keep a note of the name you've selected for rootvol (your future /), as you'll also need it at the end. Reference: https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS
If you have a large amount of RAM, swap is not needed to get the system running, but if you want to make use of suspend to swap (hibernation) you will need the swap volume (swapvol).
You can use Cnchi to do most of the rest from here:
Run the Cnchi installer and, when you get to the point that asks "how would you like to proceed?", select "choose exactly where Antergos should be installed."
The installer sees the decrypted LVM volumes you've set up and lists them above the regular partitions. You'll be able to treat the volumes like any other physical partition in Cnchi.
Now would be a good time to format them and give them a mount point:
- /dev/mapper/MyVolumeGroupsName-rootvol ext4 /
- /dev/mapper/MyVolumeGroupsName-homevol ext4 /home
- /dev/mapper/MyVolumeGroupsName-datavol ext4 /home/yourusername/data
On EFI systems:
- /dev/sda1 fat32 /boot/efi
- /dev/sda2 ext4 /boot
On BIOS/MBR systems:
- /dev/sda1 ext4 /boot
At the very least, to proceed, you'll have to assign and format your root volume (/), your /boot partition, which (again) must be outside of your LUKS partition, and, if you're on GPT, the /boot/efi partition (at the very beginning of the drive).
You will also have to specify the hard drive where you want to install GRUB. In general it's a good policy to keep all hard drives self-sufficient and install GRUB on the same drive you're running the OS from.
You can then run the installer as usual, but don't reboot at the end of the install.
Configure grub & mkinitcpio:
Once the installation is finished, you'll have 90% of the job finished but you still won't be able to boot into your new OS.
Since you installed Antergos on LVM volumes that you decrypted yourself, Cnchi will not know that they are encrypted: your initramfs will be missing the "encrypt" hook, and GRUB will need a few parameters added as well.
You'll have to fix some config files and recompile them before rebooting the system.
For that we need to arch-chroot into the freshly installed system (make sure you know what that means!):
```sh
sudo su
# the LUKS container is still open from the earlier cryptsetup open step
mount /dev/mapper/MyVolumeGroupsName-rootvol /mnt
mount /dev/sda2 /mnt/boot
mount /dev/sda1 /mnt/boot/efi   # EFI systems only; on BIOS/MBR, /dev/sda1 is /boot
arch-chroot /mnt
```
Be sure to mount the /boot and /boot/efi partitions within the root volume's mount path.
And the caveat about legacy (BIOS) vs. UEFI boot still applies at this point: only EFI systems have a /boot/efi partition to mount.
Open /etc/mkinitcpio.conf and go down to the HOOKS section; it will look something like:
```
# usr, fsck and shutdown hooks.
HOOKS="base udev autodetect modconf block keyboard keymap lvm2 filesystems fsck"
```
Add the encrypt hook before the lvm2 one so that it looks like this:
```
# usr, fsck and shutdown hooks.
HOOKS="base udev autodetect modconf block keyboard keymap encrypt lvm2 filesystems fsck"
```
And add ext4 to the MODULES line:
```
# MODULES=(piix ide_disk reiserfs)
MODULES="ext4"
```
At the very beginning of the "grub" file (/etc/default/grub), after the default entries, set GRUB_CMDLINE_LINUX and GRUB_ENABLE_CRYPTODISK so that the section looks like this:
```
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=Antergos
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="cryptdevice=UUID=XXX:root:allow-discards root=/dev/mapper/MyVolumeGroupsName-rootvol"
GRUB_ENABLE_CRYPTODISK=y
```
The allow-discards option passes TRIM through to the SSD, which is good for its lifetime but lets anyone holding the raw disk see which blocks are unused; drop it if that matters to you.
Get the UUID of the LUKS device and put it in place of XXX (replace sda3 with the partition that contains your volume group).
In the section that says GRUB_PRELOAD_MODULES, make sure lvm is listed:
```
# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos lvm"
```
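As an added check that is not part of the original wiki, the script below verifies both config edits before you rebuild anything: the hook order in /etc/mkinitcpio.conf and the cryptdevice/root/cryptodisk/preload settings in /etc/default/grub. It assumes the LUKS container partition is passed as its only argument and reads its UUID with cryptsetup luksUUID; the check functions themselves take file paths, so they can also be run against copies of the files.

```shell
#!/bin/sh
# Added sanity check for the tutorial's two config edits (not part of the
# original wiki). Run inside the arch-chroot before mkinitcpio/grub-mkconfig:
#   sh check-luks-lvm.sh /dev/sdXn     (sdXn = the LUKS container partition)

# UUID of the LUKS header; this is the value GRUB's cryptdevice= must carry.
luks_uuid() {
    cryptsetup luksUUID "$1"
}

# HOOKS must list encrypt before lvm2 and lvm2 before filesystems, or the
# initramfs looks for the root LV before the container has been unlocked.
check_hooks() {
    hooks=$(grep '^HOOKS=' "$1" | tail -n 1)
    [ -n "$hooks" ] || { echo "no HOOKS= line in $1"; return 1; }
    printf '%s\n' "$hooks" \
        | grep -Eq '[ "(]encrypt( [^ "()]+)* lvm2( [^ "()]+)* filesystems[ ")]' \
        || { echo "wrong hook order: $hooks"; return 1; }
}

# /etc/default/grub must enable cryptodisk, name the right container UUID in
# cryptdevice=, put root= on a /dev/mapper/<VG>-<LV> device and preload lvm.
check_grub() {
    f=$1; uuid=$2
    grep -q '^GRUB_ENABLE_CRYPTODISK=y' "$f" \
        || { echo "GRUB_ENABLE_CRYPTODISK=y missing in $f"; return 1; }
    grep -Eq "^GRUB_CMDLINE_LINUX=.*cryptdevice=UUID=$uuid:" "$f" \
        || { echo "cryptdevice= does not name UUID $uuid"; return 1; }
    grep -Eq '^GRUB_CMDLINE_LINUX=.*root=/dev/mapper/[^ "]+-[^ "]+' "$f" \
        || { echo "root= is not a /dev/mapper/<VG>-<LV> path"; return 1; }
    grep -Eq '^GRUB_PRELOAD_MODULES=.*lvm' "$f" \
        || { echo "lvm missing from GRUB_PRELOAD_MODULES"; return 1; }
}

# Run both checks against the chroot's files when a device is given.
if [ "$#" -eq 1 ]; then
    check_hooks /etc/mkinitcpio.conf \
        && check_grub /etc/default/grub "$(luks_uuid "$1")" \
        && echo "configs look consistent; run mkinitcpio -p linux and grub-mkconfig"
fi
```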
Recompiling kernel image:
Now that these two config files are corrected, we can recompile the kernel image and grub.cfg inside the arch-chroot:
```sh
mkinitcpio -p linux
```
It needs to compile with no errors or warnings.
```sh
grub-mkconfig -o /boot/grub/grub.cfg
```
This may give some warnings related to LVM; you can just ignore them, it will succeed anyway:
```
WARNING: Failed to connect to lvmetad. Falling back to device scanning.
```
reboot now and pray 😉
IF IT REBOOTS AND GIVES YOU A PASSWORD PROMPT, PAT YOURSELVES ON THE BACK! YOU ARE DONE!
Wiki Entry History:
All credit goes to fadi-r, as he was the one who created this wiki some time ago!
I, joekamprad, reviewed this in June 2018 to fit the current state of the Antergos system and Cnchi.
Thanks to toxpal, the one who went through this here at the forum.