HOW TO: Install Antergos /w custom LUKS/LVM2 partitioning

Although the Antergos installer, Cnchi, now offers the option to encrypt a single partition with LUKS when making your own partition scheme, it still doesn't support LVM2 (Logical Volume Manager) volumes on top of LUKS for custom partitioning.

Doing a full disk install with LVM2 over LUKS is great if you can spare the whole hard drive for Linux. If you can't, but still want the benefits of installing Antergos on a LUKS/LVM2 combo while sharing the drive with other partitions, this tutorial was made for you!

I initially picked up the knowledge early last year when Cnchi didn't even support any encryption for custom partition layouts. There's a lot of good information about this topic already on the Arch Wiki, but I found it to be spread out and difficult to piece together. I thought it would be nice if I took what I learned and shared it with everyone.

WHY LVM2 ON LUKS VS. MULTIPLE LUKS-ONLY PARTITIONS?

You may be wondering why you would bother with one big LUKS partition containing several logical volumes (LVM2), as opposed to several simple LUKS custom partitions, which Cnchi already supports. Having an LVM2 volume group inside the LUKS partition offers a few advantages. First, only having to perform a single decryption is very convenient: you'll enter one passphrase at boot time to decrypt all your volumes, as opposed to the multiple-LUKS scheme where you would have to enter a passphrase for each encrypted volume. If your passphrase is very long and you've got 2 or more volumes, this makes a huge difference. If you don't have a long passphrase, I would urge you to make one, as most crypto devs recommend a passphrase of at least 25 characters in length to ensure robustness against cloud-based brute-force attacks (which pretty much anyone with a lot of money can set up these days). Additionally, I've found LVM volumes to be a pleasure to work with. They are a lot easier and more flexible to manipulate than LUKS partitions, which essentially have to be destroyed and recreated.

PROCEDURE

 

PREP WORK


You're better off plugging the HD/SSD on which you're going to install Antergos into the SATA0 or SATA1 port on your motherboard, as it'll save you some headaches with GRUB (see TROUBLESHOOTING1 at the end of the article).

Boot into your Antergos USB media via the BIOS boot menu. If you're going to install GRUB on a GPT drive, you'll need to select the UEFI boot option for the USB stick. If GRUB is going to run off an MBR disk, you'll need to use the plain USB (legacy) option.

Be aware that if you're working with a drive larger than 2TB, you can only use GPT partitioning.

Once you're in the live environment, press the Windows/Meta key and search for GParted. Use it to partition your drive the way you want it. Set a partition aside for your LUKS container (it can be any format, as the partition will just get overwritten later). If you're going to install GRUB on the same drive as your Antergos installation (which I recommend) and the drive has an MBR partition table, set aside a 150-300MB partition for a separate, non-encrypted, non-LVM /boot partition. If you're installing GRUB on the same drive and it's GPT, you'll also have to set aside the first 100MB (again non-encrypted, non-LVM) for the /boot/efi partition (that's in addition to the /boot partition).

To manually set up LUKS and LVM, open a terminal (Meta, search for "terminal") and enter the following commands:

# from here on out, I'll assume you're running my commands as root
sudo su

# replace sdXX with the partition you set aside for your LUKS container (e.g. sdd3 or sda4); keep a note of your sdXX for later
cryptsetup luksFormat /dev/sdXX

# open the container; the decrypted device is now available at /dev/mapper/myCRYPTname
cryptsetup open --type luks /dev/sdXX myCRYPTname

# turn the decrypted device into an LVM physical volume and put a volume group on it
pvcreate /dev/mapper/myCRYPTname
vgcreate MyVolumeGroupsName /dev/mapper/myCRYPTname
Keep a note of the names you've selected for myCRYPTname and MyVolumeGroupsName, as you'll need them at the end of this tutorial.

Now you can create as many volumes as you want. For example:
lvcreate -L 8G MyVolumeGroupsName -n swapvol
lvcreate -L 15G MyVolumeGroupsName -n myROOTvolume
# -L takes a size; lowercase -l expects a number of extents (or e.g. 100%FREE) and would reject "270G"
lvcreate -L 270G MyVolumeGroupsName -n homevol
Keep a note of the name you've selected for myROOTvolume (your future /), as you'll also need it at the end.

Reference: https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS

Cnchi Install:


You can use Cnchi to do most of the rest from here: run the Cnchi installer and, when you get to the point that asks "How would you like to proceed?", select "Choose exactly where Antergos should be installed."

The installer sees the decrypted LVM volumes you've set up and lists them above the regular partitions. You'll be able to treat the volumes like any other physical partition in Cnchi.

Now would be a good time to format them and give them mount points. At the very least, to proceed, you'll have to format and assign your root volume (/), your /boot partition, which (again) must be outside your LUKS partition, and, if you're on GPT, the /boot/efi partition (at the very beginning of the drive). You'll also have to specify the hard drive on which you want to install GRUB. In general it's good policy to keep all hard drives self-sufficient and install GRUB on the same drive as the OS you're running.

You can then run the installer as usual, but don't reboot at the end of the install.

Configure grub & mkinitcpio:


Once the installation is finished, 90% of the job is done, but you still won't be able to boot into your new OS. Since you installed Antergos on LVM volumes that you decrypted yourself, Cnchi does not know that they are encrypted: your initramfs will be missing the "encrypt" hook, and GRUB will need a few parameters added as well. You'll have to fix two config files and regenerate the initramfs and grub.cfg before rebooting the system.

First, go to /install/boot and make a copy of your kernel and grub.cfg files (they're probably not useful, but you might as well keep them in case you need to refer to grub.cfg). FYI, /install is where your future root volume (/) has been mounted by the Antergos installer. If you've rebooted and mounted the root volume somewhere else, just replace the "/install" in my instructions with the path you've used to mount the root volume. Be sure to mount the /boot and /boot/efi partitions within the root volume's mount path. The caveat about choosing USB vs. UEFI still applies at this point.

Edit /install/etc/mkinitcpio.conf, go down to the HOOKS line (it will look something like HOOKS="base udev ... lvm2 ...") and add the encrypt hook before the lvm2 one:

HOOKS="base udev ... encrypt lvm2 ..."

Edit /install/etc/default/grub. At the very beginning of the file, after this section:

GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=Antergos
GRUB_CMDLINE_LINUX_DEFAULT="quiet"

add this line:

GRUB_ENABLE_CRYPTODISK=y

Replace:

GRUB_CMDLINE_LINUX=""

with:

GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdXX:myCRYPTname:allow-discards root=/dev/mapper/MyVolumeGroupsName-myROOTvolume"

Remember the info I told you to note? You'll need it in the above line. Be aware that the sdXX location in cryptdevice=/dev/sdXX:... can vary depending on circumstances (see TROUBLESHOOTING1 at the end), so it would be a good idea to double-check it by running lsblk in a terminal and looking up the /dev/sdXX of your LUKS partition before filling out /install/etc/default/grub.

In the section that says:

# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos lvm"

add lvm to GRUB_PRELOAD_MODULES if it's not there already.
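Since a typo in either of these two files only shows up as a failed boot, here is a small check script I've added to this write-up (it is not part of the original tutorial, nor Antergos/Cnchi code). It reads /etc/default/grub and mkinitcpio.conf, confirms GRUB_ENABLE_CRYPTODISK, the cryptdevice= and root=/dev/mapper/ parameters, lvm in GRUB_PRELOAD_MODULES, and that encrypt sits before lvm2 (and after block, which encrypt depends on) in HOOKS. The sample files it runs on are constructed inline; on the real system you would point it at /install/etc/default/grub and /install/etc/mkinitcpio.conf.

```bash
#!/bin/bash
# Added example, not part of the original tutorial: sanity-check the two
# config edits before chrooting. File paths are arguments; the real ones
# live under the installer's /install mount point described in the text.

# Check /etc/default/grub. Prints each problem found; returns 0 if it looks right.
check_grub_defaults() {
    local f="$1" rc=0 cmdline preload
    if ! grep -q '^GRUB_ENABLE_CRYPTODISK=y' "$f"; then
        echo "$f: GRUB_ENABLE_CRYPTODISK=y is missing"; rc=1
    fi
    # Value between the quotes of GRUB_CMDLINE_LINUX (not the _DEFAULT one).
    cmdline=$(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$f")
    case "$cmdline" in
        *cryptdevice=*:*) ;;
        *) echo "$f: GRUB_CMDLINE_LINUX lacks cryptdevice=<partition>:<name>"; rc=1 ;;
    esac
    case "$cmdline" in
        *root=/dev/mapper/*-*) ;;
        *) echo "$f: GRUB_CMDLINE_LINUX lacks root=/dev/mapper/<VG>-<LV>"; rc=1 ;;
    esac
    # /dev/sdXX names can move between boots (TROUBLESHOOTING1): warn, don't fail.
    case "$cmdline" in
        *cryptdevice=/dev/sd*) echo "$f: note: cryptdevice uses /dev/sdXX, confirm it with lsblk before rebooting" ;;
    esac
    preload=$(sed -n 's/^GRUB_PRELOAD_MODULES="\(.*\)"$/\1/p' "$f")
    case " $preload " in
        *" lvm "*) ;;
        *) echo "$f: GRUB_PRELOAD_MODULES does not include lvm"; rc=1 ;;
    esac
    return "$rc"
}

# Check mkinitcpio.conf: encrypt must be present, before lvm2 and after block.
check_mkinitcpio_hooks() {
    local f="$1" rc=0 i=0 h pos_block=0 pos_encrypt=0 pos_lvm2=0 hooks
    # Accept both HOOKS="a b c" and the newer HOOKS=(a b c) form.
    hooks=$(sed -n 's/^HOOKS=//p' "$f" | tr -d '()"')
    for h in $hooks; do
        i=$((i + 1))
        case "$h" in
            block)   pos_block=$i ;;
            encrypt) pos_encrypt=$i ;;
            lvm2)    pos_lvm2=$i ;;
        esac
    done
    [ "$pos_encrypt" -gt 0 ] || { echo "$f: encrypt hook missing from HOOKS"; rc=1; }
    [ "$pos_lvm2" -gt 0 ]    || { echo "$f: lvm2 hook missing from HOOKS"; rc=1; }
    if [ "$pos_encrypt" -gt 0 ] && [ "$pos_lvm2" -gt 0 ] && [ "$pos_encrypt" -gt "$pos_lvm2" ]; then
        echo "$f: encrypt must come before lvm2 in HOOKS"; rc=1
    fi
    if [ "$pos_block" -gt 0 ] && [ "$pos_encrypt" -gt 0 ] && [ "$pos_block" -gt "$pos_encrypt" ]; then
        echo "$f: block must come before encrypt in HOOKS"; rc=1
    fi
    return "$rc"
}

# Demo on constructed copies of the two files (sample content, not a real system).
demo_dir=$(mktemp -d)
cat > "$demo_dir/grub" <<'EOF'
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=Antergos
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_ENABLE_CRYPTODISK=y
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdXX:myCRYPTname:allow-discards root=/dev/mapper/MyVolumeGroupsName-myROOTvolume"
GRUB_PRELOAD_MODULES="part_gpt part_msdos lvm"
EOF
cat > "$demo_dir/mkinitcpio.conf" <<'EOF'
HOOKS="base udev autodetect modconf block encrypt lvm2 filesystems keyboard fsck"
EOF
if check_grub_defaults "$demo_dir/grub" && check_mkinitcpio_hooks "$demo_dir/mkinitcpio.conf"; then
    echo "both config files look ready for mkinitcpio and grub-mkconfig"
fi
# On the real system:  check_grub_defaults /install/etc/default/grub
#                      check_mkinitcpio_hooks /install/etc/mkinitcpio.conf
rm -rf "$demo_dir"
```

The /dev/sdXX warning is deliberately only a note, since that is exactly what the tutorial tells you to use; the point is to remind you to run lsblk first. Keep in mind that grub-mkconfig rebuilds grub.cfg from /etc/default/grub, so a cryptdevice fix belongs in that file rather than only in grub.cfg.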

Regenerating the initramfs (kernel image):


Now that these two config files are corrected, we can regenerate grub.cfg and the initramfs image from inside a chroot. Go to a terminal and enter the following commands:

mount --bind /proc /install/proc
mount --bind /dev /install/dev
mount --bind /sys /install/sys
mkdir -p /install/run/lvm   # create the directory if it doesn't already exist
mount --bind /run/lvm /install/run/lvm
chroot /install

If for some reason that doesn't work, try:

/install/usr/bin/chroot /install

Once in the chroot:

ls /usr/lib/modules   # shows the kernel version installed on your root; it will differ from the one on your live USB and from the example below
mkinitcpio -g /boot/initramfs-linux.img -k 4.19.2-1-ARCH   # change the kernel version to the one you just found; you only want the main version directory, not the extramodules one

It needs to finish with no errors or warnings. If you get the following warning during the build: "bsdcpio: Failed to set default locale", enter:

locale
locale -a

If they output an error message, enter:

nano /etc/locale.gen    # uncomment the locale you want to install; Ctrl-O to save, Ctrl-X to exit
nano /etc/locale.conf   # make sure the locale you just selected in locale.gen is the one set in locale.conf
locale-gen              # compiles the newly selected locale(s)

Then redo the initramfs step above with your compiled locale.
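Reading the kernel version off the screen and retyping it is where I'd expect a typo, so here is a helper I've added to this write-up (not part of the original tutorial or of mkinitcpio itself). It picks the one real version directory out of /usr/lib/modules, ignoring the extramodules-* entries the text warns about, refuses to guess if there isn't exactly one, and prints the mkinitcpio command from it. The module tree it demonstrates on is constructed in a temp directory; inside the chroot you would call it with no argument.

```bash
#!/bin/bash
# Added example, not part of the original tutorial: find the installed kernel
# version inside the chroot automatically and build the mkinitcpio command
# from it, instead of copying the version off the screen by hand.

# Print the single kernel version directory found in a modules directory
# (default /usr/lib/modules). Arch keeps "extramodules-*" entries next to the
# real version directory, so only names starting with a digit count, and the
# function fails unless exactly one such directory exists.
pick_kernel_version() {
    local dir="${1:-/usr/lib/modules}" found="" n=0 entry name
    for entry in "$dir"/*/; do
        [ -d "$entry" ] || continue
        name=$(basename "$entry")
        case "$name" in
            [0-9]*) found=$name; n=$((n + 1)) ;;
        esac
    done
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one kernel version directory in $dir, found $n" >&2
        return 1
    fi
    printf '%s\n' "$found"
}

# Print (rather than run) the initramfs regeneration command for that kernel,
# in the form used in the tutorial; run the printed command only inside the chroot.
initramfs_command() {
    local ver
    ver=$(pick_kernel_version "$1") || return 1
    printf 'mkinitcpio -g /boot/initramfs-linux.img -k %s\n' "$ver"
}

# Demo on a constructed module tree (sample names, not a real system).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/4.19.2-1-ARCH" "$demo_dir/extramodules-4.19-ARCH"
initramfs_command "$demo_dir"   # prints: mkinitcpio -g /boot/initramfs-linux.img -k 4.19.2-1-ARCH
rm -rf "$demo_dir"
```

On Arch-based systems the equivalent shortcut is `mkinitcpio -p linux`, which reads the kernel version from the linux preset; the explicit -g/-k form above is the one the tutorial uses, and the helper just fills in the version.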
 

Regenerating grub.cfg:

grub-mkconfig -o /boot/grub/grub.cfg
 

TROUBLESHOOTING1: GRUB

ERROR: device '/dev/mapper/MyVolumeGroupsName-myROOTvolume' not found. Skipping fsck.
ERROR: Unable to find root device '/dev/mapper/MyVolumeGroupsName-myROOTvolume'
You are being dropped to a recovery shell etc... etc...

GRUB is telling you it can't find the LUKS partition or can't decrypt it. This could be for many different reasons (missing encrypt hook in the initramfs, mis-entered info when filling out /etc/default/grub), but the most common one I've found is that GRUB uses non-persistent naming (for example cryptdevice=/dev/sdd3:(...)) to locate the crypt partition instead of persistent naming (such as a UUID). See the full example below:
linux /vmlinuz-linux root=/dev/mapper/buckDOEkit-Antergos2015root rw cryptdevice=/dev/sdd3:buckDOEkit:allow-discards root=/dev/mapper/buckDOEkit-Antergos2015root GRUB_CMDLINE_LINUX_DEFAULT quiet splash

(You'll find this at the end of the encrypted Antergos menu entry.)

The problem with specifying cryptdevice=/dev/sdd3 instead of cryptdevice=UUID=sjfkdl-djdskj-sdjkdskjsd-sdjdskj etc. is that your disk will not always be at /dev/sdd3. This can change with something as simple as booting with a USB stick plugged into your PC, which is what happened to me. As soon as I unplugged my Antergos installation USB, the disk address of the LUKS partition went from /dev/sdd3 to /dev/sdc3. Booting the live USB as UEFI vs. USB will also influence device addressing. Adding or removing other drives will shift things around as well. I've tried modding grub.cfg with cryptdevice=UUID=(my luks UUID) but that doesn't seem to work.

There are a couple of ways of getting around this design flaw. Easiest: plug the disk containing (or that will contain) LUKS into SATA port 0 on the motherboard. You're better off doing this before installing Antergos, but you can do it afterwards as well; just correct the grub.cfg file accordingly. If you don't want to guess, boot with the live USB, use lsblk to verify the LUKS address and modify grub.cfg. If you don't want to go to the trouble and don't mind guessing, just hit E when you're in GRUB, temporarily modify cryptdevice=/dev/sdXX:(...) with your best guess and hit F10 to boot.

TROUBLESHOOTING2: GRUB

Error device name required...
Loading linux kernel...
Press any Key to continue
(and then it loads fine after that)

Running the grub-mkconfig script results in an out-of-context "cryptomount -u" being placed in each of the encrypted menu entries. This causes a confusing but harmless error message at the very beginning of boot. You can make the error message go away by deleting the bogus "cryptomount -u" line. You'll find it in the fifth or sixth line of every encrypted menu entry, for example:
menuentry 'Antergos Linux' --class antergos --class arch --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-c6fcdd0e-ddab-4381-bc40-b402ae96659e' {
    load_video
    set gfxpayload=keep
    insmod gzio
    insmod part_gpt
    insmod fat
    cryptomount -u        <<<==== BOGUS! DELETE! The real cryptomount -u entry is at the beginning of the grub.cfg file and not in the menu entries.
    set root='hd3,gpt2'
    (etc... etc...)
    echo 'Loading initial ramdisk ...'
    initrd /initramfs-linux.img
}
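Deleting that line by hand in every entry gets old quickly if grub.cfg has several kernels, so here is a filter I've added to this write-up (not part of the original tutorial or of GRUB). It removes only a bare "cryptomount -u" (no UUID argument) that sits inside a menuentry block and leaves the real one at the top of the file, which carries the LUKS UUID, untouched. It prints the cleaned file to stdout; the grub.cfg fragment it runs on is constructed inline, with a placeholder UUID.

```bash
#!/bin/bash
# Added example, not part of the original tutorial: drop the stray
# "cryptomount -u" lines that grub-mkconfig puts inside menu entries while
# keeping the real one near the top of grub.cfg. Takes a grub.cfg path and
# prints the cleaned file on stdout; nothing is written in place.
strip_bogus_cryptomount() {
    awk '
        # A menuentry line (possibly indented inside a submenu) opens a block.
        /^[[:space:]]*menuentry[[:space:]]/ { in_entry = 1 }
        # A line holding nothing but "cryptomount -u" inside an entry is the bogus one.
        in_entry && /^[[:space:]]*cryptomount[[:space:]]+-u[[:space:]]*$/ { next }
        # A bare closing brace ends the current block.
        /^[[:space:]]*}[[:space:]]*$/ { in_entry = 0 }
        { print }
    ' "$1"
}

# Demo on a constructed grub.cfg fragment (sample content; the UUID is a placeholder).
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
insmod cryptodisk
insmod luks
cryptomount -u 00000000000000000000000000000000
menuentry 'Antergos Linux' --class antergos --class os $menuentry_id_option 'gnulinux-simple-PLACEHOLDER' {
    load_video
    set gfxpayload=keep
    insmod gzio
    insmod part_gpt
    insmod fat
    cryptomount -u
    set root='hd3,gpt2'
    echo 'Loading initial ramdisk ...'
    initrd /initramfs-linux.img
}
EOF
strip_bogus_cryptomount "$demo_cfg"
rm -f "$demo_cfg"
```

To apply it, write the output to a new file (strip_bogus_cryptomount /boot/grub/grub.cfg > /boot/grub/grub.cfg.new), read it over, then move it into place. As with any manual edit of grub.cfg, the next grub-mkconfig run will put the stray lines back, so keep the filter around.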

IF IT REBOOTS AND GIVES YOU A PASSWORD PROMPT, PAT YOURSELVES ON THE BACK! YOU ARE DONE! YEEEEEEEHHHHAAAAWWWWWWW!
