These are my notes for setting up an encrypted LVM-on-LUKS container for my Linux installs. Each install currently needs an unencrypted EFI (/boot/efi) and boot partition (/boot) outside of the encrypted container. Normally, I boot to the install media and use the terminal to open the encrypted container and set all logical volumes active. I then do the install but do not reboot, mount the new install after the installation has finished, and make sure the /etc/crypttab is set up properly. If not, I set it up and then reboot into the new system.
Comments in the code below use the // style prefix so that there is no confusion with the standard # type comments since # is also the default root prompt.
// secure erase standard ssd drive
hdparm -I /dev/sdX | grep frozen // must report "not frozen", otherwise the security-set-pass below is rejected
hdparm --user-master u --security-set-pass p /dev/sdX
hdparm -I /dev/sdX // re-check: the Security section must now show "enabled" and "supported" before erasing
hdparm --user-master u --security-erase-enhanced p /dev/sdX
// secure wipe nvme ssd
{to be added later}
// secure wipe hdd
{to be added later}
// create LUKS container
// use blkid to get the UUID of the new partition to be set up as LUKS (luksFormat overwrites whatever is on it, so confirm the UUID points at the intended device)
cryptsetup luksFormat --hash=sha512 --key-size=512 --cipher=aes-xts-plain64 --verify-passphrase /dev/disk/by-uuid/UUID
cryptsetup luksUUID /dev/disk/by-uuid/UUID // prints the LUKS UUID used in the crypttab entries below
cryptsetup luksOpen /dev/disk/by-uuid/UUID name_crypt
// create LVM volumes on LUKS container
pvcreate /dev/mapper/name_crypt
vgcreate lnx /dev/mapper/name_crypt
lvcreate -n os_name -L 64G lnx
lvcreate -n home -L 32G lnx // if desired
lvcreate -n swap -L 8G lnx
vgchange -ay
// install distro on existing LVM on LUKS
cryptsetup luksOpen /dev/disk/by-uuid/UUID name_crypt
// manually create logical volumes as above using lvcreate
// activate using vgchange -ay
// install as normal but do not reboot
// check or create the crypttab
mount /dev/mapper/xxx /mnt // new root (xxx is the vg-lv mapping name, e.g. lnx-os_name from above)
mount /dev/disk/by-uuid/boot-uuid /mnt/boot // new boot
mount /dev/disk/by-uuid/efi-uuid /mnt/boot/efi // efi
mount --bind /dev /mnt/dev
mount --bind /proc /mnt/proc // or mount -t proc proc /mnt/proc
mount --bind /sys /mnt/sys // or mount -t sysfs sysfs /mnt/sys
// optionally also mount -t devpts devpts /mnt/dev/pts (a plain --bind of /dev does not carry the /dev/pts submount)
chroot /mnt
vi /etc/crypttab
name_crypt UUID=UUID none
// or, naming the mapping after the LUKS UUID:
luks-33ce7397-e5cd-400c-b4c8-5406ddabcec9 UUID=33ce7397-e5cd-400c-b4c8-5406ddabcec9 none
dracut -v -f // or update-initramfs -u (update-initramfs -c -t -k all rebuilds for every installed kernel)
update-grub
// auto-unlock other LUKS containers using a keyfile; the keyfile lives on the encrypted root, so keep it out of /boot and the initramfs, which are unencrypted
mkdir -p /etc/keys
chmod 0400 /etc/keys // note: a directory without the execute bit cannot be traversed by non-root users; root still gets in via CAP_DAC_OVERRIDE, 0700 is the conventional mode for a key directory
dd if=/dev/urandom of=/etc/keys/name_crypt bs=1024 count=4
chmod 0400 /etc/keys/name_crypt
cryptsetup luksAddKey /dev/disk/by-uuid/name-uuid /etc/keys/name_crypt // prompts for an existing passphrase; the keyfile is added as an extra key slot, the passphrase still works
vi /etc/crypttab
add: name_crypt /dev/disk/by-uuid/name-uuid /etc/keys/name_crypt luks
vi /etc/fstab
add: /dev/mapper/name_crypt /mnt/point auto user,exec,defaults 0 0 // "user" lets a non-root user mount it and implies nosuid,nodev,noexec; the following "exec" re-enables executables, so drop it unless this volume needs them
reboot
// rename encrypted mapping name
dmsetup rename OLDNAME NEWNAME
// then update /etc/crypttab so the first field matches NEWNAME
dracut -v -f or update-initramfs -u
update-grub
reboot