These are my notes for setting up an encrypted LVM-on-LUKS container for my Linux installs. Each install currently needs an unencrypted EFI (/boot/efi) and boot partition (/boot) outside of the encrypted container. Normally, I boot to the install media and use the terminal to open the encrypted container and set all logical volumes active. I then do the install but do not reboot, mount the new install after the installation has finished, and make sure the /etc/crypttab is set up properly. If not, I set it up and then reboot into the new system.

Comments in the code below use the // style prefix so that there is no confusion with the standard # type comments since # is also the default root prompt.

// secure erase standard ssd drive

    hdparm -I /dev/sdX | grep frozen
    hdparm --user-master u --security-set-pass p /dev/sdX
    hdparm -I /dev/sda (security enabled and supported:)
    hdparm --user-master u --security-erase-enhanced p /dev/sdX

// secure wipe nvme ssd
    {to be added later}

// secure wipe hdd
    {to be added later}
// create LUKS container 

    // use blkid to get the UUID of the new partition to be set up as LUKS 
    cryptsetup luksFormat --hash=sha512 --key-size=512 --cipher=aes-xts-plain64 --verify-passphrase /dev/disk/by-uuid/UUID
    cryptsetup luksUUID /dev/disk/by-uuid/UUID  -- to get the LUKS UUID for crypttab
    cryptsetup luksOpen /dev/disk/by-uuid/UUID name_crypt 

// create LVM volumes on LUKS container 

    pvcreate /dev/mapper/name_crypt 
    vgcreate lnx /dev/mapper/name_crypt 
    lvcreate -n os_name -L 64G lnx 
    lvcreate -n home -L 32G lnx  // if desired
    lvcreate -n swap -L 8G lnx
    vgchange -ay

// install distro on existing LVM on LUKS

    cryptsetup luksOpen /dev/disk/by-uuid/UUID name_crypt
    // manually create logical volumes as above using lvcreate
    // activate using vgchange -ay
    // install as normal but do not reboot
    // check or create the crypttab
        mount new root: mount /dev/mapper/xxx /mnt
        mount new boot: mount /dev/disk/by-uuid/boot-uuid /mnt/boot
        mount efi: mount /dev/disk/by-uuid/efi-uuid /mnt/boot/efi
        mount --bind /dev /mnt/dev
        mount --bind /proc /mnt/proc // or mount -t proc proc /mnt/proc
        mount --bind /sys /mnt/sys // or mount -t sysfs sysfs /sys
        // can mount -t devpts devpts /dev/pts
        chroot /mnt
        vi /etc/crypttab
            name_crypt UUID=UUID none
            luks-33ce7397-e5cd-400c-b4c8-5406ddabcec9 UUID=33ce7397-e5cd-400c-b4c8-5406ddabcec9 none
        dracut -v -f or update-initramfs -u (update-initramfs -c -t -k all)
// auto-unlock other LUKS containers using a keyfile

    mkdir -p /etc/keys
    chmod 0400 /etc/keys
    dd if=/dev/urandom of=/etc/keys/name_crypt bs=1024 count=4
    chmod 0400 /etc/keys/name_crypt
    cryptsetup luksAddKey /dev/disk/by-uuid/name-uuid /etc/keys/name_crypt
    vi /etc/crypttab
        add: name_crypt /dev/disk/by-uuid/name-uuid /etc/keys/name_crypt luks
    vi /etc/fstab
        add: /dev/mapper/name_crypt /mnt/point auto user,exec,defaults 0 0
# rename encrypted mapping name
    dmsetup rename OLDNAME NEWNAME
    update /etc/crypttab
    dracut -v -f or update-initramfs -u

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s