

Installing CRUX 3.7 with Full-disk Encryption

Author

John McQuah

Description

This outline of a CRUX installation for full-disk encryption started as an actual install log, with comments and revisions added later. There are many other possible ways to set up an encrypted disk. At every stage of the installation, you have a number of different options. It is easy to get overwhelmed by all the decisions involved.

Although it's possible to follow this outline in its entirety without any changes, I recommend that you study each individual step to understand how it applies to the threats you're trying to mitigate. For instance, if you're only worried about your decrypted SSH private keys appearing in plaintext on the swap partition, you might extract from this document the /etc/rc.d startup script that encrypts swap with a fresh random key on every boot, and the cryptsetup commands that initialize the swap partition. Read through the entire document to develop a sense of how all the pieces fit together, and then assemble the right combination for your use case.

Instructions

Extra packages: lz4 if you choose this compression mode for the kernel, dracut and lvm2 to access the logical volumes when booting, cryptsetup to create the encrypted volumes, and syslinux for the bootloader.

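##### Partition the disk (GPT): a 500 MiB EFI System Partition, a 3.5 GiB swap
##### partition, and the remainder for the LUKS container. parted -s rewrites
##### the partition table without asking, so confirm with lsblk that /dev/sda is
##### the intended disk before running this.
parted -s -a optimal /dev/sda         \
       mklabel gpt                    \
       mkpart primary fat32 0% 500MiB \
       name 1 esp                     \
       set 1 esp on                   \
       mkpart primary 500MiB 4GiB     \
       name 2 swap                    \
       mkpart primary 4GiB 100%       \
       name 3 ENCRYPTED

##### Format the ESP. Force FAT32: mkfs.vfat may choose FAT16 for a partition
##### this small, and some UEFI firmware only reads FAT32 system partitions.
mkfs.vfat -F 32 /dev/sda1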

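##### Encrypted swap with a throw-away key read from /dev/urandom (plain dm-crypt,
##### no LUKS header). aes-xts-plain64 is the mode cryptsetup itself defaults to
##### for LUKS; the plain-mode default aes-cbc-essiv:sha256 is only kept for
##### compatibility with old setups. With -s 512 the key is split into two
##### 256-bit AES keys as XTS requires.
##### The /etc/rc.d/swap script written later repeats this on every boot, so
##### nothing written to swap survives a reboot -- which also means
##### suspend-to-disk (hibernation) cannot resume from this swap.
cryptsetup -q -c aes-xts-plain64 -s 512 -d /dev/urandom create swap /dev/sda2
mkswap -f /dev/mapper/swap
swapon  /dev/mapper/swap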

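##### Create the LUKS2 container that will hold everything except /boot and swap.
##### luksFormat asks for the passphrase twice; it is the only thing protecting
##### the data, so choose it accordingly. Serpent has no hardware acceleration;
##### on CPUs with AES-NI, AES is much faster for comparable security.
cryptsetup luksFormat --type luks2 -c serpent-xts-plain64 -s 512 /dev/sda3

### For AES encryption, replace the last command with the line below.
### aes-xts-plain64 is cryptsetup's default, so -c could be omitted; the older
### aes-cbc-essiv:sha256 mode is best avoided for a new installation.
# cryptsetup luksFormat --type luks2 -c aes-xts-plain64 -s 512 /dev/sda3

### The LUKS header on /dev/sda3 is the only copy of the key material: if it is
### overwritten or damaged the data is unrecoverable. Keep a backup of it on
### removable media, never on this disk (adjust the path):
# cryptsetup luksHeaderBackup /dev/sda3 --header-backup-file /path/to/removable/sda3-luks-header.img

##### The device node is now set up, but it needs a mapping to be usable as disk space
##### Replace 'ENCRYPTED' with whatever name you want
cryptsetup luksOpen /dev/sda3 ENCRYPTED
pvcreate /dev/mapper/ENCRYPTED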

##### On the newly-mapped physical volume, create the desired logical volumes
vgcreate ENCRYPTED /dev/mapper/ENCRYPTED

##### Fixed-size volumes first (name:size); home gets whatever space is left
for spec in root:30G var:4G usr:50G opt:3G; do
  lvcreate -L "${spec#*:}" ENCRYPTED -n "${spec%%:*}"
done
lvcreate -l 100%FREE ENCRYPTED -n home

##### Format each logical volume with the desired filesystem
##### ("flash-friendly" FS works well with the encryption overhead, but btrfs or ext4 are also possible)
for lv in root var usr opt home; do
  mkfs.f2fs "/dev/mapper/ENCRYPTED-${lv}"
done

##### Mount the root FS where the CRUX installer expects it
mount /dev/mapper/ENCRYPTED-root  /mnt

##### Do the same for any partitions that will be written to during CRUX installation
mkdir /mnt/{var,usr,opt,home,boot}

for lv in var usr opt home; do
  mount "/dev/mapper/ENCRYPTED-${lv}" "/mnt/${lv}"
done
mount /dev/sda1 /mnt/boot

##### Run the installer; select the extra packages (cryptsetup lvm2 syslinux dracut lz4)
setup

##### Enter the new system, set the root password and generate the locale
setup-chroot
passwd
localedef -i en_US -f UTF-8 en_US.UTF-8

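##### /etc/fstab for the new system. The delimiter is quoted so that nothing in
##### the heredoc can be expanded by the shell that writes it.
cat <<'EOF' > /etc/fstab
# <device>                  <mount> <type> <options> <dump> <pass>
/dev/mapper/ENCRYPTED-root  /      f2fs defaults 0 0
# swap is deliberately not listed: /etc/rc.d/swap re-creates the mapping with a
# fresh random key on every boot and runs swapon itself.
#/dev/mapper/swap            swap   swap defaults 0 0
# /dev/sdX names can change between boots; UUID=<value from blkid /dev/sda1> is safer.
/dev/sda1                   /boot  vfat defaults 0 0
/dev/mapper/ENCRYPTED-var   /var   f2fs defaults 0 0
/dev/mapper/ENCRYPTED-usr   /usr   f2fs defaults 0 0
/dev/mapper/ENCRYPTED-opt   /opt   f2fs defaults 0 0
/dev/mapper/ENCRYPTED-home  /home  f2fs defaults 0 0
EOF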

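##### Now write a custom initscript to create an encrypted swap partition with
##### a fresh random key on each boot.
##### The delimiter MUST be quoted: with a bare EOF the shell writing this file
##### expands $1, ${PROG}, ${CIPH}, ... to empty strings and the resulting script
##### is broken ("case  in", "-q -c  -d ..."). The script text also has to start
##### at column 0 so that the #! line is a real shebang.
cat <<'EOF' > /etc/rc.d/swap
#!/bin/sh
#
# /etc/rc.d/swap: encrypted swap with a throw-away key
#
# The key is read from /dev/urandom and never stored, so swap contents cannot be
# recovered after a reboot (and hibernation/resume through this swap is not
# possible).

PROG="/usr/sbin/cryptsetup"
SWAP="swap"
CIPH="aes-xts-plain64"
KEYSZ="512"
# Address the partition by its GPT label (set with 'parted ... name 2 swap'),
# not by /dev/sdX: device enumeration can change between boots, and the start
# action below overwrites whatever $PART points at with a random-key mapping.
PART="/dev/disk/by-partlabel/swap"

case "$1" in
start)
  if [ -e "/dev/mapper/${SWAP}" ]; then
    # mapping already exists (e.g. start run twice): only activate it if needed
    if swapon --show | grep -qs partition; then
      exit 0
    fi
    swapon "/dev/mapper/${SWAP}"
    exit 0
  fi
  if [ ! -b "${PART}" ]; then
    echo "swap: ${PART} not found, not initialising swap" >&2
    exit 1
  fi
  "${PROG}" -q -c "${CIPH}" -s "${KEYSZ}" -d /dev/urandom create "${SWAP}" "${PART}" || exit 1
  mkswap -f "/dev/mapper/${SWAP}" || exit 1
  swapon "/dev/mapper/${SWAP}"
  ;;
stop)
  swapoff -a
  sleep 1
  "${PROG}" close "/dev/mapper/${SWAP}"
  ;;
status)
  swapon --show
  ;;
*)
  echo "usage: $0 [start|stop|status]"
  ;;
esac
EOF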

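##### Make the above initscript executable, and add it to the SERVICES array
chmod +x /etc/rc.d/swap

##### 'swap' goes first so the encrypted swap is up before the other services
vi /etc/rc.conf

  SERVICES=(swap lo net crond)

##### Continue configuring the network and building the kernel
vi /etc/rc.d/net

##### Tell dracut to put LUKS and LVM support into the initramfs; without these
##### modules the root volume cannot be unlocked at boot
vi /etc/dracut.conf.d/modules.conf

  add_dracutmodules+=" crypt lvm "

##### Build the kernel. Besides the drivers for your hardware, the config needs
##### device-mapper and dm-crypt (CONFIG_BLK_DEV_DM, CONFIG_DM_CRYPT), the
##### ciphers chosen above (CONFIG_CRYPTO_SERPENT and/or CONFIG_CRYPTO_AES,
##### CONFIG_CRYPTO_XTS, CONFIG_CRYPTO_SHA256; CONFIG_CRYPTO_ESSIV if you kept a
##### cbc-essiv mode) and the root filesystem (CONFIG_F2FS_FS). Built-in or
##### module both work, since dracut copies the modules into the initramfs.
cd /usr/src/linux-5.15.55
make menuconfig
make all && make modules_install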

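##### Install the kernel, syslinux bootloader, and initramfs.
##### The ESP (/dev/sda1) is mounted at /boot (see /etc/fstab), so everything
##### placed under /boot/efi/syslinux lands at \efi\syslinux on the ESP; the
##### efibootmgr loader path has to match that location.
##### Note that kernel, initramfs and bootloader live unencrypted on the ESP and
##### nothing here checks their integrity at boot: the disk encryption protects
##### the data on /dev/sda3, not the boot chain.
KVER=5.15.55
SRC=/usr/src/linux-${KVER}

mkdir -p /boot/efi/syslinux
cp "${SRC}/arch/x86/boot/bzImage" "/boot/efi/syslinux/vmlinuz-${KVER}"
cp "${SRC}/System.map"            "/boot/efi/syslinux/System.map-${KVER}"
cp "${SRC}/.config"               "/boot/efi/syslinux/config-${KVER}"

dracut --kver "${KVER}" "/boot/efi/syslinux/initramfs-${KVER}.img"

cp /usr/share/syslinux/efi64/syslinux.efi /boot/efi/syslinux
cp /usr/share/syslinux/efi64/ldlinux.e64  /boot/efi/syslinux
efibootmgr -c -d /dev/sda -p 1 -L 'SYSLINUX' -l '\efi\syslinux\syslinux.efi'

##### syslinux resolves the LINUX/INITRD names relative to its own directory.
##### TIMEOUT is in tenths of a second. rd.auto=1 lets dracut find and unlock
##### the LUKS volume and activate the LVM volume group; the passphrase is
##### requested on the console during early boot.
cat <<EOF > /boot/efi/syslinux/syslinux.cfg
PROMPT  1
TIMEOUT 10
DEFAULT CRUX-3.7

    LABEL CRUX-3.7
    LINUX  vmlinuz-${KVER}
    APPEND root=/dev/mapper/ENCRYPTED-root rw rd.auto=1
    INITRD initramfs-${KVER}.img

EOF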

Reboot, and enjoy your new CRUX installation!