Categories: Install
John McQuah
This outline of a CRUX installation for full-disk encryption started as an actual install log, with comments and revisions added later. There are many other possible ways to set up an encrypted disk. At every stage of the installation, you have a number of different options. It is easy to get overwhelmed by all the decisions involved.
Although it's possible to follow this outline in its entirety without any changes, I recommend that you study each individual step to understand how it applies to the threats you're trying to mitigate. For instance, if you're only worried about your decrypted SSH private keys appearing in plaintext on the swap partition, you might extract from this document the /etc/rc.d startup script that encrypts swap with a fresh random key on every boot, and the cryptsetup commands that initialize the swap partition. Read through the entire document to develop a sense of how all the pieces fit together, and then assemble the right combination for your use case.
Extra packages: cryptsetup to create the encrypted volumes, lvm2 and dracut so the initramfs can open them and activate the logical volumes at boot, lz4 if you choose that compression mode for the kernel, and syslinux for the EFI bootloader.
parted -s -a optimal /dev/sda \
    mklabel gpt \
    mkpart primary fat32 0% 500MiB \
    name 1 esp \
    set 1 esp on \
    mkpart primary 500MiB 4GiB \
    name 2 swap \
    mkpart primary 4GiB 100% \
    name 3 ENCRYPTED
mkfs.vfat /dev/sda1
cryptsetup -q -c aes-cbc-essiv:sha256 -d /dev/urandom create swap /dev/sda2
mkswap -f /dev/mapper/swap
swapon /dev/mapper/swap
cryptsetup luksFormat --type luks2 -c serpent-xts-plain64 -s 512 /dev/sda3
### For AES encryption, replace the last command with:
# cryptsetup luksFormat --type luks2 -c aes-cbc-essiv:sha256 /dev/sda3
##### The device node is now set up, but it needs a mapping to be usable as disk space
##### Replace 'ENCRYPTED' with whatever name you want
cryptsetup luksOpen /dev/sda3 ENCRYPTED
pvcreate /dev/mapper/ENCRYPTED
##### On the newly-mapped physical volume, create the desired logical volumes
vgcreate ENCRYPTED /dev/mapper/ENCRYPTED
lvcreate -L 30G ENCRYPTED -n root
lvcreate -L 4G ENCRYPTED -n var
lvcreate -L 50G ENCRYPTED -n usr
lvcreate -L 3G ENCRYPTED -n opt
lvcreate -l 100%FREE ENCRYPTED -n home
##### Format each logical volume with the desired filesystem
##### ("flash-friendly" FS works well with the encryption overhead, but btrfs or ext4 are also possible)
mkfs.f2fs /dev/mapper/ENCRYPTED-root
mkfs.f2fs /dev/mapper/ENCRYPTED-var
mkfs.f2fs /dev/mapper/ENCRYPTED-usr
mkfs.f2fs /dev/mapper/ENCRYPTED-opt
mkfs.f2fs /dev/mapper/ENCRYPTED-home
##### Mount the root FS where the CRUX installer expects it
mount /dev/mapper/ENCRYPTED-root /mnt
##### Do the same for any partitions that will be written to during CRUX installation
mkdir /mnt/{var,usr,opt,home,boot}
mount /dev/mapper/ENCRYPTED-var /mnt/var
mount /dev/mapper/ENCRYPTED-usr /mnt/usr
mount /dev/mapper/ENCRYPTED-opt /mnt/opt
mount /dev/mapper/ENCRYPTED-home /mnt/home
mount /dev/sda1 /mnt/boot
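Before moving on to the CRUX installer it is worth confirming that the LUKS2 header on /dev/sda3 really carries the cipher and key size you asked for in luksFormat, rather than a default that slipped in from a typo. The script below is an added example, not part of this wiki page: it parses `cryptsetup luksDump` output with awk and reports whether the header is LUKS2, whether every data segment uses the expected cipher, and whether every keyslot holds a key of the expected size derived with argon2id. The embedded dump is a constructed sample in the layout cryptsetup 2.x prints (the UUID is a placeholder and the salts are redacted); on a real system you would pipe `cryptsetup luksDump /dev/sda3` into `luks_header_ok` instead.

```shell
#!/bin/sh
# Added example, not part of the CRUX wiki page: audit a LUKS2 header to
# confirm the cipher, key size and PBKDF that luksFormat was asked for.
# On a live system feed it the real header:
#     cryptsetup luksDump /dev/sda3 | luks_header_ok serpent-xts-plain64 512
# Here a constructed luksDump is embedded so the check runs offline.

# luks_header_ok WANT_CIPHER WANT_KEY_BITS < luksDump-output
# Exit 0 only when the header is LUKS2, every data segment uses WANT_CIPHER,
# and every keyslot holds a WANT_KEY_BITS key derived with argon2id.
luks_header_ok() {
    awk -v want_cipher="$1" -v want_bits="$2" '
        /^Version:/                 { version = $2 }
        /^Data segments:/           { section = "seg" }
        /^Keyslots:/                { section = "slot" }
        /^Tokens:/ || /^Digests:/   { section = "other" }
        section == "seg"  && /^[[:space:]]*cipher:/ { segs++;  if ($2 != want_cipher) bad++ }
        section == "slot" && /^[[:space:]]*Key:/    { slots++; if ($2 != want_bits)   bad++ }
        section == "slot" && /^[[:space:]]*PBKDF:/  {          if ($2 != "argon2id")  bad++ }
        END {
            if (version == "2" && segs > 0 && slots > 0 && bad == 0) exit 0
            exit 1
        }'
}

# Constructed luksDump output for a device formatted as in the wiki
# (--type luks2 -c serpent-xts-plain64 -s 512). UUID is a placeholder.
sample_dump() {
    cat <<'EOF'
LUKS header information
Version:        2
Epoch:          3
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]
UUID:           00000000-0000-0000-0000-000000000000
Label:          (no label)
Subsystem:      (no subsystem)
Flags:          (no flags)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: serpent-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     serpent-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
        Threads:    4
        Salt:       (redacted)
        AF stripes: 4000
        AF hash:    sha256
        Area offset:32768 [bytes]
        Area length:258048 [bytes]
        Digest ID:  0
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 100000
        Salt:       (redacted)
        Digest:     (redacted)
EOF
}

# Named checks so each verdict is available as an exit status.
check_sample_serpent() { sample_dump | luks_header_ok serpent-xts-plain64 512; }
# Wrong cipher for this header: must fail.
check_sample_aes()     { sample_dump | luks_header_ok aes-cbc-essiv:sha256 512; }
# Same header with the keyslot PBKDF downgraded to pbkdf2: must fail.
check_sample_pbkdf2()  { sample_dump | sed 's/argon2id/pbkdf2/' | luks_header_ok serpent-xts-plain64 512; }

if check_sample_serpent; then
    echo "header matches serpent-xts-plain64 with a 512-bit key (argon2id)"
else
    echo "header does NOT match the requested parameters"
fi
```

If you took the AES alternative from the comment above, call `luks_header_ok aes-cbc-essiv:sha256 256` instead, since luksFormat's default key size for that cipher is 256 bits.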
setup # Remember to select the extra packages (cryptsetup lvm2 syslinux dracut lz4)
setup-chroot
passwd
localedef -i en_US -f UTF-8 en_US.UTF-8
cat <<EOF > /etc/fstab
/dev/mapper/ENCRYPTED-root / f2fs defaults 0 0
#/dev/mapper/swap swap swap defaults 0 0
/dev/sda1 /boot vfat defaults 0 0
/dev/mapper/ENCRYPTED-var /var f2fs defaults 0 0
/dev/mapper/ENCRYPTED-usr /usr f2fs defaults 0 0
/dev/mapper/ENCRYPTED-opt /opt f2fs defaults 0 0
/dev/mapper/ENCRYPTED-home /home f2fs defaults 0 0
EOF
##### Now write a custom initscript to create an encrypted swap partition with
##### a fresh random key on each boot (the heredoc delimiter is quoted so that
##### $1 and the ${...} variables are written literally instead of being expanded now)
cat <<'EOF' > /etc/rc.d/swap
#!/bin/sh
# /etc/rc.d/swap: encrypted swap with a throwaway key read from /dev/urandom
PROG="/usr/sbin/cryptsetup"
SWAP="swap"
CIPH="aes-cbc-essiv:sha256"
PART="/dev/sda2"
case $1 in
start)
    if [ -e /dev/mapper/${SWAP} ] ; then
        # Mapping already exists: enable it unless swap is active already
        if swapon --show | grep -qs partition ; then
            exit 0
        else
            swapon /dev/mapper/${SWAP}
            exit 0
        fi
    else
        ${PROG} -q -c ${CIPH} -d /dev/urandom create ${SWAP} ${PART}
        mkswap -f /dev/mapper/${SWAP}
        swapon /dev/mapper/${SWAP}
        exit 0
    fi
    ;;
stop)
    swapoff -a
    sleep 1
    ${PROG} close /dev/mapper/${SWAP}
    ;;
status)
    swapon --show
    ;;
*)
    echo "usage: $0 [start|stop|status]"
    ;;
esac
EOF
##### Make the above initscript executable, and add it to the SERVICES array
chmod +x /etc/rc.d/swap
vi /etc/rc.conf
SERVICES=(swap lo net crond)
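Once the machine is up, the thing to verify is that swap is actually going through the dm-crypt mapping and not through the raw partition (for example because someone ran `swapon /dev/sda2` by hand or re-enabled the commented-out fstab line), and that the mapping uses the cipher and key size the initscript was configured with. The script below is an added example, not part of this wiki page: it checks constructed copies of `lsblk -rno NAME,TYPE,MOUNTPOINT` and `dmsetup table swap` output, so it runs offline; on a real system you would feed it the live output of those two commands. The device names, major:minor numbers and the masked key are constructed values. Note that a key that is discarded on every boot also rules out resuming from hibernation, which is the trade-off this design makes.

```shell
#!/bin/sh
# Added example, not part of the CRUX wiki page: verify after boot that swap
# really lives on a dm-crypt mapping with the cipher /etc/rc.d/swap was
# configured with, and not on a plain partition.
# On a live system the inputs come from:
#     lsblk -rno NAME,TYPE,MOUNTPOINT      (one block device per line)
#     dmsetup table swap                   (the mapping's crypt target line)
# Constructed copies of both are embedded below so the check runs offline.

# swap_on_crypt LSBLK_OUTPUT: exit 0 if at least one device is in use as
# swap and every such device is a dm-crypt mapping (TYPE == crypt).
swap_on_crypt() {
    printf '%s\n' "$1" | awk '
        $3 == "[SWAP]" { swaps++; if ($2 != "crypt") plain++ }
        END { if (swaps > 0 && plain == 0) exit 0; exit 1 }'
}

# crypt_table_ok TABLE_LINE WANT_CIPHER MIN_KEY_BITS: exit 0 if the dm table
# line is a crypt target using WANT_CIPHER with a key of at least MIN_KEY_BITS.
# Fields: start length target cipher key(hex) iv_offset device offset.
# dmsetup masks the key with zeros, but its hex length still gives the size.
crypt_table_ok() {
    printf '%s\n' "$1" | awk -v want="$2" -v bits="$3" '
        NR == 1 && $3 == "crypt" && $4 == want && length($5) * 4 >= bits { ok = 1 }
        END { if (ok) exit 0; exit 1 }'
}

# Constructed lsblk output for the wiki layout: sda1 is the ESP, sda2 is the
# raw swap partition (no mountpoint: it is only reachable through the mapping),
# and "swap" is the dm-crypt mapping created by /etc/rc.d/swap.
LSBLK_GOOD='sda disk
sda1 part /boot
sda2 part
swap crypt [SWAP]
sda3 part
ENCRYPTED crypt
ENCRYPTED-root lvm /
ENCRYPTED-home lvm /home'

# Constructed failure case: "swapon /dev/sda2" was run directly, so pages
# would be written to the partition in the clear.
LSBLK_PLAIN='sda disk
sda1 part /boot
sda2 part [SWAP]
sda3 part
ENCRYPTED crypt'

# Constructed "dmsetup table swap" line: 256-bit key (64 hex digits, masked)
# for aes-cbc-essiv:sha256 on /dev/sda2 (major:minor 8:2).
TABLE_SWAP='0 7340032 crypt aes-cbc-essiv:sha256 0000000000000000000000000000000000000000000000000000000000000000 0 8:2 0'

# audit_swap LSBLK_OUTPUT TABLE_LINE: both conditions must hold.
audit_swap() {
    swap_on_crypt "$1" && crypt_table_ok "$2" aes-cbc-essiv:sha256 256
}

audit_good()  { audit_swap "$LSBLK_GOOD"  "$TABLE_SWAP"; }
audit_plain() { audit_swap "$LSBLK_PLAIN" "$TABLE_SWAP"; }

if audit_good; then echo "swap is on an encrypted mapping with the expected cipher"; fi
if audit_plain; then :; else echo "plain-partition swap detected in the failure sample"; fi
```

The `swapon --show | grep -qs partition` test inside the initscript only tells you that some swap is active; the lsblk check above is what distinguishes the mapping from the raw partition underneath it.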
##### Continue configuring the network and building the kernel
vi /etc/rc.d/net
##### Tell dracut to include the crypt and lvm modules in the initramfs; this line goes in /etc/dracut.conf.d/modules.conf
vi /etc/dracut.conf.d/modules.conf
add_dracutmodules+=" crypt lvm "
cd /usr/src/linux-5.15.55
make menuconfig
make all && make modules_install
##### Install the kernel, syslinux bootloader, and initramfs
##### The EFI partition is mounted at /boot in this example (see /etc/fstab above),
##### so the syslinux directory sits directly under it and the efibootmgr path is \syslinux
mkdir -p /boot/syslinux
cp arch/x86/boot/bzImage /boot/syslinux/vmlinuz-5.15.55
cp System.map /boot/syslinux/System.map-5.15.55
cp .config /boot/syslinux/config-5.15.55
dracut --kver 5.15.55 /boot/syslinux/initramfs-5.15.55.img
cp /usr/share/syslinux/efi64/syslinux.efi /boot/syslinux
cp /usr/share/syslinux/efi64/ldlinux.e64 /boot/syslinux
efibootmgr -c -d /dev/sda -L 'SYSLINUX' -l '\syslinux\syslinux.efi'
cat <<EOF > /boot/syslinux/syslinux.cfg
PROMPT 1
TIMEOUT 10
DEFAULT CRUX-3.7
LABEL CRUX-3.7
    LINUX vmlinuz-5.15.55
    APPEND root=/dev/mapper/ENCRYPTED-root rw rd.auto=1
    INITRD initramfs-5.15.55.img
EOF
Reboot, and enjoy your new CRUX installation!