Skip to content

Instantly share code, notes, and snippets.

@bsantraigi

bsantraigi/Encrypted_Linux_Setup.md

Last active July 28, 2024 05:20
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save bsantraigi/17b2d3d033d80868472a20eab5ac0117 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save bsantraigi/17b2d3d033d80868472a20eab5ac0117 to your computer and use it in GitHub Desktop.
Download ZIP
LVM on LUKs | Linux Installation with Full Encryption | Any Distro
Raw
Encrypted_Linux_Setup.md

LVM on LUKS installation process

Shortlink: https://tinyurl.com/lvm-luks

  • Custom partitioning, full system encryption, LVM on LUKS, and booting with GRUB2.
  • Common instruction for all distributions.

Format and partition your disk

Target Installation Disk: /dev/sda (yours may be different)

First, go to gparted and create a new GPT partition table. Then, create the following partitions:

  1. EFI partition (512MB) -- /dev/sda1
  2. Boot partition (1.5GB) -- /dev/sda2
  3. Extended partition (remaining space) --- this will be the LUKS container -- /dev/sda3

The from terminal, run the following commands:

cryptsetup luksFormat /dev/sda3
cryptsetup open /dev/sda3 cryptlvm

Create LVM volumes

pvcreate /dev/mapper/cryptlvm
vgcreate SysVG /dev/mapper/cryptlvm
lvcreate -L 16G SysVG -n swap
lvcreate -l 150G SysVG -n root
lvcreate -l 100%FREE SysVG -n home
# Optionally, create a data volume if you have a large disk
# lvcreate -l 100%FREE SysVG -n data
# Reduce 512MB from the final partition to be able to run fsck
lvresize -L -512M /dev/SysVG/home

Format the partitions

mkfs.fat -F32 /dev/sda1
mkfs.ext4 /dev/sda2
mkfs.ext4 /dev/SysVG/root
mkfs.ext4 /dev/SysVG/home
mkswap /dev/SysVG/swap

Mount the partitions

mount /dev/SysVG/root /mnt
mount /dev/sda2 /mnt/boot
mount /dev/sda1 /mnt/boot/efi

Installation

Follow your distribution's installation process. You can use either the graphical or the terminal-based installer. When you reach the partitioning step, select the following:

  • EFI partition: /dev/sda1 -- mount point: /boot/efi
  • Boot partition: /dev/sda2 -- mount point: /boot
  • Root partition: /dev/mapper/SysVG-root -- mount point: /
  • Swap partition: /dev/mapper/SysVG-swap -- mount point: swap
  • Home partition: /dev/mapper/SysVG-home -- mount point: /home

Post-installation

GRUB2

chroot into the system:

for i in /dev /dev/pts /proc /sys /run; do mount -B $i /mnt$i; done
chroot /mnt

OR

arch-chroot /mnt

Install LVM and LUKS tools:

apt update
apt install lvm2 cryptsetup
# pacman -S lvm2 cryptsetup

Generate crypttab:

echo "cryptlvm UUID=$(blkid -s UUID -o value /dev/sda3) none luks" > /etc/crypttab

Configure GRUB for LUKS:

echo "GRUB_ENABLE_CRYPTODISK=y" >> /etc/default/grub

# Add the following to /etc/default/grub
GRUB_CMDLINE_LINUX="cryptdevice=UUID=$(blkid -s UUID -o value /dev/sda3):cryptlvm root=/dev/SysVG/root"

GRUB installation:

grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB
# If above fails during installation/repair, you might need to manually create the directory or path /boot/EFI.

Update GRUB:

grub-mkconfig -o /boot/grub/grub.cfg

Initramfs

update-initramfs -u
# or 
mkinitcpio -p linux # for Arch

Unmount all partitions and reboot

sudo umount -R /mnt
reboot
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment