dm-crypt/Encrypting an entire system
The following are examples of common scenarios of full system encryption with dm-crypt. They explain all the adaptations that need to be done to the normal installation procedure. All the necessary tools are on the installation images.
Contents
- 1 Overview
- 2 Simple partition layout with LUKS
- 3 LVM on LUKS
- 4 LUKS on LVM
- 5 LUKS on software RAID
- 6 Plain dm-crypt
- 7 Encrypted boot partition (GRUB)
- 8 Btrfs subvolumes with swap
- 9 Acknowledgement
1 Overview
Securing a root filesystem is where dm-crypt excels, feature and performance-wise. Unlike selectively encrypting non-root filesystems, an encrypted root filesystem can conceal information such as which programs are installed, the usernames of all user accounts, and common data-leakage vectors such as mlocate and /var/log/. Furthermore, an encrypted root filesystem makes tampering with the system far more difficult, as everything except the boot loader and (usually) the kernel is encrypted.
All of the following scenarios share these advantages; the other pros and cons that differentiate them are summarized below:
Scenarios | Advantages | Disadvantages |
---|---|---|
#Simple partition layout with LUKS shows a basic and straightforward set-up for a fully LUKS encrypted root. | | |
#LVM on LUKS achieves partitioning flexibility by using LVM inside a single LUKS encrypted partition. | | |
#LUKS on LVM uses dm-crypt only after the LVM is set up. | | |
#Plain dm-crypt uses dm-crypt plain mode, i.e. without a LUKS header and its options for multiple keys. | | |
#Encrypted boot partition (GRUB) shows how to encrypt the boot partition using the GRUB bootloader. | | |
#Btrfs subvolumes with swap shows how to encrypt a Btrfs system, including the /boot directory, also adding a partition for swap, on UEFI hardware. | | |
While all above scenarios provide much greater protection from outside threats than encrypted secondary filesystems, they also share a common disadvantage: any user in possession of the encryption key is able to decrypt the entire drive, and therefore can access other users' data. If that is of concern, it is possible to use a combination of blockdevice and stacked filesystem encryption and reap the advantages of both. See Disk encryption to plan ahead.
See Dm-crypt/Drive preparation#Partitioning for a general overview of the partitioning strategies used in the scenarios.
Another area to consider is whether to set up an encrypted swap partition and what kind. See Dm-crypt/Swap encryption for alternatives.
If you want to protect the system's data not only against physical theft but also against logical tampering, see Dm-crypt/Specialties#Securing the unencrypted boot partition for further possibilities after following one of the scenarios.
2 Simple partition layout with LUKS
This example covers a full system encryption with dm-crypt + LUKS in a simple partition layout:
+--------------------+--------------------------+--------------------------+
|Boot partition      |LUKS encrypted system     |Optional free space       |
|                    |partition                 |for additional partitions |
|/dev/sdaY           |/dev/sdaX                 |or swap to be setup later |
+--------------------+--------------------------+--------------------------+
The first steps can be performed directly after booting the Parabola install image.
2.1 Preparing the disk
Prior to creating any partitions, you should inform yourself about the importance and methods to securely erase the disk, described in Dm-crypt/Drive preparation.
Then create the needed partitions, at least one for / (e.g. /dev/sdaX) and /boot (/dev/sdaY), see Partitioning.
2.2 Preparing non-boot partitions
The following commands create and mount the encrypted root partition. They correspond to the procedure described in detail in Dm-crypt/Encrypting a non-root file system#Partition (which, despite the title, can be applied to root partitions, as long as mkinitcpio and the boot loader are correctly configured). If you want to use particular non-default encryption options (e.g. cipher, key length), see the encryption options before executing the first command:
# cryptsetup -y -v luksFormat /dev/sdaX
# cryptsetup open /dev/sdaX cryptroot
# mkfs -t ext4 /dev/mapper/cryptroot
# mount -t ext4 /dev/mapper/cryptroot /mnt
Check the mapping works as intended:
# umount /mnt
# cryptsetup close cryptroot
# cryptsetup open /dev/sdaX cryptroot
# mount -t ext4 /dev/mapper/cryptroot /mnt
If you created separate partitions (e.g. /home), these steps have to be adapted and repeated for all of them, except for /boot. See Dm-crypt/Encrypting a non-root file system#Automated unlocking and mounting on how to handle additional partitions at boot.
Note that each blockdevice requires its own passphrase. This may be inconvenient, because it results in a separate passphrase to be input during boot. An alternative is to use a keyfile stored in the system partition to unlock the separate partition via crypttab. See Dm-crypt/Device encryption#Using LUKS to format partitions with a keyfile for instructions.
2.3 Preparing the boot partition
You do have to set up a non-encrypted /boot partition, which is needed for an encrypted root. For a standard MBR/non-EFI /boot partition, for example, execute:
# mkfs -t ext4 /dev/sdaY
# mkdir /mnt/boot
# mount -t ext4 /dev/sdaY /mnt/boot
2.4 Mounting the devices
At Installation guide#Mount the partitions you will have to mount the mapped devices, not the actual partitions. Of course /boot, which is not encrypted, will still have to be mounted directly.
Afterwards continue with the installation procedure up to the mkinitcpio step.
2.5 Configuring mkinitcpio
Add the encrypt hook to mkinitcpio.conf:
/etc/mkinitcpio.conf
HOOKS="... encrypt ... filesystems ..."
Depending on which other hooks are used, the order may be relevant. See dm-crypt/System configuration#mkinitcpio for details and other hooks that you may need.
2.6 Configuring the boot loader
In order to unlock the encrypted root partition at boot, the following kernel parameters need to be set by the boot loader:
cryptdevice=UUID=<device-UUID>:cryptroot root=/dev/mapper/cryptroot
See Dm-crypt/System configuration#Boot loader for details.
The <device-UUID> refers to the UUID of /dev/sdaX, see Persistent block device naming for details.
3 LVM on LUKS
The straightforward method is to set up LVM on top of the encrypted partition instead of the other way round. Technically the LVM is set up inside one big encrypted blockdevice. Hence, the LVM is not transparent until the blockdevice is unlocked and the underlying volume structure is scanned and mounted during boot.
The disk layout in this example is:
+-----------------------------------------------------------------------+ +----------------+
| Logical volume1       | Logical volume2       | Logical volume3       | |                |
|/dev/mapper/MyVol-swap |/dev/mapper/MyVol-root |/dev/mapper/MyVol-home | | Boot partition |
|_ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _| | (may be on     |
|                                                                       | | other device)  |
|                        LUKS encrypted partition                       | |                |
|                           /dev/sdaX                                   | |   /dev/sdbY    |
+-----------------------------------------------------------------------+ +----------------+
Tip: Two variants of this setup:
- Instructions at Dm-crypt/Specialties#Encrypted system using a remote LUKS header use this setup with a remote LUKS header on a USB device to achieve a two factor authentication with it.
3.1 Preparing the disk
Prior to creating any partitions, you should inform yourself about the importance and methods to securely erase the disk, described in Dm-crypt/Drive preparation.
When using the GRUB bootloader together with GPT, create a BIOS Boot Partition as explained in GRUB#BIOS systems.
Create a partition to be mounted at /boot of type 8300 with a size of 100 MB or more.
Create a partition of type 8E00, which will later contain the encrypted container.
Create the LUKS encrypted container at the "system" partition. Enter the chosen password twice.
# cryptsetup luksFormat /dev/sdaX
For more information about the available cryptsetup options, see the LUKS encryption options before running the above command.
Open the container:
# cryptsetup open --type luks /dev/sdaX lvm
The decrypted container is now available at /dev/mapper/lvm.
3.2 Preparing the logical volumes
Create a physical volume on top of the opened LUKS container:
# pvcreate /dev/mapper/lvm
Create the volume group named MyVol (or whatever you want), adding the previously created physical volume to it:
# vgcreate MyVol /dev/mapper/lvm
Create all your logical volumes on the volume group:
# lvcreate -L 8G MyVol -n swap
# lvcreate -L 15G MyVol -n root
# lvcreate -l 100%FREE MyVol -n home
Format your filesystems on each logical volume:
# mkfs.ext4 /dev/mapper/MyVol-root
# mkfs.ext4 /dev/mapper/MyVol-home
# mkswap /dev/mapper/MyVol-swap
Mount your filesystems:
# mount /dev/mapper/MyVol-root /mnt
# mkdir /mnt/home
# mount /dev/mapper/MyVol-home /mnt/home
# swapon /dev/mapper/MyVol-swap
3.3 Preparing the boot partition
The bootloader loads the kernel, initramfs, and its own configuration files from the /boot directory. This directory must be located on a separate unencrypted filesystem.
Create an Ext2 filesystem on the partition intended for /boot. Any filesystem that can be read by the bootloader is eligible.
# mkfs.ext2 /dev/sdbY
Create the directory /mnt/boot:
# mkdir /mnt/boot
Mount the partition to /mnt/boot:
# mount /dev/sdbY /mnt/boot
Afterwards continue with the installation procedure up to the mkinitcpio step.
3.4 Configuring mkinitcpio
Add the encrypt and lvm2 hooks to mkinitcpio.conf:
/etc/mkinitcpio.conf
HOOKS="... encrypt lvm2 ... filesystems ..."
See dm-crypt/System configuration#mkinitcpio for details and other hooks that you may need.
3.5 Configuring the boot loader
In order to unlock the encrypted root partition at boot, the following kernel parameter needs to be set by the boot loader:
cryptdevice=UUID=<device-UUID>:lvm
The <device-UUID> refers to the UUID of /dev/sdaX, see Persistent block device naming for details.
See Dm-crypt/System configuration#Boot loader for details.
4 LUKS on LVM
To use encryption on top of LVM, the LVM volumes are set up first and then used as the base for the encrypted partitions. This way, a mixture of encrypted and non-encrypted volumes/partitions is possible as well.
The following short example creates a LUKS on LVM setup and mixes in the use of a key-file for the /home partition and temporary crypt volumes for /tmp and /swap. The latter is considered desirable from a security perspective, because no potentially sensitive temporary data survives the reboot, when the encryption is re-initialised. If you are experienced with LVM, you will be able to ignore/replace LVM and other specifics according to your plan. If you want to span a logical volume over multiple disks during setup already, a procedure to do so is described in Dm-crypt/Specialties#Expanding LVM on multiple disks.
4.1 Preparing the disk
Partitioning scheme:
- /dev/sda1 -> /boot
- /dev/sda2 -> LVM
Randomise /dev/sda2 according to Dm-crypt/Drive preparation#dm-crypt wipe before installation.
4.2 Preparing the logical volumes
# lvm pvcreate /dev/sda2
# lvm vgcreate lvm /dev/sda2
# lvm lvcreate -L 10G -n lvroot lvm
# lvm lvcreate -L 500M -n swap lvm
# lvm lvcreate -L 500M -n tmp lvm
# lvm lvcreate -l 100%FREE -n home lvm
# cryptsetup luksFormat -c aes-xts-plain64 -s 512 /dev/lvm/lvroot
# cryptsetup open --type luks /dev/lvm/lvroot root
# mkfs -t ext4 /dev/mapper/root
# mount /dev/mapper/root /mnt
More information about the encryption options can be found in Dm-crypt/Device encryption#Encryption options for LUKS mode. Note that /home will be encrypted in #Encrypting logical volume /home. Further, note that if you ever have to access the encrypted root from the Parabola ISO, the above open action will allow you to do so once the LVM shows up.
4.3 Preparing the boot partition
# dd if=/dev/zero of=/dev/sda1 bs=1M
# mkfs -t ext4 /dev/sda1
# mkdir /mnt/boot
# mount /dev/sda1 /mnt/boot
Now after setup of the encrypted LVM partitioning, it would be time to mount the partitions.
4.4 Configuring mkinitcpio
Add the lvm2 and encrypt hooks to mkinitcpio.conf, with lvm2 before encrypt so that the logical volume exists when the encrypt hook tries to open it:
/etc/mkinitcpio.conf
HOOKS="... block lvm2 encrypt ... filesystems ..."
See dm-crypt/System configuration#mkinitcpio for details and other hooks that you may need.
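The hook order differs between the scenarios: encrypt before lvm2 for LVM on LUKS, lvm2 before encrypt for LUKS on LVM, and encrypt before filesystems in every case. The following POSIX shell check is an added example, not part of the original page or of mkinitcpio; the function names and the scenario labels (luks, lvm-on-luks, luks-on-lvm) are assumptions of this example, and the sample configuration lines are constructed.

```shell
#!/bin/sh
# Added example: verify the HOOKS order in a mkinitcpio.conf against the
# scenario it is meant for. Function names and scenario labels are hypothetical.

# Print the hooks of the last active HOOKS= line, one per line.
# Accepts both HOOKS="a b c" and HOOKS=(a b c); commented lines are ignored.
hooks_from_conf() {
    awk '
        /^[ \t]*HOOKS=/ { line = $0 }
        END {
            sub(/^[ \t]*HOOKS=/, "", line)
            sub(/#.*/, "", line)
            gsub(/[()"]/, " ", line)
            n = split(line, h, /[ \t]+/)
            for (i = 1; i <= n; i++) if (h[i] != "") print h[i]
        }' "$1"
}

# Print the 1-based position of hook $2 in the list $1, or 0 if it is absent.
hook_index() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $0 == want { print NR; found = 1; exit }
        END { if (!found) print 0 }'
}

# check_hooks CONF SCENARIO   (SCENARIO: luks | lvm-on-luks | luks-on-lvm)
# Prints "ok" or the first problem found; returns 0 for ok, 1 for a problem.
check_hooks() {
    hooks=$(hooks_from_conf "$1")
    enc=$(hook_index "$hooks" encrypt)
    lvm=$(hook_index "$hooks" lvm2)
    fs=$(hook_index "$hooks" filesystems)

    [ "$enc" -gt 0 ] || { echo "encrypt hook missing"; return 1; }
    [ "$fs" -gt 0 ] || { echo "filesystems hook missing"; return 1; }
    [ "$enc" -lt "$fs" ] || { echo "encrypt must come before filesystems"; return 1; }

    case $2 in
        luks) ;;
        lvm-on-luks|luks-on-lvm)
            [ "$lvm" -gt 0 ] || { echo "lvm2 hook missing"; return 1; }
            [ "$lvm" -lt "$fs" ] || { echo "lvm2 must come before filesystems"; return 1; }
            if [ "$2" = lvm-on-luks ] && [ "$lvm" -lt "$enc" ]; then
                echo "lvm2 must come after encrypt: the volume group is inside the LUKS container"
                return 1
            fi
            if [ "$2" = luks-on-lvm ] && [ "$enc" -lt "$lvm" ]; then
                echo "lvm2 must come before encrypt: the LUKS container is inside a logical volume"
                return 1
            fi ;;
        *) echo "unknown scenario: $2"; return 2 ;;
    esac
    echo "ok"
}

# Constructed sample: the same HOOKS line is right for one scenario and
# wrong for the other.
demo_dir=$(mktemp -d)
printf '%s\n' 'HOOKS="base udev block encrypt lvm2 filesystems"' > "$demo_dir/mkinitcpio.conf"
for scenario in lvm-on-luks luks-on-lvm; do
    printf '%s: %s\n' "$scenario" "$(check_hooks "$demo_dir/mkinitcpio.conf" "$scenario")"
done
rm -rf "$demo_dir"
```

Run it against /etc/mkinitcpio.conf of the installed system (or /mnt/etc/mkinitcpio.conf from the install image) before regenerating the initramfs.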
4.5 Configuring the boot loader
In order to unlock the encrypted root partition at boot, the following kernel parameters need to be set by the boot loader:
cryptdevice=/dev/lvm/lvroot:root root=/dev/mapper/root
See Dm-crypt/System configuration#Boot loader for details.
4.6 Configuring fstab and crypttab
/etc/fstab
/dev/mapper/root  /      ext4   defaults  0 1
/dev/sda1         /boot  ext4   defaults  0 2
/dev/mapper/tmp   /tmp   tmpfs  defaults  0 0
/dev/mapper/swap  none   swap   sw        0 0
The following crypttab options will re-encrypt the temporary filesystems each reboot:
/etc/crypttab
swap /dev/lvm/swap /dev/urandom swap,cipher=aes-xts-plain64,size=256
tmp /dev/lvm/tmp /dev/urandom tmp,cipher=aes-xts-plain64,size=256
4.7 Encrypting logical volume /home
Since this scenario uses LVM as the primary and dm-crypt as secondary mapper, each encrypted logical volume requires its own encryption. Yet, unlike the temporary filesystems configured with volatile encryption above, the logical volume for /home should be persistent, of course. The following assumes you have rebooted into the installed system, otherwise you have to adjust paths. To avoid entering a second passphrase for it at boot, a keyfile is created:
mkdir -m 700 /etc/luks-keys
dd if=/dev/random of=/etc/luks-keys/home bs=1 count=256
The logical volume is encrypted with it:
cryptsetup luksFormat -v -s 512 /dev/lvm/home /etc/luks-keys/home
cryptsetup -d /etc/luks-keys/home open --type luks /dev/lvm/home home
mkfs -t ext4 /dev/mapper/home
mount /dev/mapper/home /home
The encrypted mount is configured in crypttab:
/etc/crypttab
home /dev/lvm/home /etc/luks-keys/home
/etc/fstab
/dev/mapper/home /home ext4 defaults 0 2
and setup is done.
If you want to expand the logical volume for /home (or any other volume) at a later point, it is important to note that the LUKS encrypted part has to be resized as well. For a procedure see Dm-crypt/Specialties#Expanding LVM on multiple disks.
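An added example, not part of the original page: a POSIX shell audit for crypttab files like the two used in this scenario. It accepts /dev/urandom keys only on entries carrying the swap or tmp option, and flags a key file whose own mode bits grant group or other access, which is what dd creates under a 022 umask even inside a 0700 directory. The function names and the ROOT prefix argument are assumptions of this example; the sample tree is constructed.

```shell
#!/bin/sh
# Added example: audit crypttab entries (volatile keys and key file modes).
# Function names and the ROOT argument are hypothetical.

# Print the group and other permission characters of a file, e.g. "r--r--".
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# audit_crypttab CRYPTTAB [ROOT]
# ROOT is prepended to key file paths, so a tree mounted at /mnt (or a
# sample tree) can be checked. Prints "<name>: <finding>" per entry and
# returns 1 if any entry was flagged, 0 otherwise.
audit_crypttab() {
    tab=$1
    root=${2:-}
    rc=0
    while read -r name dev key opts rest || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac
        case $key in
            ''|none|-)
                echo "$name: ok, passphrase prompt at boot" ;;
            /dev/urandom|/dev/random)
                # A random key is only sensible for volumes re-created each boot.
                case ",$opts," in
                    *,swap,*|*,tmp,*)
                        echo "$name: ok, volatile key, volume re-created each boot" ;;
                    *)
                        echo "$name: FLAG random key without swap or tmp option"
                        rc=1 ;;
                esac ;;
            *)
                if [ ! -f "$root$key" ]; then
                    echo "$name: FLAG key file $key not found"
                    rc=1
                elif [ "$(group_other_bits "$root$key")" != "------" ]; then
                    echo "$name: FLAG key file $key mode grants group/other access"
                    rc=1
                else
                    echo "$name: ok, key file restricted to owner"
                fi ;;
        esac
    done < "$tab"
    return $rc
}

# Constructed sample tree: the crypttab lines are the ones from this
# scenario, the key file content is a placeholder.
demo=$(mktemp -d)
mkdir -p "$demo/etc/luks-keys"
printf 'constructed-key-material' > "$demo/etc/luks-keys/home"
chmod 644 "$demo/etc/luks-keys/home"      # what a 022 umask leaves behind
cat > "$demo/etc/crypttab" <<'EOF'
swap /dev/lvm/swap /dev/urandom swap,cipher=aes-xts-plain64,size=256
tmp  /dev/lvm/tmp  /dev/urandom tmp,cipher=aes-xts-plain64,size=256
home /dev/lvm/home /etc/luks-keys/home
EOF
echo "before chmod:"; audit_crypttab "$demo/etc/crypttab" "$demo"
chmod 600 "$demo/etc/luks-keys/home"
echo "after chmod 600:"; audit_crypttab "$demo/etc/crypttab" "$demo"
rm -rf "$demo"
```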
5 LUKS on software RAID
6 Plain dm-crypt
Contrary to LUKS, dm-crypt plain mode does not require a header on the encrypted device: this scenario exploits this feature to set up a system on an unpartitioned, encrypted disk that will be indistinguishable from a disk filled with random data, which could allow deniable encryption. See also wikipedia:Disk encryption#Full disk encryption.
Note that if full-disk encryption is not required, the methods using LUKS described in the sections above are better options for both system encryption and encrypted partitions. LUKS features like key management with multiple passphrases/key-files or re-encrypting a device in-place are unavailable with plain mode.
Plain dm-crypt encryption can be more resilient to damage than LUKS, because it does not rely on an encryption master-key which can be a single-point of failure if damaged. However, using plain mode also requires more manual configuration of encryption options to achieve the same cryptographic strength. See also Disk encryption#Cryptographic metadata. Using plain mode could also be considered if concerned with the problems explained in Dm-crypt/Specialties#Discard/TRIM support for solid state drives (SSD).
- tcplay which offers headerless encryption but with the PBKDF2 function, or
- dm-crypt LUKS mode by using the cryptsetup --header option. It cannot be used with the standard encrypt hook, but the hook may be modified.
The scenario uses two USB sticks:
- one for the boot device, which also allows storing the options required to open/unlock the plain encrypted device in the boot loader configuration, since typing them on each boot would be error prone;
- another for the encryption key file, assuming it is stored as raw bits so that, to an unaware attacker who might get hold of the USB key, the encryption key appears as random data instead of being visible as a normal file. See also Wikipedia:Security through obscurity, and follow Dm-crypt/Device encryption#Keyfiles to prepare the keyfile.
The disk layout is:
+--------------------+------------------+--------------------+ +---------------+ +---------------+
|Volume 1:           |Volume 2:         |Volume 3:           | |Boot device    | |Encryption key |
|                    |                  |                    | |               | |file storage   |
|root                |swap              |home                | |/boot          | |(unpartitioned |
|                    |                  |                    | |               | |in example)    |
|/dev/store/root     |/dev/store/swap   |/dev/store/home     | |/dev/sdY1      | |/dev/sdZ       |
|--------------------+------------------+--------------------| |---------------| |---------------|
|disk drive /dev/sdaX encrypted using plain mode and LVM     | |USB stick 1    | |USB stick 2    |
+------------------------------------------------------------+ +---------------+ +---------------+
- It is also possible to use a single usb key by copying the keyfile to the initram directly. An example keyfile /etc/keyfile gets copied to the initram image by setting FILES="/etc/keyfile" in /etc/mkinitcpio.conf. The way to instruct the encrypt hook to read the keyfile in the initram image is using rootfs: prefix before the filename, e.g. cryptkey=rootfs:/etc/keyfile.
- Another option is using a passphrase with good entropy.
6.1 Preparing the disk
It is vital that the mapped device is filled with data. This applies in particular to the use case of this scenario.
See Dm-crypt/Drive preparation and Dm-crypt/Drive preparation#dm-crypt specific methods.
6.2 Preparing the non-boot partitions
See Dm-crypt/Device encryption#Encryption options for plain mode for details.
Using the device /dev/sdX, with the twofish-xts cipher with a 512 bit key size and using a keyfile we have the following options for this scenario:
# cryptsetup --hash=sha512 --cipher=twofish-xts-plain64 --offset=0 --key-file=/dev/sdZ --key-size=512 open --type=plain /dev/sdX enc
Unlike encrypting with LUKS, the above command must be executed in full whenever the mapping needs to be re-established, so it is important to remember the cipher, hash and key file details.
We can now check a mapping entry has been made for /dev/mapper/enc:
# fdisk -l
Next, we set up LVM logical volumes on the mapped device, see LVM#Installing Parabola on LVM for further details:
# pvcreate /dev/mapper/enc
# vgcreate store /dev/mapper/enc
# lvcreate -L 20G store -n root
# lvcreate -L 10G store -n swap
# lvcreate -l 100%FREE store -n home
We format and mount them and activate swap, see File systems#Format a device for further details:
# mkfs.ext4 /dev/store/root
# mkfs.ext4 /dev/store/home
# mount /dev/store/root /mnt
# mkdir /mnt/home
# mount /dev/store/home /mnt/home
# mkswap /dev/store/swap
# swapon /dev/store/swap
6.3 Preparing the boot partition
The /boot partition can be installed on the standard vfat partition of a USB stick, if required. But if manual partitioning is needed, then a small 200MB partition is all that is required. Create the partition using a partitioning tool of your choice.
We choose a non-journalling file system to preserve the flash memory of the /boot partition, if not already formatted as vfat:
# mkfs.ext2 /dev/sdY1
# mkdir /mnt/boot
# mount /dev/sdY1 /mnt/boot
6.4 Configuring mkinitcpio
Add the encrypt and lvm2 hooks to mkinitcpio.conf:
/etc/mkinitcpio.conf
HOOKS="... encrypt lvm2 ... filesystems ..."
See dm-crypt/System configuration#mkinitcpio for details and other hooks that you may need.
6.5 Configuring the boot loader
In order to boot the encrypted root partition, the following kernel parameters need to be set by the boot loader:
cryptdevice=/dev/sdX:enc cryptkey=/dev/sdZ:0:512 crypto=sha512:twofish-xts-plain64:512:0:
See Dm-crypt/System configuration#Boot loader for details and other parameters that you may need.
# grub-install --recheck /dev/sdY
6.6 Post-installation
You may wish to remove the USB sticks after booting. Since the /boot partition is not usually needed, the noauto option can be added to the relevant line in /etc/fstab:
/etc/fstab
# /dev/sdYn
/dev/sdYn /boot ext2 noauto,rw,noatime 0 2
However, when an update to the kernel or bootloader is required, the /boot partition must be present and mounted. As the entry in fstab already exists, it can be mounted simply with:
# mount /boot
7 Encrypted boot partition (GRUB)
This setup utilizes the same partition layout and configuration for the system's root partition as the previous #LVM on LUKS section, with two distinct differences:
- The setup is performed for a UEFI system and
- A special feature of the GRUB bootloader is used to additionally encrypt the boot partition /boot. See also GRUB#Boot partition.
The disk layout in this example is:
+---------------+----------------+----------------+----------------+----------------+
|ESP partition: |Boot partition: |Volume 1:       |Volume 2:       |Volume 3:       |
|               |                |                |                |                |
|/boot/efi      |/boot           |root            |swap            |home            |
|               |                |                |                |                |
|               |                |/dev/store/root |/dev/store/swap |/dev/store/home |
|/dev/sdaX      |/dev/sdaY       +----------------+----------------+----------------+
|unencrypted    |LUKS encrypted  |/dev/sdaZ encrypted using LVM on LUKS             |
+---------------+----------------+--------------------------------------------------+
7.1 Preparing the disk
Prior to creating any partitions, you should inform yourself about the importance and methods to securely erase the disk, described in Dm-crypt/Drive preparation.
Create an EFI System Partition with an appropriate size; it will later be mounted at /boot/efi.
Create a partition to be mounted at /boot of type 8300 with a size of 100 MB or more.
Create a partition of type 8E00, which will later contain the encrypted container.
Create the LUKS encrypted container at the "system" partition.
# cryptsetup luksFormat /dev/sdaZ
For more information about the available cryptsetup options, see the LUKS encryption options before running the above command.
Your partition layout should look similar to this:
gdisk /dev/sda
Number  Start (sector)    End (sector)  Size        Code  Name
   1            2048         1050623    512.0 MiB   EF00  EFI System
   2         1050624         1460223    200.0 MiB   8300  Linux filesystem
   3         1460224        41943006    19.3 GiB    8E00  Linux LVM
Open the container:
# cryptsetup open --type luks /dev/sdaZ lvm
The decrypted container is now available at /dev/mapper/lvm.
7.2 Preparing the logical volumes
The LVM logical volumes of this example follow the exact layout as the previous scenario. Therefore, please follow Preparing the logical volumes above or adjust as required.
7.3 Preparing the boot partition
The bootloader loads the kernel, initramfs, and its own configuration files from the /boot directory.
First, create the LUKS container where the files will be located and installed into:
# cryptsetup luksFormat /dev/sdaY
Next, open it:
# cryptsetup open /dev/sdaY cryptboot
Create a filesystem on the partition intended for /boot. Any filesystem that can be read by the bootloader is eligible:
# mkfs.ext2 /dev/mapper/cryptboot
Create the directory /mnt/boot:
# mkdir /mnt/boot
Mount the partition to /mnt/boot:
# mount /dev/mapper/cryptboot /mnt/boot
Create a mountpoint for the EFI System Partition at /boot/efi for compatibility with grub-install and mount it:
# mkdir /mnt/boot/efi
# mount /dev/sdaX /mnt/boot/efi
At this point, you should have the following partitions and logical volumes inside of /mnt:
lsblk
NAME                      MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                       8:0      0   200G  0 disk
├─sda1                    8:1      0   512M  0 part  /boot/efi
├─sda2                    8:2      0   200M  0 part
│ └─boot                  254:0    0   198M  0 crypt /boot
└─sda3                    8:3      0   100G  0 part
  └─lvm                   254:1    0   100G  0 crypt
    ├─MyStorage-swapvol   254:2    0     8G  0 lvm   [SWAP]
    ├─MyStorage-rootvol   254:3    0    15G  0 lvm   /
    └─MyStorage-homevol   254:4    0    77G  0 lvm   /home
Afterwards continue with the installation procedure up to the mkinitcpio step.
7.4 Configuring mkinitcpio
Add the encrypt and lvm2 hooks to mkinitcpio.conf:
/etc/mkinitcpio.conf
HOOKS="... encrypt lvm2 ... filesystems ..."
See dm-crypt/System configuration#mkinitcpio for details and other hooks that you may need.
7.5 Configuring the boot loader
Configure GRUB to recognize the LUKS encrypted /boot partition and unlock the encrypted root partition at boot:
/etc/default/grub
GRUB_CMDLINE_LINUX="... cryptdevice=UUID=<device-UUID>:lvm ..."
GRUB_ENABLE_CRYPTODISK=y
See Dm-crypt/System configuration#Boot loader and GRUB#Boot partition for details. The <device-UUID> refers to the UUID of /dev/sdaZ (the partition which holds the lvm containing the root filesystem), see Persistent block device naming.
Generate GRUB's configuration file and install to the mounted ESP:
# grub-mkconfig -o /boot/grub/grub.cfg
# grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub --recheck
If this finished without errors, GRUB should prompt for the passphrase to unlock the /boot partition after the next reboot.
7.6 Configuring fstab and crypttab
This section deals with extra configuration to let the system mount the encrypted /boot.
While GRUB asks for a passphrase to unlock the encrypted /boot after above instructions, the partition unlock is not passed on to the initramfs. Hence, /boot will not be available after the system has re-/booted, because the encrypt hook only unlocks the system's root.
If you used the genfstab script during installation, it will have generated /etc/fstab entries for the /boot and /boot/efi mount points already, but the system will fail to find the generated device mapper for the boot partition. To make it available, add it to crypttab. For example:
/etc/crypttab
cryptboot /dev/sdaY none luks
will make the system ask for the passphrase again (i.e. you have to enter it twice at boot: once for GRUB and once for systemd init). To avoid the double entry for unlocking /boot, follow the instructions at Dm-crypt/Device encryption#Keyfiles to:
- Create a randomtext keyfile,
- Add the keyfile to the (/dev/sdaY) boot partition's LUKS header and
- Check the /etc/fstab entry and add the /etc/crypttab line to unlock it automatically at boot.
If for some reason the keyfile fails to unlock the boot partition, systemd will fall back to asking for a passphrase to unlock it and, if that is correct, continue booting.
- It may be worth considering to add the GRUB bootloader to the ignore list of /etc/pacman.conf in order to take particular control of when the bootloader (which includes its own encryption modules) is updated.
- If you want to encrypt the /boot partition to protect against offline tampering threats, the mkinitcpio-chkcryptoboot hook has been contributed to help.
8 Btrfs subvolumes with swap
The following example creates a full system encryption with LUKS using Btrfs subvolumes to simulate partitions.
If using UEFI, an EFI System Partition (ESP) is required. /boot itself may reside on / and be encrypted; however, the ESP itself cannot be encrypted. In this example layout, the ESP is /dev/sdaY and is mounted at /boot/efi. /boot itself is located on the system partition, /dev/sdaX.
Since /boot resides on the encrypted /, GRUB must be used as the bootloader because only GRUB can load modules necessary to decrypt /boot (e.g., crypto.mod, cryptodisk.mod and luks.mod).
Additionally an optional plain-encrypted swap partition is shown.
+--------------------------+--------------------------+--------------------------+
|ESP                       |System partition          |Swap partition            |
|unencrypted               |LUKS-encrypted            |plain-encrypted           |
|                          |                          |                          |
|/boot/efi                 |/                         |                          |
|/dev/sdaY                 |/dev/sdaX                 |/dev/sdaZ                 |
+--------------------------+--------------------------+--------------------------+
8.1 Preparing the disk
Prior to creating any partitions, you should inform yourself about the importance and methods to securely erase the disk, described in Dm-crypt/Drive preparation. If you are using UEFI create an EFI System Partition with an appropriate size. It will later be mounted at /boot/efi. If you are going to create an encrypted swap partition, create the partition for it, but do not mark it as swap, since plain dm-crypt will be used with the partition.
Create the needed partitions, at least one for / (e.g. /dev/sdaX). See the Partitioning article.
8.2 Preparing the system partition
8.2.1 Create LUKS container
Follow dm-crypt/Device encryption#Encrypting devices with LUKS mode to setup /dev/sdaX for LUKS. See the Dm-crypt/Device encryption#Encryption options for LUKS mode before doing so for a list of encryption options.
8.2.2 Unlock LUKS container
Now follow Dm-crypt/Device encryption#Unlocking/Mapping LUKS partitions with the device mapper to unlock the LUKS container and map it.
8.2.3 Format mapped device
Proceed to format the mapped device as described in Btrfs#File system on a single device, where /dev/partition is the name of the mapped device (i.e., cryptroot) and not /dev/sdaX.
8.2.4 Mount mapped device
Finally, mount the now-formatted mapped device (i.e., /dev/mapper/cryptroot) to /mnt.
8.3 Creating btrfs subvolumes
8.3.1 Layout
Subvolumes will be used to simulate partitions, but other (nested) subvolumes will also be created. Here is a partial representation of what the following example will generate:
subvolid=5 (/dev/sdaX)
   |
   ├── @ (mounted as /)
   |       |
   |       ├── /bin (directory)
   |       |
   |       ├── /home (mounted @home subvolume)
   |       |
   |       ├── /usr (directory)
   |       |
   |       ├── /.snapshots (mounted @snapshots subvolume)
   |       |
   |       ├── /var/cache/pacman/pkg (nested subvolume)
   |       |
   |       ├── ... (other directories and nested subvolumes)
   |
   ├── @snapshots (mounted as /.snapshots)
   |
   ├── @home (mounted as /home)
   |
   └── @... (additional subvolumes you wish to use as mount points)
This section follows the Snapper#Suggested filesystem layout, which is most useful when used with Snapper. You should also consult Btrfs Wiki SysadminGuide#Layout.
8.3.2 Create top-level subvolumes
Here we are using the convention of prefixing @ to subvolume names that will be used as mount points, and @ will be the subvolume that is mounted as /.
Following the Btrfs#Creating a subvolume article, create subvolumes at /mnt/@, /mnt/@snapshots, and /mnt/@home.
Create any additional subvolumes you wish to use as mount points now.
8.3.3 Mount top-level subvolumes
Unmount the system partition at /mnt.
Now mount the newly created @ subvolume which will serve as / to /mnt using the subvol= mount option. Assuming the mapped device is named cryptroot, the command would look like:
# mount -o compress=lzo,subvol=@ /dev/mapper/cryptroot /mnt
See Btrfs#Mounting subvolumes for more details.
Also mount the other subvolumes to their respective mount points: @home to /mnt/home and @snapshots to /mnt/.snapshots.
8.3.4 Create nested subvolumes
Create any subvolumes you do not want to have snapshots of when taking a snapshot of /. For example, you probably do not want to take snapshots of /var/cache/pacman/pkg. These subvolumes will be nested under the @ subvolume, but just as easily could have been created earlier at the same level as @ according to your preference.
Since the @ subvolume is mounted at /mnt you will need to create a subvolume at /mnt/var/cache/pacman/pkg for this example. You may have to create any parent directories first.
Other directories you may wish to do this with are /var/abs, /var/tmp, and /srv.
8.3.5 Mount ESP
If you prepared an EFI system partition earlier, create its mount point and mount it now.
At the pacstrap installation step, the btrfs-progs must be installed in addition to the base group.
8.4 Configuring mkinitcpio
8.4.1 Create keyfile
In order for GRUB to open the LUKS partition without the user having to enter their passphrase twice, we will use a keyfile embedded in the initramfs. Follow Dm-crypt/Device encryption#With a keyfile embedded in the initramfs, making sure to add the key to /dev/sdaX at the luksAddKey step.
8.4.2 Edit mkinitcpio.conf
After creating, adding, and embedding the key as described above, add the encrypt hook to mkinitcpio.conf as well as any other hooks you require. See Dm-crypt/System configuration#mkinitcpio for detailed information. Be sure to regenerate the initial ramdisk when finished.
8.5 Configuring the boot loader
Install GRUB to /dev/sda. Then, edit /etc/default/grub as instructed in the GRUB#Encryption article, following both the instructions for an encrypted root and boot partition. Finally, generate the GRUB configuration file.
8.6 Configuring swap
If you created a partition to be used for encrypted swap, now is the time to configure it. Follow the instructions at Dm-crypt/Swap encryption.
After completing this step, continue configuring your system as normal according to the installation guide.