dm-crypt/Encrypting an entire system - ArchWiki https://wiki.archlinux.org/index.php/Dm-crypt/En...

dm-crypt/Encrypting an entire
system
From ArchWiki

Back to dm-crypt.

The following are examples of common scenarios of full system encryption with
dm-crypt. They explain all the adaptations that need to be done to the normal
installation procedure. All the necessary tools are on the installation image
(https://www.archlinux.org/download/).

Contents
1 Overview
2 Simple partition layout with LUKS
2.1 Preparing the disk
2.2 Preparing non-boot partitions
2.3 Preparing the boot partition
2.4 Mounting the devices
2.5 Configuring mkinitcpio
2.6 Configuring the boot loader
3 LVM on LUKS
3.1 Preparing the disk
3.2 Preparing the logical volumes
3.3 Preparing the boot partition
3.4 Configuring mkinitcpio
3.5 Configuring the boot loader
4 LUKS on LVM
4.1 Preparing the disk
4.2 Preparing the logical volumes
4.3 Preparing the boot partition
4.4 Configuring mkinitcpio
4.5 Configuring the boot loader
4.6 Configuring fstab and crypttab
4.7 Encrypting logical volume /home
5 LUKS on software RAID
6 Plain dm-crypt
6.1 Preparing the disk
6.2 Preparing the non-boot partitions
6.3 Preparing the boot partition

1 of 21 03/14/2016 02:27 PM
6.4 Configuring mkinitcpio
6.5 Configuring the boot loader
6.6 Post-installation
7 Encrypted boot partition (GRUB)
7.1 Preparing the disk
7.2 Preparing the logical volumes
7.3 Preparing the boot partition
7.4 Configuring mkinitcpio
7.5 Configuring the boot loader
7.6 Configuring fstab and crypttab

Overview
Securing a root filesystem is where dm-crypt excels, feature- and
performance-wise. Unlike selectively encrypting non-root filesystems, an
encrypted root filesystem can conceal information such as which programs are
installed, the usernames of all user accounts, and common data-leakage vectors
such as mlocate and /var/log/ . Furthermore, an encrypted root filesystem makes
tampering with the system far more difficult, as everything except the boot loader
and (usually) the kernel is encrypted.

All scenarios illustrated in the following share these advantages; the other pros
and cons differentiating them are summarized below:


Scenarios, their advantages and disadvantages:

Simple partition layout with LUKS
  shows a basic and straight-forward set-up for a fully LUKS encrypted root.
  Advantages:
    Simple partitioning and setup
  Disadvantages:
    Inflexible; disk-space to be encrypted has to be pre-allocated

LVM on LUKS
  achieves partitioning flexibility by using LVM inside a single LUKS encrypted
  partition.
  Advantages:
    Simple partitioning with knowledge of LVM
    Only one key required to unlock all volumes (e.g. easy resume-from-disk setup)
    Easiest method to allow suspension to disk
  Disadvantages:
    LVM adds an additional mapping layer and hook
    Less useful, if a singular volume should receive a separate key
    Volume layout not transparent when locked

LUKS on LVM
  uses dm-crypt only after the LVM is set up.
  Advantages:
    LVM can be used to have encrypted volumes span multiple disks
    Easy mix of un-/encrypted volume groups
  Disadvantages:
    Complex; changing volumes requires changing encryption mappers too
    Volumes require individual keys
    LVM layout is transparent when locked

Plain dm-crypt
  uses dm-crypt plain mode, i.e. without a LUKS header and its options for
  multiple keys. This scenario also employs USB devices for /boot and key
  storage, which may be applied to the other scenarios.
  Advantages:
    Data resilience for cases where a LUKS header may be damaged
    Allows deniable encryption
  Disadvantages:
    High care to all encryption parameters is required
    Single encryption key and no option to change it

Encrypted boot partition (GRUB)
  shows how to encrypt the boot partition using the GRUB bootloader. This
  scenario also employs an ESP partition, which may be applied to the other
  scenarios.
  Advantages:
    Same advantages as the scenario the installation is based on (LVM on LUKS
    for this particular example)
    Less data is left unencrypted, i.e. the boot loader and the ESP partition,
    if present
  Disadvantages:
    Same disadvantages as the scenario the installation is based on (LVM on
    LUKS for this particular example)
    More complicated configuration
    Not supported by other boot loaders

While all above scenarios provide much greater protection from outside threats
than encrypted secondary filesystems, they also share a common disadvantage:
any user in possession of the encryption key is able to decrypt the entire drive,
and therefore can access other users' data. If that is of concern, it is possible to
use a combination of blockdevice and stacked filesystem encryption and reap the
advantages of both. See Disk encryption to plan ahead.

See Dm-crypt/Drive preparation#Partitioning for a general overview of the
partitioning strategies used in the scenarios.

Another area to consider is whether to set up an encrypted swap partition and
what kind. See Dm-crypt/Swap encryption for alternatives.

If you want to protect the system's data not only against physical theft, but
also need precautions against logical tampering, see
Dm-crypt/Specialties#Securing the unencrypted boot partition for further
possibilities after following one of the scenarios.

Simple partition layout with LUKS


This example covers a full system encryption with dmcrypt + LUKS in a simple
partition layout:

+--------------------+--------------------------+--------------------------+
|Boot partition |LUKS encrypted system |Optional free space |
| |partition |for additional partitions |
|/dev/sdaY |/dev/sdaX |or swap to be setup later |
+--------------------+--------------------------+--------------------------+


The first steps can be performed directly after booting the Arch Linux install
image.

Preparing the disk

Prior to creating any partitions, you should inform yourself about the importance
and methods to securely erase the disk, described in Dm-crypt/Drive preparation.

Then create the needed partitions, at least one for / (e.g. /dev/sdaX ) and /boot (
/dev/sdaY ), see Partitioning.

Preparing non-boot partitions

The following commands create and mount the encrypted root partition. They
correspond to the procedure described in detail in Dm-crypt/Encrypting a
non-root file system#Partition (which, despite the title, can be applied to root
partitions, as long as mkinitcpio and the boot loader are correctly configured). If
you want to use particular non-default encryption options (e.g. cipher, key length),
see the encryption options before executing the first command:

# cryptsetup -y -v luksFormat /dev/sdaX
# cryptsetup open /dev/sdaX cryptroot
# mkfs -t ext4 /dev/mapper/cryptroot
# mount -t ext4 /dev/mapper/cryptroot /mnt

Check the mapping works as intended:

# umount /mnt
# cryptsetup close cryptroot
# cryptsetup open /dev/sdaX cryptroot
# mount -t ext4 /dev/mapper/cryptroot /mnt

If you created separate partitions (e.g. /home ), these steps have to be adapted and
repeated for all of them, except for /boot . See Dm-crypt/Encrypting a non-root file
system#Automated unlocking and mounting on how to handle additional
partitions at boot.

Note that each blockdevice requires its own passphrase. This may be
inconvenient, because each of them has to be entered separately during boot.
An alternative is to use a keyfile stored in the system partition to unlock the
separate partition via crypttab . See Dm-crypt/Device encryption#Using LUKS to
Format Partitions with a Keyfile for instructions.

Preparing the boot partition

What you do have to set up is a non-encrypted /boot partition, which is needed for
an encrypted root. For a standard MBR/non-EFI /boot partition, for example, execute:

# mkfs -t ext4 /dev/sdaY
# mkdir /mnt/boot
# mount -t ext4 /dev/sdaY /mnt/boot

Mounting the devices

At Installation guide#Mount the partitions you will have to mount the mapped
devices, not the actual partitions. Of course /boot , which is not encrypted, will
still have to be mounted directly.

Afterwards continue with the installation procedure up to the mkinitcpio step.

Configuring mkinitcpio

Add the encrypt hook to mkinitcpio.conf:

/etc/mkinitcpio.conf

HOOKS="... encrypt ... filesystems ..."

Depending on which other hooks are used, the order may be relevant. See
dm-crypt/System configuration#mkinitcpio for details and other hooks that you
may need.

Configuring the boot loader

In order to unlock the encrypted root partition at boot, the following kernel
parameters need to be set by the boot loader:

cryptdevice=UUID=<device-UUID>:cryptroot root=/dev/mapper/cryptroot

See Dm-crypt/System configuration#Boot loader for details.

The <device-UUID> refers to the UUID of /dev/sdaX , see Persistent block device
naming for details.

LVM on LUKS
The straight-forward method is to set up LVM on top of the encrypted partition
instead of the other way round. Technically the LVM is set up inside one big
encrypted blockdevice. Hence, the LVM is not transparent until the blockdevice is
unlocked and the underlying volume structure is scanned and mounted during
boot.

The disk layout in this example is:

+-----------------------------------------------------------------------+ +----------------+
| Logical volume1 | Logical volume2 | Logical volume3 | | |
|/dev/mapper/MyVol-swap |/dev/mapper/MyVol-root |/dev/mapper/MyVol-home | | Boot partition |
|_ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _| | (may be on |
| | | other device) |
| LUKS encrypted partition | | |
| /dev/sdaX | | /dev/sdbY |
+-----------------------------------------------------------------------+ +----------------+

This method does not allow you to span the logical volumes over multiple disks,
even in the future. The #LUKS on LVM method does not have this limitation.

Tip: Two variants of this setup:

Instructions at Dm-crypt/Specialties#Encrypted system using a remote
LUKS header use this setup with a remote LUKS header on a USB device to
achieve a two factor authentication with it.
Instructions at Pavel Kogan's blog (http://www.pavelkogan.com/2014/05
/23/luks-full-disk-encryption/) show how to encrypt the /boot partition while
keeping it on the main LUKS partition when using GRUB, but be aware of
FS#43663 (https://bugs.archlinux.org/task/43663).

Preparing the disk

Prior to creating any partitions, you should inform yourself about the importance
and methods to securely erase the disk, described in Dm-crypt/Drive preparation.

When using the GRUB bootloader together with GPT, create a BIOS Boot Partition
as explained in GRUB#BIOS systems.

Create a partition to be mounted at /boot of type 8300 with a size of 100 MB or
more.

Create a partition of type 8E00 , which will later contain the encrypted container.

Create the LUKS encrypted container at the "system" partition. Enter the chosen
password twice.

# cryptsetup luksFormat /dev/sdaX

For more information about the available cryptsetup options see the LUKS
encryption options prior to above command.

Open the container:

# cryptsetup open --type luks /dev/sdaX lvm

The decrypted container is now available at /dev/mapper/lvm .

Preparing the logical volumes

Create a physical volume on top of the opened LUKS container:

# pvcreate /dev/mapper/lvm

Create the volume group named MyVol (or whatever you want), adding the
previously created physical volume to it:

# vgcreate MyVol /dev/mapper/lvm

Create all your logical volumes on the volume group:

# lvcreate -L 8G MyVol -n swap
# lvcreate -L 15G MyVol -n root
# lvcreate -l 100%FREE MyVol -n home

Format your filesystems on each logical volume:

# mkfs.ext4 /dev/mapper/MyVol-root
# mkfs.ext4 /dev/mapper/MyVol-home
# mkswap /dev/mapper/MyVol-swap

Mount your filesystems:

# mount /dev/mapper/MyVol-root /mnt
# mkdir /mnt/home
# mount /dev/mapper/MyVol-home /mnt/home
# swapon /dev/mapper/MyVol-swap

Preparing the boot partition

The bootloader loads the kernel, initramfs, and its own configuration files from
the /boot directory. This directory must be located on a separate unencrypted
filesystem.

Create an Ext2 filesystem on the partition intended for /boot . Any filesystem that
can be read by the bootloader is eligible.

# mkfs.ext2 /dev/sdbY

Create the directory /mnt/boot :

# mkdir /mnt/boot

Mount the partition to /mnt/boot :

# mount /dev/sdbY /mnt/boot

Afterwards continue with the installation procedure up to the mkinitcpio step.

Configuring mkinitcpio

Add the encrypt and lvm2 hooks to mkinitcpio.conf:

/etc/mkinitcpio.conf

HOOKS="... encrypt lvm2 ... filesystems ..."

Note: The order of both hooks no longer matters with the current
implementation of lvm2 .

See dm-crypt/System configuration#mkinitcpio for details and other hooks that
you may need.

Configuring the boot loader

In order to unlock the encrypted root partition at boot, the following kernel
parameters need to be set by the boot loader:

cryptdevice=UUID=<device-UUID>:lvm root=/dev/mapper/MyVol-root

The <device-UUID> refers to the UUID of /dev/sdaX , see Persistent block device
naming for details.

See Dm-crypt/System configuration#Boot loader for details.

LUKS on LVM

To use encryption on top of LVM, the LVM volumes are set up first and then used
as the base for the encrypted partitions. This way, a mixture of encrypted and
non-encrypted volumes/partitions is possible as well. Unlike #LVM on LUKS, this
method allows normally spanning the logical volumes over multiple disks.

The following short example creates a LUKS on LVM setup and mixes in the use of
a key-file for the /home partition and temporary crypt volumes for /tmp and /swap .
The latter is considered desirable from a security perspective, because no
potentially sensitive temporary data survives the reboot, when the encryption is
re-initialised. If you are experienced with LVM, you will be able to ignore/replace
LVM and other specifics according to your plan. If you want to span a logical
volume over multiple disks during setup already, a procedure to do so is described
in Dm-crypt/Specialties#Expanding LVM on multiple disks.

Preparing the disk

Partitioning scheme:

/dev/sda1 -> /boot
/dev/sda2 -> LVM

Randomise /dev/sda2 according to Dm-crypt/Drive preparation#dm-crypt wipe
before installation.

Preparing the logical volumes

# lvm pvcreate /dev/sda2
# lvm vgcreate lvm /dev/sda2
# lvm lvcreate -L 10G -n lvroot lvm
# lvm lvcreate -L 500M -n swap lvm
# lvm lvcreate -L 500M -n tmp lvm
# lvm lvcreate -l 100%FREE -n home lvm

# cryptsetup luksFormat -c aes-xts-plain64 -s 512 /dev/lvm/lvroot
# cryptsetup open --type luks /dev/lvm/lvroot root
# mkfs -t ext4 /dev/mapper/root
# mount /dev/mapper/root /mnt

More information about the encryption options can be found in Dm-crypt/Device
encryption#Encryption options for LUKS mode. Note that /home will be encrypted
in #Encrypting logical volume /home. Further, note that if you ever have to access
the encrypted root from the Arch-ISO, the above open action will allow you to after
the LVM shows up.

Preparing the boot partition

# dd if=/dev/zero of=/dev/sda1 bs=1M
# mkfs -t ext4 /dev/sda1
# mkdir /mnt/boot
# mount /dev/sda1 /mnt/boot

Now after setup of the encrypted LVM partitioning, it would be time to install:
Arch Install Scripts.

Configuring mkinitcpio

Add the lvm2 and encrypt hooks to mkinitcpio.conf:

/etc/mkinitcpio.conf

HOOKS="... block encrypt lvm2 ... filesystems ..."

See dm-crypt/System configuration#mkinitcpio for details and other hooks that
you may need.
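The HOOKS lines used by the scenarios on this page all share one requirement: block has to run before encrypt, and encrypt (plus lvm2 wherever the root sits on LVM) has to run before filesystems, otherwise the root is not unlocked or the volume group is not available when the initramfs tries to mount it. The following checker is an added example and not part of the ArchWiki page: it extracts the HOOKS line from a constructed mkinitcpio.conf and reports any ordering that breaks those rules. The function names, the sample file contents and the yes/no flag for an LVM-backed root are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: check the HOOKS line of an
# mkinitcpio.conf for the ordering the dm-crypt scenarios depend on.
#   block    must come before encrypt     (the encrypted device has to exist)
#   encrypt  must come before filesystems (root must be unlocked before mounting)
#   lvm2     must be present, and before filesystems, when root lives on LVM
# Function and file names below are this example's own.

# hook_index HOOKLIST NAME -> 1-based position of NAME in HOOKLIST, or 0 if absent
hook_index() {
    _i=0
    for _h in $1; do
        _i=$((_i + 1))
        if [ "$_h" = "$2" ]; then
            echo "$_i"
            return 0
        fi
    done
    echo 0
}

# extract_hooks FILE -> the space-separated hook list from the first
# HOOKS="..." or HOOKS=(...) line of FILE
extract_hooks() {
    sed -n 's/^[[:space:]]*HOOKS=["(]\(.*\)[")].*$/\1/p' "$1" | head -n 1
}

# check_hooks HOOKLIST [yes|no] -> 0 when the ordering is sane, 1 (with a
# reason on stderr) otherwise; the second argument says whether root is on LVM
check_hooks() {
    b=$(hook_index "$1" block)
    e=$(hook_index "$1" encrypt)
    f=$(hook_index "$1" filesystems)
    l=$(hook_index "$1" lvm2)
    needs_lvm=${2:-no}

    [ "$e" -gt 0 ] || { echo "encrypt hook missing" >&2; return 1; }
    [ "$f" -gt 0 ] || { echo "filesystems hook missing" >&2; return 1; }
    [ "$b" -gt 0 ] || { echo "block hook missing" >&2; return 1; }
    [ "$b" -lt "$e" ] || { echo "block must precede encrypt" >&2; return 1; }
    [ "$e" -lt "$f" ] || { echo "encrypt must precede filesystems" >&2; return 1; }
    if [ "$needs_lvm" = yes ]; then
        [ "$l" -gt 0 ] || { echo "lvm2 hook missing although root is on LVM" >&2; return 1; }
        [ "$l" -lt "$f" ] || { echo "lvm2 must precede filesystems" >&2; return 1; }
    fi
    return 0
}

# write_sample_conf FILE -> writes a constructed mkinitcpio.conf (sample data,
# not a real system file) so the checker can be exercised offline
write_sample_conf() {
    printf '%s\n' \
        '# constructed sample mirroring the LUKS on LVM hook line of this page' \
        'MODULES=""' \
        'HOOKS="base udev autodetect modconf block encrypt lvm2 filesystems keyboard fsck"' \
        > "$1"
}

# Stand-alone run: write the sample, extract its hook line and check it as an
# LVM-backed root.
sample=$(mktemp)
write_sample_conf "$sample"
if check_hooks "$(extract_hooks "$sample")" yes; then
    echo "HOOKS line is consistent"
fi
rm -f "$sample"
```

Run it against a real file with `check_hooks "$(extract_hooks /etc/mkinitcpio.conf)" yes` before regenerating the initramfs; a non-zero exit and the reason on stderr point at the hook that is out of place.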

Configuring the boot loader

In order to unlock the encrypted root partition at boot, the following kernel
parameters need to be set by the boot loader:

cryptdevice=/dev/lvm/lvroot:root root=/dev/mapper/root

See Dm-crypt/System configuration#Boot loader for details.

Configuring fstab and crypttab

/etc/fstab

/dev/mapper/root / ext4 defaults 0 1
/dev/sda1 /boot ext4 defaults 0 2
/dev/mapper/tmp /tmp ext2 defaults 0 0
/dev/mapper/swap none swap sw 0 0

The following crypttab options will re-encrypt the temporary filesystems each
reboot:

/etc/crypttab

swap /dev/lvm/swap /dev/urandom swap,cipher=aes-xts-plain64,size=256
tmp /dev/lvm/tmp /dev/urandom tmp,cipher=aes-xts-plain64,size=256


Encrypting logical volume /home

Since this scenario uses LVM as the primary and dm-crypt as secondary mapper,
each encrypted logical volume requires its own encryption. Yet, unlike the
temporary filesystems configured with volatile encryption above, the logical
volume for /home should be persistent, of course. The following assumes you have
rebooted into the installed system, otherwise you have to adjust paths. To save
on entering a second passphrase at boot for it, a keyfile is created:

# mkdir -m 700 /etc/luks-keys
# dd if=/dev/random of=/etc/luks-keys/home bs=1 count=256

The logical volume is encrypted with it:

# cryptsetup luksFormat -v -s 512 /dev/lvm/home /etc/luks-keys/home
# cryptsetup -d /etc/luks-keys/home open --type luks /dev/lvm/home home
# mkfs -t ext4 /dev/mapper/home
# mount /dev/mapper/home /home

The encrypted mount is configured in crypttab:

/etc/crypttab

home /dev/lvm/home /etc/luks-keys/home

/etc/fstab

/dev/mapper/home /home ext4 defaults 0 2

and setup is done.

If you want to expand the logical volume for /home (or any other volume) at a later
point, it is important to note that the LUKS encrypted part has to be resized as
well. For a procedure see Dm-crypt/Specialties#Expanding LVM on multiple
disks.
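In the LUKS on LVM scenario every /dev/mapper/NAME that fstab mounts has to be created by something before the mount is attempted: the root mapper by the encrypt hook (the NAME in the cryptdevice=...:NAME kernel parameter) and every other one by a crypttab line whose first field is NAME. A name present in fstab but in neither place fails at boot. The checker below is an added example and not part of the ArchWiki page; it parses constructed fstab, crypttab and kernel-command-line samples that mirror the entries above, and the sample crypttab omits the home line on purpose so that the check has something to report. Function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: cross-check /etc/fstab against
# /etc/crypttab and the kernel command line. Every /dev/mapper/NAME that fstab
# mounts must be provided either by the encrypt hook (cryptdevice=<dev>:NAME)
# or by systemd-cryptsetup (a crypttab line whose first field is NAME).
# Sample contents and function names are this example's own.

# mapper_names FSTAB_TEXT -> NAME for every /dev/mapper/NAME mounted in fstab
mapper_names() {
    printf '%s\n' "$1" | sed -n 's#^[[:space:]]*/dev/mapper/\([^[:space:]]*\).*#\1#p'
}

# crypttab_names CRYPTTAB_TEXT -> first field of every non-comment line
crypttab_names() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*\([^#[:space:]][^[:space:]]*\).*/\1/p'
}

# cmdline_mapper CMDLINE -> NAME from cryptdevice=<device>:NAME[:options]
cmdline_mapper() {
    for _kv in $1; do
        case $_kv in
            cryptdevice=*)
                _v=${_kv#cryptdevice=}   # <device>:NAME[:options]
                _v=${_v#*:}              # NAME[:options]
                printf '%s\n' "${_v%%:*}"
                return 0
                ;;
        esac
    done
    printf '\n'
}

# check_mappings FSTAB_TEXT CRYPTTAB_TEXT CMDLINE -> 0 when every mapped device
# in fstab is accounted for, 1 otherwise (each unresolved name goes to stderr)
check_mappings() {
    root_map=$(cmdline_mapper "$3")
    known=$(crypttab_names "$2")
    missing=0
    for name in $(mapper_names "$1"); do
        [ "$name" = "$root_map" ] && continue
        found=0
        for k in $known; do
            [ "$k" = "$name" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "$name: mounted via fstab but neither the cryptdevice root nor in crypttab" >&2
            missing=1
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed samples mirroring the LUKS on LVM scenario. The crypttab
# deliberately lacks the home entry so the checker has something to report.
SAMPLE_FSTAB='/dev/mapper/root      /      ext4  defaults        0 1
/dev/sda1             /boot  ext4  defaults        0 2
/dev/mapper/tmp       /tmp   ext2  defaults        0 0
/dev/mapper/swap      none   swap  sw              0 0
/dev/mapper/home      /home  ext4  defaults        0 2'

SAMPLE_CRYPTTAB='swap /dev/lvm/swap /dev/urandom swap,cipher=aes-xts-plain64,size=256
tmp  /dev/lvm/tmp  /dev/urandom tmp,cipher=aes-xts-plain64,size=256'

SAMPLE_CMDLINE='cryptdevice=/dev/lvm/lvroot:root root=/dev/mapper/root'

# Stand-alone run: prints "home: ..." on stderr; adding the line
# "home /dev/lvm/home /etc/luks-keys/home" to the crypttab makes it pass.
if check_mappings "$SAMPLE_FSTAB" "$SAMPLE_CRYPTTAB" "$SAMPLE_CMDLINE"; then
    echo "all mapped devices in fstab are accounted for"
fi
```

On an installed system the same check runs as `check_mappings "$(cat /etc/fstab)" "$(cat /etc/crypttab)" "$(cat /proc/cmdline)"`; note that it treats every /dev/mapper entry as a dm-crypt mapping, so on an LVM on LUKS layout the logical volumes (created by LVM, not crypttab) would have to be filtered out first.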

LUKS on software RAID

Plain dm-crypt
This scenario sets up a system on a full disk encrypted with dm-crypt plain
mode. Note that for most use cases, the methods using LUKS described
above are the better options for both system encryption and encrypted partitions.
LUKS features like key management with multiple pass-phrases/key-files are
unavailable with plain mode.

dm-crypt plain mode does not require a header on the encrypted disk: this means
that an unpartitioned, encrypted disk will be indistinguishable from a disk filled
with random data, which is the desired attribute for this scenario, see also
Wikipedia:Deniable encryption.

Plain dm-crypt encrypted disks can be more resilient to damage than LUKS
encrypted disks, because it does not rely on an encryption master-key which can
be a single-point of failure if damaged. However, using plain mode also requires
more manual configuration of encryption options to achieve the same
cryptographic strength. See also Disk encryption#Cryptographic metadata.

Tip: If headerless encryption is your goal but you are unsure about the lack of
key-derivation with plain mode, then two alternatives are:

tcplay which offers headerless encryption but with the PBKDF2 function, or
dm-crypt LUKS mode by using the cryptsetup --header option. It cannot be
used with the standard encrypt hook, but the hook may be modified.

The scenario uses a USB stick for the boot device and another one to store the
encryption key. The disk layout is:

+--------------------+------------------+--------------------+ +---------------+ +---------------+
|Volume 1: |Volume 2: |Volume 3: | |Boot device | |Encryption key |
| | | | | | |file storage |
|root |swap |home | |/boot | |(unpartitioned |
| | | | | | |in example) |
|/dev/store/root |/dev/store/swap |/dev/store/home | |/dev/sdY1 | |/dev/sdZ |
|--------------------+------------------+--------------------| |---------------| |---------------|
|disk drive /dev/sdaX encrypted using plain mode and LVM | |USB stick 1 | |USB stick 2 |
+------------------------------------------------------------+ +---------------+ +---------------+

/boot and the boot loader cannot be kept on the encrypted drive, or it would defeat
the purpose of using plain mode for deniable encryption. This also allows storing
the options required to open/unlock the plain encrypted device in the boot loader
configuration, since typing them on each boot would be error prone.

This scenario also uses a key file, assuming it is stored as raw bits on a second USB
stick, so that to the eyes of an unaware attacker who might get hold of the USB key the
encryption key will appear as random data instead of being visible as a normal
file. See also Wikipedia:Security through obscurity; follow Dm-crypt/Device
encryption#Keyfiles to prepare the keyfile.

Tip:

It is also possible to use a single USB key by copying the keyfile to the
initramfs directly. An example keyfile /etc/keyfile gets copied to the initramfs
image by setting FILES="/etc/keyfile" in /etc/mkinitcpio.conf . The way to
instruct the encrypt hook to read the keyfile in the initramfs image is using
the rootfs: prefix before the filename, e.g. cryptkey=rootfs:/etc/keyfile .
Another option is using a passphrase with good entropy.

Preparing the disk

It is vital that the mapped device is filled with data. In particular this applies to
the use case of this scenario.

See Dm-crypt/Drive preparation and Dm-crypt/Drive preparation#dm-crypt
specific methods.

Preparing the non-boot partitions

See Dm-crypt/Device encryption#Encryption options for plain mode for details.

Using the device /dev/sdX , with the twofish-xts cipher with a 512 bit key size and
using a keyfile we have the following options for this scenario:

# cryptsetup --hash=sha512 --cipher=twofish-xts-plain64 --offset=0 --key-file=/dev/sdZ --key-size=512 open --type=plain /dev/sdX enc

Unlike encrypting with LUKS, the above command must be executed in full
whenever the mapping needs to be re-established, so it is important to remember
the cipher, hash and key file details.

We can now check a mapping entry has been made for /dev/mapper/enc :

# fdisk -l

Next, we setup LVM logical volumes on the mapped device, see LVM#Installing
Arch Linux on LVM for further details:

# pvcreate /dev/mapper/enc
# vgcreate store /dev/mapper/enc
# lvcreate -L 20G store -n root
# lvcreate -L 10G store -n swap
# lvcreate -l 100%FREE store -n home

We format and mount them and activate swap, see File systems#Format a device
for further details:

# mkfs.ext4 /dev/store/root
# mkfs.ext4 /dev/store/home
# mount /dev/store/root /mnt
# mkdir /mnt/home
# mount /dev/store/home /mnt/home
# mkswap /dev/store/swap
# swapon /dev/store/swap

Preparing the boot partition

The /boot partition can be installed on the standard vfat partition of a USB stick,
if required. But if manual partitioning is needed, then a small 200MB partition is
all that is required. Create the partition using a partitioning tool of your choice.

We choose a non-journalling file system to preserve the flash memory of the /boot
partition, if not already formatted as vfat:

# mkfs.ext2 /dev/sdY1
# mkdir /mnt/boot
# mount /dev/sdY1 /mnt/boot

Configuring mkinitcpio

Add the encrypt and lvm2 hooks to mkinitcpio.conf:

/etc/mkinitcpio.conf

HOOKS="... encrypt lvm2 ... filesystems ..."

See dm-crypt/System configuration#mkinitcpio for details and other hooks that
you may need.

Configuring the boot loader

In order to boot the encrypted root partition, the following kernel parameters
need to be set by the boot loader:

cryptdevice=/dev/sdX:enc cryptkey=/dev/sdZ:0:512 crypto=sha512:twofish-xts-plain64:512:0:

See Dm-crypt/System configuration#Boot loader for details and other parameters
that you may need.
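Because plain mode stores no header, the hash, cipher, key size, offset and key location have to be identical in the manual cryptsetup open command and in the cryptdevice=, cryptkey= and crypto= kernel parameters; a single mismatched field yields a mapping that decrypts to garbage. The script below is an added example and not part of the ArchWiki page: it keeps the values of this scenario in one place, prints both the open command and the kernel parameters from them, and checks a given kernel command line against them. The variable and function names are this example's own; it assumes, as the encrypt hook does, that the last field of cryptkey=device:offset:size is a byte count read from the key device.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: keep the manual cryptsetup
# invocation and the boot-loader parameters of a plain-mode root in step.
# Plain mode stores no header, so every parameter must be reproduced exactly
# on each open; this keeps them in one place and verifies a kernel command
# line against them. Values mirror the scenario above; names are this
# example's own.

PLAIN_DEVICE=/dev/sdX             # disk encrypted in plain mode
PLAIN_MAPNAME=enc                 # name under /dev/mapper
PLAIN_KEYDEV=/dev/sdZ             # raw key material on the second USB stick
PLAIN_KEYBYTES=512                # bytes read from PLAIN_KEYDEV (cryptkey=...:0:512)
PLAIN_HASH=sha512
PLAIN_CIPHER=twofish-xts-plain64
PLAIN_KEYSIZE=512                 # bits, as for --key-size
PLAIN_OFFSET=0

# plain_open_cmd -> the full cryptsetup command needed to re-establish the mapping
plain_open_cmd() {
    printf 'cryptsetup --hash=%s --cipher=%s --offset=%s --key-file=%s --key-size=%s open --type=plain %s %s\n' \
        "$PLAIN_HASH" "$PLAIN_CIPHER" "$PLAIN_OFFSET" "$PLAIN_KEYDEV" "$PLAIN_KEYSIZE" \
        "$PLAIN_DEVICE" "$PLAIN_MAPNAME"
}

# plain_kernel_params -> the matching cryptdevice= / cryptkey= / crypto= parameters;
# crypto= is <hash>:<cipher>:<keysize>:<offset>:<skip>, skip left empty as on the page
plain_kernel_params() {
    printf 'cryptdevice=%s:%s cryptkey=%s:0:%s crypto=%s:%s:%s:%s:\n' \
        "$PLAIN_DEVICE" "$PLAIN_MAPNAME" "$PLAIN_KEYDEV" "$PLAIN_KEYBYTES" \
        "$PLAIN_HASH" "$PLAIN_CIPHER" "$PLAIN_KEYSIZE" "$PLAIN_OFFSET"
}

# param_value CMDLINE NAME -> value of NAME=... on the command line ("" if absent)
param_value() {
    for _kv in $1; do
        case $_kv in
            "$2"=*) printf '%s\n' "${_kv#*=}"; return 0 ;;
        esac
    done
    printf '\n'
}

# field STRING N -> N-th colon-separated field of STRING
field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# check_plain_cmdline CMDLINE -> 0 when the command line reproduces the values
# above, 1 (with the first mismatch on stderr) otherwise
check_plain_cmdline() {
    dev=$(param_value "$1" cryptdevice)
    key=$(param_value "$1" cryptkey)
    cry=$(param_value "$1" crypto)
    [ -n "$dev" ] && [ -n "$key" ] && [ -n "$cry" ] \
        || { echo "cryptdevice, cryptkey and crypto are all required" >&2; return 1; }
    [ "$(field "$dev" 1)" = "$PLAIN_DEVICE" ]   || { echo "cryptdevice: device mismatch" >&2; return 1; }
    [ "$(field "$dev" 2)" = "$PLAIN_MAPNAME" ]  || { echo "cryptdevice: mapper name mismatch" >&2; return 1; }
    [ "$(field "$key" 1)" = "$PLAIN_KEYDEV" ]   || { echo "cryptkey: key device mismatch" >&2; return 1; }
    [ "$(field "$key" 3)" = "$PLAIN_KEYBYTES" ] || { echo "cryptkey: key length mismatch" >&2; return 1; }
    [ "$(field "$cry" 1)" = "$PLAIN_HASH" ]     || { echo "crypto: hash mismatch" >&2; return 1; }
    [ "$(field "$cry" 2)" = "$PLAIN_CIPHER" ]   || { echo "crypto: cipher mismatch" >&2; return 1; }
    [ "$(field "$cry" 3)" = "$PLAIN_KEYSIZE" ]  || { echo "crypto: key size mismatch" >&2; return 1; }
    [ "$(field "$cry" 4)" = "$PLAIN_OFFSET" ]   || { echo "crypto: offset mismatch" >&2; return 1; }
    return 0
}

# Stand-alone run: show both forms and confirm they agree.
echo "open command:  $(plain_open_cmd)"
echo "kernel params: $(plain_kernel_params)"
check_plain_cmdline "$(plain_kernel_params)" && echo "kernel parameters match the open command"
```

After a boot-loader change, `check_plain_cmdline "$(cat /proc/cmdline)"` confirms the parameters the system actually booted with still match the values the disk was encrypted with.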


Tip: If using GRUB, you can install it on the same USB as the /boot partition
with:

# grub-install --recheck /dev/sdY

Post-installation

You may wish to remove the USB sticks after booting. Since the /boot partition is
not usually needed, the noauto option can be added to the relevant line in
/etc/fstab :

/etc/fstab

# /dev/sdYn
/dev/sdYn /boot ext2 noauto,rw,noatime 0 2

However, when an update to the kernel or bootloader is required, the /boot
partition must be present and mounted. As the entry in fstab already exists, it can
be mounted simply with:

# mount /boot

Encrypted boot partition (GRUB)

This setup utilizes the same partition layout and configuration for the system's
root partition as the previous #LVM on LUKS section, with two distinct
differences:

1. The setup is performed for an UEFI system and
2. A special feature of the GRUB bootloader is used to additionally encrypt the
boot partition /boot . See also GRUB#Boot partition.

The disk layout in this example is:

+---------------+----------------+----------------+----------------+----------------+
|ESP partition: |Boot partition: |Volume 1: |Volume 2: |Volume 3: |
| | | | | |
|/boot/efi |/boot |root |swap |home |
| | | | | |
| | |/dev/store/root |/dev/store/swap |/dev/store/home |
|/dev/sdaX |/dev/sdaY +----------------+----------------+----------------+
|unencrypted |LUKS encrypted |/dev/sdaZ encrypted using LVM on LUKS |
+---------------+----------------+--------------------------------------------------+


Tip: All scenarios are intended as examples. It is, of course, possible to apply
both of the two above distinct installation steps with the other scenarios as well.
See also the variants linked in #LVM on LUKS.

Preparing the disk

Prior to creating any partitions, you should inform yourself about the importance
and methods to securely erase the disk, described in Dm-crypt/Drive preparation.

Create an EFI System Partition (ESP) with an appropriate size, it will later be
mounted at /boot/efi .

Create a partition to be mounted at /boot of type 8300 with a size of 100 MB or
more.

Tip: When using the GRUB bootloader together with a BIOS/GPT, create a BIOS
Boot Partition as explained in GRUB#BIOS systems instead of the ESP.

Create a partition of type 8E00 , which will later contain the encrypted container.

Create the LUKS encrypted container at the "system" partition.

# cryptsetup luksFormat /dev/sdaZ

For more information about the available cryptsetup options see the LUKS
encryption options prior to above command.

Your partition layout should look similar to this:

gdisk /dev/sda

Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048         1050623   512.0 MiB  EF00  EFI System
   2         1050624         1460223   200.0 MiB  8300  Linux filesystem
   3         1460224        41943006   19.3 GiB   8E00  Linux LVM

Open the container:

# cryptsetup open --type luks /dev/sdaZ lvm

The decrypted container is now available at /dev/mapper/lvm .

Preparing the logical volumes


The LVM logical volumes of this example follow the exact layout as the previous
scenario. Therefore, please follow Preparing the logical volumes above or adjust
as required.

Preparing the boot partition

The bootloader loads the kernel, initramfs, and its own configuration files from
the /boot directory.

First, create the LUKS container where the files will be located and installed into:

# cryptsetup luksFormat /dev/sdaY

Next, open it:

# cryptsetup open /dev/sdaY cryptboot

Create a filesystem on the partition intended for /boot . Any filesystem that can be
read by the bootloader is eligible:

# mkfs.ext2 /dev/mapper/cryptboot

Create the directory /mnt/boot :

# mkdir /mnt/boot

Mount the partition to /mnt/boot :

# mount /dev/mapper/cryptboot /mnt/boot

Create a mountpoint for the ESP at /boot/efi for compatibility with grub-install
and mount it:

# mkdir /mnt/boot/efi
# mount /dev/sdaX /mnt/boot/efi

At this point, you should have the following partitions and logical volumes inside
of /mnt :

lsblk

NAME                    MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
sda                       8:0    0  200G  0 disk
├─sda1                    8:1    0  512M  0 part  /boot/efi
├─sda2                    8:2    0  200M  0 part
│ └─boot                254:0    0  198M  0 crypt /boot
└─sda3                    8:3    0  100G  0 part
  └─lvm                 254:1    0  100G  0 crypt
    ├─MyStorage-swapvol 254:2    0    8G  0 lvm   [SWAP]
    ├─MyStorage-rootvol 254:3    0   15G  0 lvm   /
    └─MyStorage-homevol 254:4    0   77G  0 lvm   /home

Afterwards continue with the installation procedure up to the mkinitcpio step.

Configuring mkinitcpio

Add the encrypt and lvm2 hooks to mkinitcpio.conf:

/etc/mkinitcpio.conf

HOOKS="... encrypt lvm2 ... filesystems ..."

See dm-crypt/System configuration#mkinitcpio for details and other hooks that
you may need.

Configuring the boot loader

In order to unlock the encrypted root partition at boot, the following kernel
parameters need to be set by the boot loader:

cryptdevice=UUID=<device-UUID>:lvm root=/dev/mapper/MyStorage-rootvol

See Dm-crypt/System configuration#Boot loader for details.

The <device-UUID> refers to the UUID of /dev/sdaZ (the LUKS container holding
the LVM in this layout), see Persistent block device naming for details.

Now we prepare the GRUB bootloader installation to recognize the LUKS
encrypted /boot partition according to GRUB#Boot partition.

Open /etc/default/grub and add the parameter to the end:

GRUB_ENABLE_CRYPTODISK=y

Create the GRUB menu configuration file:

# grub-mkconfig -o /boot/grub/grub.cfg


Install GRUB to the mounted ESP:

# grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub --recheck

If this finished without errors, GRUB should prompt for the passphrase to unlock
the /boot partition after the next reboot.

Configuring fstab and crypttab

This section deals with extra configuration to let the system mount the encrypted
/boot .

While GRUB asks for a passphrase to unlock the encrypted /boot after above
instructions, the partition unlock is not passed on to the initramfs. Hence, /boot
will not be available after the system has re-/booted, because the encrypt hook
only unlocks the system's root.

If you used the genfstab script during installation, it will have generated
/etc/fstab entries for the /boot and /boot/efi mount points already, but the system
will fail to find the generated device mapper for the boot partition. To make it
available, add it to crypttab. For example:

/etc/crypttab

cryptboot /dev/sdaY none luks

will make the system ask for the passphrase again (i.e. you have to enter it twice
at boot: once for GRUB and once for systemd init). To avoid the double entry for
unlocking /boot , follow the instructions at Dm-crypt/Device encryption#Keyfiles
to:

1. Create a randomtext keyfile,
2. Add the keyfile to the ( /dev/sdaY ) boot partition's LUKS header and
3. Check the /etc/fstab entry and add the /etc/crypttab line to unlock it
automatically at boot.

If for some reason the keyfile fails to unlock the boot partition, systemd will
fall back to asking for a passphrase to unlock it and, in case that is correct,
continue booting.

Tip: Optional post-installation steps:

It may be worth considering to add the GRUB bootloader to the ignore list
of /etc/pacman.conf in order to take particular control of when the bootloader
(which includes its own encryption modules) is updated.

If you want to encrypt the /boot partition to protect against offline
tampering threats, the mkinitcpio-chkcryptoboot hook has been contributed
to help.

Retrieved from "https://wiki.archlinux.org/index.php?title=Dm-crypt/Encrypting_an_entire_system&oldid=423749"

Categories: Encryption File systems Getting and installing Arch

This page was last modified on 3 March 2016, at 07:55.


Content is available under GNU Free Documentation License 1.3 or later
unless otherwise noted.
