Partitioning: /boot and dm-crypt/LUKS

This is a continuation to my first post on writing random data to the disk.

(Warning: This setup supposes you already erased the data on the disk, or that you don’t care.)

Partitioning is easy. My partition table:

# fdisk -l /dev/sda

Disk /dev/sda: 250.1 GB, 250059350016 bytes
255 heads, 63 sectors/track, 30401 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0xa6c04c66

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1               1          17      136521   83  Linux
/dev/sda2              18       30401   244059480   83  Linux

/dev/sda1 is mounted on /boot, is ext2 and has 131MB (this is probably overkill);
the rest of the disk is /dev/sda2, which holds a LUKS encrypted partition. How to do that?

First, you need to boot from a live-cd or pen drive. Then, as root, type

fdisk /dev/sda

(Adjust accordingly. You can see all your disks with fdisk -l. Here I’m testing with /dev/red/test)

Then, create the partitions:

# fdisk /dev/red/test
Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel
Building a new DOS disklabel with disk identifier 0x49b873cc.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.

The number of cylinders for this disk is set to 13674.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
   (e.g., DOS FDISK, OS/2 FDISK)
Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)

Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
Partition number (1-4): 1
First cylinder (1-13674, default 1):
Using default value 1
Last cylinder, +cylinders or +size{K,M,G} (1-13674, default 13674): +128M

Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
Partition number (1-4): 2
First cylinder (18-13674, default 18):
Using default value 18
Last cylinder, +cylinders or +size{K,M,G} (18-13674, default 13674):
Using default value 13674

Command (m for help): p

Disk /dev/red/test: 112.5 GB, 112474456064 bytes
255 heads, 63 sectors/track, 13674 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x49b873cc

        Device Boot      Start         End      Blocks   Id  System
/dev/red/test1               1          17      136521   83  Linux
/dev/red/test2              18       13674   109699852+  83  Linux

n is the command for creating new partitions; p is the command for showing the table. (More here or on the man page)

This will set up two partitions: one of ~128MB (the first one, for /boot; change the +128M bit if you want something else), and another with the rest of the disk. If you are ok with it, you then use w to write (if not, just type q):

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.

WARNING: Re-reading the partition table failed with error 22: Invalid argument.
The kernel still uses the old table. The new table will be used at
the next reboot or after you run partprobe(8) or kpartx(8)
Syncing disks.

If this message appears, you need to reboot; if not, you now have /dev/sda1 and /dev/sda2 (or whatever your disk is). Then do:

mke2fs /dev/sda1

This will make a simple ext2 filesystem on /dev/sda1. You don’t need more than that.

Then the interesting part, luks:

cryptsetup luksFormat /dev/sda2

It will ask for YES, then for a password. (This will use the default cipher. Here is some discussion on choosing a cipher. You can set a cipher with --cipher; aes-cbc-essiv:sha256 is probably sufficient.)

then, open it:

cryptsetup luksOpen /dev/sda2 vault

It will ask for your password and open the encrypted partition into /dev/mapper/vault. Anything you would do with /dev/sda2 if it were unencrypted, you will now do with /dev/mapper/vault. So let’s create an lvm volume:

pvcreate /dev/mapper/vault
vgcreate vg /dev/mapper/vault

It now created a volume group named vg (you can name it the way you prefer; here it’s red). All your partitions inside it will be accessible as /dev/vg/something (or /dev/mapper/vg-something). Ok, partitions:

lvcreate -C y -n swap -L 2G vg
lvcreate -n root -L 16G vg
lvcreate -n home -l 100%FREE vg

Here I created /dev/vg/swap with 2GB (to hibernate safely, you should give it at least your amount of RAM), /dev/vg/root with 16GB and /dev/vg/home with the rest. But you should leave some free space if you plan to have snapshots.

Then, formatting!

mke2fs -t ext4 /dev/vg/root
mke2fs -t ext4 /dev/vg/home

It’s bare ext4. You can use ext3 or another filesystem if you prefer. And that’s it. But what would /etc/fstab look like? Something like this:

/dev/sda1      /boot     ext2 defaults,sync,noatime 0 2

/dev/vg/root   /         ext4 defaults,noatime      0 1
/dev/vg/home   /home     ext4 defaults,noatime      0 2

/dev/vg/swap   none      swap defaults              0 0

devpts         /dev/pts  devpts  defaults           0 0
proc           /proc     proc    defaults           0 0

I use noatime for better performance (it may break a program called mutt, which I don’t use); tune it to your needs.
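A mistyped option or a wrong fsck pass in that file is only discovered at the next boot, when the root filesystem sits inside LUKS and LVM and is awkward to reach from a rescue shell, so it is worth checking before rebooting. The following is an added example, not part of the original post: a small fstab linter in POSIX sh and awk. The two fstab files it checks are constructed here from the layout above; one of them carries a deliberate one-letter typo in the swap line’s options field. The list of accepted mount options is an assumption of this check and should be extended for your own mounts.

```shell
#!/bin/sh
# Added example (not from the original post): lint an fstab before rebooting.
# Checks: six fields per entry, only known mount options, fsck pass 1 on /
# and nowhere else, pass 0 on swap, and that a root entry exists at all.
check_fstab() {
    awk '
    BEGIN {
        # Assumed whitelist of options; errors=... and pri=... are matched on the key only.
        n = split("defaults noatime relatime sync ro rw nosuid nodev noexec discard auto noauto errors pri", k, " ")
        for (i = 1; i <= n; i++) known[k[i]] = 1
        bad = 0; seen_root = 0
    }
    /^[ \t]*#/ { next }
    NF == 0 { next }
    {
        if (NF != 6) {
            printf "line %d: expected 6 fields, got %d\n", NR, NF; bad = 1; next
        }
        m = split($4, opts, ",")
        for (i = 1; i <= m; i++) {
            o = opts[i]; sub(/=.*/, "", o)          # errors=remount-ro -> errors
            if (!(o in known)) {
                printf "line %d: unknown option \"%s\" for %s\n", NR, opts[i], $2; bad = 1
            }
        }
        if ($2 == "/") {
            seen_root = 1
            if ($6 != 1) { printf "line %d: root must have fsck pass 1\n", NR; bad = 1 }
        } else if ($3 == "swap") {
            if ($6 != 0) { printf "line %d: swap must have fsck pass 0\n", NR; bad = 1 }
        } else if ($6 == 1) {
            printf "line %d: only / may use fsck pass 1\n", NR; bad = 1
        }
    }
    END {
        if (!seen_root) { print "no entry for /"; bad = 1 }
        exit bad
    }' "$1"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
GOOD="$WORK/fstab.good"
BAD="$WORK/fstab.bad"

# Constructed sample: the layout from the post, written correctly.
cat > "$GOOD" <<'EOF'
/dev/sda1      /boot     ext2    defaults,sync,noatime 0 2
/dev/vg/root   /         ext4    defaults,noatime      0 1
/dev/vg/home   /home     ext4    defaults,noatime      0 2
/dev/vg/swap   none      swap    defaults              0 0
devpts         /dev/pts  devpts  defaults              0 0
proc           /proc     proc    defaults              0 0
EOF

# Constructed sample: the same layout with "defauls" on the swap line.
sed 's/swap    defaults/swap    defauls /' "$GOOD" > "$BAD"

if check_fstab "$GOOD"; then echo "$GOOD: ok"; fi
if ! check_fstab "$BAD"; then echo "$BAD: rejected"; fi
```

Run it as `sh check_fstab.sh`; to lint the real file call `check_fstab /etc/fstab` and look at the exit status. The check is deliberately strict about fsck pass numbers because the boot-time ordering of fsck depends on them, and it treats any option it does not know as an error rather than a warning, since "defauls" and "defaults" look alike at a glance.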

If you want to manually access the files, you need to do:

cryptsetup luksOpen /dev/sda2 vault
vgchange -ay

This will make /dev/vg/root, etc. appear. But you will usually want it mounted at boot (especially if your root partition is inside it!), so you will need a compatible initramfs (some distros come with one; otherwise you have to build your own).
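The whole sequence above, from luksFormat through pvcreate/vgcreate/lvcreate to mke2fs, plus the luksOpen and vgchange -ay pair for later manual access, as one POSIX sh script. This is an added example and not the post’s own script: the device (/dev/sda2), mapper name (vault), group name (vg) and volume sizes are the post’s values taken as defaults and can be overridden through the environment. What the post does not spell out, and this script adds, is a pre-flight check that refuses to luksFormat a device that is not a block device, is mounted, or already has something stacked on it, and the mkswap call the swap volume needs before it can be used. DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post: the LUKS + LVM layout as one
# script with pre-flight checks. Values below are assumptions taken from the
# post; override via environment (DEV=/dev/sdb2 VG=red sh layout.sh run).

DEV="${DEV:-/dev/sda2}"          # partition that becomes the LUKS container
MAPNAME="${MAPNAME:-vault}"      # opened as /dev/mapper/$MAPNAME
VG="${VG:-vg}"                   # volume group name
SWAP_SIZE="${SWAP_SIZE:-2G}"
ROOT_SIZE="${ROOT_SIZE:-16G}"
DRY_RUN="${DRY_RUN:-0}"

# Either run a command or print it, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# luksFormat asks for YES once and then destroys whatever is on the device,
# so refuse anything that is not a block device, is mounted, or already has
# a holder (an open LUKS mapping or an active PV) stacked on top of it.
preflight() {
    dev="$1"
    if [ ! -b "$dev" ]; then
        echo "preflight: $dev is not a block device" >&2
        return 1
    fi
    if grep -q "^$dev " /proc/mounts 2>/dev/null; then
        echo "preflight: $dev is mounted, unmount it first" >&2
        return 1
    fi
    holders="/sys/class/block/$(basename "$dev")/holders"
    if [ -d "$holders" ] && [ -n "$(ls "$holders")" ]; then
        echo "preflight: $dev is in use by $(ls "$holders")" >&2
        return 1
    fi
    return 0
}

# The full layout. mkswap is not in the post but is needed before the
# swap volume can be swapped on.
provision() {
    if [ "$DRY_RUN" != 1 ]; then
        preflight "$DEV" || return 1
    fi
    run cryptsetup luksFormat "$DEV"
    run cryptsetup luksOpen "$DEV" "$MAPNAME"
    run pvcreate "/dev/mapper/$MAPNAME"
    run vgcreate "$VG" "/dev/mapper/$MAPNAME"
    run lvcreate -C y -n swap -L "$SWAP_SIZE" "$VG"
    run lvcreate -n root -L "$ROOT_SIZE" "$VG"
    run lvcreate -n home -l 100%FREE "$VG"
    run mkswap "/dev/$VG/swap"
    run mke2fs -t ext4 "/dev/$VG/root"
    run mke2fs -t ext4 "/dev/$VG/home"
}

# Later maintenance from a live system: open the container and activate
# the group, or tear both down again in the reverse order.
open_vault() {
    run cryptsetup luksOpen "$DEV" "$MAPNAME"
    run vgchange -ay "$VG"
}
close_vault() {
    run vgchange -an "$VG"
    run cryptsetup luksClose "$MAPNAME"
}

case "${1:-}" in
    run)   provision ;;
    open)  open_vault ;;
    close) close_vault ;;
esac
```

`DRY_RUN=1 sh layout.sh run` shows the exact commands that would be executed for your values before anything is written; `sh layout.sh open` and `sh layout.sh close` are the manual-access pair, with the teardown done in reverse order because the LUKS mapping cannot be closed while the volume group on top of it is still active.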

I will post here how to install a Debian system from this point on. (Some links: a much more concise howto, a doc on lvm, also this subject on the gentoo wiki, multiple times, and also on the arch wiki.)


About Elias

Some random geek
This entry was posted in Linux.
