HOWTO: Install SolydX with encryption on LVM

vilbjoern
Posts: 16
Joined: 23 Aug 2013 11:40
Location: Rørvig, Denmark

HOWTO: Install SolydX with encryption on LVM

Postby vilbjoern » 26 Aug 2013 21:05

SolydX doesn't come with 'native' encryption and LVM volume system. I want these features, and as I have made something similar in the past, I decided to do it 'by hand'.

There is an excellent posting from 'hashstat' over at Linux Mint Forum from 2011 with instructions for doing this kind of installation ( http://forums.linuxmint.com/viewtopic.php?f=141&t=71159). But it's somewhat outdated and not entirely applicable for SolydXK, so I made notes of the installation intending to make this howto about it.

I'm not native English speaking, so be prepared for some linguistic chaos here and there :-)

What is LVM (from wikipedia):
LVM is a logical volume manager for the Linux kernel; it manages disk drives and similar mass-storage devices. The term "volume" refers to a disk drive or partition thereof...
LVM is suitable for:
  • Managing large hard disk farms by letting you add disks, replace disks, copy and share contents from one disk to another without disrupting service (hot swapping).
  • On small systems (like a desktop at home), instead of having to estimate at installation time how big a partition might need to be in the future, LVM allows you to resize your disk partitions easily as needed.
  • Making backups by taking snapshots.
  • Creating single logical volumes of multiple physical volumes or entire hard disks (somewhat similar to RAID 0, but more similar to JBOD), allowing for dynamic volume resizing.
One can think of LVM as a thin software layer on top of the hard disks and partitions, which creates an illusion of continuity and ease-of-use for managing hard-drive replacement, repartitioning, and backup.
(http://en.wikipedia.org/wiki/Logical_Vo ... 28Linux%29)

What is encryption (from wikipedia):
Disk encryption is a technology which protects information by converting it into unreadable code that cannot be deciphered easily by unauthorized people. Disk encryption uses disk encryption software or hardware to encrypt every bit of data that goes on a disk or disk volume. Disk encryption prevents unauthorized access to data storage.
(http://en.wikipedia.org/wiki/Disk_encryption)

If you intend to try doing this yourself, following this howto, it's necessary that you:
  • know a little about Linux and computers
  • are not afraid of the command line (it should be possible to just follow the steps below, entering exactly what is written, answer questions with sensible answers and have your system up and running after some time - a long time, maybe - see below).
  • have patience - some of this takes rather a long time (urandomizing the partition may take several hours, even days if it is a big partition)
  • are curious - always use 'man [commandname]' to get an explanation of a command you don't understand
And be warned:

This will erase your entire drive - remember to back up anything important. And: It worked for me, but it may ruin your computer.

What we will do is this:
1. boot the live iso image, partition the harddisk, and prepare for the installation
2. fill one partition with random numbers
3. set up the encryption on that partition
4. create the volumes in that partition
5. populate the filesystem with the system files
6. make preliminary customization
7. reboot into the new system
8. configure a couple of things

1. Booting, partitioning and preparing
Boot the computer from a USB stick or CDrom drive.

a. When on the desktop, fire up GParted and make a new GPT partition table like this (notice: this will erase all on the drive, so anything on it that you want to keep has to be backed up before this step!):
  • 5 MB partition flagged bios_grub
  • 200 MB for /boot (without encryption - necessary for being able to boot)
  • the rest of the disk unformatted (for the encrypted LVM volumes)
ScottQuier has made a great howto about this (http://forums.solydxk.nl/viewtopic.php?f=9&t=1231), so look at that if you want further details about partitioning with GParted.

b. All the rest of the work is done at the command line. So open a terminal window.

c. Some tools have to be installed on top of the live system to encrypt, make volumes and populate the filesystem; this requires root privileges, as does the rest of the setup:

Code: Select all

$ sudo -s
d. The prompt changes, and we'll install the packages:

Code: Select all

# apt-get update && apt-get install cryptsetup lvm2 squashfs-tools
2. Fill partition with random numbers
It's considered a safe precaution to fill the entire partition with random numbers - this will make it more difficult for a stranger in the night to see what is data and what is empty space.

a. It works like this: dd is started in the background, and the loop sends it the USR1 signal every minute until dd is done, causing dd to print its progress every minute. So you'll be able to see the progress in the terminal.

Code: Select all

# dd if=/dev/urandom of=/dev/sda3 bs=1M & sleep 5; while kill -USR1 ${!}; do sleep 60; done
This takes a long time - around 20 minutes per 10 GB.

3. Set up encryption
When urandomized, it is time to set up the encryption. If you forget the passphrase that you use, you will never be able to unlock the drive again, and all will be lost. It's important to remember it - make a note of the passphrase with invisible ink - we're wearing tin foil hats :-)

a. Set up the encryption - give the passphrase:

Code: Select all

# cryptsetup luksFormat /dev/sda3
b. The partition is locked, to work on it we have to unlock it:

Code: Select all

# cryptsetup luksOpen /dev/sda3 sda3_crypt
4. Creating the volumes
Now we can make the volumes.

a. First make a variable to hold the name to avoid typing it several times:

Code: Select all

# VOLUME=/dev/mapper/sda3_crypt
b. Then initialize the partition:

Code: Select all

# pvcreate $VOLUME
c. Next create a volume group named 'volumes':

Code: Select all

# vgcreate volumes $VOLUME
d. Then make the volumes; if you want to have the possibility to suspend to ram, make swap the size of the ram on the machine. Besides the swap volume we make a volume for the system (/) and one for /home:

Code: Select all

# lvcreate -Z n -n system -L 48G volumes
# lvcreate -Z n -n swap -L 4G volumes
# lvcreate -Z n -n home -L 100G volumes
Replace the numbers with the numbers that suit your hardware.
These lines will give warnings that the volumes won't be zero'ed: the parameter '-Z n' means: don't zero the volume - why should we? We've placed random numbers all over the place for hours :-)

In case the summarized size of the volumes exceeds the total size of the volume group you will get an error message - rerun the command again with smaller size.

e. The new logical volumes are now created, they are symlinks to the actual places:

Code: Select all

# ls -al /dev/mapper
f. Setting up the volumes, make the swap partition & activate it:

Code: Select all

# mkswap -L swap /dev/mapper/volumes-swap
# swapon /dev/mapper/volumes-swap
g. Time to format the partitions/volumes:

Code: Select all

# mkfs -t ext2 -L boot /dev/sda2
# mkfs -t ext4 -L root /dev/mapper/volumes-system 
# mkfs -t ext4 -L home /dev/mapper/volumes-home
h. Prepare the filesystem, make mount points and mount the volumes on /mnt/solydxk just like they will be when in use on the machine after reboot, ie with what is now /mnt/solydxk as root (/):

Code: Select all

# mkdir /mnt/solydxk
# mount /dev/mapper/volumes-system /mnt/solydxk/
# mkdir /mnt/solydxk/home
# mkdir /mnt/solydxk/boot
# mount /dev/sda2 /mnt/solydxk/boot/
# mount /dev/mapper/volumes-home /mnt/solydxk/home
5. Populating the filesystem:
The live system is mounted as a squash file system.

a. Extract the files into /mnt/solydxk/

Code: Select all

# unsquashfs -f -d /mnt/solydxk/ /lib/live/mount/medium/solydxk/filesystem.squashfs
b. With your favorite editor (gedit, vi) make and edit the fstab file that will be used for mounting the filesystem when booting:

Code: Select all

# /etc/fstab: static file system information.
#
# <file system>         <mount point>   <type>  <options>       <dump>  <pass>
proc                            /proc   proc    defaults        0       0
/dev/mapper/volumes-swap        none    swap    sw              0       0
/dev/sda2                       /boot   ext2    defaults        0       2
/dev/mapper/volumes-system      /       ext4    errors=remount-ro   0   1
/dev/mapper/volumes-home        /home   ext4    defaults        0       2
If the computer has a cdrom drive add a line something like this:

Code: Select all

/dev/sdc0               /media/cdrom    udf,iso9660 user,noauto 0       0

6. Customizing the new installation
Having made an encrypted system edit /mnt/solydxk/etc/crypttab; if it doesn't exist create it:

a. The file will contain only one line; comment lines (starting with #) are said not always to be ignored:

Code: Select all

sda3_crypt      /dev/sda3       none    luks
b. The system must be prepared for running in chroot, almost as if it was booted:

Code: Select all

# cp /etc/resolv.conf /mnt/solydxk/etc/
# mount -o bind /dev /mnt/solydxk/dev
# mount -o bind /proc /mnt/solydxk/proc
# mount -o bind /sys /mnt/solydxk/sys
c. Now we'll run the system in chroot jail to be able to make the last changes:

Code: Select all

# chroot /mnt/solydxk/ /bin/bash
The prompt looked until now like this:

Code: Select all

solydxk solydxk #
and it will change to the following to indicate that we are in chroot:

Code: Select all

solydxk / #
Then we make some necessary changes to the new system:

d. First we remove all Live system packages and update the package list:

Code: Select all

# apt-get purge 'live-*' && apt-get update

e. Then we must install packages for encryption and LVM - if not, we will not be able to unlock the partition on boot.

Code: Select all

# apt-get install cryptsetup lvm2
f. A bug in plymouth causes an ugly unlocking screen and will prevent shutting down from the graphical interface (see below) - removing plymouth will get rid of that bug, but leaves us without the boot splash and gives instead a console with a lot of boot lines scrolling - I prefer that :-)

Code: Select all

# apt-get purge 'plymouth*' debian-plymouth-manager
If you have made changes to /etc/crypttab after installing cryptsetup you will need to update the initial ramdisk image:

Code: Select all

# update-initramfs -u
g. The bootloader GRUB must be set up. Check that the files needed for booting are where they are supposed to be:

Code: Select all

solydxk / # ls -al /boot/
total 25588
drwxr-xr-x  4 root root     1024 Aug 24 14:49 .
drwxr-xr-x 22 root root     4096 Aug 15 07:27 ..
-rw-r--r--  1 root root   145434 Jun 30 06:08 config-3.9-1-amd64
drwxr-xr-x  3 root root     5120 Aug 15 07:16 grub
-rw-r--r--  1 root root 21164804 Aug 24 14:49 initrd.img-3.9-1-amd64
drwx------  2 root root    12288 Aug 24 12:50 lost+found
-rw-r--r--  1 root root  2314311 Jun 30 06:08 System.map-3.9-1-amd64
-rw-r--r--  1 root root  2445696 Jun 30 06:06 vmlinuz-3.9-1-amd64
h. Update the grub config file and install grub on the harddisk:

Code: Select all

# update-grub
# grub-install /dev/sda
i. To personalize the new system we remove the user 'solydxk' and add a user - remember to make a note of the password:

Code: Select all

# deluser --remove-home solydxk
# adduser [username] 
# addgroup [username] sudo
j. If you prefer to have a separate root password:

Code: Select all

# passwd root
k. We need to be sure that we can log properly in, so edit the configuration file for the displaymanager that SolydX uses (/etc/lightdm/lightdm.conf), and comment two lines out like this:

Code: Select all

#autologin-user=solydxk
#autologin-user-timeout=0
l. We are almost there now, we'll leave the system saying properly goodbye:

Code: Select all

# exit

m. We're out of chroot now and close the doors behind us:

Code: Select all

# umount /mnt/solydxk/{dev,proc,sys}
n. ... and clean up:

Code: Select all

# umount /mnt/solydxk/home
# umount /mnt/solydxk/boot
# umount /mnt/solydxk
# sync
We will leave the root login and become ordinary user:

Code: Select all

# exit


7. Rebooting into the new system:
Reboot and the boot process will stop at a console screen - fair enough, we'll have to give the passphrase for unlocking the encrypted partition.

Code: Select all

Loading, please wait ...
    Volume group "volumes" not found
    Skipping volume group volumes
Unable to find LVM volume volumes/system
Unlocking the disk /dev/sda3 (sda3_crypt)
Enter passphrase: :
Typing in the passphrase (you can't see anything of what you type) and hitting <Enter> will continue the boot, and the Log In screen should appear properly. Log in and the system is up.

8. Final Configuration of the new system:
The configuration that should have taken place during an 'ordinary' install is missing of course (timezone, keyboard, etc). Let's do it now. Log in as your user and open a terminal; to set the timezone, type:

Code: Select all

$ sudo dpkg-reconfigure tzdata
We give our password and are presented with a screen that lets us navigate to our timezone.
If we want to give our new system another hostname instead of 'solydxk', continue in the terminal:

Code: Select all

$ sudo hostname [newname]
$ hostname 
In the above commands, first replace [newname] with the hostname wanted; the second command then checks it.
To make the change permanent, continue:

Code: Select all

sudo cp /etc/hosts /etc/hosts.orig
... copies the original file as a sort of back up, then with the editor of choice (eg. vi, gedit) replace the line:

Code: Select all

127.0.1.1       bilskir
#with this line:
127.0.1.1       [newname]
Then edit the file /etc/hostname and replace 'solydxk' with the [newname].

At last we will configure the keyboard. At first for the console; in the terminal type:

Code: Select all

$ sudo dpkg-reconfigure keyboard-configuration
Navigate to the correct keyboard, use <Tab> to go to bottom line and choose OK or Cancel, then continue with the layout of the keyboard. The last point is whether you want to use <ctrl><alt><Backspace> to terminate the graphics server; this might be a good idea if you want to experiment with the graphics resolution.
Having finished this we get a warning:

Code: Select all

update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
... meaning that the changes have not taken effect, not until reboot. But we can cope with that:

Code: Select all

$ sudo invoke-rc.d keyboard-setup start
The changes should have been committed now, and in console (<ctrl><alt>F1 - <ctrl><alt>F6 & return to graphics screen <ctrl><alt>F7) you may log in and see this.

The keyboard in the graphics screen has not been changed. To do this choose 'Settings' from the menu, and click the 'Layout' tab, then choose the keyboard model; if your language is not in the keyboard layout box, click 'Add' and choose your language. Highlight the language in the layout box, and choose 'Close'. You are done, changes will take place if you log out & log in again.

We should be done now - happy computing :-)

The plymouth bug
The plymouth bug I mentioned above is apparently known. At Ubuntu Launchpad there is a filed bug from 2010 describing this behavior (https://bugs.launchpad.net/ubuntu/+sour ... bug/566818). It's a bug in plymouth, the bootsplash for Linux that also handles user interaction during boot. Apparently plymouth also affects shutdown & reboot. Without removing plymouth the splash screen will show up and the progress bar will stop after a short while without any message. Typing <Esc> will terminate the splash screen and show a console with a message telling us to enter the passphrase. When we then do that, every time we type a character the console will echo the message: "Unlocking the disk /dev/sda3 (sda3_crypt)" followed by: "Enter passphrase: :" with an asterisk for every character we have typed, thus:

Code: Select all

Unlocking the disk /dev/sda3 (sda3_crypt)
Unlocking the disk /dev/sda3 (sda3_crypt)
Unlocking the disk /dev/sda3 (sda3_crypt)
Unlocking the disk /dev/sda3 (sda3_crypt)
Unlocking the disk /dev/sda3 (sda3_crypt)
Enter passphrase: :*****
I've not been able to find any bug report at debian. I'm not sure if SolydXK is responsible for the bug.
/vbj
DONATING = LOVING [ well, 'loving' is a bit strong about software, so s/loving/appreciating/ ]
...says AmandaFuckingPalmer http://blog.amandapalmer.net/post/20058 ... -by-amanda - s/artist|music/developer|code/

vilbjoern
Posts: 16
Joined: 23 Aug 2013 11:40
Location: Rørvig, Denmark

Re: HOWTO: Install SolydX with encryption on LVM

Postby vilbjoern » 01 Sep 2013 18:11

The above HOWTO was originally written as a mere posting in this forum, being only a walk through of my experiences with installing a box with encryption & LVM.

During the work I found what seems to be a bug, so I didn't find it decent to make the posting as a regular howto. Having found not a solution but a work around, that I find satisfactory (thanks Schoelje, for your posting http://forums.solydxk.nl/viewtopic.php?f=53&t=814, it pointed me to the obvious :-) - then I decided to make a regular howto. So up there it is :-)

I was not able to test it with a new setup following the instructions - I haven't yet set up my workstation, and my netbook is not strong enough to run eg VirtualBox. So if anybody could do that, please do and comment.

Regards

arjmage
Posts: 1
Joined: 25 Jan 2014 05:00

Re: HOWTO: Install SolydX with encryption on LVM

Postby arjmage » 25 Jan 2014 05:12

Hi, that's a great walk-through on how to go about installing solydxk, which is slowly becoming my distro of choice on multiple machines.

However, I have one question: what changes are necessary to the above process to install onto a machine that uses EFI (with refind) and not BIOS+GRUB as a bootloader?

From this link: http://www.thinkwiki.org/wiki/UEFI_Firmware it seems that during the 'by hand' install process, one could run

Code: Select all

aptitude install grub-efi-amd64
with the appropriate /boot/efi mountpoints prepared.

I am currently running UEFI + Full Disk Encryption + Arch Linux on this machine, with refind as the efi boot manager.

juanito
Posts: 5
Joined: 23 Feb 2014 10:14

Re: HOWTO: Install SolydX with encryption on LVM

Postby juanito » 23 Feb 2014 10:22

Hi and thanks for this great tutorial. I followed step by step your instructions with the solydK 201401 iso file installation.
And at step d. and e. I got a connection error to retrieve the packages. So I downloaded lvm2 manually from debian repository.

And at step f. I got this error:

Code: Select all

apt-get purge plymouth* debian-plymouth-manager 
The following packages will be REMOVED:
  debian-plymouth-manager* plymouth* plymouth-drm* plymouth-themes-solydk*
plymouth-x11*
0 upgraded, 0 newly installed, 5 to remove and 0 not upgraded.
After this operation, 1,459 kB disk space will be freed.
Do you want to continue? [Y/n] y
E: Can not write log (Is /dev/pts mounted?) - openpty (2: No such file or directory)
(Reading database ... 146438 files and directories currently installed.) Removing debian-plymouth-manager (2.1.6) ...
Purging configuration files for debian-plymouth-manager (2.1.6) ... Removing plymouth-x11 (0.8.8-14) ...
Removing plymouth-themes-solydk (1.1.0) ...
Removing plymouth-drm (0.8.8-14) ...
Purging configuration files for plymouth-drm (0.8.8-14) ...
Removing plymouth (0.8.8-14) ...
update-initramfs: deferring update (trigger activated)
Purging configuration files for plymouth (0.8.8-14) ...
dpkg: warning: while removing plymouth, directory
'/usr/share/plymouth/themes/text' not empty so not removed
dpkg: warning: while removing plymouth, directory
'/usr/lib/x86_64-linux-gnu/plymouth' not empty so not removed
Processing triggers for desktop-file-utils (0.22-1) ...
Processing triggers for mime-support (3.54) ...
Processing triggers for libc-bin (2.17-97) ...
Processing triggers for man-db (2.6.5-2) ...
Processing triggers for initramfs-tools (0.115) ...
update-initramfs: Generating /boot/initrd.img-3.11-2-amd64
cryptsetup: WARNING: could not determine root device from /etc/fstab

Then later at step k. could you give the file location?
k. We need to be sure that we can log properly in, so edit the configuration file for the displaymanager that SolydX uses, and comment two lines out like this:
So I finished the setup and rebooted, but I didn't get the password entry to unlock /dev/sda3. I got stuck with a command line starting with: initramfs.

Thanks for your help.

vilbjoern
Posts: 16
Joined: 23 Aug 2013 11:40
Location: Rørvig, Denmark

Re: HOWTO: Install SolydX with encryption on LVM

Postby vilbjoern » 24 Feb 2014 11:39

Hi juanito,

I don't use that PC anymore - the motherboard has broken down, so until I've built a new one I'm stuck with my ancient netbook/notebook. So my reply is based on guessing.

Regarding 6.f:
I would remove the contents of:
'/usr/share/plymouth/themes/text' & '/usr/lib/x86_64-linux-gnu/plymouth' - to get rid of the "dpkg: warning: while removing plymouth, directory"
- I think this only is a cosmetic problem - deleting files that are not used any more.

Did you update the initramfs? thus:

Code: Select all

# update-initramfs -u
- remember to edit /etc/fstab (5.b) according to your setup prior to updating initramfs - the contents of your fstab may vary from what you see in the box.

Regarding 6.k:
Then later at step k. could you give the file location?
... is/was for xfce: /etc/lightdm/lightdm.conf. Thanks for the question - I've edited the HOWTO accordingly.

Hope this helps.

juanito
Posts: 5
Joined: 23 Feb 2014 10:14

Re: HOWTO: Install SolydX with encryption on LVM

Postby juanito » 06 Mar 2014 21:45

Hi Vilbjoern,
I finally got the time to try it again. Here is my feed back.

At 6.e I got the message

Code: Select all

cryptsetup: WARNING: could not determine root device from /etc/fstab
At 5.b should the file /etc/fstab not be the same as the one you posted here? What should be different, how could mine vary. I didn't get that point. Is it not enough if I do vi /etc/fstab and copy/paste what you indicated?

At 6.f again the same message

Code: Select all

update-initramfs: Generating /boot/initrd.img-3.11-2-amd64
cryptsetup: WARNING: could not determine root device from /etc/fstab
After that I just checked the content of /etc/fstab and it was empty! And at step 5.b I did save the file with the changes. So I populated it again, saved it and ran update-initramfs -u and it worked, no more warning.

At 6.k this is still a mystery for me with KDE. I don't know where the configuration file of the displaymanager is! :?

So I rebooted, I got the prompt to enter my passphrase and unlock the partition, that's fine. Then I got a black screen, no login into solydK. I tried recovery mode and it's the same. I think that's because I wasn't able to change the displaymanager. So I am stuck here. Too bad. :cry: I hope someone on the forum will help because I won't reinstall my system without encryption!

Thanks.

davidcim
Posts: 17
Joined: 11 Mar 2014 00:51
Location: Madrid, Spain

Re: HOWTO: Install SolydX with encryption on LVM

Postby davidcim » 11 Mar 2014 02:02

First of all, thanks for your great tutorial vilbjoern! I've a perfectly installed solydk + encrypted LVM thanks to you.

I would like to share my experience as it could help others. When I first completed this tutorial my system only booted if the pen drive was plugged in. The cause was that my main drive changes from sdc to sdb if the USB drive is removed. I easily solved it by providing a UUID instead of the path to the device in fstab and crypttab. Actually in fstab you can even specify the label of the drive instead of the path by using the option LABEL.

Code: Select all

$ sudo e2label /dev/sdb2
boot
$ cat /etc/fstab
# <file system>                 <mount point>   <type>  <options>               <dump>  <pass>
proc                            /proc           proc    defaults                0       0
/dev/mapper/volumes1-swap       none            swap    sw                      0       0
LABEL=boot                      /boot           ext2    defaults                0       2
/dev/mapper/volumes1-system     /               ext4    errors=remount-ro       0       1
/dev/mapper/volumes1-home       /home           ext4    defaults                0       2
As crypttab doesn't accept the LABEL option you have to use the UUID option here.

Code: Select all

$ ls -la /dev/disk/by-uuid | grep sdb3
lrwxrwxrwx 1 root root  10 mar 11 01:44 b450a2bb-8fec-4a97-a3ab-a0d144ee4eb9 -> ../../sdb3
$ cat /etc/crypttab
# <target name>         <source device>                                 <key file>      <options>
crypt1                  UUID=b450a2bb-8fec-4a97-a3ab-a0d144ee4eb9       none            luks
The second and most important thing to comment is about the manual installation by copying the squashfs to the new fs. It did work but it's a lot of time and there are some glitches with the kdm and the localization of firefox, libreoffice and others. Fortunately it's possible to skip all this manual installation part of the vilbjoern procedure by running the installer in advanced mode (http://forums.solydxk.nl/viewtopic.php?f=5&t=517#p5378).

Code: Select all

gksudo "live-installer --advanced"
With this flag the live installer will allow you to make all the lvm and encryption configuration without needing the second part of the tutorial dedicated to the customization of the new system. Basically the installer gives you a chance to mount your volumes manually at /target/ before the files are copied.

Once all the files have been copied to the new fs, the installer stops and asks you to configure fstab and crypttab and to install the extra stuff needed to boot.

Code: Select all

$ sudo su
$ cp /etc/resolv.conf /target/etc/
$ chroot /target/
$ kwrite /etc/fstab &
$ kwrite /etc/crypttab &
$ aptitude install cryptsetup lvm2
After this the live installer will continue with the installation process as usual.
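
An added example (not part of any post in this thread) that checks, before rebooting, for the two problems reported above: the empty fstab behind juanito's `could not determine root device` warning, and the kernel device names that davidcim replaced with UUID= and LABEL=. The function names, messages and the sample root are constructed for this example.

```sh
#!/bin/sh
# Added example, not from the thread. Audits etc/fstab and etc/crypttab inside
# an installed root (/mnt/solydxk or /target) before update-initramfs and reboot.
# Function names and message texts are this example's own.

# Print the non-blank, non-comment lines of a tab file (nothing if unreadable).
active_lines() {
    [ -r "$1" ] || return 0
    awk 'NF == 0 || $1 ~ /^#/ { next } { print }' "$1"
}

# check_boot_config ROOT
# Prints one finding per line; returns 1 if any ERROR was found, else 0.
check_boot_config() {
    cbc_root=$1
    cbc_rc=0

    # In the thread, an empty fstab produced "cryptsetup: WARNING: could not
    # determine root device from /etc/fstab", so require an entry for "/".
    cbc_rootdev=$(active_lines "$cbc_root/etc/fstab" |
        awk '$2 == "/" { print $1; exit }')
    if [ -z "$cbc_rootdev" ]; then
        echo "ERROR fstab: no entry for /"
        cbc_rc=1
    fi

    # Count crypttab lines whose option list (4th field) contains "luks".
    cbc_n=$(active_lines "$cbc_root/etc/crypttab" | awk '
        { k = split($4, o, ","); for (i = 1; i <= k; i++) if (o[i] == "luks") { n++; break } }
        END { print n + 0 }')
    if [ "$cbc_n" -eq 0 ]; then
        echo "ERROR crypttab: no luks entry"
        cbc_rc=1
    fi

    # Kernel names such as /dev/sda3 can change when a drive is added or
    # removed (sdc became sdb in the thread). /dev/mapper names are stable.
    active_lines "$cbc_root/etc/fstab" | awk '
        $1 ~ /^\/dev\/(sd|hd|vd)[a-z]+[0-9]+$/ {
            print "WARN fstab: " $1 " (" $2 ") may be renamed; use UUID= or LABEL="
        }'
    active_lines "$cbc_root/etc/crypttab" | awk '
        $2 ~ /^\/dev\/(sd|hd|vd)[a-z]+[0-9]+$/ {
            print "WARN crypttab: " $2 " (" $1 ") may be renamed; use UUID="
        }'
    return "$cbc_rc"
}

# Write the HOWTO's fstab and crypttab into DIR/etc (constructed sample root).
make_sample_root() {
    mkdir -p "$1/etc"
    cat > "$1/etc/fstab" <<'EOF'
# <file system>             <mount point> <type> <options>         <dump> <pass>
proc                        /proc         proc   defaults          0      0
/dev/mapper/volumes-swap    none          swap   sw                0      0
/dev/sda2                   /boot         ext2   defaults          0      2
/dev/mapper/volumes-system  /             ext4   errors=remount-ro 0      1
/dev/mapper/volumes-home    /home         ext4   defaults          0      2
EOF
    printf '%s\n' 'sda3_crypt  /dev/sda3  none  luks' > "$1/etc/crypttab"
}

# Demo on the constructed sample: two WARN lines, exit status 0.
demo_root=$(mktemp -d)
make_sample_root "$demo_root"
check_boot_config "$demo_root" || echo "fix the ERROR lines before rebooting"
rm -rf "$demo_root"
```

On a real install, call `check_boot_config /mnt/solydxk` (or `/target`) from the live session after editing both files.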

juanito
Posts: 5
Joined: 23 Feb 2014 10:14

Re: HOWTO: Install SolydX with encryption on LVM

Postby juanito » 11 Mar 2014 23:51

Thanks davidcim for your input, I gave it a try. But when I restarted I got the splash screen and then a black screen with written in white at the top left: Loading...
Time passed but nothing happened and it didn't ask for the passphrase to decrypt my volume.

I followed the instructions you put here but I didn't get the point with your syntax when you wrote:

Code: Select all

kwrite /etc/fstab &
kwrite /etc/crypttab &
Here is what I did.
At step 4.h from tutorial vilbjoern, I changed it by

Code: Select all

# mkdir /target
# mount /dev/mapper/volumes-system /target/
# mkdir /target/home
# mkdir /target/boot
# mount /dev/sda2 /target/boot/
# mount /dev/mapper/volumes-home /target/home
I changed /etc/fstab and /etc/crypttab like you advised with my own UUID.

Code: Select all

gksudo live-installer --advanced
That didn't work, I had to do:

Code: Select all

gksudo
and then in the dialog box insert: live-installer --advanced

Before the end of the install I ran this:

Code: Select all

cp /etc/fstab/ /target/etc/fstab/
cp /etc/crypttab/ /target/etc/crypttab/
What did I miss?

davidcim
Posts: 17
Joined: 11 Mar 2014 00:51
Location: Madrid, Spain

Re: HOWTO: Install SolydX with encryption on LVM

Postby davidcim » 12 Mar 2014 11:00

> I followed the instructions you put here but I didn't get the point with your syntax when you wrote...

I mean here is the time to edit fstab and crypttab with your own settings. If you make these edits after installing lvm2 and cryptsetup then you'll need to call explicitly update-initramfs so that the new settings are available for grub.

Code: Select all

$ update-initramfs -u
> At step 4.h from tutorial vilbjoern, I changed it by ...
You are right

> gksudo live-installer --advanced
> That didn't work, I had to do...
You're right. It should be:

Code: Select all

gksudo "live-installer --advanced"
I'm going to edit it now.


> Before the end of the install I ran this...
Actually I never edited the live installer's fstab and crypttab and therefore I didn't need to copy them to /target/. I only edited the files at /target/etc/ just before installing lvm2 and cryptsetup. To clarify a little the advanced installer stops twice. The first time it stops to allow you mounting the volumes at /target/. The second time it stops to allow you editing fstab and crypttab at /target/etc/ and to chroot and install lvm2 and cryptsetup.


> What did I miss?

To fix it I would try to boot with the live cd/usb, mount your volumes, chroot and update initramfs.

Code: Select all

$ update-initramfs -u
Another thing I did was disabling the Plymouth checkbox in the installer options. There were two checkboxes. One about installing grub which I kept checked and another one about installing Plymouth which I unchecked having in mind vilbjoern's warnings about it. So you could also uninstall the plymouth package after chroot.

Hope this helps you

davidcim
Posts: 17
Joined: 11 Mar 2014 00:51
Location: Madrid, Spain

Re: HOWTO: Install SolydX with encryption on LVM

Postby davidcim » 12 Mar 2014 11:36

Uhm... thinking about your issue it sounds to me as if the plymouth splash screen would be hiding the password question behind. Try to type your pass and hit enter or if it doesn't work try to uninstall plymouth package.

Wazza
Posts: 158
Joined: 19 Apr 2014 12:00
Location: South Australia

Re: HOWTO: Install SolydX with encryption on LVM

Postby Wazza » 26 Apr 2014 07:09

Many thanks to vilbjoern and davidcim, combining your suggestions has resulted in a smooth install.

As far as installing Solydxk goes, having full disk encryption has been a deal maker for me.

Appreciated!

juanito
Posts: 5
Joined: 23 Feb 2014 10:14

Re: HOWTO: Install SolydX with encryption on LVM

Postby juanito » 27 Apr 2014 00:59

Hi,

Thanks to Wazza's help in PM I was able to do it.
I think it would be necessary to update the initial howto by adding some more detailed explanations.

Just for information at step 3a. instead of doing

Code: Select all

cryptsetup luksFormat /dev/sda3
I run a more secure version of encryption

Code: Select all

cryptsetup --verify-passphrase luksFormat /dev/sda3 -c aes-xts-plain64 -s 512 -h sha512
Thanks to all of you, and I hope that the next installer will add an option to encrypt the disk by default. It would be very helpful for first users to install solydxk easily.

Arjen Balfoort
Site Admin
Posts: 9254
Joined: 26 Jan 2013 19:36
Location: Netherlands

Re: HOWTO: Install SolydX with encryption on LVM

Postby Arjen Balfoort » 01 May 2014 15:05

While building the new ISOs, the kids with the grandparents, and wife with friends, I had the time to browse for interesting things in our own forum.

This is quite a pearl!

I only now get a headache on how to automate this to use in the live-installer :mrgreen:


SolydXK needs you!
Development | Testing | Translations

Wazza
Posts: 158
Joined: 19 Apr 2014 12:00
Location: South Australia

Re: HOWTO: Install SolydX with encryption on LVM

Postby Wazza » 01 May 2014 20:48

I'm aware that people have been requesting this function over at the LMDE camp for a while now. From what I've read, it's not an easy thing to include, and that development time is more of a priority in other areas. If encryption did become available during the Solydxk install at some future time, I think it would interest quite a few people, especially those using laptops. I also think it would be a feature that deserves advertising.

Thanks again for this how-to, I've had no problems at all.

juanito
Posts: 5
Joined: 23 Feb 2014 10:14

Re: HOWTO: Install SolydX with encryption on LVM

Postby juanito » 12 Aug 2014 15:05

Hi,

For those who had problems like me and some steps were not super clear, here is an add-on to the first tuto with the help of Wazza. I just did it with the new iso from July 2014 and all went smooth.

3a. I found an enhanced command to encrypt the disk

Code: Select all

cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random --verify-passphrase luksFormat /dev/sda3

4h. Instead, start the live installer in advanced mode from a new terminal with gksudo "live-installer --advanced" (you’ll need your current terminal for the next part)
Run through the set up until you come to the partitioning section, then select “manually mount partitions” at the bottom, select “forward”, Now STOP there!

Get back into the original terminal that you were using to create the volumes, still as “sudo -s”. Now we can create the mount points on /target and mount the file systems.
So now, assuming you’ve created the volumes exactly as the tutorial says...

Code: Select all

# mkdir /target
# mount /dev/mapper/volumes-system /target/
# mkdir /target/home
# mkdir /target/boot
# mount /dev/sda2 /target/boot/
# mount /dev/mapper/volumes-home /target/home

Switch back to the installer and select “forward”. The installer will copy what's needed to /target automatically, no need to specify anything else. Keep going through the installer prompts until it stops a second time, it should ask you to now set up fstab and crypttab. Again, leave the installer and hop back into your console. Now we chroot into the new system and set up the needed files and programs. Replace nano with any edit program you like.

Code: Select all

$ cp /etc/resolv.conf /target/etc/

Code: Select all

$ chroot /target/

Code: Select all

$ nano /etc/fstab
# /etc/fstab: static file system information.
#
# <file system>         <mount point>   <type>  <options>       <dump>  <pass>
proc                            /proc   proc    defaults        0       0
/dev/mapper/volumes-swap        none    swap    sw              0       0
/dev/sda2                       /boot   ext2    defaults        0       2
/dev/mapper/volumes-system      /       ext4    errors=remount-ro   0   1
/dev/mapper/volumes-home        /home   ext4    defaults        0       2

Code: Select all

$ nano /etc/crypttab
#this is a new file, insert (copy from tutorial)
sda3_crypt  /dev/sda3  none  luks
then

Code: Select all

$ aptitude install cryptsetup lvm2
For good measure, run:

Code: Select all

$ update-initramfs -u
Back to the installer now and click forward, and finish.
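
An added example (not from any poster) for checking that the luksFormat options used in step 3a actually ended up in the header, by parsing saved `cryptsetup luksDump` output. It assumes the LUKS1 text layout; the function names are this example's own and the sample dump is constructed, with digest, salt and UUID lines left out.

```sh
#!/bin/sh
# Added example, not from the thread. Compares a saved header dump, e.g.
#   cryptsetup luksDump /dev/sda3 > header.txt
# (LUKS1 text layout assumed) with the options given to luksFormat.

# luks_field FILE KEY: print the value of the top-level "KEY: value" line.
luks_field() {
    awk -F: -v key="$2" '
        $1 == key {
            sub(/^[^:]*:[ \t]*/, "")    # strip "KEY:" and its padding
            sub(/[ \t]+$/, "")
            print
            exit
        }' "$1"
}

# enabled_keyslots FILE: number of key slots marked ENABLED.
enabled_keyslots() {
    awk '/^Key Slot [0-9]+: ENABLED/ { n++ } END { print n + 0 }' "$1"
}

# expect_field FILE KEY WANT: report one comparison, return 1 on mismatch.
expect_field() {
    ef_got=$(luks_field "$1" "$2")
    if [ "$ef_got" = "$3" ]; then
        echo "ok        $2 = $ef_got"
    else
        echo "MISMATCH  $2 = ${ef_got:-<missing>} (wanted $3)"
        return 1
    fi
}

# check_luks_header FILE CIPHER MODE KEYBITS HASH
# For "-c aes-xts-plain64 -s 512 -h sha512" pass: aes xts-plain64 512 sha512.
# With XTS the key is split into two halves, so 512 MK bits means AES-256.
check_luks_header() {
    clh_bad=0
    expect_field "$1" "Cipher name" "$2" || clh_bad=1
    expect_field "$1" "Cipher mode" "$3" || clh_bad=1
    expect_field "$1" "MK bits"     "$4" || clh_bad=1
    expect_field "$1" "Hash spec"   "$5" || clh_bad=1
    return "$clh_bad"
}

# Constructed sample dump matching the options quoted in the thread.
write_sample_dump() {
    cat > "$1" <<'EOF'
LUKS header information for /dev/sda3

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha512
Payload offset: 4096
MK bits:        512

Key Slot 0: ENABLED
Key Slot 1: DISABLED
Key Slot 2: DISABLED
EOF
}

# Demo on the constructed sample.
demo_dump=$(mktemp)
write_sample_dump "$demo_dump"
check_luks_header "$demo_dump" aes xts-plain64 512 sha512 || echo "header differs from request"
echo "enabled key slots: $(enabled_keyslots "$demo_dump")"
rm -f "$demo_dump"
```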

