FOSSilized_Daemon n00b
Joined: 08 Mar 2019 Posts: 20
|
Posted: Sat Mar 09, 2019 3:15 am Post subject: Encrypted Install partitioning |
|
|
Hello everyone, I am new to Gentoo and am trying to do an encrypted installation as I want to have a hardened system. I have been working through the handbook and have been trying like crazy to figure out partitions. The handbook gives a great walkthrough of general partitioning, but I need some help bad. I am setting up Gentoo on a test laptop to get to know the system, I am taking notes and writing down everything I am learning for future reference. I cannot for the life of me figure out how to do an encrypted partitioning setup. I have done this on Void Linux and Arch Linux and had notes on both, but I lost these notes the old-fashioned way... I forgot to back them up. I am very confused and could use a little guidance. I have done some searching and this guide: https://linux.arantius.com/gentoo-encrypted-root-with-luks-and-lvm does just about everything I planned to do on my initial install partition-wise, but I am having a brain failure here. I can't remember how in the world to make the boot partition and the second partition (which he omits in his guide). I understand this has to be a very noob question, but I am going crazy trying to figure out how I did this. Please, any help would be severely welcomed. Sorry for the noob question.
Edit: I do really want to apologize about this question, I know this is a place for more advanced users and I have used Linux for a while. A lot of my questions have been easily solved with a quick duckduckgo search and the handbook. But partitions are something I have always struggled with. I want to thank everyone who even is taking the time to read this. |
|
|
jburns Veteran
Joined: 18 Jan 2007 Posts: 1214 Location: Massachusetts USA
|
|
|
fturco Veteran
Joined: 08 Dec 2010 Posts: 1181 Location: Italy
|
Posted: Sat Mar 09, 2019 9:51 am Post subject: |
|
|
@FOSSilized_Daemon: Do you need LVM? Do you prefer LUKS only? |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 21706
|
Posted: Sat Mar 09, 2019 4:56 pm Post subject: Re: Encrypted Install partitioning |
|
|
FOSSilized_Daemon wrote: | Hello everyone, I am new to Gentoo and am trying to do an encrypted installation as I want to have a hardened system. I have been working through the handbook and have been trying like crazy to figure out partitions. The handbook gives a great walkthrough of general partitioning, but I need some help bad. I am setting up Gentoo on a test laptop to get to know the system, I am taking notes and writing down everything I am learning for future reference. I cannot for the life of me figure out how to do an encrypted partitioning setup. I have done this on Void Linux and Arch Linux and had notes on both, but I lost these notes the old-fashioned way... I forgot to back them up. I am very confused and could use a little guidance. I have done some searching and this guide: https://linux.arantius.com/gentoo-encrypted-root-with-luks-and-lvm does just about everything I planned to do on my initial install partition-wise, but I am having a brain failure here. I can't remember how in the world to make the boot partition and the second partition (which he omits in his guide). I understand this has to be a very noob question, but I am going crazy trying to figure out how I did this. Please, any help would be severely welcomed. Sorry for the noob question. |
Perhaps you are thinking too much. For the unencrypted partitions, which includes /boot, you can use the basic guidance offered to people who are not using any encryption at all. You want to make two partitions (at least, but let's go with exactly two for now). This will be a small /boot partition and a large partition that spans the rest of the drive. In the first partition, follow exactly the same steps you would for an unencrypted system. For the second partition, create a LUKS container on it. (Obligatory warning: creating LUKS containers destroys any prior contents. Since you just created this partition, there will not be any contents worth saving this time.) Open the LUKS container.
Within the device representing the inside of the LUKS container, create your LVM PV. Then create your LVM VGs and LVs as normal. Create your filesystem(s) on the LV(s) (one filesystem per LV; choose number and size of LVs based on how you want to separate your filesystems).
That is an overview of what you want. It doesn't discuss making the environment bootable later. If you can't work out the details or you want confirmation before you do something expensive or dangerous, post back and someone can elaborate further.
FOSSilized_Daemon wrote: | Edit: I do really want to apologize about this question, I know this is a place for more advanced users and I have used Linux for a while. |
We routinely help users with questions much easier than this one. If you put reasonable effort into solving your problem and you're still stuck, posting here is fine even if you think the question should be easy. |
|
|
FOSSilized_Daemon n00b
Joined: 08 Mar 2019 Posts: 20
|
Posted: Sat Mar 09, 2019 5:48 pm Post subject: |
|
|
First, I just want to thank you so much for responding and taking the time to read my post. I am looking to do a LUKS + LVM install. However, on my initial install I am not including /boot, but I do plan on adding that at some point. The laptop that I am doing my install on doesn't have UEFI support, so this will be done using the older BIOS boot. I am just looking to do a simple encrypted install with /root, /swap and /home, just a standard install. I am having a hard time remembering this and feel very foolish. It has just been so long since I have done this. I am also looking at the other solutions provided by the other members of this forum. Thank you so much for your time, I do really appreciate it. |
|
|
FOSSilized_Daemon n00b
Joined: 08 Mar 2019 Posts: 20
|
Posted: Sat Mar 09, 2019 5:53 pm Post subject: Re: Encrypted Install partitioning |
|
|
So I have been looking through guides and just want some assistance figuring out whether this is correct. I am using GPT.
create two partitions:
cfdisk
new:
first one will get 512M
new
second one will get the rest of disk
save
after this how do I make the first partition into boot? I know how to do all of the second partition, but /boot is confusing me |
|
|
fturco Veteran
Joined: 08 Dec 2010 Posts: 1181 Location: Italy
|
Posted: Sat Mar 09, 2019 8:19 pm Post subject: |
|
|
If you don't have UEFI and use GPT then you need an extra small partition at the beginning of the disk. For now I recommend that you stick with MBR, to simplify things.
So suppose you have /dev/sda1 (512M) and /dev/sda2 (all the rest) as your newly created partitions. Warning: change the device names according to your system, in order to avoid overwriting important data.
First, you need to format the boot partition using your choice of filesystem. For ext4 the command is:
Code: | mkfs.ext4 /dev/sda1 |
Then you need to encrypt and format the other partition with LUKS:
Code: |
cryptsetup luksFormat /dev/sda2 # choose a strong password and type it twice
cryptsetup luksOpen /dev/sda2 MyRootPartition # type the same password as before
mkfs.ext4 /dev/mapper/MyRootPartition
|
Now you can mount your root partition:
Code: | mount /dev/mapper/MyRootPartition /mnt/gentoo |
Now you can continue following the Gentoo Handbook. Remember to mount the boot partition (/dev/sda1) under /mnt/gentoo/boot after having extracted the stage3 tarball.
You should at this point choose if you want to use Systemd or OpenRC as the init manager.
And Genkernel or Dracut for the initramfs.
On my system I have Systemd and Dracut, so I don't know how to guide you if you choose other programs, but I'm sure there are other people that can help you too! |
|
|
fturco Veteran
Joined: 08 Dec 2010 Posts: 1181 Location: Italy
|
Posted: Sat Mar 09, 2019 8:22 pm Post subject: Re: Encrypted Install partitioning |
|
|
FOSSilized_Daemon wrote: | after this how do I make the first partition into boot? I know how to do all of the second partition, but /boot is confusing me |
In the previous reply I forgot to answer this question.
Basically the configuration file where you will assign your 512M boot partition to the /boot mount point is placed into /etc/fstab.
You just need to add a single line, very easy to do.
But that comes later. First you need to create partitions, format them, and extract the stage3 tarball. |
|
|
FOSSilized_Daemon n00b
Joined: 08 Mar 2019 Posts: 20
|
Posted: Sat Mar 09, 2019 8:28 pm Post subject: Re: Encrypted Install partitioning |
|
|
My big question is how do I create those two partitions? I usually use cfdisk, but cfdisk doesn't have an option for MBR. |
|
|
fturco Veteran
Joined: 08 Dec 2010 Posts: 1181 Location: Italy
|
Posted: Sat Mar 09, 2019 9:19 pm Post subject: |
|
|
Use GNU Parted (parted command). |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 21706
|
Posted: Sat Mar 09, 2019 9:25 pm Post subject: |
|
|
cfdisk can do MBR or GPT, depending on how you use it.
Note that fturco's commands for LUKS assume you will not use LVM and will instead have exactly one filesystem, which is stored directly in the LUKS container. This is a valid configuration, but much less flexible. I prefer your original design of LVM-inside-LUKS. |
|
|
fturco Veteran
Joined: 08 Dec 2010 Posts: 1181 Location: Italy
|
Posted: Sat Mar 09, 2019 9:28 pm Post subject: |
|
|
@Hu: Since he's a beginner, I think he should attempt a simpler install first, without LVM or GPT. Once he fully understands the basics, he may try more advanced configurations. |
|
|
FOSSilized_Daemon n00b
Joined: 08 Mar 2019 Posts: 20
|
Posted: Sat Mar 09, 2019 9:57 pm Post subject: |
|
|
Code: |
fdisk /dev/sda
# this part will create the sda1 (for /boot)
n
p
1
2048
512M
# this part will create the sda2 (for the rest)
n
p
# (I am unsure what should go here for the 2048 part)
# (for this part I assume this gets the rest of the disk)
mke2fs /dev/sda1
cryptsetup --verify-passphrase luksFormat /dev/sda2
cryptsetup luksOpen /dev/sda2 root
pvcreate /dev/mapper/root
vgcreate vg /dev/mapper/root
lvcreate --size 4G --name swap vg
lvcreate --size 50G --name root vg
lvcreate --size 1G --name tmp vg
lvcreate --size 50G --name var vg
lvcreate --extents 100%FREE --name home vg
vgchange --available y
mkswap /dev/mapper/vg-swap
mkfs.xfs /dev/mapper/vg-root
mkfs.xfs /dev/mapper/vg-tmp
mkfs.xfs /dev/mapper/vg-var
mkfs.xfs /dev/mapper/vg-home
|
How is this? I would love a lot of help with sizing; my drive is 750 GB. What do you recommend for this? Also, if there are any flags I can use to make cryptsetup more secure, I would love to hear them. I think I am missing flagging /dev/sda1 as boot. |
|
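The LVM-inside-LUKS layout discussed in this thread, written as a non-interactive dry-run script with sfdisk in place of interactive fdisk so that the MBR label and the boot flag on partition 1 are explicit. This is an added example, not code posted by any participant: `/dev/sdX`, the `APPLY` switch and the helper names are assumptions, while the LV names and sizes are the ones from the last post.

```shell
#!/bin/sh
# Added example, not from the thread. Dry run by default: every command is
# printed, and executed only when APPLY=1. DISK is an assumed placeholder.
DISK="${DISK:-/dev/sdX}"           # set to the real disk, e.g. /dev/sda
VG="vg"                            # volume group name used in the post
LVS="swap:4 root:50 tmp:1 var:50"  # name:GiB, sizes taken from the post

# sfdisk input for an MBR label: 512M bootable /boot, remainder for LUKS.
mbr_layout() {
    printf 'label: dos\n'
    printf ',512M,L,*\n'           # start,size,type,bootable ("*" = boot flag)
    printf ',,L\n'                 # defaults: next free sector to end of disk
}

# GiB left for the final LV (home) once the fixed-size LVs are allocated.
# usage: home_gib <usable_gib> <lv_gib>...; fails if the plan does not fit
home_gib() {
    free=$1; shift
    for s in "$@"; do free=$((free - s)); done
    [ "$free" -gt 0 ] || return 1
    echo "$free"
}

run() {                            # print the command, run it if APPLY=1
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

setup() {
    echo "mbr_layout | sfdisk $DISK"
    if [ "${APPLY:-0}" = 1 ]; then mbr_layout | sfdisk "$DISK" || return 1; fi
    run mke2fs "${DISK}1" || return 1
    run cryptsetup --verify-passphrase luksFormat "${DISK}2" || return 1
    run cryptsetup luksOpen "${DISK}2" root || return 1
    run pvcreate /dev/mapper/root || return 1
    run vgcreate "$VG" /dev/mapper/root || return 1
    for lv in $LVS; do
        run lvcreate --size "${lv#*:}G" --name "${lv%%:*}" "$VG" || return 1
    done
    run lvcreate --extents 100%FREE --name home "$VG" || return 1
    run mkswap "/dev/mapper/$VG-swap" || return 1
    for fs in root tmp var home; do
        run mkfs.xfs "/dev/mapper/$VG-$fs" || return 1
    done
}

setup
```

Partition names are built as `${DISK}1` and `${DISK}2`, which fits `/dev/sda`-style device names only.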