AES-encrypted root partition using LVM2

This howto describes installing Gentoo to achieve strong and full encryption, yet still be fast and flexible.

Introduction
Gentoo will be installed on the following layers:
 * 1) filesystem
 * 2) loop-AES encryption
 * 3) LVM2 logical volumes
 * 4) disk partition.

Approach
The approach taken here is to store an encrypted gpg keyfile in a ~20M unencrypted /boot partition. The rest of the disk is either encrypted swap or encrypted storage.

An alternative is to put the keyfile on a thumb drive, or even boot from a thumb drive. There might be a theoretical advantage of this, but practically, I don't see the point. It's much better to concentrate on strong passwords.

The storage can be an ordinary device-backed loop or LVM backed loop. Either way an initrd is needed, so I think the LVM route is not that much extra effort.

Don't put swap inside a logical volume. Establish it on the first possible partition. From what I've read swap needs to be at the beginning of the disk and if it is inside LVM you can't say where on the disk it is. I can't think of why you would want the flexibility of LVM for swap anyway.

Assumptions
This howto assumes:
 * 1) That the installation will be on fresh hardware; and
 * 2) That the user is reasonably familiar with installing Gentoo and the use of logical volumes.

Work
For a livecd Knoppix <= 5 is a possibility, as is current GRML. Current Knoppix and Gentoo do not include a patched losetup.

Boot the livecd, check and maybe repair the network connection and stop the X server (you don't need it):

Set a password so you can log in later:

Partition the disk(s)
Use,  or something to arrange the partitions that you will be installing onto. Reboot if the software requires it. For the purpose of this documentation the following configuration will be used:

Disk /dev/hdb: 40.0 GB, 40020664320 bytes
255 heads, 63 sectors/track, 4865 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/hdb1               1           2       16033+  83  Linux
/dev/hdb2               3          63      489982+  82  Linux swap / Solaris
/dev/hdb3              64        2495    19535040   8e  Linux LVM
/dev/hdb4            2496        4865    19037025    5  Extended
/dev/hdb5            2496        4865    19036993+  8e  Linux LVM
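As an added example (not part of the original howto), here is a small sh script that reads an fdisk listing like the one above and checks it against the layout rules this howto follows: a swap partition (id 82) that starts before any LVM partition (id 8e), and a small plain Linux partition (id 83) for /boot. The listing is embedded as a constructed sample so the script runs offline; the 64M upper bound for /boot is an assumed threshold, not a figure from the page.

```shell
#!/bin/sh
# Added example, not from the original howto: sanity-check an "fdisk -l"
# listing against the layout used above. Reads the listing on stdin, prints
# one line per partition plus "OK" or "FAIL: ..." findings, exits non-zero
# on any violation.

# Constructed sample: the fdisk listing from the howto, embedded inline.
SAMPLE_FDISK='Disk /dev/hdb: 40.0 GB, 40020664320 bytes
255 heads, 63 sectors/track, 4865 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/hdb1               1           2       16033+  83  Linux
/dev/hdb2               3          63      489982+  82  Linux swap / Solaris
/dev/hdb3              64        2495    19535040   8e  Linux LVM
/dev/hdb4            2496        4865    19037025    5  Extended
/dev/hdb5            2496        4865    19036993+  8e  Linux LVM'

# check_layout: parse the partition rows (lines starting with /dev/) and
# report. Partition ids: 82 = swap, 8e = Linux LVM, 83 = Linux, 5 = Extended.
# The Blocks column is in 1K blocks; a trailing "+" is dropped by awk's
# string-to-number conversion.
check_layout() {
    awk '
    /^\/dev\// {
        i = ($2 == "*") ? 3 : 2          # skip the optional bootable-flag column
        dev = $1; start = $i + 0; blocks = $(i+2) + 0; id = $(i+3)
        mb = blocks / 1024
        if (id == "82") { swap_start = start; nswap++ }
        if (id == "8e") { if (lvm_start == "" || start < lvm_start) lvm_start = start; nlvm++ }
        if (id == "83" && first83 == "") { first83 = dev; boot_mb = mb }
        printf "%s id=%s start=%d size=%.1fM\n", dev, id, start, mb
    }
    END {
        fail = 0
        if (nswap == 0) { print "FAIL: no swap partition (id 82)"; fail = 1 }
        if (nlvm == 0)  { print "FAIL: no LVM partition (id 8e)"; fail = 1 }
        if (nswap && nlvm && swap_start > lvm_start) {
            print "FAIL: swap starts after the first LVM partition"; fail = 1
        }
        if (first83 == "") { print "FAIL: no plain Linux partition for /boot"; fail = 1 }
        else if (boot_mb > 64) {  # assumed threshold: /boot here is only ~16M
            printf "FAIL: %s is %.0fM, too large for a small /boot\n", first83, boot_mb; fail = 1
        }
        if (!fail) print "OK"
        exit fail
    }'
}

# Usage: fdisk -l /dev/hdb | check_layout   (here: the constructed sample)
printf '%s\n' "$SAMPLE_FDISK" | check_layout
```

The checks only encode what this page recommends (swap first, LVM after it, a tiny /boot); they say nothing about whether the disk is otherwise sensible.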

hdb3 and hdb5 could have been one partition but are two here to illustrate a point later on. needs a filesystem, so make one:

A volume for root
Create the physical volumes:

Physical volume "/dev/hdb3" successfully created
Physical volume "/dev/hdb5" successfully created

Put a volume group called "vg" on those physical volumes:

Volume group "vg" successfully created

Put a logical volume to hold your root filesystem on the volume group:

Logical volume "root" created

Encryption for /dev/vg/root
Make a gpg key with something like

Or, make one available from somewhere else. I don't care how much mouse wiggling you do, my experience is that this takes forever with, so if experimenting, choose.

Fill the partition with random looking data.

An encrypted loopback is established within the '/dev/vg/root' logical volume with:

By way of a suggestion:

Then and follow the rest of the install procedure.

In addition to the tools listed in the howto, also:

Don't reboot yet.

A new mount, umount, losetup, swapon and swapoff
Other distro users will have to follow Section 4 of the readme. We:

Loop-AES readme steps
What follows are some annotations against example 5 in the loop-AES readme.

Aespipe
This is not required because we are doing a fresh install, not a conversion.

Backup
Only you know what to do here.

Kernel
If necessary, and copy the kernel into.

Loop module
Grab the latest loop-AES:

Then make the module:

Copy loop module
Make sure is mounted and copy the module in:

Encryption keys
Completed

build-initrd.sh
This is the most difficult part. In :

and remove and remove everything after ### End of options. Edit build-initrd.conf along the following lines

Create :

Note the line. If the logical volume on which root is placed consists of more than one physical volume, you need manually for each device in addition to the one created by  in rootsetup.

In this example the logical volume is composed of the physical volumes and. The CRYPTROOT=/dev/hdb3 line in build-initrd.conf establishes, and to make we need the  line in.

We need some more preparations:

Boot loader config
I use. My looks something like:

A new /boot/initrd.gz
Make sure is mounted.

Loading config from 'build-initrd.conf'
13 blocks
-rw--- 1 root root 2721 Dec 10 19:50 /boot/initrd.gz
Copying /sbin/losetup to /boot/losetup
Copying /lib/libc.so.6 to /boot
Copying /lib/ld-linux.so.2 to /boot
Copying /sbin/insmod.static to /boot/insmod
Copying /usr/bin/gpg to /boot/gpg
Done.

Boot loader
Perform this as part of the howto.

Exit out of chroot
Complete Rebooting the System up to, but not including, the partitions. Make sure that the root partition has the devices, and. If necessary:

Boot
The first boot into Gentoo.

A boot into Gentoo feels like this. After the power is turned on, your computer proceeds through the BIOS checks, then the boot loader and the kernel load. Booting then pauses with a password prompt. After the password is correctly entered booting continues. Once booted, lists the mounted loopback devices.

A cleartext loopback for a data logical volume
We have an encrypted but still nowhere for data to go. We need to size it and create an encrypted loopback whose keyfile is kept in clear text.

Size /data
It is assumed that the rest of the disk should be allocated to. When booted from a CD and not in a chroot, and add up all of the Free PE values. Then create the logical volume
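As an added example (not from the original howto), the following sh snippet does the arithmetic just described: it totals the "Free PE" lines of a pvdisplay listing and prints the lvcreate invocation that claims every free extent for the data volume. The pvdisplay figures are constructed for illustration and are not the author's; the volume group name "vg" and the logical volume name "data" follow the page.

```shell
#!/bin/sh
# Added example, not from the original howto: sum the "Free PE" values of a
# pvdisplay listing and build the matching lvcreate command. Reads the
# listing on stdin, so it can be fed straight from pvdisplay.

# Constructed sample (assumed extent counts): the two physical volumes of
# "vg", showing only the pvdisplay fields that matter here.
SAMPLE_PVDISPLAY='  --- Physical volume ---
  PV Name               /dev/hdb3
  VG Name               vg
  PE Size (KByte)       4096
  Total PE              4768
  Free PE               2208
  Allocated PE          2560

  --- Physical volume ---
  PV Name               /dev/hdb5
  VG Name               vg
  PE Size (KByte)       4096
  Total PE              4647
  Free PE               4647
  Allocated PE          0'

# free_pe_total: print the sum of every "Free PE" line on stdin (0 if none).
free_pe_total() {
    awk '/^ *Free PE/ { total += $3 } END { print total + 0 }'
}

# data_lv_command VG NAME: print the lvcreate command for a volume that uses
# all free extents. Sizing with -l (extents) rather than -L (bytes) avoids
# losing a partial extent to rounding. Fails if nothing is free.
data_lv_command() {
    extents=$(free_pe_total)
    if [ "$extents" -le 0 ]; then
        echo "no free extents in volume group $1" >&2
        return 1
    fi
    echo "lvcreate -l $extents -n $2 $1"
}

# Usage: pvdisplay | data_lv_command vg data   (here: the constructed sample)
printf '%s\n' "$SAMPLE_PVDISPLAY" | data_lv_command vg data
```

Run it from the livecd, outside the chroot, as the paragraph above says; it prints the command rather than running it so you can compare the extent count with what pvdisplay showed before committing.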

Clear text keyfile
The keyfile for the data logical volume should not have a password. The file should be clear text. This is because it is going to be stored in an encrypted partition and you don't want to have to enter passwords unnecessarily.

etc might return bash: uuencode: command not found. This can be solved by, or perform the etc from outside the chroot. for <=loop-AES-v3.2b does not work.
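As an added example (not the howto's own commands and not from the loop-AES project), here is a way to produce and check a multi-key keyfile without uuencode, which covers both the passphrase-protected root keyfile and the clear-text /data keyfile above. It assumes the loop-AES multi-key layout of 65 lines of base64 text, as produced by the README's "head -c 2925 /dev/random | uuencode -m -" recipe, and substitutes GNU base64 -w 60 for uuencode and /dev/urandom for /dev/random. The file paths in the usage comments are assumed, not the page's.

```shell
#!/bin/sh
# Added example, not from the original howto or from loop-AES itself.
# Assumption: a loop-AES multi-key keyfile is 65 lines of base64 text
# (2925 random bytes -> 3900 base64 characters -> 65 lines of 60).
# base64 -w is a GNU coreutils option; /dev/urandom is used so key
# generation does not block on the entropy pool.

KEY_BYTES=2925
KEY_LINES=65
KEY_WIDTH=60    # uuencode -m wraps at 60 characters, so match that

# make_keyfile FILE: write a fresh clear-text multi-key file, mode 0600.
make_keyfile() {
    ( umask 077; head -c "$KEY_BYTES" /dev/urandom | base64 -w "$KEY_WIDTH" > "$1" )
}

# check_keyfile FILE: return 0 if FILE has exactly KEY_LINES lines of
# KEY_WIDTH base64 characters each, 1 (with a reason on stdout) otherwise.
check_keyfile() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    n=$(wc -l < "$f")
    [ "$n" -eq "$KEY_LINES" ] || { echo "expected $KEY_LINES lines, got $n"; return 1; }
    # any line that is not exactly KEY_WIDTH base64 characters is a defect
    if grep -qvE "^[A-Za-z0-9+/]{$KEY_WIDTH}$" "$f"; then
        echo "malformed line in $f"; return 1
    fi
    return 0
}

# Usage for the /data volume, whose key stays in clear text on the encrypted
# root (assumed path):
#   make_keyfile /etc/loop-aes/data.key && check_keyfile /etc/loop-aes/data.key
# For the root volume, do not leave the key in clear text on /boot: generate
# it to a temporary file, check it, then wrap it with "gpg --symmetric -a"
# into the gpg keyfile on /boot and remove the clear-text copy.
```

The check is deliberately strict about line count and width: loop-AES treats each line as a separate key, so a file that lost or wrapped a line would silently set up the volume with the wrong keys.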

Inside the chroot edit

And create.

fstab
fstab might end up looking like

Murphy's law
When things go wrong, like grub not working or something, a set of commands like this might be needed to re-establish a chroot.

Welcome to Knoppix! root@Knoppix:~#