Arch linux with an encrypted LVM

In an earlier post, I described my initial experience with arch linux.  But I did not discuss my use of encryption there, planning instead to separate that out to another post.  So here goes.

My test machine had already been set up with an encrypted LVM for use with opensuse.  I naturally wanted to continue with that arrangement when testing arch.  I had a couple of false starts along the way, but it was easy enough once I knew what I was doing.

Preliminary steps

The arch installer does not have direct support for using already encrypted partitions.  It is expected that access to those encrypted partitions would already be made available before starting the installer.

Immediately on booting the install system (I used a USB for that), I was placed in a root shell session, with a message displayed that I could start the install with

/arch/setup

when I was ready.  At that point, I had to make the encrypted LVM available.  So I did:

cryptsetup luksOpen /dev/sda6 cr_sda6
# enter the LUKS passphrase when prompted
vgscan
vgchange -a y system
# "system" is the name of my LVM2 volume group.  I could have omitted
# that name from the command.

At this stage, the volumes in my encrypted LVM were now all available as devices, and the installer would list those devices during the hard disk preparation section of the install.

I proceeded with installation, which included configuring the volumes from the LVM volume group.

Configuration

At the configuration stage of the install, there are several files to edit, and some of those are relevant to encryption.  The most important of these is “/etc/mkinitcpio.conf”.  In it, I looked for the “HOOKS=” line (the version that is not commented out) and inserted “encrypt lvm2” just in front of “filesystems” on that line.

This is the most important step.  It ensures that the encryption and LVM software is available during boot (in the “initrd” image).  Without that, you won’t be able to boot and might have to reinstall.

The second important file to edit during install is “rc.conf”.  Look for the line containing “USELVM”.  Make sure that it is set as

USELVM="yes"

Those are the only changes needed during the configuration stages of install.

Boot setup

The remaining change is needed for the boot installer stage.  At this stage you are thrown into an edit session on the “menu.lst” file.  Look for the kernel line.  In my case, the kernel line, before editing, was:

kernel vmlinuz-linux root=/dev/mapper/system-root ro

I changed that to

kernel vmlinuz-linux cryptdevice=/dev/sda6:cr_sda6 root=/dev/mapper/system-root ro

Note that there were two similar kernel lines, so I changed both.  Here “/dev/sda6” is the LUKS encrypted partition, and “cr_sda6” is the symbolic name used to reference it after decryption.  Change those names to suit.
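A small check script, added here and not part of the original post, that verifies the three edits above (HOOKS order, USELVM, and cryptdevice= on every kernel line) before you reboot.  File paths, the LUKS device and the mapper name are arguments, and make_samples writes constructed copies of the files so the checks can be tried without touching the live system.

```shell
#!/bin/sh
# Added example, not from the original post.  Each check takes a file path,
# so it can run on the live files (/etc/mkinitcpio.conf, /etc/rc.conf,
# /boot/grub/menu.lst) or on copies.  Exit status 0 means the edit is in place.

# 0 if the active HOOKS= line lists both encrypt and lvm2 before filesystems.
check_hooks() {
    hooks=$(grep '^HOOKS=' "$1" | tail -n 1 | sed 's/^HOOKS=//; s/[()"]//g')
    [ -n "$hooks" ] || return 1
    enc=0; lvm=0
    for h in $hooks; do
        case "$h" in
            encrypt)     enc=1 ;;
            lvm2)        lvm=1 ;;
            filesystems) [ "$enc$lvm" = 11 ] && return 0 || return 1 ;;
        esac
    done
    return 1   # no filesystems hook at all
}

# 0 if rc.conf enables LVM at boot (USELVM="yes").
check_uselvm() {
    grep -Eq '^USELVM="?yes"?[[:space:]]*$' "$1"
}

# 0 if every kernel line in menu.lst carries cryptdevice=<device>:<name>;
# the post's point is that all kernel lines need it, not just the first.
check_kernel_lines() {
    lines=$(grep -E '^[[:space:]]*kernel[[:space:]]' "$1")
    [ -n "$lines" ] || return 1
    total=$(printf '%s\n' "$lines" | grep -c '')
    ok=$(printf '%s\n' "$lines" | grep -c "cryptdevice=$2:$3")
    [ "$total" -eq "$ok" ]
}

# Constructed sample files mirroring the post's edits (good and bad copies).
# Prints the directory they were written to.
make_samples() {
    dir=$(mktemp -d)
    printf '#HOOKS="base udev"\nHOOKS="base udev autodetect encrypt lvm2 filesystems"\n' > "$dir/good.conf"
    printf 'HOOKS="base udev autodetect filesystems encrypt lvm2"\n' > "$dir/bad.conf"
    printf 'USELVM="yes"\n' > "$dir/rc.conf"
    printf 'kernel vmlinuz-linux cryptdevice=/dev/sda6:cr_sda6 root=/dev/mapper/system-root ro\nkernel vmlinuz-linux cryptdevice=/dev/sda6:cr_sda6 root=/dev/mapper/system-root ro\n' > "$dir/good.lst"
    printf 'kernel vmlinuz-linux cryptdevice=/dev/sda6:cr_sda6 root=/dev/mapper/system-root ro\nkernel vmlinuz-linux root=/dev/mapper/system-root ro\n' > "$dir/bad.lst"
    printf '%s\n' "$dir"
}
```

On a real system, run it as e.g. `check_kernel_lines /boot/grub/menu.lst /dev/sda6 cr_sda6` with your own device and mapper names.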

If you mess up

If you don’t do the editing of “/etc/mkinitcpio.conf” correctly, your system will probably be unusable.  If you miss one of the other steps it is probably recoverable.  You should be thrown into a shell during boot.  Within that shell you can activate the needed partitions.  The “cryptsetup” and “lvm” commands should be available.  You won’t be able to use “vgscan” or “vgchange”, but you can do the equivalent with “lvm vgscan” and “lvm vgchange” to activate the virtual devices as needed.  Exiting from the temporary shell should then continue the boot.

Once the system is booted, you should be able to correctly edit “/etc/rc.conf” and “/boot/grub/menu.lst”.  Then run “mkinitcpio” to rebuild the “initrd” images.


About Neil Rickert

Mathematician and computer scientist who dabbles in cognitive science.
