Arch linux with an encrypted LVM
In an earlier post, I described my initial experience with arch linux. But I did not discuss my use of encryption there, planning instead to separate that out to another post. So here goes.
My test machine had already been set up with an encrypted LVM for use with opensuse. I naturally wanted to continue with that arrangement when testing arch. I had a couple of false starts along the way, but it was easy enough once I knew what I was doing.
The arch installer has no direct support for already encrypted partitions. It expects the encrypted partitions to have been unlocked, and their contents made available as devices, before the installer is started.
Immediately on booting the install system (I used a USB for that), I was placed in a root shell session, with a message displayed that I could start the install with
when I was ready. At that point, I had to make the encrypted LVM available. So I did:
cryptsetup luksOpen /dev/sda6 cr_sda6   # enter the passphrase when prompted
vgscan
vgchange -a y system                    # "system" is the name of my LVM2 volume group; I could have omitted it from the command
At this stage, the volumes in my encrypted LVM were now all available as devices, and the installer would list those devices during the hard disk preparation section of the install.
I proceeded with installation, which included configuring the volumes from the LVM volume group.
At the configuration stage of the install, there are several files to edit, and some of those are relevant to encryption. The most important of these is “/etc/mkinitcpio.conf”. I looked for the “HOOKS=” line (the version that is not commented out) and inserted “encrypt lvm2” just in front of “filesystems” on that line. The order matters: “encrypt” has to come before “lvm2”, so that the volume group is scanned on the decrypted mapping rather than on the raw partition, and both have to come before “filesystems”, which is the hook that mounts the root volume.
This is the most important step. It ensures that the encryption and LVM software is available during boot (in the “initrd” image). Without it the initrd cannot unlock the partition or find the root volume, so the system will not boot and you might end up reinstalling.
The second important file to edit during install is “rc.conf”. Look for the line containing “USELVM”. Make sure that it is set as
Those are the only changes needed during the configuration stages of install.
The remaining change is needed at the boot loader stage of the install. At this stage you are thrown into an edit session on the “menu.lst” file (GRUB legacy). Look for the kernel line. In my case, the kernel line, before editing, was:
kernel vmlinuz-linux root=/dev/mapper/system-root ro
I changed that to
kernel vmlinuz-linux cryptdevice=/dev/sda6:cr_sda6 root=/dev/mapper/system-root ro
and note that there were two similar kernel lines, so I changed both. Here “/dev/sda6” is the LUKS encrypted partition, and “cr_sda6” is the name under which the decrypted device appears (as “/dev/mapper/cr_sda6”) once the initrd has unlocked it; the “root=” entry can then refer to the LVM volume inside it. Change those names to suit your own layout.
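The two configuration edits described above, as an added shell example that is not from the original post: a pair of POSIX sh helpers that apply (and check) the “encrypt lvm2” insertion on the active HOOKS= line of mkinitcpio.conf and the cryptdevice= addition on the menu.lst kernel lines. The helpers work on whatever file path they are given, so they can be tried on copies first; the device /dev/sda6, the mapping name cr_sda6, the sample file contents and the temporary paths are assumptions taken over from the post, not the author's real configuration.

```sh
#!/bin/sh
# Added example, not code from the original post. Helpers that make (and check)
# the two edits the post describes, working on whatever file path they are
# given so they can be tried on copies first. Device/mapping names are assumed.

# Print the active (uncommented) HOOKS= line of an mkinitcpio.conf.
active_hooks_line() {
    grep '^HOOKS=' "$1" | tail -n 1
}

# Succeed only if "encrypt", then "lvm2", then "filesystems" appear in that
# order on the active HOOKS= line: encrypt must run before lvm2 so that the
# volume group is scanned on the decrypted mapping, and both before the
# filesystems hook tries to mount root.
check_hooks() {
    case "$(active_hooks_line "$1")" in
        *encrypt*lvm2*filesystems*) return 0 ;;
        *) return 1 ;;
    esac
}

# Rewrite the active HOOKS= line so "encrypt lvm2" sits right before
# "filesystems". Existing encrypt/lvm2 entries are dropped first, so running
# this twice leaves the file unchanged. Commented-out HOOKS lines are untouched.
fix_hooks() {
    awk '
    /^HOOKS=/ {
        line = $0; sub(/^HOOKS=/, "", line)
        op = substr(line, 1, 1); cl = op            # keep "..." or (...) style
        if (op == "(") cl = ")"; else if (op != "\"") { op = ""; cl = "" }
        gsub(/["()]/, "", line)
        n = split(line, t, " "); out = ""
        for (i = 1; i <= n; i++) {
            if (t[i] == "encrypt" || t[i] == "lvm2") continue
            if (t[i] == "filesystems") out = out " encrypt lvm2"
            out = out " " t[i]
        }
        sub(/^ /, "", out)
        print "HOOKS=" op out cl
        next
    }
    { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Add cryptdevice=DEV:NAME after the kernel image on every GRUB legacy
# "kernel" line that lacks one (the post had two such lines). Lines that
# already carry cryptdevice= are left alone, so this is also idempotent.
fix_kernel_lines() {
    awk -v cd="cryptdevice=$2:$3" '
    /^[ \t]*kernel[ \t]/ && $0 !~ /cryptdevice=/ {
        sub(/^[ \t]*kernel[ \t]+[^ \t]+/, "& " cd)
    }
    { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Demo on constructed copies of the two files (sample content, not the
# author's real configuration).
demo() {
    d=$(mktemp -d)
    printf '%s\n' '# HOOKS="base"' \
        'HOOKS="base udev autodetect pata scsi sata filesystems usbinput fsck"' \
        > "$d/mkinitcpio.conf"
    printf '%s\n' 'title  Arch Linux' 'root   (hd0,0)' \
        'kernel vmlinuz-linux root=/dev/mapper/system-root ro' \
        'initrd initramfs-linux.img' 'title  Arch Linux Fallback' \
        'kernel vmlinuz-linux root=/dev/mapper/system-root ro' \
        'initrd initramfs-linux-fallback.img' > "$d/menu.lst"
    check_hooks "$d/mkinitcpio.conf" && echo "hooks already ok" || echo "hooks missing, fixing"
    fix_hooks "$d/mkinitcpio.conf"
    fix_kernel_lines "$d/menu.lst" /dev/sda6 cr_sda6
    active_hooks_line "$d/mkinitcpio.conf"
    grep '^kernel' "$d/menu.lst"
    rm -rf "$d"
}
demo
```

Run check_hooks against the real /etc/mkinitcpio.conf before rebuilding the initrd; a failing check is exactly the situation the post warns leaves the system unbootable. The kernel-line helper deliberately edits every uncommented kernel line, because the fallback entry needs the same cryptdevice= parameter as the normal one.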
If you mess up
If you do not edit “/etc/mkinitcpio.conf” correctly, your system will probably be unusable. If you miss one of the other steps it is probably recoverable. You should be thrown into a shell during boot. Within that shell you can activate the needed partitions. The “cryptsetup” and “lvm” commands should be available. You won’t be able to use “vgscan” or “vgchange” directly, but you can do the equivalent with “lvm vgscan” and “lvm vgchange” to activate the virtual devices as needed. Exiting the temporary shell should then continue the boot.
Once the system is booted, you should be able to correctly edit “/etc/rc.conf” and “/boot/grub/menu.lst”. Then run “mkinitcpio” (with the kernel preset, “mkinitcpio -p linux”) to rebuild the “initrd” images. If the system does not boot far enough to give you a shell, the same repair can be done from the install medium: unlock the partition and activate the volume group with the commands used before the install, mount the root volume, chroot into it, fix the files, and run “mkinitcpio -p linux” there.