Arch Linux: LVM on top of an encrypted partition

Introduction
Here, I'm describing how to set up full disk encryption using dm-crypt combined with logical volumes with Arch Linux. Most people use encryption to avoid physical access to their data by people who aren't explicitly allowed. It makes quite much sense to set up encryption at a notebook in case it's getting lost or stolen - the finder/thief has the hardware but not your data! For this scenario, it is not necessary to have all copies of that data encrypted because you usually keep the copies on a safe place (i.e. if you are using a home server for backups). In the other case, if you explicitly don't want anybody to access your data at any time at any place you have to make sure that all copies of the data are either erased or stored encrypted. Also don't forget: A running system which uses full disk encryption is still vulnerable to network/Internet attacks!

There are two ways of setting up an encrypted disk using LVM:
1. Create the LVM and encrypt every volume separately
2. Set up LVM on top of an encrypted partition

The first method is described in the Arch Wiki

I'll explain the second way (which is even easier):

Step 0: Preparing the hard drive
At the start we have to talk about the hard disk. I know, it is mentioned very often but it's important: BACKUP your data before you execute any of the commands below!
After that we can start. To ensure that all sensible data is erased I'd suggest to overwrite the disk first. There are two options to erase data:
1. Overwrite with zeros
2. Overwrite with random data

In our case the second is the method of choice. This is because we are going to store data on the disk and in most cases the disk won't get full. The main point is here, that someone could see where your encrypted data ends because of the zeros at the end - an ideal starting point for an attack.
The command to overwrite the disk with random data is:

dd if=/dev/urandom of=/dev/HARDDRIVE

This can take quite long depending on the size of your disk. Then we can setup the partitions, where we have to mention that we need at least one boot partition (~150 MB) and a partition for the LVM.
pic3
The partitioning can be done with cfdisk. Don't forget to select "Write" before "Quit" and to mark the boot parition as "Bootable".
Now, we are going to set up the encryption and the LVM.
From now on, we call the partition where we want to have the encrypted LVM on /dev/sda2 and the boot partition /dev/sda1.

Step 1: Encryption
To encrypt /dev/sda2 we can use the following commands:

Load the encryption module:
modprobe dm-crypt

Set up encryption (aes-xts-plain is just a suggestion):
cryptsetup -c aes-xts-plain -y -s 512 luksFormat /dev/sda2

To explain what it does:
-c is for the chiper algorithm (which is lrw)
-y is for typing in passphrase a second time (as confirmation)
-s is the length of the key (whereas in our case (lrw) just 256 are used)
pic6
Now we have to access the encrypted volume:

cryptsetup luksOpen /dev/sda2 lvm

Of course, all the steps above work as well with different settings and a different chiper algorithm.

Step 2: LVM
First of all we have to initialize the physical volume (in our case the reference to the encrypted volume) and create a volume group:

lvm pvcreate /dev/mapper/lvm
lvm vgcreate vgroup /dev/mapper/lvm

You can adjust the following commands to your needs but be aware that you need at least a root and a swap partition. The command lvm lvcreate adds logical volumes to the volume group we just created:

lvm lvcreate -L 2GB -n root vgroup
lvm lvcreate -L 512MB -n swap vgroup
lvm lvcreate -L 512MB -n tmp vgroup
lvm lvcreate -l 100%FREE -n home vgroup
arch1

Step 3: Installation and configuration of Arch Linux
IMPORTANT: If you changed your keyboard layout by using the "km"-command you have to follow the KEYMAP instructions below. If you are using standard us keyboard layout, you can ignore these instructions!

Start the Arch installer:

/arch/setup

-> Prepare Hard Drive -> Set Filesystem Mountpoints

First, you have to choose the mountpoints of / (root) and /swap. The other mountpoints are not mandatory but we already set up partitions for /home, /tmp and /boot. It is important to understand that the boot partition has to be unencrypted, so we choose /dev/sda1 in our case. Then you can install Arch. There is an installation guide in the Arch Wiki.
arch2
pic7

After install we have to alter several configuration files:

/etc/rc.conf
Set USELVM="no" to USELVM="yes"
KEYMAP: Change the KEYMAP field to the same as you chose with command "km". You can find a list of available KEYMAPS at the Arch Wiki. The extension ".map.gz" should be removed.
arch5-mod

/etc/mkinitcpio.conf
Alter this line:
HOOKS="base udev autodetect pata scsi sata filesystems"
to this:
HOOKS="base udev autodetect pata scsi sata encrypt lvm2 filesystems"

It is important that encrypt is loaded BEFORE lvm2.

KEYMAP: Add keymap BEFORE encrypt:
HOOKS="base udev autodetect pata scsi sata keymap encrypt lvm2 filesystems"
arch4-mod
/boot/grub/menu.lst
Then, before installing grub you have to change the file /boot/grub/menu.lst at two points:
Add "cryptdevice=/dev/sda2:vgroup" between "root=..." and "ro" in the paragraphs "Arch Linux" and "Arch Linux Fallback"
pic1
Then install the bootloader to /dev/sda

You can exit the installer now and restart with a fully encrypted system (except boot partition). No further changes are necessary.
arch6-mod

And remember:

(Source: http://xkcd.com/538/)

Changelog:
- 6th June 2009: Added new screen shots, added the KEYMAP part (thanks to Jean's hint!) and altered the structure.

- 18th September 2012: Changed suggested cipher from aes-lrw to  aes-xts (thanks to Stephen).

[del.icio.us] [Digg] [Facebook] [Google] [Mister Wong] [Yahoo!] [Email] More »

Verfasst von fensterplatz am Februar 27th, 2009
Abgelegt unter Allgemein, Linux, Technik | Kommentare (46)

46 Responses to “Arch Linux: LVM on top of an encrypted partition”

  1. Pierre on März 19, 2009 12:48

    Mate...I can not thank you enough for sharing this. I have been battling with this for three weeks now, and now I can see where I got it wrong.
    Thank you.

  2. Lathqe on März 26, 2009 20:23

    Thanks for this guide! I can't seem to boot, though. I'm getting this error message:
    Error 14: Filesystem compatibility error, cannot read whole file.
    Any ideas?

  3. fensterplatz on März 28, 2009 14:42

    Hi Lathqe,

    what kind filesystem did you choose for boot, home and swap partitions (e.g. ext3)? Usually this error occurs if a file is bigger than the filesystem. Maybe you chose a wrong size for the boot partition (should be at least 150 MegaByte).

  4. soldiar on März 31, 2009 14:27

    Hello,

    thanks for this tutorial. It's much more easy to setup this way. Great.

    I'm starting to use arch linux (I'm an ex Debian/Ubuntu user) and this interests me very much.

    I'm having problems to boot. The system boots, asks for the passphrase and then gives an error:

    Enter LUKS passphrase:
    padlock: VIA PadLock not detected.
    Enter LUKS passphrase:

    I'm using the benbi cipher as is explained here. Do I need to add a module or something? Don't we need to edit /etc/crypttab? I did encrypt the partition and then create the lvm group and volumes before starting /arch/setup.

    Can you say why is this happening? Thanks in advance.

  5. soldiar on März 31, 2009 15:54

    err... I was trying to install to an extended partition (/dev/sda6).

    I tried this again in a vbox vm using an entire disk and it worked like a charm (the padlock message appears after typing the passphrase but the kernel boots anyway).

    I'm going to try again using only primary partitions on my disk.

    Thank you for this.

  6. fensterplatz on März 31, 2009 16:25

    > Don’t we need to edit /etc/crypttab?

    crypttab is there to map keys and partitions. So if you created a key randomly and stored it to a file (like in arch-wiki) you have to map the partiton (eg. /dev/sda1) to the file containing the key. We don't need crypttab for the reason that we don't store a key to a file. There is to say, that with our method, the passphrase should be long (>20 characters) and well chosen.

    I get the padlock message, too. It's just a note that padlock support couldn't be enabled (I don't think you have a VIA processor). For more information: http://www.via.com.tw/en/initiatives/padlock/hardware.jsp

  7. lathqe on März 31, 2009 21:50

    Sorry to delay in responding.
    My initial problem was one of not pointing it to the right HD. (read: "noob") Ok, so I pointed GRUB to sda, but then I ran into more problems, further down the process.

    So to back up and take it from the top:
    I'm trying to do this on a SD card on my eee701 (I have my own slimmed-down ubuntu with LXDE on the internal, and I'm wanting to start to move toward Arch. I'm in a situation that demands full encryption on everything, so my OS choices are a bit more limited.)

    So in the initial install I told it to install to sdb (because that's what the SD was at the time), but now it thinks it's sda because I booted to it.

    I did the "edit" option from within grub and changed it to see hd0 and sda, and then it got past the first error I mentioned...

    Now, however, it gets hung up because it "Failed to parse block device name for '/dev/mapper/vgroup-root' unknown" etc. etc. Somehow it's not allowing me to unlock that ("enter my passphrase").

    Thanks for your help

  8. lathqe on März 31, 2009 21:54

    and of course I failed to answer your primary question.
    it's just one boot partition of 150 or 200meg (don't remember) and the rest is used for the encrypted chunk - all just as / - and I did this a couple times, so I don't remember if I ended up with ext2 or ext4 (I tried it both ways). No swap

  9. fensterplatz on April 1, 2009 23:36

    ERROR: Failed to parse block device name for '/dev/mapper/vgroup-root'
    unknown
    ERROR: root fs cannot be detected...

    This indicates that you forgot to add "cryptdevice=/dev/sda2:vgroup" between "root=…" and "ro" in /boot/grub/menu.lst

    Of course you have to adjust the device and volume group.
    This is also described in Step 3 of the tutorial.

  10. soldiar on April 2, 2009 05:27

    Just to say that I was wrong about extended partitions. You can use extended partitions (/dev/sda5 and beyon) with this tutorial, I've just confirmed it.

    My original problem was that I'm using a non-us keyboard and somehow, on boot, when the passphrase is asked, the keyboard isn't set to non-us yet. So beware with non-alphabatical keys in non-yankees keyboards when you are sure about the passphrase (doesn't happen on windows and debian, both encrypted, installed on the same computer, so it's an arch problem/misconfiguration, still have to verify).

    So, great tutorial, fensterplatzm, thanks. It allows me to have several encrypted OS and several partitions on the same PC.

  11. jean on Mai 16, 2009 02:51

    As regards non-us keyboards, you just have to add the "keymap" hook before the "encrypt" one.
    I use a dvorak keyboard and it worked fine.
    Also, set the right keymap in rc.conf

  12. fensterplatz on Juni 6, 2009 19:28

    Thanks Jean! I added the KEYMAP part as most people don't use standard us-layout.

  13. Name on Juli 12, 2009 02:56

    If you are using an USB keyboard, you will need to add MODULES to /etc/mkinitcpio.conf and regenerate your initcpio to be able to enter the passphrase:

    MODULES="usbcore uhci_hcd ehci_hcd hid usbhid"

    You might be able to trim that list but once working I stopped testing.

  14. Dieter Plaetinck on August 27, 2009 18:26

    Note that all of this is not needed anymore with the new installer. AIF supports lvm and dm_crypt out of the box.
    It could be that you still need to update crypttab yourself but that should be it. If you find anything that doesn't work on can be improved with aif, just report a bug.

    Dieter

  15. Anonymous on September 17, 2009 18:05

    hi, I liked your article a lot
    but I had a problem with your dd comand, it was slow as hell
    I tried a if=/dev/urandom and with that it was a lot quicker to fill the disk with randomness
    you should compare the output speed of 'cat /edv/random' versus the speed of 'cat /dev/urandom', the later spit garbage at a faster rate

  16. fensterplatz on September 18, 2009 00:01

    Hi

    >hi, I liked your article a lot

    thanks!

    >but I had a problem with your dd comand, it was slow as hell
    >I tried a if=/dev/urandom and with that it was a lot quicker
    >to fill the disk with randomness
    >you should compare the output speed of ‘cat /edv/random’
    >versus the speed of ‘cat /dev/urandom’, the later spit
    >garbage at a faster rate

    I've always referred to the /dev/urandom command, so I guess this is just a misunderstanding on your side.

    Thanks for your comment anyway!

  17. Anonymous on September 18, 2009 17:48

    you are right it's my mistake, I guess that happens when you read too fast :P
    on a side note, using /dev/urandom it took me like 20 hours for my 320gb on my laptop, at the pace /dev/random was taking it would have taken over a thousand days to fill the same disk!

  18. paul on Oktober 12, 2009 10:40

    What an excellent guide! I printed it out and used this a couple of days ago to reconfigure my laptop and it went like a dream.

    thanks

  19. solsTiCe on Dezember 14, 2009 00:52

    i would suggest using frandom for filling partition before encryption. it is faster then /dev/urandom

    look at frandom at AUR.
    once installed, run /etc/rc.d/frandom start
    and then use /dev/frandom to dd your partition

  20. JD on Januar 28, 2010 01:05

    I'm a bit confused.
    A separate boot partition has been created (sda1) but you say to install the boot loader to sda (the MBR right?) is this a typo.
    I don't understand the point of an /boot partition if GRUB is being installed to sda.

    Any help would be appreciated as I installed GRUB to sda1 (like I normally do when using encrypted *partitions* [I'm new to LVM]) and I can't boot to grub (black blinking dot appears) and so I have to use the GRUB on a USB to boot my harddrive.

  21. fensterplatz on Januar 31, 2010 14:16

    Hi JD,

    This is a mistake that took me some while as well. Installing Grub on a disk means to which disk's MBR the link to the bootloader is written. The files needed for boot are automatically written to the partition which is currently mounted as /boot (the mounting is done earlier). By "installing" Grub to /dev/sda1, the MBR of /dev/sda is not changed and the system won't boot Grub.

    Hope that this explanation helps.

    fensterplatz

  22. johannes on März 26, 2010 10:13

    Hi, I tried to follow the installer with plain dm-crypt volumes without LVM. Everything works fine, but I don't know how to modify the grub: menu.lst
    I have 2 hard drives,
    /dev/sda1 = /boot (no dm-crypt)
    /dev/sda5 = / (dm-crypt) label: sda5crypt
    /dev/sdb1 = /home (dm-crypt) label: sdb1crypt

    I tried several options in the menu.lst, but I didn't succeed. Any proposals?

    Thanks.

  23. fensterplatz on März 26, 2010 12:54

    have u tried something like: "root=/dev/sda5 cryptdevice=/dev/sda5" or "root=/dev/sda5 cryptdevice=/dev/sda5:"?

  24. johannes on März 26, 2010 16:19

    Hi, yes I tried both versions, didn't work. I looked at the /etc/crypttab and the /etc/fstab and the installer didn't touch these files either. I didn't find a file (like in debian) /etc/default/cryptdisk
    I created the files, but I still can't get into my system, it won't boot.

    Thanks for your help

  25. JD on Mai 25, 2010 18:05

    I'm new to LVM, but how would I go about splitting a hard drive as follows:
    I would like a partition for Arch Linux, which is split up into 5 volumes (/,/var,/home,swap, and /tmp) which is encrypted with one key.

    I would then like another partition for my data, which is split up into 4 volumes (music, vidoes, pictures, documents) which is encrypted with a different key.

    And, another 2 paritions, for the installation of backtrack and debian each of which are encrypted with a different key for each.

    So in essence, I have 4 partitions (well 5 including my boot partition), and each of these partitions are encrypted with different keys, and split up into volumes.

    How would I go about implementing this?
    Would I need to create multiple physical volumes (pvArch, pvData, pvBacktrack, pvDebian), or just one phsyical volume with multiple volume groups.
    Thanks.

  26. vio on Juni 16, 2010 22:30

    Well, nice tut, but....

    Using the following setup i have some problem booting into the system:

    sda1 > /boot
    sda2 > dm_crypt (sda2crypt)
    sdb1 > dm_crypt (sdb1crypt)

    I have a lvm volume group using both crypted partitions as physical volumes, which contains several logical volumes - one of those is the root partition.

    How can i tell the Kernel at boot-time to decrypt BOTH luks partitions (by keyfile) in order for lvm to be able to work?

    Currently just one of the crypted partitions is opened via keyfile/passphrase - then the system drops into a recovery shell: if i decrypt the second partition manually and do a pvscan and vgchange -ay , then exiting the recovery shell the system continues booting as expected.

    thx for your help in advance ;)

  27. vio on Juni 16, 2010 23:52

    hmmm... seems i have found the reason: The 'encrypt' hook-script is not capable handling multiple crypted partition at once - I will rework it myself (and maybe submit a patch: using volume groups consisting of several PVs HAS to be possible at all...)

  28. Mervyn on Juni 22, 2010 11:35

    Thanks for your guide, really nice. But I've discovered a point which differs from the howto on wiki.archlinux.org(http://wiki.archlinux.org/index.php/LUKS).

    The Arch guide said, "...In /etc/rc.conf set USELVM="yes" In /etc/mkinitcpio.conf add lvm2 before encrypt in the HOOKS variable if you set up LVM on top of the encrypted partition."

    That's where I got confused. It doesn't make sense. Actually, I'm new to LVM and dm-crypt so I did as what the official guide on their release iso said--encrypt before lvm2, which is generated by the aif program. However I get the error saying "no key available with this passphrase" when booting the new installation. I wonder if it is really needed to add lvm2 before encrypt or the problem was just caused by wrong settings. Anyway, I'll keep trying to find it out.

  29. AE on September 30, 2010 22:25

    I'm thinking of doing this on my ppc machine. I'm guessing that I need to make additions to /etc/yaboot.conf (comparable to editing /boot/grub/menu.lst, I suppose). What do I need to put in there?

  30. Kyle Reid on Januar 10, 2011 04:01

    Thanks for this, after a day of setting up the encryption method off the arch wiki and breaking it repeatedly playing with mkinitcpio for early user land framebuffer support I found this in the discussion page. Clean straightforward and concise, thanks!

  31. Der mit dem Tux tanzt on Februar 15, 2011 22:08

    Thank you very much. Works perfectly. Should be on Arch wiki.

    Keep up the good work. :)

  32. Stella on Juli 7, 2011 20:29

    Was totally stuck until I read this, now back up and rnuinng.

  33. Robbie on Juli 7, 2011 21:45

    I relaly wish there were more articles like this on the web.

  34. Marilu on Juli 8, 2011 02:47

    I sraeched a bunch of sites and this was the best.

  35. Dotty on Juli 9, 2011 14:44

    HHIS I should have thoguht of that!

  36. ignotus on September 23, 2011 05:26

    I've followed your directions to the letter, twice, both times with the same result.

    kernel /vmlinuz26 root=/dev/mapper/vgroup-root cryptdevice=/dev/sda6:vgroup ro

    Error 15: File not found

    Anyone else have this problem?

  37. Duxon on November 11, 2011 07:06

    Since kernel 3.1 we can optionally activate TRIM support for SSDs using dm-crypts parameter '--enable-discards'. Where do I have to put this command in order to open my device with TRIM using your guide?

    See here: http://www.redhat.com/archives/dm-devel/2011-October/msg00134.html

    Very nice work btw, helped me a lot!

  38. T Buitenhuis on Dezember 9, 2011 14:42

    I ended up with this:

    (etc etc)
    :: Running Hook [udev]
    Triggering uevents... done
    :: Running Hook [encrypt]
    Waiting 10 seconds for device /dev/mapper/vgroup-root ...
    :: Running Hook [lvm2]
    Activating logical volumes...
    No volume groups found
    Waiting 10 seconds for device /dev/mapper/vgroup-root ...
    ERROR: Unable to determine major/minor number of root device '/dev/mapper/vgroup-root'.
    You are being dropped to a recovery shell
    (etc etc)

    The passphrase was never asked for.

    The differences: I created swap before /, and I used aes-xts-plain64 with cryptsetup. Neither should be a problem :/

    Help?

  39. chris on Januar 29, 2012 10:57

    badass. really simple, but you wouldn't have known it until you see it spelled out like you did here.

    I had the right idea, but the order of operations was tough because I knew that I wanted lvm on top of luks, but wasn't sure what the proper order of steps was.

    Thanks a lot!

  40. Anon on Februar 5, 2012 00:07

    Thanks a ton for this guide you should put it in the arch wiki!!

  41. Anon on Februar 5, 2012 00:10

    Awesome howto! Should for sure be added to the archlinux wiki.

  42. Stephen Tanner on August 22, 2012 13:49

    Just thought you might want to know, LRW has been mostly replaced by XTS due to security concerns.

    https://en.wikipedia.org/wiki/Disk_encryption_theory#Liskov.2C_Rivest.2C_and_Wagner_.28LRW.29

    cryptsetup -c aes-xts-plain -y -s 512 luksFormat /dev/sda2

  43. Stephen Tanner on August 22, 2012 14:04

    **Correction**
    cryptsetup create -c aes-xts-plain -y -s 512 luksFormat /dev/sda2

  44. Stephen Tanner on August 22, 2012 15:15

    Actually, ignore previous two posts.

  45. Chargeling on November 6, 2012 18:59

    I'm running a similar setup and I'm a little dissatisfied by the reaction time. ls can take more than a second if the folder hasn't been accessed for a longer time. (ecryptfs felt a lot 'jumpier', I didn't really like the idea behind it though.) Is there anything I could do about that?

    Oh, and as we have seen, /dev/urandom isn't necessarily as secure as /dev/random. It probably won't have any effect, though.

  46. LVM on LUKS on Raid1 on Arch Linux on November 19, 2012 18:47

    [...] gleaned gratefully from other sources; principally the Arch Wiki entries on LUKS and LVM and this helpful blog post. This post (and the next) are notes to remind me how I got here and, in the follow-up, what I need [...]

Trackback URI | Comments RSS

Leave a Reply

Name (erforderlich)

Email (erforderlich)

Website


Speak your mind