arch-luks-on-lvm.sh
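#
# Using LUKS on LVM is different than LVM on LUKS.
# With LUKS on LVM each logical volume is its own LUKS container, so the LVM
# metadata (volume group / volume names and sizes) stays readable on disk;
# only the contents of each volume are encrypted.
#
# Idea: create the encrypted root system and unlock it with a passphrase, then
# use a key file stored on that encrypted root to unlock the other volumes.
# So for the initial install, do this instead of the above.
#
# These are commands to run as root, step by step; they are destructive for
# /dev/sda3 and /dev/sdb1. The `vi` steps are manual edits and there is a
# reboot between the root setup and the /home setup.
#
# load the device-mapper module
modprobe dm-mod
#
pvcreate /dev/sda3
vgcreate lvm /dev/sda3
lvcreate -l 100%FREE -n root lvm
# Options take two ASCII hyphens ("--"); the typographic dash the page showed
# is not parsed as an option by cryptsetup.
cryptsetup --verify-passphrase luksFormat /dev/lvm/root
# The mapping is named "root" so it matches cryptdevice=...:root and
# root=/dev/mapper/root in the boot loader line below.
cryptsetup open --type luks /dev/lvm/root root
# Format and mount the *opened* mapping, never /dev/lvm/root itself: running
# mkfs on the raw logical volume overwrites the LUKS header and leaves an
# unencrypted filesystem behind.
mkfs.ext4 /dev/mapper/root
mount /dev/mapper/root /mnt
# a bit different in mkinitcpio: in HOOKS, use "lvm2 encrypt" (instead of the
# reverse), because the logical volume must exist before it can be unlocked
# NOTE(review): the initramfs has to be regenerated after this edit for the
# new hook order to take effect - confirm against your install procedure.
vi /etc/mkinitcpio.conf
# your boot loader is also a bit different:
#   GRUB_CMDLINE_LINUX="cryptdevice=/dev/lvm/root:root root=/dev/mapper/root"
vi /etc/default/grub
# once you reboot, let's create a new encrypted /home partition
# first make the /home key file; the directory is root-only (0700)
mkdir -m 700 /etc/luks-keys
# bs=1 count=256 reads exactly 256 bytes even if /dev/random returns short reads
dd if=/dev/random of=/etc/luks-keys/home bs=1 count=256
# The key file is the only secret protecting /home: make it read-only for root.
# It is protected at rest only because it lives on the encrypted root volume,
# so keep it out of backups and images that are stored unencrypted.
chmod 400 /etc/luks-keys/home
# now create the partition
pvcreate /dev/sdb1
vgextend lvm /dev/sdb1
lvcreate -l 100%FREE -n home lvm
# now encrypt it, using the key file instead of a passphrase
cryptsetup luksFormat -v -s 512 /dev/lvm/home /etc/luks-keys/home
cryptsetup -d /etc/luks-keys/home open --type luks /dev/lvm/home home
mkfs.ext4 /dev/mapper/home
mount /dev/mapper/home /home
# now add "home /dev/lvm/home /etc/luks-keys/home"
vi /etc/crypttab
# finally, add it to fstab
blkid /dev/mapper/home
# take the UUID and create the line: UUID="SOMENUMBERS" /home ext4 defaults 0 2
vi /etc/fstab
reboot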