Changing Distributions

$\"cover\"$

Index

8. Salix on Luks

8.1. Intro

If you have a laptop that you take with you some of the time, you will want harddisk encryption. On Linux systems, that can be done with LUKS. However, the installation process of Salix does not offer these facilities. Furthermore, the installation process is simplified, so it is not that easy to insert specific steps.

First of all, it is assumed that you have a Salix install image, so I won't go into the download of Salix. Second, you need a computer to test with. I first tested this on a virtualbox, and it is a wise approah to test is before disabeling all your computers.

8.2. Installation

After the boot, you will get some screens that ask for keymaps etc. Then you get:

Select "Exit installation" here. You will be greeted with a prompt.

8.2.1. Partitioning the disk

First we will be partitioning the harddrive in two partitions:

An unencrypted partition to boot from
A partition that contains the encrypted volume group

In my virtualbox set-up, the installable disk is /dev/sda and at the beginning it is completely empty.

Start fdisk /dev/sda and type:

n (for a new partition)
p (for a primary partition)
1 (the first)
press enter for the default first sector
+500M to create a partition of 500M
a (to make the partition bootable)
n to make the second partition
enter to accept all the defaults. This will create a partition for the rest of the disk.
w to write the partition table to the disk.

If you are paranoid, you will probably take the time to write random bytes to your encrypted partition here. This is a good step to keep forensics people in the dark, but it takes time, so if you do a virtualbox test, you might skip that step.

dd if=/dev/urandom of=/dev/sda2

8.2.2. LVM and Luks

The second partition will be an encrypted volume group, with two logical volumes, root and swap.

Now we get the partition ready for encryption:

root@salix64:/# cryptsetup -s 256 -y luksFormat /dev/sda2
WARNING!
========
This will overwrite data on /dev/sda2 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
root@salix64:/#

Next, we'll open the encrypted partition with:

cryptsetup luksOpen /dev/sda2 slackcrypt

This will open a partition /dev/mapper/slackcrypt that can be accessed as unencrypted.

On this partition, we'll create a physical volume group with:

pvcreate /dev/mapper/slackcrypt

and a volumgroup:

vgcreate cryptvg /dev/mapper/slackcrypt

And in that volumegroup a number of logical volumes:

lvcreate -L 25G -n root cryptvg
lvcreate -L 5G -n swap cryptvg

You will adjust the size to your specific situation.

The stuff we created need some nodes to find everything back:

vgscan --mknodes
vgchange -ay

And we'll created the swap-space:

mkswap /dev/cryptvg/swap

8.2.3. Install Salix

Now, we'll restart the set-up menu:

setup

In the screen for the PARTITIONS EDITOR, don't select any partitions, but just select Go.

Setup will detect the swap-space /dev/cryptvg/swap so you might as well enable it.

For the root filesystem, select /dev/cryptvg/root because that will be your LVM root partition. Format it (I usually format as ext4fs).

Next, add /dev/sda1 as /boot because you will boot from an un-encrypted partition. Format it. And then, select done. Your partition table will look like this.

The rest of the install is the standard Salix install. Because that is so simplified, that it won't need any explanation. After a while, you will come to the screen

Select Expert and then Begin; accept a number of defaults, until you get to the screen SELECT LILO TARGET LOCATTION. As target, select MBR, select /dev/sda and choose your delay.

Now you have to select “Linux: Add a linux partition …” and select /dev/cryptvg/root to boot. (Yes, /dev/cryptvg/root not /boot ) As Partition name, you might use "Salix". Once that’s been selected, install lilo. It may throw a warning.

There are a number of additional steps in the standard installation:

hardware clock
timezone
numlock
user setup
etcetera

until you reach:

where we choose Exit to command line.

8.2.4. Fix boot

Now we have to fix lilo because of our encryption scheme. First of all, run this:

chroot /mnt

Find out which kernel you are installing with

ls /lib/modules

It will be someting like 3.10.17 or 4.4.14. Next type:

mkinitrd -c -k *insert kernel number* -m *insert ROOT file system type 
here* -f *insert root file system type here* -r /dev/cryptvg/root -C 
/dev/sdx2  -L

For me (Salix 14.2), that was:

mkinitrd -c -k 4.4.19 -m ext4 -f  ext4  -r /dev/cryptvg/root -C /dev/sda2  -h /dev/cryptvg/swap -L

The -h should allow hybernation.

Edit Lilo's config-file

vi /etc/lilo.conf

and make the image-section look like:

image = /boot/vmlinuz
  initrd = /boot/initrd.gz
  root = /dev/cryptvg/root
  label = Salix
  read-only
  append = "vt.default_utf8=0 resume=/dev/cryptvg/swap"

Check with ls /boot if the image and initrd are there. Run

lilo

and reboot.

The boot process will throw some error messages about modules that cannot be loaded. I'm working on how they should be solved. But the boot process will ask for the passphrase to unlock the encrypted volume, and, when the passphase is given, it will present the system on the encrypted volume.

Previous: 7. Conclusion

Index