8. Salix on Luks
If you have a laptop that you take with you some of the time, you will want
harddisk encryption. On Linux systems, that can be done with LUKS. However,
the installation process of Salix does not offer these facilities. Furthermore,
the installation process is simplified, so it is
not that easy to insert specific
First of all, it is assumed that you have a Salix install image, so
I won't go into the download of Salix. Second, you need a computer
to test with. I first tested this on a virtualbox, and it is a wise
approach to test it before disabling all your computers.
After the boot, you will get some screens that ask for keymaps etc.
Then you get:
Select "Exit installation" here. You will be greeted with a prompt.
8.2.1. Partitioning the disk
First we will be partitioning the harddrive in two partitions:
In my virtualbox set-up, the installable disk is /dev/sda and at the beginning
it is completely empty.
n (for a new partition)
p (for a primary partition)
1 (the first)
press enter for the default first sector
+500M to create a partition of 500M
a (to make the partition bootable)
n to make the second partition
enter to accept all the defaults. This will create a partition for the rest of the disk.
w to write the partition table to the disk.
If you are paranoid, you will probably take the time to write
random bytes to your encrypted partition here. This is a good step
to keep forensics people in the dark, but it takes time, so
if you do a virtualbox test, you might skip that step.
dd if=/dev/urandom of=/dev/sda2
8.2.2. LVM and Luks
The second partition will be an encrypted volume group, with
two logical volumes, root and swap.
Now we get the partition ready for encryption:
root@salix64:/# cryptsetup -s 256 -y luksFormat /dev/sda2
This will overwrite data on /dev/sda2 irrevocably.
Are you sure? (Type uppercase yes): YES
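The -s 256 above sets the master key size. With an XTS cipher mode that key is split into a data half and a tweak half, so 256 bits gives AES-128 and -s 512 gives AES-256. As an added example (not part of the original guide), this helper reads `cryptsetup luksDump` output in the LUKS1 text layout and reports the effective strength; the function name, the minimum-bits argument and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide.
# Real use, after luksFormat:  cryptsetup luksDump /dev/sda2 | luks_strength 256
# Assumes the LUKS1 text layout of luksDump ("Cipher name:", "Cipher mode:", "MK bits:").

# luks_strength [min_bits]
#   Reads a luksDump on stdin and prints "<cipher>-<mode> mk=<bits> effective=<bits>".
#   Exit status: 0 = effective strength >= min_bits (default 128),
#                1 = below min_bits, 2 = cipher fields not found.
luks_strength() {
    min_bits=${1:-128}
    awk -v min="$min_bits" '
        /^Cipher name:/ { name = $NF }
        /^Cipher mode:/ { mode = $NF }
        /^MK bits:/     { bits = $NF + 0 }
        END {
            if (name == "" || mode == "" || bits == 0) {
                print "error: no LUKS1 cipher fields found"
                exit 2
            }
            # XTS uses half of the master key for data and half for the tweak,
            # so the effective cipher key is half of "MK bits".
            eff = (mode ~ /^xts/) ? bits / 2 : bits
            printf "%s-%s mk=%d effective=%d\n", name, mode, bits, eff
            exit ((eff >= min + 0) ? 0 : 1)
        }'
}

# Constructed, trimmed sample of a luksDump for a volume formatted with -s 256.
SAMPLE_DUMP='LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
MK bits:        256'

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_DUMP" | luks_strength
```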
Next, we'll open the encrypted partition with:
cryptsetup luksOpen /dev/sda2 slackcrypt
This will open the partition as /dev/mapper/slackcrypt,
where it can be accessed unencrypted.
On this partition, we'll create a physical volume with:
and a volume group:
vgcreate cryptvg /dev/mapper/slackcrypt
And in that volume group a number of logical volumes:
lvcreate -L 25G -n root cryptvg
lvcreate -L 5G -n swap cryptvg
You will adjust the size to your specific situation.
The volumes we created need device nodes so that they can be found again:
And we'll create the swap space:
8.2.3. Install Salix
Now, we'll restart the set-up menu:
In the screen for the PARTITIONS EDITOR, don't select any partitions, but
just select Go.
Setup will detect the swap-space
so you might as well enable it.
For the root filesystem, select
because that will be your LVM root partition. Format it (I usually
format as ext4fs).
because you will boot from an un-encrypted partition. Format
it. And then, select done. Your partition table will look like this.
The rest of the install is the standard Salix install. That is
so simplified that it won't need any explanation.
After a while, you will come to the screen
Select Expert and then Begin; accept a number of defaults, until
you get to the screen SELECT LILO TARGET LOCATION. As target,
select MBR, select
and choose your delay.
Now you have to select “Linux: Add a linux partition …” and select
to boot. (Yes,
) As Partition name, you might use "Salix".
Once that’s been selected, install lilo. It may throw a warning.
There are a number of additional steps in the standard installation:
until you reach:
where we choose Exit to command line.
8.2.4. Fix boot
Now we have to fix lilo because of our encryption scheme.
First of all, run this:
Find out which kernel you are installing with
It will be something like 3.10.17 or 4.4.14. Next type:
mkinitrd -c -k *insert kernel number* -m *insert ROOT file system type
here* -f *insert root file system type here* -r /dev/cryptvg/root -C
For me (Salix 14.2), that was:
mkinitrd -c -k 4.4.19 -m ext4 -f ext4 -r /dev/cryptvg/root -C /dev/sda2 -h /dev/cryptvg/swap -L
The -h should allow hibernation.
Edit Lilo's config-file
and make the image-section look like:
image = /boot/vmlinuz
initrd = /boot/initrd.gz
root = /dev/cryptvg/root
label = Salix
append = "vt.default_utf8=0 resume=/dev/cryptvg/swap"
if the image and initrd are there. Run
The boot process will throw some error messages about modules that cannot
be loaded. I'm working on how they should be solved. But the boot process
will ask for the passphrase to unlock the encrypted volume, and, when the
passphrase is given, it will present the system on the encrypted volume.