byte.size...@simplelogin.com wrote:
> Dale wrote:
>> Do you have a link, or several links, on how to set that up? I'd
>> like to read it and may even play with it on one of my old rigs, then
>> maybe on my main rig at some point.
>
> I don't think I have any step-by-step resources at hand but I can
> outline a general "recipe" if that helps.
>
> For LVM, if unfamiliar, I can highly recommend the Gentoo [1] and Arch
> Wiki [2] pages. The former has useful information on boot parameters,
> which I'll get to near the end, and kernel configuration.
>
> But other than getting the initramfs to unlock the LUKS-encrypted
> volume there isn't anything unusual to the set up - it's simply
> combining the two building blocks together.
>
> Let's start with the sample layout I gave earlier:
>
>> /dev/sda
>> ├─ /dev/sda1 : EFI System Partition
>> ├─ /dev/sda2 : /boot partition, not encrypted
>> └─ /dev/sda3 : LUKS crypt container
>>    └─ hello_lvm - LVM Physical Volume and "hello_lvm" Volume Group
>>       ├─ hello_lvm/root : LVM volume, OS / partition
>>       └─ hello_lvm/home : LVM volume, /home partition
>
> The above assumes a GPT formatted drive, but GPT is not a
> prerequisite. If using MBR, there's no need for the /dev/sda1 ESP.
> Everything below, of course, also assumes that it is not done on a
> "live" system and something like the gentoo live install ISO or
> another live distro is used.
>
> 1) /dev/sda2 - format as usual with filesystem of choice, e.g. ext4
> (must be supported by GRUB).
>
> 2) Now for /dev/sda3. Format as LUKS as usual:
>
> # cryptsetup luksFormat /dev/sda3
>
> and supply the unlock password. Any LUKS configuration specifics that
> one might have can also be specified here - e.g. hashing algorithm,
> key size, etc, see cryptsetup-luksFormat(8)
>
> You can now open the LUKS container and call it, e.g. "crypt_gentoo":
>
> # cryptsetup open /dev/sda3 crypt_gentoo
>
> which will show up as "/dev/mapper/crypt_gentoo". This is the now
> unlocked device where LVM will be set up.
>
> 3) "Format" the unlocked device as an LVM Physical Volume:
>
> # pvcreate /dev/mapper/crypt_gentoo
>
> You can confirm LVM can detect it as such by inspecting the output of
>
> # pvdisplay
>
> which should show information about "/dev/mapper/crypt_gentoo", its
> overall size, etc.
>
> 4) Next, create the "hello_lvm" LVM Volume Group (or a name of your
> choice) by passing in the LVM Physical Device where it will be placed:
>
> # vgcreate hello_lvm /dev/mapper/crypt_gentoo
>
> and you can verify that LVM detects it with
>
> # vgdisplay
>
> 5) Create the "root" logical volume, say 30GB, in the target VG:
>
> # lvcreate --size 30G --name root hello_lvm
>
> The device for this volume will appear under "/dev/hello_lvm/root" and
> "/dev/mapper/hello_lvm-root"
>
> 6) Create the "home" volume, and let it occupy all the remaining
> available space:
>
> # lvcreate --extents 100%FREE --name home hello_lvm
>
> The device for this volume will appear under "/dev/hello_lvm/home" and
> "/dev/mapper/hello_lvm-home"
>
> You can check that both volumes are correctly configured with:
>
> # lvdisplay hello_lvm
>
> 7) Format the volumes as usual with a filesystem of choice, e.g. ext4
>
> # mkfs.ext4 /dev/hello_lvm/root
> # mkfs.ext4 /dev/hello_lvm/home
>
> These can now be mounted as usual to a target location, e.g.:
>
> # mount /dev/hello_lvm/root /mnt/gentoo
>
> 8) Skipping forward and assuming that Gentoo is now present on the
> root volume, configuring fstab is nothing special. The UUID entries
> for "/" and "/home" are those of the LVM volumes:
>
> # blkid /dev/hello_lvm/root
> # blkid /dev/hello_lvm/home
>
> e.g.
>
> UUID=<lvm fs uuid> / ext4 defaults 1 1
>
> 9) Ensure the relevant LUKS and LVM tools are available on the Gentoo
> installation, if not already, i.e. "sys-fs/cryptsetup" and
> "sys-fs/lvm2". Add lvm2 to the boot runlevel (chroot will be needed):
>
> # rc-update add lvm2 boot
>
> 10) Setting up the boot parameters. This is really the "critical" part
> as you need to tell the initramfs that a LUKS volume needs to be
> unlocked. Support for LUKS and LVM must be added to the initramfs.
>
> 10.1) If using genkernel, enable LUKS and LVM in "/etc/genkernel.conf":
>
> LVM="yes"
> LUKS="yes"
>
> Alternatively, one must remember to add "--lvm" and "--luks" when
> generating an initramfs.
>
> For GRUB you also need to add the relevant parameters. In
> "/etc/default/grub" add the following to "GRUB_CMDLINE_LINUX":
>
> crypt_root=UUID=<UUID of /dev/sda3> dolvm
>
> Note that the UUID is that of /dev/sda3, i.e. the LUKS formatted
> partition, *not* the unlocked one:
>
> # blkid /dev/sda3
>
> Regenerate the initramfs and GRUB config as usual (chroot will be
> needed).
>
> 10.2) If using Dracut things are a bit simpler. LUKS and LVM support
> is added in by default. So you only need to add the relevant boot
> parameters to "/etc/default/grub":
>
> rd.luks.uuid=luks-<UUID of /dev/sda3> rd.lvm.vg=hello_lvm
> rd.lvm.lv=hello_lvm/root
>
> Regenerate the initramfs and GRUB config as usual (chroot will be
> needed).
>
> And that's it! Encrypted /boot is not covered, as I've not dabbled
> in it so far. Whether that is merited and poses a risk is
> subjective. If compiling your own kernel, I'd suggest looking at the
> relevant kernel configuration sections in [1,3]. Otherwise,
> "gentoo-kernel-bin" with Dracut should work out of the box.
>
> If the system doesn't boot, it will most likely be due to boot
> parameters or the initramfs not having support for LUKS and LVM. Any
> error messages should hint at the cause.
>
> As always, please, please back up any data beforehand, sanity check
> commands at every step, and I would always recommend using a
> disposable VM to try on first. None of it is complicated, but it can be
> error-prone and risks data loss.
>
> Hope this helps and that I've not missed anything. I usually refrain
> from sharing "guides" on disk setup with working CLI examples to avoid
> people blindly following without sanity checking and messing up their
> data. But this is a Gentoo community, an exception can be made :)
>
>
> Refs:
> [1] https://wiki.gentoo.org/wiki/LVM
> [2] https://wiki.archlinux.org/title/LVM
> [3] https://wiki.gentoo.org/wiki/Dm-crypt
I'm somewhat familiar with LVM. I've got over a dozen drives using it. I'm
not saying I know all of LVM tho. Just the parts I use a lot, mostly
referring back to notes. If I did this, I'd likely do it on a spare drive
at first. I may even buy another m.2 or use an m.2 I already have laying
around here. That way I can easily go back if needed. I moved a copy of
this to my folder where I put other howtos and guides. Makes it easier to
find later.

Thanks much for the info and links. May help some other poor soul wanting
to do this too. Search engines are amazing at finding good info,
sometimes. ;-)

Dale

:-) :-)
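The recipe quoted above says the usual reason such a system fails to boot is a wrong boot parameter, and it stresses the sanity check that trips people up most: crypt_root (or rd.luks.uuid) must carry the UUID of the LUKS partition /dev/sda3, not of the unlocked mapper device or the filesystem inside the LV, while the fstab "/" entry must carry the LV's filesystem UUID. The script below is an added example written for this thread, not code from the thread or from genkernel, dracut or Gentoo. It checks constructed copies of /etc/default/grub and /etc/fstab against those two UUIDs before you run grub-mkconfig and reboot. All UUIDs and file contents in it are made up stand-ins for what `blkid /dev/sda3` and `blkid /dev/hello_lvm/root` would print on a real system; the parameter names (crypt_root, dolvm, rd.luks.uuid, rd.lvm.vg, rd.lvm.lv) are the ones the recipe gives.

```shell
#!/bin/sh
# Added sanity check for the LUKS + LVM boot parameters described in the thread.
# Not part of the thread or of any distro tooling. Every UUID and file body below
# is constructed; on a real system you would substitute the output of blkid and
# the contents of /etc/default/grub and /etc/fstab.

# Constructed stand-in for `blkid /dev/sda3` (the LUKS partition itself).
LUKS_PART_UUID="12345678-aaaa-bbbb-cccc-0123456789ab"
# Constructed stand-in for `blkid /dev/hello_lvm/root` (filesystem inside the LV).
LV_ROOT_FS_UUID="deadbeef-1111-2222-3333-444455556666"

# Constructed /etc/default/grub for the genkernel case, done right.
GRUB_GENKERNEL_OK='GRUB_DISTRIBUTOR="Gentoo"
GRUB_CMDLINE_LINUX="crypt_root=UUID=12345678-aaaa-bbbb-cccc-0123456789ab dolvm"'

# The mistake the recipe warns about: crypt_root points at the filesystem
# inside the LV instead of the LUKS partition, so the initramfs never unlocks it.
GRUB_GENKERNEL_WRONG='GRUB_CMDLINE_LINUX="crypt_root=UUID=deadbeef-1111-2222-3333-444455556666 dolvm"'

# Constructed /etc/default/grub for the dracut case.
GRUB_DRACUT_OK='GRUB_CMDLINE_LINUX="rd.luks.uuid=luks-12345678-aaaa-bbbb-cccc-0123456789ab rd.lvm.vg=hello_lvm rd.lvm.lv=hello_lvm/root"'

# Constructed /etc/fstab; the "/" line must use the LV filesystem UUID.
FSTAB_OK='UUID=deadbeef-1111-2222-3333-444455556666 / ext4 defaults 1 1
UUID=0badf00d-7777-8888-9999-aaaabbbbcccc /home ext4 defaults 0 2'

# Print the parameters of GRUB_CMDLINE_LINUX from a grub default file, one per line.
cmdline_params() {
    printf '%s\n' "$1" | sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' | tr ' ' '\n'
}

# Succeed only if the exact parameter $2 is present in the config $1.
has_param() {
    cmdline_params "$1" | grep -qxF -- "$2"
}

# genkernel initramfs: crypt_root must name the LUKS partition and dolvm must be set.
# $1 = grub default file contents, $2 = UUID of the LUKS partition.
check_genkernel_cmdline() {
    has_param "$1" "crypt_root=UUID=$2" \
        || { echo "crypt_root=UUID= missing or not the LUKS partition UUID" >&2; return 1; }
    has_param "$1" dolvm \
        || { echo "dolvm missing, LVM would not be activated in the initramfs" >&2; return 1; }
}

# dracut initramfs: rd.luks.uuid, rd.lvm.vg and rd.lvm.lv must all be present.
# $1 = grub default file contents, $2 = LUKS UUID, $3 = VG name, $4 = VG/LV for root.
check_dracut_cmdline() {
    has_param "$1" "rd.luks.uuid=luks-$2" \
        || { echo "rd.luks.uuid missing or not the LUKS partition UUID" >&2; return 1; }
    has_param "$1" "rd.lvm.vg=$3" || { echo "rd.lvm.vg=$3 missing" >&2; return 1; }
    has_param "$1" "rd.lvm.lv=$4" || { echo "rd.lvm.lv=$4 missing" >&2; return 1; }
}

# Print the UUID that an fstab body uses for the "/" mount point.
fstab_root_uuid() {
    printf '%s\n' "$1" | awk '$2 == "/" && $1 ~ /^UUID=/ { sub(/^UUID=/, "", $1); print $1 }'
}

# The fstab "/" entry must carry the LV filesystem UUID, not the LUKS one.
check_fstab_root() {
    [ "$(fstab_root_uuid "$1")" = "$2" ]
}

# Stand-alone run: report each check; the WRONG config is expected to fail.
report() { if "$@" 2>/dev/null; then echo "ok:   $1"; else echo "FAIL: $1"; fi; }
report check_genkernel_cmdline "$GRUB_GENKERNEL_OK" "$LUKS_PART_UUID"
report check_genkernel_cmdline "$GRUB_GENKERNEL_WRONG" "$LUKS_PART_UUID"
report check_dracut_cmdline "$GRUB_DRACUT_OK" "$LUKS_PART_UUID" hello_lvm hello_lvm/root
report check_fstab_root "$FSTAB_OK" "$LV_ROOT_FS_UUID"
```

To use it on a real install, replace the constructed strings with `LUKS_PART_UUID=$(blkid -s UUID -o value /dev/sda3)`, `LV_ROOT_FS_UUID=$(blkid -s UUID -o value /dev/hello_lvm/root)` and `$(cat /etc/default/grub)` / `$(cat /etc/fstab)` from inside the chroot; the checks only read, they never write to a device, so they are safe to run before the initramfs and GRUB config are regenerated.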