Encryption protects your valuable data from anyone who wants to get access to it without permission. LUKS is a low-overhead, lightweight disk encryption for the Linux platform. This article covers how to install Void Linux inside a LUKS-encrypted drive. Don’t worry, this does not use volume groups and such, so it is easy for beginners.
Create a boot partition, preferably 1GB or at least 512MB. (Void Linux does not delete the old kernel files from /boot when a new kernel is installed, so with a smaller partition we’ll have to clean up old kernel files more often.) We need a separate boot partition because an encrypted boot partition cannot be read by GRUB. Note: Librebooted machines have the ability to use encrypted boot partitions. This article just does not cover that.
In this article we will use a simple structure for our LUKS setup without a volume group. Also, this article does not need the void-installer to be run, so the setup is similar to an Arch Linux install.
If you want to use the void-installer for some of the intricate parts of the installation, you can follow this guide. It is useful for DE based installations (e.g. if you are using XFCE iso, you won’t have to install everything like, xorg, xfce, xfce apps manually).
Creating LUKS drive and mounting
sudo -s
modprobe dm-crypt
modprobe dm-mod
cryptsetup luksFormat -v -s 512 -h sha512 /dev/sdx3
cryptsetup open /dev/sdx3 void_root
mkfs.ext4 -L root /dev/mapper/void_root
mount /dev/mapper/void_root /mnt
Mounting boot
mkdir -p /mnt/boot
mount /dev/sdx1 /mnt/boot
* assuming /dev/sdx1 is your boot drive
Chrooting into the drive
for dir in dev proc sys; do
    mkdir -p /mnt/$dir
    mount --rbind /$dir /mnt/$dir
done
or
mount --rbind /dev /mnt/dev
mount --rbind /proc /mnt/proc
mount --rbind /sys /mnt/sys
Now run this to install a minimal system:
xbps-install -Sy -R https://alpha.de.repo.voidlinux.org/current -r /mnt base-system lvm2 cryptsetup grub os-prober nano
You can change it to the mirror that is closest to you. e.g.
xbps-install -Sy -R https://void.webconverger.org/current -r /mnt base-system lvm2 cryptsetup grub os-prober nano
Consult the Download page for mirrors. I had to try twice because this mirror was not responding.
This will download and install all of the required packages. Overview of flags:
-S — used to force xbps to update from the repository rather than relying on local package cache
-y — automatically answer “yes” to all questions
-R — specify a particular repository url
-r — specify a non-standard root directory (we need to use this to tell xbps to install packages in /mnt. Without this option we’d install all the packages to our live system, which isn’t what we want.)
Now chroot into the new system
chroot /mnt /bin/bash
Now you can access the new Linux installation and continue with the setup.
Initial Setup
Set the root password:
passwd root
Set ownership and permissions for the root directory:
chown root:root /
chmod 755 /
Set the machine’s hostname using
echo <your-hostname> > /etc/hostname
Now edit your /etc/fstab:
xbps-install -Sy nano
nano /etc/fstab
A typical fstab would look like:
# <file system> <dir> <type> <options> <dump> <pass>
tmpfs /tmp tmpfs defaults,nosuid,nodev 0 0
UUID=b82bbadd-f33a-45b1-ba84-e665183dc707 / ext4 defaults 0 0
UUID=e803d7a5-999e-46e0-af02-3d8938df4106 /boot ext2 defaults 0 0
UUID=t233d7b8-945e-4g40-2w02-j7j938df4798 none swap defaults 0 0
Or with dev id (not recommended):
# <file system> <dir> <type> <options> <dump> <pass>
tmpfs /tmp tmpfs defaults,nosuid,nodev 0 0
/dev/mapper/root / ext4 defaults 0 0
/dev/sda1 /boot ext2 defaults 0 0
/dev/sda2 none swap defaults 0 0
grub-install /dev/sda
echo "LANG=en_US.UTF-8" > /etc/locale.conf
echo "en_US.UTF-8 UTF-8" >> /etc/default/libc-locales
xbps-reconfigure -f glibc-locales
Run nano /etc/default/grub then find the GRUB_CMDLINE_LINUX line and add this to the value:
To set it with the UUID, run sudo blkid or sudo cryptsetup luksDump /dev/sdx3, then use the UUID of the /dev/mapper/luks_root like this:
GRUB_CMDLINE_LINUX="rd.luks.uuid=529ab394-4abc-4a1u-9cd9-1864a1b7j6k9"
Add this also:
GRUB_ENABLE_CRYPTODISK=y
Look for rd.auto=1 in either GRUB_CMDLINE_LINUX or GRUB_CMDLINE_LINUX_DEFAULT and probably remove it, because it asks for the passwords of all LUKS encrypted drives even if you do not need all of them to boot. This is described as a shortcut on the original wiki, but it is annoying in practice.
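The GRUB edits described above (add rd.luks.uuid, drop rd.auto=1) done non-interactively and idempotently, as an added example that is not part of the original article. The function names are hypothetical, and the example assumes the UUID passed in is the one `cryptsetup luksUUID /dev/sdx3` prints for the LUKS container, which is the value rd.luks.uuid is matched against.

```shell
# Added example, not from the article. Function names are hypothetical.

# True when $1 has the 8-4-4-4-12 hex form that `cryptsetup luksUUID` prints.
is_uuid() {
    printf '%s\n' "$1" |
        grep -Eqx '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'
}

# set_luks_cmdline FILE UUID
# Rewrites the double-quoted GRUB_CMDLINE_LINUX* lines in FILE: drops rd.auto=1
# from both, and leaves exactly one rd.luks.uuid=UUID in GRUB_CMDLINE_LINUX
# (the line is appended if FILE has none). Other parameters are kept.
set_luks_cmdline() {
    file=$1 uuid=$2
    is_uuid "$uuid" || { echo "not a UUID: $uuid" >&2; return 1; }
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    tmp=$(mktemp) || return 1
    awk -v uuid="$uuid" '
    /^GRUB_CMDLINE_LINUX(_DEFAULT)?="/ {
        key = $0; sub(/=.*/, "", key)
        val = $0; sub(/^[^"]*"/, "", val); sub(/"[^"]*$/, "", val)
        n = split(val, tok, " "); out = ""
        for (i = 1; i <= n; i++) {
            if (tok[i] == "rd.auto=1" || tok[i] == ("rd.luks.uuid=" uuid)) continue
            out = out (out == "" ? "" : " ") tok[i]
        }
        if (key == "GRUB_CMDLINE_LINUX") {
            out = out (out == "" ? "" : " ") "rd.luks.uuid=" uuid
            seen = 1
        }
        print key "=\"" out "\""
        next
    }
    { print }
    END { if (!seen) print "GRUB_CMDLINE_LINUX=\"rd.luks.uuid=" uuid "\"" }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# cmdline_has_luks_uuid FILE UUID: pre-reboot check that the entry is present.
cmdline_has_luks_uuid() {
    grep -Eq "^GRUB_CMDLINE_LINUX=\"(.* )?rd\.luks\.uuid=$2[ \"]" "$1"
}

# Typical use inside the chroot (device name as used in the article):
#   set_luks_cmdline /etc/default/grub "$(cryptsetup luksUUID /dev/sdx3)"
```

A value that is not valid hex is rejected before the file is touched, which catches a mistyped or partially copied UUID before it ends up on the kernel command line.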
Now run this to create the Linux image and update the GRUB config:
xbps-reconfigure -f linux4.19
* to see installed Linux kernels:
xbps-query --regex -Rs '^linux[0-9.]+-[0-9._]+'
If you want to run everything manually:
sudo dracut --force
# or...
sudo dracut -a crypt --force
sudo grub-mkconfig -o /boot/grub/grub.cfg
Finishing things up
Install dhcpcd or NetworkManager so that you can connect to the internet. I personally like NetworkManager because it makes wifi easier to use. We also need to enable dbus because without it nmcli returns a "could not create nmclient object" error. So:
sudo xbps-install NetworkManager
sudo ln -s /etc/sv/dbus/ /var/service/
sudo ln -s /etc/sv/NetworkManager/ /var/service/
* the trailing / is there so that we don’t have to write the service name twice
With this, you can use the nmcli commands as normal.
Then exit and umount -R /mnt. Now reboot and boot into your new LUKS encrypted Void Linux!
Troubleshooting
If you can’t boot into your new Linux install, it is possible that your UUID is wrong or that something else is misconfigured. If this is a problem you face, check out this page.
Resources:
https://wiki.voidlinux.org/Install_LVM_LUKS
https://docs.voidlinux.org/print.html
https://docs.voidlinux.org/config/kernel.html
https://wiki.gentoo.org/wiki/Dracut#LVM_on_LUKS
http://people.redhat.com/harald/dracut.html
https://bugzilla.redhat.com/show_bug.cgi?id=598602#c4