Article 5G1FC Uefi and full disk encryption with lvm on luks with luks keyfile

by lancsuk from LinuxQuestions.org on (#5G1FC)

Hiya guys,

Just for interest, I have installed Slackware current on a VM with full disk encryption with LVM on LUKS.

Code:
sda1: ef02 Bios 5MB
sda2: ef00 EFI 160M
sda3: 8309 LUKS 100%FREE

Code:
cryptsetup luksFormat --type luks1 /dev/sda3
cryptsetup luksOpen /dev/sda3 slackpv0

pvcreate /dev/mapper/slackpv0
vgcreate slack /dev/mapper/slackpv0
lvcreate -C y -L 4GB -n swap slack
lvcreate -C n -L 20GB -n root slack
lvcreate -C n -l 100%FREE -n home slack

Continue the installation with setup

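Code:
cd /mnt
chroot /mnt /bin/bash -l

Code:
# 4 blocks of 512 bytes = 2048-byte random keyfile
dd bs=512 count=4 if=/dev/random of=/root/slackpv.keyfile iflag=fullblock
chmod 000 /root/slackpv.keyfile
# enroll the keyfile as an additional key; the passphrase stays valid
cryptsetup -v luksAddKey /dev/sda3 /root/slackpv.keyfile

Code:
cd /boot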

rm initrd.gz

mkinitrd -c -k 5.10.27 -m ext4 -f ext4 -r /dev/slack/root -C /dev/sda3 -L -K /root/slackpv.keyfile -l gb

/etc/default/grub

Code:
GRUB_CMDLINE_LINUX="cryptdevice=UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxx:slackpv0 root=/dev/slack/root cryptkey=rootfs:/root/slackpv.keyfile resume=/dev/slack/swap"
GRUB_ENABLE_CRYPTODISK=y

Code:
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub --recheck
grub-mkconfig -o /boot/grub/grub.cfg

It actually works but I still have to enter the passphrase twice.

I guess mkinitrd -K works just with vfat as a filesystem?

I know it makes no sense to install LVM on LUKS without a passphrase on the root filesystem, but I just would like to know how it works.

Thanks