linux: February 2009 Archives

Previously I described how to partition your drive using LVM2 and dm-crypt. This time, I'm going to go over how to boot this system.

First off, you're going to want to have your livecd handy, because it's likely something won't quite be right the first time around. Also, you'll want to make sure your kernel is built with support for initramfs. This requires the BLK_DEV_INITRD configuration option, named "Initial RAM filesystem and RAM disk (initramfs/initrd) support" in the "General setup" menu. You'll then need to specify the location of a source file for the initramfs.

Probably the easiest thing to do is to grab my current initramfs package and tweak it to suit your needs. At the least, you'll need to change some paths in the config.txt and init files, but it should serve as a good starting point. When you're done, put the path to the config.txt file in the "Initramfs source file(s)" (CONFIG_INITRAMFS_SOURCE) setting in the kernel.

Now, rebuild and reinstall your kernel, reboot, and pray.
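For orientation, here is what an init for this layout has to do, written as an added example; it is not the init from the package mentioned above. It assumes busybox, cryptsetup and lvm are inside the initramfs, that the kernel has devtmpfs, and that the mount point /newroot and the optional root= override are choices made here.

```shell
#!/bin/sh
# Added example: /init for the initramfs. Unlock LUKS, activate LVM, switch root.
# Assumptions: busybox, cryptsetup and lvm are in the initramfs; the kernel has
# devtmpfs; /proc, /sys, /dev and /newroot exist as empty directories.
LUKS_DEV=/dev/sda2
LUKS_NAME=sda2_crypt
DEFAULT_ROOT=/dev/mapper/Exherbo-root

# cmdline_arg KEY "CMDLINE": print the value of the last KEY=value token, if any.
cmdline_arg() (
    set -f  # no globbing while the command line is word-split
    value=
    for tok in $2; do
        case $tok in "$1"=*) value=${tok#"$1"=} ;; esac
    done
    printf '%s\n' "$value"
)

# root_device "CMDLINE": root= from the command line, else DEFAULT_ROOT.
root_device() {
    r=$(cmdline_arg root "$1")
    printf '%s\n' "${r:-$DEFAULT_ROOT}"
}

rescue() {
    echo "initramfs: $1, dropping to a shell" >&2
    exec /bin/sh
}

boot() {
    mount -t proc none /proc
    mount -t sysfs none /sys
    mount -t devtmpfs none /dev
    # cryptsetup prompts for the passphrase on the console; allow three tries.
    tries=0
    until cryptsetup luksOpen "$LUKS_DEV" "$LUKS_NAME"; do
        tries=$((tries + 1))
        [ "$tries" -ge 3 ] && rescue "could not unlock $LUKS_DEV"
    done
    lvm vgscan --mknodes
    lvm vgchange -a y || rescue "no volume group activated"
    root=$(root_device "$(cat /proc/cmdline)")
    mount -o ro "$root" /newroot || rescue "cannot mount $root"
    umount /sys; umount /proc
    exec switch_root /newroot /sbin/init
}

# Only run the boot sequence when the kernel started this script as /init.
if [ "$$" -eq 1 ] && [ "$0" = /init ]; then boot; fi
```

The rescue shell is what makes the livecd less necessary: a wrong path leaves you at a prompt inside the initramfs instead of a kernel panic.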

I hope this will help people improve their laptop's security. Feel free to post any questions you have in the comments. Good luck!

Last time I kinda cheated and gave pretty much a redux of an earlier post. This one will hopefully have some more substance to it.

The partitioning scheme I'm currently using is like this:

/dev/sda1 - /boot (ext2)
/dev/sda2 - LUKS encrypted lvm2 physical volume

The /boot partition is created like any normal ext2 partition.

The sda2 partition is created like so:

cryptsetup luksFormat /dev/sda2

This usually is sufficient to provide decent encryption, but it is worth checking the documentation for cryptsetup to look for further options -- in particular, the option to use a keyfile.

Once we've formatted this partition, we'll need to open it, so that we can then add our LVM PV to it:

cryptsetup luksOpen /dev/sda2 sda2_crypt

We'll now have a new device available as /dev/mapper/sda2_crypt. This can be treated just like any other block device -- we could just format it as a regular ext3 partition, but then we can't really ever resize it. So, we're going to make an LVM2 partition:

pvcreate /dev/mapper/sda2_crypt

Now, we create a volume group. I chose 'Exherbo' as the name, but you can really just use whatever (often people just use 'vg').

vgcreate Exherbo /dev/mapper/sda2_crypt

Now, we just need to make our partitions:

lvcreate -L 1G -n swap Exherbo
lvcreate -l 100%FREE -n root Exherbo
vgchange -a y

This creates a 1G swap partition, and uses the rest of the space for our root (/) partition. Again, see the documentation for lvm2 for more options.

Finally, we need to format those partitions:

mkswap /dev/mapper/Exherbo-swap
mke2fs -t ext3 /dev/mapper/Exherbo-root

Next time, I'll go over how to boot this system.