Gentoo with LUKS and LVM

My company has security policy that forces us to encrypt the hard drive of the computer and any other media. Well, not the whole hard drive, but 99% of it: the 1% is what is required for the PC to boot and ask for a password to decrypt the rest of the drive. The good news is that I'm allowed to use Linux. The bad news is that they have red hat enterprise linux and I like Gentoo. For a long time I've been using kubuntu. It is not bad, but it is too easy to use that it borks some time and I like the control Gentoo gives. Since I only installed Gentoo 2 times, one in 2003 and another in 2007 I decided to write all the steps for a bare minimum Gentoo installation. I have tested these steps on a Virtual Machine using KVM. Next step is to make it on the real laptop. It should take something like 35 minutes to do this on a Core 2 Duo at 2.2ghz.

Notice: This works for me. Use it at your own risk and remember that these commands wipe your hard drive so, if you want something special read the commands and adapt.

The list of steps is optimized. For more information you should read the gentoo handbook.

Partition the hard Drive

I used a simple partition scheme: 200mb for the boot (the 1% that is not encyrpted) and the rest for the crypted part. The crypted part is 512mb for the swap and the rest for the root file system. Everything is using ext4.

Using fdisk delete all the partitions on the harddrive and create two partitions: one with 200Mb (+200M in fdisk) and another with the rest.

Crypt and Open the Crypted Parition

Execute the following command:
cryptsetup -y --cipher serpent-cbc-essiv:sha256 --key-size 256 luksFormat /dev/sda2
I'm using serpent because it has no patent issues and it is one of the fastest according to a benchmark I saw on the web.

You will have to answer YES (in upper case) and then enter and verify the pass-phrase.
If for some reason you loose this pass-phrase then you loose your data. You have backups don't you? If not, good luck trying to crack it :-)

After creating the crypted mapping you need to open it with the command:
cryptsetup luksOpen /dev/sda2 sda2_crypt
LVM Setup

This is quite easy: just do the following (I'm calling internalhd to the volume, but you can choose another name).
   pvcreate /dev/mapper/sda2_crypt
   vgcreate internalhd /dev/mapper/sda2_crypt
   lvcreate -L512m -nswap internalhd
   lvcreate -L7G -nroot internalhd
Next step is to create the swap and all the file systems. I chose ext4 and created all file systems and swap with labels. This allows me to use the label in the fstab later.
   mkswap -L SWAP /dev/mapper/internalhd-swap
   swapon /dev/mapper/internalhd-swap
   mkfs.ext4 -j /dev/mapper/internalhd-root -L ROOT
   mount /dev/mapper/internalhd-root /mnt/gentoo
   mkfs.ext4 -j /dev/sda1 -L BOOT
   mount /dev/sda1 /mnt/gentoo/boot
Gentoo Install

If you need to setup a proxy now is the time ("export http_proxy=..."). Just remember that you need to configure it also in links.

Use links and download the stage3 tarball and portage snapshot. You can do "links http://www.gentoo.org/main/en/mirrors.xml", choose a mirror and navigate.

Next you extract all the things:
    cd /mnt/gentoo
    tar xvjpf stage3-*.tar.bz2
    tar xvjf /mnt/gentoo/portage-latest.tar.bz2 -C /mnt/gentoo/usr
Now its time to configure the portage. I opted to do it the easy way. Editing /mnt/gentoo/etc/make.conf and changing CLFAGS to "-O2 -march=native -pipe" and making CXXFLAGS="${CFLAGS}". I also aded MAKEOPTS="-j" and FEATURES="fixpackages sandbox". Later on I added the test features, but for now it is off to avoid a bug in the glib ebuild file. I need to check it and report it back to gentoo.

Next you need to select a mirror for packages and for rsync. Jut do:
    mirrorselect -i -o >> /mnt/gentoo/etc/make.conf
    mirrorselect -i -r -o >> /mnt/gentoo/etc/make.conf
Final preparations and entering the gentoo installation using chroot:
    cp -L /etc/resolv.conf /mnt/gentoo/etc/
    mount -t proc none /mnt/gentoo/proc
    mount -o bind /dev /mnt/gentoo/dev
    chroot /mnt/gentoo /bin/bash
    env-update
    source /etc/profile
    export PS1="(chroot) $PS1"
    cp /usr/share/zoneinfo/GMT /etc/localtime
The last command will change the shell prompt so we remember were we are doing things. Next you can select your profile. I choose the desktop profile:
    eselect profile list
    eselect profile set 2
You should also choose your locale by editing "/etc/locale.gen". I use 2 locales: en_GB and pt_PT. I do a little trick by doing the following:
    grep en_GB /usr/share/i18n/SUPPORTED >> /etc/locale.gen
    grep pt_PT /usr/share/i18n/SUPPORTED >> /etc/locale.gen


Then you should run "locale-gen" to generate the i18n information for the chosen locales.

Configuring the kernel

I'm going to use genkernel because it has support for lvm, luks and so forth. But it has a bug: although it builds lvm internally to use in its initrd image it does not do so for luks. The solution is to emerge cryptsetup before. Well, since I'm emerge the kernel I simply emerge all the packages that I'm going to need later on with the command:
    emerge -av gentoo-sources genkernel syslog-ng logroate dhcpcd lvm2 cryptsetup grub
I then add the log daemon to the default run level with:
    rc-update add syslog-ng default
You need to tune the "/etc/genkernel.conf" file. Here are the options you should change (the LUKS option must be added since it doesn't exist):
    CLEAN="no"
    MAKEOPTS="-j2"
    LVM="yes"
    LUKS="yes"
    BUSYBOX="yes"
    MENUCONFIG="yes"
    DISKLABEL="yes"
I chose no cleaning because I don't want it to clean on each attempt. Then you can issue "genkernel all" and make sure you have the following kernel options (of course you should have the kernel options tuned for your computer):
    Device Drivers  --->
      Multi-device support (RAID and LVM)  --->
       [*] Multiple devices driver support (RAID and LVM)
       < >   RAID support
       <*>   Device mapper support
         <*> Crypt target support
    File systems
      <*> The extended 4 (ext3) file system

    Cryptographic API
      <*> SHA224 and SHA256 digest algorithm
      <*> AES cipher algorithms (i586)
      <*> Serpent cipher algorithm
The cryptographic APIs can't be modules. It seems genkernel only includes storage modules in the initrd... I simply tried it and it didn't work and since the disk is always encrypted why have it as modules?

Configuring the System

First you need to change "/etc/fstab". You labels as follows:
    LABEL=BOOT   /boot  ext4  ...
    LABEL=ROOT   /      ext4  ...
    LABEL=SWAP   none   swap  ...
Set your hostname by editing "etc/hostname"

Change the root password by running "passwd". You can add a user for yourself now or after you boot.

Don't forget to set your keymap in "/etc/conf.d/keymaps" and to set your clock settings in "/etc/conf.d/clock".

Grub Configuration

Edit grubs configuration file "/boot/grub/grub.conf". Add something like the following (might need to be adapted if the kernel version is different):
    title Gentoo Linux 2.6.31-r6
    root (hd0,0)
    kernel /boot/kernel-genkernel-x86-2.6.31-gentoo-r6 root=/dev/ram0 crypt_root=/dev/sda2 real_root=/dev/mapper/internalhd-root dolvm quiet
    initrd /boot/initramfs-genkernel-x86-2.6.31-gentoo-r6
To install grub I do the following (a short cut from the gentoo handbook):
    grep -v rootfs /proc/mounts > /etc/mtab
    grub-install --no-floppy /dev/sda
Reboot into it

Now that everything is ready you can reboot into the system. Do the following:
    exit
    cd
    umount /mnt/gentoo/boot
    umount /mnt/gentoo/dev
    umount /mnt/gentoo/proc
    umount /mnt/gentoo
    reboot
Next steps

Since the disk is encrypted and if you forget something in your kernel you won't be able to boot. What I did was to create a backup kernel like this:
    cp /boot/kernel-genkernel-x86-2.6.31-gentoo-r6 /boot/kernel-backup
    cp /boot/initramfs-genkernel-x86-2.6.31-gentoo-r6 /boot/initramfs-backup
And added its entry to grub:
    title Gentoo Backup Kernel
    root (hd0,0)
    kernel /boot/kernel-backup root=/dev/ram0 crypt_root=/dev/sda2 real_root=/dev/mapper/internalhd-root quiet
    initrd /boot/initramfs-backup
Even more steps

I advise you to emerge some utilities for network and portage as follows:
    emerge -av mirrorselect openresolv eix portage-utils gentoolkit
"eix" indexes portage and it is really fast. You should create the index and then do your first sync but using "eix" so it updates the index in the end.
    eix-update
    eix-sync
Finally some tuning of "/etc/conf.drc" (to get a faster startup and, since this is a laptop, ensure it isn't waiting for eth0 to be available before starting other services):
    RC_PARALLEL_STARTUP="yes"
    RC_NET_STRICT_CHECKING="lo"
Next you should check if your system is really secure:
    glsa-check -f all
And then you can have fun emerging packages, but since you synced recently and probably changed profile you should do something like:
    emerge -uDNav world
Have fun!!!

Comments

  1. Anonymous07:56

    Are you sure it's a good idea to put the SWAP partition inside the LVM ??
    It seems to work that way but Gentoo is almost not using it at all.

    ReplyDelete
  2. Nuno Sousa08:22

    The idea of getting the SWAP inside LVM is have it encrypted too. You don't want any password that was swapped out to be available to anyone who steals your laptop.

    As for gentoo using it: it will use it when it is needed, but since gentoo can be really optimized you end up not using it many most of the time. I've used it when rebuilding things like libreoffice.

    ReplyDelete

Post a Comment

Popular posts from this blog

Back to C: CMake and CUnit

I'm back at programming in C. I proposed something 8 months ago at work that was totally ignore. Now my boss wants me to do it because the other alternatives have totally failed. The idea is to implement an ODBC Driver. If I have the time I'll put a tutorial here on how to do that on Linux. But back to the point of this entry. This small guide will help you create a simple project using CMake to build it and cunit to test it. Yes, I believe in test driven development, no matter the language. Let's imagine a simple project that produces an executable that prints the result of 2 + 3 (I know, lame but sufficient for this example). To make it easier to test I split the application. The functions will go into a library and there will be a source file that starts the program. The library header file is called "lib.h" (extra points for originality). Here are its contents: int add(int a, int b) ; The implementation is on the lib.c file as follows: int add(int a, int b)
Read more

OpenClock and Gentoo

Image
OpenClonk is an open source game that has been in development for some time. Its fun and free. I downloaded a binary some time ago and started using it, but the latest release just doesn't work on my Gentoo machine in binary form. After some digging I didn't found an ebuild for this release, just for the live version. So I wrote my own and added to Gentoo's bug database . I learned a few things along the way but didn't get it as clean as I wanted. If someone knows how to convince cmake to install to a different directory than the prefix used it would be great. I ended up doing a patch for the generated cmake_install.cmake . If anyone knows how to avoid that patch I would appreciate the help. Here is a preview of the game:
Read more