I struggled for days following outdated and incorrect gentoo wiki: https://wiki.gentoo.org/wiki/DM-Crypt_LUKS
Finally I figured out how to do that so I will share it here for future reference. This guide however may not work on future gentoo versions.
Note that primary difference between suggestions on Gentoo wiki is that disk is encrypted with -d – option which is necessary for it to work with dracut and genkernel generated initramfs which always use that option to open it.
Setup:
In this guide I have 1 physical disk with 2 partitions:
/dev/sda1 for /boot
/dev/sda2 for LVM with 2 LV’s
* root – /
* swap
Step 1:
Create an image of whole current filesystem for backup purpose
Step 2:
Before you reboot, prepare your initramfs so that it’s ready to work with luks, I am using dracut, there is high chance you won’t boot after encrypting so prepare it for debugging as well:
dracut -a crypt --install "bash vim"
Step 3:
Create an image of your root fs (boot from livecd)
dd if=<device> of=original_fs.iso
Store it on external disk.
Step 4:
Create a keyfile you will need to decrypt the filesystem, you can store this file on /boot partition, it will be encrypted with password:
openssl rand -base64 48 | gpg --symmetric --cipher-algo aes --armor > key.gpg
Step 5:
Encrypt sda2, this will wipe all data on it:
gpg -qd /boot/key.gpg | cryptsetup luksFormat -d - /dev/sda2
Step 6:
Mount the device and setup LV disks
|
1 2 3 4 5 |
gpg -qd /boot/key.gpg | cryptsetup luksOpen -d - /dev/sda2 encrypted pvcreate /dev/mapper/encrypted vgcreate vg /dev/mapper/encrypted lvcreate vg -n root -L <size> lvcreate vg -n swap -L <size> |
Restore the fs:
dd if=original_fs.iso of=/dev/mapper/vg-root
Step 7:
Mount fs
mount /dev/vg/root /mnt
Now update /etc/fstab to contain proper stuff
Step 8:
Update /etc/default/grub and add kernel parameters:
rd.luks.uuid=<UUID of /dev/sda2> rd.luks.key=key.gpg:/dev/sda1:/dev/sda2
Now reboot and pray. It may fail, if you wait about 5 minutes, dracut might fall into recovery console which you can use to investigate what is wrong, try to mount the device by hand.
1 Comment
Hi Peter,
I am a PhD student in Hong Kong. We used to build a 7-machine private cloud to provide cloud-based simulation service to our lab mates. However, our NAS crashed recently, and we lost the XVP Appliance webpage platform to host the management interface for lab mates. I found that the XVP Appliance project website (www.xvpsource.org) has been shut down. Therefore, unfortunately we cannot find the downloading link of the XVP Appliance VM image. I saw that you recently asked a question in the Github page of XVP Appliance. Therefore, I would be appreciated if you could share the XVPAppliance VM image with me if you still have it? Thanks a lot!!!
Yuxuan