
encrypted root file system on LVM

March 18th, 2009 by

openSUSE 11.1 doesn’t officially support an encrypted root file
system, which also means YaST doesn’t allow you to create such a setup.

By manually creating an encrypted partition and putting LVM into the
encrypted container it is however possible to trick YaST into
accepting that as the root file system.

In the following example I assume that the system has one hard disk,
/dev/sda. We use a /boot (100MB), swap (500MB), / (4GB) and /usr
(remaining space) partition. For your own setup you have to adapt
the device names and sizes of course.

Start the installation by e.g. booting the openSUSE 11.1
installation DVD. After you’ve selected your language and keyboard
layout, switch to a text console (ctrl-alt-f2).

Use e.g. fdisk to create two partitions:

  • /dev/sda1, 100MB for /boot
  • /dev/sda2, remaining space

Now create and open a LUKS volume on /dev/sda2:
cryptsetup luksFormat /dev/sda2
cryptsetup luksOpen /dev/sda2 root

After that create the logical volumes inside the encrypted
container:

pvcreate /dev/mapper/root
vgcreate system /dev/mapper/root
lvcreate -L 500M -n swap system
lvcreate -L 4G -n root system
lvcreate -l 100%FREE -n usr system

Continue the installation, go to the expert partitioner and format

  • /dev/sda1 for /boot
  • /dev/mapper/system-swap for swap
  • /dev/mapper/system-root for /
  • /dev/mapper/system-usr for /usr

You may need to order YaST to re-read the hard disk layout in order
for it to display the volume groups.

When the initial installation is nearly finished and counts down
until reboot, stop the timer. We need some hacks to tell the initrd
that it needs LUKS. So go to a text console again, mount
the new system and chroot into it:

mount /dev/mapper/system-root /mnt
mount /dev/mapper/system-usr /mnt/usr
mount /dev/sda1 /mnt/boot
for i in dev sys proc; do mount --bind /$i /mnt/$i; done
chroot /mnt

Create /etc/sysconfig/initrd with the following two lines:
root_luks=1
luks=root

In /boot/grub/menu.lst, append the following to the kernel command line:
luks_root=/dev/sda2

Now run mkinitrd:
mkinitrd

It should print ‘luks’ and ‘lvm2’ in the features line.

Update: kernel updates will revert the changes to menu.lst. To
prevent that, edit /etc/sysconfig/bootloader. Search for the _APPEND
variables (DEFAULT_APPEND, FAILSAFE_APPEND) and add
luks_root=/dev/sda2 there as well. Thanks Earl Ruby for that
hint!
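The two maintenance chores above (keeping luks_root in the _APPEND variables so a regenerated menu.lst carries it, and checking menu.lst before rebooting) as a small POSIX sh script. This is an added example, not code from the original post or from openSUSE; file paths are passed as arguments and the sample file contents in sample_dir are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: keep luks_root= in the *_APPEND
# variables of /etc/sysconfig/bootloader (so a kernel update regenerates
# menu.lst with it) and check a menu.lst before rebooting. Paths are arguments.

# add_append_param FILE PARAM: add PARAM as a whole token to every *_APPEND="..."
# line that lacks it (other lines pass through). Returns 0 if FILE was changed.
add_append_param() {
    file=$1 param=$2 tmp="$1.tmp.$$" changed=1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            DEFAULT_APPEND=\"*\"|FAILSAFE_APPEND=\"*\")
                name=${line%%=*}; inner=${line#*=\"}; inner=${inner%\"}
                case " $inner " in
                    *" $param "*) ;;                        # already present
                    *) line="$name=\"${inner:+$inner }$param\""; changed=0 ;;
                esac ;;
        esac
        printf '%s\n' "$line"
    done < "$file" > "$tmp" && mv "$tmp" "$file"
    return $changed
}

# menu_lst_has_param FILE PARAM: 0 if every "kernel ..." entry carries PARAM,
# 1 if at least one entry would still boot without it.
menu_lst_has_param() {
    file=$1 param=$2 missing=0
    while IFS= read -r line || [ -n "$line" ]; do
        set -f; set -- $line; set +f          # $1 = first word, indentation ignored
        [ "${1:-}" = kernel ] || continue
        case " $line " in *" $param "*) ;; *) missing=1 ;; esac
    done < "$file"
    return $missing
}

# sample_dir: constructed copies of both files in a temp dir (prints its path),
# so the functions can be exercised without touching the real system.
sample_dir() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'DEFAULT_APPEND="resume=/dev/mapper/system-swap splash=silent quiet showopts"' \
        'FAILSAFE_APPEND="showopts apm=off noresume nosmp maxcpus=0 edd=off x11failsafe"' \
        'CYCLE_DETECTION="no"' > "$d/bootloader"
    printf '%s\n' 'title openSUSE 11.1' '    root (hd0,0)' \
        '    kernel /vmlinuz root=/dev/mapper/system-root resume=/dev/mapper/system-swap' \
        '    initrd /initrd' > "$d/menu.lst"
    echo "$d"
}
d=$(sample_dir)
add_append_param "$d/bootloader" luks_root=/dev/sda2 && echo "bootloader: luks_root added"
menu_lst_has_param "$d/menu.lst" luks_root=/dev/sda2 || echo "menu.lst: luks_root missing, re-add it and run mkinitrd"
```

On a real system you would call add_append_param on /etc/sysconfig/bootloader and menu_lst_has_param on /boot/grub/menu.lst; the token check means luks_root=/dev/sda22 does not count as luks_root=/dev/sda2 already being present.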

Log out of the chroot and continue the reboot. If YaST does not
really reboot but uses kexec to directly start the kernel, things
won’t work the first time. Just press ctrl-alt-del to perform a real
reboot while it unsuccessfully tries to find the root partition.

If after a real reboot the initrd still drops you to a shell after a
long timeout instead of prompting for the password, use the following
commands to unlock the encrypted partition:

cryptsetup luksOpen /dev/sda2 root
vgchange -a y system

Then press ctrl-d to continue booting.

Good luck and please don’t blame me for any breakage. I haven’t tried to use this in production yet either.


14 Responses to “encrypted root file system on LVM”

  1. CzP

    And will this be added to 11.2 installer?

  2. j.engelh

    When you only ever use a single password, the normal dm-crypt is much faster than LUKS during setup of the crypt mapping.
    And if it were not for yast, the LVM indirection could also be saved.

    • Ludwig Nussel

      Well, maybe. Chances to have the setup supported (e.g. for distribution upgrade) are much higher when using formats that are already supported and can easily be detected though.

  3. Andreas Stieger

    Works before leaving language/keyboard layout screen when you “modprobe dm-crypt” and “modprobe aes”. Doing it a screen later locked the disk device for some reason.

  4. Ludwig Nussel

    Additional note for those trying it: Beware of kernel updates. The luks_root option seems to get lost so check your menu.lst before rebooting:
    https://bugzilla.novell.com/show_bug.cgi?id=490045

    • mapia

      Since the latest kernel update my system is not booting anymore, even after restoring menu.lst. Is it possible that the order of loading necessary files changed?

      • Ludwig Nussel

        You can’t use the old menu.lst as the file name of the kernel has changed. You just need to add the luks_root=/dev/sda2 parameter in the new file again.

        • mapia

          Sorry, I think I expressed myself a bit imprecisely here. I did not use the initial menu.lst; instead I edited the newly created menu.lst file with the reference to the new kernel and added luks_root=/dev/sda3 (in my case) and luks=root. Still, after the reboot I’m no longer prompted for the luks password.

        • You need to re-add it to menu.lst and re-run mkinitrd. If you updated your kernel and then rebooting failed, boot off the SUSE Live CD disk, fire up Gnome Terminal, and:

          cryptsetup luksOpen /dev/sda2 root

          Enter decrypt password. Then:

          mount /dev/mapper/system-root /mnt
          mount /dev/mapper/system-usr /mnt/usr
          mount /dev/sda1 /mnt/boot
          for i in dev sys proc; do mount --bind /$i /mnt/$i; done
          chroot /mnt

          Add “luks_root=/dev/sda2” to /boot/grub/menu.lst, then re-run mkinitrd.

          To keep kernel updates from messing up your system again, add the string “luks_root=/dev/sda2” to the end of the DEFAULT_APPEND and FAILSAFE_APPEND lines in /etc/sysconfig/bootloader.

      • mapia

        I can confirm that this is the only necessary change. My problem arose because I added an additional grub item and I forgot to specify the initrd. Beginner error, sorry.

  5. mapia

    Hi,

    can you explain a bit more in detail why
    Create /etc/sysconfig/initrd with the following two lines:
    root_luks=1
    luks=root

    is necessary and what it is doing. Is it just necessary for the making of the new initrd or also during the startup?

    • Ludwig Nussel

      It’s a hack to trick mkinitrd into using luks (root_luks=1) for the device in the variable ‘luks_root’ (due to luks=root). See /lib/mkinitrd/scripts/setup-luks.sh

  6. One step you need to add: People need to modify the /etc/sysconfig/bootloader configuration file and add the string “luks_root=/dev/sda2” to the end of both the DEFAULT_APPEND and FAILSAFE_APPEND lines, otherwise the next time the system updates the kernel it will not include this setting in the /boot/grub/menu.lst file and the system will fail to boot.