Setting up LUKS + LVM on a UEFI laptop
Update 2023/10/22
Slackware 15, on a laptop
If you have two drives, one with Windows 11 (as I do), remove the Windows drive for now: its EFI partition tends to take priority if the new one is not formatted right away. It's just easier.
cgdisk /dev/nvme0n1
set up partitions:
100M, code EF00, name it EFI (so it's /dev/nvme0n1p1 in my case)
500M, default code, name it boot (yes, 100M is not enough when redoing the initrd) (that's /dev/nvme0n1p2)
the rest: one big partition (aaand /dev/nvme0n1p3)
Why do I use the name cryptlaptop instead of cryptvg? I have multiple drives, so I use unique names in case I need to pop a drive between devices; otherwise LVM throws a warning/error when two volume groups carry the same name.
cryptsetup -y luksFormat /dev/nvme0n1p3
cryptsetup luksOpen /dev/nvme0n1p3 lukspartition
pvcreate /dev/mapper/lukspartition
vgcreate cryptlaptop /dev/mapper/lukspartition
lvcreate -L 450G -n root cryptlaptop
lvcreate -L 26G -n swap cryptlaptop
mkswap /dev/cryptlaptop/swap
now do a setup
setup
add /dev/cryptlaptop/root as the root partition; when asked for more partitions add the other one:
/dev/nvme0n1p2 /boot
and when the EFI step comes, agree to format /dev/nvme0n1p1 as EFI, so you end up with
/dev/nvme0n1p1 /EFI
/dev/nvme0n1p2 /boot
/dev/cryptlaptop/root /
go through everything, including elilo, but drop to a shell when the setup ends. All the necessary binds (/dev, /proc, /sys) are already in place, so just chroot:
chroot /mnt /bin/bash
/usr/share/mkinitrd/mkinitrd_command_generator.sh -r > /root/cmd.sh
chmod +x /root/cmd.sh
/root/cmd.sh
eliloconfig
exit
reboot
And that’s it
—
Older version:
IF YOU ALREADY HAVE EVERYTHING and only want to erase the old system / you are doing a recovery / you are fixing your 51st attempt at getting LUKS to work:
cryptsetup luksOpen /dev/sda2 lukssda2
vgchange -ay
mount /dev/cryptvg/root /mnt
mount /dev/sda1 /mnt/boot
mount --bind /dev /mnt/dev
mount --bind /proc /mnt/proc
mount --bind /sys /mnt/sys
chroot /mnt /bin/bash
/usr/share/mkinitrd/mkinitrd_command_generator.sh -r
and be sure to add -C /dev/sda2 or else you will probably get:
mount: mounting /dev/cryptvg/root on /mnt failed: No such file or directory
ERROR: No /sbin/init found on rootdev (or not mounted). Trouble ahead.
Now, cryptsetup requires at least n/libgcrypt and n/libgpg (or something like that); you cannot install only the barebones a/ packages and expect it to work, the system will not boot and you get:
LUKS device '/dev/sda2' unavailable for unlocking!
either run mkinitrd by hand with the generated command, or do:
/usr/share/mkinitrd/mkinitrd_command_generator.sh -r > /root/cmd.sh
chmod +x /root/cmd.sh
/root/cmd.sh
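As an added check that is not part of the original notes: a small shell function that inspects the generated /root/cmd.sh (from the chroot step above and in the 2023 procedure) for the flags the boot depends on, so the missing -C case described above is caught before rebooting. The mkinitrd command lines used in the test are constructed samples, not the author's real disk.

```shell
#!/bin/sh
# check_mkinitrd_cmd FILE [LUKSDEV]
# Inspects the mkinitrd line in FILE (the /root/cmd.sh written by
# mkinitrd_command_generator.sh) and reports anything that would leave the
# initrd unable to unlock and mount an encrypted LVM root. Returns 0 when the
# line looks complete, 1 otherwise. LUKSDEV, if given, is the container the
# -C flag is expected to name (device names below are constructed examples).
check_mkinitrd_cmd() {
    file=$1
    want_luks=$2
    rc=0
    line=$(grep mkinitrd "$file" | head -n 1)
    [ -n "$line" ] || { echo "no mkinitrd line in $file"; return 1; }

    # -r: the root device; without it the initrd has nothing to mount.
    root=$(printf '%s\n' "$line" | sed -n 's/.*-r \([^ ]*\).*/\1/p')
    [ -n "$root" ] || { echo "missing -r <rootdev>"; rc=1; }

    # Root on an LV (/dev/<vg>/<lv> or /dev/mapper/...) needs -L so that the
    # initrd activates the volume group before mounting.
    case $root in
        /dev/disk/*) ;;
        /dev/*/*)
            printf '%s\n' "$line" | grep -q -e ' -L' \
                || { echo "root $root is on LVM but -L is missing"; rc=1; }
            ;;
    esac

    # -C: the LUKS container. Forgetting it is the failure described in the
    # notes: the VG never appears and the initrd cannot mount the root LV.
    luks=$(printf '%s\n' "$line" | sed -n 's/.*-C \([^ ]*\).*/\1/p')
    if [ -z "$luks" ]; then
        echo "missing -C <luksdev>: root will not be found at boot"; rc=1
    elif [ -n "$want_luks" ] && [ "$luks" != "$want_luks" ]; then
        echo "-C points at $luks, expected $want_luks"; rc=1
    fi

    # -f: the root filesystem type, so its driver is included in the initrd.
    printf '%s\n' "$line" | grep -q -e ' -f ' \
        || { echo "missing -f <rootfs type>"; rc=1; }
    return $rc
}
```

Run it as `check_mkinitrd_cmd /root/cmd.sh /dev/sda2` inside the chroot, before executing cmd.sh and rebooting.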
Then with lilo:
boot = /dev/sda
image = /boot/vmlinuz-generic-smp-3.10.17-smp
initrd = /boot/initrd.gz
label = Slackware
read-only
you don't really need root = /dev/cryptvg/root here; mkinitrd bakes the root device into the initrd.
and
lilo
—
Update 2021:
So my current disk setup is:
/dev/nvme0n1 – my disk
/dev/nvme0n1p1 – EFI
/dev/nvme0n1p2 – /boot
/dev/nvme0n1p3 – my encrypted disk (root + swap)
If I pop out the disk for testing, the EFI boot entry may get lost, so the shortest recovery path is:
Grab any bootable Slackware install USB stick and boot it.
cryptsetup luksOpen /dev/nvme1n1p3 luks
mount /dev/cryptvg/root /mnt
mount /dev/nvme1n1p2 /mnt/boot
mount /dev/nvme1n1p1 /mnt/boot/EFI
mount --bind /dev /mnt/dev
mount --bind /proc /mnt/proc
mount --bind /sys /mnt/sys
chroot /mnt /bin/bash
eliloconfig
And choose to add the entry. Done.
—
Update 2021/12/10:
Open and close an encrypted LUKS+LVM:
cryptsetup luksOpen /dev/sda2 lukssda2   # adds the mapping under /dev/mapper
vgchange -ay                             # activates all volume groups
vgchange -a y cryptvg                    # only activates cryptvg, the VG living on lukssda2 (vgchange takes the VG name, not the LUKS mapping name)
then to close:
umount /mnt/...                          # unmount them all
vgchange -a n cryptvg                    # deactivate the volume group
cryptsetup luksClose lukssda2
—