• HOW TO: Install Antergos /w custom LUKS/LVM2 partitioning


    Although the Antergos installer, Cnchi, now offers the option Encrypt single partition with LUKS when making your own partition scheme, it still doesn’t support LVM2 (Logical Volume Manager) volumes over LUKS for custom partitioning.

    Doing full disk install with LVM2 over LUKS is great if you can spare the whole hard drive for Linux. If you can’t but still want to get the benefit of installing Antergos on a LUKS/LVM2 combo while sharing the drive with other partitions, this tutorial was made for you!

    I initially picked up the knowledge early last year when Cnchi didn’t even support any custom partition encryption. There’s a lot of good information about this topic already on the Arch Wiki, but I found it spread out and difficult to piece together. I thought it would be nice to take what I learned and put out a more unified tutorial for you guys.

    WHY LVM2 ON LUKS VS MULTIPLE LUKS only partitions?

    You may be wondering why you would bother with one big LUKS partition containing several logical volumes (LVM2) rather than several plain LUKS partitions, which Cnchi already supports. Having an LVM2 volume group inside the LUKS partition offers a few advantages. First, there is only a single decryption: you enter one passphrase at boot to unlock all your volumes, whereas with the multiple-LUKS scheme you have to enter a passphrase for each encrypted volume. If your passphrase is very long and you have 2 or 3 volumes, this makes a huge difference. If you don’t have a long passphrase, I would urge you to make one, as most crypto devs recommend passphrases of at least 25 characters to ensure robustness against cloud-based brute-force attacks, which pretty much anyone with a lot of money can set up these days. Additionally, I’ve found LVM volumes a pleasure to work with: they are a lot easier and more flexible to manipulate than LUKS partitions, which you would essentially have to destroy and recreate.

    PROCEDURE


    PREP WORK

    You’re better off plugging the HD/SSD on which you’re going to install Antergos into the SATA0 or SATA1 port of your motherboard, as it’ll save you some headaches with Grub (see TROUBLESHOOTING1 at the end of the article).

    Boot into your Antergos USB media via the BIOS boot menu. If you’re going to install grub on a GPT drive, you’ll need to select the UEFI boot option for the USB stick. If your grub is going to run off an MBR disk, you’ll need to use the plain USB option. Be aware that if you’re working with a drive larger than 2TB, you can only use GPT partitioning.

    Once you’re in the live environment, press the Windows/Meta key and search for GParted. Use it to partition your drive the way you want it. Set a partition aside for LUKS (it can be any format, as the partition will just get overwritten later). If you’re going to install grub on the same drive as your Antergos installation (which I recommend) and the drive has an MBR partition table, set aside a 150-300 MB partition for a separate non-encrypted, non-LVM “/boot” partition. If you’re installing grub on the same drive and it’s GPT, you’ll also have to set aside the first 100 MB (again non-encrypted, non-LVM) for the “/boot/efi” partition, in addition to the “/boot” partition.


    To manually setup LUKS and LVM, open Terminal (Meta, search for terminal) and enter the following commands:

    sudo su   # (from here on out, I'll assume you're running my commands as root)
    cryptsetup luksFormat /dev/sdXX   # (replace sdXX with the partition you set aside for LUKS, e.g. sdd3 or sda4; keep a note of sdXX for later)
    cryptsetup open --type luks /dev/sdXX myCRYPTname   # (the decrypted container is now available at /dev/mapper/myCRYPTname)
    pvcreate /dev/mapper/myCRYPTname
    vgcreate MyVolumeGroupsName /dev/mapper/myCRYPTname
    

    Keep a note of the names you’ve selected for myCRYPTname and MyVolumeGroupsName as you’ll need it at the end of this tutorial.

    You can then create as many volumes as you want. For example:

    lvcreate -L 8G MyVolumeGroupsName -n swapvol
    lvcreate -L 15G MyVolumeGroupsName -n myROOTvolume
    lvcreate -L 270G MyVolumeGroupsName -n homevol   # note: uppercase -L takes a size; lowercase -l takes a number of extents
    

    Keep a note of the name you’ve selected for myROOTvolume (future /), as you’ll also need it at the end.

    Reference: https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS

    Cnchi Install:

    You can use Cnchi to do most of the rest from here:

    Run the Cnchi installer and, when you get to the point where it asks “how would you like to proceed?”, select “choose exactly where Antergos should be installed.”

    The installer sees the decrypted lvm volumes you’ve setup/mounted and places them above the regular partitions. You’ll be able to treat the volumes as any other physical partition in Cnchi.


    Now would be a good time to format them and give them a mount point. At the very least, to proceed, you’ll have to assign/format your root volume (/), your (/boot) partition, which (again) must be outside of your LUKS partition, and, if you’re on GPT, the (/boot/efi) partition (at the very beginning of the drive). You will also have to specify the hard drive on which you want to install grub. In general it’s good policy to keep all hard drives self-sufficient and install grub on the same drive you’re running the OS from.


    You can then run the installer as usual after that but don’t reboot at the end of the install.

    Fixing /etc/default/grub and /etc/mkinitcpio.conf files:

    Once the installation is finished, you’ll have 90% of the job done, but you still won’t be able to boot into your new OS. Since you installed Antergos on LVM volumes that you decrypted yourself, Cnchi will not know that they are encrypted, so your kernel image will be missing the “encrypt” hook and grub will need a few parameters added as well. You’ll have to fix some config files and regenerate the kernel image and grub.cfg before rebooting the system.

    First, go to “/install/boot” and make a copy of your kernel and grub.cfg files (they’re probably not useful, but you might as well keep them in case you need to refer to grub.cfg).

    FYI “/install” is where your future root volume (/) has been mounted by the Antergos installer. If you’ve rebooted and mounted the root volume somewhere else, just replace the “/install” in my instructions with the path you’ve used to mount the root volume. Be sure to mount the /boot and /boot/efi partitions within the root volume’s mount path. And the caveat of choosing USB vs UEFI would still apply at this point.

    Edit /install/etc/mkinitcpio.conf, go down to the HOOKS line (it will look something like HOOKS="base udev … lvm2 …", space-separated) and add the encrypt hook immediately before the lvm2 one.

    Edit /install/etc/default/grub

    At the very beginning of the “grub” file, after this section:
    GRUB_DEFAULT=0
    GRUB_TIMEOUT=5
    GRUB_DISTRIBUTOR=Antergos
    GRUB_CMDLINE_LINUX_DEFAULT="quiet"
    GRUB_ENABLE_CRYPTODISK=y <======ADD THIS LINE

    Replace GRUB_CMDLINE_LINUX="" with:
    GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdXX:myCRYPTname:allow-discards root=/dev/mapper/MyVolumeGroupsName-myROOTvolume"

    [Remember the info I told you to note? You’ll need it in the above line. Be aware that the sdXX location in cryptdevice=/dev/sdXX:… can vary due to various circumstances (see TROUBLESHOOTING1 at the end), so it would be a good idea to double-check it by running “lsblk” in a terminal and confirming the /dev/sdXX of your LUKS partition before filling out /install/etc/default/grub.]

    In the section that says:

    # Preload both GPT and MBR modules so that they are not missed

    GRUB_PRELOAD_MODULES="part_gpt part_msdos lvm" <== ADD lvm, if it’s not there already.
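    The two config edits above can be rehearsed on copies before touching /install/etc. The script below is an added example for this guide, not code from the tutorial, Antergos or Cnchi. It assumes bash with GNU sed and grep (what the live USB provides), takes the file paths as arguments, and writes constructed sample files for a dry run. It also checks one thing the guide only implies: encrypt has to sit after block and before lvm2 in HOOKS, otherwise the initramfs looks for the volume group before the container is open.

```shell
#!/bin/bash
# Added example, not code from the tutorial or from Antergos/Cnchi.
# Assumes bash with GNU sed/grep; file paths are passed in so the functions can
# be rehearsed on constructed copies before touching /install/etc.
set -u

# Insert "encrypt" immediately before "lvm2" in the HOOKS line. Works for both
# the HOOKS="..." and HOOKS=(...) spellings, is a no-op when encrypt is already
# present, and refuses to guess when there is no lvm2 hook to anchor on.
add_encrypt_hook() {
    local conf="$1" hooks
    hooks=$(grep -E '^HOOKS=' "$conf") || { echo "no HOOKS line in $conf" >&2; return 1; }
    case "$hooks" in
        *encrypt*) return 0 ;;
        *lvm2*)    ;;
        *)         echo "HOOKS in $conf lacks lvm2; add it first" >&2; return 1 ;;
    esac
    sed -i -E '/^HOOKS=/ s/(^|[ ("])lvm2([ )"]|$)/\1encrypt lvm2\2/' "$conf"
}

# Verify the order the initramfs needs: block before encrypt before lvm2
# (the LUKS container must be opened before LVM scans for the volume group).
hooks_order_ok() {
    local conf="$1" line i=0 block=-1 encrypt=-1 lvm=-1 h
    grep -q '^HOOKS=' "$conf" || return 1
    line=$(grep -E '^HOOKS=' "$conf" | tr '"()=' '    ')
    for h in $line; do
        case "$h" in
            block)   block=$i ;;
            encrypt) encrypt=$i ;;
            lvm2)    lvm=$i ;;
        esac
        i=$((i + 1))
    done
    [ "$block" -ge 0 ] && [ "$encrypt" -gt "$block" ] && [ "$lvm" -gt "$encrypt" ]
}

# Set GRUB_ENABLE_CRYPTODISK=y, GRUB_CMDLINE_LINUX and the lvm preload module in
# an /etc/default/grub copy. $2 is the cryptdevice= value and $3 the root
# device, spelled exactly as the tutorial builds them.
configure_grub_default() {
    local conf="$1" cryptdev="$2" rootdev="$3"
    local cmdline="GRUB_CMDLINE_LINUX=\"cryptdevice=$cryptdev root=$rootdev\""
    if grep -qE '^#?GRUB_ENABLE_CRYPTODISK=' "$conf"; then
        sed -i -E 's/^#?GRUB_ENABLE_CRYPTODISK=.*/GRUB_ENABLE_CRYPTODISK=y/' "$conf"
    else
        printf 'GRUB_ENABLE_CRYPTODISK=y\n' >> "$conf"
    fi
    if grep -q '^GRUB_CMDLINE_LINUX=' "$conf"; then
        # '|' as the sed delimiter so the slashes in device paths need no escaping
        sed -i "s|^GRUB_CMDLINE_LINUX=.*|$cmdline|" "$conf"
    else
        printf '%s\n' "$cmdline" >> "$conf"
    fi
    if grep -q '^GRUB_PRELOAD_MODULES=' "$conf"; then
        grep '^GRUB_PRELOAD_MODULES=' "$conf" | grep -qw lvm ||
            sed -i -E 's/^GRUB_PRELOAD_MODULES="([^"]*)"/GRUB_PRELOAD_MODULES="\1 lvm"/' "$conf"
    else
        printf 'GRUB_PRELOAD_MODULES="part_gpt part_msdos lvm"\n' >> "$conf"
    fi
}

# Constructed sample files (not copied from any real system) for a dry run.
make_samples() {
    local dir="$1"
    cat > "$dir/mkinitcpio.conf" <<'EOF'
MODULES=""
BINARIES=""
FILES=""
HOOKS="base udev autodetect modconf block keyboard keymap lvm2 filesystems fsck"
EOF
    cat > "$dir/grub" <<'EOF'
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=Antergos
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX=""

# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos"
EOF
}

# Dry run on the constructed files; on the real system point the functions at
# /install/etc/mkinitcpio.conf and /install/etc/default/grub instead.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_samples "$d"
    add_encrypt_hook "$d/mkinitcpio.conf" && hooks_order_ok "$d/mkinitcpio.conf" && echo "hooks ok"
    configure_grub_default "$d/grub" "/dev/sdXX:myCRYPTname:allow-discards" \
        "/dev/mapper/MyVolumeGroupsName-myROOTvolume"
    grep -E '^(HOOKS|GRUB_ENABLE_CRYPTODISK|GRUB_CMDLINE_LINUX|GRUB_PRELOAD_MODULES)=' "$d"/*
fi
```

    Run it with `--demo` to see the rewritten lines; for the real files, call the three functions with /install/etc/mkinitcpio.conf and /install/etc/default/grub and the sdXX value you confirmed with lsblk.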

    Recompiling kernel image:

    Now that these two config files are corrected, we can re-compile grub.cfg and the kernel image using chroot.

    Go to terminal and enter the following commands:

    mount --bind /proc /install/proc
    mount --bind /dev /install/dev
    mount --bind /sys /install/sys
    mount --bind /run/lvm /install/run/lvm 
    

    (create the /install/run/lvm directory if it doesn’t already exist).

    chroot /install 
    

    If for some reason that doesn’t work, try:

    /install/usr/bin/chroot /install
    

    Once in chroot:

    dir /usr/lib/modules   # (lists the kernel version installed on your root; it will differ from the one on your live CD and from the example below)
    mkinitcpio -g /boot/initramfs-linux.img -k 4.19.2-1-ARCH   # <== change the kernel version to the one you just found; you're only interested in the main version, not the extramodules
    

    It needs to compile with no errors or warnings. If you get the following warning during compilation: “bsdcpio: Failed to set default locale”, enter:

    locale
    locale -a
    

    If they output an error message, enter:

    nano /etc/locale.gen    # (uncomment the locale you want to install; Ctrl-O to save, Ctrl-X to exit)
    nano /etc/locale.conf   # (make sure the locale you just selected in locale.gen is in locale.conf)
    locale-gen              # <= compiles the newly selected locale(s)
    (then redo the kernel image step above with your compiled locale)
    

    Recompiling grub.cfg

    grub-mkconfig -o /boot/grub/grub.cfg
    

    TROUBLESHOOTING1:Grub

    ERROR: device '/dev/mapper/MyVolumeGroupsName-myROOTvolume' not found. Skipping fsck.
    ERROR: Unable to find root device '/dev/mapper/MyVolumeGroupsName-myROOTvolume'
    You are being dropped to a recovery shell
    etc… etc…

    Grub is telling you it can’t find the LUKS partition, or it can’t decrypt it. This could be for many different reasons (missing encrypt hook in the kernel image, mis-entered info in /etc/default/grub), but the most common one I’ve found is that grub uses non-persistent naming (for example cryptdevice=/dev/sdd3:(…)) to mount the crypt partition instead of persistent naming (such as a UUID). See the full example below:

    linux /vmlinuz-linux root=/dev/mapper/buckDOEkit-Antergos2015root rw cryptdevice=/dev/sdd3:buckDOEkit:allow-discards root=/dev/mapper/buckDOEkit-Antergos2015root GRUB_CMDLINE_LINUX_DEFAULT quiet splash

    (you’ll find this at the end of the encrypted-antergos menu entry)

    The problem with specifying cryptdevice=/dev/sdd3 instead of cryptdevice=UUID=sjfkdl-djdskj-sdjkdskjsd-sdjdskj etc. is that your disk will not always be at /dev/sdd3. This can change with something as simple as booting with a USB stick plugged into your PC, which happened to me: as soon as I unplugged my Antergos installation USB, the disk address of the LUKS partition went from /dev/sdd3 to /dev/sdc3. Booting the live USB as UEFI vs USB will also influence device addressing, as will adding or removing other drives. I’ve tried modding grub.cfg with cryptdevice=UUID=(my LUKS UUID) but that doesn’t seem to work.

    There are a couple of ways of getting around this design flaw. The easiest: plug the disk containing (or that will contain) LUKS into SATA port 0 on the motherboard. You’re better off doing this before installing Antergos, but you can do it afterwards as well; just correct grub.cfg accordingly. If you don’t want to guess, boot the live USB and use lsblk to verify the LUKS partition’s address, then edit grub.cfg. If you don’t want to go to that trouble and don’t mind guessing, just hit E when you’re in grub, temporarily edit cryptdevice=/dev/sdXX:(…) with your best guess, and hit F10 to boot.

    TROUBLESHOOTING2: Grub

    Error device name required…
    Loading linux kernel…
    Press any Key to continue
    (and then it loads fine after that)

    Running the grub configuration script results in an out-of-context “cryptomount -u” being placed in each of the encrypted menu entries. This causes a confusing but harmless error message at the very beginning of boot. You can make the error message go away by deleting the bogus “cryptomount -u” line. You’ll find it around the fifth or sixth line of every encrypted menu entry, for example:

    menuentry 'Antergos Linux' --class antergos --class arch --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-c6fcdd0e-ddab-4381-bc40-b402ae96659e' {
    load_video
    set gfxpayload=keep
    insmod gzio
    insmod part_gpt
    insmod fat
    cryptomount -u <<<==== BOGUS! DELETE! The real cryptomount -u entry is at the beginning of the grub.cfg file and not in the menu entries.
    set root='hd3,gpt2'
    if [ x$feature_platform_search_hint = xy ]; then
    search --no-floppy --fs-uuid --set=root --hint-bios=hd3,gpt2 --hint-efi=hd3,gpt2 --hint-baremetal=ahci3,gpt2 F787-2E3B
    else
    search --no-floppy --fs-uuid --set=root F787-2E3B
    fi
    echo 'Loading linux kernel …'
    linux /vmlinuz-linux root=/dev/mapper/myVGname-myROOTvolume rw cryptdevice=/dev/sdXX:myCRYPTname:allow-discards root=/dev/mapper/myVGname-myROOTvolume quiet
    echo 'Loading initial ramdisk …'
    initrd /initramfs-linux.img
    }
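    Both troubleshooting sections above come down to inspecting and patching a generated grub.cfg, so here is an added example that does it for you; it is not code from the tutorial or from GRUB. It assumes bash with GNU sed, grep and awk, works on a constructed grub.cfg sample (the UUIDs in it are placeholders, not values from any real disk), and produces the `cryptdevice=UUID=<uuid>:<mapper name>` shape that the Arch wiki page referenced earlier documents for the encrypt hook, keeping the mapper name and the :allow-discards suffix so a malformed value can at least be ruled out. The second half strips the bare `cryptomount -u` lines only inside menuentry blocks, leaving the top-level `cryptomount -u <uuid>` that GRUB_ENABLE_CRYPTODISK generates.

```shell
#!/bin/bash
# Added example, not code from the tutorial or from GRUB. Assumes bash with GNU
# sed/grep/awk. All UUIDs here are constructed placeholders.
set -u

# Exit 0 when no kernel line uses a /dev/<kernel-name> path in cryptdevice=;
# otherwise print the offending lines (with line numbers) and exit 1.
find_nonpersistent_cryptdevice() {
    ! grep -nE '^[[:space:]]*linux[[:space:]].*cryptdevice=/dev/(sd|vd|hd|nvme|mmcblk)[^:[:space:]]*:' "$1"
}

# Rewrite cryptdevice=/dev/sdXN:NAME... to cryptdevice=UUID=<uuid>:NAME... on
# every kernel line, keeping the mapper name and any :allow-discards suffix.
# On a real system the UUID comes from: blkid -s UUID -o value /dev/sdXN
persist_cryptdevice() {
    local cfg="$1" uuid="$2"
    case "$uuid" in
        ''|*[!0-9a-fA-F-]*) echo "refusing malformed UUID: $uuid" >&2; return 1 ;;
    esac
    sed -i -E "s#cryptdevice=/dev/(sd|vd|hd|nvme|mmcblk)[^:[:space:]]*:#cryptdevice=UUID=${uuid}:#g" "$cfg"
}

# Count bare "cryptomount -u" lines (no UUID argument) anywhere in the file.
count_bare_cryptomount() {
    grep -cE '^[[:space:]]*cryptomount -u[[:space:]]*$' "$1" || true
}

# Remove bare "cryptomount -u" lines only inside menuentry { ... } blocks; the
# top-level "cryptomount -u <uuid>" that GRUB_ENABLE_CRYPTODISK generates stays.
strip_menuentry_cryptomount() {
    local cfg="$1"
    awk '
        /^[[:space:]]*menuentry[[:space:]]/ { depth++ }
        depth > 0 && /^[[:space:]]*cryptomount -u[[:space:]]*$/ { next }
        depth > 0 && /^[[:space:]]*}[[:space:]]*$/ { depth-- }
        { print }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Constructed grub.cfg excerpt in the shape grub-mkconfig emits (placeholder UUIDs).
make_sample_grub_cfg() {
    cat > "$1/grub.cfg" <<'EOF'
insmod cryptodisk
insmod luks
cryptomount -u 0123abcd4567ef890123abcd4567ef89
set root='lvm/MyVolumeGroupsName-myROOTvolume'
menuentry 'Antergos Linux' --class antergos --class gnu-linux $menuentry_id_option 'gnulinux-simple-PLACEHOLDER' {
    load_video
    insmod gzio
    insmod part_gpt
    insmod fat
    cryptomount -u
    set root='hd3,gpt2'
    search --no-floppy --fs-uuid --set=root F787-2E3B
    echo 'Loading linux kernel ...'
    linux /vmlinuz-linux root=/dev/mapper/MyVolumeGroupsName-myROOTvolume rw cryptdevice=/dev/sdd3:myCRYPTname:allow-discards quiet
    echo 'Loading initial ramdisk ...'
    initrd /initramfs-linux.img
}
EOF
}

# Dry run on the constructed sample; on the real system pass /install/boot/grub/grub.cfg.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_sample_grub_cfg "$d"
    find_nonpersistent_cryptdevice "$d/grub.cfg" || echo "^ non-persistent cryptdevice found"
    strip_menuentry_cryptomount "$d/grub.cfg"
    persist_cryptdevice "$d/grub.cfg" "12345678-1234-1234-1234-123456789abc"
    cat "$d/grub.cfg"
fi
```

    Keep in mind that grub-mkconfig regenerates grub.cfg from scratch, so anything patched here is lost on the next run; the durable fix is to put the same cryptdevice= value into GRUB_CMDLINE_LINUX in /install/etc/default/grub and regenerate.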

    ========================================================================================================================
    IF IT REBOOTS AND GIVES YOU A PASSWORD PROMPT, PAT YOURSELVES ON THE BACK! YOU ARE DONE! YEEEEEEEHHHHAAAAWWWWWWW!

  • @Fadi-R , nice work!:clap:
    I think it deserves a place in the wiki:thumbsup:

    1.Antergos Linux KDE plasma / Gnome 2.Ubuntu 17.10 64bit Unity
    Intel Core2 Duo CPU P8400 2.26GHz‖ RAM 3908 MiB ‖ Dell Inc. 0F328M - Dell Inc. Latitude E6500
    Intel Mobile 4 Series Chipset Integrated Graphics [8086:2a42] {i915

  • Thanks so much!

    It’s a good idea about the wiki, I didn’t think of that.

  • Heheheh… that’s what friends are for…:stuck_out_tongue_winking_eye:


  • Had a minor issue when following this procedure on antergos-2016.02.21-x86_64 live disc with Cnchi 0.14. It seems that unless you create filesystems on the logical volumes the advanced configuration (“choose exactly where Antergos should be installed”) does not properly recognize them and displays a blank slide instead.

  • @sero Hmmm, interesting, I don’t recall needing to format the lvm2 volumes for the installer to see them but that could have changed since I made the guide. Thanks for the heads up.

  • @sero said:

    Had a minor issue when following this procedure on antergos-2016.02.21-x86_64 live disc with Cnchi 0.14. It seems that unless you create filesystems on the logical volumes the advanced configuration (“choose exactly where Antergos should be installed”) does not properly recognize them and displays a blank slide instead.

    I just thought of something. Was the LUKS partition already decrypted when you ran the installer? It won’t see the lvm2 volumes if you haven’t decrypted the LUKS container where they reside.

  • Kudos to @Fadi-R ! Great work!

  • @Noctem Thanks so much. It’s good to know the tutorial is helping others! :)
