Slackware LVM over LUKS

This is mostly a post to document my process of setting up Full Disk Encryption (FDE) using the Linux Unified Key Setup (LUKS) and the Logical Volume Manager (LVM). Most major distributions already offer this at installation time; Slackware does not, so it must be done by hand. I am going to use an unencrypted boot partition, because my boot manager does not currently support booting from a LUKS container. Sometime in the future I will consider a rebuild of my laptop using grub2, which has support for LUKS and LVM.

Note: I am going to omit most of the installation steps and focus more on the procedures for getting LUKS/LVM up and running.

Boot the Slackware install media in UEFI mode, then check which disks are visible:

The first thing we need to do is to overwrite ALL data on the entire disk with crypto-grade randomness. This leaves no trace of previously stored data and makes the encrypted contents of your LUKS container indistinguishable from the random fill around it, so the disk gives away nothing about how much of it is actually in use.

Warning: Pay close attention to the disk you select, especially if you have multiple attached storage devices. This process will overwrite ALL data on the target disk.

Now fill the container with zeros. Because the mapping encrypts everything written through it with a throwaway random key, the zeros land on the physical disk as random-looking ciphertext.

Depending on the size of the disk you could be waiting for a while, but this method is significantly faster than using only dd and /dev/urandom to sanitize a disk.

Once it completes, close the container.

Use gdisk to set up two partitions: the unencrypted EFI boot partition and the LVM partition that will be encrypted. The recommended size for the boot partition varies by operating system; I usually go with 513MB.

Then create the LVM partition using the rest of the disk space.

Write the changes and exit. Then take a look at the devices.

Now set up the encrypted container on /dev/sda2. Use a strong password when prompted.

Open the container so we can set up LVM.

Looking at our devices again, we can see our crypt container.

The first step of the LVM setup is to create our physical volume.

Then we create our volume group.

The Common Configuration Enumeration (CCE) recommends creating multiple partitions or logical volumes for system directories such as /tmp, /var/log, /home, etc. This segmentation enables the ability to select restrictive mount options, which helps to mitigate various file system attacks.

I tend to create six logical volumes: root, home, var, tmp, log, and swap.

Then format the swap space:

Then create a filesystem on each of the remaining logical volumes. I am using xfs.

When we take a look at the logical volumes we get:

Now run setup. If you booted in UEFI mode, skip the LILO install when prompted, then answer yes when the Slackware installer detects the EFI partition and asks to format it.

Now finish the installation, but do not reboot. Exit to the command prompt and take a look at our disk configuration.

Double-check the filesystem types and mount options.

Notice that our filesystems are mounted under /mnt, so we need to chroot before we continue.

Once everything looks correct, it is time to set up our initial RAM disk (initrd.gz) to support LUKS, LVM, and XFS. Slackware comes bundled with a script that helps to determine what you need:

 /usr/share/mkinitrd/mkinitrd_command_generator.sh

The shell script above can get you most of the way there, but I needed to tweak it a bit.

Note: I found that 'luks' gets prepended to the root device, which you will only see once the system boots.

Copy the initial RAM disk to the EFI directory and remove the huge kernel; it will not work with a RAM disk.

Edit elilo.conf to reflect your use case:

Now when you reboot you will eventually be prompted for your password to unlock your LUKS container.

When you upgrade the kernel, generate a new initrd.gz and copy the new kernel and initrd to:

/boot/efi/EFI/Slackware

Modify elilo.conf to reflect the new kernel. Keep the old kernel around until a successful boot with the new kernel.
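The whole procedure above, collected into one script as an added example (this is not the post's own command output or Slackware's tooling). The disk name, volume group name, logical volume sizes, kernel version and the use of sgdisk instead of interactive gdisk are assumptions; with DRY_RUN=1 it only prints the commands it would run, so the plan can be checked before it touches a disk.

```shell
#!/bin/sh
# Added example, not from the post: the LUKS + LVM layout described above as a
# script. DISK, VG, KERNEL, the LV sizes and the sgdisk use are assumptions.
# DRY_RUN=1 prints each command instead of running it, so the plan can be reviewed.
DISK="${DISK:-/dev/sda}"           # whole disk (sdX naming assumed); it will be wiped
VG="${VG:-cryptvg}"                # name of the LUKS mapping and the volume group
KERNEL="${KERNEL:-$(uname -r)}"
ESP=/boot/efi/EFI/Slackware
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

wipe_disk() {   # zeros pushed through a throwaway plain dm-crypt mapping land as ciphertext
    run cryptsetup open --type plain -d /dev/urandom "$DISK" wipe
    run dd if=/dev/zero of=/dev/mapper/wipe bs=1M status=progress
    run cryptsetup close wipe
}

partition_disk() {  # 1: EFI System Partition (513M), 2: LVM partition on the rest of the disk
    run sgdisk --zap-all "$DISK"
    run sgdisk -n 1:0:+513M -t 1:ef00 -n 2:0:0 -t 2:8e00 "$DISK"
}

make_luks() {
    run cryptsetup luksFormat "${DISK}2"          # prompts for the passphrase
    run cryptsetup luksOpen "${DISK}2" "$VG"
}

make_lvm() {    # six logical volumes, as in the post; the sizes are assumptions
    run pvcreate "/dev/mapper/$VG"
    run vgcreate "$VG" "/dev/mapper/$VG"
    for spec in root:20G var:8G tmp:4G log:4G swap:4G home:100%FREE; do
        name=${spec%%:*}; size=${spec#*:}
        case $size in
            *%*) run lvcreate -l "$size" -n "$name" "$VG" ;;   # percentage of free space
            *)   run lvcreate -L "$size" -n "$name" "$VG" ;;   # absolute size
        esac
    done
    run mkswap "/dev/$VG/swap"
    for lv in root var tmp log home; do run mkfs.xfs "/dev/$VG/$lv"; done
}

make_initrd() { # run inside the chroot after setup: -C names the LUKS device, -L enables LVM
    run mkinitrd -c -k "$KERNEL" -m xfs -f xfs -r "/dev/$VG/root" \
        -C "${DISK}2" -L -u -o /boot/initrd.gz
    run cp /boot/initrd.gz "/boot/vmlinuz-generic-$KERNEL" "$ESP/"
}

plan() { wipe_disk; partition_disk; make_luks; make_lvm; make_initrd; }
case "${1:-}" in run) plan ;; esac    # acts only when invoked as: DRY_RUN=1 sh lukslvm.sh run
```

Review the printed plan first; only then rerun it without DRY_RUN, and only from the install media with the target disk unmounted.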

Thanks for reading.



Categories: System Administration
