Yannick Loth

Installing Archlinux with software raid1, encrypted filesystem and LVM2

I wrote this article for my personal blog on 2010-08-01, so it may be a bit outdated, yet the info might still be useful, so here it is.

I have not tested this setup recently, so please be aware that the described steps may not work with an up-to-date ArchLinux version.


On the web, you’ll find how to set up ArchLinux with LVM, or with RAID, or with encryption, but not with the combination of these three technologies.
This article explains the steps I took to set up these three technologies together on ArchLinux.

Required skills

Sound understanding of Linux (ArchLinux specifics may be useful…) and RAID, LVM2, partitioning, encryption.

The story

Over the last few days I reinstalled my server (AMD x86_64), which runs several VirtualBox VMs, with ArchLinux.

It’s a simple PC with 3 hard drives: one for the OS and two 500GB drives which hold my data and VMs.

Here’s the detail of my hard disk setup:

  • The OS hard drive: This one is encrypted using LUKS and then runs LVM for the partitioning. There are 2 primary partitions: one for /boot, not encrypted, and one which contains the encrypted LVM partitions. Thus, the root partition is encrypted and on LVM, which needs specific setup in Grub.
  • The 2 data hard drives: These are raid-1 (simple duplication), the raid array is encrypted, and the partitioning is done using LVM. The array only contains 1 single primary partition, spanning the whole space and containing the LVM partitions.

I never dared install ArchLinux on top of this setup before (so I ran my server using openSUSE, and recently Fedora 13), because of the not so user-friendly ArchLinux install software. I added encryption to my setup when I installed Fedora 13, using the Fedora installer Anaconda. But some days ago, as I encountered several issues using Fedora 13, I decided to give ArchLinux a try. Please note that I was really surprised by the Fedora 13 release (it’s quite slick and very stable), but ArchLinux (the control I have over it and the gargantuan software collection it provides) is better suited to my advanced needs. More precisely, in Fedora 13, I’ve found nothing as easy as netcfg to set up my network interfaces like I wanted (quite complicated, not explained here).
So here are the steps:

Hard drive setup

Set up the hard drives (partitioning, RAID-1 and LVM2) with the Fedora 13 installer Anaconda. Simply put in the Fedora 13 install disk and do a simple install with the disk setup you need. The installed OS will be of no use; the purpose here is to set up the disks, not the OS. The Fedora 13 install software is very easy to use, as the hard drive setup is visual.
openSUSE may be OK too, as Yast is also visual and easy to use.

ArchLinux installation

Boot using the ArchLinux Install CD.
Choose the correct keymap for your PC:

km

Load the encryption, raid1 and LVM modules:

modprobe dm-crypt
modprobe dm-mod
modprobe raid1

Assemble the raid (as it was created with the Fedora 13 installer, there is no need to create it):

mdadm -A /dev/md0 /dev/sdc1 /dev/sdb1

Set up encryption on the OS hard drive and the data array (again, as the encrypted drives already exist, there is no need to create them; simply open them with your passphrases):

cryptsetup luksOpen /dev/sda2 system
cryptsetup luksOpen /dev/md0 data

Scan for LVM volume groups and keep them in memory:

vgscan
vgchange -ay

Then run the ArchLinux install software:

/arch/setup

Continue through the installer (use the existing partitions!) until the packages have been installed.
Immediately after package installation, switch to another terminal with the key combination CTRL-ALT-F2 and log in as root.
Now replace the mdadm.conf file with one that matches your setup (this step is needed because mkinitcpio uses this file when it generates the initrd image):

rm /mnt/etc/mdadm.conf
mdadm --examine --scan >> /mnt/etc/mdadm.conf

Come back to the install software with the key combination CTRL-ALT-F1.
Now, in the install software, edit your configuration files:

rc.conf

USELVM=yes
KEYMAP=be-latin1

You may replace be-latin1 with your keymap.

mkinitcpio.conf

MODULES=(... dm-mod dm-crypt aes_x86_64 raid1 ...)
HOOKS=(... mdadm keymap encrypt lvm2 filesystems...)

The order in the HOOKS array is very important:

  • keymap sets the keymap before the passphrase for the encrypted drives is requested.
  • encrypt is necessary to decrypt the drives, which gives lvm2 access to their content.
  • lvm2 provides the partitions, which are needed to mount the filesystems.

I think the mdadm hook is not needed, as the root partition is not on top of a raid. But if it was, it would be required!
Based on your setup (lvm2 over encryption over raid, encryption of single lvm2 drives,…), the order may change, so your understanding of how these technologies are set up on your drives really is relevant.
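
The ordering rule above can be checked before mkinitcpio generates the image. The following script is an added example, not part of the original article; the function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the article): check the order of hooks in a
# mkinitcpio.conf before the initrd image is generated.

# Print the hook names of the last active HOOKS= line, space separated.
hooks_of() {
    grep -E '^[[:space:]]*HOOKS=' "$1" | tail -n 1 |
        sed -e 's/^[^=]*=//' -e "s/[()\"']//g"
}

# check_hook_order FILE HOOK...
# Succeeds (0) if every HOOK is present and they appear in the given order.
# Returns 1 for a wrong order and 2 for a missing hook.
check_hook_order() {
    conf=$1; shift
    hooks=$(hooks_of "$conf")
    last=0
    for want in "$@"; do
        idx=0; found=0
        for h in $hooks; do
            idx=$((idx + 1))
            if [ "$h" = "$want" ]; then found=$idx; break; fi
        done
        if [ "$found" -eq 0 ]; then
            echo "missing hook: $want"; return 2
        fi
        if [ "$found" -le "$last" ]; then
            echo "hook out of order: $want"; return 1
        fi
        last=$found
    done
    echo "order ok: $*"
}

# Constructed sample: lvm2 is listed before encrypt, so the volume group
# inside the LUKS container is not yet reachable when lvm2 runs.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# HOOKS=(base udev autodetect filesystems)
MODULES=(dm-mod dm-crypt raid1)
HOOKS=(base udev mdadm keymap lvm2 encrypt filesystems)
EOF
check_hook_order "$sample" keymap encrypt lvm2 filesystems || true
rm -f "$sample"
```

For a different layering (for example lvm2 over encryption over raid), pass the hooks in the order your own stack requires.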

locale.gen

Remove the leading hash sign (#) in front of your locale.

pacman.conf

Strictly speaking, this is not needed at all for this setup, but I can’t imagine using ArchLinux without this repository, so I always enable it:

[archlinuxfr]
Server = http://repo.archlinux.fr/x86_64

Now validate your config files. The system launches mkinitcpio, which generates initrd images.
Now edit your menu.lst file. Add cryptdevice=/dev/sda2:vg_system to the kernel line (adapt it to your config, replace sda2 by your encrypted partition and vg_system by your LVM2 volume group’s name). Following are my configurations:

# (0) Arch Linux
title  Arch Linux
root   (hd0,0)
kernel /vmlinuz26 root=/dev/mapper/vg_system-root cryptdevice=/dev/sda2:vg_system ro
initrd /kernel26.img

# (1) Arch Linux
title  Arch Linux Fallback
root   (hd0,0)
kernel /vmlinuz26 root=/dev/mapper/vg_system-root cryptdevice=/dev/sda2:vg_system ro
initrd /kernel26-fallback.img

Save the file, install grub to your MBR.
Now, to automatically mount the encrypted data partitions (those on the raid1), the system must know your passphrase. That’s the purpose of the /etc/crypttab file.

nano /mnt/etc/crypttab

Add the line:

data /dev/md0 PASSPHRASE

The device /dev/md0 should be the same as the one in /etc/mdadm.conf.
Replace PASSPHRASE with the one you chose for your system.
Make sure /etc/crypttab is only readable by root, otherwise other users can read your passphrase!

The use of /etc/crypttab conveniently avoids asking the user for two passphrases, one for the OS encrypted drive and one for the data encrypted drive. At boot, you enter your OS-encrypted-partition passphrase, and then the system reads /etc/crypttab to decrypt the data-encrypted-partition.
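
Because the passphrase sits in /etc/crypttab in clear text, the file's permissions are worth verifying after the install. The following audit script is an added example, not part of the original article; its function names and sample file are constructed. It assumes that a third field starting with / is a key file path and that ASK, SWAP, none or - store no secret; on systemd-based systems the third field is a key file path rather than the passphrase itself.

```sh
#!/bin/sh
# Added example (not from the article): audit a crypttab file for passphrases
# stored inline and for permissions that expose them.

# Succeeds only if FILE grants no permission bits to group or others.
owner_only_mode() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Print the mapping name of each entry whose third field is a literal
# passphrase. Assumed convention: a leading "/" means key file, and
# ASK, SWAP, none or "-" mean no stored secret. The secret is never printed.
inline_secret_entries() {
    awk '!/^[[:space:]]*(#|$)/ && NF >= 3 && $3 !~ /^\// &&
         $3 != "ASK" && $3 != "SWAP" && $3 != "none" && $3 != "-" { print $1 }' "$1"
}

# audit_crypttab FILE: returns 1 if a passphrase is stored inline in a file
# that group or others can access, 0 otherwise.
audit_crypttab() {
    names=$(inline_secret_entries "$1")
    if [ -z "$names" ]; then
        echo "no inline passphrase in $1"; return 0
    fi
    if owner_only_mode "$1"; then
        echo "inline passphrase for: $names (owner-only; owner should be root)"
        return 0
    fi
    echo "EXPOSED inline passphrase for: $names (run: chmod 600 $1)"; return 1
}

# Constructed sample using the article's entry: world-readable, then fixed.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# NAME  SOURCE DEVICE  PASSWORD
data /dev/md0 PASSPHRASE
EOF
chmod 644 "$sample"; audit_crypttab "$sample" || true
chmod 600 "$sample"; audit_crypttab "$sample" || true
rm -f "$sample"
```

On the installed system, run audit_crypttab /etc/crypttab as root, or against /mnt/etc/crypttab from the install environment.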

Enjoy!

Now, if everything went fine, you may reboot and enjoy using your fresh ArchLinux system.

If any steps are unclear or contain errors, feel free to leave a comment and I’ll make the corrections.