--- Moved from "Basic Help & Support". Please note the question at the end... ---
Edit: added some clarifications, and fixed a typo.
After a lot of trying and retrying, I was able to install Lithium on an encrypted partition with no extra unencrypted /boot partition. This was done on a Dell Latitude E7450 with 256GB SSD and 12GB RAM. To follow this guide, you need a similar machine with UEFI, the BunsenLabs Lithium live USB drive, and another USB drive with at least 2GB of free space.
Here's a rundown:
Boot the BunsenLabs installer. Once the installer has launched, switch to a console with Ctrl-Alt-F2, press Enter to activate the console, and run the command:
blkdiscard /dev/sda
Switch back to the installer with Ctrl-Alt-F5, and perform a guided installation with encryption and LVM. This should create partitions /dev/sda1 for EFI, /dev/sda2 for /boot, and /dev/sda3 for the crypto container; inside that, create a volume group named vg0, one LV for swap named swap, and another for the file system named root.
After the installation is done, boot into it, run through the Welcome script, and perform first customizations.
Boot back into the live system, and make a backup. Example: plug in a USB stick with at least 2GB of free space; let's say it's labeled backup, and run the following commands:
cryptsetup open /dev/sda3 sysroot0
mount -o ro /dev/mapper/vg0-root /mnt
( cd /mnt;tar -c --numeric-owner --sort=name .|xz -9 >/media/live/backup/lithium-install.txz )
umount /mnt
Delete the just-installed system, and create the basis for redoing it. Personally, I like my system just so, so perhaps some of the choices feel slightly weird. However, the gist is to create an EFI partition (380MB), a LUKS partition (238GB), and inside that create a volume group named vg0, one LV for root (221.99GB) named root, and another for swap (16GB) named swap:
blkdiscard /dev/sda
sfdisk /dev/sda <<EOF
label: gpt
label-id: 38FA7916-ADB7-4640-9CD0-7EFF5F6FC99A
device: /dev/sda
unit: sectors
first-lba: 2048
last-lba: 500118158
/dev/sda1 : start= 8192, size= 778240, type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B, uuid=45635A8E-00C9-7142-8C49-C89FD9576256
/dev/sda2 : start= 786432, size= 499122176, type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, uuid=E1397C7A-53F6-CD49-9AD2-7CDCA9634C01
EOF
# Using mtools to format EFI but you can use mkdosfs as well
mformat -v EFI -F -N 0xef -H 8192 -R 560 -i /dev/sda1 ::
mmd -i /dev/sda1 ::efi
shred -n 1 /dev/sda2
cryptsetup luksFormat -M luks1 --align-payload=8192 /dev/sda2
cryptsetup open /dev/sda2 sysroot0
pvcreate --dataalignment 4096k /dev/mapper/sysroot0
vgcreate vg0 /dev/mapper/sysroot0
lvcreate --name root -L 227320M vg0
lvcreate --name swap -L 16G vg0
mkswap /dev/mapper/vg0-swap
mkfs.btrfs -K -f /dev/mapper/vg0-root
Now you have encrypted root (btrfs) and swap file systems. To segregate data a bit, and prepare for taking snapshots easily, create some subvolumes:
mount -o rw,noatime,ssd,space_cache,commit=360,compress=zstd /dev/mapper/vg0-root /mnt
for i in root snap home var;do btrfs subvolume create /mnt/@$i;done
btrfs subvolume list /mnt
# Find the id of subvolume @root, and use it in the next command
btrfs subvolume set-default 257 /mnt
umount /mnt
Finally, mount everything, and restore the backup:
mount -o rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=@root /dev/mapper/vg0-root /mnt
for i in .snapshots .toplevel home var boot/efi;do mkdir -p /mnt/$i;done
mount -o rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=@snap /dev/mapper/vg0-root /mnt/.snapshots
mount -o rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=/ /dev/mapper/vg0-root /mnt/.toplevel
mount -o rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=@home /dev/mapper/vg0-root /mnt/home
mount -o rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=@var /dev/mapper/vg0-root /mnt/var
mount -o rw,noatime,umask=0077,utf8 /dev/sda1 /mnt/boot/efi
( cd /mnt;xzcat /media/live/backup/lithium-install.txz|tar -x --numeric-owner )
umount /mnt/boot/efi /mnt/var /mnt/home /mnt/.toplevel /mnt/.snapshots /mnt
As the original install was for three partitions with /boot outside of encryption, you'll have to do some adjustments. For that, boot to the installer again, and go through its screens until you get to the partitioning. Then switch to a console with Ctrl-Alt-F2, press Enter to activate it, and use the following commands:
anna-install cryptsetup-udeb partman-crypto-dm crypto-dm-modules crypto-modules
depmod -a
cryptsetup open /dev/sda2 sysroot0
vgscan;vgs;vgchange -a y vg0;lvs
mkdir /tgt
mount -t btrfs -o rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=@root /dev/mapper/vg0-root /tgt
mount -t btrfs -o rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=@snap /dev/mapper/vg0-root /tgt/.snapshots
mount -t btrfs -o rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=/ /dev/mapper/vg0-root /tgt/.toplevel
mount -t btrfs -o rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=@home /dev/mapper/vg0-root /tgt/home
mount -t btrfs -o rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=@var /dev/mapper/vg0-root /tgt/var
mount -t vfat -o rw,noatime,utf8 /dev/sda1 /tgt/boot/efi
mount -t efivarfs -o rw efivarfs /sys/firmware/efi/efivars
chmod 1777 /tmp
for i in dev dev/pts proc run sys sys/firmware/efi/efivars tmp;do mount -o bind /$i /tgt/$i;done
chroot /tgt /bin/bash
Now you are 'in' the new system. Fix /etc/fstab, /etc/crypttab, /etc/default/grub:
cat >/etc/fstab <<EOF
UUID=43f0d5ba-99d5-4a5b-afc1-ebd7d346a0c7 none swap sw 0 0
UUID=bc0ac0f8-0292-489e-9c2a-5997c9a695de / btrfs rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=@root 0 0
UUID=bc0ac0f8-0292-489e-9c2a-5997c9a695de /.toplevel btrfs rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=/ 0 0
UUID=bc0ac0f8-0292-489e-9c2a-5997c9a695de /.snapshots btrfs rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=@snap 0 0
UUID=bc0ac0f8-0292-489e-9c2a-5997c9a695de /home btrfs rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=@home 0 0
UUID=bc0ac0f8-0292-489e-9c2a-5997c9a695de /var btrfs rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=@var 0 0
UUID=0000-00EF /boot/efi vfat rw,noatime,umask=0077,utf8 0 1
tmpfs /tmp tmpfs rw,noatime,nodev,nosuid,size=66% 0 0
EOF
echo 'sysroot0 UUID=6dd42f4a-a585-4cf8-a24e-35c9194c1882 /boot/keys/sysroot0.key luks,key-slot=1' >/etc/crypttab
echo 'GRUB_ENABLE_CRYPTODISK=y' >>/etc/default/grub
Add a key to the crypto volume so you don't have to enter the passphrase twice at boot, and update the initramfs:
( umask 0077;mkdir /boot/keys;dd if=/dev/urandom of=/boot/keys/sysroot0.key bs=64 count=1 )
cryptsetup luksAddKey /dev/sda2 /boot/keys/sysroot0.key
echo 'KEYFILE_PATTERN="/boot/keys/*.key"' >>/etc/cryptsetup-initramfs/conf-hook
echo 'UMASK=0077' >>/etc/initramfs-tools/initramfs.conf
echo 'RESUME=UUID=43f0d5ba-99d5-4a5b-afc1-ebd7d346a0c7' >/etc/initramfs-tools/conf.d/resume
update-initramfs -u
The GRUB that comes with Lithium is too old to boot from a btrfs volume using zstd compression. Add bullseye (testing) to apt sources, and install the newer GRUB version from there:
echo 'APT::Default-Release "buster";' >/etc/apt/apt.conf.d/10defaultrelease
cat >/etc/apt/sources.list <<EOF
deb https://deb.debian.org/debian buster main non-free contrib
deb-src https://deb.debian.org/debian buster main non-free contrib
## Debian security updates
deb https://deb.debian.org/debian-security buster/updates main contrib non-free
# buster-updates, previously known as 'volatile'
deb https://deb.debian.org/debian buster-updates main contrib non-free
deb-src https://deb.debian.org/debian buster-updates main contrib non-free
EOF
echo 'deb https://deb.debian.org/debian bullseye main contrib non-free' >/etc/apt/sources.list.d/debian-bullseye.list
echo 'deb-src https://deb.debian.org/debian bullseye main contrib non-free' >>/etc/apt/sources.list.d/debian-bullseye.list
printf 'Package: *\nPin: release a=buster\nPin-Priority: 900\n' >/etc/apt/preferences.d/buster.pref
printf 'Package: *\nPin: release a=bullseye\nPin-Priority: 400\n' >/etc/apt/preferences.d/bullseye.pref
apt update
apt install --reinstall grub-common/testing grub-efi-amd64/testing grub-efi-amd64-bin/testing grub-efi-amd64-signed/testing grub2-common/testing
update-grub
grub-install /dev/sda
exit
Almost done, just clean up:
for i in tmp sys/firmware/efi/efivars sys run proc dev/pts dev boot/efi var home .toplevel .snapshots '';do umount /tgt/$i;done
Switch to the installer with Ctrl-Alt-F5, abort the installation, and reboot.
Unfortunately, there is one snag: on my laptop, GRUB boots into a shell prompt. Running set shows prefix is set to (hd0,gpt1)/efi/debian although it should be (hd0,gpt1)/efi/bunsenlabs. Boot continues normally after running the following command:
configfile (hd0,gpt1)/bunsenlabs/grub.cfg
If anyone has any idea how to fix this, I welcome any constructive suggestions.
Last edited by dumetrulo (2020-10-19 12:31:21)
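Added example (not code from the post above): a sanity check for the keyfile arrangement the guide ends with. Because /boot now lives inside the LUKS volume, the unlock key gets embedded in every initramfs, so the key file, the initrd images, KEYFILE_PATTERN and GRUB_ENABLE_CRYPTODISK all have to line up; the function below verifies that against a root directory tree, and make_demo_tree builds a constructed stand-in tree (placeholder UUID) so it can be tried without a real install. Assumes GNU stat(1) and sed(1).

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the keyfile setup the
# guide ends with. With /boot inside the LUKS volume the unlock key is embedded
# in every initramfs, so the key file, the initrd images and the config lines
# that tie them together must all be right. Assumes GNU stat(1) and sed(1).

check_keyfile_setup() {
    root=${1%/}; rc=0
    hook="$root/etc/cryptsetup-initramfs/conf-hook"
    pat=$(sed -n 's/^KEYFILE_PATTERN="\(.*\)"$/\1/p' "$hook" 2>/dev/null || true)
    while read -r name dev key opts; do
        case $name in ''|\#*) continue;; esac
        case $key in ''|none) continue;; esac   # passphrase-only entry, nothing to check
        f="$root$key"
        if [ ! -f "$f" ]; then echo "FAIL: $name keyfile $key missing"; rc=1; continue; fi
        m=$(stat -c '%a' "$f")
        [ "$m" = 600 ] || { echo "FAIL: $key is mode $m, want 600"; rc=1; }
        # the initramfs hook copies only files matching KEYFILE_PATTERN
        case $key in $pat) ;; *) echo "FAIL: $key not covered by KEYFILE_PATTERN='$pat'"; rc=1;; esac
    done <"$root/etc/crypttab"
    # UMASK=0077 in initramfs.conf makes update-initramfs write root-only images
    for img in "$root"/boot/initrd.img-*; do
        [ -e "$img" ] || { echo "FAIL: no initrd image under $root/boot"; rc=1; break; }
        m=$(stat -c '%a' "$img")
        [ "$m" = 600 ] || { echo "FAIL: $img is mode $m, want 600 (set UMASK=0077)"; rc=1; }
    done
    # without this GRUB cannot open the LUKS container that now holds /boot
    grep -qx 'GRUB_ENABLE_CRYPTODISK=y' "$root/etc/default/grub" 2>/dev/null \
        || { echo 'FAIL: GRUB_ENABLE_CRYPTODISK=y missing from /etc/default/grub'; rc=1; }
    if [ $rc -eq 0 ]; then echo "OK: $root passes"; fi
    return $rc
}

# Constructed tree mirroring the post's final layout, so the check can be run
# without touching a real system (the crypttab UUID is a placeholder).
make_demo_tree() {
    d=$1
    mkdir -p "$d/etc/default" "$d/etc/cryptsetup-initramfs" "$d/boot/keys"
    echo 'sysroot0 UUID=PLACEHOLDER-UUID /boot/keys/sysroot0.key luks,key-slot=1' >"$d/etc/crypttab"
    echo 'GRUB_ENABLE_CRYPTODISK=y' >"$d/etc/default/grub"
    echo 'KEYFILE_PATTERN="/boot/keys/*.key"' >"$d/etc/cryptsetup-initramfs/conf-hook"
    ( umask 0077
      dd if=/dev/urandom of="$d/boot/keys/sysroot0.key" bs=64 count=1 2>/dev/null
      : >"$d/boot/initrd.img-demo" )   # stand-in for the real initrd.img-<version>
}

# Stand-alone use: ./check.sh /some/dir builds the demo tree there and checks it;
# on a real system call check_keyfile_setup / instead.
if [ -n "${1:-}" ]; then make_demo_tree "$1"; check_keyfile_setup "$1"; fi
```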