#1 2020-10-18 19:35:43

dumetrulo

Member

Registered: 2019-07-03

Posts: 16

Install Lithium with full disk encryption (no unencrypted /boot)

---  Moved from "Basic Help & Support".  Please note the question at the end...  ---

Edit: added some clarifications, and fixed a typo.

After a lot of trying and retrying, I was able to install Lithium on an encrypted partition with no extra unencrypted /boot partition. This was done on a Dell Latitude E7450 with 256GB SSD and 12GB RAM. To follow this guide, you need a similar machine with UEFI, the BunsenLabs Lithium live USB drive, and another USB drive with at least 2GB of free space.

Here's a rundown:

1. Boot the BunsenLabs installer. Once the installer has launched, switch to a console with Ctrl-Alt-F2, press Enter to activate the console, and run the command:

   blkdiscard /dev/sda

2. Switch back to the installer with Ctrl-Alt-F5, and perform a guided installation with encryption and LVM. This should create partitions /dev/sda1 for EFI, /dev/sda2 for /boot, and /dev/sda3 for the crypto container; inside that, create a volume group named vg0, one LV for swap named swap, and another for the file system named root.

3. After the installation is done, boot into it, run through the Welcome script, and perform first customizations.

4. Boot back into the live system, and make a backup. Example: plug in a USB stick with at least 2GB of free space; let's say it's labeled backup, and run the following commands:

   cryptsetup open /dev/sda3 sysroot0
   mount -o ro /dev/mapper/vg0-root /mnt
   ( cd /mnt;tar -c --numeric-owner --sort=name .|xz -9 >/media/live/backup/lithium-install.txz )
   umount /mnt

5. Delete the just installed system, and create the basis for redoing it. Personally, I like my system just so, so perhaps some of the choices feel slightly weird. However, the gist is to create an EFI partition (380MB), a LUKS partition (238GB), and inside that create a volume group named vg0, one LV for root  (221.99GB) named root, and another for swap (16GB) named swap:

   blkdiscard /dev/sda
   sfdisk /dev/sda <<EOF
   label: gpt
   label-id: 38FA7916-ADB7-4640-9CD0-7EFF5F6FC99A
   device: /dev/sda
   unit: sectors
   first-lba: 2048
   last-lba: 500118158
   
   /dev/sda1 : start=        8192, size=      778240, type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B, uuid=45635A8E-00C9-7142-8C49-C89FD9576256
   /dev/sda2 : start=      786432, size=   499122176, type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, uuid=E1397C7A-53F6-CD49-9AD2-7CDCA9634C01
   EOF
   # Using mtools to format EFI but you can use mkdosfs as well
   mformat -v EFI -F -N 0xef -H 8192 -R 560 -i /dev/sda1 ::
   mmd -i /dev/sda1 ::efi
   shred -n 1 /dev/sda2
   cryptsetup luksFormat -M luks1 --align-payload=8192 /dev/sda2
   cryptsetup open /dev/sda2 sysroot0
   pvcreate --dataalignment 4096k /dev/mapper/sysroot0
   vgcreate vg0 /dev/mapper/sysroot0
   lvcreate --name root -L 227320M vg0
   lvcreate --name swap -L 16G vg0
   mkswap /dev/mapper/vg0-swap
   mkfs.btrfs -K -f /dev/mapper/vg0-root

6. Now you have encrypted root (btrfs) and swap file systems. To segregate data a bit, and prepare for taking snapshots easily, create some subvolumes:

   mount -o rw,noatime,ssd,space_cache,commit=360,compress=zstd /dev/mapper/vg0-root /mnt
   for i in root snap home var;do btrfs subvolume create /mnt/@$i;done
   btrfs subvolume list
   # Find the id of subvolume @root, and use it in the next command
   btrfs subvolume set-default 257 /mnt
   umount /mnt

7. Finally, mount everything, and restore the backup:

   mount -o rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=@root /dev/mapper/vg0-root /mnt
   for i in .snapshots .toplevel home var boot/efi;do mkdir -p /mnt/$i;done
   mount -o rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=@snap /dev/mapper/vg0-root /mnt/.snapshots
   mount -o rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=/ /dev/mapper/vg0-root /mnt/.toplevel
   mount -o rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=@home /dev/mapper/vg0-root /mnt/home
   mount -o rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=@var /dev/mapper/vg0-root /mnt/var
   mount -o rw,noatime,umask=0077,utf8 /dev/sda1 /mnt/boot/efi
   ( cd /mnt;xzcat /media/live/backup/lithium-install.tgz|tar -x )
   umount /mnt/boot/efi /mnt/var /mnt/home /mnt/.toplevel /mnt/.snapshots /mnt

8. As the original install was for three partitions with /boot outside of encryption, you'll have to do some adjustments. For that, boot to the installer again, and go through its screens until you get to the partitioning. Then switch to a console with Ctrl-Alt-F2, press Enter to activate it, and use the following commands:

   anna-install cryptsetup-udeb partman-crypto-dm crypto-dm-modules crypto-modules
   depmod -a
   cryptsetup open /dev/sda2 sysroot0
   vgscan;vgs;vgchange -a y vg0;lvs
   mkdir /tgt
   mount -t btrfs -o rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=@root /dev/mapper/vg0-root /tgt
   mount -t btrfs -o rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=@snap /dev/mapper/vg0-root /tgt/.snapshots
   mount -t btrfs -o rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=/ /dev/mapper/vg0-root /tgt/.toplevel
   mount -t btrfs -o rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=@home /dev/mapper/vg0-root /tgt/home
   mount -t btrfs -o rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=@var /dev/mapper/vg0-root /tgt/var
   mount -t vfat -o rw,noatime,utf8 /dev/sda1 /tgt/boot/efi
   mount -t efivarfs -o rw efivarfs /sys/firmware/efi/efivars
   chmod 1777 /tmp
   for i in dev dev/pts proc run sys sys/firmware/efi/efivars tmp;do mount -o bind /$i /tgt/$i;done
   chroot /tgt /bin/bash

9. Now you are 'in' the new system. Fix /etc/fstab, /etc/crypttab, /etc/default/grub:

   cat >/etc/fstab <<EOF
   UUID=43f0d5ba-99d5-4a5b-afc1-ebd7d346a0c7 none swap sw 0 0
   UUID=bc0ac0f8-0292-489e-9c2a-5997c9a695de / btrfs rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=@root 0 0
   UUID=bc0ac0f8-0292-489e-9c2a-5997c9a695de /.toplevel btrfs rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=/ 0 0
   UUID=bc0ac0f8-0292-489e-9c2a-5997c9a695de /.snapshots btrfs rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=@snap 0 0
   UUID=bc0ac0f8-0292-489e-9c2a-5997c9a695de /home btrfs rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=@home 0 0
   UUID=bc0ac0f8-0292-489e-9c2a-5997c9a695de /var btrfs rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=@var 0 0
   UUID=0000-00EF /boot/efi vfat rw,noatime,umask=0077,utf8 0 1
   tmpfs /tmp tmpfs rw,noatime,nodev,nosuid,size=66% 0 0
   EOF
   echo 'sysroot0 UUID=6dd42f4a-a585-4cf8-a24e-35c9194c1882 /boot/keys/sysroot0.key luks,key-slot=1' >/etc/crypttab
   echo 'GRUB_ENABLE_CRYPTODISK=y' >>/etc/default/grub

10. Add a key to the crypto volume so you don't have to enter the passphrase twice at boot, and update the initramfs:

    ( umask 0077;mkdir /boot/keys;dd if=/dev/urandom of=/boot/keys/sysroot0.key bs=64 count=1 )
    cryptsetup luksAddKey /dev/sda2 /boot/keys/sysroot0.key
    echo 'KEYFILE_PATTERN="/boot/keys/*.key"' >>/etc/cryptsetup-initramfs/conf-hook
    echo 'UMASK=0077' >>/etc/initramfs-tools/initramfs.conf
    echo 'RESUME=UUID=43f0d5ba-99d5-4a5b-afc1-ebd7d346a0c7' >/etc/initramfs-tools/conf.d/resume
    update-initramfs -u

11. The GRUB that comes with Lithium is too old to boot from a btrfs volume using zstd compression. Add bullseye (testing) to apt sources, and install the newer GRUB version from there:

    echo 'APT::Default-Release "buster";' >/etc/apt/apt.conf.d/10defaultrelease
    cat >/etc/apt/sources.list <<EOF
    deb https://deb.debian.org/debian buster main non-free contrib
    deb-src https://deb.debian.org/debian buster main non-free contrib
    
    ## Debian security updates
    deb https://deb.debian.org/debian-security buster/updates main contrib non-free
    
    # buster-updates, previously known as 'volatile'
    deb https://deb.debian.org/debian buster-updates main contrib non-free
    deb-src https://deb.debian.org/debian buster-updates main contrib non-free
    EOF
    echo 'deb https://deb.debian.org/debian bullseye main contrib non-free' >/etc/apt/sources.list.d/debian-bullseye.list
    echo 'deb-src https://deb.debian.org/debian bullseye main contrib non-free' >>/etc/apt/sources.list.d/debian-bullseye.list
    printf 'Package: *\nPin: release a=buster\nPin-Priority: 900\n' >/etc/apt/preferences.d/buster.pref
    printf 'Package: *\nPin: release a=buster\nPin-Priority: 400\n' >/etc/apt/preferences.d/bullseye.pref
    apt update
    apt install --reinstall grub-common/testing grub-efi-amd64/testing grub-efi-amd64-bin/testing grub-efi-amd64-signed/testing grub2-common/testing
    update-grub
    grub install /dev/sda
    exit

12. Almost done, just clean up:

    for i in tmp sys/firmware/efi/efivars sys run proc dev/pts dev boot/efi var home .toplevel .snapshots '';do umount /tgt/$i;done

13. Switch to the installer with Ctrl-Alt-F5, abort the installation, and reboot.

Unfortunately, there is one snag: on my laptop, GRUB boots into a shell prompt. Running set shows prefix is set to (hd0,gpt1)/efi/debian although it should be (hd0,gpt1)/efi/bunsenlabs. Boot continues normally after running the following command:

configfile (hd0,gpt1)/bunsenlabs/grub.cfg

If anyone has any idea how to fix this, I welcome any constructive suggestions.

Last edited by dumetrulo (2020-10-19 12:31:21)