#1 2020-10-18 19:35:43


Install Lithium with full disk encryption (no unencrypted /boot)

---  Moved from "Basic Help & Support".  Please note the question at the end...  ---

Edit: added some clarifications, and fixed a typo.

After a lot of trying and retrying, I was able to install Lithium on an encrypted partition with no extra unencrypted /boot partition. This was done on a Dell Latitude E7450 with 256GB SSD and 12GB RAM. To follow this guide, you need a similar machine with UEFI, the BunsenLabs Lithium live USB drive, and another USB drive with at least 2GB of free space.

Here's a rundown:

  1. Boot the BunsenLabs installer. Once the installer has launched, switch to a console with Ctrl-Alt-F2, press Enter to activate the console, and run the command:

    blkdiscard /dev/sda
  2. Switch back to the installer with Ctrl-Alt-F5, and perform a guided installation with encryption and LVM. This should create partitions /dev/sda1 for EFI, /dev/sda2 for /boot, and /dev/sda3 for the crypto container; inside that, create a volume group named vg0, one LV for swap named swap, and another for the file system named root.

  3. After the installation is done, boot into it, run through the Welcome script, and perform first customizations.

  4. Boot back into the live system, and make a backup. Example: plug in a USB stick with at least 2GB of free space; let's say it's labeled backup, and run the following commands:

    cryptsetup open /dev/sda3 sysroot0
    mount -o ro /dev/mapper/vg0-root /mnt
    ( cd /mnt;tar -c --numeric-owner --sort=name .|xz -9 >/media/live/backup/lithium-install.txz )
    umount /mnt
  5. Delete the just installed system, and create the basis for redoing it. Personally, I like my system just so, so perhaps some of the choices feel slightly weird. However, the gist is to create an EFI partition (380MB), a LUKS partition (238GB), and inside that create a volume group named vg0, one LV for root (221.99GB) named root, and another for swap (16GB) named swap:

    blkdiscard /dev/sda
    sfdisk /dev/sda <<EOF
    label: gpt
    label-id: 38FA7916-ADB7-4640-9CD0-7EFF5F6FC99A
    device: /dev/sda
    unit: sectors
    first-lba: 2048
    last-lba: 500118158
    /dev/sda1 : start=        8192, size=      778240, type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B, uuid=45635A8E-00C9-7142-8C49-C89FD9576256
    /dev/sda2 : start=      786432, size=   499122176, type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, uuid=E1397C7A-53F6-CD49-9AD2-7CDCA9634C01
    EOF
    # Using mtools to format EFI but you can use mkdosfs as well
    mformat -v EFI -F -N 0xef -H 8192 -R 560 -i /dev/sda1 ::
    mmd -i /dev/sda1 ::efi
    shred -n 1 /dev/sda2
    cryptsetup luksFormat -M luks1 --align-payload=8192 /dev/sda2
    cryptsetup open /dev/sda2 sysroot0
    pvcreate --dataalignment 4096k /dev/mapper/sysroot0
    vgcreate vg0 /dev/mapper/sysroot0
    lvcreate --name root -L 227320M vg0
    lvcreate --name swap -L 16G vg0
    mkswap /dev/mapper/vg0-swap
    mkfs.btrfs -K -f /dev/mapper/vg0-root
  6. Now you have encrypted root (btrfs) and swap file systems. To segregate data a bit, and prepare for taking snapshots easily, create some subvolumes:

    mount -o rw,noatime,ssd,space_cache,commit=360,compress=zstd /dev/mapper/vg0-root /mnt
    for i in root snap home var;do btrfs subvolume create /mnt/@$i;done
    btrfs subvolume list /mnt
    # Find the id of subvolume @root, and use it in the next command
    btrfs subvolume set-default 257 /mnt
    umount /mnt
  7. Finally, mount everything, and restore the backup:

    mount -o rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=@root /dev/mapper/vg0-root /mnt
    for i in .snapshots .toplevel home var boot/efi;do mkdir -p /mnt/$i;done
    mount -o rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=@snap /dev/mapper/vg0-root /mnt/.snapshots
    mount -o rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=/ /dev/mapper/vg0-root /mnt/.toplevel
    mount -o rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=@home /dev/mapper/vg0-root /mnt/home
    mount -o rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=@var /dev/mapper/vg0-root /mnt/var
    mount -o rw,noatime,umask=0077,utf8 /dev/sda1 /mnt/boot/efi
    ( cd /mnt;xzcat /media/live/backup/lithium-install.txz|tar -x )
    umount /mnt/boot/efi /mnt/var /mnt/home /mnt/.toplevel /mnt/.snapshots /mnt
  8. As the original install was for three partitions with /boot outside of encryption, you'll have to do some adjustments. For that, boot to the installer again, and go through its screens until you get to the partitioning. Then switch to a console with Ctrl-Alt-F2, press Enter to activate it, and use the following commands:

    anna-install cryptsetup-udeb partman-crypto-dm crypto-dm-modules crypto-modules
    depmod -a
    cryptsetup open /dev/sda2 sysroot0
    vgscan;vgs;vgchange -a y vg0;lvs
    mkdir /tgt
    mount -t btrfs -o rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=@root /dev/mapper/vg0-root /tgt
    mount -t btrfs -o rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=@snap /dev/mapper/vg0-root /tgt/.snapshots
    mount -t btrfs -o rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=/ /dev/mapper/vg0-root /tgt/.toplevel
    mount -t btrfs -o rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=@home /dev/mapper/vg0-root /tgt/home
    mount -t btrfs -o rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=@var /dev/mapper/vg0-root /tgt/var
    mount -t vfat -o rw,noatime,utf8 /dev/sda1 /tgt/boot/efi
    mount -t efivarfs -o rw efivarfs /sys/firmware/efi/efivars
    chmod 1777 /tmp
    for i in dev dev/pts proc run sys sys/firmware/efi/efivars tmp;do mount -o bind /$i /tgt/$i;done
    chroot /tgt /bin/bash
  9. Now you are 'in' the new system. Fix /etc/fstab, /etc/crypttab, /etc/default/grub:

    cat >/etc/fstab <<EOF
    UUID=43f0d5ba-99d5-4a5b-afc1-ebd7d346a0c7 none swap sw 0 0
    UUID=bc0ac0f8-0292-489e-9c2a-5997c9a695de / btrfs rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=@root 0 0
    UUID=bc0ac0f8-0292-489e-9c2a-5997c9a695de /.toplevel btrfs rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=/ 0 0
    UUID=bc0ac0f8-0292-489e-9c2a-5997c9a695de /.snapshots btrfs rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=@snap 0 0
    UUID=bc0ac0f8-0292-489e-9c2a-5997c9a695de /home btrfs rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=@home 0 0
    UUID=bc0ac0f8-0292-489e-9c2a-5997c9a695de /var btrfs rw,noatime,ssd,space_cache,commit=360,compress=zstd,subvol=@var 0 0
    UUID=0000-00EF /boot/efi vfat rw,noatime,umask=0077,utf8 0 1
    tmpfs /tmp tmpfs rw,noatime,nodev,nosuid,size=66% 0 0
    EOF
    echo 'sysroot0 UUID=6dd42f4a-a585-4cf8-a24e-35c9194c1882 /boot/keys/sysroot0.key luks,key-slot=1' >/etc/crypttab
    echo 'GRUB_ENABLE_CRYPTODISK=y' >>/etc/default/grub
  10. Add a key to the crypto volume so you don't have to enter the passphrase twice at boot, and update the initramfs:

    ( umask 0077;mkdir /boot/keys;dd if=/dev/urandom of=/boot/keys/sysroot0.key bs=64 count=1 )
    cryptsetup luksAddKey /dev/sda2 /boot/keys/sysroot0.key
    echo 'KEYFILE_PATTERN="/boot/keys/*.key"' >>/etc/cryptsetup-initramfs/conf-hook
    echo 'UMASK=0077' >>/etc/initramfs-tools/initramfs.conf
    echo 'RESUME=UUID=43f0d5ba-99d5-4a5b-afc1-ebd7d346a0c7' >/etc/initramfs-tools/conf.d/resume
    update-initramfs -u
  11. The GRUB that comes with Lithium is too old to boot from a btrfs volume using zstd compression. Add bullseye (testing) to apt sources, and install the newer GRUB version from there:

    echo 'APT::Default-Release "buster";' >/etc/apt/apt.conf.d/10defaultrelease
    cat >/etc/apt/sources.list <<EOF
    deb buster main non-free contrib
    deb-src buster main non-free contrib
    ## Debian security updates
    deb buster/updates main contrib non-free
    # buster-updates, previously known as 'volatile'
    deb buster-updates main contrib non-free
    deb-src buster-updates main contrib non-free
    EOF
    echo 'deb bullseye main contrib non-free' >/etc/apt/sources.list.d/debian-bullseye.list
    echo 'deb-src bullseye main contrib non-free' >>/etc/apt/sources.list.d/debian-bullseye.list
    printf 'Package: *\nPin: release a=buster\nPin-Priority: 900\n' >/etc/apt/preferences.d/buster.pref
    printf 'Package: *\nPin: release a=bullseye\nPin-Priority: 400\n' >/etc/apt/preferences.d/bullseye.pref
    apt update
    apt install --reinstall grub-common/testing grub-efi-amd64/testing grub-efi-amd64-bin/testing grub-efi-amd64-signed/testing grub2-common/testing
    grub-install /dev/sda
  12. Almost done, just clean up:

    for i in tmp sys/firmware/efi/efivars sys run proc dev/pts dev boot/efi var home .toplevel .snapshots '';do umount /tgt/$i;done
  13. Switch to the installer with Ctrl-Alt-F5, abort the installation, and reboot.

Unfortunately, there is one snag: on my laptop, GRUB boots into a shell prompt. Running set shows prefix is set to (hd0,gpt1)/efi/debian although it should be (hd0,gpt1)/efi/bunsenlabs. Boot continues normally after running the following command:

    configfile (hd0,gpt1)/bunsenlabs/grub.cfg

If anyone has any idea how to fix this, I welcome any constructive suggestions.

Last edited by dumetrulo (2020-10-19 12:31:21)
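As an added example that is not part of the original post: a POSIX shell audit of the files edited in steps 9 and 10 above, so you can confirm on the finished install that /boot really has no unencrypted mount of its own, that the LUKS key file sits on the encrypted root rather than the FAT EFI partition, and that the initramfs that embeds it is built root-only. The names fde_audit and make_sample are chosen here, and the sample trees are constructed to mirror the post's configuration with shortened UUIDs.

```shell
#!/bin/sh
# Added example, not code from the original post. fde_audit ROOT checks the
# step-9/10 files under ROOT; run "fde_audit /" as root on the installed system.
fde_audit() {
    root=${1%/}; fails=0
    # A separate /boot mount would put the kernel and the initramfs (which
    # carries the LUKS key file) outside the encrypted volume.
    if awk '$1 !~ /^#/ && $2 == "/boot"' "$root/etc/fstab" | grep -q .; then
        echo "FAIL: /boot is a separate mount in fstab"; fails=$((fails + 1)); fi
    # The crypttab key file must live on the encrypted root, not on /boot/efi.
    key=$(awk '$1 !~ /^#/ {print $3; exit}' "$root/etc/crypttab")
    case $key in
        /boot/efi/*|none|"") echo "FAIL: key file '$key' not on encrypted root"; fails=$((fails + 1)) ;;
    esac
    # The key file itself must be readable by root only (mode 0600).
    if [ -n "$key" ] && [ -e "$root$key" ]; then
        perms=$(ls -ld "$root$key" | cut -c1-10)
        [ "$perms" = "-rw-------" ] || { echo "FAIL: key file mode $perms"; fails=$((fails + 1)); }
    fi
    # The initramfs embeds the key, so it must be built with UMASK=0077, and
    # the cryptsetup hook must be told which key files to copy in.
    grep -qx 'UMASK=0077' "$root/etc/initramfs-tools/initramfs.conf" \
        || { echo "FAIL: UMASK=0077 missing from initramfs.conf"; fails=$((fails + 1)); }
    grep -q '^KEYFILE_PATTERN=' "$root/etc/cryptsetup-initramfs/conf-hook" \
        || { echo "FAIL: KEYFILE_PATTERN missing from conf-hook"; fails=$((fails + 1)); }
    # GRUB can only read /boot from inside LUKS if cryptodisk support is on.
    grep -qx 'GRUB_ENABLE_CRYPTODISK=y' "$root/etc/default/grub" \
        || { echo "FAIL: GRUB_ENABLE_CRYPTODISK=y missing"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample trees (not a real install): "good" mirrors steps 9-10,
# "bad" puts the key on the EFI partition and leaves out UMASK=0077.
make_sample() {   # make_sample DIR good|bad
    d=$1; mkdir -p "$d/etc/initramfs-tools" "$d/etc/cryptsetup-initramfs" "$d/etc/default" "$d/boot/keys" "$d/boot/efi"
    printf 'UUID=bc0ac0f8 / btrfs rw,noatime,subvol=@root 0 0\nUUID=0000-00EF /boot/efi vfat rw,umask=0077 0 1\n' >"$d/etc/fstab"
    if [ "$2" = good ]; then kp=/boot/keys/sysroot0.key; echo UMASK=0077 >"$d/etc/initramfs-tools/initramfs.conf"
    else kp=/boot/efi/sysroot0.key; : >"$d/etc/initramfs-tools/initramfs.conf"; fi
    echo "sysroot0 UUID=6dd42f4a $kp luks,key-slot=1" >"$d/etc/crypttab"
    ( umask 0077; head -c 64 /dev/urandom >"$d$kp" )
    echo 'KEYFILE_PATTERN="/boot/keys/*.key"' >"$d/etc/cryptsetup-initramfs/conf-hook"
    echo GRUB_ENABLE_CRYPTODISK=y >"$d/etc/default/grub"
}
```

The exit status is the number of failed checks, so the "good" tree returns 0 and the "bad" tree returns 2.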
