mirimir

[SOLVED] Configuring LUKS and LVM2 on Raspbian wheezy

Sat Feb 28, 2015 6:19 am

I'm using a Raspberry Pi 2 Model B v1.1 with SanDisk 8GB microSDHC cards. My goal is a Raspbian Wheezy system with full-disk encryption, using dm-crypt/LUKS with LVM2 (for easy encryption of /swap, and even /boot). Using a standard approach, I've added dm-crypt/LUKS/LVM2 to the stock image. But I need help in configuring /boot etc. properly for decryption and mounting.

I apologize for the uncommented walls of commands. Once this is working, I'll be happy to write a more coherent how-to post. Anyway, the first step is to flash two microSDHC cards, and then to initialize and update them. One ("systemsd") will become the final system, and the other ("bootsd") will be used for working on it. The steps are the same for both. Using a Debian machine:

$ sudo umount /dev/sdb1
$ sudo dd bs=4M if=/home/user/Pi_Stuff/2015-02-16-raspbian-wheezy.img of=/dev/sdb
After booting the Pi, I expanded the image to fill the card, enabled SSH server, and changed the hostname (to "systemsd" and "bootsd" respectively). Then I updated and installed necessary packages:

$ sudo apt-get update
$ sudo apt-get dist-upgrade
$ sudo apt-get install cryptsetup
$ sudo apt-get install lvm2
$ sudo apt-get install dcfldd
$ sudo reboot
$ ifconfig
   => 192.168.1.104
$ ssh user@192.168.1.111
   => got in
$ sudo shutdown -hP now
Then I put "systemsd" in a USB adapter, and booted "bootsd". In the Pi:

$ sudo su
# mount /dev/sda2 /mnt
# rsync -aAXv --exclude={"/dev/*","/proc/*","/sys/*","/tmp/*","/run/*","/mnt/*","/media/*","/lost+found"} /mnt/ user@192.168.1.111:/home/user/Pi_Stuff/pione_backup/
# umount /mnt
On the backup box, prune pione_backup. Delete /boot (empty anyway) and move /home to a separate folder pione_backup_home. Back in the Pi:

# dcfldd if=/dev/urandom of=/dev/sda2
# cryptsetup --verbose luksFormat --verify-passphrase /dev/sda2
# cryptsetup luksOpen /dev/sda2 crypt
# service lvm2 start
# pvcreate /dev/mapper/crypt
# vgcreate cvg /dev/mapper/crypt
# lvcreate -L 500M cvg -n swap
# lvcreate -L 4G cvg -n root
# lvcreate -l +100%FREE cvg -n home
# mkswap -L swap /dev/mapper/cvg-swap
# mkfs.ext4 /dev/mapper/cvg-root
# mkfs.ext4 /dev/mapper/cvg-home
# mkdir /mnt/boot
# mkdir /mnt/root
# mkdir /mnt/home
# mount /dev/sda1 /mnt/boot
# umount /mnt/boot
# mount /dev/mapper/cvg-root /mnt/root
# mount /dev/mapper/cvg-home /mnt/home
# rsync -aAXv user@192.168.1.111:/home/user/Pi_Stuff/pione_backup/ /mnt/root/
# chown -R root:root /mnt/root
# rsync -aAXv user@192.168.1.111:/home/user/Pi_Stuff/pione_backup_home/ /mnt/home/
# umount /mnt/root
# umount /mnt/home
# service lvm2 stop
# shutdown -hP now
So, how do I configure /boot etc. properly for decryption and mounting? Also, how do I escape failed boot attempts without damaging the microSDHC card?
Last edited by mirimir on Mon Mar 16, 2015 7:05 pm, edited 1 time in total.

mirimir

Re: How do I configure /boot etc. properly for LUKS and LVM2

Tue Mar 03, 2015 2:54 am

I now have a working procedure for Raspbian wheezy. Although I've used dm-crypt/LUKS and LVM2 for years, I've always setup during installation, and have never needed to mess with the setup. Overall, I'm very impressed by the system's tendency to auto-configure, once basic parameters are specified.

Having a working initramfs is a key step. I've managed to brick two SD cards, by pulling the plug after they hung during bootup. But with initramfs, pulling the plug when hung doesn't seem to brick SD cards.

Working in Debian wheezy, write Raspbian wheezy image to 8 GB SanDisk Ultra microSDHC card "bootsd".

$ sudo umount /dev/sdb1
$ sudo dd bs=4M if=/home/user/Pi_Stuff/2015-02-16-raspbian-wheezy.img of=/dev/sdb
> powerup Pi
> expand image to fill SD card
> change password
> enable SSH server
> change hostname to "bootsd"
> let reboot
> login as pi

Install required packages, and update the firmware.

$ sudo passwd
$ sudo apt-get update
$ sudo apt-get dist-upgrade
$ sudo apt-get install cryptsetup
$ sudo apt-get install lvm2
$ sudo apt-get install dcfldd
$ sudo reboot
$ sudo rpi-update
   ... and let reboot
$ sudo shutdown -hP now
Working in Debian wheezy, write Raspbian image to 8 GB SanDisk Ultra microSDHC card "systemsd".

$ sudo umount /dev/sdb1
$ sudo dd bs=4M if=/home/user/Pi_Stuff/2015-02-16-raspbian-wheezy.img of=/dev/sdb
> powerup Pi
> expand image to fill SD card
> change password
> enable SSH server
> change hostname to "systemsd"
> let reboot
> login as pi

Set a root password (because you will need to login as root during the process) and install required packages.

$ sudo passwd
$ sudo apt-get update
$ sudo apt-get dist-upgrade
$ sudo apt-get install cryptsetup
$ sudo apt-get install lvm2
$ sudo apt-get install dcfldd
$ sudo reboot
Now create initramfs, enable in /boot/config.txt, and shutdown.

$ sudo mkinitramfs -o /boot/initramfs.gz
$ sudo nano /boot/config.txt
   ...
   initramfs initramfs.gz followkernel
$ sudo shutdown -hP now
Boot SD "bootsd" with SD "systemsd" in USB adapter, login as pi, and backup to a target computer on LAN.

$ sudo mount /dev/sda2 /mnt/usb
$ sudo rsync -aAXv --exclude={"/dev/*","/proc/*","/sys/*","/tmp/*","/run/*","/mnt/*","/media/*","/lost+found"} /mnt/usb/ user@192.168.1.111:/home/user/backup/root/
$ sudo umount /mnt/usb
Now tweak the backup on the target:

$ mv /home/user/backup/root/home /home/user/backup/home
$ mkdir /home/user/backup/root/home
Back on Pi, wipe the initial root partition. Then encrypt, and configure LVM2.

$ sudo dcfldd if=/dev/urandom of=/dev/sda2
$ sudo cryptsetup luksFormat --verify-passphrase /dev/sda2
$ sudo cryptsetup luksOpen /dev/sda2 crypt
$ sudo service lvm2 start
$ sudo pvcreate /dev/mapper/crypt
$ sudo vgcreate cvg /dev/mapper/crypt
$ sudo lvcreate -L 500M cvg -n swap
$ sudo lvcreate -L 4G cvg -n root
$ sudo lvcreate -l +100%FREE cvg -n home
Now setup logical volumes, create mount points, and mount them.

$ sudo mkswap -L swap /dev/mapper/cvg-swap
$ sudo mkfs.ext4 /dev/mapper/cvg-root
$ sudo mkfs.ext4 /dev/mapper/cvg-home
$ sudo mkdir /mnt/boot
$ sudo mkdir /mnt/root
$ sudo mkdir /mnt/home
$ sudo mount /dev/sda1 /mnt/boot
$ sudo mount /dev/mapper/cvg-root /mnt/root
$ sudo mount /dev/mapper/cvg-home /mnt/home
Then restore from the backup.

$ sudo rsync -aAXv user@192.168.1.111:/home/user/backup/home/ /mnt/home/
$ sudo rsync -aAXv user@192.168.1.111:/home/user/backup/root/ /mnt/root/
$ sudo chown -R root:root /mnt/root
Now tweak cmdline.txt, fstab (crudely, for now) and crypttab (which is tab-delimited).

$ sudo nano /mnt/boot/cmdline.txt
   change root=/dev/mmcblk0p2 to root=/dev/mapper/cvg-root
   add cryptdevice=/dev/mmcblk0p2:crypt
$ sudo nano /mnt/root/etc/fstab
   change /dev/mmcblk0p2 to /dev/mapper/crypt
$ sudo nano /mnt/root/etc/crypttab
   crypt	/dev/mmcblk0p2	none	luks
Unmount stuff and shutdown.

$ sudo umount /mnt/boot
$ sudo umount /mnt/root
$ sudo umount /mnt/home
$ sudo service lvm2 stop
$ sudo shutdown -hP now
Now boot SD "systemsd" and fix stuff. The first boot will fail, and you will drop into (initramfs).

(initramfs) cryptsetup luksOpen /dev/mmcblk0p2 crypt
(initramfs) lvm
   lvm> lvscan
      inactive           '/dev/cvg/swap' [500.00 MiB] inherit
      inactive           '/dev/cvg/root' [4.00 GiB] inherit
      inactive           '/dev/cvg/home' [2.85 GiB] inherit
   lvm> lvs
      LV   VG   Attr     LSize   Pool Origin Data%  Move Log Copy%  Convert
      home cvg  -wi-----   2.85g
      root cvg  -wi-----   4.00g
      swap cvg  -wi----- 500.00m
You need to activate the logical volumes, because they weren't mounted from fstab.

   lvm> vgchange -a y
      3 logical volume(s) in volume group "cvg" now active
   lvm> lvscan
      ACTIVE            '/dev/cvg/swap' [500.00 MiB] inherit
      ACTIVE            '/dev/cvg/root' [4.00 GiB] inherit
      ACTIVE            '/dev/cvg/home' [2.85 GiB] inherit
   lvm> lvs
      LV   VG   Attr     LSize   Pool Origin Data%  Move Log Copy%  Convert
      home cvg  -wi-a---   2.85g
      root cvg  -wi-a---   4.00g
      swap cvg  -wi-a--- 500.00m
   lvm> quit
      Exiting.
(initramfs) exit
After the system finishes booting, login as root, fix fstab, and rewrite initramfs.

# nano /etc/fstab
   proc                  /proc       proc    defaults          0        0
   /dev/mmcblk0p1        /boot       vfat    defaults          0        0
   /dev/mapper/cvg-root  /           ext4    defaults,noatime  0        1
   /dev/mapper/cvg-home  /home       ext4    defaults          0        2
   /dev/mapper/cvg-swap  none        swap    sw                0        0
# mkinitramfs -o /boot/initramfs.gz
You need to remove and reinstall sudo, in order to fix a setuid glitch introduced by the process.

# apt-get remove sudo
# apt-get install sudo
# reboot
Now confirm that the logical volumes are active, and that all filesystems have been mounted.

# lvm
   lvm> lvs
      LV   VG   Attr     LSize   Pool Origin Data%  Move Log Copy%  Convert
      home cvg  -wi-ao--   2.85g
      root cvg  -wi-ao--   4.00g
      swap cvg  -wi-ao-- 500.00m
   lvm> quit
# df -ah
   Filesystem            Size  Used Avail Use% Mounted on
   rootfs                3.9G  2.5G  1.2G  68% /
   sysfs                    0     0     0    - /sys
   proc                     0     0     0    - /proc
   udev                   10M     0   10M   0% /dev
   devpts                   0     0     0    - /dev/pts
   tmpfs                  93M  244K   93M   1% /run
   /dev/mapper/cvg-root  3.9G  2.5G  1.2G  68% /
   tmpfs                 5.0M     0  5.0M   0% /run/lock
   tmpfs                 186M     0  186M   0% /run/shm
   /dev/mmcblk0p1         56M   20M   37M  36% /boot
   /dev/mapper/cvg-home  2.8G  6.1M  2.6G   1% /home
# exit
Login as pi, and make sure that sudo works.

$ sudo su
# shutdown -hP now
That's it. You are done.
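
The cmdline.txt, crypttab and fstab edits in the procedure above, collected into a script with a consistency check, as an added example. This is the editor's code, not mirimir's; it assumes the systemsd partitions are mounted at the two directories passed in (/mnt/boot and /mnt/root in the post) and uses the thread's device and volume names (/dev/mmcblk0p1, /dev/mmcblk0p2, mapping "crypt", volume group "cvg"). It keeps the post's cryptdevice= kernel parameter for parity, but note that Debian's initramfs-tools does not read that parameter (it is the Arch mkinitcpio spelling); its cryptroot hook takes the root container from /etc/crypttab at the time the initramfs is built. That is why the image has to be regenerated from inside the target system (chroot into it, or boot it as the post does) after crypttab is written; running update-initramfs on bootsd only rebuilds bootsd's own image.

```sh
#!/bin/sh
# Added example (editor's, not from the thread): write and sanity-check the
# three files that tie the encrypted root together on the target card:
#   BOOT_DIR/cmdline.txt, ROOT_DIR/etc/crypttab and ROOT_DIR/etc/fstab
# BOOT_DIR and ROOT_DIR are assumed to be the mounted systemsd partitions
# (/mnt/boot and /mnt/root in the post). Device and volume names are the
# thread's: /dev/mmcblk0p1 (boot), /dev/mmcblk0p2 (LUKS), mapping "crypt",
# volume group "cvg" with LVs root, home and swap.

# configure_cryptroot BOOT_DIR ROOT_DIR BOOT_DEV LUKS_DEV MAPPER VG
configure_cryptroot() {
    boot_dir=$1; root_dir=$2; boot_dev=$3; luks_dev=$4; mapper=$5; vg=$6
    cmdline="$boot_dir/cmdline.txt"
    root_lv="/dev/mapper/${vg}-root"

    # cmdline.txt is one line of kernel parameters: swap the root= token for
    # the root LV and append cryptdevice=SRC:NAME (the post's spelling) only
    # if it is not already there, so running this twice changes nothing.
    tmp=$(mktemp)
    sed -e "s#root=[^ ]*#root=${root_lv}#" \
        -e "/cryptdevice=/!s#\$# cryptdevice=${luks_dev}:${mapper}#" \
        "$cmdline" > "$tmp" && mv "$tmp" "$cmdline"

    mkdir -p "$root_dir/etc"
    # crypttab: target, source, keyfile, options; tab-separated as the post notes
    printf '%s\t%s\t%s\t%s\n' "$mapper" "$luks_dev" none luks \
        > "$root_dir/etc/crypttab"

    # fstab: only /boot stays on the plain card; everything else is an LV
    # inside the LUKS container
    fmt='%-24s %-6s %-5s %-18s %s %s\n'
    {
        printf "$fmt" proc /proc proc defaults 0 0
        printf "$fmt" "$boot_dev" /boot vfat defaults 0 2
        printf "$fmt" "$root_lv" / ext4 defaults,noatime 0 1
        printf "$fmt" "/dev/mapper/${vg}-home" /home ext4 defaults 0 2
        printf "$fmt" "/dev/mapper/${vg}-swap" none swap sw 0 0
    } > "$root_dir/etc/fstab"
}

# check_cryptroot BOOT_DIR ROOT_DIR  -> 0 if the three files agree, 1 otherwise
check_cryptroot() {
    boot_dir=$1; root_dir=$2
    cmdline="$boot_dir/cmdline.txt"
    crypttab="$root_dir/etc/crypttab"
    fstab="$root_dir/etc/fstab"
    rc=0

    # the firmware reads cmdline.txt as a single line with exactly one root=
    nlines=$(awk 'END { print NR }' "$cmdline")
    [ "$nlines" -eq 1 ] || { echo "cmdline.txt: $nlines lines, expected 1"; rc=1; }
    nroot=$(tr ' ' '\n' < "$cmdline" | grep -c '^root=')
    [ "$nroot" -eq 1 ] || { echo "cmdline.txt: $nroot root= tokens, expected 1"; rc=1; }
    root_dev=$(tr ' ' '\n' < "$cmdline" | sed -n 's/^root=//p')

    # what the kernel is told to mount as / must be what fstab mounts on /
    fstab_root=$(awk '$1 !~ /^#/ && $2 == "/" { print $1 }' "$fstab")
    [ "$fstab_root" = "$root_dev" ] ||
        { echo "fstab mounts / from '$fstab_root', cmdline says root=$root_dev"; rc=1; }

    # crypttab: one entry, four tab-separated fields (spaces are the usual slip)
    entry=$(grep -v -e '^#' -e '^$' "$crypttab")
    nfields=$(printf '%s\n' "$entry" | awk -F'\t' 'NR == 1 { print NF }')
    [ "${nfields:-0}" -eq 4 ] ||
        { echo "crypttab: ${nfields:-0} tab-separated fields, expected 4"; rc=1; }
    ct_name=$(printf '%s\n' "$entry" | cut -f1)
    ct_src=$(printf '%s\n' "$entry" | cut -f2)

    # if cmdline carries cryptdevice=SRC:NAME (as the post adds), it must agree
    # with crypttab, or the two descriptions of the container diverge silently
    cdev=$(tr ' ' '\n' < "$cmdline" | sed -n 's/^cryptdevice=//p')
    if [ -n "$cdev" ] && [ "$cdev" != "${ct_src}:${ct_name}" ]; then
        echo "cmdline cryptdevice=$cdev but crypttab says ${ct_src}:${ct_name}"; rc=1
    fi
    return $rc
}

# Usage on the Pi booted from bootsd, with systemsd mounted as in the post:
#   configure_cryptroot /mnt/boot /mnt/root /dev/mmcblk0p1 /dev/mmcblk0p2 crypt cvg
#   check_cryptroot /mnt/boot /mnt/root && echo "config consistent"
```

Run the check before unmounting and before rebuilding the initramfs; it catches the "crude" first fstab from the post (root mounted from /dev/mapper/crypt instead of the root LV) and a crypttab typed with spaces, both of which otherwise only show up as a failed boot.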

Korbin

Re: How do I configure /boot etc. properly for LUKS and LVM2

Sun Mar 15, 2015 2:09 am

Howdy Mirimir! Thanks a million for this detailed writeup. I'm trying to adapt it to my own use case, which unfortunately isn't going too well. Rather than use Raspbian, I want to try to create an encrypted LVM on my RPi 2 using Ryan Finnie's Ubuntu 14.04 image that's floating around. Following your guide as closely as I can, everything works great until I get to the step where it's time to boot into the "systemsd" card after creating the encrypted LVM. You note that the first boot after that should fail to initramfs where you can proceed to make config tweaks. In my case, boot does fail as expected but not into initramfs. Instead, mine gets stuck at "sd 0:0:0:0: [sda] Attached SCSI removable disk" - that's the last thing that displays aside from a message about the entropy pool being initialized. I know my volumes are good because I can mount them without any trouble if I switch back to booting with the "bootsd" card and hang "systemsd" off an external reader.

Do you have any suggestions on where I might go from here? I've been scouring the Interwebs for insights but so far I haven't found anyone who's trying to run whole disk encryption with the Ubuntu 14.04 image like I am. This is new territory for me so any advice would be greatly appreciated!

mirimir

Re: How do I configure /boot etc. properly for LUKS and LVM2

Sun Mar 15, 2015 5:08 pm

Bummer :(

When booted with bootsd, and systemsd /boot mounted on /mnt/boot, what do these report?

$ ls /mnt/boot/initramfs.gz
$ cat /mnt/boot/config.txt | less

I am planning to work with Ubuntu 14.10, because I want to test a deterministic build of Tor Browser from <https://git.torproject.org/builders/tor ... bundle.git>, which depends on Ubuntu and Gitian. I've considered wintrmute's Ubuntu 14.10 / Linaro 15.01 image <http://www.raspberrypi.org/forums/viewt ... 56&t=98997> and the Canonical image <https://wiki.ubuntu.com/ARM/RaspberryPi> which I gather is Ryan Finnie's.

I haven't yet delved into the differences between them, and determined (or guessed) which might be better for the task. But whichever I go with, I will first be encrypting with LUKS.

So far, by the way, I have managed to build the browser component of Tor Browser in Raspbian wheezy using <https://trac.torproject.org/projects/to ... er/Hacking> and combined it with standard Tor Browser for Linux.

Korbin

Re: How do I configure /boot etc. properly for LUKS and LVM2

Sun Mar 15, 2015 11:58 pm

I'm starting to think there may be differences in the way the Wheezy image you used and the Trusty image I'm using are laid out as far as booting / partitions, etc. In the unmodified Trusty image, /dev/mmcblk0p1 is mounted as "/boot/firmware". Is that relevant at all?

mmcblk0               179:0    0   7.4G  0 disk
|-mmcblk0p1           179:1    0    64M  0 part  /boot/firmware
`-mmcblk0p2           179:2    0   1.7G  0 part  /
Anyway, as requested here's the output of /mnt/boot (/dev/sda1 while booted via "bootsd"):

root@bootsd:~# ls -al /mnt/boot/initramfs.gz
-rwxr-xr-x 1 root root 6452543 Mar 15 23:08 /mnt/boot/initramfs.gz
And the contents of /mnt/boot/config.txt:

root@bootsd:~# cat /mnt/boot/config.txt
# For more options and information see
# http://www.raspberrypi.org/documentation/configuration/config-txt.md
# Some settings may impact device functionality. See link above for details

# uncomment if you get no picture on HDMI for a default "safe" mode
#hdmi_safe=1

# uncomment this if your display has a black border of unused pixels visible
# and your display can output without overscan
#disable_overscan=1

# uncomment the following to adjust overscan. Use positive numbers if console
# goes off screen, and negative if there is too much border
#overscan_left=16
#overscan_right=16
#overscan_top=16
#overscan_bottom=16

# uncomment to force a console size. By default it will be display's size minus
# overscan.
#framebuffer_width=1280
#framebuffer_height=720

# uncomment if hdmi display is not detected and composite is being output
#hdmi_force_hotplug=1

# uncomment to force a specific HDMI mode (this will force VGA)
#hdmi_group=1
#hdmi_mode=1

# uncomment to force a HDMI mode rather than DVI. This can make audio work in
# DMT (computer monitor) modes
#hdmi_drive=2

# uncomment to increase signal to HDMI, if you have interference, blanking, or
# no display
#config_hdmi_boost=4

# uncomment for composite PAL
#sdtv_mode=2

#uncomment to overclock the arm. 700 MHz is the default.
#arm_freq=800

initramfs initramfs.gz followkernel
So after a bit of tinkering, my RPi is finally failing to initramfs (hooray!). However, once I get dumped into the initramfs prompt, I have no keyboard. The RPi isn't frozen because if you wait long enough, the entropy pool message appears. Also, just to confirm it wasn't my USB keyboard, I plugged in another and a message popped up saying it had been detected. Unfortunately I still couldn't input anything. When I unplugged the new keyboard another message popped up noting it had been removed.

I'm happy to hear you're considering using an Ubuntu image for your upcoming project. With your knowledge and experience, I'm sure you'll have a much easier time getting it to work with LUKS than I am. But, I'm not giving up - I'm determined to learn how this stuff all fits together!

--

mirimir

Re: How do I configure /boot etc. properly for LUKS and LVM2

Mon Mar 16, 2015 5:30 am

Your keyboard isn't working in (initramfs) because the USB keyboard drivers aren't being loaded. This is a classic bug. See <https://wiki.debian.org/Keyboard#How_to ... _initramfs>. But I don't know why it's happening in Ubuntu but not in Debian. Anyway, you can try the recommended fix.

Boot with bootsd, and mount /boot. Then:

$ sudo nano /etc/initramfs-tools/modules
........
usbcore
uhci_hcd
ehci_hcd
usbhid
........
$ sudo update-initramfs -u
Also, maybe /etc/fstab should look like

..........................................................................
proc                  /proc           proc    defaults          0        0
/dev/mmcblk0p1        /boot/firmware  vfat    defaults          0        2
/dev/mapper/cvg-root  /               ext4    defaults,noatime  0        1
/dev/mapper/cvg-home  /home           ext4    defaults          0        2
/dev/mapper/cvg-swap  none            swap    sw                0        0
..........................................................................
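
Listing modules in /etc/initramfs-tools/modules is the usual fix, but the only way to know whether the image you are about to boot really contains them is to look inside it. The following is an added example (the editor's code, not mirimir's or Korbin's): it checks the output of lsinitramfs, which ships with initramfs-tools on Debian and Ubuntu, for the binaries and modules the (initramfs) stage needs to unlock LUKS, activate LVM and take input from a USB keyboard. The bin:/mod: spec syntax and the CRYPTROOT_SPECS list are this example's own; the list assumes dm_crypt, usbhid and hid_generic are modules on the target kernel. Anything compiled into that kernel never appears in the listing and is not needed there, so drop any spec that shows up in the target's /lib/modules/<version>/modules.builtin before trusting a "missing" report.

```sh
#!/bin/sh
# Added example (editor's, not from the thread): before rebooting into the
# encrypted card, confirm that the initramfs you are about to boot carries
# the userland and kernel modules the (initramfs) stage will need. Feed it
# a file holding the output of lsinitramfs (from initramfs-tools), e.g.
#   lsinitramfs /mnt/boot/initramfs.gz > /tmp/listing
# Each spec is bin:NAME (a binary under bin/ or sbin/) or mod:NAME (a kernel
# module; hid_generic and hid-generic are treated as the same name). Modules
# built into the target kernel never appear in the listing and must be left
# off the list; /lib/modules/<version>/modules.builtin on the target says
# which those are.

# check_initramfs_listing LISTING SPEC...  -> 0 if all present, 1 otherwise
check_initramfs_listing() {
    listing=$1; shift
    missing=""
    for spec in "$@"; do
        kind=${spec%%:*}
        name=${spec#*:}
        case $kind in
            # a binary must sit in a bin/ or sbin/ directory; a bare "lvm"
            # match would also hit the etc/lvm directory the lvm2 hook copies
            bin) pat="(^|/)s?bin/${name}\$" ;;
            # module files use dashes where lsmod shows underscores, and
            # may be compressed on newer distributions
            mod) m=$(printf '%s' "$name" | sed 's/_/[-_]/g')
                 pat="/${m}\\.ko(\\.[gx]z)?\$" ;;
            *)   echo "bad spec: $spec" >&2; return 2 ;;
        esac
        grep -q -E -- "$pat" "$listing" || missing="$missing $spec"
    done
    if [ -n "$missing" ]; then
        echo "missing from initramfs:$missing" >&2
        return 1
    fi
    return 0
}

# What an encrypted-root boot with a USB keyboard at the prompt needs
# (assumption: these are modules, not built-ins, on the target kernel).
CRYPTROOT_SPECS="bin:cryptsetup bin:lvm mod:dm_crypt mod:usbhid mod:hid_generic"

# Usage, booted from bootsd with systemsd's /boot on /mnt/boot:
#   lsinitramfs /mnt/boot/initramfs.gz > /tmp/listing
#   check_initramfs_listing /tmp/listing $CRYPTROOT_SPECS && echo "initramfs complete"
```

If a mod: spec is reported missing, add the module name to /etc/initramfs-tools/modules on the target system, rebuild the image from inside that system, and run the check again on the new image rather than rebooting to find out.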

Korbin

Re: [SOLVED] Configuring LUKS and LVM2 on Raspbian wheezy

Mon Mar 16, 2015 11:14 pm

Well, I still don't have keyboard but I'm definitely making progress. I'm now being prompted for my passphrase by cryptsetup during bootup. I can't type anything in though so I don't know how close I am to the finish line but I definitely feel like I'm getting there. My initramfs config is set to "MODULES=most" so it should already include the USB keyboard stuff but no joy. I also tried listing the four modules manually in my /etc/initramfs-tools/modules file as you and the Debian wiki entry you linked to recommended but that still doesn't seem to get me keyboard access.

I think I may start over from scratch just to confirm I haven't fat-fingered something along the way. It's good practice anyway. :lol:

--

mirimir

Re: [SOLVED] Configuring LUKS and LVM2 on Raspbian wheezy

Mon Mar 16, 2015 11:52 pm

Hey, progress :)

If there were some way to attach a PS/2 keyboard, it would work. Maybe a PS/2-to-USB adapter?

Korbin

Re: [SOLVED] Configuring LUKS and LVM2 on Raspbian wheezy

Mon Mar 16, 2015 11:59 pm

Woo hoo, further progress! I found other initramfs modules I was missing:

hid
usbhid
hid_generic
ohci_pci
After adding those to my modules file and generating a new initramfs, I now have keyboard. And... I'm able to successfully unlock my encrypted LVM! I get a kernel panic shortly after that but hey, progress is progress. I'm attaching a pic of my screen (apologies for the potato quality but max file size here is 64KB). It looks like I still have some detective work to do.

--
Attachment: IMG_20150316_193310_resized2.jpg


Korbin

Re: [SOLVED] Configuring LUKS and LVM2 on Raspbian wheezy

Wed Mar 18, 2015 2:42 am

Just a quick update before bed - I'm still hacking away on this in my spare time. This evening I started over from scratch and decided to leave out the LUKS stuff so I could see if plain old LVM would work with the Ubuntu image. I'm finally failing into the initramfs as outlined in your guide and I can successfully mount the volumes by hand, but as soon as I exit the initramfs I'm back to getting a kernel panic. This one is complaining about not being able to mount /dev on /root/dev because of too many levels of symbolic links. I have a funny feeling this is somehow related to the backing up and restoring of the root partition step of the procedure, but it's hard to say for certain. Oh well, if nothing else I'm having fun learning about all this stuff I've always taken for granted by letting the installer do all the dirty work for me. :D

--

mirimir

Re: [SOLVED] Configuring LUKS and LVM2 on Raspbian wheezy

Wed Mar 18, 2015 5:58 am

Maybe it would be useful to have a go using the Raspbian wheezy image. Or if you're set on Ubuntu, try wintrmute's Ubuntu 14.10 / Linaro 15.01 image <http://www.raspberrypi.org/forums/viewt ... 56&t=98997>.

I've also depended on installers for this stuff, and doing it by hand has been very educational. And occasionally very frustrating ;) Plus I'm a total n00b around SD cards. But hey :D

spacebug

Re: [SOLVED] Configuring LUKS and LVM2 on Raspbian wheezy

Mon Jul 18, 2016 7:50 pm

I'm trying to get this to work using Debian for Raspberry Pi 2 from http://sjoerd.luon.net/posts/2015/02/de ... e-on-rpi2/
So it's not Raspbian.

Anyhow, I'm getting stuck when trying to boot systemsd, where I should come to the initramfs prompt.
I never get there.
I have no keyboard loaded, it seems (as people have talked about here).
The system also is not frozen, because after some time I also get the message about the random pool being initialized.

I'm also not really getting some of your instructions. Sometimes when you mount /boot and then run update-initramfs, don't you need to chroot first? Otherwise the change will be to bootsd, not systemsd, which is mounted.
