Installing Slackware64 14.1 with LVM/Luks Encryption.

by intox

Last Edited: June 23, 2015

A couple of people have requested this, and the documentation can be a little confusing, so I figured I’d write this up. I’ll assume some basic familiarity with Linux because Slackware isn’t really an easy “noob friendly” operating system, but I’ll still give enough detail that someone who’s unfamiliar with this stuff can get it done and hopefully learn some stuff about linux along the way…

Step One: Getting Slack

Grab a copy of slack off of their downloads page. My system is 64 bit so I went with that, yours might be 32, however, so you should figure out what your architecture is prior to downloading.

Next, burn that shit to a DVD or put it on a flash drive. These two options are the easiest, in my experience. The alternative is distributing it and burning like 10 CD’s, but I didn’t bother with that mess. Here are instructions for getting the Slackware ISO to boot from a USB:

Install Slackware using a USB Flash Drive

After that’s done, insert whatever medium you’ve chosen to use and make sure your BIOS options are set to boot from said medium. Google that if needed, it’s not hard and it’s hardware specific, so I can’t really tell you how your specific computer does it.

Step Two: Partition Tables

After you get your medium of choice up and running, you should see a screen asking you if you want to enter extra parameters. You probably don’t want to enter any extra parameters, so go ahead and hit enter, then Select your keyboard map/language from the menu. After that, you’ll find yourself at the login prompt. Login as root, you shouldn’t have to input a password but if you do it’ll be blank.

Here’s where we have to do some pre-configuration. This guide assumes slack will be the only operating system on your system, so if you need to dual boot and want encryption, you’ll have to do a few things differently, but I’m not going to cover that here.

Type “cfdisk” at the prompt, this should come up:

cfdisk

What we’re doing here is setting up the partition table. Essentially, we’re dividing up the hard drive into a few logical partitions so that certain things can run in certain places, and not be affected by others. Now, in order to create a bootable encrypted operating system there needs to be a small partition that is not encrypted, that is to say, it’s unencrypted and readable, so the computer can use it to figure out how to start the operating system and all that jazz.

The first partition we’ll make is a boot partition. Delete every other existing partition (if there are any) and write (again, assuming this will be your only OS on here). Next, select new and create a primary partition that is relatively small, I usually do 1000mb’s which is extreme and excessive, but most people do somewhere around 100mb’s and it works out well. Select “Beginning”, which pretty much puts that partition at the front of the disk. Now, this is important, DO NOT forget to make the first partition bootable by selecting it, and selecting bootable, otherwise the installation won’t know to use this partition to install the boot scripts and such.

cfdisk done

Next, we have to create another partition with the remaining space. Follow the same steps, except do not make it bootable and use the rest of the available space. The default is to use all remaining space, so basically just hit enter when it asks how much space to use. After you’ve done this, make sure you go down and select “write” to ensure the changes are in place. Then exit cfdisk. Our partition tables are done… for now.

Step Three: LVM / Luks Config

LVM or Logical Volume Manager is used here to configure volumes inside of the large partition we set up earlier. (sdx2) It’s an easy way to separate things internally and keep it all encrypted as one partition. What we’re going to want to do here is create three internal logical volumes, root, home, and swap. For those of you who know you want more, or have installed other distributions and prefer it a different way, just follow the same steps and size it out how you want, but for me this works out pretty well.

Before we do that, however, it might be a good idea for you to rewrite the entire large partition with random data. This is so computer forensics folks cannot determine where encryption starts and stops, making it harder to find out a way to circumvent the encryption and stuff. To do this, run this:

dd if=/dev/urandom of=/dev/sdx2

Where the “sdx2” is the large partition you made. You can check cfdisk for it’s actual location, but it’s probably /dev/sda2.

Now that we’ve finished that, let’s get the partition ready for encryption with cryptsetup:

cryptsetup -s 256 -y luksFormat /dev/sdx2

It’ll give you a warning, type YES (all caps or it won’t work), then decide on a password and type it. Be careful, however, later on if you put stuff on the drive and you forget your password, it’s gone forever. Such is the nature of encryption. Basically this is setting up luks encryption on /dev/sdx2.

LUKS passphrase prompt

Next, we’re gonna want to run

cryptsetup luksOpen /dev/sdx2 slackcrypt

This opens up the encrypted volume after you type in your password. It is now basically decrypted and we can set things up on the drive as if it were unencrypted. It opens to /dev/mapper/slackcrypt.

Following that, we’ll want to run

pvcreate /dev/mapper/slackcrypt 

pvcreate is a linux command used to initialize physical volumes for use by logical volume management (lvm) later.

Next, we’ll want to run

vgcreate cryptvg /dev/mapper/slackcrypt

Which creates the volume group “cryptvg”.

And finally we want to create a few logical volumes in the group.

lvcreate -L 20G -n root cryptvg

lvcreate -L 2G -n swap cryptvg

lvcreate -l 100%FREE -n home cryptvg

LVM creation

Clearly, these will be your root, home, and swap “partitions”. You can adjust the sizes to whatever you want them to be. I use a pretty large amount of space in root because I have run out of space installing tons of programs before, but I’ve also used tiny root partitions on machines where I didn’t plan on installing much. It really depends, but if you have the extra space I’d do like 20+ just to be on the safe side. The home directory gets everything that’s not allocated to swap or root.

Next thing we’ve got to do is make sure some nodes get set so everything knows where things are and what not:

vgscan --mknodes

vgchange -ay

Also, we should run this in order to make sure the slack installation stuff can detect our swap partition:

mkswap /dev/cryptvg/swap

volume groups

That concludes the pre-scrypt setup, now we’ll dig into the slackware script. Don’t worry, things are a bit easier from here on out…

Step Four: Slack Setup and Installation.

Next we’re going to want to start the slack setup utility.

Run setup

You should see something like this:

Slack setup

Select Keymap and the installer will walk you through it from here on out, however, there are a few things you’ll have to know about to get everything working with encryption. It should auto-detect the swap partition we designated, continue until you get to this screen:

Selecting root partition

Make sure you select /dev/cryptvg/root here, because that’ll be your LVM root partition. Pick whichever file-system suits you best. I usually go with either ext3 or ext4. After that it should bring you back to the same screen. It’s important to designate your other partitions here.

Select /dev/cryptvg/home and format it. It will then bring you to a screen like this:

Type in /home, as shown above. Next we have to designate boot, which is essential, otherwise your machine will not work properly. Select /dev/sdx1/ (probably /dev/sda1), format it, and type /boot. As shown here:

After you’ve got that done, you can go ahead and select which medium to install software from (whichever you’re booted from) and choose what you want installed on your system. This is pretty self explanatory so I won’t cover it here…

Once that’s done, you’ll reach a screen that looks like this:

Here we are going to install the bootloader Lilo. Select expert, then begin. Ignore the optional LILO Append, you probably don’t need to do anything with that. Keep going until you reach this:

Select mbr, hit confirm when it asks you to confirm /dev/sdx (probably /dev/sda), and keep going through the options until you’re back at the screen where you selected “begin”.

Now you have to select “Linux: Add a linux partition …” and select /dev/cryptvg/root to to boot. For example:

Once that’s been selected, install lilo. It may throw a warning, but we’ll fix that pretty soon. Continue with the installation until you reach a screen listing slackwares installation steps.

Step Five: Fixing Lilo, Restarting, And Finishing!

Now that lilo is installed, select exit. This should bring you back to the original prompt. Now we have to fix lilo because of our encryption scheme. First of all, run this:

chroot /mnt 

The simple explanation for this command is that you basically just entered the installed system, which is mounted at /mnt. Now you can work on things that are installed on the system.

Next, we have to run some derivative of this command, but don’t run it just yet, we have to change a few things to meet your systems specific needs.

mkinitrd -c -k  3.10.17 -m ext4 -f ext4 -r /dev/cryptvg/root -C /dev/sdx2 -L

First of all, you need to figure out what kernel you’re running. This can be done by running

uname -a

For slackware 14.1 it’s probably the same: 3.10.17, however, you should double check to make sure.

You also have to replace sdx2 with your own, which is probably sda2, but you can check with cfdisk. Another change you may need to make is the file system type. Here I have ext4, however, that depends on which type you chose to use for your /boot partition. Basically, here’s the changes needed:

mkinitrd -c -k *insert kernel number* -m *insert ROOT file system type 
here* -f *insert root file system type here* -r /dev/cryptvg/root -C 
/dev/sdx2  -h /dev/cryptvg/swap -L

Once you’ve made those changes, run that command. This will write an image to /boot/initrd.gz in your system which we will use for booting. The -h /dev/cryptvg/swap part should enable hibernation.

Next, (don’t worry, we’re almost done) you have to edit lilo’s configuration file and point it to the correct places so it knows what to boot with. Don’t forget the initrd line here.

vim /etc/lilo.conf

Edit the pertinent parts to look like this:

image = /boot/vmlinuz-generic-3.10.17
 initrd = /boot/initrd.gz
 root = /dev/cryptvg/root
 label = Slackware
 read-only  # Partitions should be mounted read-only for checking

Above that, there’s an “append” line. Edit it to look something like this:

append = "vt.default_utf8=0 resume=/dev/cryptvg/swap"

Of course, substituting your kernel where necessary. You can check what you need to put for “image = ” by going to /boot and checking which generic kernel you want to use to boot. Save your changes and exit.

Run

lilo

You may get an error or two from lilo, but you can usually ignore these. Exit, to get out of the chroot, then Reboot. Type in your password, and enjoy encrypted slack… You’re done. Remember to remove the installation CD or USB or whatever so it doesn’t boot back into that.

Source: ftp://ftp.slackware.com/pub/slackware/slackware-current/README_CRYPT.TXT

Broken Configuration.

If something went wrong, you probably configured something incorrectly along the way. To get back into your system and repair lilo or some other part of the system, here are some useful commands:

cryptsetup luksOpen /dev/sdx2 slackcrypt
vgscan --mknodes
vgchange -ay
lvscan 
mount /dev/cryptvg/root /mnt
mount /dev/cryptvg/home /mnt/home
mount /dev/sdx1 /mnt/boot
mount -o bind /proc /mnt/proc
mount -o bind /sys /mnt/sys
mount -o bind /dev /mnt/dev
chroot /mnt

Now you should be working in your system on the drive. You can edit lilo and configure the system however you need to. Sometimes adding modules to mkinitrd may be necessary for USB support at boot. One useful command slackware comes with is:

/usr/share/mkinitrd/mkinitrd_command_generator.sh

It’s pretty good for outputting a good mkinitrd command with appropriate module support. Remember to add swap as outlined earlier. Here’s an example of a command it generated and I modified for swap on one of my boxes:

mkinitrd -c -k 3.10.17 -f ext4 -r /dev/cryptvg/root -m usb-storage:xhci-
hcd:usbhid:hid_generic:mbcache:jbd2:ext4 -C /dev/sda2 -h /dev/cryptvg/swap 
-L -u -o /boot/initrd.gz

If you have any questions, feel free to drop in at forums.darknedgy.net and ask, I’ll probably be around to help out. Check out this blog post to add a new hard drive to your lvm / luks setup.


Comments

By: Glenda (Fri Sep 4 00:33:03 EDT 2015)
Why the vt.default_utf8=0 ?? WHAT'S WRONG WITH UTF-8

By: Glenda (Tue Sep 15 11:34:23 EDT 2015)
"Select /dev/sdx1/ (probably /dev/sda1), format it, and type /root."...

Shouldn't that be "/boot" as the screenshot seems to show or am I missing something?

Very, very good guide by the way, thank you!

By: Glenda (Wed Sep 30 18:35:16 EDT 2015)
Yes, it should be /boot. I rarely ever see /root on a separate partition. The only partition outside LVM should be /boot.

By: Glenda (Wed Sep 30 18:39:25 EDT 2015)
this guide is also pretty good ftp://ftp.slackware.com/pub/slackware/slackware-current/README_LVM.TXT

By: absent (Mon Oct 12 12:39:33 EDT 2015)
Ah, sorry. Fixed the /root / boot typo. Hopefully that didn't mess anybody up.

By: Glenda (Wed Nov 18 03:19:21 EST 2015)
Note that the "-L" option to mkinitrd is needed even if LVM is not used because that actually brings in device mapper support which is needed for LUKS anyway.

Tried 15 times without that and got frustrated by a message after unlocking the LUKS partition that /sbin/dmsetup is missing from initramfs.


By: Glenda (Tue Nov 24 11:21:00 EST 2015)
Not workin! :(

By: Glenda (Sun Nov 29 17:40:41 EST 2015)
This does work. I slowly and meticulously did each step. Lilo comes up, but I get no 'ask for password prompt' Instead says stuff like 'Unable to mount root fs...' '...panic...'

By: Glenda (Thu Dec 17 10:22:21 EST 2015)
great guide to actually help demystify this whole process! everything looks to be working with the exception of a "warning" when shutting down or restarting the system with a message:

Can't deactivate volume group "cryptvg" with 1 open logical volume(s)

EDIT: looks like this message is "normal"

By: Glenda (Tue Aug 9 03:04:35 EDT 2016)
Pathetic, this sums up the problem of the linux conmunity vs the OpenBSD community. I figured this all out, on my own, reading the docs. 1.) linux users should rRTFM 2) Docs should be a higher quality 3) linux users are not expected to be advanced users.

By: Glenda (Wed Nov 23 16:14:35 EST 2016)
Thank you for this guide. Helped a lot. I have a dual boot and it wasn't much different, just had to be careful which partitions to effect.

One thing you could add for those using a USB keyboard. I had to add some modules to the initrd. It took me a while. Here's my Slackware 14.2 thingy:

mkinitrd -c -k 4.4.14 -f ext4 -r /dev/cryptvg/root -C /dev/sda4 -h /dev/cryptvg/swap -L -m ext4:ehci-pci:xhci-pci:usbhid:hid_generic








By: Glenda (Sun Jul 9 16:27:03 EDT 2017)
I've had to learn so many boot loader systems, their interactions with many different initrd systems.

I don't have the time anymore a distro should generate their own initrd system and be capable of autoing a luks lvm install with a correctly configured boot loader with keymap support every step of the way.

This is the only thing in Linux that totally burns me out, I've had to learn so many of pecularities of this across so many distros that I'm burnt to a crisp on it.

If you ever reads this plz plz conisder just making the installer able to auto a luks lvm its about time it had it.

This is the only one I failed on, and its because I was learing to do it on a system were I have to deliver a servicable machine in a time frame with several other machines I have to install.