Installing Slackware with LVM/Luks Encryption.
Last Tested / Updated: Slackware 14.2 on Jan 6, 2019.
Some minor changes in the installer script, but everything still works as expected and as explained here.
A couple of people have requested this, and the documentation can be a little confusing, so I figured I’d write this up. I’ll assume some basic familiarity with Linux because Slackware isn’t really an easy “noob friendly” operating system, but I’ll still give enough detail that someone who’s unfamiliar with this stuff can get it done and hopefully learn some stuff about linux along the way…
Step One: Getting Slack
Grab a copy of slack off of their downloads page. My system is 64 bit so I went with that, yours might be 32, however, so you should figure out what your architecture is prior to downloading.
Next, burn that shit to a DVD or put it on a flash drive. These two options are the easiest, in my experience. The alternative is distributing it and burning like 10 CD’s, but I didn’t bother with that mess. Here are instructions for getting the Slackware ISO to boot from a USB:
After that’s done, insert whatever medium you’ve chosen to use and make sure your BIOS options are set to boot from said medium. Google that if needed, it’s not hard and it’s hardware specific, so I can’t really tell you how your specific computer does it.
Step Two: Partition Tables
After you get your medium of choice up and running, you should see a screen asking you if you want to enter extra parameters. You probably don’t want to enter any extra parameters, so go ahead and hit enter, then Select your keyboard map/language from the menu. After that, you’ll find yourself at the login prompt. Login as root, you shouldn’t have to input a password but if you do it’ll be blank.
Here’s where we have to do some pre-configuration. This guide assumes slack will be the only operating system on your system, so if you need to dual boot and want encryption, you’ll have to do a few things differently, but I’m not going to cover that here.
Type “cfdisk” at the prompt, this should come up:
If it doesn’t, check lsblk to see which /dev/ device your drive is on. Then type “cfdisk /dev/whatever”.
What we’re doing here is setting up the partition table. Essentially, we’re dividing up the hard drive into a few logical partitions so that certain things can run in certain places, and not be affected by others. Now, in order to create a bootable encrypted operating system there needs to be a small partition that is not encrypted, that is to say, it’s unencrypted and readable, so the computer can use it to figure out how to start the operating system and all that jazz.
The first partition we’ll make is a boot partition. Delete every other existing partition (if there are any) and write (again, assuming this will be your only OS on here). Next, select new and create a primary partition that is relatively small, I usually do 1000mb’s which is extreme and excessive, but most people do somewhere around 100mb’s and it works out well. Select “Beginning”, which pretty much puts that partition at the front of the disk. Now, this is important, DO NOT forget to make the first partition bootable by selecting it, and selecting bootable, otherwise the installation won’t know to use this partition to install the boot scripts and such.
Note that if you’re using a GPT partition table you can ignore the boot flag. This guide is using DOS / MBR. Also note that if you need a partition greater than 2TB, you’ll likely end up needing GPT. I ran into this issue with my most recent install. Instead of using cfdisk / fdisk at all, you can delete your partition table by following this sequence:
“gdisk”, “x”, “z”, “Y”, “Y”
Which basically removes your partition table entirely. After that I used cfdisk one more time to create a GPT partition table. Finally, I used parted to partition. More on that in a minute if you need to do it this way.
Next, we have to create another partition with the remaining space. Follow the same steps, except do not make it bootable and use the rest of the available space. The default is to use all remaining space, so basically just hit enter when it asks how much space to use. After you’ve done this, make sure you go down and select “write” to ensure the changes are in place. Then exit cfdisk. Our partition tables are done… for now. Proceed to the next section unless you’re using GPT.
If you’re using parted / GPT, just type “parted” to start it. Then “print” to check your current layout. If you haven’t already created a GPT partition table, you can do that with parted as well by typing “mklabel gpt”.
Finally, we’ll create the partitions as we would have using cfdisk / fdisk. The process is slightly different using parted, however, and you need to know a few gotchas for GPT as well. The command we’ll use is “mkpart” inside of parted’s interactive mode. I did it like this:
“parted /dev/vga” just denotes my own drive label. It’s entirely possible yours is /dev/sda or something else. Again, use lsblk to check. These commands:
“mkpart primary ext4 1MiB 500MiB” “mkpart primary ext4 500MiB 100%”
Are fairly intuitive. It creates a 500MB partition, then a partition taking up the rest of the drive. You can now quit parted and proceed.
Step Three: LVM / Luks Config
LVM or Logical Volume Manager is used here to configure volumes inside of the large partition we set up earlier. (sdx2) It’s an easy way to separate things internally and keep it all encrypted as one partition. What we’re going to want to do here is create three internal logical volumes, root, home, and swap. For those of you who know you want more, or have installed other distributions and prefer it a different way, just follow the same steps and size it out how you want, but for me this works out pretty well.
Before we do that, however, it might be a good idea for you to rewrite the entire large partition with random data. This is so computer forensics folks cannot determine where encryption starts and stops, making it harder to find out a way to circumvent the encryption and stuff. To do this, run this:
dd if=/dev/urandom of=/dev/sdx2
Where the “sdx2” is the large partition you made. You can check cfdisk for it’s actual location, but it’s probably /dev/sda2.
Now that we’ve finished that, let’s get the partition ready for encryption with cryptsetup:
cryptsetup -s 256 -y luksFormat /dev/sdx2
It’ll give you a warning, type YES (all caps or it won’t work), then decide on a password and type it. Be careful, however, later on if you put stuff on the drive and you forget your password, it’s gone forever. Such is the nature of encryption. Basically this is setting up luks encryption on /dev/sdx2.
Next, we’re gonna want to run
cryptsetup luksOpen /dev/sdx2 slackcrypt
This opens up the encrypted volume after you type in your password. It is now basically decrypted and we can set things up on the drive as if it were unencrypted. It opens to /dev/mapper/slackcrypt.
Following that, we’ll want to run
pvcreate is a linux command used to initialize physical volumes for use by logical volume management (lvm) later.
Next, we’ll want to run
vgcreate cryptvg /dev/mapper/slackcrypt
Which creates the volume group “cryptvg”.
And finally we want to create a few logical volumes in the group.
lvcreate -L 20G -n root cryptvg lvcreate -L 2G -n swap cryptvg lvcreate -l 100%FREE -n home cryptvg
Clearly, these will be your root, home, and swap “partitions”. You can adjust the sizes to whatever you want them to be. I use a pretty large amount of space in root because I have run out of space installing tons of programs before, but I’ve also used tiny root partitions on machines where I didn’t plan on installing much. It really depends, but if you have the extra space I’d do like 20+ just to be on the safe side. The home directory gets everything that’s not allocated to swap or root.
Next thing we’ve got to do is make sure some nodes get set so everything knows where things are and what not:
vgscan --mknodes vgchange -ay
Also, we should run this in order to make sure the slack installation stuff can detect our swap partition:
That concludes the pre-scrypt setup, now we’ll dig into the slackware script. Don’t worry, things are a bit easier from here on out…
Step Four: Slack Setup and Installation.
Next we’re going to want to start the slack setup utility.
You should see something like this:
Select Keymap and the installer will walk you through it from here on out, however, there are a few things you’ll have to know about to get everything working with encryption. It should auto-detect the swap partition we designated, continue until you get to this screen:
Make sure you select /dev/cryptvg/root here, because that’ll be your LVM root partition. Pick whichever file-system suits you best. I usually go with either ext3 or ext4. After that it should bring you back to the same screen. It’s important to designate your other partitions here.
Select /dev/cryptvg/home and format it. It will then bring you to a screen like this:
Type in /home, as shown above. Next we have to designate boot, which is essential, otherwise your machine will not work properly. Select /dev/sdx1/ (probably /dev/sda1), format it, and type /boot. As shown here:
After you’ve got that done, you can go ahead and select which medium to install software from (whichever you’re booted from) and choose what you want installed on your system. This is pretty self explanatory so I won’t cover it here…
Once that’s done, you’ll reach a screen that looks like this:
Here we are going to install the bootloader Lilo. Select expert, then begin. Ignore the optional LILO Append, you probably don’t need to do anything with that. Keep going until you reach this:
Select mbr, hit confirm when it asks you to confirm /dev/sdx (probably /dev/sda), and keep going through the options until you’re back at the screen where you selected “begin”.
Now you have to select “Linux: Add a linux partition …” and select /dev/cryptvg/root to boot. (Yes, /dev/cryptvg/root, not /boot.) For example:
Once that’s been selected, install lilo. It may throw a Fwarning, but we’ll fix that pretty soon. Continue with the installation until you reach a screen listing slackwares installation steps.
Note: If you’re using qemu/kvm you may fail to install lilo with the error: “Fatal: Linux experimental device 0xfc00 needs to be defined.”, or some variation. Just gotta edit /etc/lilo.conf and add “disk = /dev/vda bios=0x80 max-partitions=7”, above boot= at the top of the file, then run “lilo”.
Step Five: Fixing Lilo, Restarting, And Finishing!
Now that lilo is installed, select exit. This should bring you back to the original prompt. Now we have to fix lilo because of our encryption scheme. First of all, run this:
The simple explanation for this command is that you basically just entered the installed system, which is mounted at /mnt. Now you can work on things that are installed on the system.
Next, we have to run some derivative of this command, but don’t run it just yet, we have to change a few things to meet your systems specific needs.
mkinitrd -c -k 3.10.17 -m ext4 -f ext4 -r /dev/cryptvg/root -C /dev/sdx2 -L
First of all, you need to figure out what kernel you’re running. This can be done by running
For slackware 14.1 it’s probably the same: 3.10.17, however, you should double check to make sure.
You also have to replace sdx2 with your own, which is probably sda2, but you can check with cfdisk. Another change you may need to make is the file system type. Here I have ext4, however, that depends on which type you chose to use for your /boot partition. Basically, here’s the changes needed:
mkinitrd -c -k *insert kernel number* -m *insert ROOT file system type here* -f *insert root file system type here* -r /dev/cryptvg/root -C /dev/sdx2 -h /dev/cryptvg/swap -L
Once you’ve made those changes, run that command. This will write an image to /boot/initrd.gz in your system which we will use for booting. The -h /dev/cryptvg/swap part should enable hibernation.
Next, (don’t worry, we’re almost done) you have to edit lilo’s configuration file and point it to the correct places so it knows what to boot with. Don’t forget the initrd line here.
Edit the pertinent parts to look like this:
image = /boot/vmlinuz-generic-3.10.17 initrd = /boot/initrd.gz root = /dev/cryptvg/root label = Slackware read-only # Partitions should be mounted read-only for checking
Above that, there’s an “append” line. Edit it to look something like this:
append = "vt.default_utf8=0 resume=/dev/cryptvg/swap"
Of course, substituting your kernel where necessary. You can check what you need to put for “image = ” by going to /boot and checking which generic kernel you want to use to boot. Save your changes and exit.
You may get an error or two from lilo, but you can usually ignore these. Exit, to get out of the chroot, then Reboot. Type in your password, and enjoy encrypted slack… You’re done. Remember to remove the installation CD or USB or whatever so it doesn’t boot back into that.
If something went wrong, you probably configured something incorrectly along the way. To get back into your system and repair lilo or some other part of the system, here are some useful commands:
cryptsetup luksOpen /dev/sdx2 slackcrypt vgscan --mknodes vgchange -ay lvscan mount /dev/cryptvg/root /mnt mount /dev/cryptvg/home /mnt/home mount /dev/sdx1 /mnt/boot mount -o bind /proc /mnt/proc mount -o bind /sys /mnt/sys mount -o bind /dev /mnt/dev chroot /mnt
Now you should be working in your system on the drive. You can edit lilo and configure the system however you need to. Sometimes adding modules to mkinitrd may be necessary for USB support at boot. One useful command slackware comes with is:
It’s pretty good for outputting a good mkinitrd command with appropriate module support. Remember to add swap as outlined earlier. Here’s an example of a command it generated and I modified for swap on one of my boxes:
mkinitrd -c -k 3.10.17 -f ext4 -r /dev/cryptvg/root -m usb-storage:xhci- hcd:usbhid:hid_generic:mbcache:jbd2:ext4 -C /dev/sda2 -h /dev/cryptvg/swap -L -u -o /boot/initrd.gz