Encrypt SSD with LUKS and LVM#

IMPORTANT NOTES#

Some important notes to consider before encryption.

Use hdparm instead of BIOS password for hardware self-encryption#

Since BIOS passwords can make encryption keys unusable on other systems (due to hashes etc.), you should use hdparm.

See https://www.zeitgeist.se/2014/09/07/enabling-ata-security-on-a-self-encrypting-ssd/ for detailed explanations.

Partition table#

  • 200MB, type EF00 (EFI partition). This is used by GRUB2/BIOS-GPT. (/dev/sda1)
  • 100MB, type 8300 (Linux). This will store /boot (/dev/sda2)
  • 8GB, type 8200 (swap). This is our dedicated swap partition (not part of lvm). (/dev/sda3)
  • Remaining space, type 8E00 (LVM). Store both / and /home. (/dev/sda4).

So we get the following partition table:

sudo fdisk -l /dev/sda
Disk /dev/sdb: 238.5 GiB, 256060514304 bytes, 500118192 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 2745CF02-2F53-4647-9EDF-0D7FA8DA3110

Device        Start       End   Sectors   Size Type
/dev/sda1      2048   1026047   1024000   500M EFI System
/dev/sda2   1026048   1435647    409600   200M Linux filesystem
/dev/sda3   1435648  18212863  16777216     8G Linux swap
/dev/sda4  18212864 500118158 481905295 229.8G Linux LVM

Prepare encrypted LUKS space#

We need to align, enable TRIM and use the right payload for SSD.

sudo cryptsetup benchmark sudo cryptsetup -c aes-xts-plain --key-size 512 -y -h sha512 --align-payload=8192 luksFormat /dev/sda4 sudo cryptsetup luksOpen --allow-discards /dev/sda4 enc-lvm

Setup LVM space#

sudo lvm pvcreate --dataalignment 4M /dev/mapper/enc-lvm
sudo lvm vgcreate vgroup /dev/mapper/enc-lvm
sudo lvm lvcreate -L 30GB -n root vgroup
sudo lvm lvcreate -n root -L 30G vgroup
### sudo lvm lvcreate -n home -l 100%FREE vgroup  ## not recommended if you want  to  keep  some free space for snapshots
### sudo lvm lvcreate -n home -L 400GB -n home vgroup

Configure block devices, filesystems, and mountpoints#

Format /boot, /root and /home#

Format and enable TRIM support.

sudo mkfs.ext2 /dev/sda2
sudo mkfs.ext4 -E discard /dev/mapper/vgroup-root
sudo mkfs.ext4 -E discard /dev/mapper/vgroup-home

Get 5% space from /home partition#

5% space are by default hidden on ext4 partitions. This is typically used on root partition as a safeguard when the disk gets full. On non-root partition this hidden space can be easily and safely reclaimed back by using the following command.

sudo tune2fs -m 0 /dev/mapper/vgroup-home

Installation#

Install your system via CLI or GUI installer.

Do not reboot after installation is finnished.

Mount and chroot into newly installed system#

sudo cryptsetup luksOpen --allow-discards /dev/sda4 enc-lvm
sudo mount /dev/mapper/vgroup-root /mnt/
sudo mount /dev/mapper/vgroup-home /mnt/home/
sudo  mount  /dev/sda2 /mnt/boot/
sudo  mount  /dev/sda1 /mnt/boot/efi/
sudo  mount -t proc proc /mnt/proc
sudo  mount -t sysfs sys /mnt/sys
sudo mount -o bind /dev /mnt/dev
sudo  mount -t devpts pts /mnt/dev/pts/
sudo chroot /mnt/

Configure and build ramdisk#

Edit MODULES and HOOKS in /etc/mkinitcpio.conf

MODULES="dm_mod dm_crypt ext4 aes_x86_64 sha256 sha512"

Aadd encrypt and lvm2 prior to filesystem and resume under the HOOKS section:

HOOKS="base udev autodetect modconf block keyboard keymap plymouth plymouth-encrypt lvm2 resume filesystems fsck"

Rebuild kernel's ramdisk:

mkinitcpio -p linux

The version string represents your current kernel. For example "linux318" if you're running kernel 3.18

mkinitcpio -p linux318

Adjust GRUB config#

Edit /etc/defaults/grub and adjust as follows:

GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda4:vgroup:allow-discards"
# if your want to use UUIDs (get with "blkid /dev/sda"):
# GRUB_CMDLINE_LINUX="cryptdevice=/dev/disk/by-uuid/8c57b57b-9714-40eb-9b4d-13f8a67c164b:vgroup:allow-discards"

If you don't want to enable TRIM support, leave out the allow-discards option.

Mount Flags#

Edit /mnt/etc/fstab to add TRIM support

# <file system>                           <mount point>  <type>  <options>  <dump>  <pass>
/dev/mapper/vgroup-home            /home      ext4    defaults,noatime,discard 0 2
/dev/mapper/vgroup-root            /          ext4    defaults,noatime,discard 0 1
# using UUIDs (blkid /dev/mapper/vgroup-root)
# UUID=cc323893-0ee3-42b1-af8c-9f3bdde904e7 /home          ext4    defaults,noatime 0       2
# UUID=8c57b57b-9714-40eb-9b4d-13f8a67c164b /              ext4    defaults,noatime,discard 0       1

UUID=f6c7a434-278b-4e65-baea-5b8baffec853 swap           swap    defaults,noatime,discard 0       2
UUID=CA3B-BF7A                            /boot/efi      vfat    defaults,noatime 0       2
UUID=15197f00-0536-4847-96f0-2d33204adf0f /boot          ext2    defaults,noatime 0       2

We're done und you finally can safely reboot into your new system ;)