The Music in Noise

Full Disk Encryption with GRUB2 - 2017-10-14

A long time ago I figured out that GRUB2 has the capability of decrypting a LUKS encrypted partition therefore allowing for the `/boot' partition to be encrypted, however I haven't had the time to test it out until today. After that I decided it'd be a good idea to write a blog entry on how I did it, to help others and to serve as a reference for myself next time I want to do an install.

First, please note that I did all this while installing ArchLinux, but it should work just about the same for any manual installation of any distro. Also, some of the steps I explain here will be repeats of the post I did on LVM on LUKS encryption (where `/boot' is not encrypted so GRUB can boot the kernel).

NOTICE: In this post I will be using `/dev/sda' to refer to the device on which I want to put the encrypted partition, I will be calling my LVM container `lvmcrypt', the logical volume group `CryptGroup', the swap logical partition `swap', and the root logical partition `root'. Change any of these if you care to, feel free to customize.

Alright, so let's get to it!

Partitioning & Formatting

My physical partitioning is quite simple, I have one partition (`/dev/sda1') set to be the entire disk, make sure the type is set to `Linux LVM'. After this you'll want to setup a LUKS partition using `cryptsetup'. First load the `dm-crypt' module via `modprobe dm-crypt', afterwards you can format the partition via `cryptsetup -s luksFormat /dev/sda1'. You can probably change come settings to it to choose different ciphers and such. In order to get some benchmarks for what cipher would be best for your system use `cryptsetup benchmark'. After formatting the partition you'll have to open it via `cryptsetup luksOpen /dev/sda1 lvmcrypt'.

Now to setup and format the LVM partitions. Simply follow the following commands:

# Load kernel module
modprobe dm-mod
# Create physical LVM container on partition
pvcreate /dev/mapper/lvmcrypt
# Create LVM group
vgcreate CryptGroup /dev/mapper/lvmcrypt
# Create swap partition
lvcreate -C y -L 4G CryptGroup -n swap
# Create root partition
lvcreate -l +100%FREE CryptGroup -n root

Now you should have the following special files in your mapper: `CryptGroup-swap' and `CryptGroup-root'. These now need to be formatted:

mkfs.ext4 /dev/mapper/CryptGroup-root
mkswap /dev/mapper/CryptGroup-swap -L swap

After this point you can continue with your typical installation using `CryptGroup-root' and `CryptGroup-swap' until you reach the end of the installation where you need to configure a boot loader and custom kernel hooks.

Bootloader (GRUB2)

Firstly, make sure you're using GRUB2, older versions of GRUB do not have the decrypt functionality. You'll want to edit the `/etc/default/grub' file. Uncomment the line that says `GRUB_ENABLE_CRYPTODISK=y'. This will allow GRUB to decrypt the partition in order to find the kernel.

Kernel Hooks

Just like in LVM on LUKS, the kernel will need to decrypt as well (not only GRUB). For this you will want to edit the command line parameters of Linux in `/etc/default/grub' to look like this: `GRUB_CMDLINE_LINUX_DEFAULT="quiet splash cryptdevice=/dev/sda1:lvmcrypt root=/dev/mapper/VolGroup0-root resume=/dev/mapper/VolGroup0-swap"'. This will tell the Linux kernel where the kernel, root, and swap are. Since we have the root in an LVM container you will also have to set `GRUB_PRELOAD_MODULES="part_gpt part_msdos lvm"'.

You will also have to edit the kernel hooks in `/etc/mkinitcpio.conf' to look like this: `HOOKS="base udev autodetect modconf keyboard block encrypt lvm2 resume filesystems fsck"'. The important hooks here are `keyboard', `encrypt', `lvm2', and `resume'.

Final Remarks

Please note that you will be asked for your password twice, once by GRUB (to find the kernel image to boot) and another by the Linux kernel (to boot the entire OS). If you notice that anything here is incorrect or that something should be fixed, contact me from my contact page and I'll edit this post.

Last updated: