Question about LUKS

For official Void Linux documentation: https://docs.voidlinux.org/
ktn
Posts: 6
Joined: Fri Apr 26, 2024 9:42 pm

Post by ktn »

Hello! This is my first post here. I'm curious to hear others' points of view. Is it advisable to use the void-installer after (or before) setting up LUKS, or does using encrypted drives require manually setting up the rest of the install? Are there any special considerations that should be taken in this case, and are there any alternative approaches to encrypted storage that are more compatible with void-installer?

   ║..  . .  .. .. ╥ .. .  .  .. .. ║
';;║l ╤═ ,'.  ╥.'. ║,  '╥   :: ═╤╕'l║;; '  
,' ║ ╒╛ ─═╦═─d║  l,║ '' ║b─═╦═─ ││  ║ ',  
   ║╔╛b   ║,;;║.l. ║...d║'..║   ││d.║   
  b╠╣,  ;:║'─═╬══  ║  ══╬═─,║: .││ ;║d  
 ;l║╚═╗;  ║   ║─═══╬═══─║   ║.  │╘╗.║l;  
   ║  ╚╡┌╖║ ,'╩'' .║.:.:╩,. ║╓┐╞╛.╚╗║ . 
  ╚╩ ╓──┘╚╩═══──.. ╩ . ──═══╩╝└──╖ ╚╩╝.
pid1
Site Admin
Posts: 71
Joined: Sun Nov 21, 2021 2:50 am
Location: USA

Post by pid1 »

I, personally, partition my drive(s) and format then mount LUKS/dm-crypt devices before running void-installer. During void-installer installation, I skip the partitioning since it's already done and select the opened crypt devices to be formatted with the filesystems appropriately.
Linux/BSD since 2001. Void Linux+KDE/Plasma since 2015. Windows? Not even in a virtual machine :D

Post by ktn »

I'm going to try this later tomorrow, I might need to come back to this if I have any difficulty or further questions if that's all right. It seems much more straightforward than I imagined, though. Thanks a bunch!


Post by ktn »

I'm following the documentation for full disk encryption with BIOS on an HDD, opting for musl, ext4, and no swap partition (doing swapfile later) in a bash shell (for ease of reusing commands.) I followed it to the point just after where the guide states to install the base system, (https://docs.voidlinux.org/installation ... stallation). I'm not totally sure at exactly what point to use void-installer, though.

I mounted the volumes, copied xbps/keys/* into /mnt/var/db/xbps/keys/ and immediately started void-installer. In void-installer's Filesystem step, I chose the /home and /root options that had fstype:lvm, and made (what I suspect is the) mistake of overwriting the lvm filesystem with ext4. At this point I started over and reformatted. After repeating the process up to this point, I chose the fstype:lvm home partition and chose not to create a new filesystem at the end (it still overwrote fstype:lvm into fstype:ext4), I chose fstype:none for root, and put ext4. At this point I was locked out of the Filesystems option somehow, but tried the install anyway, and it failed to install grub. I'm going to try again very soon with a slightly different approach.

I might be making it more complicated than it needs to be. Can I ask for more details about where to switch over from the guide to void-installer? Thanks for your advice.


Post by ktn »

Ookie giving it another try. Starting out again following the official guide for encryption on a wiped disk, same preferences. This T410 uses BIOS, (though I'm not sure of this), so I'm using MBR.

I'm leaving the encryption guide right after lvcreating root and home, and running void-installer. I'm not sure if I should mount or chroot now, but I did neither. I may have messed up here.

In the Filesystem step of v-i, there are a total of six options:

Code:

~~(installation medium)~~
/dev/mapper/t410        size:298.1G;fstype:none
/dev/mapper/t410-home   size:273.1G;fstype:none
/dev/mapper/t410-root   size:25G;fstype:none
/dev/mapper/t410-home   size:273.07g;fstype:lvm
/dev/mapper/t410-root   size:25.00g;fstype:lvm

I tried choosing those that have fstype:lvm, which I would guess are the opened volumes, and formatting with ext4, which also formats the ones marked 'none'. This again kicks me, and locks me out of the dialog. At this point, I install, which fails to install GRUB with an unknown filesystem error on tty8.

I'm not totally sure what I'm doing/ doing wrong. Any ideas?


Post by pid1 »

It's been a very long time since I used LVM since I really just stick to Btrfs, but I think what you want to do (and maybe you have) is after opening the encrypted volume, create the LVM devices (again, I think you have but not sure if you did CLI or in void-installer). With those virtual devices made, you can then select them as your desired mountpoints and you must select desired filesystem.

When you're at that point if you're not able to get what you desire, get out of the void installer and show the output of lsblk -f so we can see how things are structured at that point.

Post by ktn »

Hey seriously thanks.

All right, going again. Tried cryptfs-utils on /home yesterday, had to do some kernel module stuff, I wasn't really a fan. Found Tomb https://dyne.org/software/tomb/, though and that was siiiick.

It's for sure a BIOS machine, so I've created two partitions: one empty BIOS boot partition and one big one. This worked earlier w/o luks.

`fdisk -l /dev/sda` returns something like:
Disklabel type: gpt,
and two devices, sda1 at 1M w/BIOS boot flag &
sda2 at 298.1G w/ Linux filesystem.

I do `cryptsetup luksFormat --type luks1 /dev/sda2` and `cryptsetup luksOpen /dev/sda2 T410`.

A paraphrase of `lsblk -f` at this point is as follows:

Code:

NAME              FSTYPE      FSVER    LABEL    UUID    ...
(loop0&1)
|_sda1
|_sda2            crypto_LUKS 1                 (theUUID) 
    |_T410
(install medium stuff)

Do I have a choice here about whether to enter void-installer now or run `vgcreate T410 /dev/mapper/T410` and `lvcreate --name root -L 30G T410` and `lvcreate --name home -l 100%FREE T410`?

After running those commands, I enter void-installer. Should I be selecting `manage the bootloader otherwise`? I'm picking sda. On Filesystems, I chose the lvm options again and ran the installer. Grub failed to install again, unknown filesystem. Idk if I need to chroot and install manually. Feeling a little dense.

Here's `lsblk -f` after the install, before reboot:

Code:

NAME              FSTYPE      FSVER    LABEL    UUID    ...
(loop0&1)
|_sda1
|_sda2            crypto_LUKS 1                 (theUUID) 
    |_T410        LVM2_member LVM2 001          (theUUID)
      |_T410-root ext4        1.0               (theUUID)
      |_T410-home ext4        1.0               (theUUID)
(install medium stuff)

I'm actually interested in the btrfs route as well if I can't work out how to combine void-installer with encryption, is there a particular encrypted btrfs guide you recommend off the top of your head? Understanding btrfs has always eluded me but it seems to be a lifesaver for my friend on Garuda.


Post by ktn »

Weirdly enough, doing `grub-install /dev/sda` at the end of the FDE guide without void-installer throws the same unknown filesystem error.


Post by pid1 »

As a tip, you should use LUKS version 2 if able.

To ease the process, and how I do it myself, you can set sda1 to a larger size, say 500MB and format as ext4 and mount as /boot. This will almost certainly clear up some of the issues with grub installing. Most of my Linux woes are grub not properly installing or updating the MBR or program files in /boot.

I have not run Grub with an encrypted /boot, nor have I researched the option myself. Does it exist? I always had to have /boot unencrypted to get the LUKS/dm_crypt enabled initrd to open the encrypted devices.

You can run your LVM commands prior to running void-installer, just be sure to select the appropriate virtual devs as your desired mount points and let void-installer format the filesystem on these virtual devs.
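
Added example, not part of the original thread: a shell check that tells apart the two layouts discussed above, /boot inside the LUKS container (where GRUB itself has to unlock the disk) and a separate unencrypted /boot as pid1 describes. It assumes input from `lsblk -Pno NAME,PKNAME,FSTYPE,FSVER,MOUNTPOINT`, a target mounted under /mnt, and the `GRUB_ENABLE_CRYPTODISK=y` setting in /etc/default/grub; the function name, result strings and sample data are constructed, and it does not diagnose the "unknown filesystem" error reported in the thread.

```shell
#!/bin/sh
# Added example. Input: `lsblk -Pno NAME,PKNAME,FSTYPE,FSVER,MOUNTPOINT`.
# SAMPLE is constructed, modelled on the layout posted in the thread.
SAMPLE='NAME="sda" PKNAME="" FSTYPE="" FSVER="" MOUNTPOINT=""
NAME="sda1" PKNAME="sda" FSTYPE="" FSVER="" MOUNTPOINT=""
NAME="sda2" PKNAME="sda" FSTYPE="crypto_LUKS" FSVER="1" MOUNTPOINT=""
NAME="T410" PKNAME="sda2" FSTYPE="LVM2_member" FSVER="LVM2 001" MOUNTPOINT=""
NAME="T410-root" PKNAME="T410" FSTYPE="ext4" FSVER="1.0" MOUNTPOINT="/mnt"
NAME="T410-home" PKNAME="T410" FSTYPE="ext4" FSVER="1.0" MOUNTPOINT="/mnt/home"'

# boot_path_check LSBLK_PAIRS TARGET_ROOT GRUB_DEFAULTS_TEXT  (hypothetical helper)
# Prints how GRUB reaches the filesystem that holds /boot on the target.
boot_path_check() {
    cd_flag=unset
    # /etc/default/grub is a shell fragment; accept y or "y".
    if printf '%s\n' "$3" | grep -Eq '^GRUB_ENABLE_CRYPTODISK="?y"?$'; then
        cd_flag=set
    fi
    printf '%s\n' "$1" | awk -v root="${2%/}" -v cd="$cd_flag" '
    function field(line, key,    m) {      # value of KEY="value" on a line
        if (!match(line, "(^| )" key "=\"[^\"]*\"")) return ""
        m = substr(line, RSTART, RLENGTH)
        sub("^ ?" key "=\"", "", m); sub("\"$", "", m)
        return m
    }
    {
        n = field($0, "NAME"); mp = field($0, "MOUNTPOINT")
        parent[n] = field($0, "PKNAME")
        fstype[n] = field($0, "FSTYPE"); fsver[n] = field($0, "FSVER")
        if (mp == root "/boot") bootdev = n
        if (mp == (root == "" ? "/" : root)) rootdev = n
    }
    END {
        # /boot is its own filesystem if one is mounted there, else part of root.
        dev = (bootdev != "") ? bootdev : rootdev
        if (dev == "") { print "target-not-mounted"; exit }
        # Walk up the device stack looking for a LUKS container.
        for (d = parent[dev]; d != ""; d = parent[d])
            if (fstype[d] == "crypto_LUKS") {
                # GRUB must unlock this itself: needs GRUB_ENABLE_CRYPTODISK=y,
                # and its LUKS2 support is limited to PBKDF2 keyslots.
                print "encrypted-boot luks=" fsver[d] " cryptodisk=" cd
                exit
            }
        print "plain-boot"
    }'
}
```

From the live installer shell, before running `grub-install`, call it as `boot_path_check "$(lsblk -Pno NAME,PKNAME,FSTYPE,FSVER,MOUNTPOINT)" /mnt "$(cat /mnt/etc/default/grub)"`.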