stafwag Blog

staf wagemakers blog

Install Parabola GNU/Linux on an Encrypted Btrfs Logical Volume

"413px-Gnu10-mascot-logo_100ppi.png"

I finally found time to complete the installation of my Libreboot laptop

I decided to give Parabola GNU/Linux a try as my daily driver to get a fully Free Software Laptop/tablet.

Download the Parabola GNU/Linux iso and boot it

After Parabola GNU/Linux is booted verify that you have internet access if the network card is support and dhcp is enabled on you network you should get a network address.

Network access

To setup the system remotely we first need to setup network to our system.

Verify the interface

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
1 root@parabolaiso ~ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:16:d3:b7:3a:96 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.11/24 brd 192.168.1.255 scope global enp1s0
       valid_lft forever preferred_lft forever
    inet6 fe80::e5db:c85f:4478:1f44/64 scope link 
       valid_lft forever preferred_lft forever
3: wlp2s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 00:1b:77:4d:5a:57 brd ff:ff:ff:ff:ff:ff
root@parabolaiso ~ # 

Verify internet access

1
2
3
4
5
6
7
8
9
10
root@parabolaiso ~ # ping -c 3 www.google.be
PING www.google.be (172.217.17.67) 56(84) bytes of data.
64 bytes from ams16s30-in-f3.1e100.net (172.217.17.67): icmp_seq=1 ttl=56 time=91.3 ms
64 bytes from ams16s30-in-f3.1e100.net (172.217.17.67): icmp_seq=2 ttl=56 time=48.7 ms
64 bytes from ams16s30-in-f3.1e100.net (172.217.17.67): icmp_seq=3 ttl=56 time=47.9 ms

--- www.google.be ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 47.998/62.714/91.366/20.264 ms
root@parabolaiso ~ # 

ssh access

If you want to install Parabola GNU/Linux over ssh you need to assign a root passwd and start the sshd service.

root password

1
2
3
4
5
root@parabolaiso ~ # passwd root
New password: 
Retype new password: 
passwd: password updated successfully
root@parabolaiso ~ # 

create a user account

Parabola doesn’t allow remote ssh root logons. Create a new account to access the system remotely.

1
2
3
4
5
6
root@parabolaiso ~ # useradd install
root@parabolaiso ~ # passwd install
New password: 
Retype new password: 
passwd: password updated successfully
root@parabolaiso ~ # 

start sshd

1
2
root@parabolaiso ~ # systemctl start sshd
root@parabolaiso ~ # 

Logon remotely

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
[staf@vicky ~]$ ssh install@petronella 
install@petronella's password: 

===============================================================================
                                                                          
         Parabola live media 2016.11.03                                
                                                                          
    To install Parabola, the system must be connected to the internet.    
    For instructions, enter this command:                                 
      lynx network.html                                           
                                                                          
    Press the number keys while holding Alt to switch virtual terminals.  
    This allows entering commands without closing lynx.                   
                                                                          
===============================================================================

Could not chdir to home directory /home/install: No such file or directory
[install@parabolaiso /]$ su -
Password: 
root@parabolaiso ~ # 

Partition your harddisk

Find your harddisk device name

1
2
3
4
5
6
7
8
9
10
11
12
13
root@parabolaiso ~ # lsblk -o NAME,VENDOR,MODEL,TYPE,SIZE 
NAME                  VENDOR   MODEL            TYPE   SIZE
loop1                                           loop   1.9G
`-parabola_root-image                           dm     1.9G
sdb                   ATA      OCZ-VERTEX2      disk 107.1G
`-sdb1                                          part 107.1G
loop2                                           loop   1.9G
`-parabola_root-image                           dm     1.9G
loop0                                           loop 269.7M
sda                   Kingston DataTraveler 2.0 disk   7.2G
|-sda2                                          part    31M
`-sda1                                          part   613M
root@parabolaiso ~ # 

Overwrite it with random data

Because we are creating an ecrypted filesystem it’s a good idea to overwrite it with random data.

We’ll use badblocks for this another method is to use “dd if=/dev/random of=/dev/xxx” the “dd” method is probably the best method but is a lot slower.

1
2
3
4
5
6
7
8
9
10
root@parabolaiso ~ # badblocks -c 10240 -s -w -t random -v /dev/sdb


Checking for bad blocks in read-write mode
From block 0 to 112337063
Testing with random pattern: done                                                 
Reading and comparing: done                                                 
Pass completed, 0 bad blocks found. (0/0/0 errors)
badblocks -c 10240 -s -w -t random -v /dev/sdb  82.82s user 20.08s system 3% cpu 48:12.29 total
root@parabolaiso ~ # 

Partition the harddisk

We’ll use lvm is this setup, while it should be possible to boot from an encrypted partition with Libreboot partition I create a small unencrypted boot partition.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
root@parabolaiso ~ # fdisk /dev/sdb

Welcome to fdisk (util-linux 2.28.2).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table.
Created a new DOS disklabel with disk identifier 0x2640923c.

Command (m for help): p
Disk /dev/sdb: 107.1 GiB, 115033153536 bytes, 224674128 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x2640923c

Command (m for help): n
Partition type
   p   primary (0 primary, 0 extended, 4 free)
   e   extended (container for logical partitions)
Select (default p): p
Partition number (1-4, default 1): 
First sector (2048-224674127, default 2048): 
Last sector, +sectors or +size{K,M,G,T,P} (2048-224674127, default 224674127): +1G

Created a new partition 1 of type 'Linux' and of size 1 GiB.

Command (m for help): n
Partition type
   p   primary (1 primary, 0 extended, 3 free)
   e   extended (container for logical partitions)
Select (default p): p
Partition number (2-4, default 2): 
First sector (2099200-224674127, default 2099200): 
Last sector, +sectors or +size{K,M,G,T,P} (2099200-224674127, default 224674127): 

Created a new partition 2 of type 'Linux' and of size 106.1 GiB.

Command (m for help): p
Disk /dev/sdb: 107.1 GiB, 115033153536 bytes, 224674128 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x2640923c

Device     Boot   Start       End   Sectors   Size Id Type
/dev/sdb1          2048   2099199   2097152     1G 83 Linux
/dev/sdb2       2099200 224674127 222574928 106.1G 83 Linux

Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.

root@parabolaiso ~ # 

Encrypt the LVM physical volume

Benchmark

We bechmark the encryption to decide which encryption we’ll use.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
root@parabolaiso ~ # cryptsetup benchmark
# Tests are approximate using memory only (no storage IO).
PBKDF2-sha1       382134 iterations per second for 256-bit key
PBKDF2-sha256     479239 iterations per second for 256-bit key
PBKDF2-sha512     347671 iterations per second for 256-bit key
PBKDF2-ripemd160  319687 iterations per second for 256-bit key
PBKDF2-whirlpool  221032 iterations per second for 256-bit key
#  Algorithm | Key |  Encryption |  Decryption
     aes-cbc   128b    79.1 MiB/s    93.9 MiB/s
 serpent-cbc   128b    30.0 MiB/s   112.0 MiB/s
 twofish-cbc   128b    77.5 MiB/s   102.5 MiB/s
     aes-cbc   256b    62.7 MiB/s    71.0 MiB/s
 serpent-cbc   256b    30.0 MiB/s   111.9 MiB/s
 twofish-cbc   256b    77.5 MiB/s   102.4 MiB/s
     aes-xts   256b    93.0 MiB/s    93.3 MiB/s
 serpent-xts   256b   100.3 MiB/s   104.5 MiB/s
 twofish-xts   256b    93.8 MiB/s    95.0 MiB/s
     aes-xts   512b    70.5 MiB/s    70.7 MiB/s
 serpent-xts   512b   100.3 MiB/s   104.4 MiB/s
 twofish-xts   512b    93.9 MiB/s    94.9 MiB/s
cryptsetup benchmark  3.91s user 24.02s system 99% cpu 28.093 total
root@parabolaiso ~ # 

Create Luks volume

The serpent xts with a 512 bits keys seems to give a pretty good performance while sha256 hashing gives the best performance.

1
2
3
4
5
6
7
8
9
10
root@parabolaiso ~ # cryptsetup luksFormat --cipher serpent-xts-plain64 --key-size 512 --hash sha256 --use-random /dev/sdb2 

WARNING!
========
This will overwrite data on /dev/sdb2 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase: 
Verify passphrase: 
root@parabolaiso ~ # 

LVM setup

Create the volumes

Open the LUKS volume

1
2
3
root@parabolaiso ~ #  cryptsetup luksOpen /dev/sdb2 pv
Enter passphrase for /dev/sdb2: 
root@parabolaiso ~ # 

This create /dev/mapper/pv

Create the physical volume

1
2
3
root@parabolaiso ~ # pvcreate /dev/mapper/pv                 
  Physical volume "/dev/mapper/pv" successfully created.
root@parabolaiso ~ # 

Show the pv

1
2
3
4
root@parabolaiso ~ # pvs
  PV             VG Fmt  Attr PSize   PFree  
  /dev/mapper/pv    lvm2 ---  106.13g 106.13g
root@parabolaiso ~ # 

Create the volume group

1
2
3
root@parabolaiso ~ # vgcreate vg /dev/mapper/pv
  Volume group "vg" successfully created
root@parabolaiso ~ # 

Show the created volume group

1
2
3
4
root@parabolaiso ~ # vgs
  VG #PV #LV #SN Attr   VSize   VFree  
  vg   1   0   0 wz--n- 106.13g 106.13g
root@parabolaiso ~ # 

Create the swap logical volume

1
2
3
root@parabolaiso ~ # lvcreate -L 4G vg -n lv_swap 
  Logical volume "lv_swap" created.
root@parabolaiso ~ # 

Create the root logical volume

1
2
3
root@parabolaiso ~ # lvcreate -L 20G vg -n lv_root   
  Logical volume "lv_root" created.
root@parabolaiso ~ # 

Display the create logical volumes

1
2
3
4
5
root@parabolaiso ~ # lvs
  LV      VG Attr       LSize  Pool Origin Data%  Meta%  Move Log Cpy%Sync Convert
  lv_root vg -wi-a----- 20.00g                                                    
  lv_swap vg -wi-a-----  4.00g                                                    
root@parabolaiso ~ # 

Format the logical volumes

Create the swapspace

1
2
3
4
root@parabolaiso ~ # mkswap /dev/mapper/vg-lv_swap       
Setting up swapspace version 1, size = 4 GiB (4294963200 bytes)
no label, UUID=32f6e5d4-67a3-42e3-8a90-6ee3ae0fdaa3
root@parabolaiso ~ # 

And activate it;

1
2
root@parabolaiso ~ # swapon /dev/mapper/vg-lv_swap       
root@parabolaiso ~ # 

Create the root filesystem

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
root@parabolaiso ~ # mkfs.btrfs /dev/mapper/vg-lv_root       
btrfs-progs v4.8.2
See http://btrfs.wiki.kernel.org for more information.

Detected a SSD, turning off metadata duplication.  Mkfs with -m dup if you want to force metadata duplication.
Label:              (null)
UUID:               
Node size:          16384
Sector size:        4096
Filesystem size:    20.00GiB
Block group profiles:
  Data:             single            8.00MiB
  Metadata:         single            8.00MiB
  System:           single            4.00MiB
SSD detected:       yes
Incompat features:  extref, skinny-metadata
Number of devices:  1
Devices:
   ID        SIZE  PATH
    1    20.00GiB  /dev/mapper/vg-lv_root

root@parabolaiso ~ # 

Create the boot filesystem

1
2
3
4
5
6
7
8
9
10
11
12
13
root@parabolaiso ~ # mkfs.ext2 /dev/sdb1 
mke2fs 1.43.3 (04-Sep-2016)
Discarding device blocks: done                            
Creating filesystem with 262144 4k blocks and 65536 inodes
Filesystem UUID: e3fd741d-d0e0-483f-a9cd-3fbd3f9d66d1
Superblock backups stored on blocks: 
        32768, 98304, 163840, 229376

Allocating group tables: done                            
Writing inode tables: done                            
Writing superblocks and filesystem accounting information: done

root@parabolaiso ~ # 

Mount the filesystems

Mount the root filesystem;

1
2
3
root@parabolaiso ~ # 
root@parabolaiso ~ # mount -o noatime,compress=lzo,discard,ssd,defaults /dev/mapper/vg-lv_root /mnt
root@parabolaiso ~ # 

Create the /home and /boot directories

1
root@parabolaiso ~ # mkdir -p /mnt/{boot,home}

Mount the boot filesystem

1
2
root@parabolaiso ~ # mount /dev/sdb1 /mnt/boot
root@parabolaiso ~ # 

Show;

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
root@parabolaiso ~ # df -h
Filesystem                       Size  Used Avail Use% Mounted on
dev                              1.6G     0  1.6G   0% /dev
run                              1.6G   26M  1.6G   2% /run
/dev/sda1                        613M  613M     0 100% /run/parabolaiso/bootmnt
cowspace                         2.4G  8.9M  2.4G   1% /run/parabolaiso/cowspace
/dev/loop0                       270M  270M     0 100% /run/parabolaiso/sfs/root-image
/dev/mapper/parabola_root-image  1.9G  885M 1003M  47% /
tmpfs                            1.6G     0  1.6G   0% /dev/shm
tmpfs                            1.6G     0  1.6G   0% /sys/fs/cgroup
tmpfs                            1.6G     0  1.6G   0% /tmp
tmpfs                            1.6G  1.6M  1.6G   1% /etc/pacman.d/gnupg
tmpfs                            320M     0  320M   0% /run/user/0
tmpfs                            320M     0  320M   0% /run/user/1001
/dev/mapper/vg-lv_root            20G   17M   20G   1% /mnt
/dev/sdb1                       1008M  1.3M  956M   1% /mnt/boot
root@parabolaiso ~ # 

System installation

boostrap the system

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
root@parabolaiso ~ # pacstrap /mnt base base-devel btrfs-progs
==> Creating install root at /mnt
==> Installing packages to /mnt
:: Synchronizing package databases...
 libre                                              437.7 KiB   228K/s 00:02 [############################################] 100%
 core                                               111.1 KiB   280K/s 00:00 [############################################] 100%
 extra                                             1535.4 KiB   544K/s 00:03 [############################################] 100%
 community                                            3.6 MiB   615K/s 00:06 [############################################] 100%
 pcr                                                620.0 KiB   662K/s 00:01 [############################################] 100%
:: There are 52 members in group base:
:: Repository libre
   1) filesystem  2) licenses  3) linux-libre  4) pacman  5) pacman-mirrorlist  6) systemd-sysvcompat  7) your-freedom
:: Repository core
   8) bash  9) bzip2  10) coreutils  11) cryptsetup  12) device-mapper  13) dhcpcd  14) diffutils  15) e2fsprogs  16) file
   17) findutils  18) gawk  19) gcc-libs  20) gettext  21) glibc  22) grep  23) gzip  24) inetutils  25) iproute2  26) iputils
   27) jfsutils  28) less  29) logrotate  30) lvm2  31) man-db  32) man-pages  33) mdadm  34) nano  35) netctl  36) pciutils
   37) pcmciautils  38) perl  39) procps-ng  40) psmisc  41) reiserfsprogs  42) s-nail  43) sed  44) shadow  45) sysfsutils
   46) tar  47) texinfo  48) usbutils  49) util-linux  50) vi  51) which  52) xfsprogs

Enter a selection (default=all): 

< snip >

1
2
3
4
5
6
7
8
(2/7) Updating udev hardware database...
(3/7) Updating system user accounts...
(4/7) Creating temporary files...
(5/7) Arming ConditionNeedsUpdate...
(6/7) Updating the info directory file...
(7/7) Rebuilding certificate stores...
pacstrap /mnt base base-devel btrfs-progs  62.07s user 14.31s system 1% cpu 1:13:22.44 total
root@parabolaiso ~ # 

Generate /etc/fstab

1
2
3
root@parabolaiso ~ #
root@parabolaiso ~ # genfstab -U -p /mnt  >> /mnt/etc/fstab
root@parabolaiso ~ # 

review

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
root@parabolaiso ~ # cat /mnt/etc/fstab
# 
# /etc/fstab: static file system information
#
# <file system> <dir>   <type>  <options>       <dump>  <pass>
# UUID=3731a69b-7240-4618-8e5e-4684d7e719e3
# /dev/mapper/vg-lv_root
UUID=3731a69b-7240-4618-8e5e-4684d7e719e3       /               btrfs           rw,relatime,ssd,space_cache,subvolid=5,subvol=/0 0

# /dev/sdb1
UUID=e3fd741d-d0e0-483f-a9cd-3fbd3f9d66d1       /boot           ext2            rw,relatime,block_validity,barrier,user_xattr,acl       0 2

# /dev/mapper/vg-lv_swap
UUID=32f6e5d4-67a3-42e3-8a90-6ee3ae0fdaa3       none            swap            defaults        0 0

root@parabolaiso ~ # 

chroot

1
2
root@parabolaiso ~ # arch-chroot /mnt
[root@parabolaiso /]# 

Set the timezone

Set the link for the correct timezone

1
2
[root@parabolaiso /]# ln -sf /usr/share/zoneinfo/Europe/Brussels /etc/localtime
[root@parabolaiso /]# 

Set the hardwareclock to UTC

1
2
[root@parabolaiso /]# hwclock --systohc --utc
[root@parabolaiso /]# 

Generate the required locales

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
[root@parabolaiso /]# vi /etc/locale.gen 
[root@parabolaiso /]# local 
local       locale      locale-gen  localectl   localedef   
[root@parabolaiso /]# locale-gen
Generating locales...
  en_IE.UTF-8... done
  en_IE.ISO-8859-1... done
  en_IE.ISO-8859-15@euro... done
  en_US.UTF-8... done
  en_US.ISO-8859-1... done
  nl_BE.UTF-8... done
  nl_BE.ISO-8859-1... done
  nl_BE.ISO-8859-15@euro... done
Generation complete.
[root@parabolaiso /]# 

Hostname

1
2
[root@parabolaiso /]# vi /etc/hostname
[root@parabolaiso /]# 

mkinitcpio

HOOKS

Add “encrypt lvm2” to HOOKS before filesystems in /etc/mkinitcpio.conf

1
[root@parabolaiso /]# vi /etc/mkinitcpio.conf
1
HOOKS="base udev autodetect modconf block encrypt lvm2 filesystems keyboard fsck"

Create boot image

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
[root@parabolaiso /]#  mkinitcpio -p linux-libre
==> Building image from preset: /etc/mkinitcpio.d/linux-libre.preset: 'default'
  -> -k /boot/vmlinuz-linux-libre -c /etc/mkinitcpio.conf -g /boot/initramfs-linux-libre.img
==> Starting build: 4.10.6-gnu-1
  -> Running build hook: [base]
  -> Running build hook: [udev]
  -> Running build hook: [autodetect]
  -> Running build hook: [modconf]
  -> Running build hook: [block]
  -> Running build hook: [sd-encrypt]
/usr/lib/initcpio/install/sd-encrypt: line 21: add_systemd_unit: command not found
/usr/lib/initcpio/install/sd-encrypt: line 25: add_systemd_unit: command not found
/usr/lib/initcpio/install/sd-encrypt: line 26: add_systemd_unit: command not found
  -> Running build hook: [lvm2]
  -> Running build hook: [filesystems]
  -> Running build hook: [keyboard]
  -> Running build hook: [fsck]
==> Generating module dependencies
==> Creating gzip-compressed initcpio image: /boot/initramfs-linux-libre.img
==> Image generation successful
==> Building image from preset: /etc/mkinitcpio.d/linux-libre.preset: 'fallback'
  -> -k /boot/vmlinuz-linux-libre -c /etc/mkinitcpio.conf -g /boot/initramfs-linux-libre-fallback.img -S autodetect
==> Starting build: 4.10.6-gnu-1
  -> Running build hook: [base]
  -> Running build hook: [udev]
  -> Running build hook: [modconf]
  -> Running build hook: [block]
==> WARNING: Possibly missing firmware for module: isci
  -> Running build hook: [sd-encrypt]
/usr/lib/initcpio/install/sd-encrypt: line 21: add_systemd_unit: command not found
/usr/lib/initcpio/install/sd-encrypt: line 25: add_systemd_unit: command not found
/usr/lib/initcpio/install/sd-encrypt: line 26: add_systemd_unit: command not found
  -> Running build hook: [lvm2]
  -> Running build hook: [filesystems]
  -> Running build hook: [keyboard]
  -> Running build hook: [fsck]
==> Generating module dependencies
==> Creating gzip-compressed initcpio image: /boot/initramfs-linux-libre-fallback.img
==> Image generation successful
[root@parabolaiso /]# 

set the root password

1
2
3
4
5
[root@parabolaiso /]# passwd root
New password: 
Retype new password: 
passwd: password updated successfully
[root@parabolaiso /]# 

GRUB

install Grub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
[root@parabolaiso /]#  pacman -Sy grub
:: Synchronizing package databases...
 libre is up to date
 core is up to date
 extra is up to date
 community is up to date
 pcr is up to date
resolving dependencies...
looking for conflicting packages...

Packages (1) grub-1:2.02.rc2-1.parabola1

Total Download Size:    6.04 MiB
Total Installed Size:  35.87 MiB

:: Proceed with installation? [Y/n] 
:: Retrieving packages...
 grub-1:2.02.rc2-1.parabola1-x86_64                   6.0 MiB   128K/s 00:48 [############################################] 100%
(1/1) checking keys in keyring                                               [############################################] 100%
(1/1) checking package integrity                                             [############################################] 100%
(1/1) loading package files                                                  [############################################] 100%
(1/1) checking for file conflicts                                            [############################################] 100%
(1/1) checking available disk space                                          [############################################] 100%
:: Processing package changes...
(1/1) installing grub                                                        [############################################] 100%
Generating grub.cfg.example config file...
This may fail on some machines running a custom kernel.
done.
Optional dependencies for grub
    freetype2: For grub-mkfont usage
    fuse: For grub-mount usage
    dosfstools: For grub-mkrescue FAT FS and EFI support
    efibootmgr: For grub-install EFI support
    libisoburn: Provides xorriso for generating grub rescue iso using grub-mkrescue
    os-prober: To detect other OSes when generating grub.cfg in BIOS systems
    mtools: For grub-mkrescue FAT FS support
:: Running post-transaction hooks...
(1/2) Arming ConditionNeedsUpdate...
(2/2) Updating the info directory file...
[root@parabolaiso /]# 

Install grub to your boot disk

1
2
3
4
[root@parabolaiso /]# grub-install --target=i386-pc /dev/sdb
Installing for i386-pc platform.
Installation finished. No error reported.
[root@parabolaiso /]# 

Create grub.cfg

We’ll use the uuid for the crypted device.

Get the UUID for the encrypted physical volume
1
2
3
4
5
6
7
8
9
10
[root@parabolaiso /]# ls -l /dev/disk/by-uuid/
total 0
lrwxrwxrwx 1 root root 10 Apr  3 10:07 2016-11-03-15-52-21-00 -> ../../sda1
lrwxrwxrwx 1 root root 10 Apr  3 10:09 32f6e5d4-67a3-42e3-8a90-6ee3ae0fdaa3 -> ../../dm-2
lrwxrwxrwx 1 root root 10 Apr  3 10:09 3731a69b-7240-4618-8e5e-4684d7e719e3 -> ../../dm-3
lrwxrwxrwx 1 root root 10 Apr  3 10:07 BD3C-9D8E -> ../../sda2
lrwxrwxrwx 1 root root 10 Apr  3 10:07 e3fd741d-d0e0-483f-a9cd-3fbd3f9d66d1 -> ../../sdb1
lrwxrwxrwx 1 root root 10 Apr  3 10:09 eb600d4a-a2fd-4698-8847-14e6dc1b5e6c -> ../../sdb2
lrwxrwxrwx 1 root root 10 Apr  3 10:07 f6312bc5-7593-4b6d-8427-0cf92d9de40b -> ../../dm-0
[root@parabolaiso /]# 
Update /etc/default/grub
1
2
3
4
5
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Parabola"
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="cryptdevice=/dev/disk/by-uuid/eb600d4a-a2fd-4698-8847-14e6dc1b5e6c:pv"
Generate grub.cfg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
[root@parabolaiso /]# grub-mkconfig -o /boot/grub/grub.cfg
Generating grub configuration file ...
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
Found linux image: /boot/vmlinuz-linux-libre
Found initrd image: /boot/initramfs-linux-libre.img
Found fallback initramfs image: /boot/initramfs-linux-libre-fallback.img
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
done
[root@parabolaiso /]# 

Reboot

1
2
3
4
5
6
7
8
9
10
11
[root@parabolaiso /]# exit
root@parabolaiso ~ # umount /mnt/boot
root@parabolaiso ~ # umount /mnt/    
root@parabolaiso ~ # lvchange -an /dev/vg/lv_root  
root@parabolaiso ~ # swapoff /dev/vg/lv_swap
root@parabolaiso ~ # lvchange -an /dev/vg/lv_swap
root@parabolaiso ~ # cryptsetup luksClose  /dev/mapper/pv
root@parabolaiso ~ # reboot
Connection to petronella closed by remote host.
Connection to petronella closed.
[staf@vicky octopress]$ 

First boot

If everything goes well GNU/Linux get booted, … if not. You’ll have some fun to resolve the boot issues :-)

Have fun!

Links

Comments