Thanks everybody for your comments.
So here's a quick 'n' dirty howto for a Slackware64-current with both / and /boot encrypted.
Only tested under Qemu 5.1.0 with a 10G disk img.
As is, it won't work on a UEFI-only computer.
Reviews and comments welcome.
/boot is luks1.
You can test that install using only these three package sets: a/ ap/ l/
#Non-EFI
#GPT
#GRUB (+GPT) -> BIOS BOOT partition
#Encrypted / and /boot
grub-2.04-x86_64-3 will not work! You will get: grub-install: error: Decompressor is too big
Use an older grub-2.04-x86_64-2 or even grub-2.04-x86_64-1, which you install after the setup, without rebooting.
sda1, 500M (too much! 1M should be enough) BIOS BOOT
sda2, 500M /boot
sda3, remaining space for lvm
Code:
dd if=/dev/urandom of=/dev/sda2
cryptsetup -s 256 -y luksFormat --type luks1 /dev/sda2
Code:
cryptsetup luksOpen /dev/sda2 lukssda2
# not needed for a single partition, but probably doable
# pvcreate /dev/mapper/lukssda2
# vgcreate cryptvgboot /dev/mapper/lukssda2
# lvcreate -l100%FREE -n boot cryptvgboot
Code:
dd if=/dev/urandom of=/dev/sda3
cryptsetup -s 256 -y luksFormat /dev/sda3
Code:
cryptsetup luksOpen /dev/sda3 lukssda3
Code:
pvcreate /dev/mapper/lukssda3
vgcreate cryptvg /dev/mapper/lukssda3
lvcreate -L 8G -n root cryptvg
lvcreate -L 100M -n swap cryptvg
lvcreate -l100%FREE -n home cryptvg
mkswap /dev/cryptvg/swap
cryptvg-root as /
cryptvg-home as /home
/dev/mapper/lukssda2 as /boot
Skip lilo install.
Don't reboot!
Copy the old grub package into /mnt
Code:
chroot /mnt
removepkg grub
installpkg the_old_grub_package
Code:
cat /etc/fstab
/dev/mapper/cryptvg-root on / type ext4 (rw,relatime)
/dev/mapper/cryptvg-home on /home type ext4 (rw,relatime)
/dev/mapper/lukssda2 on /boot type ext4 (rw,relatime)
Code:
cd /boot
mkinitrd -c -k 5.10.26 -m ext4 -f ext4 -r /dev/cryptvg/root -C /dev/sda3 -L
# or for a French keyboard
# mkinitrd -c -k 5.10.26 -m ext4 -f ext4 -r /dev/cryptvg/root -C /dev/sda3 -L -l fr
Code:
vim /etc/default/grub
GRUB_ENABLE_CRYPTODISK=y
If you use an SSD, read these before applying the code below:
https://wiki.archlinux.org/index.php...e_drives_(SSD)
https://wiki.gentoo.org/wiki/Full_Di...ied#SSD_tricks
Code:
vim /etc/default/grub
GRUB_CMDLINE_LINUX="root_trim=yes"
vim /etc/lvm/lvm.conf
issue_discards = 1
"When using SSDs and UEFI-boot the boot sequence might be too fast. When entering the correct passphrase Kernel complains about missing modules or no root device. Try rootdelay=3 added with GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub or directly append it in edit mode of Grub menu when booting"
Code:
grub-install /dev/sda
# seems not needed
# grub-install --modules=part_gpt /dev/sda
grub-mkconfig -o /boot/grub/grub.cfg
Passphrases are needed for /boot (GRUB), then /.
After boot, you'll notice that /boot isn't mounted. Open the LUKS volume, then run "mount -a" if you plan to update the kernel or GRUB settings.
Don't forget to blacklist grub in slackpkg!
I have trouble with nano: Ctrl-X to quit doesn't work with this encrypted setup!
Any insight about avoiding typing the / password and also automounting /boot is welcome.
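
A pre-reboot check for three settings the howto above depends on (the luks1 header on /boot, GRUB_ENABLE_CRYPTODISK=y, and the slackpkg blacklist entry for grub), added here as an example and not part of the original post. The function names and the sample file contents are constructed for illustration; the files to check are passed as arguments.

```shell
#!/bin/sh
# Added example: pre-reboot checks for the encrypted-/boot setup in the post.

# Print the LUKS header version from `cryptsetup luksDump` output on stdin.
luks_version() {
    awk '$1 == "Version:" { print $2; exit }'
}

# Succeed if FILE has an uncommented GRUB_ENABLE_CRYPTODISK=y line.
cryptodisk_enabled() {
    grep -Eq '^[[:space:]]*GRUB_ENABLE_CRYPTODISK=("y"|y)[[:space:]]*$' "$1"
}

# Succeed if the slackpkg blacklist FILE has an uncommented "grub" entry.
grub_blacklisted() {
    grep -Eq '^[[:space:]]*grub[[:space:]]*$' "$1"
}

# Run all three checks; print one line per check, return the failure count.
preflight() {  # args: luksDump-output-file grub-defaults-file blacklist-file
    fails=0
    ver=$(luks_version < "$1")
    if [ "$ver" = "1" ]; then echo "ok   /boot header is LUKS1"
    else echo "FAIL /boot header version is '$ver' (the post formats /boot as luks1)"; fails=$((fails + 1)); fi
    if cryptodisk_enabled "$2"; then echo "ok   GRUB_ENABLE_CRYPTODISK=y is set"
    else echo "FAIL GRUB_ENABLE_CRYPTODISK=y missing or commented out"; fails=$((fails + 1)); fi
    if grub_blacklisted "$3"; then echo "ok   grub is blacklisted in slackpkg"
    else echo "FAIL grub is not blacklisted in slackpkg"; fails=$((fails + 1)); fi
    return "$fails"
}

# Constructed sample inputs (not captured from a real system).
demo=$(mktemp -d)
printf 'LUKS header information for /dev/sda2\n\nVersion:       \t1\nCipher name:   \taes\n' > "$demo/dump1"
printf 'LUKS header information\nVersion:       \t2\n' > "$demo/dump2"
printf 'GRUB_TIMEOUT=5\nGRUB_ENABLE_CRYPTODISK=y\n' > "$demo/grub.good"
printf '#GRUB_ENABLE_CRYPTODISK=y\n' > "$demo/grub.bad"
printf '# constructed blacklist\ngrub\n' > "$demo/bl.good"
printf 'kernel-generic\n' > "$demo/bl.bad"

preflight "$demo/dump1" "$demo/grub.good" "$demo/bl.good" || true
preflight "$demo/dump2" "$demo/grub.bad" "$demo/bl.bad" || true
```

Inside the chroot, save `cryptsetup luksDump /dev/sda2` to a file and call `preflight` with that file, /etc/default/grub and /etc/slackpkg/blacklist.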