In this howto, I explain how I installed Arch Linux, with an encrypted LVM setup. The tricky part is that I have 2 physical volumes for my volume group, which required some hacking to get it working.
(I did all this on a virtual machine, as a proof of concept. I want to do something similar on my laptop, which already has an encrypted LVM system, and on which I want to install Arch beside the other installed OS'es.)
Disclaimer: I am an Arch newbie. This is the first time I set up Arch, so I might explain things wrong. I've used LVM on other distributions though, and I have used encrypted LVM on Fedora (where the installer did all the work for me, without me completely understanding how it worked.)
Setting up the encrypted LVM system
Boot your machine from the installation iso, and use e.g. cfdisk to create the partitions.
My partitioning scheme looks like this:
sda1   510 MB   ext2 (boot)
sda5  2048 MB   Linux LVM
sda6  6029 MB   Linux LVM
The boot partition cannot be inside LVM, and cannot be encrypted either, because it has to be accessible by grub. All other file systems will be on logical LVM volumes, which will be in one volume group. I set this up like this:
modprobe dm-mod
cryptsetup -y -c aes-xts-plain -s 512 luksFormat /dev/sda5
cryptsetup -y -c aes-xts-plain -s 512 luksFormat /dev/sda6
cryptsetup luksOpen /dev/sda5 crypt1
cryptsetup luksOpen /dev/sda6 crypt2
pvcreate /dev/mapper/crypt1
pvcreate /dev/mapper/crypt2
vgcreate vgroup /dev/mapper/crypt1
vgextend vgroup /dev/mapper/crypt2
lvcreate -L 1G -n swap vgroup
lvcreate -L 6G -n root vgroup
lvcreate -l 100%FREE -n home vgroup
aes-xts-plain defines the used encryption method. I don't know anything about that, so I just copied something from yet another howto.
crypt1 and crypt2 are just arbitrary names, which allow access to the unencrypted partitions on
Reactivating the LVM volumes after reboot
At this point, you can just start the installation procedure. But, if something goes wrong, and you have to reboot, you obviously don't have to recreate your encrypted partitions. This is how you can reactivate them:
modprobe dm-mod
cryptsetup luksOpen /dev/sda5 crypt1
cryptsetup luksOpen /dev/sda6 crypt2
vgchange -ay
(The last line just activates all available logical volumes.)
Setting up arch
To set up arch, just run /arch/setup, as usual. For the step ‘prepare hard drive’, choose option 3: manually configure block devices, file systems, mount points.
Choose the physical partition as boot partition, and the correct logical partitions for root, home, swap, or whatever partitions you created.
In order to use two (or more) encrypted physical volumes, you have to apply a hack to the encrypt hook. You do this when the installer shows you the different configuration files you can edit. At this point, just press CTRL+ALT+F2, log in as root again, and apply the changes in this patch.
Update: It seems the patch got lost in a migration of my blog 😢. But I obviously didn't invent the patch myself, I just shamelessly stole it from this post on the arch linux forums.
Once you've done that, press CTRL+ALT+F1 again, to switch back to the installer.
mkinitcpio.conf: search for HOOKS, and add encrypt lvm2 directly before filesystems. In my case, the HOOKS-line looks like
HOOKS="base udev autodetect pata scsi sata encrypt lvm2 filesystems"
That's all you have to change in the configuration files. Continue the installation until the step you have to configure grub. For the menu entries 'Arch Linux' and 'Arch Linux Fallback' you should make sure that the kernel line looks as follows:
kernel /vmlinuz27 root=/dev/mapper/vgroup-root cryptdevice=/dev/sda5:crypt1,/dev/sda6:crypt2 ro
Of course you should change vgroup-root to the name of your root volume, and choose the correct partitions after cryptdevice=. I chose the same names for the unencrypted devices (crypt1 and crypt2) as above, but I am not sure this is a
Adding two partitions after cryptdevice= is non-standard, this is why you had to hack the encrypt hook.
That's all. It should work. During bootup, you will be asked for the passphrases to decrypt your physical LVM partition. After entering these, your system will boot.
Things to be done
Although this setup works, it isn't perfect yet. In my situation, both encrypted partitions can be unlocked with the same password. It would be nice if entering the password one time, would decrypt both partitions at once; this is e.g. the case with Fedora.
I guess I will have to modify the encrypt hook again, such that it would try the first entered password for decrypting all the volumes. Only if this fails, it should ask to enter another password. This should be perfectly doable, but I wasn't able to try this out. Yet. ;-)
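The single-prompt behaviour described under 'Things to be done', as an added example in POSIX sh: it is not the lost patch and not code from Arch's encrypt hook. It parses the multi-device cryptdevice= value from the kernel line above, tries the passphrase that opened the previous volume first, and prompts again only if that fails; the function names and the limit of 3 prompts per volume are assumptions.

```shell
# Added example: all four function names are hypothetical, none comes from
# Arch's encrypt hook. The passphrase prompt limit of 3 is an assumption.

# Split "/dev/sda5:crypt1,/dev/sda6:crypt2" into "device name" lines.
# Returns 1 on a malformed entry so a typo in the kernel line fails loudly.
parse_cryptdevice() {
    [ -n "$1" ] || return 1
    old_ifs=$IFS; IFS=,
    set -f; set -- $1; set +f      # split on commas, no glob expansion
    IFS=$old_ifs
    for pair in "$@"; do
        case $pair in ?*:?*) ;; *) return 1 ;; esac
        dev=${pair%%:*}; name=${pair#*:}
        case $name in *[!A-Za-z0-9_-]*) return 1 ;; esac
        printf '%s %s\n' "$dev" "$name"
    done
}

# Passphrase goes to cryptsetup on stdin, not as a command argument.
# printf '%s' adds no newline; --key-file=- would treat one as key data.
try_open() {
    printf '%s' "$1" | cryptsetup luksOpen --key-file=- "$2" "$3"
}

# Prompt on the terminal with echo off; result is written to stdout.
ask_pass() {
    printf 'Passphrase for %s: ' "$1" >&2
    stty -echo; IFS= read -r reply; stty echo
    printf '\n' >&2
    printf '%s' "$reply"
}

# Unlock each volume, trying the passphrase that opened the previous one
# first and prompting (at most 3 times per volume) only when it fails.
unlock_all() {
    pairs=$(parse_cryptdevice "$1") || return 1
    pass=
    while read -r dev name <&3; do   # fd 3 keeps stdin free for the prompt
        tries=0
        until [ -n "$pass" ] && try_open "$pass" "$dev" "$name"; do
            [ "$tries" -lt 3 ] || { unset pass; return 1; }
            tries=$((tries + 1))
            pass=$(ask_pass "$dev")
        done
    done 3<<EOF
$pairs
EOF
    unset pass
}
```

Call it as unlock_all "/dev/sda5:crypt1,/dev/sda6:crypt2" before activating the volume group with vgchange -ay.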