https://area31.net.br/wiki/index.php?action=history&feed=atom&title=Rootfs_criptografado_com_LUKS_usando_LVM
Rootfs criptografado com LUKS usando LVM - Histórico de revisão
2026-06-07T23:50:54Z
Histórico de revisões para esta página neste wiki
MediaWiki 1.45.1
https://area31.net.br/wiki/index.php?title=Rootfs_criptografado_com_LUKS_usando_LVM&diff=4590&oldid=prev
Coffnix em 01h58min de 27 de abril de 2021
2021-04-27T01:58:13Z
<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="pt-BR">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Edição anterior</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Edição das 22h58min de 26 de abril de 2021</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l204">Linha 204:</td>
<td colspan="2" class="diff-lineno">Linha 204:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>[[Categoria:Segurança]]</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>[[Categoria:Segurança]]</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>[[Categoria:Deploy Linux]]</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>[[Categoria:Deploy Linux]]</div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">[[Categoria:CryptoProjects]]</ins></div></td></tr>
<!-- diff cache key wiki_area31:diff:1.41:old-4445:rev-4590:php=table -->
</table>
Coffnix
https://area31.net.br/wiki/index.php?title=Rootfs_criptografado_com_LUKS_usando_LVM&diff=4445&oldid=prev
Coffnix: Criou página com '== Encrypting the drive == Read more about different cipher options here: [http://blog.wpkg.org/2009/04/23/cipher-benchmark-for-dm-crypt-luks/ (1)] # cryptsetup --cipher aes...'
2021-03-31T15:55:51Z
<p>Criou página com '== Encrypting the drive == Read more about different cipher options here: [http://blog.wpkg.org/2009/04/23/cipher-benchmark-for-dm-crypt-luks/ (1)] # cryptsetup --cipher aes...'</p>
<p><b>Página nova</b></p><div>== Encrypting the drive ==<br />
Read more about different cipher options here: [http://blog.wpkg.org/2009/04/23/cipher-benchmark-for-dm-crypt-luks/ (1)]<br />
<br />
# cryptsetup --cipher aes-xts-plain64 luksFormat /dev/sda3<br />
<br />
Or use SHA512 for increase security. Do NOT use SHA-1: LUKS disk encryption. As the cryptography expert Bruce Schneier already told in year 2005, do not use SHA-1 because its broken. See his article here: [http://www.schneier.com/blog/archives/2005/02/sha1_broken.html (2)]<br />
<br />
# cryptsetup --cipher twofish-xts-plain64 --hash sha512 --key-size 256 luksFormat /dev/sda<br />
<br />
<br />
== Initializes the volume ==<br />
Initializes the volume, and sets an initial key or passphrase:<br />
<br />
# cryptsetup luksOpen /dev/sda3 dmcrypt_root<br />
<br />
There you'll be prompted to enter your password phrase for encrypted drive, type your paranoid password there. :D<br />
<br />
<br />
== Create logical volumes ==<br />
<br />
<pre><br />
# pvcreate /dev/mapper/dmcrypt_root<br />
# vgcreate vg /dev/mapper/dmcrypt_root<br />
# lvcreate -L10G --name root vg <br />
# lvcreate -L2G --name swap vg<br />
# lvcreate -L5G --name portage vg<br />
# lvcreate -l 100%FREE -nhome vg<br />
</pre><br />
<br />
Feel free to specify your desired size by altering the numbers after the -L flag. For example, to make your portage dataset 20GB's, use the flag -L20G instead of -L5G.<br />
<br />
<br />
'''OBS: Please, notice that above mentioned partitioning scheme is an example and not a default recommendation, change it accordingly to desired scheme.'''<br />
<br />
<br />
== Create a filesystem on volumes ==<br />
<br />
<pre><br />
# mkfs.ext2 /dev/sda1<br />
# mkswap /dev/mapper/vg-swap<br />
# mkfs.ext4 /dev/mapper/vg-root<br />
# mkfs.ext4 /dev/mapper/vg-portage<br />
# mkfs.ext4 /dev/mapper/vg-home<br />
</pre><br />
<br />
== Basic system setup ==<br />
<br />
<pre><br />
# swapon /dev/mapper/vg-swap<br />
# mkdir /mnt/funtoo<br />
# mount /dev/mapper/vg-root /mnt/funtoo<br />
# mkdir -p /mnt/funtoo/{boot,usr/portage,home}<br />
# mount /dev/sda1 /mnt/funtoo/boot<br />
# mount /dev/mapper/vg-portage /mnt/funtoo/usr/portage<br />
# mount /dev/mapper/vg-home /mnt/funtoo/home<br />
</pre><br />
<br />
Now perform all the steps required for basic system install, please follow [4] don't forget to emerge the following before your install is finished:<br />
<br />
* cryptsetup<br />
* lvm2<br />
* a bootloader (Grub2 recommended)<br />
* kernel sources (hardened/grsec recommended)<br />
<br />
== Editing the fstab ==<br />
Fire up your favorite text editor to edit /etc/fstab. You want to put the following in the file:<br />
<br />
cat /etc/fstab<br />
<br />
<pre><br />
# <fs> <mountpoint> <type> <opts> <dump/pass><br />
/dev/sda1 /boot ext2 noauto,noatime 1 2<br />
/dev/mapper/vg-swap none swap sw 0 0<br />
/dev/mapper/vg-root / ext4 noatime,nodiratime,defaults 0 1<br />
/dev/sr0 /mnt/cdrom auto noauto,ro 0 0<br />
/dev/mapper/vg-portage /usr/portage ext4 noatime,nodiratime 0 0<br />
/dev/mapper/vg-home /home ext4 noatime,nodiratime 0 0<br />
</pre><br />
<br />
<br />
== Kernel options ==<br />
Note: If you are using debian-sources as included in mid-May 2015 and later Funtoo stages, you do not need to rebuild the kernel. The following instructions are for other kernels that you may choose to install.<br />
<br />
<pre><br />
General setup ---><br />
[*] Initial RAM filesystem and RAM disk (initramfs/initrd) support<br />
Device Drivers ---><br />
Generic Driver Options ---> <br />
[*] Maintain a devtmpfs filesystem to mount at /dev<br />
Device Drivers ---><br />
[*] Multiple devices driver support ---><br />
<*>Device Mapper Support<br />
<*> Crypt target support<br />
Cryptographic API ---><br />
<*> XTS support<br />
-*-AES cipher algorithms<br />
</pre><br />
<br />
<br />
== Initramfs setup and configuration ==<br />
=== Better-initramfs ===<br />
<br />
<pre><br />
# cd /opt<br />
# git clone git://github.com/slashbeast/better-initramfs.git<br />
# cd better-initramfs<br />
# less README.rst<br />
# bootstrap/bootstrap-all<br />
# make prepare<br />
# make image<br />
</pre><br />
<br />
<br />
Copy resulting initramfs.cpio.gz to /boot:<br />
# cp output/initramfs.cpio.gz /boot<br />
<br />
<br />
Alternatively, a pre-compiled binary initramfs is available at https://bitbucket.org/piotrkarbowski/better-initramfs/downloads<br />
<br />
<pre><br />
# wget https://bitbucket.org/piotrkarbowski/better-initramfs/downloads/release-x86_64-v0.7.2.tar.bz2<br />
# tar xf release-x86_64-v0.5.tar.bz2<br />
# cd release*<br />
# gzip initramfs.cpio<br />
# cp initramfs.cpio.gz /boot<br />
</pre><br />
<br />
<br />
Remember, better-initramfs project is a work in progress, so you need to update from time to time. It can be done easily with git. Go to the better-initramfs source dir and follow:<br />
<br />
<pre><br />
# cd /opt/better-initramfs<br />
# git pull<br />
# less ChangeLog<br />
</pre><br />
<br />
<br />
== Bootloader Configuration==<br />
=== Grub2 configuration ===<br />
<br />
Emerge Grub2 with device-mapper support:<br />
<br />
# echo 'sys-boot/grub device-mapper' >> /etc/portage/package.use/grub<br />
# emerge grub<br />
<br />
<br />
==== better-initramfs with HARDENED kernel ====<br />
<br />
An example /etc/boot.conf for better-initramfs:<br />
<br />
<pre><br />
boot {<br />
generate grub<br />
default "Funtoo Linux Hardened"<br />
timeout 3<br />
}<br />
<br />
"Funtoo Linux Hardened" {<br />
kernel vmlinuz[-v]<br />
initrd /initramfs.cpio.gz<br />
params += enc_root=UUID="5b9ef51d-525e-4141-ad9f-7de802d1cdcf" lvm luks root=/dev/mapper/vg-root rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet video.allow_duplicates=1 iomem=relaxed<br />
}<br />
</pre><br />
<br />
<br />
==== better-initramfs with default kernel ====<br />
<br />
<pre><br />
boot {<br />
generate grub<br />
default "Funtoo Linux"<br />
timeout 3<br />
}<br />
"Funtoo Linux" {<br />
kernel vmlinuz[-v]<br />
initrd /initramfs.cpio.gz<br />
params += enc_root=/dev/sda3 lvm luks root=/dev/mapper/vg-root rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet<br />
}<br />
</pre><br />
<br />
==== better-initramfs with genkernel ====<br />
<br />
<pre><br />
boot {<br />
generate grub<br />
default "Funtoo Linux"<br />
timeout 3<br />
}<br />
"Funtoo Linux" {<br />
kernel kernel-genkernel-x86_64-3.13.0<br />
initrd initramfs-genkernel-x86_64-3.13.0<br />
params += crypt_root=/dev/sda3 dolvm real_root=/dev/mapper/vg-root rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet<br />
}<br />
</pre><br />
<br />
<br />
Now, run boot-update to write the configuration files to /boot/grub/grub.cfg<br />
<br />
# boot-update<br />
<br />
<br />
More infos: http://www.funtoo.org/Rootfs_over_encrypted_lvm<br />
<br />
[[Categoria:Segurança]]<br />
[[Categoria:Deploy Linux]]</div>
Coffnix