How to install encrypted root on OS 12.3 without LVM?

Hello,

I need to install OS 12.3 on a Mac Powerbook (dual boot) with encrypted /, swap and /home.
I cannot install an LVM because of Powerbooks/OSX/EFI properties (*).
The OS 12.3 installer does not allow encrypting /.

I used to encrypt my other systems (until 12.1) using 4 partitions (/boot, /, /home, swap), installed the system on the partition that later would become /home, encrypted the partition that will become / with cryptsetup, copied the system to there, adjusted cryptotab, fstab, made a new initrd, adjusted menu.lst and ran chkconfig boot.crypto. And so on.

Now boot.crypto does not exist anymore and I find no explanation on how to make the system ask me for the passphrase at boot.

How can I achieve a fully (except /boot) encrypted OS 12.3 now?

Thank you for help!

Daniel

(*) Powerbooks/OSX/EFI properties demand that the partitions are created within OSX and later reformatted in Linux. Otherwise boot wouldn’t work. However, the installer does not give me the opportunity to use two of those prepared partitions to install /boot and an encrypted LVM. It just says that there is no space. Manual partitioning does not offer to create an LVM volume.

You need to add a volume group first. And when adding a volume group you can select any existing partition.

How can I do that?
When I choose to install in an LVM the installer says that there is not enough space. (As mentioned above I have to create the partitions first in OSX due to the properties of the Macbook). When I choose the manual partitioner during install (even after clicking “use LVM”) there is no option to create a volume group using one of these prepared partitions.

You go to LVM and select Add Volume Group. It is possible as long as there is at least one “unused” partition.

Please show a screenshot of what you are doing. Or even better, multiple step-by-step screenshots.

I don’t have a Powerbook, but I have tried similar in a wintel box.

Boot from the live media (I used the KDE live).

Start Yast, and go to the partitioner.

In the partitioner, set your predefined partition to be an encrypted LVM. Then add root, home and swap volumes to the LVM.

You will also need a “/boot” partition, perhaps 200M (my current system uses 60M of a 200M “/boot” partition).

Ok, so here I document my latest attempt. To not make this a miles-long post I placed the (poor, taken with a mobile) screenshots on my server and put links here…

  1. In Mac OSX I created two partitions (1 GB for the later boot [1 GB is the smallest Mac OSX allows…], and 400 GB for the later LVM)
    (note: these are Mac-GB’s, i.e. with 1000 MBs)

  2. Restarted the Powerbook, selected Partitioning Tool in rEFIt

  3. Let rEFIt sync the gpt table

  4. Restarted the Powerbook to boot the OS 12.3 installation dvd, went thru the first steps until “Partitioning”,
    selected LVM, and answered the Message “will change” with YES

  5. got the message that there is not enough space

  6. chose Expert-Partitioning and got this partition table according to the one prepared from OSX

  7. Formatted /dev/sda3 as /boot

  8. Searched for a possibility to make an LVM Volume on /dev/sda4, but the partitioner does not offer this, only common filesystems

  9. Thought I’d try Volume-Management, but got the message that there are not enough devices

  10. deleted /dev/hda4, tried again in Volume-Management, got the same message

  11. added a new Partition on /dev/sda4 without mountpoint

  12. Went again to Volume-Management and created a Volume-Group (found no way to make an encrypted volume group)

  13. went to Volume Management and added a logical volume, in which I wanted to put the system: checked “encrypt” and added mount-point /

  14. Got the message that this cannot be encrypted

  15. Said 25 times f**k without asterisks and loud, closed the Macbook, put the photos on my server and wrote down my adventure here…

So. What did I do wrong? How should I proceed?

Thanks again for hints…

Daniel

The first time that I tried an LVM, I did it that way. And it worked, because I was willing to allow the installer to use all free space for the LVM.

I have never been able to do it in a controlled way during an install.

What has worked for me, is booting the live media. I normally use the live KDE for that, though for 12.3, I used the live rescue media.

Once I have created the LVM, and created the root, home, swap volumes in it, then a regular install with the DVD is happy to use those (I choose expert partitioning).

You did not do anything wrong; it appears to be an installer limitation. As you obviously know more about using encrypted filesystems, could you answer the question you were asked on the openSUSE ML - is loopback mount indeed required for encrypted filesystems?

But at least we now know for sure that you can create an LVM during installation. :)

OK, I briefly tested once more and I was able to

  • edit partition, set it to “Do not format” and Encrypted and selected partition type “Linux LVM”
  • then I was able to add this partition to Volume Group, add Logical Volume on this partition and set mount point of this logical volume to “/”
  • then added more volumes like swap etc

This gives you one big encrypted container with multiple volumes inside.

I did not proceed further to actually install it, but it is something you could try.

I am not sure how well it will work in case of multiple different encrypted partitions in the volume group, but as long as having single encrypted container is OK, it should do what you need.

On 2013-03-29 09:36, arvidjaar wrote:
> is loopback mount indeed required for encrypted filesystems?

AFAIK, if it is a partition, no. If it is a file, yes.

And the default for an encrypted home is a loop-mounted file as
filesystem, so that one needs loop.

An LVM encrypted system with “partitions” should not need it.


Cheers / Saludos,

Carlos E. R.
(from 12.1 x86_64 “Asparagus” at Telcontar)

Hello everybody,

So after struggling a lot, it is finally solved. I omit all the attempts that did not work, and don’t know if everything I did really was necessary (like the double install), but that’s how it finally worked…:

It’s about installing encrypted OS 12.3 on a dual boot Mac Powerbook 8.1.

First of all I downloaded and installed rEFIt, then I used the Mac OSX Disk-Utility to resize the Mac’s partition (to 100 GB) and created two new partitions (1 GB [which is the smallest this “intelligent” partitioner allows] to later become /boot, and the rest, approx. 400 GB, to later take the LVM).

Restarted the MacBook and let rEFIt -> Partition tool adjust its table.

  • downloaded and burned the OS 12.3 installation dvd
  • downloaded and burned the KDE Live CD, started KDE-Live (to start the dvd, pushing “c” when pushing the “on”-button until the dvd seems working)
  • used the Yast Partitioner to re-format the partitions that I prepared in OSX:
    /dev/sda3 and /dev/sda4 to ext2 without giving them mountpoints
  • started Yast -> misc -> Live Installer
  • on “suggested Partitioning” checked “Create LVM Based Proposal” and “Propose separate Home” (NOT checked “Encrypt”)
  • clicked “edit Partition setup”
  • clicked “rescan Devices”
  • added mount-point /boot to /dev/sda3
  • with “Volume Management” -> add -> Volume Group I added a new volume group
  • again with “Volume Management” and add -> Logical Volume I added 3 logical volumes (I named them “root” 20 GB, “sys” all the rest - 2 GB, and “swap” 2 GB)
  • Let the installation run
  • in the “Summary” clicked on “boot system” and selected “GRUB” (not GRUB 2), to boot from /boot (and NOT MBR)
  • allowed the reboot (chose the now appearing “Linux” in the rEFIt screen at startup) and let the installation complete. Removed the Live CD, shut down.
  • Inserted the OS 12.3 installation DVD and started it (again with holding down “c”)
  • going thru the first steps, and when reaching “Suggested Partitioning” this time checked Create LVM, Encrypt, and Propose separate home
  • clicked “Create Partition setup”
  • checked “1: IDE Disk, xxx GB, /dev/sda/, id…” (and NOT Custom Partitioning - this did not lead to useful results in other tries)
  • under “Preparing Hard Disk” right below “Use Entire…” I unchecked what was proposed and checked ONLY my previous /boot and /LVM partitions
  • below under “Proposal settings” left the proposal as is (checked “create LVM”, “Encrypt” and “Propose home”, UNchecked “Use Btrfs”)
  • clicked “next”
  • Now “Suggested Partitioning” appears again; it suggests to delete my formerly created sda3 and sda4, create a new boot volume on sda3 (smaller now) and a new Volume Group System on sda4
  • checked “Edit” to adjust the sizes and select “reiser” as filesystem for the /home and /root/ LVM-Partitions
  • clicked accept
  • let install finish (again in the “Summary” clicked on “boot system” and selected “GRUB”), rebooted into Linux, let the rest of the installation process finish - and VOILA!

What remains is to adjust the wifi driver and several other things (some about to discover, I guess), but these are other topics…

Hope this helps to anybody with similar problems…

Daniel
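The command-line equivalent of what arvidjaar's partitioner steps (an encrypted partition of type “Linux LVM” used as the physical volume) and Daniel's final layout (/boot on /dev/sda3, root/home/swap volumes in a group on /dev/sda4) produce, as an added example that is not from any post in this thread. It assumes those device names, a volume group named “system”, and that it is run as root from a live system; the crypttab line it prints is what makes the initrd ask for the passphrase at boot.

```shell
#!/bin/sh
# Added example, not from any post in this thread: one LUKS container that
# holds an LVM volume group with root, home and swap, plus a plain /boot.
# Assumptions: /dev/sda3 is the prepared /boot partition, /dev/sda4 becomes
# the encrypted container, the volume group is called "system".
# Only "--run" touches disks; it DESTROYS whatever is on /dev/sda3 and /dev/sda4.
set -eu

# /etc/crypttab entry: <mapper name> <device> <keyfile or none> <options>.
# With it in the installed system (and an initrd rebuilt with mkinitrd),
# the initrd asks for the passphrase and opens /dev/mapper/<name> before LVM.
crypttab_line() {
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

# /etc/fstab entries for the volumes in the group and for /boot.
fstab_lines() {
    vg=$1
    printf '/dev/%s/root / ext4 acl,user_xattr 1 1\n' "$vg"
    printf '/dev/%s/home /home ext4 acl,user_xattr 1 2\n' "$vg"
    printf '/dev/%s/swap swap swap defaults 0 0\n' "$vg"
    printf '/dev/sda3 /boot ext2 defaults 1 2\n'
}

setup_encrypted_lvm() {
    dev=$1
    vg=$2
    name="cr_$(basename "$dev")"            # e.g. cr_sda4, as YaST names it
    cryptsetup luksFormat "$dev"            # asks for confirmation + passphrase
    cryptsetup luksOpen "$dev" "$name"      # creates /dev/mapper/cr_sda4
    pvcreate "/dev/mapper/$name"            # the opened container is the PV
    vgcreate "$vg" "/dev/mapper/$name"
    lvcreate -L 20G -n root "$vg"
    lvcreate -L 2G -n swap "$vg"
    lvcreate -l 100%FREE -n home "$vg"      # rest of the container
    mkfs.ext4 "/dev/$vg/root"
    mkfs.ext4 "/dev/$vg/home"
    mkswap "/dev/$vg/swap"
    mkfs.ext2 /dev/sda3                     # unencrypted /boot, as in the thread
    crypttab_line "$name" "$(cryptsetup luksUUID "$dev")"   # -> /etc/crypttab
    fstab_lines "$vg"                                       # -> /etc/fstab
}

if [ "${1:-}" = "--run" ]; then
    setup_encrypted_lvm /dev/sda4 system
fi
```

Install into the volumes afterwards (or copy a system over, as in the 12.1 method), put the two printed fragments into /etc/crypttab and /etc/fstab of that system, and rebuild its initrd.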

I got curious and tested an install. It worked just fine.
Encrypted partition:

Name:              cr_ata-QEMU_HARDDISK_QM00001-part2
State:             ACTIVE
Read Ahead:        256
Tables present:    LIVE
Open count:        2
Event number:      0
Major, minor:      253, 0
Number of targets: 1
UUID: CRYPT-LUKS1-37faa1ad374d4a05b5baf75df3ba457e-cr_ata-QEMU_HARDDISK_QM00001-part2

LVM

  PV                                             VG   Fmt  Attr PSize PFree
  /dev/mapper/cr_ata-QEMU_HARDDISK_QM00001-part2 12.3 lvm2 a--  4.89g 4.00m
  LV   VG   Attr      LSize   Pool Origin Data%  Move Log Copy%  Convert
  root 12.3 -wi-ao---   4.00g                                           
  swap 12.3 -wi-ao--- 912.00m                                           

fstab


/dev/12.3/swap       swap                 swap       defaults              0 0
/dev/12.3/root       /                    ext4       acl,user_xattr        1 1
/dev/disk/by-id/ata-QEMU_HARDDISK_QM00001-part1 /boot                ext2       

And to round it off - I tested /boot on the same encrypted container and it works just fine. Of course it means two password requests, one from grub2 and one from the initrd. But I do not think we can do any better so far, without an explicit handover protocol between the bootloader and the kernel to pass the passphrase.

It means you can have your system fully encrypted if desired.