All posts tagged luks


Last time I posted about this topic I had planned to support tuxonice for suspend to RAM and disk. However since then I’ve decided to drop that aspect for two reasons.

1 TOI is way behind in terms of kernel versions

2 The default in kernel suspend to RAM/disk seems to work just fine

Instead of just continuing from the last post I wanted to create a new one that is hopefully a bit more clear. Again we will start at the part of the Gentoo handbook installation where we partition our disks.

Normally we’d create partitions for boot, swap, and root. Instead we will create two partitions. One for boot and the other for encrypted LVM. This LVM partition will use logical volume management to contain an arbitrary number of logical volumes which in our case will be used for swap and root.

Creating your encrypted partition

As before using fdisk (or whatever partition tool you prefer) create to partitions.



sda1 above is set to bootable and is of filesystem type 83 (linux). sda2 is of the same filesystem type.

I normally use ext2 for my boot partition but you can use whatever you like.

mkfs.ext2 /dev/sda1

Now we will prepare our encrypted partition. Load the following modules if they aren’t already available.

modprobe dm-crypt
modprobe aes
modprobe sha256

Now format the partition with cryptsetup.

cryptsetup luksFormat /dev/sda2

Create your password and be sure to memorize it.

Now open the encrypted partition.

cryptsetup luksOpen /dev/sda2 main

Enter your password.

You will now have access to your partition in /dev/mapper/main. Keep in mind the name “main” was chosen randomly and is just the name of the file that will represent the unlocked partition. You can change it every time you unlock it if you want.

Now create the physical volume and volume group.

pvcreate /dev/mapper/main
vgcreate [vgname] /dev/mapper/main

Now we create two logical volumes in our new volume group [vgname].

lvcreate -L 1G -n swap [vgname]
lvcreate -L XG -n root [vgname]

Here I chose 1G for the swap partition size. X is just the size of the remaining space available to be for the root partition. You can find the remaining space available with the following command.


If you look at the value for the field “PE Total” you will see how much space is available for allocation. Other fields can also be helpful to such as “allocated” and “free”.

At this point you now have two logical volumes for swap and root respectively. You can now format them as you normally would.

mkswap /dev/vg/vg-swap
mkfs.ext4 /dev/vg/vg-root

At this point the rest of the gentoo handbook applies as normal. The exception is that you will need an initramfs to perform the unlocking of your encrypted partition. After you create your initramfs you will need to make sure to reference it in your grub config or whatever you use to bootstrap your OS installation.

Creating the initramfs

Now onto creating the minifilesystem loaded by the kernel first. This is necessary to decrypt your encrypted partition to allow the boot process to continue.

Create a directory to work under, as we’ll be creating a filesystem.

mkdir initramfs
cd initramfs

Now create the directories with the following.

mkdir -p bin lib dev etc mnt/root proc root sbin sys

Now copy of the usual device nodes from your existing filesystem into your initramfs.

cp -a /dev/{null,console,tty,sda1,sda2} .

Feel free to copy other devices as needed. Also if your drive is not sdaX change it accordingly.

You will want to copy over various utilities that you might want to use as well. Just be sure they are compiled with the “static” use flag as any dependencies binaries have will also need to be copied. To avoid copying over huge chains of dependencies just compile the files you want statically so you won’t have to worry about this.

Since we are using cryptsetup and lvm we will need to copy our cryptsetup and lvm binaries (built statically)  onto the filesystem.

Once you build them statically just copy them into the ./sbin directory.

Its also typical to build busybox and add it to ./bin so feel free to customize.

The main part of the initramfs is the init script in the root of the initramfs. It is what gets executed immediately after the kernel boots and then it, once the real root partition is decrypted, calls the main init script.

Below is part of my initramfs init script. This is the minimum requirement to accomplish the decryption and booting we need.

#mount proc and sys filesystems

mount  -t proc none /proc

mount -t sysfs none /sys

echo 0 > /proc/sys/kernel/printk

# decrypt

/sbin/cryptsetup luksOpen /dev/sda2 main

/sbin/lvm vgscan –mknodes

/sbin/lvm lvchange -aly vg/swap

/sbin/lvm lvchange -aly vg/root


mount /dev/mapper/vg-root /mnt/root


umount /proc

umount /sys

# and we continue

exec switch_root /mnt/root /sbin/init

Save this into your init script.

chmod u+x init

Some of the things I put in here could use a bit of explanation.

The echo 0 disables kernel printk debug messages. I did this because these kernel messages come up a lot, even during typing of my password. I found it irritating so I disabled it during the initramfs process.

The cryptsetup line is pretty straightforward as it lets us unlock our encrypted partition. The following lvm lines are to enable our logical volumes and make the representative device nodes in /dev/mapper.

The final part is where the script hands off control to the decrypted init script on the root partition. Keep in mind that there is a space between the /mnt/root and /sbin/init.

Once you’ve created the filesystem to your needs you must build this mini filesystem into an initrd gzipped cpio type file to be included along with your kernel. To build the initramfs file you can issue the following command.

find . -print0 | cpio --null -ov --format=newc | gzip -9 > /boot/my-initramfs.cpio.gz

Name your initramfs.cpio.gz file however you like and make sure to include it in your bootloader. For grub it would look something like the following.

title=My Linux

root (hd0,0)

kernel /boot/my-kernel

initrd /boot/my-initramfs.cpio.gz

At this point you can reboot your system and test your setup. Your initramfs should load and allow you to enter your encrypted partition password. After that bootup should continue as usual. You can of course make your init script smarter by checking for a correct login or spawning a busybox shell if you need to. These options are left to you.

LVM device nodes

Another thing you might want to do is add a startup script to be executed by your system during boot that will re-create the lvm device nodes as they will no longer exist when the initramfs is removed from memory after it is done. If you use swap your system won’t be able to find /dev/vg/swap since the node for it wouldn’t have been created. I’m not sure why lvm doesn’t automatically see this but I added a simple script to my /etc/local.d/ called 40_fixlvmnodes.start that has the following contents.


echo “creating lvm nodes”

/sbin/lvm vgscan –mknodes

echo “enabling swap”

swapon /dev/vg/swap

Don’t forget to make this script executable too.

chmod u+x 40_fixlvmnodes.start

Be sure to update your /etc/fstab with your root and swap filesystems with the appropriate device paths. Mine looks like this.

/dev/vg/root / ext4 noatime 0 1

/dev/vg/swap none swap sw 0 0

Additional LVM usage

It is useful to become more familiar with lvm as it can be needed if you have to make any changes. For example when I did this on my new laptop I had created the root logical volume too small. It was using only 172G leaving over 500G unallocated! Using lvextend you can add unallocated space to a logical volume provided the physical volume can accommodate it.

lvextend -L+500G /dev/vg/root

Using lvextend I was able to use the full free space for my root partition as I had originally intended. The filesystem used for my root partition is ext4. In order for this already existing filesystem to see the available space I had to expand the filesystem as well.

I was able to do this, after resizing the logical volume above, with the following.

resize2fs /dev/mapper/vg-root

Keep in mind I did this from my livecd so the filesystem was not mounted during these operations. I’ve read that ext4 can be resized during runtime however I prefer not to chance potential filesystem corruption.

Once this was done I just rebooted and verified that my root partition was as large as it should be. All was good.

Final notes on full disk encryption

Other notes are that this is not entirely full disk encryption. The boot partition is obviously left unencrypted. If you truly want your entire disk to be encrypted you would have to perform the same operations but for all things involving the /boot partition you would use a USB drive of some kind. You will need this USB disk to boot your system. This offers more protection but managing a physical item is overkill for me. I just want to mention it in case someone is interested in doing this.

Now your root and swap partitions are fully encrypted at rest! Once your system is on however the disk is obviously unencrypted so disk encryption is only really useful “at rest”. This means if you shut down your system your content is safe. However once you boot up your filesystem is available if you are, say, nabbed while your system is on. In addition to this your crypto key is in memory at a probably known location (cryptsetup/dm-crypt are open source afterall). Its unlikely you will be in a scenario where this matters as only feds and those with some fun tools can make use of this information. I just want to be complete with this article so you are more aware. Knowing the ins and outs of security is very important.

That said, enjoy!



tuxonice-sources 2.6.38-r2
hibernate-scripts 2.0
tuxonice_userui 1.0

One of the interesting configs needed for toi when using an initramfs, which we will due to crypto, is that you must enable

Otherwise when linux boots up it will attempt to resume before the initramfs. Obviously this is undesirable as since we are encrypting our filesystems it won’t find the resume file. This config basically tells it not to attempt it just yet. However, after initramfs is done TOI will not resume. It actually expects you to manually call the tuxonice /sys interface telling it exactly when its ok to resume. For our purposes we want to make this call in our initramfs after the user has successfully decrypted the filesystem.

What we use for encrypting our partition

dm-crypt – backend for our crypted filesystem
cryptsetup – frontend for performing initial formatting, opening and closing of encrypted filesystems.
lvm – the reason for using this in addition to our encrypted filesystem is to allow the swap partition to also be encrypted.
Essentially we are using one encrypted partition which LVM will recognize, once decrypted, as 2 logical partitions. In our case
swap and root. Using LVM you can have as many partitions as you’d like and they would all benefit from being encrypted as they are
physically one partition.

Make sure that your kernel has either built in support or modules for dm-crypt. If the latter is used make sure initramfs will load
modules you require. Personally for the Crypto APIs I build that all into the kernel for simplicity.

The initial setup of your Gentoo system is the same as the gentoo-handbook guide until the part where you are creating the filesystem partitions. Here we will deviate. Create two partitions. One for /boot and the other which will be our encrypted container partition.
For our example these partitions will be /dev/sda1 and /dev/sda2.

modprobe modules dm-crypt, aes, and sha256. At this point we can encrypt the /dev/sda2 partition.

cryptsetup luksFormat /dev/sda2
— here you can setup your password.

Now to open(decrypt) the partition just created.

cryptsetup luksOpen /dev/sda2 root — root in this case is the name of our luks device. just make sure this is consistant.

LVM – here we will create the logical drives from our now accessible partition.

pvcreate /dev/mapper/root
vgcreate vg /dev/mapper/root

Now create the logical drives as you see fit. Here we will create two logical drives (partitions). One for root and one for swap.

lvcreate -L 40G -n root vg  — here vg is the volumegroup we created before and -L specifies the size of the partition. This is /
lvcreate -L 1G -n swap vg   — and this one is for swap.

Now we continue setting up our drives as normal according to the gentoo-handbook installation guide.

mke2fs -j -L root /dev/vg/root  — just note the device path is now a bit different due to LVM. They behave as any block device tho.
mkswap -L swap /dev/vg/swap

After this part you continue the Gentoo installation as per the usual

The next thing to note is that to properly boot up you will need an initramfs with cryptsetup and tools built statically and available on the initramfs itself. Also for tux on ice you will need to copy the tuxoniceui_text and or tuxoniceui_fbsplash as well. The details of configuring the initial ram fs will be detailed in Part 2 along with tux on ice configuration setup.


Part 2 – Creating the initramfs (Coming Soon)