-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ CRYPT+RAID HOWTO Version 0.2 2016/10/09 by Marco Predicatori # ACNOWLEDGEMENTS # # This howto is largely based on # README_CRYPT.TXT by Eric Hameleers # (ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/README_CRYPT.TXT) # and README_RAID.TXT by Amritpal Bath # (ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/README_RAID.TXT) # Introduction # The purpose of this howto is to put together in the proper # sequence the steps for setting up a Slackware system which is both # fully encrypted and has the hardware redundancy of a RAID1 array. # If any step isn't clear enough, I suggest that you read the original # howtos by Eric Hameleers and Amritpal Bath. ################################################################################ PART 1: Installing Slackware on RAID+CRYPT ################################################################################ # Boot your machine using a Slackware dvd. This procedure starts at the boot # prompt. # Disk partitioning # Create any partition you wish. For this howto you will use a small unencrypted # array for the /boot partition and the rest of the disk for all the other # encrypted logical volumes. This is what you want to achieve: # Boot array, unencrypted, bootable, /dev/md1 = /dev/sda1 + /dev/sdb1 # Encrypted array, /dev/md2 = /dev/sda2 + /dev/sdb2 # Both disk partitions will have to be type fd (Linux raid autodetect). # The size of /dev/sda1 can be of 100MB, /dev/sda2 will take up the remaining # space, leaving about 100MB of free space, to allow you to replace a failed # disk with one with a slightly different dimension. # Let's start by partitioning the first disk: fdisk /dev/sda # or cfdisk /dev/sda # Follow the [c]fdisk instructions to create the desired partitions. # Check the result: fdisk -l /dev/sda # You must come up with a situation like this: Device Boot Start End Sectors Size Id Type /dev/sda1 * 63 192779 192717 94.1M fd Linux raid autodetect /dev/sda2 192780 156007214 155814435 74.3G fd Linux raid autodetect # Now let's replicate the partitioning on the second disk: sfdisk -d /dev/sda | sfdisk /dev/sdb # Create the raid array for the unencrypted /boot partition: mdadm --create /dev/md1 --level 1 --raid-devices 2 \ /dev/sda1 /dev/sdb1 --metadata=0.90 # Create the raid array for the encrypted partition: mdadm --create /dev/md2 --level 1 --raid-devices 2 \ /dev/sda2 /dev/sdb2 # Encrypt md2: cryptsetup -y -v -s 512 -c aes-xts-plain64 -h sha512 --use-random \ luksFormat /dev/md2 # Open the encrypted device you've created in the previous step: cryptsetup -v luksOpen /dev/md2 slackluks # Create a Physical Volume (PV) on device'/dev/mapper/slackluks', # a Volume Group (VG) called 'cryptvg' (any name will do) on the PV pvcreate /dev/mapper/slackluks vgcreate cryptvg /dev/mapper/slackluks # Create your partition root partition. 50 GB is way more than slackware needs, # but leaves plenty of space for any further software you might want to install # in the future: lvcreate -L 50G -n root cryptvg # If you need a swap space of X GB, let's create it now. Skip this step if you # have enough RAM to make a swap space useless: lvcreate -L XG -n swap cryptvg # Now, with or without a swap partition, let's use the remaining space # for your home partition: lvcreate -l 100%FREE -n home cryptvg # With the system properly prepared, you can launch 'setup'. The 'setup' # program will identify the LV swap volume and activate it. When appointing # the partitions to use for your filesystems, select '/dev/cryptvg/root' for the # root partition, next select '/dev/cryptvg/home' to be used for your /home . # And lastly, assign the array /dev/md1 to a /boot filesystem. This # '/boot' filesystem will be the only unencrypted part of your computer. # When asked about LILO, choose the "simple" setup. # When asked about additional "append=" parameters, you # should type in "root=/dev/cryptvg/root", to ensure that the proper device # is mounted on / at bootup. # When asked about where to install LILO, choose MBR. # Install lilo. It's ok for now. You will tweak it again an reinstall later. # Complete your installation. # After exiting the installer, you have just a few settings to tweak. # The Slackware setup has mounted the new system's root partition on /mnt/. # Chroot into it: chroot /mnt/ ########## FROM NOW ON, YOU MUST REMAIN IN A CHROOTED ENVIRONMENT ########## # Edit /etc/lilo.conf using vi: vi /etc/lilo.conf # - add a new line (add it anywhere, but don't indent it): raid-extra-boot = mbr-only # - Look for the following line: # boot = # - Change it to: boot = /dev/md1 # The linux part of #'/etc/lilo.conf' should end up looking somewhat like this: image = /boot/vmlinuz initrd = /boot/initrd.gz root = /dev/cryptvg/root label = linux read-only # Now let's create a customized /etc/mdadm.conf for your system: mdadm -Es > /etc/mdadm.conf # Switch into the /boot directory: cd /boot # Delete these links, you will replace them: rm -v System.map rm -v config rm -v vmlinuz rm -v vmlinuz-generic rm -v vmlinuz-huge # Recreate the links pointing to the generic kernel. # Adjust version numbers for later versions: ln -s -v System.map-generic-4.4.14 System.map ln -s -v config-generic-4.4.14 config ln -s -v vmlinuz-generic-4.4.14 vmlinuz # Next, edit (create, if necessary) /etc/mkinitrd.conf: vi /etc/mkinitrd.conf # Add: MODULE_LIST="ext4" RAID="1" # Edit /etc/lilo.conf, and find the line at the very end that says: # image = /boot/vmlinuz # Add a new line after it that says: initrd = /boot/initrd.gz # In this case, be sure to indent the line you've added! # Run the mkinitrd helper script. You might find it useful to # redirect its output to a file (ex.: /root/mkin), # so that you can tweak it later if needed. /usr/share/mkinitrd/mkinitrd_command_generator.sh -r > /root/mkin # Now /root/mkin contains the command that needs to be launched to create # your /boot/initrd.gz, which will be used by your boot loader. # Add support for your keyboard to the initrd image using this additional # parameter to /root/mkin: "-l ". The string is the # same as the one you select in the installer when your keyboard is # non-US. Example for a dutch keyboard: "-l nl". # If you fail to specify your keyboard layout, you might not be able # to insert the password to unlock your encrypted device at boot. # Edit /root/mkin and add your "-l xx" parameter # Now you just need to make /root/mkin executable and launch it: chmod -v u+x /root/mkin /root/mkin # /boot/initrd.gz has been created. Check what lilo would do: lilo -t -v -b /dev/md1 # If everything looks fine launch lilo: lilo -v -b /dev/md1 ####### YOU MAY SKIP THIS ############# # This is a little trick, which you can skip. This trick will help you # to identify your most recent surviving disk/partition during a RAID recovery. # This command makes the shutdown script mark with a timestamp # the root partition. In case of a RAID recovery, reading the content # of /timestamp will guarantee that you are truly recovering from the right disk. echo "date --rfc-3339=seconds > /timestamp" >> /etc/rc.d/rc.local_shutdown chmod -v u+x /etc/rc.d/rc.local_shutdown ####### STOP SKIPPING ################## # You can now exit the chrooted environment: exit ########## YOU ARE NO LONGER IN A CHROOTED ENVIRONMENT ########## # You are done, you can remove the installation media # and restart your workstation: reboot # Especially if you are not familiar with RAID and cryptsetup operations, # it is strongly recommended that you simulate immediately a disk failure. # Being a first timer on a real, production disk failure can lead to nasty # surprises. Pull out one of the disks, wipe it clean with dd or any other tool # and try PART 2: ################################################################################ PART 2: recovering after a disk failure ################################################################################ # In order to replace a failed disk, you need to boot from a media which is not # part of your failed RAID array. A Slackware CD will do. Insert a clean hard # disk, a Slackware CD, turn the computer on and get to the root prompt. # First of all, check the situation. cat /proc/mdstat # The output will look like this if the RAID array is healthy: Personalities : [linear] [raid0] [raid1] [raid10] [raid6] [raid5] [raid4] md2 : active raid1 sdb2[2] sda2[3] 243138560 blocks super 1.2 [2/2] [UU] bitmap: 2/2 pages [8KB], 65536KB chunk md1 : active raid1 sdb1[1] sda1[0] 102336 blocks [2/2] [UU] unused devices: # If a disk or partition has failed, you will see a [U_] instead of a [UU], # with an "_" representing the failed unit. # In /proc/mdstat it is important to identify, for each failed array, # the healthy disk/partition, in order not to destroy the last surviving one. # Let's assume that you still have /dev/sda, and you have a brand new disk in # /dev/sdb. Just like you did on the RAID installation, you need to # replicate the partitions of /dev/sda onto /dev/sdb. # WARNING! # WARNING! # WARNING! # At this point, you are destroying all the data in /dev/sdb. # You must be sure that you are not destroying your good disk. sfdisk -d /dev/sda | sfdisk /dev/sdb # Invert ...sda and ...sdb, if you are recovering from a failure of /dev/sda. # It is better to change the identifier of the new disk to something different, # because two RAID units with the same disk identifier can cause errors # at boot time. Use this command: fdisk /dev/sdb # Follow the instructions inside fdisk to change the disk identifier. # Now you are ready to include the new, empty disk partitions into the RAID # arrays: mdadm --manage /dev/md1 --add /dev/sdb1 mdadm --manage /dev/md2 --add /dev/sdb2 # and so on, if you have more arrays/partitions. It's better to always restore # the boot array first, because it's very small and it will be restored in few # seconds. Restoring the large, encrypted array can take very long, but you # won't need to wait for it to complete before rebooting, as you will see later. # You can check the progress of the RAID arrays restoration using again cat /proc/mdstat # So far, there has been no need to open the encrypted volume on /dev/md2. you # will do this now, because you need to refresh the boot sector with lilo. You # can do this regardless of the /dev/md2 restoration progress. It will go on # in background. cryptsetup -v luksOpen /dev/md2 cryptvg vgscan --mknodes vgchange -ay # Now you mount the encrypted logical volumes. You need to mount at least your # / (root) and /etc volumes. I assume that /etc is within the same volume # as / (root): mount -v /dev/cryptvg/root /mnt/ ####### YOU MAY SKIP THIS ############# # If at the end of part 1 you have implemented the timestamp trick, now it's # time tho check: cat /mnt/timestamp # It must contain the time of your last shutdown. If it doesn't, # you have mounted the wrong disk/partition. # Don't go any further with this procedure. # Unmount everything and shut down. Find the right disk and restart part 2. ####### STOP SKIPPING ################## # Now you mount the unencrypted boot array: mount -v /dev/md1 /mnt/boot/ # Some other directories needed in the chrooted environment: mount -Bv /dev/ /mnt/dev/ mount -Bv /proc/ /mnt/proc/ mount -Bv /sys/ /mnt/sys/ # You can now chroot into your encypted root array: chroot /mnt ########## FROM NOW ON, YOU MUST REMAIN IN A CHROOTED ENVIRONMENT ########## # Check what would lilo do: lilo -t -v # If there is anything wrong, edit /etc/lilo.conf, and check again. # Go ahead with lilo: lilo -v # You are done, you can leave the chrooted environment. exit ########## YOU ARE NO LONGER IN A CHROOTED ENVIRONMENT ########## # Before rebooting check again the status of your RAID arrays. # It is absolutely mandatory that the recovery of your boot array (/dev/md1) # has finished. You must see [UU] in /proc/mdstat for the /dev/md1 array. # Other arrays may be still in the recovering phase. It's no problem, you don't # need them to reboot, and their recovery will continue after the next boot. cat /proc/mdstat # If everything is fine, eject the Slackware disk. # Reboot, only if you have [UU] on your /dev/md1 boot array. reboot # Good luck! :-) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJX+ypVAAoJEB/R9oFxDPMwr6gQANKLYLp3QSNgfBrm3Mb5OkEF UeahGY7Vgmb93R+h6TRsXBj1HDyJUPsqcD4ZkX4SH0exSQ1Ydde6LpYUf/rkLg4/ 96cWmza5BwPjWYC+t5oO9BGzHkm6k82j/i+uC5Alzs+x1rMKh+YzZkRdUVDqxU4W 5/a4+BIB2dj0+Iv1wO99XhuLzX8eoGdsPlisckVSwlPd38GxvtHGhumZKyD7i8eh W+bBa1LeJpeZK61zHzvXqZQaxkcDVbkLV5YCTvFLui/heHbtoEc7C1q2PnezWeHh hF4YPVezXQUuqTaq82/rthb5D9dZOrXjv6jUago+GRJOY3lFjwN28+t1GxqeQvYB o5f80rjh2xhOzJes1hQyp3u6jIhWT1nJrJwqC/Am4nGoQuPEDEy1N8pxNO18wZDh BCFhGAKh2nmG3JHlE2vD57jGUGAP88G3ekGXLPNLSVpk602YMus501H+MC2P2J+w I66zETZWxQ9TLHTjaisgjIeaAfhz9gzFgByLa4SgPk41goRBuvgR6FKLOqUsGtWI HIkN5vLBWIxyqsz3a7J4caWcUnXCS9fRwUA1tab/T6ePSEj1DqLUP6wO651zya/X Z32jmzhof99Td3gfaOPi72Suxb4jJvSlrCHMUK4znSMGG1VNBSacPW9Uoh07iIrQ Ob2/JEStgOHZbi/VH38o =0j2t -----END PGP SIGNATURE-----