The officially official Devuan Forum!

You are not logged in.

#1 Re: Installation » Problem booting encrypted LVM » 2019-01-13 22:30:00

I've got into trouble with the installer too. It expects you to set up lvm volumes which are then subsequently encrypted.

What I do on an UEFI system is to create two GPT partitions  - the first is a non-encrypted EFI System Partition (ESP) and the second is the rest of the disk. This second GPT partition is then LUKS encrypted. I then create lvm volumes inside (or on top of, depending on your way of looking at it) the encrypted partition, creating separate lvm volumes, including one for swap.

The downside of doing this is that you need to enter the encryption key twice on booting: once when GRUB2* opens the initial ramdisk stored on the encrypted boot volume, and once again when the inital startup hands over to the full-fat system. It is a fair amount of manual set up. It is possible to embed a keyfile into the inital ram disk (which is stored in the encrypted /boot partition), so you need only enter the encryption password once, but I have not done that, partly out of laziness.

As I said, it is a pretty manual process, and getting the standard installer** to do this would require a major rewrite, so it is unlikely to occur in the near future, if at all.

For me, the benefit is effectively having full disk encryption, including an encrypted swap file, and any new volumes I create while experimenting are automatically encrypted without me having to think about it, and without me having to juggle multiple different encryption passphrases.

Simplicio

*GRUB2 has a module that can open LUKS1 (not LUKS2) format encrypted volumes, and a module that can open LVM volumes. It also has modules that understand enough of many different filesystem layouts to boot. One of the bits needed to be done is ensuring GRUB2 has all the necessary modules to hand. Similarly initramfs needs to have all the necessary capabilities included.

**fsmithred's refracta installer looks like it makes the process a great deal easier. Details here: Refracta:RAID - LUKS - LVM

#2 Re: Installation » Feature Request:Include a loopback.cfg in the iso » 2018-08-30 09:58:53

Just checked - that is the grub2 script that works. Posting from Lubuntu 18.04.1 now.

lubuntu@lubuntu:~$ uname -a
Linux lubuntu 4.15.0-29-generic #31-Ubuntu SMP Tue Jul 17 15:39:52 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
lubuntu@lubuntu:~$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 18.04.1 LTS
Release:	18.04
Codename:	bionic

To my mind, that means that there probably ought to be a script that works for Devuan, I just haven't got it right yet. On the other hand, the Devuan startup might be different to (L)ubuntu in a way that is significant. It's this need to tweak scripts that made me wish for loopback.cfg.

What I'm aiming on doing is building a USB memory drive with multiple ISOs on it so that I can invoke DBAN, SuperGrub2, rEFInd, SystemResueCD, and others, including Devuan, (and possibly even a Puppy Linux setup) to use as a 'Swiss Army Knife' when installing Linux on recalcitrant laptops (like the Infamous Acer ES1-132 series), and rescuing other people's data (or deleting data before disposal of hardware). At the moment, I have a resealable freezer bag with 'a number' of USB memory drives in it.

As I said in the previous posting, installing Devuan would likely not be a problem, this was triggered by me wishing to do a quick suck-it-and-see to see if Devuan booted nicely on my hardware. It would have been faster for me to walk to the nearest store selling USB memory drives, buy one, and write the ISO out to that, but there's no challenge in that, and it costs money. :-)

Simplicio

#3 Re: Installation » Feature Request:Include a loopback.cfg in the iso » 2018-08-30 07:35:09

Thank-you for that.

Unfortunately, the way that I have my system set up[1] means the grub script you kindly gave as an example doesn't work for me. It fails in initramfs with a message about not being able to find some media (I didn't write down the details). The odd thing is, something very similar does work for a (L)ubuntu ISO - 18.04.1, which inhabits the same partition as the Devuan ISO. It would have been quicker to write out a USB memory drive - but the itch I have is: 'Huh? Why doesn't this work?'.

menuentry "Lubuntu 18.04.1 ISO" {
insmod iso9660
insmod ext2
insmod udf
insmod part_gpt
set root='hd1,gpt5'
set isofile="/lubuntu-18.04.1-desktop-amd64.iso"
loopback loop (hd1,gpt5)$isofile
linux (loop)/casper/vmlinuz boot=casper iso-scan/filename=$isofile noprompt noeject toram --
initrd (loop)/casper/initrd.lz
}

I can't swear the above is the correct script: I was modifying scripts on-the-fly in the grub command line, so I'll have to go back and double check and see if I can validate the above.

It's not preventing me from booting an installer from a USB memory drive, so no reply is needed - there are more valuable things to do with your time.

The reason I'm doing this is to allow me to do a quick check that my hardware is supported by Devuan, which is why loading it up in a virtual machine is not what I'm after - otherwise that would be another way of doing this, as you say, without the inconvenience of a reboot.

I wasn't aware of the lua requirement, and a quick look with Internet searches didn't give me any clue as to whether it is compiled into the Debian grub - although I did find a conversation with a grub developer who did not want it as part of standard grub, but in 'grub-extras'. SuperGrub2 disk has got me out of a couple of scrapes with poor UEFI implementations before, but I've never looked deeply at how it does its magic.

Regards,

Simplicio

[1]My boot partition is on an LVM volume in a LUKS container. The EFI System Partition simply has the grub executable, which automagically finds the LUKS container, then prompts me for the password, which, if valid, allows grub to open the LUKS container, find the LVM volume and use the boot partition, so the environment that the iso finds itself in is somewhat non-standard. The ISOs are currently located on a non-encrypted partition that is not managed by LVM. This set up was simply done to see how much of the system could be made to be protected by full disk encryption. In principle, the ESP could be put onto a removable USB memory drive, and possibly LUKS could be set up in detached-header mode leaving the internal storage device appearing to be a random(ish) assemblage of bits. I have not tried to complete this proof-of-concept (yet).

#4 Installation » Feature Request:Include a loopback.cfg in the iso » 2018-08-29 10:10:50

Simplicio
Replies: 3

It would be nice if a maintainer could find the time to include a loopback.cfg as part of the iso build.

Details here: https://www.supergrubdisk.org/wiki/Loopback.cfg

Examples of its use are here: https://www.aioboot.com/en/boot-linux-iso/

The benefit is that it allows easy booting off a downloaded iso without needing to find a blank USB memory drive to write the ISO to.
Of course, there might be good reasons for not doing this that I am not aware of.

Simplicio

#5 Re: Installation » default packages » 2018-07-01 15:02:26

I would also say that the debian-installer doesn't appear to meet my wants*, although my rather extended workaround got me to where I wanted to be, eventually.

It would be nice™ if I could set up the discs the way I wanted beforehand with lvm, encryption, and the filesystem of my choice (and I dare say some people would want raid) and 'simply' point the installer at the already pre-prepared /, /boot, /home, /var, swap etc. The disc setup could be done by booting into the live-USB/CD/DVD, and having set up the discs the way you want them, either reboot with the installer, or invoke and install from the live-USB/CD/DVD.
In my case, I believe my wanted* filesystem (NILFS2) can't be incorporated into the standard installer as there is no fsck.nilfs implemented for NILFS2
I know that, in principle, one can shell out from the installer to do stuff, but in practice, this turns out to be slightly less flexible than one would wish, especially if one is missing a few packages (and network access is not always easy).
I am nowhere near the level of competence required to modify the installer. What I want* is an installer that can use a pre-prepared disc layout, and ideally have the necessary capability (all the necessary packages) within the installer environment so that I can shell out and build the disc layout manually, point the installer at it and light the blue touchpaper. I also want the-moon-onna-stick and a unicorn that farts rainbows.

I'm also of the opinion that for most users, full-disc encryption really ought to be the default because, absent evil maids, it is a good way of  making sure that theft of a computing device doesn't mean all your secrets are no longer secret.

OK. Rant over. If there is a way of influencing installer development in useful and creative ways that do not involve demanding someone else do lots of work at my whim I'd like to be able to use it.

*I know that wants are different to needs.

#6 Forum Feedback » Certificate expiry? » 2017-07-05 21:11:23

Simplicio
Replies: 3

Did someone forget to put a shilling in the meter on 4th July?

I got an expired certificate, and as HTTP Strict Transport Security (HSTS) was applied, no access to the forum for a while.

Is anyone admitting to an oops?

(By the way, well done for using HSTS)

#7 Re: Installation » Wi-Fi nonfunctional - Qualcom Atheros Device 0041 (rev 20) » 2017-06-28 14:28:22

Oh, I wasn't complaining - far from it - I genuinely appreciate being given step by step instructions. Primary school is good.

#8 Re: Installation » Wi-Fi nonfunctional - Qualcom Atheros Device 0041 (rev 20) » 2017-06-28 11:08:12

Thank-you PeteGozz. I'm not new to this, but I was last up to speed when I was running both Debian and OpenBSD on some Motorola 68k processors. That was 'a while' ago, so I'm rather rusty. I remember the frustrations of starting X-windows and having a grey screen with a centred black 'X', and no response to keyboard or mouse. I've run K/L/Ubuntu on Intel kit for the last <mumble> years, so haven't needed to fiddle/play much.

#9 Re: Installation » SLiM - failed to execute login command - bug? » 2017-06-28 06:33:12

Ugly but effective sounds like a realistic description of me. <grin>

#10 Re: Installation » Wi-Fi nonfunctional - Qualcom Atheros Device 0041 (rev 20) » 2017-06-28 06:31:16

Short answer: I don't know. And, I don't immediately know how to find out.

Foolish optimist that I am, I would have expected the installation process to have determined that it needed that package. I have this unrealistic expectation that the

apt install task-desktop

would have pulled in the relevant packages if they were absent, as it includes Wicd, and there is a Wi-Fi chipset visible on lspci.

Unfortunately, I have several major family events (some good, some bad) to deal with, so I don't have time to play right now.

Thank-you for the helpful follow-up - I do appreciate it, even if I can't act on it immediately.

#11 Re: Installation » Installing to existing partitions/mount? Full disk encrypt? Feedback. » 2017-06-27 14:43:54

miroR, I'm sorry to say that, as far as I can tell, you can't do the same with MBR disks as I believe there is not enough room in the MBR for GRUB code installed to the MBR to have the capability of opening encrypted partitions. So on MBR-based systems, you will need to have a non-encrypted boot partition.

I'm very happy to be proved wrong.

#12 Re: Installation » SLiM - failed to execute login command - bug? » 2017-06-27 07:25:35

Thank-you PeteGozz - I shall try your suggestions 'when I get the time', which might not be for a while. I very much appreciate your reply.

#13 Installation » Wi-Fi nonfunctional - Qualcom Atheros Device 0041 (rev 20) » 2017-06-26 23:10:37

Simplicio
Replies: 8

Wicd sees no Wi-Fi network.

lspci shows Wi-Fi device is Qualcom Atheros Device 0041 (rev 20)

After a bit of searching, I think the device is an ath10K device, for which there is support via backports

https://wireless.wiki.kernel.org/en/use … /backports
and
http://drvbp1.linux-foundation.org/~mcg … backports/

before I crank my way through the above process, is there an automagic way of achieving the same using apt-get or Synaptic, as the backports process says Wi-Fi will stop working and need special handling each time there is a kernel upgrade.?

uname shows current kernel is 3.16.0-4-amd64 SMP #1 Debian 3.16.43-2+deb8u1 (2017-06-18) x86_64

Thanks

#14 Installation » SLiM - failed to execute login command - bug? » 2017-06-26 22:54:28

Simplicio
Replies: 10

After installing a minimal system using the net install, I wanted to get to a full desktop.

Tried

apt install task-desktop

No errors reported, but after rebooting, if I attempt to log in with a valid non-root username and password, I am not logged in, and I get

failed to execute login command

Tried installing LXDE

apt-get install LXDE

pressing F1 allows me to cycle between XFCE, Openbox, and LXDE as a window manager, but all give 'failed to execute login command' with valid non-root credentials

if I log in as root, it succeeds, but obviously, that's not a long term solution.

non-root user's home directory has no .xinitrc (neither has root's)

What obvious thing have I missed?

#15 Re: Installation » Installing to existing partitions/mount? Full disk encrypt? Feedback. » 2017-06-26 22:38:52

Yes, I encrypt even /boot.

If you read my earlier posts carefully, you should be able to do it, especially if you follow the link to Pavel Kogan's post:

http://www.pavelkogan.com/2014/05/23/lu … ncryption/

Set up two partitions on the disk:

First: EFI System Partition
Second: Luks encrypted

Inside the LUKS encrypted partition run the Logical Volume Manager (lvm) and create as many volumes as you need.

Set up your chosen filesystem on each volume.

Make sure that GRUB2 includes the relevant encryption modules.
Make sure that the GRUB setup follows the recommendations given by Pavel Kogan above.

What Pavel goes on to do is give a set-up that allows you to enter the encryption password/phrase once, rather than twice when booting. I've not done that, as I don't mind typing in the passphrase twice. For now, at least.

So /boot and swap are encrypted, as well as everything else, apart from the EFI System Partition.

#16 Re: Installation » Installing to existing partitions/mount? Full disk encrypt? Feedback. » 2017-06-26 20:00:43

OK, so I finally had the time to work my way through the issues I encountered.

The task I had set myself was to install Devuan onto an SSD that itself was installed as a replacement for the original hard disk in laptop with 4 Gbytes of memory, a 64-bit capable AMD processor, and UEFI boot firmware.

By the way, I'm lazy. All this was done while logged in as root, not using sudo.

Writing the net-install ISO to a USB flash memory drive and doing a minimal install worked fine, as documented above, so I had an SSD with two partitions: /dev/sda1 and /dev/sda2

/dev/sda1 is the EFI system partition, vFAT formatted
/dev/sda2 is a single, encrypted partition, which is opened at boot by GRUB2

It's probably a good idea to make sure the system is nicely up-to-date

apt-get update
apt-get upgrade

(Reboot if necessary if a new kernel has appeared)

After that interlude, once accessed through the device mapper, the encrypted sda2 (/dev/sda2_crypt) appears as a Linux Logical Volume Manager (lvm) physical device, in which I set up a single volume group (Volume Group Foo (vgf)), and a set of volumes. (If I had felt like it, I could have set up multiple Volume Groups, e.g. Volume Group Bar Volume Group Baz, but for now at least, it wasn't necessary). I chose to set up the following volumes (I'm sure there are different, better ways, but I had to start somewhere. I prefixed each name with an 'x' because I knew that later on I'd need a clearly different name for migration purposes).

Physical Volume
/dev/sda2_crypt
Volume Group: vgf
xroot
xboot
xhome
xtmp
xvar
xswap

If someone else is doing this, they could well have chosen a different name for their encrypted device. You can find out what encrypted devices are on your system by looking at the output of

dmsetup status --target crypt

which will list all of the devices where the device mapper is using encryption.

The logical volume manager also uses the device mapper, but rather than encryption it is doing some clever stuff that enables (for example) separate blocks of storage on different disks to looks as if they are a single device, and allows (relatively) easy expansion and contraction of those devices.

Anyway, you can list the physical devices being used by the logical volume manager by:

lvm pvs 

(physical device show)

You can see what volume groups are defined

lvm vgs 

(volume group show)

and you can see what volumes are define in each volume group

lvm lvs

(logical volume show)

Each logical volume can be treated as thought it were a disk partition. Expanding or contracting lvm volumes is a great deal easier than doing the same with partitions.

So, each lvm volume has its own filesystem. The Devuan installer does not support the NILFS2 filesystem, so what I did, as a temporary measure, is create an ext2 filesystem on each logical volume. I chose to use less than half of my available disk space for the logical volumes I created with ext2 filesystems, as I knew I would need to migrate them later, so I needed to leave space to migrate them into.

You can confirm this on your own system by looking at  /proc/mounts

cat /proc/mounts

or, in a slightly nicer format

findmnt

As I documented above, there were a couple of glitches to do with the way GRUB2 handles encrypted boot partitions, but I got that sorted out, so I had a system I could boot, GRUB would prompt me for the password/phrase for the encrypted partition which allowed it to access /boot and the initrd and initramfs, then the initial startup in the initramfs would re-prompt me for the password/phrase so the system could be brought up.

So, I then had to replace the ext2 filesystems with nilfs2 filesystems. I can't remember if the nilfs tools are included on the minimal net-install Devuan, but if they are not, it is a simple matter of

apt-get install nilfs-tools

I could then use the Logical Volume Manager to define some more volumes, which I put in the same volume group as the first set - they didn't need to be, but there was no pressing reason to define a new one.

yroot
yboot
yhome
ytmp
yvar
yswap

so I now had a whole new set of volumes defined with names that started with a 'y' instead of an 'x'. I could then format these volumes as NILFS2 filesystems as I wasn't using the installer: this was a normal system.

mkfs.nilfs2 /dev/mapper/vgf-yroot
mkfs.nilfs2 /dev/mapper/vgf-yboot
mkfs.nilfs2 /dev/mapper/vgf-yhome
mkfs.nilfs2 /dev/mapper/vgf-ytmp
mkfs.nilfs2 /dev/mapper/vgf-yvar

I left NILFS with all the defaults. Note that NILFS2 uses disk space in an unusual way, so you do NOT want to make the volume too small. This is especially true of the boot volume, which normally doesn't need to be very big at all. I used a sledgehammer to crack a nut and made yboot 4 Gbytes in size, which is probably way too big, but I should be able to reduce it down later, if necessary, as the NILFS2 filesystem is resizeable, and lvm volmes can be shrunk as well.

Now comes the fun bit: I needed to migrate (copy) all of the information from the ext2 volumes over to their corresponding nilfs volumes. If you try to do this on a running system, it probably wont work very well, so don't try it!

Instead, I got a copy of System Rescue CD and put it on a USB flash memory drive. I booted the laptop into System Rescue CD, so the root filesystem in use is on the USB drive. Then a 'fair amount' of typing is needed.

First of all, you need to connect the encrypted partition on the laptop to the device mapper. My laptop discovered the internal disk first, even when booted from the USB drive, so it remained as device /dev/sda, but other laptops may enumerate the USD drive first, so the internal disk might appear as /dev/sdb. The rest of this assumes it's /dev/sda.

cryptsetup luksOpen /dev/sda2  <your-chosen-cryptname>  #<-note, /dev/sda1 is the EFI system partition

You get prompted for the password/phrase, and assuming it's right, the device mapper swings into action, decrypting the partition on the fly/on demand as necessary. You can confirm this by

dmsetup status --target crypt

The logical volume manager will also have swung into action and discovered the volumes defined on the encrypted partiton - you can check this by

lvm pvs
lvm vgs
lvm lvs

We can now mount all the volumes and copy the data across. Because we booted from the USB drive, we don't have to worry about what happens if you copy a file system in use on a running system.

Create the mount points for the source (old) data

mkdir /mnt/old
mkdir /mnt/old/root
mkdir /mnt/old/boot
mkdir /mnt/old/home
mkdir /mnt/old/tmp
mkdir /mnt/old/var

mount the ext volumes (read-only, just for some pretence at safety - you do have backups, don't you?)

mount -o ro /dev/mapper/vgf-xroot  /mnt/old/root
mount -o ro /dev/mapper/vgf-xboot /mnt/old/boot
mount -o ro /dev/mapper/vgf-xhome /mnt/old/home
mount -o ro /dev/mapper/vgf-xtmp /mnt/old/tmp
mount -o ro /dev/mapper/vgf-xvar /mnt/old/var

Now do the destinations

mkdir /mnt/new
mkdir /mnt/new/root
mkdir /mnt/new/boot
mkdir /mnt/new/home
mkdir /mnt/new/tmp
mkdir /mnt/new/var

mount the nilfs2 volumes. These are the options I chose, they are probably not optimal. Shrug.

mount -o async,noatime,discard,order=strict /dev/mapper/vgf-yroot  /mnt/new/root
mount -o async,noatime,discard,order=strict /dev/mapper/vgf-yboot /mnt/new/boot
mount -o async,noatime,discard,order=strict /dev/mapper/vgf-yhome /mnt/new/home
mount -o async,noatime,discard,order=strict /dev/mapper/vgf-ytmp /mnt/new/tmp
mount -o async,noatime,discard,order=strict /dev/mapper/vgf-yvar /mnt/new/var

now do the copying

cp -ax /mnt/old/root/* /mnt/new/root
cp -ax /mnt/old/boot/* /mnt/new/boot
cp -ax /mnt/old/home/* /mnt/new/home
cp -ax /mnt/old/tmp/* /mnt/new/tmp
cp -ax /mnt/old/var/* /mnt/new/var

Now, the fstab we have copied across will still refer the OLD ext2 volumes, so we need to edit the fstab on the new nilfs2 volume

nano /mnt/new/root/etc/fstab

(I use nano, you can use whatever editor you are comfortable with)

The relevant entries will need to be modified to (a) point to the new lvm volumes (the ones prefixed by 'y') and (b) have mount options suitable for nilfs2 (as above).

You can't just reboot and have everything work now. The GRUB2 boot setup still points to all the old volumes, so we not only have to tell GRUB2 that we are using different lvm volumes, GRUB2 also has to understand nilfs2 and have the initial ram disk rebuilt, otherwise nothing will work. As I found out. Repeatedly.

Now, in principle, you can rebuild GRUB2 while you are booted from the System Rescue CD USB drive. In principle.

I ran out of patience, and used a chroot method instead.

So we shut down, and reboot back into Devuan on the ext2 volumes. This doesn't affect the data on the nilfs volumes.

We then set up the chroot environment which will allow us to run the GRUB2 setup for the changed environment.

First of all, create a mount point for the new volumes

mkdir /mnt/chr

now mount the nilfs volumes there

mount -o async,noatime,discard,order=strict /dev/mapper/vgf-yroot  /mnt/chr/  #<-note difference to what we did above
mount -o async,noatime,discard,order=strict /dev/mapper/vgf-yboot /mnt/chr/boot
mount -o async,noatime,discard,order=strict /dev/mapper/vgf-yhome /mnt/chr/home
mount -o async,noatime,discard,order=strict /dev/mapper/vgf-ytmp /mnt/chr/tmp
mount -o async,noatime,discard,order=strict /dev/mapper/vgf-yvar /mnt/chr/var

now you have a 'sort-of' copy of the familiar linux filesystem layout under /mnt/chr

We do some chroot setup magic

mount -t proc none /mnt/chr/proc
mount -t sysfs none /mnt/chr/sys #<-note sysfs, not sys
mount -o bind /dev /mnt/chr/dev
mount -o bind /run /mnt/chr/run

(The chroot environment wont work properly without the above. Depending on what you are doing, you can 'get away' without some of the above e.g. if you don't need network access while chrooted, but I'm documenting what worked for me. Wiser, better informed heads than me can improve things, I'm sure).

Now, finally we need to make the EFI system partition available while in the chroot environment. What I'm about to do is probably not recommended (Danger Will Robinson!), but it worked for me.
We unmount from it's proper place and remount it at /mnt/new, so we can access it later while chrooted. If a wiser head can advise a better way, please do tell me. (The uuid details can be found in /etc/fstab)

umount /boot/efi
mount -o umask=0077 UUID=<your-uuid> /mnt/chr/boot/efi

Now we chroot

chroot /mnt/chr /bin/bash

...and we are now in a chroot environment aka a chroot jail. In the context of this process, the filesystem layout has its root at /mnt/chr, not / . Wow.

Now, if we run the various GRUB utilities, they will update the new volumes, not the old ones.

There's a couple of things we need to do.
First of all, we need to tell GRUB that it should load the nilfs2 module so it can understand the filesystem on the new volumes. We do that by adding nilfs2 to /etc/initramfs-tools/modules. For good measure, I added lvm, crypto, and cryptodisk too.

nano /etc/initramfs-tools/modules

The other thing to check is that /etc/mtab is correct.

cat /etc/mtab

if it isn't (I didn't need to do this)  you can 'simply'

cat /proc/mounts > /etc/mtab  #<-this is another 'Danger Will Robinson! moment

This (apparently) is important, as GRUB gets some information from /etc/mtab when doing its setup fandango.

Now we can run grub-update, which will build a new initramfs, and rebuild the GRUB2 boot menu. As we are in the chroot environment which should be set up properly, and using the same kernel, we don't have to worry about passing target directories, or specifying processor architecture etc. It 'just works'

update-grub

Then we install it

grub-install

Don't reboot yet.

I'm told its a good idea to dismount volumes nicely, as what you've been doing in the chroot environment isn't visible to the normal system, so we leave the chroot

exit

Then we'd better put the EFI system partition back

umount /mnt/chr/boot/efi
mount -o umask=0077 UUID=<your-uuid> /boot/efi

unmount the pre-chroot magic

umount /mnt/chr/run
umount /mnt/chr/dev
umount /mnt/chr/sys 
umount /mnt/chr/proc

Now you can reboot.

And now, in theory, if I've documented my hurried scribblings properly, when the system comes back up again, it boots using the NILFS2 volumes, and I've achieved what I wanted to do. Use NILFS2 on my SSD, and have an encrypted boot, root and swap, as well as home and everything else.

Now to install/upgrade to a full desktop. Wish me luck...

[Note to self, will add BBCode formatting later, once I get sufficient time. I just wanted to get a rough draft out]

#17 Re: Installation » Installing devuan to lvm partitions within dm-crypt container » 2017-06-06 07:42:25

I confirm what fsmithred is saying. It is possible to achieve what you want with the Devuan installer: in my case, I know it can be done with the net installer, but I also confirm it is non-intuitive.

Once you get to the partition manager part of the install (partman), there is a list of options which, in order from the top down, places dealing with encryption after setting up lvm. The key to understanding this is that you don't have to follow the order of the menu.

What you do is create the partitions (/dev/sda1 and /dev/sda2) /dev/sda1 is your non-encrypted boot. Set up /dev/sda2 as encrypted, then once you have done that, you can set up lvm inside/on top of the encrypted partition, and having done that, create the filesystems (or swap) on the lvm volumes you have created. You might, at one point, need to ignore a dialogue that says you can't make further changes to the partitioning setup and use the <Go Back> function of the setup process.

I don't have the time to give step-by-step instructions, but I'm sure you can get there by experimenting with a minimal install. I've been aiming at a setup with encrypted boot, and using NILFS as the filesystem (not ext4), and while I've go the set-up of the encrypted root nailed, I need to work out and practice how to get everything onto NILFS. ext4 is supported by partman, but NILFS, unfortunately, isn't.

I hope that helps. Even knowing what you want to do is possible is useful, sometimes.

#18 Re: Installation » Installing to existing partitions/mount? Full disk encrypt? Feedback. » 2017-05-31 14:25:39

Just a quick update to say that reading Pavel Kogan's blog allowed me to get one baby step further.

http://www.pavelkogan.com/2014/05/23/lu … ncryption/

In it he points out that /etc/default/grub needs to be edited to pass the cryptdevice as a kernel parameter. Modifying it for a (reasonably) default Devuan Jessie install (I downloaded the actual release rather than release candidate and redid things from scratch)

GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:sda2_crypt"

you then need to update the grub installation (there's more to this than meets the eye, which I'll expand on when I have time).

My laptop now boots all the way into Devuan, with an encrypted boot/root  - the only unencrypted area of the disk is the EFI System Partition. The boot process requires you to type in the Luks password twice (Pavel Kogan provides a possible workaround for this).

Unfortunately, I couldn't install on the filesystem of my choice (NILFS), so as a temporary measure, I used ext2, but having got the encryption bit sorted, I'm pretty sure I can sort out creating some NILFS volumes in lvm, copy everything across, update fstab, do a chroot and a grub update (I've probably missed something) and get things set up the way I want. It's 'just' a question of finding the time.

#19 Re: Installation » Installing to existing partitions/mount? Full disk encrypt? Feedback. » 2017-04-28 12:16:37

OK, getting there slowly.

By using Super GRUB2 disk to boot into the new installation, I can run grub-install. This fails with an error, which was roughly:

grub-install: error: attempt to install to encrypted disk without cryptodisk enabled. Set `GRUB_ENABLE_CRYPTODISK=1' in file `/etc/default/grub'.

Anyway, there is a slight misfeature in that you need to edit /etc/default/grub with -

GRUB_ENABLE_CRYPTODISK=y <<--note, not '1'

(This bug refers: https://savannah.gnu.org/bugs/?41524 ) The GRUB manual documents the actual behaviour: https://www.gnu.org/software/grub/manual/grub.html

‘GRUB_ENABLE_CRYPTODISK’

    If set to ‘y’, grub-mkconfig and grub-install will check for encrypted disks and generate additional commands needed to access them during boot. Note that in this case unattended boot is not possible because GRUB will wait for passphrase to unlock encrypted container.

Having done that, and added in GRUB_PRELOAD_MODULES="lvm" for good measure (probably not necessary, but I haven't checked to find out), I then re-run grub-install, this time with no errors.

Then, when I boot, I get presented with a prompt for the password for the encrypted partition. Yay!

But I subsequently get dumped into a GRUB> prompt (not Grub rescue). Boo.

However, if I look at the devices

GRUB> ls

I see all the lvm volumes.

so I set up the linux and initrd

GRUB> linux (lvm/vg1-root)/vmlinuz
GRUB> initrd (lvm/vg1-root)/initrd.img
GRUB> boot

And the boot fails, saying -

error: no suitable video mode found
Booting in blind mode.

However, after a bit of looking, if you add the following command in GRUB before booting

GRUB> insmod all_video

it boots successfully, asking (for the second time, as expected) for the password to the encrypted partition as part of the linux boot sequence.

So all I need to do now is automate the manual fix above. Which I know is possible, because Super GRUB2 disk works fine.

Which means I am one step closer to having Devuan with an unencrypted EFI System Partition, and one encrypted partition that holds LVM volumes providing swap, root, home, etc...

Simplicio

[edited to add BBCode quote and code markup]

#20 Re: Installation » Installing to existing partitions/mount? Full disk encrypt? Feedback. » 2017-04-23 21:52:52

I tried the installer, rather than the live iso, using the Expert option and manual partitioning. This allows me to:

a) Create an EFI System partition (/dev/sda1) and a partition encompassing the rest of the disk (/dev/sda2);
b) Devote the (/dev/sda2) partition to the encryption layer (creating /dev/mapper/sda2_crypt);
c) Build LVM on top the the block device presented by the device mapper (/dev/mapper/sda2_crypt) - creating Volume group 1 (vg1);
d) Create a swap partition within LVM (vg1-swap); BUT
e) NOT use NILFS2 as the filesystem for the root (vg1-root) and other partitions (vg1-<foo,bar,baz>). The installer doesn't offer NILFS as a filesystem which is surely because it does not have mkfs.nilfs2. This debian bug/wishlist item may be relevant ( https://bugs.debian.org/cgi-bin/bugrepo … bug=655438 ).

As a temporary measure, I used ext2, just to see if the installation would complete nicely...

Everything worked fine until writing out the GRUB2 loader, which reported failure.

Booting from a SystemRescueCD USB drive, I can see the encryption, lvm setup, ext2 filesystems on root and other mount points have all been successfully created and populated, but apparently nothing written into the devuan directory created on the EFI System partition.

By using a Super GRUB2 disk ( http://www.supergrubdisk.org/super-grub2-disk/ ) on a USB drive, I can boot the newly-installed Devuan system - this involves enabling the luks capability in GRUB2 to mount the encrypted partition, followed by enabling the lvm-aware capability, at which point SuperGRUB2 finds the initial ramdisk on the root volume and booting works without a problem. This demonstrates that encrypting all except the EFI System partition is achievable...there are 'just' a few details to be worked on.

Personally, I think that encrypting all but the EFI System Partition should be, if not the default, at least a standard option offered to everyone.

One thing I have learnt from this is that it is entirely possible to have your EFI System partition on a separate USB drive to the internal disk on a laptop, which might be useful to some people.

#21 Re: Installation » Installing to existing partitions/mount? Full disk encrypt? Feedback. » 2017-04-22 17:01:47

Ah, thank-you. Yes, I was using the live iso, which includes an experimental installer. I'll try an appropriate one from the ones you linked to, when I get time away from other distractions again.

I'm not sure I'm up to remastering yet.

#22 Installation » Installing to existing partitions/mount? Full disk encrypt? Feedback. » 2017-04-21 18:59:47

Simplicio
Replies: 15

Hi,

I downloaded the Jessie Release Candidate iso and wrote it to a USB stick. It booted on my new laptop, which is great, but I don't seem to be able to set things up the way I wish.

The laptop is a UEFI laptop. I've formatted the internal disk as a GPT disk, and set up an EFI partition (/dev/sda1).

What I want to do is encrypt the rest of the disk* (/dev/sda2) so that there is no unencrypted boot partition. I know this is possible as GRUB2 can have the relevant modules** included (I'm rather impressed by GRUB2's versatility) . Using SystemRescueCD ( http://www.system-rescue-cd.org/ )  I have set up the rest of the disk as a second partition (/dev/sda2), added the dm-crypt layer, then LVM, then created a set of volumes: one for swap; and with the NILFS2 filesystem*** one for root, one for /home, and one for /var, using a modification for GPT instead of msdos partitions,  of the process described here:  http://www.pavelkogan.com/2014/05/23/lu … ncryption/.

The current Jessie rc installer is not LVM2 aware. Which is a shame. I did try pulling in LVM2 using Synaptic, and while I can get the encryption working and define all the volumes, and get them mounted, the installer apparently blithely ignores all this****.

What I would like, if possible, is an installer that can use an existing partition/lvm/filesystem set-up; and the icing on the cake would be supporting real full disk encryption.

This is only feedback, and can obviously be ignored. I think Devuan is a great idea, and I hope it succeeds. Obviously, one can always find unusual use-cases (like mine), so I can well understand if this is not addressed. On the other hand, I think full disk encryption (even if not NILFS2 support) is important.

If you have done so, thanks for reading.

Simplicio

*The Microsoft implementation of full-disk encryption is very convenient to set up and use. The Linux approach, while extremely flexible, isn't quite so convenient. I'm not looking for so-called deniable encryption: just a way of ensuring that if my laptop is lost or stolen that there is no easy way to get at the information on it. It should be/is possible to avoid having a non-encrypted boot partition, it's just slightly ... difficult.
**GRUB2 supports both dm-crypt and lvm.
***the internal drive is an SSD. This is not the main reason I want to use NILFS2 - the snapshotting capabilites look to be just what I want. While I'll probably lose a bit in performance compared to ext4, the SSD should make up for that compared to the spinning rust in my existing 8-year-old laptop, which works almost adequately for my purposes.
****It is always possible I have missed something embarrassingly obvious. If so, please point it out.

Board footer

Forum Software