arch-luks-on-lvm.sh
#
# Using LUKS on LVM is different than LVM on LUKS
#
# the idea is to create the encrypted root system first, then use a password (key) file to unlock and mount the others
# so for the initial install, do this instead of the above
#
# load this module
modprobe dm-mod
#
pvcreate /dev/sda3
vgcreate lvm /dev/sda3
lvcreate -l 100%FREE -n root lvm
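cryptsetup --verify-passphrase luksFormat /dev/lvm/root
# open it as "root" so the mapping name matches cryptdevice=...:root in the GRUB line below
cryptsetup open --type luks /dev/lvm/root root
# make the filesystem on the opened mapping, not on the raw LV (that would overwrite the LUKS header)
mkfs.ext4 /dev/mapper/root
mount /dev/mapper/root /mnt
# a bit different in mkinitcpio: on the HOOKS line, use "lvm2 encrypt" (instead of the reverse)
vi /etc/mkinitcpio.conf
# your boot loader is also a bit different: GRUB_CMDLINE_LINUX="cryptdevice=/dev/lvm/root:root root=/dev/mapper/root"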
vi /etc/default/grub
# once you reboot, let's create a new encrypted /home partition
# let's make the home password file
mkdir -m 700 /etc/luks-keys
dd if=/dev/random of=/etc/luks-keys/home bs=1 count=256
# now create the partition
pvcreate /dev/sdb1
vgextend lvm /dev/sdb1
lvcreate -l 100%FREE -n home lvm
# now encrypt it
cryptsetup luksFormat -v -s 512 /dev/lvm/home /etc/luks-keys/home
cryptsetup -d /etc/luks-keys/home open --type luks /dev/lvm/home home
mkfs.ext4 /dev/mapper/home
mount /dev/mapper/home /home
# now add "home /dev/lvm/home /etc/luks-keys/home"
vi /etc/crypttab
# finally, add it to fstab
blkid /dev/mapper/home
# take the UUID and create the line `UUID="SOMENUMBERS" /home ext4 defaults 0 2`
vi /etc/fstab
reboot