Partitions¶
Physical¶
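wipe the partition tables of all hard drives (mktable writes a new GPT label; data already on the disks is not overwritten)¶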
# Write a fresh GPT label to both disks. This replaces the partition table
# only; data previously stored on the disks is not overwritten.
for disk in /dev/sda /dev/sdb; do
  parted "$disk" mktable gpt
done
make raid partitions for luks¶
# Partition 1 on each disk: 1 MiB to 3807222 MiB, GPT names luks1/luks2.
# These two partitions are the members of the /dev/md/luks array.
parted /dev/sda unit mib mkpart luks1 1 3807222
parted /dev/sdb unit mib mkpart luks2 1 3807222
make raid partitions for boot¶
# Partition 2 on each disk: 8192 MiB directly after the luks partition,
# GPT names boot1/boot2. These are the members of the /dev/md/boot array.
parted /dev/sda unit mib mkpart boot1 3807222 3815414
parted /dev/sdb unit mib mkpart boot2 3807222 3815414
make and set BIOS_GRUB¶
# Partition 3 on sda: 33 MiB after the boot partition, then flagged bios_grub.
# The flag is set by partition number, so it relies on this being the third
# partition created on the disk.
parted /dev/sda unit mib mkpart bios 3815414 3815447
parted /dev/sda set 3 bios_grub on
make and set ESP¶
# Partition 3 on sdb: the same 33 MiB range, flagged esp (EFI System Partition).
# Only sdb carries the ESP and only sda the bios_grub partition.
parted /dev/sdb unit mib mkpart esp 3815414 3815447
parted /dev/sdb set 3 esp on
RAID¶
make raid device for boot¶
# Assemble the two boot partitions into /dev/md/boot with a fixed name and UUID.
# NOTE(review): level 0 is striping without redundancy -- losing either disk
# loses the array. This array is also used outside the LUKS container (ext4 is
# created directly on /dev/md/boot), so whatever is placed on it (typically
# kernel and initramfs) is stored unencrypted and is not protected against
# offline modification.
# NOTE(review): the UUID is hard-coded; reusing these commands for a second
# set of disks on the same host would produce colliding identifiers.
mdadm --create /dev/md/boot \
  --name=boot \
  --uuid=6234a0eb:29a3a847:1dbd5ec4:bada5579 \
  --metadata=1 \
  --level=0 \
  --raid-devices=2 \
  /dev/sda2 /dev/sdb2
make raid device for luks¶
# Assemble the two large partitions into /dev/md/luks, the device that is
# formatted as the LUKS container further down.
# NOTE(review): level 0 has no redundancy; a single disk failure makes the
# whole encrypted volume unrecoverable, so backups have to live elsewhere.
mdadm --create /dev/md/luks \
  --name=luks \
  --uuid=006234a0:eb29a3a8:471dbd5e:c4bada55 \
  --metadata=1 \
  --level=0 \
  --raid-devices=2 \
  /dev/sda1 /dev/sdb1
display current configuration¶
# Print one ARRAY line per array; the output uses the mdadm.conf syntax and
# shows the UUIDs to compare against the ones passed to --create.
mdadm --detail --brief --scan
make device names persistent¶
/etc/mdadm/mdadm.conf
ARRAY /dev/md/boot UUID=6234a0eb:29a3a847:1dbd5ec4:bada5579
ARRAY /dev/md/luks UUID=006234a0:eb29a3a8:471dbd5e:c4bada55
rebuild initial RAM disk
# Update the existing initramfs; presumably so that the ARRAY entries in
# /etc/mdadm/mdadm.conf are available during early boot -- confirm on the
# target distribution.
update-initramfs -u
Encryption¶
choose cipher algorithm¶
# Measure KDF and cipher throughput on this machine. The benchmark runs in
# memory only and does not touch any disk; use it to judge the cost of the
# cipher and key size chosen for luksFormat.
cryptsetup benchmark
initialize¶
# Create the LUKS2 header on the RAID device. Anything previously stored on
# /dev/md/luks becomes inaccessible.
#   --cipher/--key-size  aes-xts-plain64 with a 512-bit key; XTS splits the
#                        key in two, so this is AES-256
#   --iter-time          target PBKDF time per passphrase attempt, in ms
#   --use-random         generate the volume key from /dev/random
#   --verify-passphrase  ask for the passphrase twice
cryptsetup luksFormat \
  --type=luks2 \
  --cipher=aes-xts-plain64 \
  --key-size=512 \
  --hash=sha512 \
  --iter-time=4000 \
  --use-random \
  --verify-passphrase \
  --verbose \
  /dev/md/luks
open¶
# Unlock the container; the decrypted view appears as /dev/mapper/luks.
cryptsetup luksOpen /dev/md/luks luks
zeroize¶
# Fill the opened mapping with zeros. The writes pass through dm-crypt, so the
# disks receive ciphertext and unused space later cannot be told apart from
# stored data. dd ends with "No space left on device" once the mapping is
# full; that is the expected end of this step.
dd if=/dev/zero of=/dev/mapper/luks bs=512M status=progress
close¶
# Remove the /dev/mapper/luks mapping; the device must not be in use.
cryptsetup luksClose luks
reinitialize (repeat the luksFormat command from the initialize step)¶
check information¶
# Print the header metadata (LUKS version, cipher, key size, PBKDF, keyslots)
# to confirm the parameters given to luksFormat were applied.
cryptsetup luksDump /dev/md/luks
reopen (repeat the luksOpen command from the open step)¶
LVM¶
create physical volume¶
# Initialise the unlocked mapping (not the raw RAID device) as an LVM physical
# volume, so everything LVM stores ends up inside the LUKS container.
pvcreate /dev/mapper/luks
create volume group¶
# Volume group "luks" on that single physical volume; its logical volumes
# show up as /dev/mapper/luks-<name>.
vgcreate luks /dev/mapper/luks
create logical volumes¶
# swap: 68719476736 bytes (64 GiB); data: all remaining free extents.
# Both volumes sit on top of the LUKS mapping, so swap contents are encrypted
# at rest as well.
lvcreate --name swap --size 68719476736b luks
lvcreate --name data --extents 100%FREE luks
deactivate volume group¶
# Take all logical volumes of group "luks" offline; the LUKS mapping can only
# be closed while nothing on top of it is active.
vgchange --activate n luks
reactivate volume group¶
# Bring the logical volumes of group "luks" back online (requires the LUKS
# mapping to be open).
vgchange --activate y luks
File systems¶
format ESP¶
# FAT filesystem on the ESP partition of sdb: -n sets the volume label,
# -i the 32-bit volume ID (given in hex).
mkfs.vfat -n esp -i BADA5579 /dev/sdb3
format boot¶
# ext4 on the boot array with a fixed label and UUID. This filesystem is
# created directly on /dev/md/boot, i.e. outside the LUKS container.
mkfs.ext4 -L boot -U 6234a0eb-29a3-a847-1dbd-5ec4bada5579 /dev/md/boot

# Mount it once to set the filesystem's root directory to mode 700, so that
# only the owner (root) can list or read what is stored on it.
mount /dev/md/boot /mnt
chmod 700 /mnt
umount /mnt
format swap¶
# Swap signature on the swap logical volume inside the LUKS container, with a
# fixed label and UUID.
mkswap --label swap --uuid 06234a0e-b29a-3a84-71db-d5ec4bada557 /dev/mapper/luks-swap
format data¶
# ext4 on the data logical volume inside the LUKS container, with a fixed
# label and UUID.
mkfs.ext4 -L data -U 006234a0-eb29-a3a8-471d-bd5ec4bada55 /dev/mapper/luks-data