Partitions¶
Physical¶
wipe all hard drives¶
parted /dev/sda mktable gpt
parted /dev/sdb mktable gpt
make raid partitions for luks¶
parted /dev/sda mkpart luks1 1 3992593
parted /dev/sdb mkpart luks2 1 3992593
make raid partitions for boot¶
parted /dev/sda mkpart boot1 3992593 4000785
parted /dev/sdb mkpart boot2 3992593 4000785
make and set BIOS_GRUB¶
parted /dev/sda mkpart bios 4000785 4000787
parted /dev/sda set 3 bios_grub on
make and set ESP¶
parted /dev/sdb mkpart esp 4000785 4000787
parted /dev/sdb set 3 esp on
RAID¶
make raid device for boot¶
mdadm --create /dev/md/boot \
--name boot \
--uuid 6234a0eb:29a3a847:1dbd5ec4:bada5579 \
--metadata 1 \
--level 0 \
--raid-devices 2 /dev/sd[ab]2
make raid device for luks¶
mdadm --create /dev/md/luks \
--name luks \
--uuid 006234a0:eb29a3a8:471dbd5e:c4bada55 \
--metadata 1 \
--level 0 \
--raid-devices 2 /dev/sd[ab]1
display current configuration¶
mdadm --detail --brief --scan
make device names persistent¶
/etc/mdadm/mdadm.conf
ARRAY /dev/md/boot UUID=6234a0eb:29a3a847:1dbd5ec4:bada5579
ARRAY /dev/md/luks UUID=006234a0:eb29a3a8:471dbd5e:c4bada55
rebuild initial RAM disk
update-initramfs -u
Encryption¶
choose cipher algorithm¶
cryptsetup benchmark
initialize¶
cryptsetup \
--verbose \
--verify-passphrase \
--type luks2 \
--cipher aes-xts-plain64 \
--iter-time 4000 \
--key-size 512 \
--hash sha512 \
--use-random \
luksFormat \
/dev/md/luks
open¶
cryptsetup luksOpen /dev/md/luks luks
zeroize¶
dd if=/dev/zero of=/dev/mapper/luks \
status=progress bs=512M
close¶
cryptsetup luksClose luks
reinitialize¶
check information¶
cryptsetup \
luksDump \
/dev/md/luks
reopen¶
LVM¶
create physical volume¶
pvcreate /dev/mapper/luks
create volume group¶
vgcreate luks /dev/mapper/luks
create logical volumes¶
lvcreate --name swap --size 32G luks
lvcreate --name data --extents 100%FREE luks
deactivate volume group¶
vgchange --activate n luks
reactivate volume group¶
vgchange --activate y luks
File systems¶
format ESP¶
mkfs.vfat -n esp \
-i BADA5579 \
/dev/sdb3
format boot¶
mkfs.ext4 -L boot \
-U 6234a0eb-29a3-a847-1dbd-5ec4bada5579 \
/dev/md/boot
mount /dev/md/boot /mnt
chmod 700 /mnt
umount /mnt
format swap¶
mkswap --label swap \
-U 06234a0e-b29a-3a84-71db-d5ec4bada557 \
/dev/mapper/luks-swap
format data¶
mkfs.ext4 -L data \
-U 006234a0-eb29-a3a8-471d-bd5ec4bada55 \
/dev/mapper/luks-data