Partitions

Physical

wipe all hard drives

parted /dev/sda mktable gpt
parted /dev/sdb mktable gpt
parted /dev/sdc mktable gpt
parted /dev/sdd mktable gpt

make raid partitions for luks

parted /dev/sda mkpart luks1 1 1998000
parted /dev/sdb mkpart luks2 1 1998000
parted /dev/sdc mkpart luks3 1 1998000
parted /dev/sdd mkpart luks4 1 1998000

make raid partitions for boot

parted /dev/sda mkpart boot1 1998000 2000390
parted /dev/sdb mkpart boot2 1998000 2000390
parted /dev/sdc mkpart boot3 1998000 2000390
parted /dev/sdd mkpart boot4 1998000 2000390

make and set ESP

parted /dev/sdd mkpart esp 2000390 2000399
parted /dev/sdd set 3 esp on

RAID

make raid device for boot

mdadm --create /dev/md/boot \
--name boot \
--metadata 1 \
--level 0 \
--raid-devices 4 /dev/sd[abcd]2

make raid device for luks

mdadm --create /dev/md/luks \
--name luks \
--metadata 1 \
--level 0 \
--raid-devices 4 /dev/sd[abcd]1

display current configuration

mdadm --detail --brief --scan

make device names persistent

• /etc/mdadm/mdadm.conf

ARRAY /dev/md/boot UUID=c1970d43:8a774de8:540f4291:ad0dfafe
ARRAY /dev/md/luks UUID=5fab8ff8:1d92d3fe:d3f8a49e:ae28112b

• rebuild initial RAM disk

update-initramfs -u

Encryption

choose cipher algorithm

cryptsetup benchmark

initialize

cryptsetup \
--verbose \
--verify-passphrase \
--type luks2 \
--cipher aes-xts-plain64 \
--iter-time 4000 \
--key-size 512 \
--hash sha512 \
--use-random \
luksFormat \
/dev/md/luks

open

cryptsetup luksOpen /dev/md/luks luks

zeroize

dd if=/dev/zero of=/dev/mapper/luks \
status=progress bs=512M

close

cryptsetup luksClose luks

reinitialize

check information

cryptsetup \
luksDump \
/dev/md/luks

reopen

LVM

create physical volume

pvcreate /dev/mapper/luks

create volume group

vgcreate luks /dev/mapper/luks

create logical volumes

lvcreate --name swap --size 32G luks
lvcreate --name data --extents 100%FREE luks

File systems

format ESP

mkfs.vfat -n esp \
-i BADA5579 \
/dev/sdd3

format boot

mkfs.ext4 -L boot \
-U 6234a0eb-29a3-a847-1dbd-5ec4bada5579 \
/dev/md/boot

format swap

mkswap --label swap \
-U 06234a0e-b29a-3a84-71db-d5ec4bada557 \
/dev/mapper/luks-swap

format data

mkfs.ext4 -L data \
-U 006234a0-eb29-a3a8-471d-bd5ec4bada55 \
/dev/mapper/luks-data