Clear Linux install LVM on LUKS

Hello,

I want to share a quick guide on how to create the following setup with Clear Linux:

```
/dev/vda1 #boot partition
/dev/vda2 #LUKS encrypted root partition
/dev/vda3 #LUKS encrypted LVM containing swap, home and win logical volumes
```

Here /dev/vda1 is the systemd-boot partition. The root file system resides on /dev/vda2 (as far as I know, in CL the rootfs cannot be on LVM). Home and swap reside on /dev/vda3 as LVM logical volumes. Win is the LVM logical volume which I use to install a Windows VM. Both partitions /dev/vda2 and /dev/vda3 are encrypted with LUKS. What are the advantages of this scheme? You can easily resize (except for the root fs) and manage LVM volumes according to your needs, and all of this is secured with LUKS.

To create this setup, first boot the CL live ISO and start a terminal. Execute the following commands with sudo:

```shell
#vda is the block device where I'll install CL
gdisk /dev/vda

#using gdisk create 3 partitions:
#/dev/vda1 - size 256M, type ef00 - EFI System
#/dev/vda2 - size 40GB, type 8304 - Linux x86-64 root (/)
#/dev/vda3 - remaining size of device, type 8309 - Linux LUKS

#create boot fs
mkfs.vfat -F32 /dev/vda1

#create LUKS encrypted volumes on /dev/vda2 and /dev/vda3, you should enter the same password for both
cryptsetup luksFormat /dev/vda2 --type luks2
cryptsetup luksFormat /dev/vda3 --type luks2

#it is a good idea to back up the LUKS headers
cryptsetup luksHeaderBackup /dev/vda2 --header-backup-file root-header.backup
cryptsetup luksHeaderBackup /dev/vda3 --header-backup-file lvm-header.backup

#open LUKS volumes, they can be accessed under /dev/mapper/root and /dev/mapper/lvm
cryptsetup open /dev/vda2 root
cryptsetup open /dev/vda3 lvm

#create fs on root
mkfs.ext4 /dev/mapper/root

#create LVM physical volume on /dev/vda3
pvcreate /dev/mapper/lvm

#create LVM group clr
vgcreate clr /dev/mapper/lvm

#create logical volumes for swap, win and home
lvcreate -C y -L 244M -n swap clr
lvcreate -L 160G -n win clr
lvcreate -l 100%FREE -n home clr

#create file systems on home and swap
mkfs.ext4 /dev/mapper/clr-home
mkswap /dev/mapper/clr-swap

#mount root, boot and home
mount /dev/mapper/root /mnt
mkdir /mnt/boot
mount /dev/vda1 /mnt/boot
mkdir /mnt/home
mount /dev/mapper/clr-home /mnt/home

#install CL
swupd os-install /mnt --bundles=os-core,os-core-update,kernel-native,NetworkManager,bootloader-extras,boot-encrypted --statedir=/mnt/var/lib/swupd

#create crypttab to decrypt /dev/vda3 on boot and map it to /dev/mapper/lvm
echo "lvm /dev/vda3" > /mnt/etc/crypttab

#create fstab to mount home and swap on boot
echo "/dev/mapper/clr-home /home ext4 defaults 0 2" > /mnt/etc/fstab
echo "/dev/mapper/clr-swap none  swap defaults 0 0" >> /mnt/etc/fstab

#unmount
umount /mnt/boot
umount /mnt/home
umount /mnt

#close root LUKS volume
cryptsetup close root

#deactivate LVM group
vgchange -a n clr

#close lvm LUKS volume
cryptsetup close lvm
```

That's it. Now you can boot your new CL install and log in as root.
Now you can further set up your CL install. You can change the hostname with hostnamectl set-hostname . Install GNOME with swupd add-bundle desktop and run it with systemctl start gdm.service. You can install a Windows VM on /dev/clr/win.

Hope this will be useful for someone.
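As an added example (not from the original post, and not Clear Linux's own tooling), here is a small POSIX sh script that checks the result of the procedure above from the live ISO, before the final unmount: that both headers are LUKS2 with argon2id keyslots, that each header backup file describes the same header as its device, and that the crypttab parses. It also flags that `lvm /dev/vda3` ties the entry to a kernel device name, where a `UUID=` reference survives the disk being renumbered. The device paths, the backup file names and the /mnt target are assumptions taken from the commands above; the sample luksDump and crypttab texts are constructed so the checks can be tried without any block device.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity checks for the
# LVM-on-LUKS layout described above, meant to run from the live ISO
# after "swupd os-install" and before the final unmount.
# Assumed (not stated in the post): the target is still mounted at /mnt,
# the header backups are root-header.backup and lvm-header.backup in the
# current directory, and the devices are /dev/vda2 and /dev/vda3.
set -eu

# check_luks_dump: read `cryptsetup luksDump` output on stdin. Succeeds only
# when the header is LUKS2 and every keyslot uses argon2id (the LUKS2
# default); a pbkdf2 keyslot usually means a key was added with
# --pbkdf pbkdf2 and is cheaper to brute-force. The "Flags:" line is echoed
# so a header opened with --persistent --allow-discards shows that flag.
check_luks_dump() {
    awk '
        $1 == "Version:" { version = $2 }
        $1 == "Flags:"   { sub(/^Flags:[[:space:]]*/, ""); flags = $0 }
        $1 == "PBKDF:"   { slots++; if ($2 != "argon2id") weak++ }
        END {
            if (version != "2") { print "FAIL: not LUKS2 (version " version ")"; exit 1 }
            if (slots == 0)     { print "FAIL: no keyslots found"; exit 1 }
            if (weak > 0)       { print "FAIL: " weak " keyslot(s) not using argon2id"; exit 1 }
            print "ok: LUKS2, " slots " argon2id keyslot(s), flags: " flags
        }'
}

# check_crypttab: read /etc/crypttab on stdin. Returns 1 on a malformed
# line, 2 when every line is valid but a device is given by kernel name
# (the guide uses "lvm /dev/vda3", which works but breaks if the disk is
# ever renumbered; UUID= is stable), and 0 otherwise.
check_crypttab() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        NF < 2 || NF > 4 {
            print "line " NR ": expected 2-4 fields, got " NF; bad = 1; next
        }
        NF >= 3 && $3 != "none" && $3 != "-" && $3 !~ /^\// {
            print "line " NR ": key file must be none, - or an absolute path"; bad = 1; next
        }
        $2 ~ /^\/dev\// {
            print "line " NR ": " $1 " uses kernel name " $2 " (prefer UUID=)"; fragile = 1
        }
        END { if (bad) exit 1; if (fragile) exit 2; print "ok" }'
}

# crypttab_entry NAME UUID [KEYFILE] [OPTIONS]: emit a crypttab line that
# names the LUKS device by UUID (as printed by `cryptsetup luksUUID /dev/vdaN`).
crypttab_entry() {
    printf '%s UUID=%s %s %s\n' "$1" "$2" "${3:-none}" "${4:-luks}"
}

# Constructed sample inputs (not captured from a real machine) so the
# checks above can be exercised without any block device.
SAMPLE_DUMP_OK='LUKS header information
Version:        2
UUID:           0f0e0d0c-0b0a-4908-8706-050403020100
Flags:          allow-discards
Keyslots:
  0: luks2
        PBKDF:      argon2id
Digests:
  0: pbkdf2
        Hash:       sha256'
SAMPLE_DUMP_LUKS1='LUKS header information
Version:        1
Cipher name:    aes
Key Slot 0: ENABLED'
SAMPLE_CRYPTTAB_GUIDE='lvm /dev/vda3'

# live_checks: the same checks against the real devices and the target tree.
live_checks() {
    for pair in "/dev/vda2 root-header.backup" "/dev/vda3 lvm-header.backup"; do
        set -- $pair
        echo "== $1"
        cryptsetup luksDump "$1" | check_luks_dump
        # the backup must describe the same header as the device
        # (luksDump accepts the backup file as its argument)
        dev_uuid=$(cryptsetup luksUUID "$1")
        bak_uuid=$(cryptsetup luksDump "$2" | awk '$1 == "UUID:" { print $2 }')
        [ "$dev_uuid" = "$bak_uuid" ] || { echo "FAIL: $2 does not match $1"; return 1; }
    done
    echo "== /mnt/etc/crypttab"
    check_crypttab < /mnt/etc/crypttab || [ $? -eq 2 ]
    echo "suggested UUID-based line: $(crypttab_entry lvm "$(cryptsetup luksUUID /dev/vda3)")"
}

# Run the live checks only when asked; without arguments the script just
# defines the functions and runs the offline self-check on the samples.
if [ "${1:-}" = "--live" ]; then
    live_checks
else
    printf '%s\n' "$SAMPLE_DUMP_OK" | check_luks_dump
    printf '%s\n' "$SAMPLE_CRYPTTAB_GUIDE" | check_crypttab || echo "crypttab check returned $?"
fi
```

Run it as `sh luks-check.sh --live` from the live ISO while /mnt is still mounted; without `--live` it only exercises the constructed samples. A non-zero exit from `check_luks_dump` on a real device is worth investigating before rebooting, since a pbkdf2 keyslot or a LUKS1 header is much easier to change now than after the install is in use.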


Thanks for sharing. It would help make it easier to read if you format the commands in your post with the backtick (`) for single line or triple backticks (```) for a codeblock.

Thank you for this easy to follow guide. I was able to use this to make a non-traditional install with a separate USB boot partition.

I used gparted and followed the “Advanced Installation” part of the install guide to prepare the USB thumb drive for a fat32 CLR_BOOT /boot partition on sda1 and a second ext2 partition with the remaining space that is mounted as /usb. (I wanted to use a keyfile there and will try that next.)

Then I used gparted to make a gpt CLR_ROOT partition on my entire nvme0n1 and left the filesystem unallocated.

Then I followed your luksFormat and luksHeaderBackup examples for your /dev/vda2 and then did my own command to enable trim on my cryptsetup:

sudo cryptsetup --allow-discards --persistent open --type luks2 /dev/nvme0n1p1 root

Next, I was able to add the encrypt option to the F2FS file system with the -O encrypt option:

sudo mkfs.f2fs -O encrypt /dev/mapper/root

Then I mounted / and /boot and /usb

I was able to get most bundles needed from the install live environment from this command I ran to see what I needed:

sudo swupd bundle-list > my-bundles.txt

Then I ran your swupd os-install command to /mnt and added the bundles that I needed for a desktop install.

And then I finished just like your instructions with root passwd, hostnamectl and then root useradd -m “my-name” and then passwd “my-name”.

This worked for me and my clearlinux install is blazing fast and feels great, but I am having problems with my intel HDA soundcard and I’m not sure if my hardware is too new or if I screwed up something. Everything is listed with lspci and other command line tools… just no sound at 100% and no mute.

UPDATE: I have now done this install a second time and did this one with KDE Plasma. Sound is still not working, and when using alsamixer it does not show an analog option when pressing F6. But the speakers still pop when booting or messing around with settings, but no analog sound. I think I’ll figure it out soon.

UPDATE #2: The intel NUC10 has a common problem with the analog sound not working from the headphone jack on the NUC10. But if you use the hdmi2 sound from your monitor using displayport or hdmi it works for me. Otherwise you get dummy output. I found this out when I realized that my dell monitor had a headphone jack on the back that I had never used and did not know was there. Sound works good through the monitor now.

Any particular reason you went with 8304 for the root rather than 8309 (given that it gets LUKS encrypted)?

Any advantage one way or the other that you know of?
Perhaps 8309 might reduce the risk of LUKS headers being overwritten, or 8304 might help Clear’s installer recognise the root partition? (though I believe the CLR_ROOT partition label is all that’s needed for that…)

Thanks for your info either way, I’m going to try it this afternoon.

EDIT:

I’m still finding this is hanging on boot for some reason. I’m using an external SSD and formatted the root as F2FS, but it’s hitting the LUKS passphrase prompt for root on boot (so I don’t think either of those are the issue). It hangs after entering the password for root.

I removed the ‘quiet’ kernel parameter but there is nothing obviously suspicious showing up. After entering the password I get two lines from F2FS-fs (dm-0):

```
Found nat_bits in checkpoint
Mounted with checkpoint version = 642dc649
```

The last line is a systemd entry about receiving a client request to relinquish access to a hideously long filename in /var/log/journal/.

I might try again without the encrypted root and see if it makes a difference.