doc: Document encrypted root partitions.

This is a followup to f7f292d359.

* doc/guix.texi (Preparing for Installation): Give commands for
encrypted root installation.
(Proceeding with the Installation): Add item about mapped devices.
(File Systems): Mention that 'dependencies' can list <mapped-device>
objects.
* gnu/system/examples/desktop.tmpl (mapped-devices): New field.
(file-systems): Add 'dependencies' field.
Ludovic Courtès 2016-11-24 23:03:04 +01:00
parent cbf1024e99
commit 13fb1bd94e
No known key found for this signature in database
GPG Key ID: 090B11993D9AEBB5
2 changed files with 43 additions and 24 deletions


@ -6665,27 +6665,26 @@ partition lives at @file{/dev/sda1}, a file system with the label
mkfs.ext4 -L my-root /dev/sda1 mkfs.ext4 -L my-root /dev/sda1
@end example @end example
@c FIXME: Uncomment this once GRUB fully supports encrypted roots. @cindex encrypted disk
@c A typical command sequence may be: If you are instead planning to encrypt the root partition, you can use
@c the Cryptsetup/LUKS utilities to do that (see @inlinefmtifelse{html,
@c @example @uref{https://linux.die.net/man/8/cryptsetup, @code{man cryptsetup}},
@c # fdisk /dev/sdX @code{man cryptsetup}} for more information.) Assuming you want to
@c @dots{} Create partitions etc.@dots{} store the root partition on @file{/dev/sda1}, the command sequence would
@c # cryptsetup luksFormat /dev/sdX1 be along these lines:
@c # cryptsetup open --type luks /dev/sdX1 my-partition
@c # mkfs.ext4 -L my-root /dev/mapper/my-partition
@c @end example
In addition to e2fsprogs, the suite of tools to manipulate
ext2/ext3/ext4 file systems, the installation image includes
Cryptsetup/LUKS for disk encryption.
Once that is done, mount the target root partition under @file{/mnt}
with a command like (again, assuming @file{/dev/sda1} is the root
partition):
@example @example
mount /dev/sda1 /mnt cryptsetup luksFormat /dev/sda1
cryptsetup open --type luks /dev/sda1 my-partition
mkfs.ext4 -L my-root /dev/mapper/my-partition
@end example
Once that is done, mount the target root partition under @file{/mnt}
with a command like (again, assuming @code{my-root} is the label of the
root partition):
@example
mount LABEL=my-root /mnt
@end example @end example
Finally, if you plan to use one or more swap partitions (@pxref{Memory Finally, if you plan to use one or more swap partitions (@pxref{Memory
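Review bot: the new @example block (`cryptsetup luksFormat /dev/sda1`, `cryptsetup open --type luks /dev/sda1 my-partition`, `mkfs.ext4 -L my-root /dev/mapper/my-partition`) never tells the reader that luksFormat irreversibly wipes the partition and that the passphrase chosen there will be required to unlock the root partition at every boot; a sentence before the example stating both would spare a first-time installer a destructive mistake and explains why @code{mapped-devices} is needed later in the configuration. Now that the FIXME about GRUB support has been dropped, this paragraph is also the natural place to say what the reader will be asked at boot. Minor: in "(see @dots{} for more information.)" the full stop belongs outside the closing parenthesis.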
@ -6748,6 +6747,10 @@ Be sure that your partition labels match the value of their respective
@code{device} fields in your @code{file-system} configuration, assuming @code{device} fields in your @code{file-system} configuration, assuming
your @code{file-system} configuration sets the value of @code{title} to your @code{file-system} configuration sets the value of @code{title} to
@code{'label}. @code{'label}.
@item
If there are encrypted or RAID partitions, make sure to add a
@code{mapped-devices} field to describe them (@pxref{Mapped Devices}).
@end itemize @end itemize
Once you are done preparing the configuration file, the new system must Once you are done preparing the configuration file, the new system must
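Review bot: the new @item about @code{mapped-devices} should also say that the @code{file-system} entry for the root partition must list that mapped device in its @code{dependencies} field, which is exactly what the template in this commit does with @code{(dependencies mapped-devices)}; declaring the mapping alone does not express that it has to be opened before the mount. A cross-reference to the @code{dependencies} description under File Systems would tie the two together.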
@ -6992,7 +6995,9 @@ desired configuration. In particular, notice how we use @code{inherit}
to create a new configuration which has the same values as the old to create a new configuration which has the same values as the old
configuration, but with a few modifications. configuration, but with a few modifications.
The configuration for a typical ``desktop'' usage, with the X11 display @cindex encrypted disk
The configuration for a typical ``desktop'' usage, with an encrypted
root partition, the X11 display
server, GNOME and Xfce (users can choose which of these desktop server, GNOME and Xfce (users can choose which of these desktop
environments to use at the log-in screen by pressing @kbd{F1}), network environments to use at the log-in screen by pressing @kbd{F1}), network
management, power management, and more, would look like this: management, power management, and more, would look like this:
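Review bot: with the desktop template now carrying an encrypted root, the sentence introducing it should warn that the @code{uuid} in its @code{mapped-devices} field is a placeholder to be replaced with the output of @command{cryptsetup luksUUID}; a reader copying the example verbatim otherwise gets a system that cannot open its root device. Style: the break after "encrypted" and before "root partition, the X11 display" splits the phrase awkwardly in the source; refilling the paragraph would help.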
@ -7317,13 +7322,16 @@ errors before being mounted.
When true, the mount point is created if it does not exist yet. When true, the mount point is created if it does not exist yet.
@item @code{dependencies} (default: @code{'()}) @item @code{dependencies} (default: @code{'()})
This is a list of @code{<file-system>} objects representing file systems This is a list of @code{<file-system>} or @code{<mapped-device>} objects
that must be mounted before (and unmounted after) this one. representing file systems that must be mounted or mapped devices that
must be opened before (and unmounted or closed after) this one.
As an example, consider a hierarchy of mounts: @file{/sys/fs/cgroup} is As an example, consider a hierarchy of mounts: @file{/sys/fs/cgroup} is
a dependency of @file{/sys/fs/cgroup/cpu} and a dependency of @file{/sys/fs/cgroup/cpu} and
@file{/sys/fs/cgroup/memory}. @file{/sys/fs/cgroup/memory}.
Another example is a file system that depends on a mapped device, for
example for an encrypted partition (@pxref{Mapped Devices}).
@end table @end table
@end deftp @end deftp
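Review bot: the added sentence "Another example is a file system that depends on a mapped device, for example for an encrypted partition" uses "example" twice; suggest "Another example is a file system that lives on a mapped device, such as an encrypted partition (@pxref{Mapped Devices})." It would also help to state how such a file system refers to its device, since the template in this commit keeps @code{(device "my-root")} with @code{(title 'label)} rather than naming @file{/dev/mapper/@dots{}}: the label is read from the ext4 file system created inside the mapping (@code{mkfs.ext4 -L my-root /dev/mapper/my-partition} in the installation section), so it is only visible once the mapped device is open, which is why the dependency matters.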


@ -1,5 +1,6 @@
;; This is an operating system configuration template ;; This is an operating system configuration template
;; for a "desktop" setup with GNOME and Xfce. ;; for a "desktop" setup with GNOME and Xfce where the
;; root partition is encrypted with LUKS.
(use-modules (gnu) (gnu system nss)) (use-modules (gnu) (gnu system nss))
(use-service-modules desktop) (use-service-modules desktop)
@ -13,11 +14,21 @@
;; Assuming /dev/sdX is the target hard disk, and "my-root" ;; Assuming /dev/sdX is the target hard disk, and "my-root"
;; is the label of the target root file system. ;; is the label of the target root file system.
(bootloader (grub-configuration (device "/dev/sdX"))) (bootloader (grub-configuration (device "/dev/sdX")))
;; Specify a mapped device for the encrypted root partition.
;; The UUID is that returned by 'cryptsetup luksUUID'.
(mapped-devices
(list (mapped-device
(source (uuid "12345678-1234-1234-1234-123456789abc"))
(target "the-root-device")
(type luks-device-mapping))))
(file-systems (cons (file-system (file-systems (cons (file-system
(device "my-root") (device "my-root")
(title 'label) (title 'label)
(mount-point "/") (mount-point "/")
(type "ext4")) (type "ext4")
(dependencies mapped-devices))
%base-file-systems)) %base-file-systems))
(users (cons (user-account (users (cons (user-account
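Review bot: the @code{target} name in the template, @code{"the-root-device"}, does not match the name used in the documentation's command sequence (@code{cryptsetup open --type luks /dev/sda1 my-partition}); using one name in both places keeps the manual and the template readable side by side. The placeholder @code{(uuid "12345678-1234-1234-1234-123456789abc")} deserves the same explicit "replace this" treatment the file already gives @file{/dev/sdX} in the comment above the bootloader, since a stale UUID means the root device is never opened. @code{(dependencies mapped-devices)} correctly orders the mapping before the mount and matches the new @code{dependencies} documentation.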