doc: Document encrypted root partitions.
This is a followup to f7f292d359.
* doc/guix.texi (Preparing for Installation): Give commands for
encrypted root installation.
(Proceeding with the Installation): Add item about mapped devices.
(File Systems): Mention that 'dependencies' can list <mapped-device>
objects.
* gnu/system/examples/desktop.tmpl (mapped-devices): New field.
(file-systems): Add 'dependencies' field.
parent cbf1024e99
commit 13fb1bd94e
@ -6665,27 +6665,26 @@ partition lives at @file{/dev/sda1}, a file system with the label
|
||||||
mkfs.ext4 -L my-root /dev/sda1
|
mkfs.ext4 -L my-root /dev/sda1
|
||||||
@end example
|
@end example
|
||||||
|
|
||||||
@c FIXME: Uncomment this once GRUB fully supports encrypted roots.
|
@cindex encrypted disk
|
||||||
@c A typical command sequence may be:
|
If you are instead planning to encrypt the root partition, you can use
|
||||||
@c
|
the Cryptsetup/LUKS utilities to do that (see @inlinefmtifelse{html,
|
||||||
@c @example
|
@uref{https://linux.die.net/man/8/cryptsetup, @code{man cryptsetup}},
|
||||||
@c # fdisk /dev/sdX
|
@code{man cryptsetup}} for more information.) Assuming you want to
|
||||||
@c @dots{} Create partitions etc.@dots{}
|
store the root partition on @file{/dev/sda1}, the command sequence would
|
||||||
@c # cryptsetup luksFormat /dev/sdX1
|
be along these lines:
|
||||||
@c # cryptsetup open --type luks /dev/sdX1 my-partition
|
|
||||||
@c # mkfs.ext4 -L my-root /dev/mapper/my-partition
|
|
||||||
@c @end example
|
|
||||||
|
|
||||||
In addition to e2fsprogs, the suite of tools to manipulate
|
|
||||||
ext2/ext3/ext4 file systems, the installation image includes
|
|
||||||
Cryptsetup/LUKS for disk encryption.
|
|
||||||
|
|
||||||
Once that is done, mount the target root partition under @file{/mnt}
|
|
||||||
with a command like (again, assuming @file{/dev/sda1} is the root
|
|
||||||
partition):
|
|
||||||
|
|
||||||
@example
|
@example
|
||||||
mount /dev/sda1 /mnt
|
cryptsetup luksFormat /dev/sda1
|
||||||
|
cryptsetup open --type luks /dev/sda1 my-partition
|
||||||
|
mkfs.ext4 -L my-root /dev/mapper/my-partition
|
||||||
|
@end example
|
||||||
|
|
||||||
|
Once that is done, mount the target root partition under @file{/mnt}
|
||||||
|
with a command like (again, assuming @code{my-root} is the label of the
|
||||||
|
root partition):
|
||||||
|
|
||||||
|
@example
|
||||||
|
mount LABEL=my-root /mnt
|
||||||
@end example
|
@end example
|
||||||
|
|
||||||
Finally, if you plan to use one or more swap partitions (@pxref{Memory
|
Finally, if you plan to use one or more swap partitions (@pxref{Memory
|
||||||
|
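Review bot: The new command sequence never has the reader record the LUKS UUID, yet the template added in gnu/system/examples/desktop.tmpl expects exactly that value ("The UUID is that returned by 'cryptsetup luksUUID'"). Add a step after luksFormat, for example `cryptsetup luksUUID /dev/sda1`, and say that its output goes into the `source` field of the `mapped-device`. It would also help to say that `cryptsetup luksFormat` irreversibly overwrites whatever is on the partition and that the passphrase chosen here is the one asked for at every boot, so the reader double-checks the device name before running it.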
@ -6748,6 +6747,10 @@ Be sure that your partition labels match the value of their respective
|
||||||
@code{device} fields in your @code{file-system} configuration, assuming
|
@code{device} fields in your @code{file-system} configuration, assuming
|
||||||
your @code{file-system} configuration sets the value of @code{title} to
|
your @code{file-system} configuration sets the value of @code{title} to
|
||||||
@code{'label}.
|
@code{'label}.
|
||||||
|
|
||||||
|
@item
|
||||||
|
If there are encrypted or RAID partitions, make sure to add a
|
||||||
|
@code{mapped-devices} field to describe them (@pxref{Mapped Devices}).
|
||||||
@end itemize
|
@end itemize
|
||||||
|
|
||||||
Once you are done preparing the configuration file, the new system must
|
Once you are done preparing the configuration file, the new system must
|
||||||
|
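Review bot: The new item mentions the `mapped-devices` field but not that every file system living on a mapped device must list it in its `dependencies` field, which is what the desktop template does with `(dependencies mapped-devices)`. Without it the root entry has no link to the mapped device at all, since `(device "my-root")` with `(title 'label)` names the file system inside the container, not the LUKS partition. Suggest extending the item with something like: "and list the mapped device in the @code{dependencies} field of each file system that lives on it."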
@ -6992,7 +6995,9 @@ desired configuration. In particular, notice how we use @code{inherit}
|
||||||
to create a new configuration which has the same values as the old
|
to create a new configuration which has the same values as the old
|
||||||
configuration, but with a few modifications.
|
configuration, but with a few modifications.
|
||||||
|
|
||||||
The configuration for a typical ``desktop'' usage, with the X11 display
|
@cindex encrypted disk
|
||||||
|
The configuration for a typical ``desktop'' usage, with an encrypted
|
||||||
|
root partition, the X11 display
|
||||||
server, GNOME and Xfce (users can choose which of these desktop
|
server, GNOME and Xfce (users can choose which of these desktop
|
||||||
environments to use at the log-in screen by pressing @kbd{F1}), network
|
environments to use at the log-in screen by pressing @kbd{F1}), network
|
||||||
management, power management, and more, would look like this:
|
management, power management, and more, would look like this:
|
||||||
|
@ -7317,13 +7322,16 @@ errors before being mounted.
|
||||||
When true, the mount point is created if it does not exist yet.
|
When true, the mount point is created if it does not exist yet.
|
||||||
|
|
||||||
@item @code{dependencies} (default: @code{'()})
|
@item @code{dependencies} (default: @code{'()})
|
||||||
This is a list of @code{<file-system>} objects representing file systems
|
This is a list of @code{<file-system>} or @code{<mapped-device>} objects
|
||||||
that must be mounted before (and unmounted after) this one.
|
representing file systems that must be mounted or mapped devices that
|
||||||
|
must be opened before (and unmounted or closed after) this one.
|
||||||
|
|
||||||
As an example, consider a hierarchy of mounts: @file{/sys/fs/cgroup} is
|
As an example, consider a hierarchy of mounts: @file{/sys/fs/cgroup} is
|
||||||
a dependency of @file{/sys/fs/cgroup/cpu} and
|
a dependency of @file{/sys/fs/cgroup/cpu} and
|
||||||
@file{/sys/fs/cgroup/memory}.
|
@file{/sys/fs/cgroup/memory}.
|
||||||
|
|
||||||
|
Another example is a file system that depends on a mapped device, for
|
||||||
|
example for an encrypted partition (@pxref{Mapped Devices}).
|
||||||
@end table
|
@end table
|
||||||
@end deftp
|
@end deftp
|
||||||
|
|
||||||
|
|
|
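Review bot: The closing sentence ("Another example is a file system that depends on a mapped device") would be more useful as a short @example mirroring the template, e.g. a `(mapped-devices (list (mapped-device @dots{})))` field followed by a `file-system` entry carrying `(dependencies mapped-devices)`, since this is the section a reader consults when looking up the field; the prose alone does not show that the whole `mapped-devices` list can be passed as the value.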
@ -1,5 +1,6 @@
|
||||||
;; This is an operating system configuration template
|
;; This is an operating system configuration template
|
||||||
;; for a "desktop" setup with GNOME and Xfce.
|
;; for a "desktop" setup with GNOME and Xfce where the
|
||||||
|
;; root partition is encrypted with LUKS.
|
||||||
|
|
||||||
(use-modules (gnu) (gnu system nss))
|
(use-modules (gnu) (gnu system nss))
|
||||||
(use-service-modules desktop)
|
(use-service-modules desktop)
|
||||||
|
@ -13,11 +14,21 @@
|
||||||
;; Assuming /dev/sdX is the target hard disk, and "my-root"
|
;; Assuming /dev/sdX is the target hard disk, and "my-root"
|
||||||
;; is the label of the target root file system.
|
;; is the label of the target root file system.
|
||||||
(bootloader (grub-configuration (device "/dev/sdX")))
|
(bootloader (grub-configuration (device "/dev/sdX")))
|
||||||
|
|
||||||
|
;; Specify a mapped device for the encrypted root partition.
|
||||||
|
;; The UUID is that returned by 'cryptsetup luksUUID'.
|
||||||
|
(mapped-devices
|
||||||
|
(list (mapped-device
|
||||||
|
(source (uuid "12345678-1234-1234-1234-123456789abc"))
|
||||||
|
(target "the-root-device")
|
||||||
|
(type luks-device-mapping))))
|
||||||
|
|
||||||
(file-systems (cons (file-system
|
(file-systems (cons (file-system
|
||||||
(device "my-root")
|
(device "my-root")
|
||||||
(title 'label)
|
(title 'label)
|
||||||
(mount-point "/")
|
(mount-point "/")
|
||||||
(type "ext4"))
|
(type "ext4")
|
||||||
|
(dependencies mapped-devices))
|
||||||
%base-file-systems))
|
%base-file-systems))
|
||||||
|
|
||||||
(users (cons (user-account
|
(users (cons (user-account
|
||||||
|
|
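Review bot: The target name `the-root-device` does not match the `my-partition` name used in the manual's `cryptsetup open --type luks /dev/sda1 my-partition` step, so a reader following both sees two names for the same device; pick one and use it in both places. The header comment ("Assuming /dev/sdX is the target hard disk, and "my-root" is the label ...") should also say that `12345678-1234-1234-1234-123456789abc` is a placeholder to be replaced with the output of `cryptsetup luksUUID` on the actual partition; the comment above `mapped-devices` says where the value comes from but not that the one given is unusable as-is.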