LVM on LUKS

This post outlines how to take a blank system and end up with an encrypted, EFI-booting, LVM-partitioned Linux system. In reality, this isn’t so much a tutorial as a note to self so I don’t forget what I did, but perhaps it will benefit you too.

This can be done side-by-side with another system e.g. Windows, but you might need to repair the Windows installation afterwards so it’s aware of the new EFI partition you’ll make below.

Get yourself into a root shell.

sudo su -

Ensure you’re booted in EFI mode.

apt-get install efibootmgr
efibootmgr

Run gparted.

Create a gpt partition table.

  • /dev/sda1: A 128MB EFI partition. This will be /boot/efi.
  • /dev/sda2: A 512MB ext2 partition. This will be /boot.
  • /dev/sda3: Fill up the rest of the space with an unformatted partition. This will be LUKS-encrypted, and contain our LVM volumes.

(BIOS adjustments: make it msdos, not gpt, and don’t make the EFI partition.)

Encrypt the partition.

cryptsetup luksFormat /dev/sda3

Open it up.

cryptsetup open /dev/sda3 sda3

This creates /dev/mapper/sda3, the decrypted view of /dev/sda3. You can treat it as though it were /dev/sda3; from here on, every LVM command below refers to /dev/mapper/sda3 rather than to /dev/sda3 itself.

Now for the LVM fun.

Create a physical volume on this partition.

pvcreate /dev/mapper/sda3

Run pvscan to see your physical volume.

It now needs a volume group that we’ll call vg00.

vgcreate vg00 /dev/mapper/sda3

Run vgscan to see your volume group.

Add logical volumes for root (/), home (/home), and swap.

lvcreate -L 10G -n root vg00
lvcreate -L 2G -n swap vg00
lvcreate -l 100%FREE -n home vg00

If you plan on using sleep/hibernate, ensure the swap volume is at least as big as your RAM.

Run lvscan to see your logical volumes. These can be thought of as partitions. You can access them in two ways.

  1. Under /dev/vg00/ with the names you gave them (e.g. root).
  2. Under /dev/mapper/ with the volume group (vg00) prefixing the name you gave them (e.g. vg00-root).

Both of these are just symlinks to /dev/dm-*.

Run the Linux installer. Map it up as follows:

  • /dev/mapper/vg00-root as / (ext4)
  • /dev/mapper/vg00-home as /home (ext4)
  • /dev/mapper/vg00-swap as swap
  • /dev/sda1 as /boot/efi (fat32 or efi). Note that when selecting efi you might not be able to choose a mount point. This is fine.
  • /dev/sda2 as /boot (ext2)
  • Device for bootloader installation: /dev/sda2

Finish the installation.

At this point, rebooting won’t give you a working system: the initrd image doesn’t yet know that it has to unlock your hard disk before it can find the LVM volumes. We’ll tell it via /etc/crypttab.

Mount everything and get yourself into a chrooted environment.

cryptsetup open /dev/sda3 sda3 # if not already opened
# if /dev/vg00 doesn't appear after opening, activate the volume group first: vgchange -ay vg00
mkdir -p /mnt
mount /dev/vg00/root /mnt
mount /dev/vg00/home /mnt/home
mount /dev/sda2 /mnt/boot
mount /dev/sda1 /mnt/boot/efi
cd /mnt
mount -t proc proc proc/
mount -t sysfs sys sys/
mount -o bind /dev dev/
chroot .

Use blkid to get the encrypted partition’s UUID.

blkid /dev/sda3

Edit your /etc/crypttab.

sda3 UUID=XXX none luks

where XXX is the UUID from blkid.

Alternatively, automate it with this:

echo "sda3 UUID=$(blkid -o value -s UUID /dev/sda3) none luks" >> /etc/crypttab

Use cryptdisks_start to test whether the file is correct, by passing it the mapped device name you want to start e.g.,

cryptdisks_start sda3

Update the initrd image.

update-initramfs -uk all

Reboot.
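The crypttab step above is the one that bites if blkid fails or the file is edited twice. Here is an added example, not part of the original post, that wraps it with the checks I’d want before rebooting: it validates the UUID before writing the line, refuses to add a duplicate entry, and confirms that cryptsetup actually landed in the regenerated initrd. It assumes Debian/Ubuntu’s initramfs-tools (lsinitramfs) and util-linux blkid, the mapper name sda3 from the post, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the /etc/crypttab entry
# with validation instead of blindly appending blkid output, and checks that
# the regenerated initrd can actually unlock the disk. Assumes initramfs-tools
# (lsinitramfs) and util-linux (blkid); function names are my own.

# Succeed only if $1 has the 8-4-4-4-12 hex shape blkid reports for LUKS UUIDs.
uuid_is_valid() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Print the crypttab line for mapper name $1 and UUID $2. A failed blkid
# would otherwise yield "sda3 UUID= none luks", which breaks the boot.
crypttab_line() {
    uuid_is_valid "$2" || { echo "crypttab_line: bad UUID '$2'" >&2; return 1; }
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

# Append the entry for mapper name $1 / UUID $2 to crypttab file $3
# (default /etc/crypttab), skipping if that name is already listed.
crypttab_add() {
    file=${3:-/etc/crypttab}
    if [ -f "$file" ] && grep -Eq "^[[:space:]]*$1[[:space:]]" "$file"; then
        echo "crypttab_add: $1 already present in $file" >&2
        return 0
    fi
    line=$(crypttab_line "$1" "$2") || return 1
    printf '%s\n' "$line" >> "$file"
}

# Look up the UUID of block device $1 with blkid and add it under mapper
# name $2 (default: the device's basename, i.e. sda3 for /dev/sda3).
crypttab_add_device() {
    uuid=$(blkid -o value -s UUID "$1") || return 1
    crypttab_add "${2:-$(basename "$1")}" "$uuid" "${3:-/etc/crypttab}"
}

# After update-initramfs: confirm cryptsetup was included in initrd image $1.
# Without it the initrd cannot prompt for the passphrase at boot.
initrd_has_cryptsetup() {
    lsinitramfs "$1" | grep -q cryptsetup
}

# Typical use inside the chroot (not run automatically when sourced):
#   crypttab_add_device /dev/sda3
#   update-initramfs -uk all
#   for img in /boot/initrd.img-*; do initrd_has_cryptsetup "$img" && echo "$img ok"; done
```

Source the file in the chroot and call crypttab_add_device /dev/sda3, then run update-initramfs -uk all and initrd_has_cryptsetup on each /boot/initrd.img-* before leaving the chroot; cryptdisks_start sda3 as in the post remains the live test of the entry itself.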


Gandi won't remember my device when I use 2-step authentication

Gandi only remembers you’re logged in for the current session. The solution I came up with was a userscript, Gandi 2-step fixer, which generates the code on-the-fly and automatically fills it in when Gandi requests it. It requires storing your secret (which you can extract from the QR code if you kept it) in the file. I suppose you could prompt() for it instead, but if you encrypt your hard disks then you’ll be fine storing it in a file.

I’ve since discovered Authy, which makes my userscript less useful, though personally I still use it as it takes away the manual step.


disabling Instapaper's reading-optimised view

Instapaper is great, and the recent redesign made it even better. It has a reading-optimised view that shows you parsed article content; however, I use it mostly as a link saver, so most of my links are unparseable (videos, PDFs, whole websites) and I don’t use the reading view at all. A while ago they updated the website, stopped sending you directly to the original URL when you clicked the article title, and made it more difficult (impossible, even) to click through to the original site from the compact view. If you want the old behaviour back, Instapaper fixer reverts it: it makes the article title link to the original URL, effectively removing the reading view feature.

Now if only it were that easy to fix the Android app.


broken sites in Chrome 34

Using the latest version of Chrome you may find some websites like Facebook or GitHub aren’t working properly. Most JavaScript-powered functionality won’t work, which leaves them next to unusable.

If you look at the console you’ll see an error like this:

Uncaught SecurityError: Failed to set the 'cssText' property on 'CSSStyleDeclaration': Refused to evaluate a string as CSS because 'unsafe-eval' is not an allowed source of style in the following Content Security Policy directive: "style-src 'self' 'unsafe-inline'".

This seems to be caused by Chrome’s experimental implementation of CSP 1.1. If you’ve enabled “Enable experimental Web Platform features” in chrome://flags, then that’s why this is happening to you.

The solution is simply to disable that flag.


moving your Steam games to another drive (Windows)

Steam recently added a feature that lets you add additional game libraries, letting you store your games on a different drive. This is a long-sought-after feature that many would consider pretty basic, however, even though it’s now available in the client, it’s not great: it only works for games without shared content which means anything that uses the Source engine (for example) can’t be installed in any library but the primary one.

Not good enough. You’re better off using a symlink to get around it and put the entire steamapps folder on the drive of your choice.

  1. Close Steam.
  2. Go to your Steam installation folder.
    • 64-bit Windows: C:\Program Files (x86)\Steam.
    • 32-bit Windows: C:\Program Files\Steam.
    • If it’s somewhere else, you should probably know where it is already.
  3. Move the steamapps folder somewhere else. For example: D:\steamapps.
  4. Open the command prompt. Either Start -> Run -> cmd.exe and navigate to the folder, or hold shift when right-clicking the empty background of your Steam folder and click Open command window here.
  5. Run the following (from an administrator prompt, which mklink /D needs), adjusting the paths according to your configuration:

     mklink /D "C:\Program Files (x86)\Steam\steamapps" "D:\steamapps"

  6. Open Steam.

netscape-format cookies file generator

Sometimes I need a Netscape-format cookies file for use with wget. When I do, this comes in handy.
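As an added example (not the author’s generator, which isn’t reproduced here), the following shell functions write lines in the Netscape cookies.txt format that wget --load-cookies and curl -b read. The field order and the #HttpOnly_ domain prefix are the format’s own conventions; the function names and the sample cookies are mine.

```shell
#!/bin/sh
# Added example, not the author's tool. Emits Netscape-format cookie lines:
# domain, include-subdomains flag, path, secure flag, expiry (Unix time,
# 0 = session cookie), name, value, all tab-separated. HttpOnly cookies are
# marked by a "#HttpOnly_" prefix on the domain (honoured by curl; wget has
# historically skipped any line starting with "#", so leave it off for wget).

tab=$(printf '\t')
nl=$(printf '\nx'); nl=${nl%x}   # literal newline (command substitution strips trailing ones)

# netscape_cookie_line DOMAIN PATH SECURE EXPIRY NAME VALUE [HTTPONLY]
#   SECURE and HTTPONLY are 1 or 0; a leading dot on DOMAIN means "and subdomains".
netscape_cookie_line() {
    domain=$1; path=$2; secure=$3; expiry=$4; name=$5; value=$6; httponly=${7:-0}
    # refuse separators that would corrupt the file or smuggle in a second cookie
    case "$domain$path$name$value" in
        *"$tab"*|*"$nl"*)
            echo "netscape_cookie_line: tab/newline not allowed in fields" >&2
            return 1 ;;
    esac
    case $domain in .*) subdomains=TRUE ;; *) subdomains=FALSE ;; esac
    case $secure in 1) sec=TRUE ;; *) sec=FALSE ;; esac
    case $httponly in 1) domain="#HttpOnly_$domain" ;; esac
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        "$domain" "$subdomains" "$path" "$sec" "$expiry" "$name" "$value"
}

# netscape_cookie_file OUT: reads "domain path secure expiry name value" lines
# on stdin and writes a complete cookies file to OUT.
netscape_cookie_file() {
    out=$1
    printf '# Netscape HTTP Cookie File\n' > "$out"
    while read -r d p s e n v; do
        [ -n "$d" ] || continue
        netscape_cookie_line "$d" "$p" "$s" "$e" "$n" "$v" >> "$out" || return 1
    done
}

# Constructed sample, written only when invoked directly with an argument:
#   sh cookies.sh out.txt && wget --load-cookies out.txt https://example.com/
if [ -n "${1:-}" ]; then
    printf '.example.com / 1 0 session abc123\nexample.com /app 0 1700000000 pref dark\n' |
        netscape_cookie_file "$1"
fi
```

The tab/newline check matters because wget and curl split on those characters; a value containing either would be read as extra fields or as a second cookie.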
