Date: Mon, 19 Jul 2021 21:51:14 +0200
From: Michael Siegel
To: ~alpine/users@lists.alpinelinux.org
Subject: "LVM on LUKS" wiki page: Questions and suggestions
Message-ID: <20210719215114.531515a2@moon>

Hello,

I've been doing some test runs installing Alpine with full disk
encryption in order to put together a stripped-down how-to document for
my own use case. I mainly followed
https://wiki.alpinelinux.org/wiki/LVM_on_LUKS for the procedure.

Now, there seem to be a few issues with that page.

# 1. Wiping disks/partitions

The section titled "Preparing the Temporary Installation Environment"
mentions the possibility of wiping the whole disk, using `haveged` as
input, but then doesn't say how to actually wipe the disk. It only
provides instructions on how to set up `haveged`.

Later, there is a section titled "Optional: Overwrite LUKS Partition
with Random Data" that instructs the reader to wipe the LUKS partition
with the following command:

    haveged -n 0 | dd of=/dev/sda2

I see several problems with that.

First, it seems to me that wiping only the partition that is going to be
used for the LUKS container – after and because you have already created
partitions – is not a good idea. Just wiping the whole disk before
creating partitions is probably what should be done instead.

Then, when using dd(1), going with the default block size will take ages
to complete. Adding `bs=1M` is generally much faster, in my experience.

So, I suggest the following:

* Add instructions on how to overwrite the whole disk with random data
  to section "Preparing the Temporary Installation Environment" and add
  `bs=1M` to the `dd` command's arguments.
* Remove section "Optional: Overwrite LUKS Partition with Random Data"
  entirely.

# 2. "Unmounting the Volumes and Partitions"

This section is obviously specific to the case of using GRUB with UEFI.
The version for Syslinux with BIOS would have to look like this, if I'm
not mistaken:

    # cd
    # umount /mnt/boot
    # swapoff /dev/vg0/swap
    # umount /mnt
    # vgchange -a n
    # cryptsetup luksClose lvmcrypt
    # reboot

So, there should be two sub-sections here:

* "Syslinux with BIOS", containing the above command block.
* "Grub with UEFI", containing what's already there.

If there are no objections to all of this, I'd be happy to go ahead and
edit the page accordingly.

And before I forget: That page does not show up in the results when you
search for "full disk encryption" on the wiki. Maybe there's a way to
change that.

-- 
Michael
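
The block-size point from section 1 of the message, as an added example that is not part of the original message or of the wiki page: it writes the same 8 MiB once with dd's default 512-byte blocks and once with `bs=1M`, and reports how many output records (write calls) each run needed. It only touches a scratch file; `/dev/zero` as a stand-in for the random source and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: why dd's default block size is slow for a full overwrite.
# Everything is written to a scratch file, never to a device. /dev/zero
# stands in for the random source; function names are made up for this example.

# records_out BS COUNT FILE
# Copy COUNT blocks of size BS to FILE and print the number of full output
# records dd reports, i.e. how many write calls it needed.
records_out() {
    # dd prints its statistics on stderr; LC_ALL=C keeps the wording stable.
    LC_ALL=C dd if=/dev/zero of="$3" bs="$1" count="$2" 2>&1 |
        sed -n 's/^\([0-9][0-9]*\)+[0-9][0-9]* records out.*/\1/p'
}

# size_of FILE: print the file size in bytes.
size_of() {
    wc -c < "$1" | tr -d ' '
}

# compare_block_sizes: write the same 8 MiB twice and print both call counts.
compare_block_sizes() {
    scratch=$(mktemp) || return 1
    small=$(records_out 512 16384 "$scratch")   # dd default: 512-byte blocks
    large=$(records_out 1M 8 "$scratch")        # bs=1M, as suggested in the message
    bytes=$(size_of "$scratch")                 # dd truncates, so this is the last run
    rm -f "$scratch"
    echo "bytes=$bytes default_writes=$small bs1M_writes=$large"
}

compare_block_sizes
```

Same amount of data, 2048 times fewer write calls with `bs=1M`. When dd reads from a pipe, as in the wiki's `haveged | dd` command, reads can come back shorter than the requested block size, so the record counts there will differ from this file-based run.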