2016-11-26 04:16:49 -08:00
---
2021-06-24 16:10:26 +02:00
advanced: true
2021-03-13 19:06:18 +01:00
lang: en
2016-11-26 04:16:49 -08:00
layout: doc
2021-06-16 19:56:25 -07:00
permalink: /doc/custom-install/
2016-11-26 04:16:49 -08:00
redirect_from:
2021-03-13 18:42:50 +01:00
- /doc/encryption-config/
2021-03-13 19:06:18 +01:00
ref: 152
2021-07-09 01:06:41 +00:00
title: Custom installation
2016-11-26 04:16:49 -08:00
---
2019-01-14 00:14:00 -06:00
In the present context, "custom installation" refers to things like manual partitioning, setting up LVM and RAID, and manual LUKS encryption configuration.
2016-11-26 04:16:49 -08:00
2019-04-06 18:44:36 -05:00
## Installer Defaults
2019-01-12 15:26:37 -06:00
2019-01-14 00:14:00 -06:00
For reference, these are the typical defaults for a single disk with legacy boot:
2019-01-12 15:26:37 -06:00
~~~
Mount Point: /boot
Desired Capacity: 1024 MiB
Device Type: Standard Partition
File System: ext4
Name: (none)
Mount Point: /
Desired Capacity: (your choice)
Device Type: LVM Thin Provisioning
Volume Group: qubes_dom0
File System: ext4
Name: root
Mount Point: (none)
2019-01-14 00:14:00 -06:00
Desired Capacity: 10 GiB
2019-01-12 15:26:37 -06:00
Device Type: LVM
Volume Group: qubes_dom0
File System: swap
Name: swap
~~~
~~~
SUMMARY OF CHANGES
Order Action Type Device Mount point
1 Destroy Format Unknown Disk (sda)
2 Create Format partition table (MSDOS) Disk (sda)
3 Create Device partition sda1 on Disk
4 Create Format ext4 sda1 on Disk /boot
5 Create Device partition sda2 on Disk
6 Create Format LUKS sda2 on Disk
7 Create Device luks/dm-crypt luks-sda2
2019-01-12 15:35:51 -06:00
8 Create Format physical volume (LVM) luks-sda2
2019-01-12 15:26:37 -06:00
9 Create Device lvmvg qubes_dom0
10 Create Device lvmthinpool qubes_dom0-pool00
11 Create Device lvmthinlv qubes_dom0-root
12 Create Device lvmlv qubes_dom0-swap
13 Create Format swap qubes_dom0-swap
14 Create Format ext4 qubes_dom0-root /
~~~
2019-04-06 18:44:36 -05:00
## Typical Partition Schemes
2019-01-12 15:26:37 -06:00
2019-01-14 00:14:00 -06:00
If you want your partition/LVM scheme to look like the Qubes default but with a few tweaks, follow this example.
With a single disk, the result should look something like this:
2019-01-12 15:26:37 -06:00
~~~
NAME SIZE TYPE MOUNTPOINT
sda disk
├──sda1 1G part /boot
└──sda2 part
└──luks-< UUID > crypt
├──qubes_dom0-pool00_tmeta lvm
├──qubes_dom0-pool00_tdata lvm
└──qubes_dom0-swap lvm [SWAP]
~~~
2019-04-06 18:44:36 -05:00
## Encryption Defaults
2019-01-12 15:26:37 -06:00
By default, `cryptsetup 1.7.5` will create a LUKS/dm-crypt volume as follows:
~~~
Version: 1
Cipher name: aes
Cipher mode: xts-plain64
Hash spec: sha256
~~~
~~~
$ cryptsetup --help
[...]
Default compiled-in device cipher parameters:
loop-AES: aes, Key 256 bits
plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: ripdemd160
LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/urandom
~~~
This means that, by default, Qubes inherits these upstream defaults:
2021-04-11 00:09:05 +02:00
- AES-128 [[1]](https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions)[[2]](https://wiki.archlinux.org/index.php/dm-crypt/Device_encryption)[[3]](https://github.com/dyne/Tomb/issues/238)
2021-03-13 18:03:23 +01:00
- SHA-256
- `/dev/urandom`
- probably an `iter-time` of one second
2019-01-12 15:26:37 -06:00
2019-01-14 00:14:00 -06:00
If, instead, you'd like to use AES-256, SHA-512, `/dev/random` , and a longer `iter-time` , for example, you can configure encryption manually by following the instructions below.
2019-01-12 15:26:37 -06:00
2019-04-06 18:44:36 -05:00
## Example: Custom LUKS Configuration
2019-01-12 15:26:37 -06:00
Boot into the Qubes installer, then press `ctrl` +`alt` +`F2` to get a virtual console.
1. (Optional) Wipe the disk:
2021-03-13 18:03:23 +01:00
```
# dd if=/dev/zero of=/dev/sda bs=1M status=progress & & sync
```
2019-01-12 15:26:37 -06:00
2019-01-14 00:14:00 -06:00
2. Create partitions:
2019-01-12 15:26:37 -06:00
2021-03-13 18:03:23 +01:00
```
# fdisk /dev/sda
```
2019-01-14 00:14:00 -06:00
Follow the steps to create two partitions:
- ~500MiB-1GiB for `/boot`
- The rest for `/` (might want to leave some for overprovisioning if it's an SSD)
2019-01-12 15:26:37 -06:00
4. Create LUKS encrypted volume:
2021-03-13 18:03:23 +01:00
```
# cryptsetup -v --hash sha512 --cipher aes-xts-plain64 --key-size 512 --use-random --iter-time 10000 --verify-passphrase luksFormat /dev/sda2
```
2019-01-12 15:26:37 -06:00
5. Open encrypted volume:
2021-03-13 18:03:23 +01:00
```
# cryptsetup open /dev/sda2 luks
```
2019-01-12 15:26:37 -06:00
6. Create LVM volumes:
2021-03-13 18:03:23 +01:00
```
# pvcreate /dev/mapper/luks
# vgcreate qubes_dom0 /dev/mapper/luks
# lvcreate -n swap -L 10G qubes_dom0
# lvcreate -T -l +100%FREE qubes_dom0/pool00
# lvcreate -V1G -T qubes_dom0/pool00 -n root
# lvextend -L < size_of_pool00 > /dev/qubes_dom0/root
```
2019-01-12 15:26:37 -06:00
2019-11-07 11:54:11 -03:00
8. Proceed with the installer. You can do that either by pressing `ctrl` +`alt` +`F6` , or by rebooting and restarting the installation.
2019-01-12 15:26:37 -06:00
At the disk selection screen, select:
2021-03-13 18:03:23 +01:00
```
[x] I will configure partitioning.
[ ] Encrypt my data.
```
2019-01-12 15:26:37 -06:00
2019-11-07 11:54:11 -03:00
9. Decrypt your partition. After decrypting you may assign mount points:
Open the Unknown list and select `qubes_dom0-root` . Check the reformat box to the right and choose `ext4` as a filesystem. Enter `/` into the Mount Point field at the top.
Repeat the process for `sda1` and `qubes_dom0-swap` . Those should be assigned to `/boot` and `swap` respectively.
The default file systems are ext4 for `/boot` and `/` , and swap for `swap` .
When you are finished, the Unknown list should go away, and all three mount points should be assigned. Proceed normally with the installation from there.