This reverts commit 24e6a8a616bfba80534d5d700b2f6b02745561fe. https://github.com/QubesOS/qubes-issues/issues/6701#issuecomment-862060759
5.3 KiB
lang | layout | redirect_from | ref | title | ||
---|---|---|---|---|---|---|
en | doc |
|
152 | Custom Installation |
Custom Installation
In the present context, "custom installation" refers to things like manual partitioning, setting up LVM and RAID, and manual LUKS encryption configuration.
Installer Defaults
For reference, these are the typical defaults for a single disk with legacy boot:
Mount Point: /boot
Desired Capacity: 1024 MiB
Device Type: Standard Partition
File System: ext4
Name: (none)
Mount Point: /
Desired Capacity: (your choice)
Device Type: LVM Thin Provisioning
Volume Group: qubes_dom0
File System: ext4
Name: root
Mount Point: (none)
Desired Capacity: 10 GiB
Device Type: LVM
Volume Group: qubes_dom0
File System: swap
Name: swap
SUMMARY OF CHANGES
Order Action Type Device Mount point
1 Destroy Format Unknown Disk (sda)
2 Create Format partition table (MSDOS) Disk (sda)
3 Create Device partition sda1 on Disk
4 Create Format ext4 sda1 on Disk /boot
5 Create Device partition sda2 on Disk
6 Create Format LUKS sda2 on Disk
7 Create Device luks/dm-crypt luks-sda2
8 Create Format physical volume (LVM) luks-sda2
9 Create Device lvmvg qubes_dom0
10 Create Device lvmthinpool qubes_dom0-pool00
11 Create Device lvmthinlv qubes_dom0-root
12 Create Device lvmlv qubes_dom0-swap
13 Create Format swap qubes_dom0-swap
14 Create Format ext4 qubes_dom0-root /
Typical Partition Schemes
If you want your partition/LVM scheme to look like the Qubes default but with a few tweaks, follow this example. With a single disk, the result should look something like this:
NAME SIZE TYPE MOUNTPOINT
sda disk
├──sda1 1G part /boot
└──sda2 part
└──luks-<UUID> crypt
├──qubes_dom0-pool00_tmeta lvm
├──qubes_dom0-pool00_tdata lvm
└──qubes_dom0-swap lvm [SWAP]
Encryption Defaults
By default, cryptsetup 1.7.5
will create a LUKS/dm-crypt volume as follows:
Version: 1
Cipher name: aes
Cipher mode: xts-plain64
Hash spec: sha256
$ cryptsetup --help
[...]
Default compiled-in device cipher parameters:
loop-AES: aes, Key 256 bits
plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: ripdemd160
LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/urandom
This means that, by default, Qubes inherits these upstream defaults:
If, instead, you'd like to use AES-256, SHA-512, /dev/random
, and a longer iter-time
, for example, you can configure encryption manually by following the instructions below.
Example: Custom LUKS Configuration
Boot into the Qubes installer, then press ctrl
+alt
+F2
to get a virtual console.
-
(Optional) Wipe the disk:
# dd if=/dev/zero of=/dev/sda bs=1M status=progress && sync
-
Create partitions:
# fdisk /dev/sda
Follow the steps to create two partitions:
- ~500MiB-1GiB for
/boot
- The rest for
/
(might want to leave some for overprovisioning if it's an SSD)
- ~500MiB-1GiB for
-
Create LUKS encrypted volume:
# cryptsetup -v --hash sha512 --cipher aes-xts-plain64 --key-size 512 --use-random --iter-time 10000 --verify-passphrase luksFormat /dev/sda2
-
Open encrypted volume:
# cryptsetup open /dev/sda2 luks
-
Create LVM volumes:
# pvcreate /dev/mapper/luks # vgcreate qubes_dom0 /dev/mapper/luks # lvcreate -n swap -L 10G qubes_dom0 # lvcreate -T -l +100%FREE qubes_dom0/pool00 # lvcreate -V1G -T qubes_dom0/pool00 -n root # lvextend -L <size_of_pool00> /dev/qubes_dom0/root
-
Proceed with the installer. You can do that either by pressing
ctrl
+alt
+F6
, or by rebooting and restarting the installation. At the disk selection screen, select:[x] I will configure partitioning. [ ] Encrypt my data.
-
Decrypt your partition. After decrypting you may assign mount points: Open the Unknown list and select
qubes_dom0-root
. Check the reformat box to the right and chooseext4
as a filesystem. Enter/
into the Mount Point field at the top. Repeat the process forsda1
andqubes_dom0-swap
. Those should be assigned to/boot
andswap
respectively. The default file systems are ext4 for/boot
and/
, and swap forswap
. When you are finished, the Unknown list should go away, and all three mount points should be assigned. Proceed normally with the installation from there.