This is a rewrite of my old notes, Qubes OS Installation - Detached encrypted boot and header.
Thank you @kaizer and @dum0 for donating to qubes so that I could rewrite this guide.
I'd recommend that you try it in a VM first, before doing it on your machine, so that you can learn and understand it too.
This is UEFI-based only.
Two drives are used, one for the Root partition and one for the Boot/EFI partitions; in the commands below they are /dev/sda (Boot, EFI and the detached headers) and /dev/nvme0n1 (Root).
After booting into the installer, at the language selection screen press Ctrl + Alt + F2 to enter tty2.
Wipe the drive we will use for the installation with random data:
> dd if=/dev/urandom of=/dev/sda bs=1M status=progress
Create the Boot, EFI, Root Header and Swap Header partitions.
Boot Partition
> sgdisk -n 0:0:+200MiB -t 0:ef02 /dev/sda
EFI Partition
> sgdisk -n 0:0:+200MiB -t 0:ef00 /dev/sda
Root Header Partition
> sgdisk -n 0:0:+16MiB -t 0:8309 /dev/sda
If you want to use BTRFS, also add a swap header partition; other filesystems do not need it.
Swap Header Partition
> sgdisk -n 0:0:+16MiB -t 0:8309 /dev/sda
You may want to use -i 1 (iteration time 1 ms) to speed up the decryption process for practice.
Of course you can choose another -c (cipher), -h (hash) and -s (key size).
> cryptsetup luksOpen /dev/nvme0n1 luks-root
> pvcreate /dev/mapper/luks-root
> vgcreate qubes_dom0 /dev/mapper/luks-root
> lvcreate -L 8G -n swap qubes_dom0
You might want to read 8.2. Recommended system swap space if you're not sure about swap space.
> lvcreate -T -L 40G qubes_dom0/root-pool
> lvcreate -T -l +90%FREE qubes_dom0/vm-pool
An SSD performs badly if all of its space is used, so we leave 10% of the total free to maintain the best performance.
> lvcreate -V30G -T qubes_dom0/root-pool -n root
You should leave at least 10% of the thin pool space unused in total, so LVM can warn you before the drive runs out of space.
> lvs
Check how much space you have in the VM pool and use it to create the VM LV.
> lvcreate -V800G -T qubes_dom0/vm-pool -n vm
XFS
> mkfs.xfs /dev/qubes_dom0/vm
> mkswap /dev/qubes_dom0/swap
EXT4
> mkfs.ext4 /dev/qubes_dom0/vm
> mkswap /dev/qubes_dom0/swap
BTRFS
Swap Partition
> sgdisk -n 0:0:+8GiB -t 0:8200 /dev/nvme0n1
Root Partition
> sgdisk -n 0:0:0 -t 0:8304 /dev/nvme0n1
You can use another --csum (checksum) and may want to read this if you want to learn about other checksum algorithms.
> mkswap /dev/mapper/swap
Begin the installation.
After the installation, go back to tty2.
> cp -r /usr/lib/grub/x86_64-efi /mnt/sysroot/boot/efi/EFI/qubes/
> umount /boot
Reformat the Boot Partition
> cryptsetup -c twofish-xts-plain64 -h sha512 -s 512 -y -i 1 --use-random --type luks1 luksFormat /dev/sda1
Create aliases
uuidB = /boot partition
uuidR = / (root) partition
uuidS = swap partition
> uuidB="$(blkid -o value -s UUID /dev/sda1)"
XFS / EXT4
> uuidR="$(blkid -o value -s UUID /dev/nvme0n1)"
BTRFS
> uuidS="$(blkid -o value -s UUID /dev/nvme0n1p1)"
> uuidR="$(blkid -o value -s UUID /dev/nvme0n1p2)"
Reopen the LUKS boot partition
> cryptsetup luksOpen /dev/sda1 luks-$uuidB
XFS
> mkfs.xfs /dev/mapper/luks-$uuidB
> xfs_admin -U $uuidB /dev/mapper/luks-$uuidB
EXT4 / BTRFS
> mkfs.ext2 -m0 -U $uuidB /dev/mapper/luks-$uuidB
Replace QUBE with the first 4 characters of the UUID of /dev/sda1.
XFS / EXT4
> sed -i 's?/dev/qubes-dom0-root?/dev/mapper/luks-'$uuidR'?g' /etc/fstab
BTRFS
> sed -i 's?UUID=QUBE[^ ]*?/dev/mapper/luks-'$uuidR'?g' /etc/fstab
> echo -e "/dev/mapper/luks-$uuidS none swap defaults 0 0" >> /etc/fstab
Remount the Boot and EFI partitions
> mount -v /boot
> tar -C /boot --acls --xattrs -xf /tmp/boot.tar
> mount /dev/sda2 /boot/efi
BTRFS: also create the swap key
> ( umask 0077 && dd if=/dev/urandom bs=1 count=64 of=/etc/keys/swap.key conv=excl,fsync )
Write the root LUKS header to its partition
> dd if=/header of=/dev/sda3 bs=16M count=1 status=progress
Configure LUKS for BTRFS
> dd if=/swap-header of=/dev/sda4 bs=16M count=1 status=progress
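As an added example (not part of the original guide), a small POSIX sh script to sanity-check the header copy above: it verifies the LUKS magic bytes and version of a header file or partition, and confirms that the bytes on the header partition match the backup file. The paths /header and /dev/sda3 are the guide's; the stub header it builds when run without arguments is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original guide: sanity-check a detached LUKS
# header and the partition it was copied to. Real use on the installed system:
#   sh check-header.sh /header /dev/sda3
# Without arguments it runs against a constructed stub header in a temp dir.

# Return 0 if the file/device starts with the LUKS magic "LUKS\xba\xbe".
luks_magic_ok() {
    magic="$(od -An -tx1 -N6 "$1" 2>/dev/null | tr -d ' \n')"
    [ "$magic" = "4c554b53babe" ]
}

# Print the on-disk LUKS version (1 or 2), a big-endian uint16 at offset 6.
luks_version() {
    od -An -tu1 -j6 -N2 "$1" 2>/dev/null | awk '{ print $1 * 256 + $2 }'
}

# Return 0 if the first SIZE bytes of FILE and PARTITION are identical, i.e.
# the header really landed on the header partition. Compares checksums so a
# 16M header is never held in a shell variable.
header_matches_partition() {
    a="$(head -c "$3" "$1" | cksum)"
    b="$(head -c "$3" "$2" | cksum)"
    [ "$a" = "$b" ]
}

# Run all checks; prints a verdict and returns 0 only if everything passed.
# SIZE defaults to 16 MiB, the header partition size used in the guide.
check_header() {
    file="$1"; part="$2"; size="${3:-16777216}"
    luks_magic_ok "$file" || { echo "no LUKS magic in $file"; return 1; }
    echo "$file: LUKS version $(luks_version "$file")"
    header_matches_partition "$file" "$part" "$size" \
        || { echo "$part differs from $file"; return 1; }
    echo "$part matches $file"
}

if [ "$#" -eq 2 ]; then
    check_header "$1" "$2"
else
    # Constructed stub: magic + version 2 only; stands in for /header.
    dir="$(mktemp -d)"
    printf 'LUKS\272\276\000\002' > "$dir/header"
    cp "$dir/header" "$dir/partition"          # stands in for /dev/sda3
    check_header "$dir/header" "$dir/partition" 8
    rm -rf "$dir"
fi
```

On the real system the authoritative check is `cryptsetup luksDump /dev/sda3`, which must show the same UUID and keyslots as the backup file.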
Remove unnecessary files
> shred -uvz /tmp/boot.tar
Configure crypttab
XFS / EXT4
> echo -e "luks-$uuidR /dev/nvme0n1 /etc/keys/root.key luks,discard,key-slot=1,header=/dev/sda3\nluks-$uuidB UUID=$uuidB /etc/keys/boot.key luks,key-slot=1" > /etc/crypttab
BTRFS
> echo -e "luks-$uuidR /dev/nvme0n1p2 /etc/keys/root.key luks,discard,key-slot=1,header=/dev/sda3\nluks-$uuidS /dev/nvme0n1p1 /etc/keys/swap.key luks,key-slot=1,header=/dev/sda4\nluks-$uuidB UUID=$uuidB /etc/keys/boot.key luks,key-slot=1" > /etc/crypttab
> grub2-mkconfig -o /boot/efi/EFI/qubes/grub.cfg
Rewrite the uuid map and crypttab that dracut puts in the initramfs
XFS / EXT4
> sed -i 's?block_uuid.map"?block_uuid.map"\necho "/dev/nvme0n1 '$uuidR'\n/dev/disk/by-uuid/'$uuidB' '$uuidB'" > "${initdir}/etc/block_uuid.map"?g' /usr/lib/dracut/modules.d/90crypt/module-setup.sh
> sed -i 's?$initdir/etc/crypttab?$initdir/etc/crypttab\necho "luks-'$uuidR' /dev/nvme0n1 /etc/keys/root.key luks,discard,key-slot=1,header=/dev/sda3\nluks-'$uuidB' UUID='$uuidB' /etc/keys/boot.key luks,key-slot=1" > $initdir/etc/crypttab?g' /usr/lib/dracut/modules.d/90crypt/module-setup.sh
BTRFS
> sed -i 's?block_uuid.map"?block_uuid.map"\necho "/dev/nvme0n1p2 '$uuidR'\n/dev/nvme0n1p1 '$uuidS'\n/dev/disk/by-uuid/'$uuidB' '$uuidB'" > "${initdir}/etc/block_uuid.map"?g' /usr/lib/dracut/modules.d/90crypt/module-setup.sh
> sed -i 's?$initdir/etc/crypttab?$initdir/etc/crypttab\necho "luks-'$uuidR' /dev/nvme0n1p2 /etc/keys/root.key luks,discard,key-slot=1,header=/dev/sda3\nluks-'$uuidS' /dev/nvme0n1p1 /etc/keys/swap.key luks,discard,key-slot=1,header=/dev/sda4\nluks-'$uuidB' UUID='$uuidB' /etc/keys/boot.key luks,key-slot=1" > $initdir/etc/crypttab?g' /usr/lib/dracut/modules.d/90crypt/module-setup.sh
XFS / EXT4
> swapoff /dev/qubes_dom0/swap
> vgchange -a n qubes_dom0
> cryptsetup luksClose /dev/mapper/luks-root
> cryptsetup luksClose /dev/mapper/luks-*
> wipefs -a /dev/nvme0n1
> reboot
BTRFS
> swapoff /dev/mapper/luks-swap
> cryptsetup luksClose /dev/mapper/luks-root
> cryptsetup luksClose /dev/mapper/luks-swap
> cryptsetup luksClose /dev/mapper/luks-*
> wipefs -a /dev/nvme0n1p1
> wipefs -a /dev/nvme0n1p2
> reboot
Please remember that we use a detached /boot, so if you plan to use sys-usb (and you should), don't forget to edit the kernel parameters in the grub menu when you want to update the kernel and add qubes.skip_autostart, to prevent sys-usb from starting and detaching our /boot partition.