Please watch out any space, slash, periode in command issue / files IT REALLY MATTERS
/dev/nvme0n1 = system /dev/sda = flashdrive
[anaconda /] dd if=/dev/urandom of=/dev/nvme0n1 bs=1M status=progress [anaconda /] dd if=/dev/urandom of=/dev/sda bs=1M status=progress
Using /dev/urandom will take longer than /dev/zero but more secure. - Create 3 partition in usb drive, just follow below command as i need the rest of space (i need around 20mb) for luks header.
[anaconda /] gdisk /dev/sda ---# efi partition n 1 2048 1230845 EF00 ---# boot partition n 2 1230848 3278842 8300 ---# header partition n 3 (enter) (enter) (enter)
w Y ---# I use iter time 1 for speeding up decrypt process you should increase it in real installation, see luks iter-time for details. [anaconda /] cryptsetup -c aes-xts-plain64 -h sha512 -s 512 -y -i 1 --use-random luksFormat /dev/nvme0n1 [luks prompt /] YES [luks prompt /] (enter password) [luks prompt /] (verify password) ---# [anaconda /] cryptsetup luksOpen /dev/nvme0n1 luks [luks prompt /] (enter password) ---# [anaconda /] pvcreate /dev/mapper/luks [anaconda /] vgcreate qubes_dom0 /dev/mapper/luks [anaconda /] lvcreate -n swap -L 4G qubes_dom0 [anaconda /] lvcreate -T -L 20G qubes_dom0/root-pool [anaconda /] lvcreate -T -l +100%FREE qubes_dom0/vm-pool [anaconda /] lvs ---# root-pool 20.00g swap 4.00g vm-pool 55.83g ---# [anaconda /] lvcreate -V20G -T qubes_dom0/root-pool -n root [anaconda /] lvcreate -V55.83G -T qubes_dom0/vm-pool -n vm [anaconda /] mkfs.xfs /dev/qubes_dom0/vm ---# I use xfs because it much faster than ext4 when boot up, btw i dont do benchmark it's just My Life Experience based on using qubes. Otherwise : [anaconda /] mkfs.ext4 /dev/qubes_dom0/vm ---# - Back to gui with ctrl + alt + f6. - Choose language, timezone, user, and lastly storage. - Click refresh on bottom right and rescan disk. - Select disk nvme0n1 and sda, storage configuration is Custom.
Your disk tree is must same with the picture below and should have UNKNOWN fs except qubes_dom0-vm (if you not wipe your disk clearly, it's okay (caution for security do full wipe i did not do so i can make it quick in vvmware) and there'll maybe some system extension left)
---#
qubes_dom0-root, reformat, ext4, /, update settings.
qubes-dom0-swap, reformat, swap, update settings.
sda1, reformat, Efi System Partition, /boot/efi, update settings.
sda2, reformat, ext2, /boot, update settings.
---#
- Leave qubes_dom0-vm and sda3 untouched.
What we are doing before is Custom Installation with detached boot you may reboot after complete install if you think this is enough. - After completion, switch back to shell with ctrl + alt + f2
---# [anaconda /] cp -r /usr/lib/grub/x86_64-efi /mnt/sysroot/boot/efi/EFI/qubes/ [anaconda /] chroot /mnt/sysroot/ [anaconda /] mount -oremount,ro /boot [anaconda /] install -m0600 /dev/null /tmp/boot.tar [anaconda /] tar -C /boot --acls --xattrs --one-file-system -cf /tmp/boot.tar . [anaconda /] umount /boot/efi [anaconda /] umount /boot [anaconda /] exit ---# [anaconda /] dd if=/dev/urandom of=/dev/sda2 bs=1M status=progress [anaconda /] cryptsetup -c twofish-xts-plain64 -h sha512 -s 512 -y -i 1 --use-random --type luks1 luksFormat /dev/sda2 [luks prompt /] YES [luks prompt /] (enter password) [luks prompt /] (verify password) ---# [anaconda /] uuid="$(blkid -o value -s UUID /dev/sda2)" [anaconda /] cryptsetup luksOpen /dev/sda2 luks-$uuid [anaconda /] mkfs.ext2 -m0 -U $uuid /dev/mapper/luks-$uuid ---# [anaconda /] vi /mnt/sysroot/etc/fstab ---# Change UUID=..on boot line to ( check your sda2 uuid )
/dev/mapper/luks-5f4a8efe-a2cd-41ab-889b-d8c759fa8db7 /boot ext2 defaults 1 2
add_dracutmodules+=" crypt "
install_items+=" /etc/keys/root.key /etc/keys/boot.key /sbin/cryptsetup "
use_fstab="yes"
KERNEL==”sd?”, SUBSYSTEM==”block”, ENV{ID_SERIAL_SHORT}==”<value>”, ENV{ID_FS_TYPE}=”crypto_LUKS”
[anaconda /] umount -l /mnt/sysroot [anaconda /] umount -l /mnt/sysimage [anaconda /] swapoff /dev/qubes_dom0/swap [anaconda /] vgchange -a n qubes_dom0 [anaconda /] cryptsetup luksClose /dev/mapper/luks [anaconda /] cryptsetup luksClose /dev/mapper/luks-$uuid [anaconda /] cryptsetup luksErase /dev/nvme0n1 [luks prompt /] YES [anaconda /] wipefs -a /dev/nvme0n1 [anaconda /] reboot
NAME FSTYPE FSVER LABEL UUID FSAVAIL FSUSE% MOUNTPOINT
loop0
loop1
loop2
sda
├─sda1 vfat FAT32 3F62-7E87 587.5M 2% /boot/efi
├─sda2 crypto_LUKS 1 5f4a8efe-a2cd-41ab-889b-d8c759fa8db7
│ └─luks-5f4a8efe-a2cd-41ab-889b-d8c759fa8db7 ext2 1.0 5f4a8efe-a2cd-41ab-889b-d8c759fa8db7 925.4M 6% /boot
└─sda3 crypto_LUKS 2 85773448-fa03-44b7-a643-b2b3ec7b9984
sr0 iso9660 Joliet Extension QUBES-R4-1-0-BETA1-X86-64 2021-07-10-17-09-38-00
nvme0n1
└─luks-85773448-fa03-44b7-a643-b2b3ec7b9984 LVM2_member LVM2 001 Tsmi04-XlVi-2nfi-FoDA-3nsM-ZHz5-awCWzQ
├─qubes_dom0-root--pool_tmeta
│ └─qubes_dom0-root--pool-tpool
│ ├─qubes_dom0-root ext4 1.0 e511dfeb-541f-4beb-a188-937c58e85928 14.9G 19% /
│ └─qubes_dom0-root--pool
├─qubes_dom0-root--pool_tdata
│ └─qubes_dom0-root--pool-tpool
│ ├─qubes_dom0-root ext4 1.0 e511dfeb-541f-4beb-a188-937c58e85928 14.9G 19% /
│ └─qubes_dom0-root--pool
├─qubes_dom0-swap swap 1 a629f9ea-9cd2-4a19-bf41-95b43b5d24bb [SWAP]
├─qubes_dom0-vm--pool_tmeta
│ └─qubes_dom0-vm--pool-tpool
│ ├─qubes_dom0-vm--pool
│ ├─qubes_dom0-vm xfs 2433e2e5-64de-4830-af4d-4b0e371b3941
│ ├─qubes_dom0-vm--fedora--34--root--1631021717--back
│ ├─qubes_dom0-vm--fedora--34--dvm--private
│ ├─qubes_dom0-vm--fedora--34--root--1631021777--back
│ ├─qubes_dom0-vm--fedora--34--root
│ ├─qubes_dom0-vm--default--mgmt--dvm--private
│ ├─qubes_dom0-vm--fedora--34--private
│ ├─qubes_dom0-vm--sys--net--private
│ ├─qubes_dom0-vm--sys--firewall--private
│ ├─qubes_dom0-vm--sys--net--private--snap
│ ├─qubes_dom0-vm--sys--net--volatile
│ ├─qubes_dom0-vm--sys--net--root--snap
│ ├─qubes_dom0-vm--sys--firewall--private--snap
│ ├─qubes_dom0-vm--sys--firewall--volatile
│ └─qubes_dom0-vm--sys--firewall--root--snap
└─qubes_dom0-vm--pool_tdata
└─qubes_dom0-vm--pool-tpool
├─qubes_dom0-vm--pool
├─qubes_dom0-vm xfs 2433e2e5-64de-4830-af4d-4b0e371b3941
├─qubes_dom0-vm--fedora--34--root--1631021717--back
├─qubes_dom0-vm--fedora--34--dvm--private
├─qubes_dom0-vm--fedora--34--root--1631021777--back
├─qubes_dom0-vm--fedora--34--root
├─qubes_dom0-vm--default--mgmt--dvm--private
├─qubes_dom0-vm--fedora--34--private
├─qubes_dom0-vm--sys--net--private
├─qubes_dom0-vm--sys--firewall--private
├─qubes_dom0-vm--sys--net--private--snap
├─qubes_dom0-vm--sys--net--volatile
├─qubes_dom0-vm--sys--net--root--snap
├─qubes_dom0-vm--sys--firewall--private--snap
├─qubes_dom0-vm--sys--firewall--volatile
└─qubes_dom0-vm--sys--firewall--root--snap
Linux dom0 5.10.47-1.fc32.qubes.x86_64 #1 SMP Sun Jul 4 10:29:16 CEST 2021 x86_64 x86_64 x86_64 GNU/Linux