Encrypted LVM/LUKS Linux Install

This is a basic procedure for setting up a Linux system my preferred way.

By no means is this a tutorial or a full guide to installing Linux. There are many parts that have been excluded, since this mainly focuses on the disk layout and partitioning.

Many parts are optional, and many partitions are not strictly required. For example, the ESP partition can be shared with the /boot partition. I don’t like to do that, since that requires that the kernel be stored on FAT32 which is icky, but it does reduce the complexity of the install. Also, LVM volumes for /var and /tmp can also be safely excluded.

This setup works great for Arch Linux and Gentoo, and likely for Debian as well.

Set up disks

Assuming /dev/sda is our primary disk.

Disk Layout:

Partition    Purpose                 Label   Size
/dev/sda1    GRUB2 Bootloader        grub    1 MB
/dev/sda2    EFI System Partition    efi     128 MB
/dev/sda3    initramfs + kernel      boot    500 MB
/dev/sda4    LUKS + LVM              lvm     500 GB

The rest of the volumes will be set up using LVM slices inside the LUKS container.

Build Partitions

parted -a optimal /dev/sda

	mklabel GPT
	mkpart primary 1 3
	name 1 grub
	set 1 bios_grub on

	mkpart primary 3 131
	name 2 efi
	set 2 boot on

	mkpart primary 131 631
	name 3 boot

	mkpart primary 631 100%
	name 4 lvm

Create LUKS volume

cryptsetup luksFormat --type luks2 /dev/sda4
cryptsetup open /dev/sda4 cryptlvm

Create LVM device

pvcreate /dev/mapper/cryptlvm
vgcreate stor /dev/mapper/cryptlvm

LVM Config

LVM is flexible; volumes can be added or left out as needed. Note: I like to have a separate /var/log mount point to improve system stability.

Volume Name   Mount Point   Size
swap          [swap]        4 GB
root          /             60 GB
var           /var          20 GB
log           /var/log      5 GB
tmp           /tmp          2 GB
home          /home         360 GB

Create Volumes

lvcreate -L 4G  stor -n swap
lvcreate -L 60G stor -n root
lvcreate -L 20G stor -n var
lvcreate -L 5G  stor -n log
lvcreate -L 2G  stor -n tmp
lvcreate -l 100%FREE stor -n home
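The partition boundaries in the parted session above (1, 3, 131, 631) are the running sum of the sizes in the disk layout table, and the lvcreate lines are the volume table read row by row. The following script, added here and not part of the original notes, derives both command sequences from those two tables so the boundaries are never computed by hand; it only prints the plan, and DISK, VG and CRYPT_NAME are assumed defaults (sdX-style device naming is assumed for the partition path):

```shell
#!/bin/sh
# Added example, not part of the original notes: derive the parted,
# cryptsetup, LVM and lvcreate commands from the two size tables above.
# Nothing is executed; the plan is printed for review. DISK, VG and
# CRYPT_NAME are assumed defaults, and "${DISK}N" device naming assumes
# an sdX-style disk (an NVMe disk would need a "p" separator).
set -eu

DISK="${DISK:-/dev/sda}"
VG="${VG:-stor}"
CRYPT_NAME="${CRYPT_NAME:-cryptlvm}"

# Partition rows: "label size_in_MiB parted_flag". The first partition
# starts at 1 MiB and each one starts where the previous ended, giving
# the 1/3/131/631 boundaries of the interactive parted session above.
# REST means "to the end of the disk"; "-" means no flag.
PARTS="grub 2 bios_grub
efi 128 boot
boot 500 -
lvm REST -"

# Logical volume rows: "name size". A percentage is passed with -l,
# an absolute size with -L, exactly as in the lvcreate lines above.
LVS="swap 4G
root 60G
var 20G
log 5G
tmp 2G
home 100%FREE"

# Print the parted commands for $DISK, accumulating boundaries in MiB.
parted_plan() {
  echo "parted -s $DISK mklabel gpt"
  start=1
  n=0
  printf '%s\n' "$PARTS" | while read -r label size flag; do
    n=$((n + 1))
    if [ "$size" = REST ]; then
      end="100%"
    else
      end="$((start + size))MiB"
    fi
    echo "parted -s -a optimal $DISK mkpart primary ${start}MiB $end"
    echo "parted -s $DISK name $n $label"
    if [ "$flag" != - ]; then
      echo "parted -s $DISK set $n $flag on"
    fi
    [ "$size" = REST ] || start=$((start + size))
  done
}

# Print the LUKS container and LVM physical/volume group setup for the
# last partition (the lvm row, so its number is the row count).
luks_lvm_plan() {
  n=$(printf '%s\n' "$PARTS" | wc -l | tr -d ' ')
  part="${DISK}${n}"
  echo "cryptsetup luksFormat --type luks2 $part"
  echo "cryptsetup open $part $CRYPT_NAME"
  echo "pvcreate /dev/mapper/$CRYPT_NAME"
  echo "vgcreate $VG /dev/mapper/$CRYPT_NAME"
}

# Print one lvcreate per row of $LVS.
lv_plan() {
  printf '%s\n' "$LVS" | while read -r name size; do
    case "$size" in
      *%*) echo "lvcreate -l $size $VG -n $name" ;;
      *)   echo "lvcreate -L $size $VG -n $name" ;;
    esac
  done
}

# The whole plan, in the order the sections above run it.
full_plan() {
  parted_plan
  luks_lvm_plan
  lv_plan
}

if [ "${1:-}" = plan ]; then full_plan; fi
```

Run it as `sh plan.sh plan > layout.sh`, read layout.sh, and only then run `sh layout.sh` from a terminal (luksFormat prompts for the passphrase on the terminal, so the plan should not be piped straight into sh).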

View LVM config

vgs - show volume groups
lvs - show logical volumes

Format & Mount Volumes

Partition Path    Mount Point   Filesystem
/dev/sda2         n/a           fat32
/dev/sda3         /boot         ext2
/dev/stor/swap    [swap]        swap
/dev/stor/root    /             ext4
/dev/stor/var     /var          ext4
/dev/stor/log     /var/log      ext4
/dev/stor/tmp     /tmp          ext4
/dev/stor/home    /home         ext4

Initialize Filesystems

mkfs.fat -F 32 /dev/sda2
mkfs.ext2 /dev/sda3
mkfs.ext4 /dev/stor/{root,var,log,tmp,home}

Set up Swap

mkswap /dev/stor/swap
swapon /dev/stor/swap

Mount Filesystems

Substitute the mount point with where your distribution targets the install. For example, Gentoo uses /mnt/gentoo/

Root filesystem:

mount /dev/stor/root /mnt/

Var and Log filesystems:

mkdir -p /mnt/var/log
mount /dev/stor/var /mnt/var/
mount /dev/stor/log /mnt/var/log

Temp filesystem

 mkdir -p /mnt/tmp
 mount -o nodev,noexec /dev/stor/tmp /mnt/tmp

Home filesystem

 mkdir -p /mnt/home
 mount /dev/stor/home /mnt/home
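Once the system is up, it is worth confirming that each volume landed on its intended mount point and that /tmp kept the nodev,noexec options, since a missing entry later (say, a typo in fstab) silently leaves /var/log on the root volume or /tmp executable. The check below is an added example, not part of the original notes; it reads a table in /proc/mounts format from the file given as its argument, so it runs against the live system (check_mounts /proc/mounts) or against the constructed samples included. The device names assume the "stor" volume group, which the kernel reports as /dev/mapper/stor-<name>.

```shell
#!/bin/sh
# Added example, not part of the original notes: verify that the volumes
# above are mounted where expected and that /tmp carries nodev,noexec.
# Reads a /proc/mounts-format file given as argument; device names assume
# the "stor" volume group (reported by the kernel as /dev/mapper/stor-<lv>).
set -eu

# Rows: "mountpoint device required_options" ("-" = no option required).
# The /tmp row mirrors the "mount -o nodev,noexec" command above.
EXPECTED="/ /dev/mapper/stor-root -
/var /dev/mapper/stor-var -
/var/log /dev/mapper/stor-log -
/tmp /dev/mapper/stor-tmp nodev,noexec
/home /dev/mapper/stor-home -"

# has_opt "rw,nodev,noexec,relatime" noexec -> true if the option is listed.
has_opt() {
  case ",$1," in *",$2,"*) return 0 ;; esac
  return 1
}

# Print one line per mismatch found in the mounts file; succeed only if none.
check_mounts() {
  mounts="$1"
  problems=$(printf '%s\n' "$EXPECTED" | while read -r mp dev req; do
    # The last entry for a mount point wins, as with stacked mounts.
    line=$(awk -v mp="$mp" '$2 == mp { l = $0 } END { print l }' "$mounts")
    if [ -z "$line" ]; then
      echo "$mp: not mounted"
      continue
    fi
    set -- $line   # $1 device, $2 mount point, $3 fstype, $4 options
    if [ "$1" != "$dev" ]; then
      echo "$mp: mounted from $1, expected $dev"
    fi
    if [ "$req" != - ]; then
      for o in $(printf '%s\n' "$req" | tr ',' ' '); do
        has_opt "$4" "$o" || echo "$mp: missing mount option $o"
      done
    fi
  done)
  if [ -n "$problems" ]; then
    printf '%s\n' "$problems"
    return 1
  fi
}

# Constructed /proc/mounts samples for offline checking (not real output).
sample_ok() {
  cat <<'EOF'
/dev/mapper/stor-root / ext4 rw,relatime 0 0
/dev/mapper/stor-var /var ext4 rw,relatime 0 0
/dev/mapper/stor-log /var/log ext4 rw,relatime 0 0
/dev/mapper/stor-tmp /tmp ext4 rw,nodev,noexec,relatime 0 0
/dev/mapper/stor-home /home ext4 rw,relatime 0 0
EOF
}

# Constructed failure case: /var/log never mounted and /tmp lost noexec.
sample_bad() {
  cat <<'EOF'
/dev/mapper/stor-root / ext4 rw,relatime 0 0
/dev/mapper/stor-var /var ext4 rw,relatime 0 0
/dev/mapper/stor-tmp /tmp ext4 rw,nodev,relatime 0 0
/dev/mapper/stor-home /home ext4 rw,relatime 0 0
EOF
}

if [ -n "${1:-}" ]; then check_mounts "$1"; fi
```

On a real system this belongs in a post-boot health check; a non-zero exit from check_mounts /proc/mounts means a volume is missing or /tmp is weaker than intended.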

Bootloader and Initramfs

I prefer grub because it’s boring. Other bootloaders can be used as well.

GRUB

After building/installing the grub2 binaries on the target system, the ESP partition can be set up.

 mkdir -p /boot/efi
 mount /dev/sda2 /boot/efi

Then grub2 can be installed into the ESP.

 grub-install --target=x86_64-efi --efi-directory=/boot/efi

The ESP can be unmounted after this. It generally does not need to be mounted.

umount /boot/efi

GRUB config

Edit /etc/default/grub and add the encrypted device to the kernel command line, so the initramfs knows which partition to open as cryptlvm before it looks for the LVM root.

This may vary based on GRUB version and distribution. For Arch Linux:

 GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda4:cryptlvm rw quiet"

Or, for Gentoo:

 GRUB_CMDLINE_LINUX="crypt_root=/dev/sda4 init=/lib/systemd/systemd dolvm"

Then, the config is set up.

  grub-mkconfig -o /boot/grub/grub.cfg

Archlinux initcpio

For Arch, the simplest way to go is to use initcpio.

/etc/mkinitcpio.conf

HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt lvm2 filesystems fsck)

And then generate the initramfs:

mkinitcpio -p linux
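The order of the HOOKS line matters: keyboard has to precede encrypt so the passphrase can be typed, encrypt has to precede lvm2 because the volume group lives inside the LUKS container, and lvm2 has to precede filesystems so the root volume exists when it is mounted. The script below is an added example, not part of the original notes; it checks an mkinitcpio.conf for exactly that order (the array-style HOOKS=(...) line shown above), with the file path as a parameter so constructed samples can be checked offline.

```shell
#!/bin/sh
# Added example, not part of the original notes: check that an
# mkinitcpio.conf lists the hooks in a usable order: keyboard before
# encrypt, encrypt before lvm2, lvm2 before filesystems, which is the
# order the HOOKS line above follows. Only the HOOKS=(...) array form
# shown above is parsed. The file path is a parameter.
set -eu

# Position (1-based) of hook $2 in the space-separated list $1, 0 if absent.
hook_index() {
  i=0
  for h in $1; do
    i=$((i + 1))
    if [ "$h" = "$2" ]; then echo "$i"; return 0; fi
  done
  echo 0
}

# Print one line per problem; succeed only if the required order holds.
check_hooks() {
  hooks=$(sed -n 's/^HOOKS=(\(.*\))/\1/p' "$1" | tail -n 1)
  if [ -z "$hooks" ]; then
    echo "no HOOKS=(...) line found in $1"
    return 1
  fi
  rc=0
  prev=0
  prev_name=""
  for h in keyboard encrypt lvm2 filesystems; do
    i=$(hook_index "$hooks" "$h")
    if [ "$i" -eq 0 ]; then
      echo "missing hook: $h"
      rc=1
    elif [ "$i" -lt "$prev" ]; then
      echo "$h must come after $prev_name (found $h at $i, $prev_name at $prev)"
      rc=1
    fi
    if [ "$i" -gt 0 ]; then prev=$i; prev_name=$h; fi
  done
  return $rc
}

if [ -n "${1:-}" ]; then check_hooks "$1"; fi
```

Run it as `sh check_hooks.sh /etc/mkinitcpio.conf` before `mkinitcpio -p linux`; a non-zero exit points at the hook that is missing or out of place.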

Genkernel initramfs

Make sure that genkernel-next is installed. The cryptsetup USE flag must also be enabled.

/etc/portage/package.use

 sys-kernel/genkernel-next  cryptsetup

Then genkernel is reconfigured.

/etc/genkernel.conf

LVM="yes"
LUKS="yes"
UDEV="yes"
BOOTLOADER="grub"

And a new initramfs is compiled and installed.

  genkernel initramfs

Services

Make sure that UDEV and LVMETAD are running on boot.

Systemd:

systemctl enable lvm2-lvmetad

OpenRC:

rc-update add lvmetad boot

System Rescue

If the system doesn’t boot correctly, you can get back in from the grub emergency shell.

   cryptsetup open /dev/sda4 cryptlvm

   > luks passphrase...

   mount /dev/stor/root /new_root

Then the kernel will pick up from where it left off and start the init system, hopefully getting you back up and running.