How to install CRUX with encryption

Encrypted CRUX installation
encrypted crux encryption luks lvm encrypted laptop source based distros

How to install fully encrypted CRUX

This post is for crux users who wanna secure their crux installation.


I’m gonna use two partitions. First boot partition will be unencrypted which holds kernel. I use secure boot with my own keys. You can find a post in my blog how to do that. and I have some ports too for secure boot.

Unencrypted Boot Partition

Create a partition more than 200 Mbs for boot ESP with gdisk code ef00.

Let’s create a FAT filesystem on it for EFI.

mkfs.fat -F32 /dev/sda1

Encrypted Partition

Create an encrypted LUKS container

cryptsetup luksFormat /dev/sda2

Type uppercase “YES” and then enter passphrase two times.

Open the encrypted container.

cryptsetup open /dev/sda2 crux 

Now the encrypted container is available at /dev/mapper/crux so lets create some lvm stuff and create filesystems and a swap partition.

pvcreate /dev/mapper/crux
vgcreate ak /dev/mapper/crux
lvcreate -L 8G ak -n swap
lvcreate -L 50G ak -n root
lvcreate -l 100%FREE ak -n home
mkfs.ext4 /dev/ak/root -L crux-root
mkfs.ext4 /dev/ak/home -L crux-home
mkswap /dev/ak/swap -L crux-swap

Mount the partitions and start installations.

mount /dev/mapper/ak-root /mnt
mkdir /mnt/{boot,home}
mount /dev/mapper/ak-home /mnt/home
mount /dev/sda1 /mnt/boot
swapon /dev/mapper/ak-swap

Base system installation

Start installation. Type “setup” and select “YES”. Install all packages. Make sure you get no error messages once installation is finished.



Enter chroot.



Check fstab by going to /etc/fstab. Open it with vim. You’ll see two uncommented entries there. Leave them as it is. In vim prompt mode just type :r! blkid and you’ll get UUIDs of all partitions. Add them there for root, home, boot and swap partitions.


Generate locales.

localedef -i en_US -f ISO-8859-1 en_US
localedef -i en_US -f ISO-8859-1 en_US.ISO-8859-1
localedef -i en_US -f UTF-8 en_US.UTF-8 


Edit rc.conf. Mine looks like this.

vim /etc/rc.conf

# /etc/rc.conf: system configuration

SERVICES=(crond wifi acpid )

# End of file


Edit /etc/resolv.conf. I’m using OpenDNS nameserver here.

vim /etc/resolv.conf


For wireless connection, you can use wpa_supplicant. For example if your interface is wlp3s0 and SSID is nix, add passphrase to it using wpa_passphrase like this.

wpa_passphrase nix >> /etc/wpa_supplicant.conf
Reading from STDIN  # Type your passphrase.
wpa_supplicant -i wlp3s0 -B -c /etc/wpa_supplicant.conf
dhcpcd wlp3s0


Compile the kernel now. Go to the /usr/src/linux directory. Configure the kernel config. Since we are gonna have an encrypted installation, we need some extra drivers. Invoke ‘make menuconfig’ and enable these options. And also enable what is needed for your hardware. I’ll add only options needed for encryption here.

General setup --->

  [*] Initial RAM filesystem and RAM disk (iniramfs/initrd) support

Device Drivers --->

  Multiple devices driver support (RAID and LVM) --->
    [*] Device mapper support
    [*] Crypt target support

Cryptographic API ---> 
  -*- CBC support
  <*> SHA224 and SHA256 digest algorithm
  <*> AES cipher algorithms

You can get my kernel config from by using wget and then edit it as per your hardware. This one is for Thinkpad with SSD.

wget > .config 

After you’re done with configuring kernel, compile it. Once it’s compiled, copy it to /boot directory and install modules.

make -j8
make modules_install
cp arch/x86/boot/bzImage /boot/vmlinuz
cp /boot

Users and package management

Root password and a normal user

Set root password. Create our first user. And then we will create a second user for package management.

useradd -G wheel,audio,video -m -U abdullah
passwd abdullah

Give new user sudo access

Add new created user to sudoers. Uncomment this line in /etc/sudoers.

%wheel ALL=(ALL) ALL

User for creating packages

Now let’s create a user for package management.

groupadd pkgmk
useradd -m -g pkgmk pkgmk

Add our user to this newly created group.

usermod -aG pkgmk abdullah


Edit /etc/prt-get.conf to set up fakeroot building.

makecommand sudo -H -u pkgmk /usr/bin/fakeroot /usr/bin/pkgmk

Edit /etc/pkgmk.conf.

vim /etc/pkgmk.conf

Create those directories.

mkdir /home/pkgmk/{distfiles,packages,work}
chown pkgmk:pkgmk /home/pkgmk/*
chmod 775 /home/pkgmk/*

Enable contrib repository.

mv /etc/ports/contrib.rsync.inactive /etc/ports/contrib.rsync

Add my custom ports repository.

echo "ROOT_DIR=/usr/ports/ak\nURL=" > /etc/ports/ak.httpup


Enable contrib and my repository by editing /etc/prt-get.conf. Uncomment the line which says “prtdir /usr/ports/contrib” and add this line on top of the other port directories path. “prtdir /usr/ports/ak”. Also don’t forget to uncomment the line which says, “runscripts yes”. After editing the file, it should be look like this.

### prt-get conf

# note: the order matters: the package found first is used
prtdir /usr/ports/ak
prtdir /usr/ports/core
prtdir /usr/ports/opt
prtdir /usr/ports/xorg

# the following line enables the multilib compat-32 collection
#prtdir /usr/ports/compat-32

# the following line enables the user maintained contrib collection
prtdir /usr/ports/contrib

### use mypackage form local directory
# prtdir /home/packages/build:mypackage

### log options:
# writelog enabled         # (enabled|disabled)
# logmode  overwrite       # (append|overwrite)
# rmlog_on_success yes     # (no|yes)
logfile  /var/log/pkgbuild/%n.log
                           # path, %p=path to port dir, %n=port name
                           #       %v=version, %r=release

### use alternate cache file (default: /var/lib/pkg/prt-get.cache
# cachefile /mnt/nfs/cache

### print README information:
# readme verbose           # (verbose|compact|disabled)

### prefer higher versions in sysup / diff
# preferhigher no      # (yes|no)

### use regexp search
# useregex no        # (yes|no)

### run pre- and post-installs scripts; yes is equivalent to the
### --install-scripts option
runscripts yes            # (no|yes)


### alternative commands
# makecommand      pkgmk
# addcommand       pkgadd
# removecommand    pkgrm
# runscriptcommand sh
makecommand sudo -H -u pkgmk /usr/bin/fakeroot /usr/bin/pkgmk

Sync ports now.

ports -u

Get fakeroot installed if you don’t have yet.

prt-get install fakeroot


Get dracut and create an initramfs.

prt-get depinst dracut
dracut initramfs.img


I’m using EFISTUB. If you’re using some other boot manager like grub, consult their wiki. There are some dracut related variables in this example. I’d recommand, create a new file with vim, and then in prompt mode, type :r! blkid so you’ll get all UUIDs there in the file. Just copy them in the new file, delete other lines and save it. Then redirect this file’s output to shell like this, ‘cat newCreatedFile | sh’. It will create a new entry. root-UUID=, rd.luks.uuid=, and For EFISTUB, create an entry like this.

efibootmgr --create --disk /dev/sda --part 1 --label 'CRUX-Encrypted' --loader /vmlinuz --unicode "root=UUID=XXXX-XXXX-XXXX-XXX rw resume=UUID=XXXX-XXXX-XXXX-XXXX rd.luks.uuid=XXXX-XXXX-XXXX-XXXX" --verbose


Congrats! You have now a fully encrypted system. Reboot now. If you have some problems, just send me an email and I’ll be glad to help.