[Howto] - How to install Fedora 31 with LVM on LUKS2

Requirements:

  • A good internet connection, we will be downloading around 2 GB.

  • A Linux system with xorriso or VirtualBox Linux installation with xorriso.

  • Fedora Server NetInstall Image (This is because Live Images don’t support Kickstart installs like Fedora-Workstation-Live)

  • Patience !!!

Problem Statement:

The current Anaconda installer allows the configuration of LVM on LUKS, but the LUKS version will be LUKS1; there is no way to instruct the graphical installer to use LUKS2. The only way to do this is via Kickstart, where you can specify the LUKS version to be 2. But the problem is that you will be downloading the whole installation, which is why a good internet connection is required.

Instructions:

  1. First create your Kickstart file. My advice is not to write it from scratch but use the one in your own installation which is found under /root named anaconda-ks.cfg. This provides a good starting point.

  2. I will be mainly concentrating on the partitioning portion of the Kickstart file, where you can specify the LUKS version. This is what I had used for my laptop:

# Disk partitioning information
part pv.961 --fstype="lvmpv" --ondisk=sda --size=952332 --encrypted --luks-version=luks2 --passphrase=YOUR_PASSPHRASE
part /boot/efi --fstype="efi" --ondisk=sda --size=512 --fsoptions="umask=0077,shortname=winnt"
part /boot --fstype="ext4" --ondisk=sda --size=1024
volgroup vgfedora --pesize=4096 pv.961
logvol / --fstype="ext4" --size=716800 --name=fedora --vgname=vgfedora

So just a brief explanation of what this is doing is partitioning my 1TB HDD into 3 partitions:

    /dev/sda1        Mount Point /boot/efi
    /dev/sda2        Mount Point /boot
    /dev/sda3        Mount Point /

/dev/sda1 = This is my EFI System Partition, where my bootloader will reside.
/dev/sda2 = This is my /boot partition where my kernels will reside. It needs to be unencrypted.
/dev/sda3 = This is my root partition. This will first be formatted as a LUKS2 device. LUKS2 because, notice, we have specified LUKS2 in the above config. And then we create an LVM on top of it with Volume Group vgfedora and logical volume fedora.

Note to MBR+BIOS users:
This partitioning style refers to a UEFI+GPT system; if you are using the older MBR+BIOS systems you do not need the /boot/efi partition, you just need the /boot and other partitions you might create.

You can create more complex partitions and that is up to you. You can find more information about Kickstart partitioning here: https://docs.fedoraproject.org/en-US/fedora/rawhide/install-guide/appendixes/Kickstart_Syntax_Reference/#sect-kickstart-commands-storage

You may note that there is no swap partition. That’s because I prefer using a SwapFile instead of a partition. But again that’s just my personal preference.

Next you may want to select the packages you want in your installation, but please note, adding more packages will just increase the download size.

This is what I used:

%packages
@^workstation-product-environment
@admin-tools
@authoring-and-publishing
@c-development
@container-management
@d-development
@development-tools
@editors
@headless-management
@libreoffice
@mate-applications
@network-server
@office
@rpm-development-tools
@sound-and-video
@system-tools
@window-managers
%end

Lastly, this may not be good advice but if you find it difficult to create the Kickstart file, then you might try installing Fedora on VirtualBox and copy the Kickstart file from its installation. I know it’s inefficient but this is what I did when I was in doubt as to whether an option would work or not.

  3. So now you have finalized your Kickstart file and it’s time to add it to the Fedora Image. Sadly, most tutorials on YouTube or on the net do not describe in detail how to use the Kickstart file in a local install, without an NFS/Network install.

I don’t know if this is the best method but it worked for me. You need to add the kickstart file into the ISO image via multisession; this is where xorriso comes in:

The command to do this is:

xorriso -indev Fedora-Server-netinst-x86_64-31-1.9.iso \
          -outdev test.iso \
          -compliance no_emul_toc \
          -map "kickstart_file" "/EFI/BOOT/ks.cfg" \
          -boot_image any replay

A brief explanation of what this command does: it opens your original disk image and adds the kickstart file in the EFI/BOOT folder with the name ks.cfg; this is the -map command. The -compliance no_emul_toc removes all multisession history, and the command -boot_image any replay rebuilds the boot equipment to match the new disk. Lastly, -outdev test.iso just writes to a file called test.iso.

The credit for the above xorriso command goes to none other than the creator of xorriso itself - Thomas Schmitt. Thanks for all your help, could not have done this without your help.

So you should have a file called test.iso in your directory.

  4. Now you are almost done, just transfer your image to a USB using dd or ImageWriter if you are on Windows and boot into Fedora. Now the kickstart configuration needs to be specified at boot time. Depending on whether you are using MBR or UEFI to boot you will be greeted with ISOLINUX for MBR and GRUB2 for UEFI.

The method is only slightly different for them:

ISOLINUX: At the bootscreen press Tab after selecting the Start Fedora option. Append the following line:

ks=hd:LABEL=Fedora-S-dvd-x86_64-31:/EFI/BOOT/ks.cfg

It will look something like:
[screenshot: isolinux]

All this is doing is pointing to the Kickstart file that we added. Press Enter to boot.

GRUB: Just select Start Fedora and press e then add in the same line to startup parameters. It will be something like:

Press Ctrl-x to boot.

If all goes well you should boot into a Kickstart installation, you might need to configure your network adapters as needed, but don’t touch the partitioning info as selecting it will break the LUKS2 config.

Final Thoughts:
I am new to Fedora and Linux in general so I hope if I have made any mistakes you will let me know in the comments rather than insulting me :frowning_face:

Having said that I would like to voice my criticisms of the Anaconda installer and its shortcomings.

Firstly, I don’t understand why a Kickstart file needs to be specified at the boot-time for Anaconda, why can’t there just be a simple command line switch ? Imagine if you had to specify your VIMRC at boot time.

Secondly, I really could not find any documentation of running Anaconda from the command line only, Arch variants like Manjaro have a much more sane install. Anaconda really gives you very little flexibility.

Thirdly, I don’t understand why this bug has not been fixed in the Anaconda installer, some people point out it’s because of booting problems from LUKS2, but I am on a UEFI+GPT system and I have not faced any such issues. Who knows, maybe I will be facing them in the future.

Hope this helps,
Thanks.

3 Likes

Good day!
There are a lot of topics regarding your post I would like to comment on and add some information. However, I just don’t have the time right now but will try to follow up.

Regarding the setup of a LUKS2 volume using the graphical Anaconda, I just had a F32 beta release in front of me and simulated your case. Looks like this is a very easy task. (I haven’t tried this with F31 though).

Let me know if you have further questions regarding this setup…

Cheers!

PS: Also, on the more standard LUKS on LVM setup, the default is luks2 (Fedora 32). Maybe this feature didn’t make it for F31 (initially planned for F30)

2 Likes

To automate installations…?! (unattended)

I think in your approach you took a little detour. You don’t have to create an entire new .iso live image to kickstart an installation. You can take a “regular” Workstation Live image and append the inst.ks= <location to your ks.cfg> to the boot line. Did you try that?
Maybe take another look at:

You can find quite a few examples for kickstart installations online, here is one: https://github.com/sinner-/kickstart-fedora-workstation

Thanks for taking the time from your busy schedule and commenting on my post.

I am particularly talking about Fedora 31.

I don’t want to run beta Fedora on my laptop hence I needed this to work on the latest stable Fedora.

I have tried your method and it does not work. It creates a LUKS2 on LVM setup as described below:

The LVM container is first created and then LUKS2 is used on top of it. This is not what I want.

I want the LUKS2 container to be created first, then LVM.

Hence LVM on LUKS2.

I have no clue if they have changed this on Fedora 32 beta but I will believe it once you share the output of lsblk -f.

Well my question would be have you tried that ?

This was the first thing I tried, and I wish Fedora made it that simple. Fedora Workstation fails with the message:

Again, I hope they change this in future releases.

I understand. I said I haven’t tried this with F31 (and I am not going to).

I believe this is what is happening when you follow the route of my first screenshot.

You can test it - I am not interested.

No, I am not interested in such things - I was just trying to help by pointing to the documentation. If kickstart is not supported by your live media, take the netinstall (it has many advantages anyway). Or use pykickstart from your live system…

‘They’ is ‘the community’.

No, it’s not, it first creates the LVM and then the LUKS, not the same as creating the LUKS2 first and then LVM. I have tested it on Fedora 31 and it does not do what you say.

I am not going to use Fedora 32 while it is in beta, so I guess we will know only when it becomes stable.

If you see I am already using the NetInstall image in my tutorial and I had to use that.

Yup, the bug is already filed, maybe stop using Anaconda altogether?
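
The disagreement in this thread is about stacking order (LVM on LUKS2 versus LUKS2 on LVM), which `lsblk` and `cryptsetup luksDump` output settle directly. The script below is an added example, not part of any post: it classifies the stack from `lsblk -P -o KNAME,PKNAME,TYPE,FSTYPE` output and reads the header version from `luksDump` output. The function names and the sample device rows are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample rows are constructed, not from the thread.
# stdin: `lsblk -P -o KNAME,PKNAME,TYPE,FSTYPE`
# stdout: lvm-on-luks | luks-on-lvm | mixed | none
classify_stack() {
    awk '
    {
        k = ""; p = ""; t = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            gsub(/"/, "", kv[2])
            if (kv[1] == "KNAME")  k = kv[2]
            if (kv[1] == "PKNAME") p = kv[2]
            if (kv[1] == "TYPE")   t = kv[2]
        }
        dtype[k] = t; n++; child[n] = t; par[n] = p
    }
    END {
        for (i = 1; i <= n; i++) {
            pt = (par[i] in dtype) ? dtype[par[i]] : ""
            if (child[i] == "lvm"   && pt == "crypt") a = 1  # LV on a LUKS mapping
            if (child[i] == "crypt" && pt == "lvm")   b = 1  # LUKS mapping on an LV
        }
        if (a && b)  print "mixed"
        else if (a)  print "lvm-on-luks"
        else if (b)  print "luks-on-lvm"
        else         print "none"
    }'
}

# stdin: `cryptsetup luksDump <device>`; stdout: LUKS header version (1 or 2)
luks_version() { awk '$1 == "Version:" { print $2; exit }'; }

# Constructed sample: the layout the Kickstart partitioning is meant to produce.
sample_lvm_on_luks() { cat <<'EOF'
KNAME="sda3" PKNAME="sda" TYPE="part" FSTYPE="crypto_LUKS"
KNAME="dm-0" PKNAME="sda3" TYPE="crypt" FSTYPE="LVM2_member"
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" FSTYPE="ext4"
EOF
}
# Constructed sample: the reverse stacking (an encrypted logical volume).
sample_luks_on_lvm() { cat <<'EOF'
KNAME="sda3" PKNAME="sda" TYPE="part" FSTYPE="LVM2_member"
KNAME="dm-0" PKNAME="sda3" TYPE="lvm" FSTYPE="crypto_LUKS"
KNAME="dm-1" PKNAME="dm-0" TYPE="crypt" FSTYPE="ext4"
EOF
}
sample_lvm_on_luks | classify_stack
sample_luks_on_lvm | classify_stack
```

On an installed system, pipe the real `lsblk -P -o KNAME,PKNAME,TYPE,FSTYPE` output into `classify_stack`, and the output of `cryptsetup luksDump` for the encrypted partition into `luks_version`.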