From 9726accb0e23f2a6d7ecfd7bc18fd975da9c0d2b Mon Sep 17 00:00:00 2001 From: AlexBocken Date: Sat, 1 Jul 2023 15:03:43 +0200 Subject: [PATCH] auto-mounting additional hard-drives added --- docs/luks2.md | 116 +++++++++++++++++++++++++++++++++----------------- 1 file changed, 77 insertions(+), 39 deletions(-) diff --git a/docs/luks2.md b/docs/luks2.md index e7800da..c62d2eb 100644 --- a/docs/luks2.md +++ b/docs/luks2.md @@ -27,7 +27,7 @@ lvcreate -L 32G vg -n root lvcreate -l 100%FREE vg -n home ``` and mkfs them: -``` +```sh mkfs.ext4 /dev/vg/root mkfs.ext4 /dev/vg/home mkswap /dev/vg/swap @@ -59,7 +59,7 @@ passwd ## Edit /etc/mkinitcpio.conf to support encryption In `/etc/mkinitcpio.conf` edit the HOOKS to include these highlighted ones as well: -``` +```/etc/mkinitcpio.conf HOOKS=(base __udev__ autodetect modconf kms keyboard keymap consolefont block __encrypt__ __lvm2__ filesystems fsck) ``` and rebuild initramfs: @@ -68,13 +68,13 @@ mkinitcpio -P ``` ## Create new user, download AUR helper, and install grub-improved-luks2-git -``` +```sh useradd -m -G wheel alex passwd alex ``` Give him sudo permissions: in `/etc/sudoers` add: -``` +```/etc/sudoers %wheel ALL=(ALL) ALL ``` Now install paru or equivalent AUR helper: @@ -94,11 +94,11 @@ Get encrypted partition UUID into the /etc/default/grub via ls -l /dev/disk/by-uuid >> /etc/default/grub ``` and adjust two things in the file: -``` +```/etc/default/grub GRUB_ENABLE_CRYPTODISK=y ``` and add to `GRUB_CMDLINE_LINUX`: (can have multiple, space-separated arguments so don't delete anything if it's there, just add.) -``` +```/etc/default/grub GRUB_CMDLINE_LINUX="cryptdevice=UUID=device-UUID:cryptlvm" ``` and replace "device-UUID" with the uuid we got for `/dev/sda3` from the previous `ls` command. Of course remove all the trailing `ls` output. @@ -110,7 +110,8 @@ grub-mkconfig -o /boot/grub/grub.cfg ## LUKS2 support Now create an additional file in `/boot/grub/grub-pre.cfg` with the follwing content: -``` + +```/boot/grub/grub-pre.cfg set crypto_uuid=device-UUID cryptomount -u $crypto_uuid set root=lvm/vg-root @@ -121,25 +122,90 @@ normal and replace device-UUID with the same device-UUID as before, (again, a `ls -l /dev/disk/by-uuid >> /boot/grub/grub-pre.cfg` can help here to get the UUID for `/dev/sda3`) Now we can overwrite our previously generated grubx64.efi with a luks2 compatible one: -``` +```sh grub-mkimage -p /boot/grub -O x86_64-efi -c /boot/grub/grub-pre.cfg -o /tmp/grubx64.efi lvm luks2 part_gpt cryptodisk gcry_rijndael argon2 gcry_sha256 ext2 install -v /tmp/grubx64.efi /efi/EFI/GRUB/grubx64.efi ``` We should now be done. `exit`, `umount -R /mnt`, and `reboot` into GRUB to see whether everything worked. This still requires you to enter your passphrase twice but can be alleviated just as with the LUKS1 case: -https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#With_a_keyfile_embedded_in_the_initramfs +## Only enter the password once +Create a keyfile: +```sh +dd bs=512 count=4 if=/dev/random of=/crypto_keyfile.bin iflag=fullblock +chmod 600 /crypto_keyfile.bin +cryptsetup luksAddKey /dev/sda3 /crypto_keyfile.bin +``` +Add this to the initramfs: +```/etc/mkinitcpio.conf +FILES=("/crypto_keyfile.bin") +``` +And rebuld via +```sh +mkinitcpio -P +``` + +And add this file to the `GRUB_CMDLINE_LINUX` in `/etc/default/grub`: +```/etc/default/grub +GRUB_CMDLINE_LINE="... cryptkey=rootfs:/crypto_keyfile.bin" +``` +And again rebuild GRUB +```sh +grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB --recheck +grub-mkconfig -o /boot/grub/grub.cfg +grub-mkimage -p /boot/grub -O x86_64-efi -c /boot/grub/grub-pre.cfg -o /tmp/grubx64.efi lvm luks2 part_gpt cryptodisk gcry_rijndael argon2 gcry_sha256 ext2 +install -v /tmp/grubx64.efi /efi/EFI/GRUB/grubx64.efi +``` + +# Auto-decrypt additional encrypted hard-drives on bootup +You can decrypt additional hard-drives automatically. For this we will use `/etc/crypttab` as well as `/etc/fstab`. This requires systemd to work. + +Create your additional encrypted hard-drives if not already existant: +```sh +cryptsetup luksFormat /dev/sdX +cryptsetup open /dev/sdX YourDiskNameHere +mkfs.ext4 /dev/mapper/YourDiskNameHere +``` +If you do not wish to have to enter the additional password on boot-up you will have to create a keyfile like we did for our /dev/sda3 above. +Of course this will lessen security as any additional hard-drives can also be decrypted if `/dev/sda3` has been decrypted or cracked. + +Systemd can autodetec keys in `/etc/cryptsetup-keys.d` if they have the pattern `YourDiskNameHere.key`. Create this directory if not already present: +```sh +mkdir /etc/cryptsetup-keys.d +``` +Add an additional keyfile to your newly created encrypted hard-drive: +```sh +dd bs=512 count=4 if=/dev/random of=/etc/cryptsetup-keys.d/YourDiskNameHere.key iflag=fullblock +chmod 600 /etc/cryptsetup-keys.d/YourDiskNameHere.key +cryptsetup luksAddKey /dev/sdX /etc/cryptsetup-keys.d/YourDiskNameHere.key +``` + +Get the UUID of your new hard-drive via `ls -l /dev/disk/by-uuid` and edit `/etc/crypttab`: +```/etc/crypttab +YourDiskNameHere UUID=TheUUIDYouJustGot /etc/crypsetp-keys.d/YourDiskNameHere.key +``` +If you use `/etc/cryptsetup-keys.d` and name your keys `YourDiskNameHere.key` you could leave out the third column as this is automatically tested for. + +after a `systemctl daemon-reload` you should now be able to start a service called `systemd-cryptsetup@YourDiskNameHere`. +You can verify this via a `systemctl start systemd-cryptsetup@YourDiskNameHere`. +You should not require to enter a password now. + +If everything works we can now modify the `/etc/fstab` for the automatic mounting. This is done like any unencrypted hard-drive by appending: +```/etc/fstab +/dev/mapper/YourDiskNameHere /YourMountPoint ext4 defaults 0 2 +``` +Your encrypted drive should now automount on boot-up without an additional password-prompt. # NOT TESTED, assumed to be the same as the LUKS1 case ## Use swap for hibernations Add the `resume` hook in `/etc/mkinitcpio.conf`: -``` +```/etc/mkinitcpio.conf HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block encrypt lvm2 __resume__ filesystems fsck) ``` and rebuild via `mkinitcpio -P`. Then: add to the `GRUB_CMDLINE_LINUX` in `/etc/default/grub`: -``` +```/etc/default/grub GRUB_CMDLINE_LINUX="... resume=/dev/vg/swap" ``` and rebuild GRUB. @@ -150,31 +216,3 @@ grub-mkconfig -o /boot/grub/grub.cfg grub-mkimage -p /boot/grub -O x86_64-efi -c /boot/grub/grub-pre.cfg -o /tmp/grubx64.efi lvm luks2 part_gpt cryptodisk gcry_rijndael argon2 gcry_sha256 ext2 install -v /tmp/grubx64.efi /efi/EFI/GRUB/grubx64.efi ``` - -## Only enter the password once -Create a keyfile: -```sh -dd bs=512 count=4 if=/dev/random of=/crypto_keyfile.bin iflag=fullblock -chmod 600 /crypto_keyfile.bin -cryptsetup luksAddKey /dev/sda3 /crypto_keyfile.bin -``` -Add this to the initramfs: -``` -FILES=("/crypto_keyfile.bin") -``` -And rebuld via -```sh -mkinitcpio -P -``` - -And add this file to the `GRUB_CMDLINE_LINUX` in `/etc/default/grub`: -``` -GRUB_CMDLINE_LINE="... cryptkey=rootfs:/crypto_keyfile.bin" -``` -And again rebuild GRUB -```sh -grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB --recheck -grub-mkconfig -o /boot/grub/grub.cfg -grub-mkimage -p /boot/grub -O x86_64-efi -c /boot/grub/grub-pre.cfg -o /tmp/grubx64.efi lvm luks2 part_gpt cryptodisk gcry_rijndael argon2 gcry_sha256 ext2 -install -v /tmp/grubx64.efi /efi/EFI/GRUB/grubx64.efi -```