mirror of
https://github.com/AlexBocken/mykb.git
synced 2024-11-24 12:12:18 +01:00
auto-mounting additional hard-drives added
This commit is contained in:
parent
9a1a652e44
commit
9726accb0e
116
docs/luks2.md
116
docs/luks2.md
@ -27,7 +27,7 @@ lvcreate -L 32G vg -n root
|
|||||||
lvcreate -l 100%FREE vg -n home
|
lvcreate -l 100%FREE vg -n home
|
||||||
```
|
```
|
||||||
and mkfs them:
|
and mkfs them:
|
||||||
```
|
```sh
|
||||||
mkfs.ext4 /dev/vg/root
|
mkfs.ext4 /dev/vg/root
|
||||||
mkfs.ext4 /dev/vg/home
|
mkfs.ext4 /dev/vg/home
|
||||||
mkswap /dev/vg/swap
|
mkswap /dev/vg/swap
|
||||||
@ -59,7 +59,7 @@ passwd
|
|||||||
|
|
||||||
## Edit /etc/mkinitcpio.conf to support encryption
|
## Edit /etc/mkinitcpio.conf to support encryption
|
||||||
In `/etc/mkinitcpio.conf` edit the HOOKS to include these highlighted ones as well:
|
In `/etc/mkinitcpio.conf` edit the HOOKS to include these highlighted ones as well:
|
||||||
```
|
```/etc/mkinitcpio.conf
|
||||||
HOOKS=(base __udev__ autodetect modconf kms keyboard keymap consolefont block __encrypt__ __lvm2__ filesystems fsck)
|
HOOKS=(base __udev__ autodetect modconf kms keyboard keymap consolefont block __encrypt__ __lvm2__ filesystems fsck)
|
||||||
```
|
```
|
||||||
and rebuild initramfs:
|
and rebuild initramfs:
|
||||||
@ -68,13 +68,13 @@ mkinitcpio -P
|
|||||||
```
|
```
|
||||||
|
|
||||||
## Create new user, download AUR helper, and install grub-improved-luks2-git
|
## Create new user, download AUR helper, and install grub-improved-luks2-git
|
||||||
```
|
```sh
|
||||||
useradd -m -G wheel alex
|
useradd -m -G wheel alex
|
||||||
passwd alex
|
passwd alex
|
||||||
```
|
```
|
||||||
Give him sudo permissions:
|
Give him sudo permissions:
|
||||||
in `/etc/sudoers` add:
|
in `/etc/sudoers` add:
|
||||||
```
|
```/etc/sudoers
|
||||||
%wheel ALL=(ALL) ALL
|
%wheel ALL=(ALL) ALL
|
||||||
```
|
```
|
||||||
Now install paru or equivalent AUR helper:
|
Now install paru or equivalent AUR helper:
|
||||||
@ -94,11 +94,11 @@ Get encrypted partition UUID into the /etc/default/grub via
|
|||||||
ls -l /dev/disk/by-uuid >> /etc/default/grub
|
ls -l /dev/disk/by-uuid >> /etc/default/grub
|
||||||
```
|
```
|
||||||
and adjust two things in the file:
|
and adjust two things in the file:
|
||||||
```
|
```/etc/default/grub
|
||||||
GRUB_ENABLE_CRYPTODISK=y
|
GRUB_ENABLE_CRYPTODISK=y
|
||||||
```
|
```
|
||||||
and add to `GRUB_CMDLINE_LINUX`: (can have multiple, space-separated arguments so don't delete anything if it's there, just add.)
|
and add to `GRUB_CMDLINE_LINUX`: (can have multiple, space-separated arguments so don't delete anything if it's there, just add.)
|
||||||
```
|
```/etc/default/grub
|
||||||
GRUB_CMDLINE_LINUX="cryptdevice=UUID=device-UUID:cryptlvm"
|
GRUB_CMDLINE_LINUX="cryptdevice=UUID=device-UUID:cryptlvm"
|
||||||
```
|
```
|
||||||
and replace "device-UUID" with the uuid we got for `/dev/sda3` from the previous `ls` command. Of course remove all the trailing `ls` output.
|
and replace "device-UUID" with the uuid we got for `/dev/sda3` from the previous `ls` command. Of course remove all the trailing `ls` output.
|
||||||
@ -110,7 +110,8 @@ grub-mkconfig -o /boot/grub/grub.cfg
|
|||||||
|
|
||||||
## LUKS2 support
|
## LUKS2 support
|
||||||
Now create an additional file in `/boot/grub/grub-pre.cfg` with the follwing content:
|
Now create an additional file in `/boot/grub/grub-pre.cfg` with the follwing content:
|
||||||
```
|
|
||||||
|
```/boot/grub/grub-pre.cfg
|
||||||
set crypto_uuid=device-UUID
|
set crypto_uuid=device-UUID
|
||||||
cryptomount -u $crypto_uuid
|
cryptomount -u $crypto_uuid
|
||||||
set root=lvm/vg-root
|
set root=lvm/vg-root
|
||||||
@ -121,25 +122,90 @@ normal
|
|||||||
and replace device-UUID with the same device-UUID as before, (again, a `ls -l /dev/disk/by-uuid >> /boot/grub/grub-pre.cfg` can help here to get the UUID for `/dev/sda3`)
|
and replace device-UUID with the same device-UUID as before, (again, a `ls -l /dev/disk/by-uuid >> /boot/grub/grub-pre.cfg` can help here to get the UUID for `/dev/sda3`)
|
||||||
|
|
||||||
Now we can overwrite our previously generated grubx64.efi with a luks2 compatible one:
|
Now we can overwrite our previously generated grubx64.efi with a luks2 compatible one:
|
||||||
```
|
```sh
|
||||||
grub-mkimage -p /boot/grub -O x86_64-efi -c /boot/grub/grub-pre.cfg -o /tmp/grubx64.efi lvm luks2 part_gpt cryptodisk gcry_rijndael argon2 gcry_sha256 ext2
|
grub-mkimage -p /boot/grub -O x86_64-efi -c /boot/grub/grub-pre.cfg -o /tmp/grubx64.efi lvm luks2 part_gpt cryptodisk gcry_rijndael argon2 gcry_sha256 ext2
|
||||||
install -v /tmp/grubx64.efi /efi/EFI/GRUB/grubx64.efi
|
install -v /tmp/grubx64.efi /efi/EFI/GRUB/grubx64.efi
|
||||||
```
|
```
|
||||||
We should now be done. `exit`, `umount -R /mnt`, and `reboot` into GRUB to see whether everything worked.
|
We should now be done. `exit`, `umount -R /mnt`, and `reboot` into GRUB to see whether everything worked.
|
||||||
This still requires you to enter your passphrase twice but can be alleviated just as with the LUKS1 case:
|
This still requires you to enter your passphrase twice but can be alleviated just as with the LUKS1 case:
|
||||||
https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#With_a_keyfile_embedded_in_the_initramfs
|
|
||||||
|
|
||||||
|
## Only enter the password once
|
||||||
|
Create a keyfile:
|
||||||
|
```sh
|
||||||
|
dd bs=512 count=4 if=/dev/random of=/crypto_keyfile.bin iflag=fullblock
|
||||||
|
chmod 600 /crypto_keyfile.bin
|
||||||
|
cryptsetup luksAddKey /dev/sda3 /crypto_keyfile.bin
|
||||||
|
```
|
||||||
|
Add this to the initramfs:
|
||||||
|
```/etc/mkinitcpio.conf
|
||||||
|
FILES=("/crypto_keyfile.bin")
|
||||||
|
```
|
||||||
|
And rebuld via
|
||||||
|
```sh
|
||||||
|
mkinitcpio -P
|
||||||
|
```
|
||||||
|
|
||||||
|
And add this file to the `GRUB_CMDLINE_LINUX` in `/etc/default/grub`:
|
||||||
|
```/etc/default/grub
|
||||||
|
GRUB_CMDLINE_LINE="... cryptkey=rootfs:/crypto_keyfile.bin"
|
||||||
|
```
|
||||||
|
And again rebuild GRUB
|
||||||
|
```sh
|
||||||
|
grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB --recheck
|
||||||
|
grub-mkconfig -o /boot/grub/grub.cfg
|
||||||
|
grub-mkimage -p /boot/grub -O x86_64-efi -c /boot/grub/grub-pre.cfg -o /tmp/grubx64.efi lvm luks2 part_gpt cryptodisk gcry_rijndael argon2 gcry_sha256 ext2
|
||||||
|
install -v /tmp/grubx64.efi /efi/EFI/GRUB/grubx64.efi
|
||||||
|
```
|
||||||
|
|
||||||
|
# Auto-decrypt additional encrypted hard-drives on bootup
|
||||||
|
You can decrypt additional hard-drives automatically. For this we will use `/etc/crypttab` as well as `/etc/fstab`. This requires systemd to work.
|
||||||
|
|
||||||
|
Create your additional encrypted hard-drives if not already existant:
|
||||||
|
```sh
|
||||||
|
cryptsetup luksFormat /dev/sdX
|
||||||
|
cryptsetup open /dev/sdX YourDiskNameHere
|
||||||
|
mkfs.ext4 /dev/mapper/YourDiskNameHere
|
||||||
|
```
|
||||||
|
If you do not wish to have to enter the additional password on boot-up you will have to create a keyfile like we did for our /dev/sda3 above.
|
||||||
|
Of course this will lessen security as any additional hard-drives can also be decrypted if `/dev/sda3` has been decrypted or cracked.
|
||||||
|
|
||||||
|
Systemd can autodetec keys in `/etc/cryptsetup-keys.d` if they have the pattern `YourDiskNameHere.key`. Create this directory if not already present:
|
||||||
|
```sh
|
||||||
|
mkdir /etc/cryptsetup-keys.d
|
||||||
|
```
|
||||||
|
Add an additional keyfile to your newly created encrypted hard-drive:
|
||||||
|
```sh
|
||||||
|
dd bs=512 count=4 if=/dev/random of=/etc/cryptsetup-keys.d/YourDiskNameHere.key iflag=fullblock
|
||||||
|
chmod 600 /etc/cryptsetup-keys.d/YourDiskNameHere.key
|
||||||
|
cryptsetup luksAddKey /dev/sdX /etc/cryptsetup-keys.d/YourDiskNameHere.key
|
||||||
|
```
|
||||||
|
|
||||||
|
Get the UUID of your new hard-drive via `ls -l /dev/disk/by-uuid` and edit `/etc/crypttab`:
|
||||||
|
```/etc/crypttab
|
||||||
|
YourDiskNameHere UUID=TheUUIDYouJustGot /etc/crypsetp-keys.d/YourDiskNameHere.key
|
||||||
|
```
|
||||||
|
If you use `/etc/cryptsetup-keys.d` and name your keys `YourDiskNameHere.key` you could leave out the third column as this is automatically tested for.
|
||||||
|
|
||||||
|
after a `systemctl daemon-reload` you should now be able to start a service called `systemd-cryptsetup@YourDiskNameHere`.
|
||||||
|
You can verify this via a `systemctl start systemd-cryptsetup@YourDiskNameHere`.
|
||||||
|
You should not require to enter a password now.
|
||||||
|
|
||||||
|
If everything works we can now modify the `/etc/fstab` for the automatic mounting. This is done like any unencrypted hard-drive by appending:
|
||||||
|
```/etc/fstab
|
||||||
|
/dev/mapper/YourDiskNameHere /YourMountPoint ext4 defaults 0 2
|
||||||
|
```
|
||||||
|
Your encrypted drive should now automount on boot-up without an additional password-prompt.
|
||||||
|
|
||||||
# NOT TESTED, assumed to be the same as the LUKS1 case
|
# NOT TESTED, assumed to be the same as the LUKS1 case
|
||||||
## Use swap for hibernations
|
## Use swap for hibernations
|
||||||
Add the `resume` hook in `/etc/mkinitcpio.conf`:
|
Add the `resume` hook in `/etc/mkinitcpio.conf`:
|
||||||
```
|
```/etc/mkinitcpio.conf
|
||||||
HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block encrypt lvm2 __resume__ filesystems fsck)
|
HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block encrypt lvm2 __resume__ filesystems fsck)
|
||||||
```
|
```
|
||||||
and rebuild via `mkinitcpio -P`.
|
and rebuild via `mkinitcpio -P`.
|
||||||
|
|
||||||
Then: add to the `GRUB_CMDLINE_LINUX` in `/etc/default/grub`:
|
Then: add to the `GRUB_CMDLINE_LINUX` in `/etc/default/grub`:
|
||||||
```
|
```/etc/default/grub
|
||||||
GRUB_CMDLINE_LINUX="... resume=/dev/vg/swap"
|
GRUB_CMDLINE_LINUX="... resume=/dev/vg/swap"
|
||||||
```
|
```
|
||||||
and rebuild GRUB.
|
and rebuild GRUB.
|
||||||
@ -150,31 +216,3 @@ grub-mkconfig -o /boot/grub/grub.cfg
|
|||||||
grub-mkimage -p /boot/grub -O x86_64-efi -c /boot/grub/grub-pre.cfg -o /tmp/grubx64.efi lvm luks2 part_gpt cryptodisk gcry_rijndael argon2 gcry_sha256 ext2
|
grub-mkimage -p /boot/grub -O x86_64-efi -c /boot/grub/grub-pre.cfg -o /tmp/grubx64.efi lvm luks2 part_gpt cryptodisk gcry_rijndael argon2 gcry_sha256 ext2
|
||||||
install -v /tmp/grubx64.efi /efi/EFI/GRUB/grubx64.efi
|
install -v /tmp/grubx64.efi /efi/EFI/GRUB/grubx64.efi
|
||||||
```
|
```
|
||||||
|
|
||||||
## Only enter the password once
|
|
||||||
Create a keyfile:
|
|
||||||
```sh
|
|
||||||
dd bs=512 count=4 if=/dev/random of=/crypto_keyfile.bin iflag=fullblock
|
|
||||||
chmod 600 /crypto_keyfile.bin
|
|
||||||
cryptsetup luksAddKey /dev/sda3 /crypto_keyfile.bin
|
|
||||||
```
|
|
||||||
Add this to the initramfs:
|
|
||||||
```
|
|
||||||
FILES=("/crypto_keyfile.bin")
|
|
||||||
```
|
|
||||||
And rebuld via
|
|
||||||
```sh
|
|
||||||
mkinitcpio -P
|
|
||||||
```
|
|
||||||
|
|
||||||
And add this file to the `GRUB_CMDLINE_LINUX` in `/etc/default/grub`:
|
|
||||||
```
|
|
||||||
GRUB_CMDLINE_LINE="... cryptkey=rootfs:/crypto_keyfile.bin"
|
|
||||||
```
|
|
||||||
And again rebuild GRUB
|
|
||||||
```sh
|
|
||||||
grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB --recheck
|
|
||||||
grub-mkconfig -o /boot/grub/grub.cfg
|
|
||||||
grub-mkimage -p /boot/grub -O x86_64-efi -c /boot/grub/grub-pre.cfg -o /tmp/grubx64.efi lvm luks2 part_gpt cryptodisk gcry_rijndael argon2 gcry_sha256 ext2
|
|
||||||
install -v /tmp/grubx64.efi /efi/EFI/GRUB/grubx64.efi
|
|
||||||
```
|
|
||||||
|
Loading…
Reference in New Issue
Block a user