Alexander/mykb
1
0
Fork 0
mirror of https://github.com/AlexBocken/mykb.git synced 2024-09-19 23:05:12 +02:00
Code Issues Packages Projects Releases Wiki Activity

remove references to sda3

Browse Source
This commit is contained in:
Alexander Bocken 2023-10-17 15:09:34 +02:00
parent e17201e8e9
commit d9e33fc1de
Signed by: Alexander
GPG Key ID: 1D237BE83F9B05E8
1 changed files with 7 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
docs/luks2.md
View File

@ -15,8 +15,8 @@ Note: for BIOS systems a dummy 1M parition would be also required. For UEFI this
## Create LVM
```sh
cryptsetup luksFormat /dev/sda3
cryptsetup open /dev/sda3 cryptlvm
cryptsetup luksFormat /dev/sda2
cryptsetup open /dev/sda2 cryptlvm
pvcreate /dev/mapper/cryptlvm
vgcreate vg /dev/mapper/crypylvm
```
@ -102,7 +102,7 @@ and add to `GRUB_CMDLINE_LINUX`: (can have multiple, space-separated arguments s
```/etc/default/grub
GRUB_CMDLINE_LINUX="cryptdevice=UUID=device-UUID:cryptlvm"
```
and replace "device-UUID" with the uuid we got for `/dev/sda3` from the previous `ls` command. Of course remove all the trailing `ls` output.
and replace "device-UUID" with the uuid we got for `/dev/sda2` from the previous `ls` command. Of course remove all the trailing `ls` output.
```sh
grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB --recheck
@ -120,7 +120,7 @@ set prefix=($root)/boot/grub
insmod normal
normal
```
and replace device-UUID with the same device-UUID as before, (again, a `ls -l /dev/disk/by-uuid >> /boot/grub/grub-pre.cfg` can help here to get the UUID for `/dev/sda3`)
and replace device-UUID with the same device-UUID as before, (again, a `ls -l /dev/disk/by-uuid >> /boot/grub/grub-pre.cfg` can help here to get the UUID for `/dev/sda2`)
Now we can overwrite our previously generated grubx64.efi with a luks2 compatible one:
```sh
@ -135,7 +135,7 @@ Create a keyfile:
```sh
dd bs=512 count=4 if=/dev/random of=/crypto_keyfile.bin iflag=fullblock
chmod 600 /crypto_keyfile.bin
cryptsetup luksAddKey /dev/sda3 /crypto_keyfile.bin
cryptsetup luksAddKey /dev/sda2 /crypto_keyfile.bin
```
Add this to the initramfs:
```/etc/mkinitcpio.conf
@ -167,8 +167,8 @@ cryptsetup luksFormat /dev/sdX
cryptsetup open /dev/sdX YourDiskNameHere
mkfs.ext4 /dev/mapper/YourDiskNameHere
```
If you do not wish to have to enter the additional password on boot-up you will have to create a keyfile like we did for our /dev/sda3 above.
Of course this will lessen security as any additional hard-drives can also be decrypted if `/dev/sda3` has been decrypted or cracked.
If you do not wish to have to enter the additional password on boot-up you will have to create a keyfile like we did for our /dev/sda2 above.
Of course this will lessen security as any additional hard-drives can also be decrypted if `/dev/sda2` has been decrypted or cracked.
Systemd can autodetec keys in `/etc/cryptsetup-keys.d` if they have the pattern `YourDiskNameHere.key`. Create this directory if not already present:
```sh