Differences

This shows you the differences between two versions of the page.

--- scratch [2019/03/09 15:07] – [LUKS] admin
+++ scratch [2019/03/09 17:38] – [LUKS] admin
@@ Line 191: / Line 191: @@
   ###############################
   ########### Encrypt ###########
   # Shrink root filesystem (NOT the partition)
   sudo e2fsck -f $ROOTPART
   sudo resize2fs -M $ROOTPART
-  ===============================================================================
+  # Encrypt
-  # A) Using luksipc
-  #
-  # Copy luksipc-master.zip to your home dir. If you have internet connection,
-  # you can directly download it (wget), else copy it manually.
-  #
-  # cd ~
-  # wget https://github.com/johndoe31415/luksipc/archive/master.zip
-  # or:
-  # wget https://confluence.opt01.net/download/attachments/5637570/luksipc-master.zip?version=1&modificationDate=1551682022444&api=v2
-  # or copy manually:
-  cp luksipc-master.zip ~
-  cd ~
-  # If you have no unzip, uncompress it with the GUI
-  unzip luksipc-master.zip
-  cd luksipc-master
-  make
-  sudo ./luksipc -d $ROOTPART
-  # Add keyphrase (and remember it!)
-  sudo cryptsetup luksAddKey $ROOTPART --key-file=/root/initial_keyfile.bin
-  # Let’s check this worked (slot 0 and 1 are populated)
-  sudo cryptsetup luksDump $ROOTPART
-  # Let’s scrub the initial keyslot so the initial keyfile becomes useless
-  sudo cryptsetup luksKillSlot $ROOTPART 0
-  # And check again (slot 1 is empty now)
-  sudo cryptsetup luksDump $ROOTPART
-  ===============================================================================
-  # B) or using cryptsetup-reencrypt:
   sudo cryptsetup-reencrypt --type=luks2 --new --reduce-device-size 8M $ROOTPART   # or --type=luks1
-  ===============================================================================
   # resize the filesystem to its original size
   sudo cryptsetup luksOpen $ROOTPART newcryptofs
@@ Line 250: / Line 217: @@
   HOOKS=(base systemd autodetect keyboard keymap sd-vconsole modconf block sd-encrypt filesystems fsck)
+  # Backup old config files and create new ones
-  # Set the content of the file /boot/loader/loader.conf:
+  for f in /mnt/boot/loader/entries/*.conf; do sudo mv $f $f.bak; done
   echo -e "default arch\ntimeout 5\nconsole-mode max\n" | sudo dd of=/mnt/boot/loader/loader.conf
-  # and /boot/loader/entries/arch.conf:
   echo -e "title Arch Linux\nlinux /vmlinuz-linux\ninitrd /intel-ucode.img\ninitrd \
   /initramfs-linux.img\noptions rd.luks.name=$(lsblk $ROOTPART -o UUID -n -d)=cryptroot \
   root=/dev/mapper/cryptroot nvidia-drm.modeset=1" | sudo dd of=/mnt/boot/loader/entries/arch.conf
-  # and /boot/loader/entries/arch-fallback.conf:
   echo -e "title Arch Linux Fallback\nlinux /vmlinuz-linux\ninitrd /intel-ucode.img\ninitrd \
   /initramfs-linux-fallback.img\noptions rd.luks.name=$(lsblk $ROOTPART -o UUID -n -d)=cryptroot \
   root=/dev/mapper/cryptroot" | sudo dd of=/mnt/boot/loader/entries/arch-fallback.conf
-  # You might want to delete all entries in /mnt/boot/loader/entries/ except
-  # arch.conf and arch-fallback.conf as they won't boot anymore anyway.
-  ls /mnt/boot/loader/entries
   sudo chroot /mnt
@@ Line 281: / Line 241: @@
   ===============================================================================
-  # change luks1 to luks2 (or vice versa)
+  # Convert luks1 to luks2 (or vice versa)
   sudo cryptsetup convert --type=luks2 $ROOTPART