scratch

Differences

scratch [2019/03/09 12:36] – [LUKS] adminscratch [2019/03/10 13:03] (current) – [LUKS] admin
Line 168: Line 168:
 ====== LUKS ====== ====== LUKS ======
   https://wiki.archlinux.org/index.php/dm-crypt/Device_encryption   https://wiki.archlinux.org/index.php/dm-crypt/Device_encryption
 +  
   #################################   #################################
   ########## Preparation ##########   ########## Preparation ##########
Line 178: Line 178:
   ### Find the right partitions ###   ### Find the right partitions ###
   lsblk -o name,fstype,size   lsblk -o name,fstype,size
-   +  
   # nvme0n1                477G   # nvme0n1                477G
   # ├─nvme0n1p1 vfat       512M  <== boot   # ├─nvme0n1p1 vfat       512M  <== boot
   # ├─nvme0n1p2 ext4     437,4G  <== root   # ├─nvme0n1p2 ext4     437,4G  <== root
   # └─nvme0n1p3 swap      39,1G   # └─nvme0n1p3 swap      39,1G
-   +  
   # Set boot and root partition names according to above output!   # Set boot and root partition names according to above output!
   BOOTPART=/dev/nvme0n1p1   BOOTPART=/dev/nvme0n1p1
   ROOTPART=/dev/nvme0n1p2   ROOTPART=/dev/nvme0n1p2
-    +   
-   +  
   ###############################   ###############################
   ########### Encrypt ###########   ########### Encrypt ###########
      
-  =============================================================================== 
-  # A) Using luksipc 
- 
   # Shrink root filesystem (NOT the partition)   # Shrink root filesystem (NOT the partition)
-  BLKCNT=$(sudo tune2fs -l $ROOTPART | grep "Block count:" | awk '{print $3}') 
-  BLKCNT_SHRINK=$(($BLKCNT - 32768)) 
-  echo "Blockcount original: $BLKCNT, shrinked: $BLKCNT_SHRINK" 
-    
   sudo e2fsck -f $ROOTPART   sudo e2fsck -f $ROOTPART
-  sudo resize2fs $ROOTPART $BLKCNT_SHRINK+  sudo resize2fs -M $ROOTPART
      
-  # +  # Encrypt 
-  # Copy luksipc-master.zip to your home dir. If you have internet connection, +  sudo cryptsetup-reencrypt --type=luks2 --new --reduce-device-size 4M $ROOTPART   or --type=luks1
-  # you can directly download it (wget), else copy it manually. +
-  #+
        
-  # cd ~ 
-  # wget https://github.com/johndoe31415/luksipc/archive/master.zip 
-  # or: 
-  # wget https://confluence.opt01.net/download/attachments/5637570/luksipc-master.zip?version=1&modificationDate=1551682022444&api=v2 
-  # or copy manually: 
-  cp luksipc-master.zip ~ 
-  cd ~ 
-    
-  # If you have no unzip, uncompress it with the GUI 
-  unzip luksipc-master.zip 
-  cd luksipc-master 
-  make 
-  sudo ./luksipc -d $ROOTPART 
-   
-  # Add keyphrase (and remember it!) 
-  sudo cryptsetup luksAddKey $ROOTPART --key-file=/root/initial_keyfile.bin 
-  # Let’s check this worked (slot 0 and 1 are populated) 
-  sudo cryptsetup luksDump $ROOTPART 
-  # Let’s scrub the initial keyslot so the initial keyfile becomes useless 
-  sudo cryptsetup luksKillSlot $ROOTPART 0 
-  # And check again (slot 1 is empty now) 
-  sudo cryptsetup luksDump $ROOTPART 
-   
-  ===============================================================================  
-  # B) or using cryptsetup-reencrypt: 
-  sudo cryptsetup-reencrypt --type=luks2 -N --reduce-device-size 4MiB $ROOTPART   # or --type=luks1 
-   
-  ===============================================================================  
-   
   # resize the filesystem to its original size   # resize the filesystem to its original size
   sudo cryptsetup luksOpen $ROOTPART newcryptofs   sudo cryptsetup luksOpen $ROOTPART newcryptofs
   sudo resize2fs /dev/mapper/newcryptofs   sudo resize2fs /dev/mapper/newcryptofs
-    +   
-   +  
   ##########################################################   ##########################################################
   ### Make the system boot from the encrypted filesystem ###   ### Make the system boot from the encrypted filesystem ###
-   +  
   sudo mount /dev/mapper/newcryptofs /mnt   sudo mount /dev/mapper/newcryptofs /mnt
   sudo mount $BOOTPART /mnt/boot   sudo mount $BOOTPART /mnt/boot
-   +  
   # Edit /etc/mkinitcpio.conf   # Edit /etc/mkinitcpio.conf
   sudo nano /mnt/etc/mkinitcpio.conf   sudo nano /mnt/etc/mkinitcpio.conf
Line 254: Line 216:
   # set HOOKS to   # set HOOKS to
   HOOKS=(base systemd autodetect keyboard keymap sd-vconsole modconf block sd-encrypt filesystems fsck)   HOOKS=(base systemd autodetect keyboard keymap sd-vconsole modconf block sd-encrypt filesystems fsck)
-    +   
-    +  # Backup old config files and create new ones 
-  # Set the content of the file /boot/loader/loader.conf:+  for f in /mnt/boot/loader/entries/*.conf; do sudo mv $f $f.bak; done
   echo -e "default arch\ntimeout 5\nconsole-mode max\n" | sudo dd of=/mnt/boot/loader/loader.conf   echo -e "default arch\ntimeout 5\nconsole-mode max\n" | sudo dd of=/mnt/boot/loader/loader.conf
-  # and /boot/loader/entries/arch.conf: 
   echo -e "title Arch Linux\nlinux /vmlinuz-linux\ninitrd /intel-ucode.img\ninitrd \   echo -e "title Arch Linux\nlinux /vmlinuz-linux\ninitrd /intel-ucode.img\ninitrd \
   /initramfs-linux.img\noptions rd.luks.name=$(lsblk $ROOTPART -o UUID -n -d)=cryptroot \   /initramfs-linux.img\noptions rd.luks.name=$(lsblk $ROOTPART -o UUID -n -d)=cryptroot \
   root=/dev/mapper/cryptroot nvidia-drm.modeset=1" | sudo dd of=/mnt/boot/loader/entries/arch.conf   root=/dev/mapper/cryptroot nvidia-drm.modeset=1" | sudo dd of=/mnt/boot/loader/entries/arch.conf
-  # and /boot/loader/entries/arch-fallback.conf: 
   echo -e "title Arch Linux Fallback\nlinux /vmlinuz-linux\ninitrd /intel-ucode.img\ninitrd \   echo -e "title Arch Linux Fallback\nlinux /vmlinuz-linux\ninitrd /intel-ucode.img\ninitrd \
   /initramfs-linux-fallback.img\noptions rd.luks.name=$(lsblk $ROOTPART -o UUID -n -d)=cryptroot \   /initramfs-linux-fallback.img\noptions rd.luks.name=$(lsblk $ROOTPART -o UUID -n -d)=cryptroot \
   root=/dev/mapper/cryptroot" | sudo dd of=/mnt/boot/loader/entries/arch-fallback.conf   root=/dev/mapper/cryptroot" | sudo dd of=/mnt/boot/loader/entries/arch-fallback.conf
-    +  
-  # You might want to delete all entries in /mnt/boot/loader/entries/ except +
-  # arch.conf and arch-fallback.conf as they won't boot anymore anyway. +
-  ls /mnt/boot/loader/entries +
-    +
-   +
   sudo chroot /mnt   sudo chroot /mnt
   mount -t proc proc /proc   mount -t proc proc /proc
   mount -t sysfs sys /sys   mount -t sysfs sys /sys
   mount -t devtmpfs udev /dev   mount -t devtmpfs udev /dev
-   +  
   mkinitcpio -p linux   mkinitcpio -p linux
   exit  # leave chroot   exit  # leave chroot
-   +  
   # reboot   # reboot
   sudo reboot   sudo reboot
Line 285: Line 240:
  
  
-  Not sure if this works: 
   ===============================================================================    =============================================================================== 
-  # change luks1 to luks2 (or vice versa)+  # Convert luks1 to luks2 (or vice versa)
   sudo cryptsetup convert --type=luks2 $ROOTPART   sudo cryptsetup convert --type=luks2 $ROOTPART
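Review bot: The new encrypt line ends in a bare `or --type=luks1`; the revision it replaces had that text behind a `#`, so as rendered a copy-paste hands `or` and a second `--type` to cryptsetup-reencrypt as arguments, on a command that rewrites the root partition in place. I would restore the comment marker: `sudo cryptsetup-reencrypt --type=luks2 --new --reduce-device-size 4M "$ROOTPART"   # or --type=luks1`. The step also deserves a line above it such as `# Back up the partition first: an interrupted in-place encryption can leave the data unrecoverable`, and it is worth confirming that 4M still covers the LUKS2 header size of the installed cryptsetup version, which the page does not show. In the new backup loop `$f` is unquoted; `sudo mv -- "$f" "$f.bak"` is safer on a boot partition where file names can contain spaces.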
      