scratch

Differences

scratch [2019/03/03 19:41] – [LUKS] adminscratch [2019/03/09 17:21] – [LUKS] admin
Line 167: Line 167:
  
 ====== LUKS ====== ====== LUKS ======
-  See: +  https://wiki.archlinux.org/index.php/dm-crypt/Device_encryption
-  https://www.johannes-bauer.com/linux/luksipc/ +
-  https://johndoe31415.github.io/luksipc/ +
-  https://github.com/johndoe31415/luksipc+
      
-  # Find the right partition+  ################################# 
 +  ########## Preparation ########## 
 +  # - Boot a Linux from a USB stick or CD / DVD 
 +  # - Open a terminal 
 +    
 +    
 +  ################################# 
 +  ### Find the right partitions ###
   lsblk -o name,fstype,size   lsblk -o name,fstype,size
      
-  nvme0n1                477G +  nvme0n1                477G 
-  ├─nvme0n1p1 vfat       512M +  ├─nvme0n1p1 vfat       512M  <== boot 
-  ├─nvme0n1p2 ext4     437,4G  <== +  ├─nvme0n1p2 ext4     437,4G  <== root 
-  └─nvme0n1p3 swap      39,1G+  └─nvme0n1p3 swap      39,1G
      
-  # Shrink filesystem (NOT the partition) +  # Set boot and root partition names according to above output! 
-  tune2fs -l /dev/nvme0n1p2 +  BOOTPART=/dev/nvme0n1p1 
-  # Block count:              114655232  <== subtract 32768 (128 MB)+  ROOTPART=/dev/nvme0n1p2
      
-  e2fsck -f /dev/nvme0n1p2 
-  sudo resize2fs /dev/nvme0n1p2 114622464  # Block count - 32768 
      
-  # Encrypt +  ############################### 
-  wget https://github.com/johndoe31415/luksipc/archive/master.zip +  ########### Encrypt ########### 
-  unzip master.zip + 
-  cd luksipc-master +  # Shrink root filesystem (NOT the partition) 
-  make +  sudo e2fsck -f $ROOTPART 
-  sudo ./luksipc -d /dev/nvme0n1p2+  sudo resize2fs -M $ROOTPART
      
-  # Add keyphrase +  # Encrypt 
-  sudo cryptsetup luksAddKey /dev/nvme0n1p2 --key-file=/root/initial_keyfile.bin +  sudo cryptsetup-reencrypt --type=luks2 --new --reduce-device-size 8M $ROOTPART   or --type=luks1 
-  Let’s check this worked (slot 0 and 1 are populated) +   
-  cryptsetup luksDump /dev/nvme0n1p2 +
-  # Let’s scrub the initial keyslot so the initial keyfile becomes useless +
-  cryptsetup luksKillSlot /dev/nvme0n1p2 0 +
-  # And check again (slot 1 is empty) +
-  cryptsetup luksDump /dev/nvme0n1p2+
   # resize the filesystem to its original size   # resize the filesystem to its original size
-  sudo cryptsetup luksOpen /dev/nvme0n1p2 newcryptofs +  sudo cryptsetup luksOpen $ROOTPART newcryptofs 
-  resize2fs /dev/mapper/newcryptofs+  sudo resize2fs /dev/mapper/newcryptofs
      
      
-  # Make the system boot from the encrypted filesystem+  ########################################################## 
 +  ### Make the system boot from the encrypted filesystem ### 
 +  
   sudo mount /dev/mapper/newcryptofs /mnt   sudo mount /dev/mapper/newcryptofs /mnt
-  sudo mount /dev/nvme0n1p1 /mnt/boot           # nvme0n1p1 is the boot partiton +  sudo mount $BOOTPART /mnt/boot
-  +
      
   # Edit /etc/mkinitcpio.conf   # Edit /etc/mkinitcpio.conf
Line 216: Line 214:
   # change MODULES=() to   # change MODULES=() to
   MODULES=(nvidia_uvm nvidia_drm)   MODULES=(nvidia_uvm nvidia_drm)
-  # set HOOKS to +  # set HOOKS to
   HOOKS=(base systemd autodetect keyboard keymap sd-vconsole modconf block sd-encrypt filesystems fsck)   HOOKS=(base systemd autodetect keyboard keymap sd-vconsole modconf block sd-encrypt filesystems fsck)
      
 +  # Backup old config files
 +  for f in /mnt/boot/loader/entries/*.conf; do sudo mv $f $f.bak; done
      
-  sudo su +  # Set the content of the file /boot/loader/loader.conf, arch.conf and arch-fallback.conf: 
-  # Set the content of the file /boot/loader/loader.conf to +  echo -e "default arch\ntimeout 5\nconsole-mode max\n" | sudo dd of=/mnt/boot/loader/loader.conf 
-  echo -e "default arch\ntimeout 5\nconsole-mode max\n" /mnt/boot/loader/loader.conf +  echo -e "title Arch Linux\nlinux /vmlinuz-linux\ninitrd /intel-ucode.img\ninitrd 
-  echo -e "title Arch Linux\nlinux /vmlinuz-linux\ninitrd /intel-ucode.img\ninitrd /initramfs-linux.img\noptions rd.luks.name=$(lsblk /dev/nvme0n1p2 -o UUID -n -d)=cryptroot root=/dev/mapper/cryptroot nvidia-drm.modeset=1" /mnt/boot/loader/entries/arch.conf +  /initramfs-linux.img\noptions rd.luks.name=$(lsblk $ROOTPART -o UUID -n -d)=cryptroot 
-  exit+  root=/dev/mapper/cryptroot nvidia-drm.modeset=1" | sudo dd of=/mnt/boot/loader/entries/arch.conf 
 +  echo -e "title Arch Linux Fallback\nlinux /vmlinuz-linux\ninitrd /intel-ucode.img\ninitrd \ 
 +  /initramfs-linux-fallback.img\noptions rd.luks.name=$(lsblk $ROOTPART -o UUID -n -d)=cryptroot \ 
 +  root=/dev/mapper/cryptroot" | sudo dd of=/mnt/boot/loader/entries/arch-fallback.conf
      
   sudo chroot /mnt   sudo chroot /mnt
-   
   mount -t proc proc /proc   mount -t proc proc /proc
   mount -t sysfs sys /sys   mount -t sysfs sys /sys
Line 233: Line 235:
      
   mkinitcpio -p linux   mkinitcpio -p linux
-  # leave chroot +  exit  # leave chroot
-  exit+
      
   # reboot   # reboot
 +  sudo reboot
  
 +
 +
 +  =============================================================================== 
 +  # Convert luks1 to luks2 (or vice versa)
 +  sudo cryptsetup convert --type=luks2 $ROOTPART
 +  
 +  =============================================================================== 
 +
 +  
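Review bot: The new Encrypt section converts only `$ROOTPART`, so the 39,1G swap partition shown in the lsblk output (nvme0n1p3) stays plaintext, and pages from the encrypted root, possibly including key material, can still be written to disk unencrypted. I would add a step, or at least a comment after the `cryptsetup-reencrypt` line, such as `# NOTE: nvme0n1p3 (swap) is still unencrypted - encrypt it as well or disable swap`. The procedure is an in-place conversion but mentions neither a data backup beforehand nor a `cryptsetup luksHeaderBackup` afterwards; each deserves a line. Separately, `--reduce-device-size 8M` combined with `--type=luks2` looks small, since LUKS2 headers default to 16 MiB in current cryptsetup; check this against the man page of the version in use. Quoting the variables (`"$ROOTPART"`, `"$f"` in the backup loop) would also keep the commands safe for device or file names with unusual characters.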
  • scratch.txt
  • Last modified: 2019/03/10 13:03
  • by admin