scratch

Differences

This shows you the differences between two versions of the page.

scratch [2019/03/03 19:41] – [LUKS] adminscratch [2019/03/10 13:03] (current) – [LUKS] admin
Line 167: Line 167:
  
 ====== LUKS ====== ====== LUKS ======
-  See: +  https://wiki.archlinux.org/index.php/dm-crypt/Device_encryption
-  https://www.johannes-bauer.com/linux/luksipc/ +
-  https://johndoe31415.github.io/luksipc/ +
-  https://github.com/johndoe31415/luksipc+
      
-  # Find the right partition+  ################################# 
 +  ########## Preparation ########## 
 +  # - Boot a Linux from a USB stick or CD / DVD 
 +  # - Open a terminal 
 +    
 +    
 +  ################################# 
 +  ### Find the right partitions ###
   lsblk -o name,fstype,size   lsblk -o name,fstype,size
      
-  nvme0n1                477G +  nvme0n1                477G 
-  ├─nvme0n1p1 vfat       512M +  ├─nvme0n1p1 vfat       512M  <== boot 
-  ├─nvme0n1p2 ext4     437,4G  <== +  ├─nvme0n1p2 ext4     437,4G  <== root 
-  └─nvme0n1p3 swap      39,1G+  └─nvme0n1p3 swap      39,1G
      
-  # Shrink filesystem (NOT the partition) +  # Set boot and root partition names according to above output! 
-  tune2fs -l /dev/nvme0n1p2 +  BOOTPART=/dev/nvme0n1p1 
-  # Block count:              114655232  <== subtract 32768 (128 MB)+  ROOTPART=/dev/nvme0n1p2
      
-  e2fsck -f /dev/nvme0n1p2 
-  sudo resize2fs /dev/nvme0n1p2 114622464  # Block count - 32768 
      
-  # Encrypt +  ############################### 
-  wget https://github.com/johndoe31415/luksipc/archive/master.zip +  ########### Encrypt ###########
-  unzip master.zip +
-  cd luksipc-master +
-  make +
-  sudo ./luksipc -d /dev/nvme0n1p2+
      
-  # Add keyphrase +  # Shrink root filesystem (NOT the partition) 
-  sudo cryptsetup luksAddKey /dev/nvme0n1p2 --key-file=/root/initial_keyfile.bin +  sudo e2fsck -f $ROOTPART 
-  # Let’s check this worked (slot 0 and 1 are populated) +  sudo resize2fs -M $ROOTPART 
-  cryptsetup luksDump /dev/nvme0n1p2 +   
-  # Let’s scrub the initial keyslot so the initial keyfile becomes useless +  # Encrypt 
-  cryptsetup luksKillSlot /dev/nvme0n1p2 0 +  sudo cryptsetup-reencrypt --type=luks2 --new --reduce-device-size 4M $ROOTPART   or --type=luks1 
-  And check again (slot 1 is empty) +   
-  cryptsetup luksDump /dev/nvme0n1p2+
   # resize the filesystem to its original size   # resize the filesystem to its original size
-  sudo cryptsetup luksOpen /dev/nvme0n1p2 newcryptofs +  sudo cryptsetup luksOpen $ROOTPART newcryptofs 
-  resize2fs /dev/mapper/newcryptofs+  sudo resize2fs /dev/mapper/newcryptofs
      
      
-  # Make the system boot from the encrypted filesystem+  ########################################################## 
 +  ### Make the system boot from the encrypted filesystem ### 
 +  
   sudo mount /dev/mapper/newcryptofs /mnt   sudo mount /dev/mapper/newcryptofs /mnt
-  sudo mount /dev/nvme0n1p1 /mnt/boot           # nvme0n1p1 is the boot partiton +  sudo mount $BOOTPART /mnt/boot
-  +
      
   # Edit /etc/mkinitcpio.conf   # Edit /etc/mkinitcpio.conf
Line 216: Line 214:
   # change MODULES=() to   # change MODULES=() to
   MODULES=(nvidia_uvm nvidia_drm)   MODULES=(nvidia_uvm nvidia_drm)
-  # set HOOKS to +  # set HOOKS to
   HOOKS=(base systemd autodetect keyboard keymap sd-vconsole modconf block sd-encrypt filesystems fsck)   HOOKS=(base systemd autodetect keyboard keymap sd-vconsole modconf block sd-encrypt filesystems fsck)
      
-   +  # Backup old config files and create new ones 
-  sudo su +  for f in /mnt/boot/loader/entries/*.conf; do sudo mv $f $f.bak; done 
-  # Set the content of the file /boot/loader/loader.conf to +  echo -e "default arch\ntimeout 5\nconsole-mode max\n" | sudo dd of=/mnt/boot/loader/loader.conf 
-  echo -e "default arch\ntimeout 5\nconsole-mode max\n" /mnt/boot/loader/loader.conf +  echo -e "title Arch Linux\nlinux /vmlinuz-linux\ninitrd /intel-ucode.img\ninitrd 
-  echo -e "title Arch Linux\nlinux /vmlinuz-linux\ninitrd /intel-ucode.img\ninitrd /initramfs-linux.img\noptions rd.luks.name=$(lsblk /dev/nvme0n1p2 -o UUID -n -d)=cryptroot root=/dev/mapper/cryptroot nvidia-drm.modeset=1" /mnt/boot/loader/entries/arch.conf +  /initramfs-linux.img\noptions rd.luks.name=$(lsblk $ROOTPART -o UUID -n -d)=cryptroot 
-  exit+  root=/dev/mapper/cryptroot nvidia-drm.modeset=1" | sudo dd of=/mnt/boot/loader/entries/arch.conf 
 +  echo -e "title Arch Linux Fallback\nlinux /vmlinuz-linux\ninitrd /intel-ucode.img\ninitrd \ 
 +  /initramfs-linux-fallback.img\noptions rd.luks.name=$(lsblk $ROOTPART -o UUID -n -d)=cryptroot \ 
 +  root=/dev/mapper/cryptroot" | sudo dd of=/mnt/boot/loader/entries/arch-fallback.conf
      
   sudo chroot /mnt   sudo chroot /mnt
-   
   mount -t proc proc /proc   mount -t proc proc /proc
   mount -t sysfs sys /sys   mount -t sysfs sys /sys
Line 233: Line 233:
      
   mkinitcpio -p linux   mkinitcpio -p linux
-  # leave chroot +  exit  # leave chroot
-  exit+
      
   # reboot   # reboot
 +  sudo reboot
  
 +
 +
 +  =============================================================================== 
 +  # Convert luks1 to luks2 (or vice versa)
 +  sudo cryptsetup convert --type=luks2 $ROOTPART
 +  
 +  =============================================================================== 
 +
 +  
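Review bot: In the Encrypt step, `--reduce-device-size 4M` is combined with `--type=luks2`, but 4M is smaller than the 16 MiB default LUKS2 header of recent cryptsetup releases. The cryptsetup documentation recommends 32M for in-place LUKS2 encryption; with 4M the command presumably either fails or produces a reduced keyslot area, depending on the installed version. On the same line the trailing `or --type=luks1` is not a comment, so pasting the line passes `or` and a second `--type` to the command; I would write `sudo cryptsetup-reencrypt --type=luks2 --new --reduce-device-size 32M "$ROOTPART"  # or --type=luks1`. The procedure rewrites the root partition in place with no backup step, so a comment such as `# Back up $ROOTPART first: an interrupted in-place encryption may not be recoverable` belongs before `resize2fs -M`. `$ROOTPART`, `$BOOTPART` and `$f` in the `mv` loop are also unquoted throughout.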
  • scratch.txt
  • Last modified: 2019/03/10 13:03
  • by admin