scratch

scratch [2019/03/03 20:17] – [LUKS] adminscratch [2019/03/09 15:07] – [LUKS] admin
Line 167: Line 167:
  
 ====== LUKS ====== ====== LUKS ======
-  See: +  https://wiki.archlinux.org/index.php/dm-crypt/Device_encryption
-  https://www.johannes-bauer.com/linux/luksipc/ +
-  https://johndoe31415.github.io/luksipc/ +
-  https://github.com/johndoe31415/luksipc+
      
-  # Find the right partition+  ################################# 
 +  ########## Preparation ########## 
 +  # - Boot a Linux from a USB stick or CD / DVD 
 +  # - Open a terminal 
 +    
 +    
 +  ################################# 
 +  ### Find the right partitions ###
   lsblk -o name,fstype,size   lsblk -o name,fstype,size
      
-  nvme0n1                477G +  nvme0n1                477G 
-  ├─nvme0n1p1 vfat       512M  <== boot +  ├─nvme0n1p1 vfat       512M  <== boot 
-  ├─nvme0n1p2 ext4     437,4G  <== root +  ├─nvme0n1p2 ext4     437,4G  <== root 
-  └─nvme0n1p3 swap      39,1G+  └─nvme0n1p3 swap      39,1G
      
-  # Set boot and root partition names, change to your setup!+  # Set boot and root partition names according to above output!
   BOOTPART=/dev/nvme0n1p1   BOOTPART=/dev/nvme0n1p1
   ROOTPART=/dev/nvme0n1p2   ROOTPART=/dev/nvme0n1p2
      
 +  
 +  ###############################
 +  ########### Encrypt ###########
   # Shrink root filesystem (NOT the partition)   # Shrink root filesystem (NOT the partition)
-  tune2fs -$ROOTPART +  sudo e2fsck -$ROOTPART 
-  # Block count:              114655232  <== subtract 32768 (128 MB)+  sudo resize2fs -M $ROOTPART 
 +   
 +  =============================================================================== 
 +  # A) Using luksipc 
 +   
 +  # 
 +  # Copy luksipc-master.zip to your home dir. If you have internet connection, 
 +  # you can directly download it (wget), else copy it manually. 
 +  #
      
-  e2fsck -f $ROOTPART +  # cd ~ 
-  sudo resize2fs $ROOTPART 114622464  # Block count 32768+  # wget https://github.com/johndoe31415/luksipc/archive/master.zip 
 +  # or: 
 +  # wget https://confluence.opt01.net/download/attachments/5637570/luksipc-master.zip?version=1&modificationDate=1551682022444&api=v2 
 +  # or copy manually: 
 +  cp luksipc-master.zip ~ 
 +  cd ~
      
-  # Encrypt +  # If you have no unzip, uncompress it with the GUI 
-  wget https://github.com/johndoe31415/luksipc/archive/master.zip +  unzip luksipc-master.zip
-  unzip master.zip+
   cd luksipc-master   cd luksipc-master
   make   make
   sudo ./luksipc -d $ROOTPART   sudo ./luksipc -d $ROOTPART
      
-  # Add keyphrase+  # Add keyphrase (and remember it!)
   sudo cryptsetup luksAddKey $ROOTPART --key-file=/root/initial_keyfile.bin   sudo cryptsetup luksAddKey $ROOTPART --key-file=/root/initial_keyfile.bin
   # Let’s check this worked (slot 0 and 1 are populated)   # Let’s check this worked (slot 0 and 1 are populated)
-  cryptsetup luksDump $ROOTPART+  sudo cryptsetup luksDump $ROOTPART
   # Let’s scrub the initial keyslot so the initial keyfile becomes useless   # Let’s scrub the initial keyslot so the initial keyfile becomes useless
-  cryptsetup luksKillSlot $ROOTPART 0 +  sudo cryptsetup luksKillSlot $ROOTPART 0 
-  # And check again (slot 1 is empty) +  # And check again (slot 1 is empty now
-  cryptsetup luksDump $ROOTPART+  sudo cryptsetup luksDump $ROOTPART 
 +   
 +  ===============================================================================  
 +  # B) or using cryptsetup-reencrypt: 
 +  sudo cryptsetup-reencrypt --type=luks2 --new --reduce-device-size 8M $ROOTPART   # or --type=luks1 
 +   
 +  ===============================================================================  
 +  
   # resize the filesystem to its original size   # resize the filesystem to its original size
   sudo cryptsetup luksOpen $ROOTPART newcryptofs   sudo cryptsetup luksOpen $ROOTPART newcryptofs
-  resize2fs /dev/mapper/newcryptofs+  sudo resize2fs /dev/mapper/newcryptofs
      
      
-  # Make the system boot from the encrypted filesystem+  ########################################################## 
 +  ### Make the system boot from the encrypted filesystem ### 
 +  
   sudo mount /dev/mapper/newcryptofs /mnt   sudo mount /dev/mapper/newcryptofs /mnt
   sudo mount $BOOTPART /mnt/boot   sudo mount $BOOTPART /mnt/boot
-     
      
   # Edit /etc/mkinitcpio.conf   # Edit /etc/mkinitcpio.conf
Line 220: Line 247:
   # change MODULES=() to   # change MODULES=() to
   MODULES=(nvidia_uvm nvidia_drm)   MODULES=(nvidia_uvm nvidia_drm)
-  # set HOOKS to +  # set HOOKS to
   HOOKS=(base systemd autodetect keyboard keymap sd-vconsole modconf block sd-encrypt filesystems fsck)   HOOKS=(base systemd autodetect keyboard keymap sd-vconsole modconf block sd-encrypt filesystems fsck)
      
      
-  sudo su +  # Set the content of the file /boot/loader/loader.conf: 
-  # Set the content of the file /boot/loader/loader.conf to +  echo -e "default arch\ntimeout 5\nconsole-mode max\n" | sudo dd of=/mnt/boot/loader/loader.conf 
-  echo -e "default arch\ntimeout 5\nconsole-mode max\n" /mnt/boot/loader/loader.conf +  # and /boot/loader/entries/arch.conf: 
-  echo -e "title Arch Linux\nlinux /vmlinuz-linux\ninitrd /intel-ucode.img\ninitrd /initramfs-linux.img\noptions rd.luks.name=$(lsblk $ROOTPART -o UUID -n -d)=cryptroot root=/dev/mapper/cryptroot nvidia-drm.modeset=1" /mnt/boot/loader/entries/arch.conf +  echo -e "title Arch Linux\nlinux /vmlinuz-linux\ninitrd /intel-ucode.img\ninitrd 
-  exit+  /initramfs-linux.img\noptions rd.luks.name=$(lsblk $ROOTPART -o UUID -n -d)=cryptroot 
 +  root=/dev/mapper/cryptroot nvidia-drm.modeset=1" | sudo dd of=/mnt/boot/loader/entries/arch.conf 
 +  # and /boot/loader/entries/arch-fallback.conf: 
 +  echo -e "title Arch Linux Fallback\nlinux /vmlinuz-linux\ninitrd /intel-ucode.img\ninitrd \ 
 +  /initramfs-linux-fallback.img\noptions rd.luks.name=$(lsblk $ROOTPART -o UUID -n -d)=cryptroot \ 
 +  root=/dev/mapper/cryptroot" | sudo dd of=/mnt/boot/loader/entries/arch-fallback.conf 
 +   
 +  # You might want to delete all entries in /mnt/boot/loader/entries/ except 
 +  # arch.conf and arch-fallback.conf as they won't boot anymore anyway. 
 +  ls /mnt/boot/loader/entries 
 +  
      
   sudo chroot /mnt   sudo chroot /mnt
Line 239: Line 276:
      
   # reboot   # reboot
 +  sudo reboot
  
 +
 +
 +  =============================================================================== 
 +  # change luks1 to luks2 (or vice versa)
 +  sudo cryptsetup convert --type=luks2 $ROOTPART
 +  
 +  =============================================================================== 
 +
 +  
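Review bot: In option A the luksipc archive is fetched from a moving `master` branch (or from an alternate mirror) and then built and run with `sudo ./luksipc -d $ROOTPART` without any integrity check, so whatever the download returned runs as root against the root partition. I would pin the download to a specific tag or commit and verify it before `make`, e.g. `echo "<EXPECTED_SHA256>  luksipc-master.zip" | sha256sum -c -`, with the digest recorded on this page from a trusted copy. The second `wget` URL also contains unquoted `&` characters, so once uncommented the shell would background the command and drop the remaining query parameters; wrap the URL in single quotes. Separately, the comment `# And check again (slot 1 is empty now` follows `luksKillSlot $ROOTPART 0`, so it presumably should say slot 0, and as rendered the new `arch.conf` `echo -e` breaks across lines without the trailing `\` that the `arch-fallback.conf` command uses, which would put literal newlines into the `options` line.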