scratch

scratch [2019/03/03 22:50] – [LUKS] adminscratch [2019/03/09 17:38] – [LUKS] admin
Line 167: Line 167:
  
 ====== LUKS ====== ====== LUKS ======
-  See: +  https://wiki.archlinux.org/index.php/dm-crypt/Device_encryption
-  https://www.johannes-bauer.com/linux/luksipc/ +
-  https://johndoe31415.github.io/luksipc/ +
-  https://github.com/johndoe31415/luksipc+
      
-  # Find the right partition+  ################################# 
 +  ########## Preparation ########## 
 +  # - Boot a Linux from a USB stick or CD / DVD 
 +  # - Open a terminal 
 +    
 +    
 +  ################################# 
 +  ### Find the right partitions ###
   lsblk -o name,fstype,size   lsblk -o name,fstype,size
      
-  nvme0n1                477G +  nvme0n1                477G 
-  ├─nvme0n1p1 vfat       512M  <== boot +  ├─nvme0n1p1 vfat       512M  <== boot 
-  ├─nvme0n1p2 ext4     437,4G  <== root +  ├─nvme0n1p2 ext4     437,4G  <== root 
-  └─nvme0n1p3 swap      39,1G+  └─nvme0n1p3 swap      39,1G
      
   # Set boot and root partition names according to above output!   # Set boot and root partition names according to above output!
Line 184: Line 188:
   ROOTPART=/dev/nvme0n1p2   ROOTPART=/dev/nvme0n1p2
      
-  # Shrink root filesystem (NOT the partition) 
-  BLKCNT=$(sudo tune2fs -l $ROOTPART | grep "Block count:" | awk '{print $3}') 
-  BLKCNT_SHRINK=$(expr $BLKCNT - 32768) 
-  echo "Blockcount original: $BLKCNT, shrinked: $BLKCNT_SHRINK" 
      
-  e2fsck -f $ROOTPART +  ############################### 
-  sudo resize2fs $ROOTPART $BLKCNT_SHRINK+  ########### Encrypt ###########
      
-  # Encrypt +  # Shrink root filesystem (NOT the partition) 
-  wget https://github.com/johndoe31415/luksipc/archive/master.zip +  sudo e2fsck -f $ROOTPART 
-  unzip master.zip +  sudo resize2fs -$ROOTPART
-  cd luksipc-master +
-  make +
-  sudo ./luksipc -$ROOTPART+
      
-  # Add keyphrase +  # Encrypt 
-  sudo cryptsetup luksAddKey $ROOTPART --key-file=/root/initial_keyfile.bin +  sudo cryptsetup-reencrypt --type=luks2 --new --reduce-device-size 8M $ROOTPART   or --type=luks1 
-  # Let’s check this worked (slot 0 and 1 are populated) +   
-  cryptsetup luksDump $ROOTPART +
-  Let’s scrub the initial keyslot so the initial keyfile becomes useless +
-  cryptsetup luksKillSlot $ROOTPART 0 +
-  # And check again (slot 1 is empty) +
-  cryptsetup luksDump $ROOTPART+
   # resize the filesystem to its original size   # resize the filesystem to its original size
   sudo cryptsetup luksOpen $ROOTPART newcryptofs   sudo cryptsetup luksOpen $ROOTPART newcryptofs
-  resize2fs /dev/mapper/newcryptofs+  sudo resize2fs /dev/mapper/newcryptofs
      
      
-  # Make the system boot from the encrypted filesystem+  ########################################################## 
 +  ### Make the system boot from the encrypted filesystem ### 
 +  
   sudo mount /dev/mapper/newcryptofs /mnt   sudo mount /dev/mapper/newcryptofs /mnt
   sudo mount $BOOTPART /mnt/boot   sudo mount $BOOTPART /mnt/boot
-     
      
   # Edit /etc/mkinitcpio.conf   # Edit /etc/mkinitcpio.conf
Line 221: Line 214:
   # change MODULES=() to   # change MODULES=() to
   MODULES=(nvidia_uvm nvidia_drm)   MODULES=(nvidia_uvm nvidia_drm)
-  # set HOOKS to +  # set HOOKS to
   HOOKS=(base systemd autodetect keyboard keymap sd-vconsole modconf block sd-encrypt filesystems fsck)   HOOKS=(base systemd autodetect keyboard keymap sd-vconsole modconf block sd-encrypt filesystems fsck)
      
-   +  # Backup old config files and create new ones 
-  # Set the content of the file /boot/loader/loader.conf to+  for f in /mnt/boot/loader/entries/*.conf; do sudo mv $f $f.bak; done
   echo -e "default arch\ntimeout 5\nconsole-mode max\n" | sudo dd of=/mnt/boot/loader/loader.conf   echo -e "default arch\ntimeout 5\nconsole-mode max\n" | sudo dd of=/mnt/boot/loader/loader.conf
-  echo -e "title Arch Linux\nlinux /vmlinuz-linux\ninitrd /intel-ucode.img\ninitrd /initramfs-linux.img\noptions rd.luks.name=$(lsblk $ROOTPART -o UUID -n -d)=cryptroot root=/dev/mapper/cryptroot nvidia-drm.modeset=1" | sudo dd of=/mnt/boot/loader/entries/arch.conf+  echo -e "title Arch Linux\nlinux /vmlinuz-linux\ninitrd /intel-ucode.img\ninitrd 
 +  /initramfs-linux.img\noptions rd.luks.name=$(lsblk $ROOTPART -o UUID -n -d)=cryptroot 
 +  root=/dev/mapper/cryptroot nvidia-drm.modeset=1" | sudo dd of=/mnt/boot/loader/entries/arch.conf 
 +  echo -e "title Arch Linux Fallback\nlinux /vmlinuz-linux\ninitrd /intel-ucode.img\ninitrd \ 
 +  /initramfs-linux-fallback.img\noptions rd.luks.name=$(lsblk $ROOTPART -o UUID -n -d)=cryptroot \ 
 +  root=/dev/mapper/cryptroot" | sudo dd of=/mnt/boot/loader/entries/arch-fallback.conf
      
   sudo chroot /mnt   sudo chroot /mnt
Line 238: Line 236:
      
   # reboot   # reboot
 +  sudo reboot
  
 +
 +
 +  =============================================================================== 
 +  # Convert luks1 to luks2 (or vice versa)
 +  sudo cryptsetup convert --type=luks2 $ROOTPART
 +  
 +  =============================================================================== 
 +
 +  
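Review bot: The procedure encrypts only `$ROOTPART`, so the 39,1G swap partition in the lsblk output (`nvme0n1p3`) stays in plaintext, and swapped-out memory or a hibernation image from the encrypted root can remain readable on disk. The Encrypt section should carry a line such as `# NOTE: nvme0n1p3 (swap) is still unencrypted - encrypt it via /etc/crypttab or disable it in /etc/fstab`. The in-place `cryptsetup-reencrypt --new` step is also not preceded by a backup step, although that tool is not resistant to a crash or power loss mid-run, so `# Back up all data on $ROOTPART before continuing` belongs ahead of "Shrink root filesystem". Separately, the new `arch.conf` echo is split over three lines without the trailing `\` that the fallback entry uses. This may be a wrapping artifact of the comparison view, but if it is in the page source the quoted string gains literal newlines inside the `initrd` and `options` lines, and the default entry would not unlock the root.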