scratch

scratch [2019/03/08 21:55] – [LUKS] adminscratch [2019/03/09 17:38] – [LUKS] admin
Line 168: Line 168:
 ====== LUKS ====== ====== LUKS ======
   https://wiki.archlinux.org/index.php/dm-crypt/Device_encryption   https://wiki.archlinux.org/index.php/dm-crypt/Device_encryption
 +  
   #################################   #################################
   ########## Preparation ##########   ########## Preparation ##########
Line 178: Line 178:
   ### Find the right partitions ###   ### Find the right partitions ###
   lsblk -o name,fstype,size   lsblk -o name,fstype,size
-   +  
   # nvme0n1                477G   # nvme0n1                477G
   # ├─nvme0n1p1 vfat       512M  <== boot   # ├─nvme0n1p1 vfat       512M  <== boot
   # ├─nvme0n1p2 ext4     437,4G  <== root   # ├─nvme0n1p2 ext4     437,4G  <== root
   # └─nvme0n1p3 swap      39,1G   # └─nvme0n1p3 swap      39,1G
-   +  
   # Set boot and root partition names according to above output!   # Set boot and root partition names according to above output!
   BOOTPART=/dev/nvme0n1p1   BOOTPART=/dev/nvme0n1p1
   ROOTPART=/dev/nvme0n1p2   ROOTPART=/dev/nvme0n1p2
-    +   
-  # Shrink root filesystem (NOT the partition) +  
-  BLKCNT=$(sudo tune2fs -l $ROOTPART | grep "Block count:" | awk '{print $3}'+
-  BLKCNT_SHRINK=$(($BLKCNT - 32768)) +
-  echo "Blockcount original: $BLKCNT, shrinked: $BLKCNT_SHRINK" +
-    +
-  sudo e2fsck -f $ROOTPART +
-  sudo resize2fs $ROOTPART $BLKCNT_SHRINK +
-   +
   ###############################   ###############################
   ########### Encrypt ###########   ########### Encrypt ###########
      
-  =============================================================================== +  # Shrink root filesystem (NOT the partition) 
-  AUsing luksipc+  sudo e2fsck -f $ROOTPART 
 +  sudo resize2fs -M $ROOTPART
      
-  # +  # Encrypt 
-  # Copy luksipc-master.zip to your home dir. If you have internet connection, +  sudo cryptsetup-reencrypt --type=luks2 --new --reduce-device-size 8M $ROOTPART   or --type=luks1
-  # you can directly download it (wget), else copy it manually. +
-  #+
        
-  # cd ~ 
-  # wget https://github.com/johndoe31415/luksipc/archive/master.zip 
-  # or: 
-  # wget https://confluence.opt01.net/download/attachments/5637570/luksipc-master.zip?version=1&modificationDate=1551682022444&api=v2 
-  # or copy manually: 
-  cp luksipc-master.zip ~ 
-  cd ~ 
-    
-  # If you have no unzip, uncompress it with the GUI 
-  unzip luksipc-master.zip 
-  cd luksipc-master 
-  make 
-  sudo ./luksipc -d $ROOTPART 
-   
-  # Add keyphrase (and remember it!) 
-  sudo cryptsetup luksAddKey $ROOTPART --key-file=/root/initial_keyfile.bin 
-  # Let’s check this worked (slot 0 and 1 are populated) 
-  sudo cryptsetup luksDump $ROOTPART 
-  # Let’s scrub the initial keyslot so the initial keyfile becomes useless 
-  sudo cryptsetup luksKillSlot $ROOTPART 0 
-  # And check again (slot 1 is empty now) 
-  sudo cryptsetup luksDump $ROOTPART 
-   
-  ===============================================================================  
-  # B) or using cryptsetup-reencrypt: 
-  sudo cryptsetup-reencrypt --type=luks2 -N --reduce-device-size 4MiB $ROOTPART   # or --type=luks1 
-   
-  ===============================================================================  
-   
   # resize the filesystem to its original size   # resize the filesystem to its original size
   sudo cryptsetup luksOpen $ROOTPART newcryptofs   sudo cryptsetup luksOpen $ROOTPART newcryptofs
   sudo resize2fs /dev/mapper/newcryptofs   sudo resize2fs /dev/mapper/newcryptofs
-    +   
-   +  
   ##########################################################   ##########################################################
   ### Make the system boot from the encrypted filesystem ###   ### Make the system boot from the encrypted filesystem ###
-   +  
   sudo mount /dev/mapper/newcryptofs /mnt   sudo mount /dev/mapper/newcryptofs /mnt
   sudo mount $BOOTPART /mnt/boot   sudo mount $BOOTPART /mnt/boot
-   +  
   # Edit /etc/mkinitcpio.conf   # Edit /etc/mkinitcpio.conf
   sudo nano /mnt/etc/mkinitcpio.conf   sudo nano /mnt/etc/mkinitcpio.conf
Line 253: Line 216:
   # set HOOKS to   # set HOOKS to
   HOOKS=(base systemd autodetect keyboard keymap sd-vconsole modconf block sd-encrypt filesystems fsck)   HOOKS=(base systemd autodetect keyboard keymap sd-vconsole modconf block sd-encrypt filesystems fsck)
-    +   
-    +  # Backup old config files and create new ones 
-  # Set the content of the file /boot/loader/loader.conf:+  for f in /mnt/boot/loader/entries/*.conf; do sudo mv $f $f.bak; done
   echo -e "default arch\ntimeout 5\nconsole-mode max\n" | sudo dd of=/mnt/boot/loader/loader.conf   echo -e "default arch\ntimeout 5\nconsole-mode max\n" | sudo dd of=/mnt/boot/loader/loader.conf
-  # and /boot/loader/entries/arch.conf: 
   echo -e "title Arch Linux\nlinux /vmlinuz-linux\ninitrd /intel-ucode.img\ninitrd \   echo -e "title Arch Linux\nlinux /vmlinuz-linux\ninitrd /intel-ucode.img\ninitrd \
   /initramfs-linux.img\noptions rd.luks.name=$(lsblk $ROOTPART -o UUID -n -d)=cryptroot \   /initramfs-linux.img\noptions rd.luks.name=$(lsblk $ROOTPART -o UUID -n -d)=cryptroot \
   root=/dev/mapper/cryptroot nvidia-drm.modeset=1" | sudo dd of=/mnt/boot/loader/entries/arch.conf   root=/dev/mapper/cryptroot nvidia-drm.modeset=1" | sudo dd of=/mnt/boot/loader/entries/arch.conf
-  # and /boot/loader/entries/arch-fallback.conf: 
   echo -e "title Arch Linux Fallback\nlinux /vmlinuz-linux\ninitrd /intel-ucode.img\ninitrd \   echo -e "title Arch Linux Fallback\nlinux /vmlinuz-linux\ninitrd /intel-ucode.img\ninitrd \
   /initramfs-linux-fallback.img\noptions rd.luks.name=$(lsblk $ROOTPART -o UUID -n -d)=cryptroot \   /initramfs-linux-fallback.img\noptions rd.luks.name=$(lsblk $ROOTPART -o UUID -n -d)=cryptroot \
   root=/dev/mapper/cryptroot" | sudo dd of=/mnt/boot/loader/entries/arch-fallback.conf   root=/dev/mapper/cryptroot" | sudo dd of=/mnt/boot/loader/entries/arch-fallback.conf
-    +  
-  # You might want to delete all entries in /mnt/boot/loader/entries/ except +
-  # arch.conf and arch-fallback.conf as they won't boot anymore anyway. +
-  ls /mnt/boot/loader/entries +
-    +
-   +
   sudo chroot /mnt   sudo chroot /mnt
   mount -t proc proc /proc   mount -t proc proc /proc
   mount -t sysfs sys /sys   mount -t sysfs sys /sys
   mount -t devtmpfs udev /dev   mount -t devtmpfs udev /dev
-   +  
   mkinitcpio -p linux   mkinitcpio -p linux
   exit  # leave chroot   exit  # leave chroot
-   +  
   # reboot   # reboot
   sudo reboot   sudo reboot
Line 284: Line 240:
  
  
-  Not sure if this works: 
   ===============================================================================    =============================================================================== 
-  # change luks1 to luks2 (or vice versa)+  # Convert luks1 to luks2 (or vice versa)
   sudo cryptsetup convert --type=luks2 $ROOTPART   sudo cryptsetup convert --type=luks2 $ROOTPART
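Review bot: The new Encrypt step runs `cryptsetup-reencrypt --new` on `$ROOTPART` in place with no stated precondition, and the tool's manual warns that a crash or power loss mid-run can lose the data. I would add a comment above `sudo e2fsck -f $ROOTPART`: `# Run from a live system with $ROOTPART unmounted and a verified backup; an interrupted run can destroy the filesystem`. `--reduce-device-size 8M` with `--type=luks2` should be checked against the installed cryptsetup's man page, since the recommended reserve depends on the default header size, which (as far as I know) is larger for LUKS2 in newer releases. As rendered here the trailing `or --type=luks1` has lost its `#`; if the page really reads that way the words are passed as arguments, so it should be `# or --type=luks1`. The `lsblk` listing also shows a swap partition that stays unencrypted, which is worth a one-line caveat because swapped-out memory can hold key material.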
      