scratch

Differences

scratch [2019/03/09 14:47] – [LUKS] adminscratch [2019/03/09 17:21] – [LUKS] admin
Line 168: Line 168:
 ====== LUKS ====== ====== LUKS ======
   https://wiki.archlinux.org/index.php/dm-crypt/Device_encryption   https://wiki.archlinux.org/index.php/dm-crypt/Device_encryption
 +  
   #################################   #################################
   ########## Preparation ##########   ########## Preparation ##########
Line 191: Line 191:
   ###############################   ###############################
   ########### Encrypt ###########   ########### Encrypt ###########
 +
   # Shrink root filesystem (NOT the partition)   # Shrink root filesystem (NOT the partition)
   sudo e2fsck -f $ROOTPART   sudo e2fsck -f $ROOTPART
   sudo resize2fs -M $ROOTPART   sudo resize2fs -M $ROOTPART
      
-  =============================================================================== +  # Encrypt 
-  # A) Using luksipc+  sudo cryptsetup-reencrypt --type=luks2 --new --reduce-device-size 8M $ROOTPART   or --type=luks1
        
-  # 
-  # Copy luksipc-master.zip to your home dir. If you have internet connection, 
-  # you can directly download it (wget), else copy it manually. 
-  # 
-   
-  # cd ~ 
-  # wget https://github.com/johndoe31415/luksipc/archive/master.zip 
-  # or: 
-  # wget https://confluence.opt01.net/download/attachments/5637570/luksipc-master.zip?version=1&modificationDate=1551682022444&api=v2 
-  # or copy manually: 
-  cp luksipc-master.zip ~ 
-  cd ~ 
-    
-  # If you have no unzip, uncompress it with the GUI 
-  unzip luksipc-master.zip 
-  cd luksipc-master 
-  make 
-  sudo ./luksipc -d $ROOTPART 
-   
-  # Add keyphrase (and remember it!) 
-  sudo cryptsetup luksAddKey $ROOTPART --key-file=/root/initial_keyfile.bin 
-  # Let’s check this worked (slot 0 and 1 are populated) 
-  sudo cryptsetup luksDump $ROOTPART 
-  # Let’s scrub the initial keyslot so the initial keyfile becomes useless 
-  sudo cryptsetup luksKillSlot $ROOTPART 0 
-  # And check again (slot 1 is empty now) 
-  sudo cryptsetup luksDump $ROOTPART 
-   
-  ===============================================================================  
-  # B) or using cryptsetup-reencrypt: 
-  sudo cryptsetup-reencrypt --type=luks2 -N --reduce-device-size 8M $ROOTPART   # or --type=luks1 
-   
-  ===============================================================================  
-   
   # resize the filesystem to its original size   # resize the filesystem to its original size
   sudo cryptsetup luksOpen $ROOTPART newcryptofs   sudo cryptsetup luksOpen $ROOTPART newcryptofs
   sudo resize2fs /dev/mapper/newcryptofs   sudo resize2fs /dev/mapper/newcryptofs
-    +   
-   +  
   ##########################################################   ##########################################################
   ### Make the system boot from the encrypted filesystem ###   ### Make the system boot from the encrypted filesystem ###
-   +  
   sudo mount /dev/mapper/newcryptofs /mnt   sudo mount /dev/mapper/newcryptofs /mnt
   sudo mount $BOOTPART /mnt/boot   sudo mount $BOOTPART /mnt/boot
-   +  
   # Edit /etc/mkinitcpio.conf   # Edit /etc/mkinitcpio.conf
   sudo nano /mnt/etc/mkinitcpio.conf   sudo nano /mnt/etc/mkinitcpio.conf
Line 249: Line 216:
   # set HOOKS to   # set HOOKS to
   HOOKS=(base systemd autodetect keyboard keymap sd-vconsole modconf block sd-encrypt filesystems fsck)   HOOKS=(base systemd autodetect keyboard keymap sd-vconsole modconf block sd-encrypt filesystems fsck)
-    +   
-    +  # Backup old config files 
-  # Set the content of the file /boot/loader/loader.conf:+  for f in /mnt/boot/loader/entries/*.conf; do sudo mv $f $f.bak; done 
 +   
 +  # Set the content of the file /boot/loader/loader.conf, arch.conf and arch-fallback.conf:
   echo -e "default arch\ntimeout 5\nconsole-mode max\n" | sudo dd of=/mnt/boot/loader/loader.conf   echo -e "default arch\ntimeout 5\nconsole-mode max\n" | sudo dd of=/mnt/boot/loader/loader.conf
-  # and /boot/loader/entries/arch.conf: 
   echo -e "title Arch Linux\nlinux /vmlinuz-linux\ninitrd /intel-ucode.img\ninitrd \   echo -e "title Arch Linux\nlinux /vmlinuz-linux\ninitrd /intel-ucode.img\ninitrd \
   /initramfs-linux.img\noptions rd.luks.name=$(lsblk $ROOTPART -o UUID -n -d)=cryptroot \   /initramfs-linux.img\noptions rd.luks.name=$(lsblk $ROOTPART -o UUID -n -d)=cryptroot \
   root=/dev/mapper/cryptroot nvidia-drm.modeset=1" | sudo dd of=/mnt/boot/loader/entries/arch.conf   root=/dev/mapper/cryptroot nvidia-drm.modeset=1" | sudo dd of=/mnt/boot/loader/entries/arch.conf
-  # and /boot/loader/entries/arch-fallback.conf: 
   echo -e "title Arch Linux Fallback\nlinux /vmlinuz-linux\ninitrd /intel-ucode.img\ninitrd \   echo -e "title Arch Linux Fallback\nlinux /vmlinuz-linux\ninitrd /intel-ucode.img\ninitrd \
   /initramfs-linux-fallback.img\noptions rd.luks.name=$(lsblk $ROOTPART -o UUID -n -d)=cryptroot \   /initramfs-linux-fallback.img\noptions rd.luks.name=$(lsblk $ROOTPART -o UUID -n -d)=cryptroot \
   root=/dev/mapper/cryptroot" | sudo dd of=/mnt/boot/loader/entries/arch-fallback.conf   root=/dev/mapper/cryptroot" | sudo dd of=/mnt/boot/loader/entries/arch-fallback.conf
-    +  
-  # You might want to delete all entries in /mnt/boot/loader/entries/ except +
-  # arch.conf and arch-fallback.conf as they won't boot anymore anyway. +
-  ls /mnt/boot/loader/entries +
-    +
-   +
   sudo chroot /mnt   sudo chroot /mnt
   mount -t proc proc /proc   mount -t proc proc /proc
   mount -t sysfs sys /sys   mount -t sysfs sys /sys
   mount -t devtmpfs udev /dev   mount -t devtmpfs udev /dev
-   +  
   mkinitcpio -p linux   mkinitcpio -p linux
   exit  # leave chroot   exit  # leave chroot
-   +  
   # reboot   # reboot
   sudo reboot   sudo reboot
Line 280: Line 242:
  
  
-  Not sure if this works: 
   ===============================================================================    =============================================================================== 
-  # change luks1 to luks2 (or vice versa)+  # Convert luks1 to luks2 (or vice versa)
   sudo cryptsetup convert --type=luks2 $ROOTPART   sudo cryptsetup convert --type=luks2 $ROOTPART
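Review bot: On the new `cryptsetup-reencrypt` line under "# Encrypt", the trailing `or --type=luks1` has lost the `#` that the removed variant-B line carried, so a copy-paste passes `or` and a second `--type` to a command that rewrites the root partition in place; restore it as `sudo cryptsetup-reencrypt --type=luks2 --new --reduce-device-size 8M "$ROOTPART"   # or --type=luks1`. The 8M reserve also looks small for a LUKS2 header (the default header is, as far as I know, 16 MiB), so confirm the value against the cryptsetup-reencrypt man page of the installed version before running it. The new backup loop expands `$f` unquoted and calls `mv` on the literal pattern when no entry matches; `for f in /mnt/boot/loader/entries/*.conf; do [ -e "$f" ] && sudo mv -- "$f" "$f.bak"; done` covers both cases. The "Not sure if this works" caveat was dropped from the `cryptsetup convert` step, so a preceding `sudo cryptsetup luksHeaderBackup "$ROOTPART" --header-backup-file <backup-path>` would keep that step recoverable if the conversion fails.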
      
  • scratch.txt
  • Last modified: 2019/03/10 13:03
  • by admin