scratch

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
scratch [2019/03/03 23:01] – [LUKS] adminscratch [2019/03/10 13:03] (current) – [LUKS] admin
Line 167: Line 167:
  
 ====== LUKS ====== ====== LUKS ======
-  See: +  https://wiki.archlinux.org/index.php/dm-crypt/Device_encryption
-  https://www.johannes-bauer.com/linux/luksipc/ +
-  https://johndoe31415.github.io/luksipc/ +
-  https://github.com/johndoe31415/luksipc+
      
-  # Find the right partition+  ################################# 
 +  ########## Preparation ########## 
 +  # - Boot a Linux from a USB stick or CD / DVD 
 +  # - Open a terminal 
 +    
 +    
 +  ################################# 
 +  ### Find the right partitions ###
   lsblk -o name,fstype,size   lsblk -o name,fstype,size
      
-  nvme0n1                477G +  nvme0n1                477G 
-  ├─nvme0n1p1 vfat       512M  <== boot +  ├─nvme0n1p1 vfat       512M  <== boot 
-  ├─nvme0n1p2 ext4     437,4G  <== root +  ├─nvme0n1p2 ext4     437,4G  <== root 
-  └─nvme0n1p3 swap      39,1G+  └─nvme0n1p3 swap      39,1G
      
   # Set boot and root partition names according to above output!   # Set boot and root partition names according to above output!
Line 184: Line 188:
   ROOTPART=/dev/nvme0n1p2   ROOTPART=/dev/nvme0n1p2
      
-  # Shrink root filesystem (NOT the partition) 
-  BLKCNT=$(sudo tune2fs -l $ROOTPART | grep "Block count:" | awk '{print $3}') 
-  BLKCNT_SHRINK=$(($BLKCNT - 32768)) 
-  echo "Blockcount original: $BLKCNT, shrinked: $BLKCNT_SHRINK" 
      
-  e2fsck -f $ROOTPART +  ############################### 
-  sudo resize2fs $ROOTPART $BLKCNT_SHRINK+  ########### Encrypt ###########
      
-  # Encrypt +  # Shrink root filesystem (NOT the partition) 
-  wget https://github.com/johndoe31415/luksipc/archive/master.zip +  sudo e2fsck -f $ROOTPART 
-  unzip master.zip +  sudo resize2fs -$ROOTPART
-  cd luksipc-master +
-  make +
-  sudo ./luksipc -$ROOTPART+
      
-  # Add keyphrase +  # Encrypt 
-  sudo cryptsetup luksAddKey $ROOTPART --key-file=/root/initial_keyfile.bin +  sudo cryptsetup-reencrypt --type=luks2 --new --reduce-device-size 4M $ROOTPART   or --type=luks1 
-  # Let’s check this worked (slot 0 and 1 are populated) +   
-  cryptsetup luksDump $ROOTPART +
-  Let’s scrub the initial keyslot so the initial keyfile becomes useless +
-  cryptsetup luksKillSlot $ROOTPART 0 +
-  # And check again (slot 1 is empty) +
-  cryptsetup luksDump $ROOTPART+
   # resize the filesystem to its original size   # resize the filesystem to its original size
   sudo cryptsetup luksOpen $ROOTPART newcryptofs   sudo cryptsetup luksOpen $ROOTPART newcryptofs
-  resize2fs /dev/mapper/newcryptofs+  sudo resize2fs /dev/mapper/newcryptofs
      
      
-  # Make the system boot from the encrypted filesystem+  ########################################################## 
 +  ### Make the system boot from the encrypted filesystem ### 
 +  
   sudo mount /dev/mapper/newcryptofs /mnt   sudo mount /dev/mapper/newcryptofs /mnt
   sudo mount $BOOTPART /mnt/boot   sudo mount $BOOTPART /mnt/boot
-     
      
   # Edit /etc/mkinitcpio.conf   # Edit /etc/mkinitcpio.conf
Line 221: Line 214:
   # change MODULES=() to   # change MODULES=() to
   MODULES=(nvidia_uvm nvidia_drm)   MODULES=(nvidia_uvm nvidia_drm)
-  # set HOOKS to +  # set HOOKS to
   HOOKS=(base systemd autodetect keyboard keymap sd-vconsole modconf block sd-encrypt filesystems fsck)   HOOKS=(base systemd autodetect keyboard keymap sd-vconsole modconf block sd-encrypt filesystems fsck)
      
-   +  # Backup old config files and create new ones 
-  # Set the content of the file /boot/loader/loader.conf:+  for f in /mnt/boot/loader/entries/*.conf; do sudo mv $f $f.bak; done
   echo -e "default arch\ntimeout 5\nconsole-mode max\n" | sudo dd of=/mnt/boot/loader/loader.conf   echo -e "default arch\ntimeout 5\nconsole-mode max\n" | sudo dd of=/mnt/boot/loader/loader.conf
-  # and /boot/loader/entries/arch.conf: +  echo -e "title Arch Linux\nlinux /vmlinuz-linux\ninitrd /intel-ucode.img\ninitrd \ 
-  echo -e "title Arch Linux\nlinux /vmlinuz-linux\ninitrd /intel-ucode.img\ninitrd /initramfs-linux.img\noptions rd.luks.name=$(lsblk $ROOTPART -o UUID -n -d)=cryptroot root=/dev/mapper/cryptroot nvidia-drm.modeset=1" | sudo dd of=/mnt/boot/loader/entries/arch.conf+  /initramfs-linux.img\noptions rd.luks.name=$(lsblk $ROOTPART -o UUID -n -d)=cryptroot \ 
 +  root=/dev/mapper/cryptroot nvidia-drm.modeset=1" | sudo dd of=/mnt/boot/loader/entries/arch.conf 
 +  echo -e "title Arch Linux Fallback\nlinux /vmlinuz-linux\ninitrd /intel-ucode.img\ninitrd 
 +  /initramfs-linux-fallback.img\noptions rd.luks.name=$(lsblk $ROOTPART -o UUID -n -d)=cryptroot 
 +  root=/dev/mapper/cryptroot" | sudo dd of=/mnt/boot/loader/entries/arch-fallback.conf
      
   sudo chroot /mnt   sudo chroot /mnt
Line 239: Line 236:
      
   # reboot   # reboot
 +  sudo reboot
  
 +
 +
 +  =============================================================================== 
 +  # Convert luks1 to luks2 (or vice versa)
 +  sudo cryptsetup convert --type=luks2 $ROOTPART
 +  
 +  =============================================================================== 
 +
 +  
  • scratch.1551650495.txt.gz
  • Last modified: 2019/03/03 23:01
  • by admin