Installing Gentoo with full disk encryption

The purpose of this exercise - install Gentoo where all disk partitions are encrypted.




  1. Boot from a system rescue disk and partition the disk - use GPT partition table where the first partition is reserved, second is the boot, and the third one is for the rest of the data.



    Device Start End Sectors Size Type
    /dev/sda1 2048 32767 30720 15M BIOS boot
    /dev/sda2 32768 442367 409600 200M Linux filesystem
    /dev/sda3 442368 375093902 374651535 178.7G Linux filesystem


  2. Encrypt partitions number 2 and 3, and open them



    cryptsetup luksFormat /dev/sda2
    cryptsetup luksFormat /dev/sda3
    cryptsetup luksOpen /dev/sda2 crypt_boot
    cryptsetup luksOpen /dev/sda3 crypt_data


  3. Format the boot partition



    mkfs.btrfs /dev/mapper/crypt_boot


  4. Prepare LVM for the rest, and format the top level



    vgcreate vg0 /dev/mapper/crypt_data
    lvcreate -l 100%FREE -n data vg0
    mkfs.btrfs /dev/vg0/data


  5. Mount and set up any subvolumes



    mount /dev/vg0/data /mnt/gentoo
    btrfs subvol create /mnt/gentoo/@ /mnt/gentoo/@home
    umount /mnt/gentoo


  6. Now mount the chroot



    mount /dev/vg0/data -o subvol=@ /mnt/gentoo
    install -d -m 01000 /mnt/gentoo/home
    mount /dev/vg0/data -o subvol=@home /mnt/gentoo/home


  7. Install Gentoo as usual (unpack the stage)


  8. Add a file-based key so you can autodecrypt on boot



    mkdir /mnt/gentoo/etc/luks
    dd bs=2048 if=/dev/urandom count=1 of=/mnt/gentoo/etc/luks/data.key
    dd bs=2048 if=/dev/urandom count=1 of=/mnt/gentoo/etc/luks/boot.key
    cryptsetup luksAddKey /dev/sda2 /mnt/gentoo/etc/luks/boot.key
    cryptsetup luksAddKey /dev/sda3 /mnt/gentoo/etc/luks/data.key


  9. Fix the configuration files





  • /etc/fstab




  1. Enable crypto grub



    echo GRUB_ENABLE_CRYPTODISK=y >> /etc/default/grub


  2. Automount the crypto disks on boot:



    cat > /etc/dracut.conf.d/crypto.conf <<EOF
    install_items+=" /etc/luks/boot.key"
    install_items+=" /etc/luks/data.key"
    EOF
    dracut -f '' 4.4.1-generic


Comments

Post a Comment

Popular posts from this blog

LVM metadata corruption

I had the biggest PC related scare a couple of days ago. After I had two disks in my RAID5 fail in a very short amount of time and only pure luck saved my data I moved to RAID6 and I felt safer. That was, until two days ago I ran: # pvs -v pvs Scanning for physical volume names pvs Incorrect metadata area header checksum pvs Incorrect metadata area header checksum pvs WARNING: Volume Group vg0 is not consistent pvs Incorrect metadata area header checksum pvs Incorrect metadata area header checksum pvs PV VG Fmt Attr PSize PFree DevSize PV UUID pvs /dev/md2 vg0 lvm2 a- 1.80T 922.19G 1.80T Y9naEo-OKG6-0ZyX-qmZX-u3JP-uCPg-cE1hVX Ooops. Not looking good. # vgs -v vgs Finding all volume groups vgs Incorrect metadata area header checksum vgs Finding volume group "vg0" vgs Incorrect metadata area header checksum vgs Incorrect metadata area header checksum vgs VG Attr Ext #PV #LV #SN VSize VFree VG UUID vgs vg0 wz--n- 4.00M 1 15
Read more

Google webmaster tools refuse to verify a Wordpress blog

Google webmaster tools will not verify a site by the file upload method if it does not return a proper 404 code on missing pages. With Wordpress and permalinks enabled, everything is redirected to index.php, which does exist and unless the PHP code itself overrides the return code, the response would be 200. The solution is to simply edit headers.php in the theme and add the following to the beginning of the file: <?php if (is_404()) { header('HTTP/1.1 404 Not Found'); } ?>
Read more

Compiling rsync with -Os

I have been trying to figure out why rsync was Segfault-ing when trying to transfer several hundred gigabytes from the old server to the new one. It was working fine but I interrupted it a few times. And then, when I was down to 5-6 gigabytes it would transfer a file or two (small files at that) and just spit out a weird message, like rsync error: errors with program diagnostics or it would complain about a timeout (I am copying from an NFS volume, what timeout?), or simply receive a Segfault. In a desperate attempt to figure out at least when the problem was occurring I decided to rebuild it with debugging symbols enabled. env CFLAGS=-ggdb3 emerge -av rsync I then fired up gdb an ran the problematic commands gdb run -avPAH /remote/... /var/.... and it worked fine . Since I had -Os in my CFLAGS, I tried using -O2 instead and still, there were no problems. Lesson learned, -Os does break stuff. Update: Well, -O2 saved the day for a while but rsync again started segfaulting when I tri
Read more