Installing Gentoo with full disk encryption

The purpose of this exercise - install Gentoo where all disk partitions are encrypted.




  1. Boot from a system rescue disk and partition the disk - use GPT partition table where the first partition is reserved, second is the boot, and the third one is for the rest of the data.



    Device Start End Sectors Size Type /dev/sda1 2048 32767 30720 15M BIOS boot /dev/sda2 32768 442367 409600 200M Linux filesystem /dev/sda3 442368 375093902 374651535 178.7G Linux filesystem


  2. Encrypt partitions number 2 and 3, and open them



    cryptsetup luksFormat /dev/sda2 cryptsetup luksFormat /dev/sda3 cryptsetup luksOpen /dev/sda2 crypt_boot cryptsetup luksOpen /dev/sda3 crypt_data


  3. Format the boot partition



    mkfs.btrfs /dev/mapper/crypt_boot


  4. Prepare LVM for the rest, and format the top level



    vgcreate vg0 /dev/mapper/crypt_data lvcreate -l 100%FREE -n data vg0 mkfs.btrfs /dev/vg0/data


  5. Mount and set up any subvolumes



    mount /dev/vg0/data /mnt/gentoo btrfs subvol create /mnt/gentoo/@ /mnt/gentoo/@home umount /mnt/gentoo


  6. Now mount the chroot



    mount /dev/vg0/data -o subvol=@ /mnt/gentoo install -d -m 01000 /mnt/gentoo/home mount /dev/vg0/data -o subvol=@home /mnt/gentoo/home


  7. Install Gentoo as usual (unpack the stage)


  8. Add a file-based key so you can autodecrypt on boot



    mkdir /mnt/gentoo/etc/luks dd bs=2048 if=/dev/urandom count=1 of=/mnt/gentoo/etc/luks/data.key dd bs=2048 if=/dev/urandom count=1 of=/mnt/gentoo/etc/luks/boot.key cryptsetup luksAddKey /dev/sda2 /mnt/gentoo/etc/luks/boot.key cryptsetup luksAddKey /dev/sda3 /mnt/gentoo/etc/luks/data.key


  9. Fix the configuration files





  • /etc/fstab




  1. Enable crypto grub



    echo GRUB_ENABLE_CRYPTODISK=y >> /etc/default/grub


  2. Automount the crypto disks on boot:



    cat > /etc/dracut.conf.d/crypto.conf <<EOF install_items+=" /etc/luks/boot.key" install_items+=" /etc/luks/data.key" EOF dracut -f '' 4.4.1-generic


Comments

Post a Comment

Popular posts from this blog

LVM metadata corruption

I had the biggest PC related scare a couple of days ago. After I had two disks in my RAID5 fail in a very short amount of time and only pure luck saved my data I moved to RAID6 and I felt safer. That was, until two days ago I ran: # pvs -v pvs Scanning for physical volume names pvs Incorrect metadata area header checksum pvs Incorrect metadata area header checksum pvs WARNING: Volume Group vg0 is not consistent pvs Incorrect metadata area header checksum pvs Incorrect metadata area header checksum pvs PV VG Fmt Attr PSize PFree DevSize PV UUID pvs /dev/md2 vg0 lvm2 a- 1.80T 922.19G 1.80T Y9naEo-OKG6-0ZyX-qmZX-u3JP-uCPg-cE1hVX Ooops. Not looking good. # vgs -v vgs Finding all volume groups vgs Incorrect metadata area header checksum vgs Finding volume group "vg0" vgs Incorrect metadata area header checksum vgs Incorrect metadata area header checksum vgs VG Attr Ext #PV #LV #SN VSize VFree VG UUID vgs vg0 wz--n- 4.00M 1 15
Read more

ADSL Router Model CT-5367 user and pass (VIVACOM)

Writing down the username and password for the vivacom ADSL router, in case I need it again. user: root pass: warmWLspot Useful to telnet 192.168.1.1 and then reboot . Originally found at Neo2SHYAlien blog . And here I found passwords for other models, just in case. ZTE ZXDSL 832 username: root password: GSrootaccess ZTE ZXDSL 831 username: root password: GSrootaccess ZTE username: root password: 831access Huawei SmartAX MT882 username: root password: MT882rootaccess ZTE ZXDSL-531b username: root password: rootWLaccess Pirelli – DRG – A124G username: root password: warmWLspot Comtrend CT-5367 username: root password: warmWLspot HG530 Home Gateway username: root password: warmWLspot
Read more
Removing replica (FreeIPA in containers) Running FreeIPA in containers, and a few notes on the replicas: replica=replica.domain sudo podman exec -it ipa-replica-manage del $replica sudo podman exec -it ipa-csreplica-manager del $replica sudo podman exec -it freeipa pki securitydomain-show sudo podman exec -it freeipa pki -d /etc/pki/pki-tomcat/alias/ -n 'subsystemCert cert-pki-ca' -C /etc/pki/pki-tomcat/alias/pwdfile.txt securitydomain-host-del "CA $replica 443"
Read more