System Encryption with LUKS
I'm trying to encrypt my /root partition, however I keep getting an odd error message and I can't seem to figure out why. I'll enter:
# cryptsetup -c aes-plain -y -s 256 luksFormat /dev/sda2
And I'll get a message telling me:
Command failed: Failed to setup dm-crypt key mapping.
Check kernel for support for the aes-plain cipher spec and verify that /dev/sda2 contains at least 258 sectors
Kernel version is 2.6.30. Anyone know how to fix this?
modprobe dm-mod
https://wiki.archlinux.org/index.php/Sy … nd_mapping
Similar Messages
System encryption using LUKS and GPG encrypted keys for arch linux
Update: As of 2012-03-28, arch changed from gnupg 1.4 to 2.x which uses pinentry for the password dialog. The "etwo" hook described here doesn't work with gnupg 2. Either use the openssl hook below or use a statically compiled version of gnupg 1.4.
Update: As of 2012-12-19, the mkinitcpio is not called during boot, unless the "install" file for the hook contains "add_runscript". This resulted in an unbootable system for me. Also, the method name was changed from install () to build ().
Update: 2013-01-13: Updated the hook files using the corrections by Deth.
Note: This guide is a bit dated now, in particular the arch installation might be different now. But essentially, the approach stays the same. Please also take a look at the posts further down, specifically the alternative hooks that use openssl.
I always wanted to set up a fully encrypted arch linux server that uses gpg encrypted keyfiles on an external usb stick and luks for root filesystem encryption. I already did it once in gentoo using this guide. For arch, I had to play a lot with initcpio hooks and after one day of experimentation, I finally got it working. I wrote a little guide for myself which I'm going to share here for anyone that might be interested. There might be better or easier ways, like I said this is just how I did it. I hope it might help someone else. Constructive feedback is always welcome.
Intro
Using arch linux mkinitcpio's encrypt hook, one can easily use encrypted root partitions with LUKS. It's also possible to use key files stored on an external drive, like an usb stick. However, if someone steals your usb stick, he can just copy the key and potentially access the system. I wanted to have a little extra security by additionally encrypting the key file with gpg using a symmetric cipher and a passphrase.
Since the encrypt hook doesn't support this scenario, I created a modified hook called "etwo" (silly name I know, it was the first thing that came to my mind). It will simply look if the key file has the extension .gpg and, if yes, use gpg to decrypt it, then pipe the result into cryptsetup.
Conventions
In this short guide, I use the following disk/partition names:
/dev/sda is the hard disk that will contain an encrypted swap (/dev/sda1), /var (/dev/sda2) and root (/dev/sda3) partition.
/dev/sdb is the usb stick that will contain the gpg encrypted luks keys, the kernel and grub. It will have one partition /dev/sdb1 formatted with ext2.
/dev/mapper/root, /dev/mapper/swap and /dev/mapper/var will be the encrypted devices.
Credits
Thanks to the authors of SECURITY_System_Encryption_DM-Crypt_with_LUKS (gentoo wiki), System Encryption with LUKS (arch wiki), mkinitcpio (arch wiki) and Early Userspace in Arch Linux (/dev/brain0 blog)!
Guide
1. Boot the arch live cd
I had to use a newer testing version, because the 2010.05 cd came with a broken gpg. You can download one here: http://releng.archlinux.org/isos/. I chose the “core“ version. Go ahead and boot the live cd, but don't start the setup yet.
2. Set keymap
Use km to set your keymap. This is important for non-qwerty keyboards to avoid surprises with passphrases...
3. Wipe your discs
ATTENTION: this will DELETE everything on /dev/sda and /dev/sdb forever! Do not blame me for any lost data!
Before encrypting the hard disc, it has to be completely wiped and overwritten with random data. I used shred for this. Others use badblocks or dd with /dev/urandom. Either way, this will take a long time, depending on the size of your disc. I also wiped my usb stick just to be sure.
shred -v /dev/sda
shred -v /dev/sdb
4. Partitioning
Fire up fdisk and create the following partitions:
/dev/sda1, type linux swap.
/dev/sda2: type linux
/dev/sda3: type linux
/dev/sdb1, type linux
Of course you can choose a different layout, this is just how I did it. Keep in mind that only the root filesystem will be decrypted by the initcpio. The rest will be decrypted during normal init boot using /etc/crypttab, the keys being somewhere on the root filesystem.
5. Format and mount the usb stick
Create an ext2 filesystem on /dev/sdb1:
mkfs.ext2 /dev/sdb1
mkdir /root/usb
mount /dev/sdb1 /root/usb
cd /root/usb # this will be our working directory for now.
Do not mount anything to /mnt, because the arch installer will use that directory later to mount the encrypted root filesystem.
6. Configure the network (if not already done automatically)
ifconfig eth0 192.168.0.2 netmask 255.255.255.0
route add default gw 192.168.0.1
echo "nameserver 192.168.0.1" >> /etc/resolv.conf
(this is just an example, your mileage may vary)
7. Install gnupg
pacman -Sy
pacman -S gnupg
Verify that gnupg works by launching gpg.
8. Create the keys
Just to be sure, make sure swap is off:
cat /proc/swaps
should return no entries.
Create gpg encrypted keys (remember, we're still in our working dir /root/usb):
dd if=/dev/urandom bs=512 count=4 | gpg -v --cipher-algo aes256 --digest-algo sha512 -c -a > root.gpg
dd if=/dev/urandom bs=512 count=4 | gpg -v --cipher-algo aes256 --digest-algo sha512 -c -a > var.gpg
Choose a strong password!!
Don't do this in two steps, e.g. don't do dd to a file and then gpg on that file. The key should never be stored in plain text on an unencrypted device, except if that device is wiped on system restart (ramfs)!
Note that the default cipher for gpg is cast5, I just chose to use a different one.
9. Create the encrypted devices with cryptsetup
Create encrypted swap:
cryptsetup -c aes-cbc-essiv:sha256 -s 256 -h whirlpool -d /dev/urandom create swap /dev/sda1
You should see /dev/mapper/swap now. Don't format nor turn it on for now. This will be done by the arch installer.
Important: From the Cryptsetup 1.1.2 Release notes:
Cryptsetup can accept passphrase on stdin (standard input). Handling of new line (\n) character is defined by input specification:
- if keyfile is specified as "-" (using --key-file=- or by positional argument in luksFormat and luksAddKey, like cat file | cryptsetup --key-file=- <action> ), input is processed as normal binary file and no new line is interpreted.
- if there is no key file specification (with default input from stdin pipe like echo passphrase | cryptsetup <action> ) input is processed as input from terminal, reading will stop after new line is detected.
If I understand this correctly, since the randomly generated key can contain a newline early on, piping the key into cryptsetup without specifying --key-file=- could result in a big part of the key being ignored by cryptsetup. Example: if the random key was "foo\nandsomemorebaratheendofthekey", piping it directly into cryptsetup without --key-file=- would result in cryptsetup using only "foo" as key, which would have big security implications. We should therefore ALWAYS pipe the key into cryptsetup using --key-file=-, which ignores newlines.
gpg -q -d root.gpg 2>/dev/null | cryptsetup -v --key-file=- -c aes-cbc-essiv:sha256 -s 256 -h whirlpool luksFormat /dev/sda3
gpg -q -d var.gpg 2>/dev/null | cryptsetup -v --key-file=- -c aes-cbc-essiv:sha256 -s 256 -h whirlpool luksFormat /dev/sda2
Check for any errors.
10. Open the luks devices
gpg -d root.gpg 2>/dev/null | cryptsetup -v --key-file=- luksOpen /dev/sda3 root
gpg -d var.gpg 2>/dev/null | cryptsetup -v --key-file=- luksOpen /dev/sda2 var
If you see /dev/mapper/root and /dev/mapper/var now, everything is ok.
11. Start the installer /arch/setup
Follow steps 1 to 3.
At step 4 (Prepare hard drive(s)), select "3 - Manually Configure block devices, filesystems and mountpoints". Choose /dev/sdb1 (the usb stick) as /boot, /dev/mapper/swap for swap, /dev/mapper/root for / and /dev/mapper/var for /var.
Format all drives (choose “yes” when asked “do you want to have this filesystem (re)created”) EXCEPT for /dev/sdb1, choose “no”. Choose the correct filesystem for /dev/sdb1, ext2 in my case. Use swap for /dev/mapper/swap. For the rest, I chose ext4.
Select DONE to start formatting.
At step 5 (Select packages), select grub as boot loader. Select the base group. Add mkinitcpio.
Start step 6 (Install packages).
Go to step 7 (Configure System).
Be sure to set the correct KEYMAP, LOCALE and TIMEZONE in /etc/rc.conf.
Edit /etc/fstab:
/dev/mapper/root / ext4 defaults 0 1
/dev/mapper/swap swap swap defaults 0 0
/dev/mapper/var /var ext4 defaults 0 1
# /dev/sdb1 /boot ext2 defaults 0 1
Configure the rest normally. When you're done, setup will launch mkinitcpio. We'll manually launch this again later.
Go to step 8 (install boot loader).
Be sure to change the kernel line in menu.lst:
kernel /vmlinuz26 root=/dev/mapper/root cryptdevice=/dev/sda3:root cryptkey=/dev/sdb1:ext2:/root.gpg
Don't forget the :root suffix in cryptdevice!
Also, my root line was set to (hd1,0). Had to change that to
root (hd0,0)
Install grub to /dev/sdb (the usb stick).
Now, we can exit the installer.
12. Install mkinitcpio with the etwo hook.
Create /mnt/lib/initcpio/hooks/etwo:
#!/usr/bin/ash

run_hook() {
    /sbin/modprobe -a -q dm-crypt >/dev/null 2>&1
    if [ -e "/sys/class/misc/device-mapper" ]; then
        if [ ! -e "/dev/mapper/control" ]; then
            /bin/mknod "/dev/mapper/control" c $(cat /sys/class/misc/device-mapper/dev | sed 's|:| |')
        fi
        [ "${quiet}" = "y" ] && CSQUIET=">/dev/null"

        # Get keyfile if specified
        ckeyfile="/crypto_keyfile"
        usegpg="n"
        if [ "x${cryptkey}" != "x" ]; then
            ckdev="$(echo "${cryptkey}" | cut -d: -f1)"
            ckarg1="$(echo "${cryptkey}" | cut -d: -f2)"
            ckarg2="$(echo "${cryptkey}" | cut -d: -f3)"
            if poll_device "${ckdev}" ${rootdelay}; then
                case ${ckarg1} in
                    *[!0-9]*)
                        # Use a file on the device
                        # ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path
                        # A ".gpg" extension switches the hook into gpg mode
                        if [ "${ckarg2#*.}" = "gpg" ]; then
                            ckeyfile="${ckeyfile}.gpg"
                            usegpg="y"
                        fi
                        mkdir /ckey
                        mount -r -t ${ckarg1} ${ckdev} /ckey
                        dd if=/ckey/${ckarg2} of=${ckeyfile} >/dev/null 2>&1
                        umount /ckey
                        ;;
                    *)
                        # Read raw data from the block device
                        # ckarg1 is numeric: ckarg1=offset, ckarg2=length
                        dd if=${ckdev} of=${ckeyfile} bs=1 skip=${ckarg1} count=${ckarg2} >/dev/null 2>&1
                        ;;
                esac
            fi
            [ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase."
        fi

        if [ -n "${cryptdevice}" ]; then
            DEPRECATED_CRYPT=0
            cryptdev="$(echo "${cryptdevice}" | cut -d: -f1)"
            cryptname="$(echo "${cryptdevice}" | cut -d: -f2)"
        else
            DEPRECATED_CRYPT=1
            cryptdev="${root}"
            cryptname="root"
        fi

        warn_deprecated() {
            echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated"
            echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead."
        }

        if poll_device "${cryptdev}" ${rootdelay}; then
            if /sbin/cryptsetup isLuks ${cryptdev} >/dev/null 2>&1; then
                [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
                dopassphrase=1
                # If keyfile exists, try to use that
                if [ -f ${ckeyfile} ]; then
                    if [ "${usegpg}" = "y" ]; then
                        # gpg tty fixup: gpg needs /dev/tty to prompt for the passphrase
                        if [ -e /dev/tty ]; then mv /dev/tty /dev/tty.backup; fi
                        cp -a /dev/console /dev/tty
                        # Retry until the decrypted key opens the volume
                        while [ ! -e /dev/mapper/${cryptname} ];
                        do
                            sleep 2
                            /usr/bin/gpg -d "${ckeyfile}" 2>/dev/null | cryptsetup --key-file=- luksOpen ${cryptdev} ${cryptname} ${CSQUIET}
                            dopassphrase=0
                        done
                        rm /dev/tty
                        if [ -e /dev/tty.backup ]; then mv /dev/tty.backup /dev/tty; fi
                    else
                        if eval /sbin/cryptsetup --key-file ${ckeyfile} luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; then
                            dopassphrase=0
                        else
                            echo "Invalid keyfile. Reverting to passphrase."
                        fi
                    fi
                fi
                # Ask for a passphrase
                if [ ${dopassphrase} -gt 0 ]; then
                    echo ""
                    echo "A password is required to access the ${cryptname} volume:"
                    # loop until we get a real password
                    while ! eval /sbin/cryptsetup luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; do
                        sleep 2;
                    done
                fi
                if [ -e "/dev/mapper/${cryptname}" ]; then
                    if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
                        export root="/dev/mapper/root"
                    fi
                else
                    err "Password succeeded, but ${cryptname} creation failed, aborting..."
                    exit 1
                fi
            elif [ -n "${crypto}" ]; then
                [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
                msg "Non-LUKS encrypted device found..."
                if [ $# -ne 5 ]; then
                    err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip"
                    err "Non-LUKS decryption not attempted..."
                    return 1
                fi
                exe="/sbin/cryptsetup create ${cryptname} ${cryptdev}"
                tmp=$(echo "${crypto}" | cut -d: -f1)
                [ -n "${tmp}" ] && exe="${exe} --hash \"${tmp}\""
                tmp=$(echo "${crypto}" | cut -d: -f2)
                [ -n "${tmp}" ] && exe="${exe} --cipher \"${tmp}\""
                tmp=$(echo "${crypto}" | cut -d: -f3)
                [ -n "${tmp}" ] && exe="${exe} --key-size \"${tmp}\""
                tmp=$(echo "${crypto}" | cut -d: -f4)
                [ -n "${tmp}" ] && exe="${exe} --offset \"${tmp}\""
                tmp=$(echo "${crypto}" | cut -d: -f5)
                [ -n "${tmp}" ] && exe="${exe} --skip \"${tmp}\""
                if [ -f ${ckeyfile} ]; then
                    exe="${exe} --key-file ${ckeyfile}"
                else
                    exe="${exe} --verify-passphrase"
                    echo ""
                    echo "A password is required to access the ${cryptname} volume:"
                fi
                eval "${exe} ${CSQUIET}"
                if [ $? -ne 0 ]; then
                    err "Non-LUKS device decryption failed. verify format: "
                    err "      crypto=hash:cipher:keysize:offset:skip"
                    exit 1
                fi
                if [ -e "/dev/mapper/${cryptname}" ]; then
                    if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
                        export root="/dev/mapper/root"
                    fi
                else
                    err "Password succeeded, but ${cryptname} creation failed, aborting..."
                    exit 1
                fi
            else
                err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume and the crypto= parameter was not specified."
            fi
        fi
        # Never leave the (encrypted or raw) key material in the initramfs
        rm -f ${ckeyfile}
    fi
}
Create /mnt/lib/initcpio/install/etwo:
#!/bin/bash

build() {
    local mod
    add_module dm-crypt
    if [[ $CRYPTO_MODULES ]]; then
        for mod in $CRYPTO_MODULES; do
            add_module "$mod"
        done
    else
        add_all_modules '/crypto/'
    fi

    add_dir "/dev/mapper"
    add_binary "cryptsetup"
    add_binary "dmsetup"
    add_binary "/usr/bin/gpg"

    add_file "/usr/lib/udev/rules.d/10-dm.rules"
    add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
    add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
    add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"

    # Without add_runscript the hook's run_hook() is never executed at boot
    add_runscript
}

help() {
    cat <<HELPEOF
This hook allows for an encrypted root device with support for gpg encrypted key files.
To use gpg, the key file must have the extension .gpg and you have to install gpg and add /usr/bin/gpg
to your BINARIES var in /etc/mkinitcpio.conf.
HELPEOF
}
Edit /mnt/etc/mkinitcpio.conf (only relevant sections displayed):
MODULES="ext2 ext4" # not sure if this is really necessary.
BINARIES="/usr/bin/gpg" # this could probably be done in install/etwo...
HOOKS="base udev usbinput keymap autodetect pata scsi sata usb etwo filesystems" # (usbinput is only needed if you have a usb keyboard)
Copy the initcpio stuff over to the live cd:
cp /mnt/lib/initcpio/hooks/etwo /lib/initcpio/hooks/
cp /mnt/lib/initcpio/install/etwo /lib/initcpio/install/
cp /mnt/etc/mkinitcpio.conf /etc/
Verify your LOCALE, KEYMAP and TIMEZONE in /etc/rc.conf!
Now reinstall the initcpio:
mkinitcpio -g /mnt/boot/kernel26.img
Make sure there were no errors and that all hooks were included.
13. Decrypt the "var" key to the encrypted root
mkdir /mnt/keys
chmod 500 /mnt/keys
gpg --output /mnt/keys/var -d /mnt/boot/var.gpg
chmod 400 /mnt/keys/var
14. Setup crypttab
Edit /mnt/etc/crypttab:
swap /dev/sda1 SWAP -c aes-cbc-essiv:sha256 -s 256 -h whirlpool
var /dev/sda2 /keys/var
15. Reboot
We're done, you may reboot. Make sure you select the usb stick as the boot device in your bios and hope for the best. If it didn't work, play with grub's settings or boot from the live cd, mount your encrypted devices and check all settings. You might also have less trouble by using UUIDs instead of device names. I chose device names to keep things as simple as possible, even though it's not the optimal way to do it.
Make backups of your data and your usb stick and do not forget your password(s)! Or you can say goodbye to your data forever...
Last edited by fabriceb (2013-01-15 22:36:23)

I'm trying to run my install script that is based on https://bbs.archlinux.org/viewtopic.php?id=129885
Decrypting the gpg key after grub works, but then "Device root already exists." appears every second.
Any idea?
#!/bin/bash
# This script is designed to be run in conjunction with a UEFI boot using Archboot intall media.
# prereqs:
# EFI "BIOS" set to boot *only* from EFI
# successful EFI boot of Archboot USB
# mount /dev/sdb1 /src
set -o nounset
#set -o errexit
# Host specific configuration
# this whole script needs to be customized, particularly disk partitions
# and configuration, but this section contains global variables that
# are used during the system configuration phase for convenience
HOSTNAME=daniel
USERNAME=user
# Globals
# We don't need to set these here but they are used repeatedly throughout
# so it makes sense to reuse them and allow an easy, one-time change if we
# need to alter values such as the install target mount point.
INSTALL_TARGET="/install"
HR="--------------------------------------------------------------------------------"
PACMAN="pacman --noconfirm --config /tmp/pacman.conf"
TARGET_PACMAN="pacman --noconfirm --config /tmp/pacman.conf -r ${INSTALL_TARGET}"
CHROOT_PACMAN="pacman --noconfirm --cachedir /var/cache/pacman/pkg --config /tmp/pacman.conf -r ${INSTALL_TARGET}"
FILE_URL="file:///packages/core-$(uname -m)/pkg"
FTP_URL='ftp://mirrors.kernel.org/archlinux/$repo/os/$arch'
HTTP_URL='http://mirrors.kernel.org/archlinux/$repo/os/$arch'
# Functions
# I've avoided using functions in this script as they aren't required and
# I think it's more of a learning tool if you see the step-by-step
# procedures even with minor duplications along the way, but I feel that
# these functions clarify the particular steps of setting values in config
# files.
SetValue () {
    # EXAMPLE: SetValue VARIABLENAME '\"Quoted Value\"' /file/path
    VALUENAME="$1" NEWVALUE="$2" FILEPATH="$3"
    sed -i "s+^#\?\(${VALUENAME}\)=.*$+\1=${NEWVALUE}+" "${FILEPATH}"
}

CommentOutValue () {
    VALUENAME="$1" FILEPATH="$2"
    sed -i "s/^\(${VALUENAME}.*\)$/#\1/" "${FILEPATH}"
}

UncommentValue () {
    VALUENAME="$1" FILEPATH="$2"
    sed -i "s/^#\(${VALUENAME}.*\)$/\1/" "${FILEPATH}"
}
# Initialize
# Warn the user about impending doom, set up the network on eth0, mount
# the squashfs images (Archboot does this normally, we're just filling in
# the gaps resulting from the fact that we're doing a simple scripted
# install). We also create a temporary pacman.conf that looks for packages
# locally first before sourcing them from the network. It would be better
# to do either *all* local or *all* network but we can't for two reasons.
# 1. The Archboot installation image might have an out of date kernel
# (currently the case) which results in problems when chrooting
# into the install mount point to modprobe efivars. So we use the
# package snapshot on the Archboot media to ensure our kernel is
# the same as the one we booted with.
# 2. Ideally we'd source all local then, but some critical items,
# notably grub2-efi variants, aren't yet on the Archboot media.
# Warn
timer=9
echo -e "\n\nMAC WARNING: This script is not designed for APPLE MAC installs and will potentially misconfigure boot to your existing OS X installation. STOP NOW IF YOU ARE ON A MAC.\n\n"
echo -n "GENERAL WARNING: This procedure will completely format /dev/sda. Please cancel with ctrl-c to cancel within $timer seconds..."
while [[ $timer -gt 0 ]]
do
sleep 1
let timer-=1
echo -en "$timer seconds..."
done
echo "STARTING"
# Get Network
echo -n "Waiting for network address.."
#dhclient eth0
dhcpcd -p eth0
echo -n "Network address acquired."
# Mount packages squashfs images
umount "/packages/core-$(uname -m)"
umount "/packages/core-any"
rm -rf "/packages/core-$(uname -m)"
rm -rf "/packages/core-any"
mkdir -p "/packages/core-$(uname -m)"
mkdir -p "/packages/core-any"
modprobe -q loop
modprobe -q squashfs
mount -o ro,loop -t squashfs "/src/packages/archboot_packages_$(uname -m).squashfs" "/packages/core-$(uname -m)"
mount -o ro,loop -t squashfs "/src/packages/archboot_packages_any.squashfs" "/packages/core-any"
# Create temporary pacman.conf file
cat << PACMANEOF > /tmp/pacman.conf
[options]
Architecture = auto
CacheDir = ${INSTALL_TARGET}/var/cache/pacman/pkg
CacheDir = /packages/core-$(uname -m)/pkg
CacheDir = /packages/core-any/pkg
[core]
Server = ${FILE_URL}
Server = ${FTP_URL}
Server = ${HTTP_URL}
[extra]
Server = ${FILE_URL}
Server = ${FTP_URL}
Server = ${HTTP_URL}
#Uncomment to enable pacman -Sy yaourt
[archlinuxfr]
Server = http://repo.archlinux.fr/\$arch
PACMANEOF
# Prepare pacman
[[ ! -d "${INSTALL_TARGET}/var/cache/pacman/pkg" ]] && mkdir -m 755 -p "${INSTALL_TARGET}/var/cache/pacman/pkg"
[[ ! -d "${INSTALL_TARGET}/var/lib/pacman" ]] && mkdir -m 755 -p "${INSTALL_TARGET}/var/lib/pacman"
${PACMAN} -Sy
${TARGET_PACMAN} -Sy
# Install prereqs from network (not on archboot media)
echo -e "\nInstalling prereqs...\n$HR"
#sed -i "s/^#S/S/" /etc/pacman.d/mirrorlist # Uncomment all Server lines
UncommentValue S /etc/pacman.d/mirrorlist # Uncomment all Server lines
${PACMAN} --noconfirm -Sy gptfdisk btrfs-progs-unstable libusb-compat gnupg
# Configure Host
# Here we create three partitions:
# 1. efi and /boot (one partition does double duty)
# 2. swap
# 3. our encrypted root
# Note that all of these are on a GUID partition table scheme. This proves
# to be quite clean and simple since we're not doing anything with MBR
# boot partitions and the like.
echo -e "format\n"
# shred -v /dev/sda
# disk prep
sgdisk -Z /dev/sda # zap all on disk
#sgdisk -Z /dev/mmcb1k0 # zap all on sdcard
sgdisk -a 2048 -o /dev/sda # new gpt disk 2048 alignment
#sgdisk -a 2048 -o /dev/mmcb1k0
# create partitions
sgdisk -n 1:0:+200M /dev/sda # partition 1 (UEFI BOOT), default start block, 200MB
sgdisk -n 2:0:+4G /dev/sda # partition 2 (SWAP), default start block, 4GB
sgdisk -n 3:0:0 /dev/sda # partition 3, (LUKS), default start, remaining space
#sgdisk -n 1:0:1800M /dev/mmcb1k0 # root.gpg
# set partition types
sgdisk -t 1:ef00 /dev/sda
sgdisk -t 2:8200 /dev/sda
sgdisk -t 3:8300 /dev/sda
#sgdisk -t 1:0700 /dev/mmcb1k0
# label partitions
sgdisk -c 1:"UEFI Boot" /dev/sda
sgdisk -c 2:"Swap" /dev/sda
sgdisk -c 3:"LUKS" /dev/sda
#sgdisk -c 1:"Key" /dev/mmcb1k0
echo -e "create gpg file\n"
# create gpg file
dd if=/dev/urandom bs=512 count=4 | gpg -v --cipher-algo aes256 --digest-algo sha512 -c -a > /root/root.gpg
echo -e "format LUKS on root\n"
# format LUKS on root
gpg -q -d /root/root.gpg 2>/dev/null | cryptsetup -v --key-file=- -c aes-xts-plain -s 512 --hash sha512 luksFormat /dev/sda3
echo -e "open LUKS on root\n"
gpg -d /root/root.gpg 2>/dev/null | cryptsetup -v --key-file=- luksOpen /dev/sda3 root
# NOTE: make sure to add dm_crypt and aes_i586 to MODULES in rc.conf
# NOTE2: actually this isn't required since we're mounting an encrypted root and grub2/initramfs handles this before we even get to rc.conf
# make filesystems
# following swap related commands not used now that we're encrypting our swap partition
#mkswap /dev/sda2
#swapon /dev/sda2
#mkfs.ext4 /dev/sda3 # this is where we'd create an unencrypted root partition, but we're using luks instead
echo -e "\nCreating Filesystems...\n$HR"
# make filesystems
mkfs.ext4 /dev/mapper/root
mkfs.vfat -F32 /dev/sda1
#mkfs.vfat -F32 /dev/mmcb1k0p1
echo -e "mount targets\n"
# mount target
#mount /dev/sda3 ${INSTALL_TARGET} # this is where we'd mount the unencrypted root partition
# the mount point must exist before mounting the decrypted root onto it
mkdir -p ${INSTALL_TARGET}
mount /dev/mapper/root ${INSTALL_TARGET}
# mkdir ${INSTALL_TARGET}/key
# mount -t vfat /dev/mmcb1k0p1 ${INSTALL_TARGET}/key
mkdir ${INSTALL_TARGET}/boot
mount -t vfat /dev/sda1 ${INSTALL_TARGET}/boot
# Install base, necessary utilities
mkdir -p ${INSTALL_TARGET}/var/lib/pacman
${TARGET_PACMAN} -Sy
${TARGET_PACMAN} -Su base
# curl could be installed later but we want it ready for rankmirrors
${TARGET_PACMAN} -S curl
${TARGET_PACMAN} -S libusb-compat gnupg
${TARGET_PACMAN} -R grub
rm -rf ${INSTALL_TARGET}/boot/grub
${TARGET_PACMAN} -S grub2-efi-x86_64
# Configure new system
SetValue HOSTNAME ${HOSTNAME} ${INSTALL_TARGET}/etc/rc.conf
sed -i "s/^\(127\.0\.0\.1.*\)$/\1 ${HOSTNAME}/" ${INSTALL_TARGET}/etc/hosts
SetValue CONSOLEFONT Lat2-Terminus16 ${INSTALL_TARGET}/etc/rc.conf
#following replaced due to netcfg
#SetValue interface eth0 ${INSTALL_TARGET}/etc/rc.conf
# write fstab
# You can use UUID's or whatever you want here, of course. This is just
# the simplest approach and as long as your drives aren't changing values
# randomly it should work fine.
cat > ${INSTALL_TARGET}/etc/fstab <<FSTAB_EOF
# /etc/fstab: static file system information
# <file system> <dir> <type> <options> <dump> <pass>
tmpfs /tmp tmpfs nodev,nosuid 0 0
/dev/sda1 /boot vfat defaults 0 0
/dev/mapper/cryptswap none swap defaults 0 0
/dev/mapper/root / ext4 defaults,noatime 0 1
FSTAB_EOF
# write etwo
mkdir -p /lib/initcpio/hooks/
mkdir -p /lib/initcpio/install/
cp /src/etwo_hooks /lib/initcpio/hooks/etwo
cp /src/etwo_install /lib/initcpio/install/etwo
mkdir -p ${INSTALL_TARGET}/lib/initcpio/hooks/
mkdir -p ${INSTALL_TARGET}/lib/initcpio/install/
cp /src/etwo_hooks ${INSTALL_TARGET}/lib/initcpio/hooks/etwo
cp /src/etwo_install ${INSTALL_TARGET}/lib/initcpio/install/etwo
# write crypttab
# encrypted swap (random passphrase on boot)
echo cryptswap /dev/sda2 SWAP "-c aes-xts-plain -h whirlpool -s 512" >> ${INSTALL_TARGET}/etc/crypttab
# copy configs we want to carry over to target from install environment
mv ${INSTALL_TARGET}/etc/resolv.conf ${INSTALL_TARGET}/etc/resolv.conf.orig
cp /etc/resolv.conf ${INSTALL_TARGET}/etc/resolv.conf
mkdir -p ${INSTALL_TARGET}/tmp
cp /tmp/pacman.conf ${INSTALL_TARGET}/tmp/pacman.conf
# mount proc, sys, dev in install root
mount -t proc proc ${INSTALL_TARGET}/proc
mount -t sysfs sys ${INSTALL_TARGET}/sys
mount -o bind /dev ${INSTALL_TARGET}/dev
echo -e "umount boot\n"
# we have to remount /boot from inside the chroot
umount ${INSTALL_TARGET}/boot
# Create install_efi script (to be run *after* chroot /install)
touch ${INSTALL_TARGET}/install_efi
chmod a+x ${INSTALL_TARGET}/install_efi
cat > ${INSTALL_TARGET}/install_efi <<EFI_EOF
# functions (these could be a library, but why overcomplicate things
SetValue () { VALUENAME="\$1" NEWVALUE="\$2" FILEPATH="\$3"; sed -i "s+^#\?\(\${VALUENAME}\)=.*\$+\1=\${NEWVALUE}+" "\${FILEPATH}"; }
CommentOutValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^\(\${VALUENAME}.*\)\$/#\1/" "\${FILEPATH}"; }
UncommentValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^#\(\${VALUENAME}.*\)\$/\1/" "\${FILEPATH}"; }
echo -e "mount boot\n"
# remount here or grub et al gets confused
mount -t vfat /dev/sda1 /boot
# mkinitcpio
# NOTE: intel_agp drm and i915 for intel graphics
SetValue MODULES '\\"dm_mod dm_crypt aes_x86_64 ext2 ext4 vfat intel_agp drm i915\\"' /etc/mkinitcpio.conf
SetValue HOOKS '\\"base udev pata scsi sata usb usbinput keymap consolefont etwo encrypt filesystems\\"' /etc/mkinitcpio.conf
SetValue BINARIES '\\"/usr/bin/gpg\\"' /etc/mkinitcpio.conf
mkinitcpio -p linux
# kernel modules for EFI install
modprobe efivars
modprobe dm-mod
# locale-gen
UncommentValue de_AT /etc/locale.gen
locale-gen
# install and configure grub2
# did this above
#${CHROOT_PACMAN} -Sy
#${CHROOT_PACMAN} -R grub
#rm -rf /boot/grub
#${CHROOT_PACMAN} -S grub2-efi-x86_64
# you can be surprisingly sloppy with the root value you give grub2 as a kernel option and
# even omit the cryptdevice altogether, though it will wag a finger at you for using
# a deprecated syntax, so we're using the correct form here
# NOTE: take out i915.modeset=1 unless you are on intel graphics
SetValue GRUB_CMDLINE_LINUX '\\"cryptdevice=/dev/sda3:root cryptkey=/dev/sda1:vfat:/root.gpg add_efi_memmap i915.i915_enable_rc6=1 i915.i915_enable_fbc=1 i915.lvds_downclock=1 pcie_aspm=force quiet\\"' /etc/default/grub
# set output to graphical
SetValue GRUB_TERMINAL_OUTPUT gfxterm /etc/default/grub
SetValue GRUB_GFXMODE 960x600x32,auto /etc/default/grub
SetValue GRUB_GFXPAYLOAD_LINUX keep /etc/default/grub # comment out this value if text only mode
# install the actual grub2. Note that despite our --boot-directory option we will still need to move
# the grub directory to /boot/grub during grub-mkconfig operations until grub2 gets patched (see below)
grub_efi_x86_64-install --bootloader-id=grub --no-floppy --recheck
# create our EFI boot entry
# bug in the HP bios firmware (F.08)
efibootmgr --create --gpt --disk /dev/sda --part 1 --write-signature --label "ARCH LINUX" --loader "\\\\grub\\\\grub.efi"
# copy font for grub2
cp /usr/share/grub/unicode.pf2 /boot/grub
# generate config file
grub-mkconfig -o /boot/grub/grub.cfg
exit
EFI_EOF
# Install EFI using script inside chroot
chroot ${INSTALL_TARGET} /install_efi
rm ${INSTALL_TARGET}/install_efi
# Post install steps
# anything you want to do post install. run the script automatically or
# manually
touch ${INSTALL_TARGET}/post_install
chmod a+x ${INSTALL_TARGET}/post_install
cat > ${INSTALL_TARGET}/post_install <<POST_EOF
set -o errexit
set -o nounset
# functions (these could be a library, but why overcomplicate things
SetValue () { VALUENAME="\$1" NEWVALUE="\$2" FILEPATH="\$3"; sed -i "s+^#\?\(\${VALUENAME}\)=.*\$+\1=\${NEWVALUE}+" "\${FILEPATH}"; }
CommentOutValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^\(\${VALUENAME}.*\)\$/#\1/" "\${FILEPATH}"; }
UncommentValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^#\(\${VALUENAME}.*\)\$/\1/" "\${FILEPATH}"; }
# root password
echo -e "${HR}\\nNew root user password\\n${HR}"
passwd
# add user
echo -e "${HR}\\nNew non-root user password (username:${USERNAME})\\n${HR}"
groupadd sudo
useradd -m -g users -G audio,lp,optical,storage,video,games,power,scanner,network,sudo,wheel -s /bin/bash ${USERNAME}
passwd ${USERNAME}
# mirror ranking
echo -e "${HR}\\nRanking Mirrors (this will take a while)\\n${HR}"
cp /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.orig
mv /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.all
sed -i "s/#S/S/" /etc/pacman.d/mirrorlist.all
rankmirrors -n 5 /etc/pacman.d/mirrorlist.all > /etc/pacman.d/mirrorlist
# temporary fix for locale.sh update conflict
mv /etc/profile.d/locale.sh /etc/profile.d/locale.sh.preupdate || true
# yaourt repo (add to target pacman, not tmp pacman.conf, for ongoing use)
echo -e "\\n[archlinuxfr]\\nServer = http://repo.archlinux.fr/\\\$arch" >> /etc/pacman.conf
echo -e "\\n[haskell]\\nServer = http://www.kiwilight.com/\\\$repo/\\\$arch" >> /etc/pacman.conf
# additional groups and utilities
pacman --noconfirm -Syu
pacman --noconfirm -S base-devel
pacman --noconfirm -S yaourt
# sudo
pacman --noconfirm -S sudo
cp /etc/sudoers /tmp/sudoers.edit
sed -i "s/#\s*\(%wheel\s*ALL=(ALL)\s*ALL.*$\)/\1/" /tmp/sudoers.edit
sed -i "s/#\s*\(%sudo\s*ALL=(ALL)\s*ALL.*$\)/\1/" /tmp/sudoers.edit
visudo -qcsf /tmp/sudoers.edit && cat /tmp/sudoers.edit > /etc/sudoers
# power
pacman --noconfirm -S acpi acpid acpitool cpufrequtils
yaourt --noconfirm -S powertop2
sed -i "/^DAEMONS/ s/)/ @acpid)/" /etc/rc.conf
sed -i "/^MODULES/ s/)/ acpi-cpufreq cpufreq_ondemand cpufreq_powersave coretemp)/" /etc/rc.conf
# following requires my acpi handler script
echo "/etc/acpi/handler.sh boot" > /etc/rc.local
# time
pacman --noconfirm -S ntp
sed -i "/^DAEMONS/ s/hwclock /!hwclock @ntpd /" /etc/rc.conf
# wireless (wpa supplicant should already be installed)
pacman --noconfirm -S iw wpa_supplicant rfkill
pacman --noconfirm -S netcfg wpa_actiond ifplugd
mv /etc/wpa_supplicant.conf /etc/wpa_supplicant.conf.orig
echo -e "ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=network\nupdate_config=1" > /etc/wpa_supplicant.conf
# make sure to copy /etc/network.d/examples/wireless-wpa-config to /etc/network.d/home and edit
sed -i "/^DAEMONS/ s/)/ @net-auto-wireless @net-auto-wired)/" /etc/rc.conf
sed -i "/^DAEMONS/ s/ network / /" /etc/rc.conf
echo -e "\nWIRELESS_INTERFACE=wlan0" >> /etc/rc.conf
echo -e "WIRED_INTERFACE=eth0" >> /etc/rc.conf
echo "options iwlagn led_mode=2" > /etc/modprobe.d/iwlagn.conf
# sound
pacman --noconfirm -S alsa-utils alsa-plugins
sed -i "/^DAEMONS/ s/)/ @alsa)/" /etc/rc.conf
mv /etc/asound.conf /etc/asound.conf.orig || true
#if alsamixer isn't working, try alsamixer -Dhw and speaker-test -Dhw -c 2
# video
pacman --noconfirm -S base-devel mesa mesa-demos
# x
#pacman --noconfirm -S xorg xorg-xinit xorg-utils xorg-server-utils xdotool xorg-xlsfonts
#yaourt --noconfirm -S xf86-input-wacom-git # NOT NEEDED? input-wacom-git
#TODO: cut down the install size
#pacman --noconfirm -S xorg-server xorg-xinit xorg-utils xorg-server-utils
# TODO: wacom
# environment/wm/etc.
#pacman --noconfirm -S xfce4 compiz ccsm
#pacman --noconfirm -S xcompmgr
#yaourt --noconfirm -S physlock unclutter
#pacman --noconfirm -S rxvt-unicode urxvt-url-select hsetroot
#pacman --noconfirm -S gtk2 #gtk3 # for taffybar?
#pacman --noconfirm -S ghc
# note: try installing alex and happy from cabal instead
#pacman --noconfirm -S haskell-platform haskell-hscolour
#yaourt --noconfirm -S xmonad-darcs xmonad-contrib-darcs xcompmgr
#yaourt --noconfirm -S xmobar-git
# TODO: edit xfce to use compiz
# TODO: xmonad, but deal with video tearing
# TODO: xmonad-darcs fails to install from AUR. haskell dependency hell.
# switching to cabal
# fonts
pacman --noconfirm -S terminus-font
yaourt --noconfirm -S webcore-fonts
yaourt --noconfirm -S fontforge libspiro
yaourt --noconfirm -S freetype2-git-infinality
# TODO: sed infinality and change to OSX or OSX2 mode
# and create the sym link from /etc/fonts/conf.avail to conf.d
# misc apps
#pacman --noconfirm -S htop openssh keychain bash-completion git vim
#pacman --noconfirm -S chromium flashplugin
#pacman --noconfirm -S scrot mypaint bc
#yaourt --noconfirm -S task-git stellarium googlecl
# TODO: argyll
POST_EOF
# Post install in chroot
#echo "chroot and run /post_install"
chroot /install /post_install
rm /install/post_install
# copy grub.efi file to the default HP EFI boot manager path
mkdir -p ${INSTALL_TARGET}/boot/EFI/Microsoft/BOOT/
mkdir -p ${INSTALL_TARGET}/boot/EFI/BOOT/
cp ${INSTALL_TARGET}/boot/grub/grub.efi ${INSTALL_TARGET}/boot/EFI/Microsoft/BOOT/bootmgfw.efi
cp ${INSTALL_TARGET}/boot/grub/grub.efi ${INSTALL_TARGET}/boot/EFI/BOOT/BOOTX64.EFI
cp /root/root.gpg ${INSTALL_TARGET}/boot/
# NOTES/TODO -
Two form factor authentication for encryption with luks?
Hello arch forum,
I plan to move to arch in 2 weeks but I am looking to do a two form factor authentication for a LUKS encrypted system.
Actually, I have read the whole page at https://wiki.archlinux.org/index.php/Dm-crypt_with_LUKS#Adding_Additional_Passphrases_or_Keyfiles_to_a_LUKS_Encrypted_Partition
But I don't understand if it's possible to do a passphrase + keyfile strategy, so that if either of the two conditions is not met, the partition is unreadable/stays encrypted.
A keyfile only strategy is useless in my plan, since I need to have my laptop secured even if someone has physical access to it.
The ideal would be to have the passphrase to enter at boot + keyfile on a USB key.
Sincerely
Sptnaz
Yeah I will try on a Vmware vm before ..
So after I read this > https://bbs.archlinux.org/viewtopic.php … 38#p943338
Tell me if I am wrong:
1/ The drive/os is encrypted with AES256-XTS512
2/ The "Keyfile" is GPG/OpenSSL encrypted, can be stored on external media
3/ After all the changes done like in the how-to, I will need to enter a passphrase (longer is better) FOR the KEYFILE, then the KEYFILE will be unlocked and the encrypted content of the OS too.
By the way, does ARCH need to put some data in the MBR of the drive? I am using a multi-boot system on a 940GB Crucial M5 ssd, with
1/ Windows 7 os for home
2/ Windows 7 os for work
3/ Penetration testing live CD of BT5
4/ > Encrypted OS (Arch)
I think it's more likely a clean-partitioning affair but tell me if I am wrong. -
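The scheme the poster is describing (a passphrase that unlocks a keyfile, and the keyfile that unlocks LUKS) in working shell, as an added example that is not code from this thread, the wiki, or the hook described at the top of the page. It uses the openssl variant of keyfile wrapping rather than gpg; the passphrase, key length, iteration count and the `$WORK` directory standing in for the USB stick are constructed assumptions. Only the wrap/unwrap step runs; `unlock_luks` is shown for completeness but needs a real LUKS device and root.

```shell
#!/bin/sh
# Added example, not code from the thread: "passphrase unlocks the keyfile,
# keyfile unlocks LUKS", with the keyfile wrapped by openssl symmetric
# encryption. Requires openssl >= 1.1.1 for -pbkdf2.

WORK=$(mktemp -d)   # stand-in for the USB stick / boot partition (assumption)

# hex: hex-encode stdin, used to compare key material without printing it raw.
hex() { od -An -v -tx1 | tr -d ' \n'; }

# gen_keyfile OUT: 512 random bytes, owner-read-only. In practice generate
# this in RAM (e.g. under /dev/shm) so the plaintext never hits a disk.
gen_keyfile() {
    head -c 512 /dev/urandom > "$1" && chmod 0400 "$1"
}

# wrap_keyfile PLAIN OUT PASSPHRASE: AES-256-CBC under a PBKDF2-derived key.
# The passphrase is passed on stdin rather than argv, so it never shows in ps.
wrap_keyfile() {
    printf '%s\n' "$3" |
        openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
            -pass stdin -in "$1" -out "$2" && chmod 0400 "$2"
}

# unwrap_keyfile WRAPPED PASSPHRASE: decrypted key on stdout; a wrong
# passphrase yields an error or garbage, never the original key.
unwrap_keyfile() {
    printf '%s\n' "$2" |
        openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
            -pass stdin -in "$1"
}

# unlock_luks WRAPPED PASSPHRASE DEVICE NAME: pipe the key straight into
# cryptsetup (--key-file=- reads stdin) so the plaintext is never written out.
# Not executed in this example: needs a LUKS device and root.
unlock_luks() {
    unwrap_keyfile "$1" "$2" | cryptsetup luksOpen --key-file=- "$3" "$4"
}

# Demonstration with a constructed passphrase.
PASS='correct horse battery staple'
gen_keyfile "$WORK/root.key"
wrap_keyfile "$WORK/root.key" "$WORK/root.key.enc" "$PASS"
if [ "$(unwrap_keyfile "$WORK/root.key.enc" "$PASS" | hex)" = "$(hex < "$WORK/root.key")" ]; then
    echo "round trip ok: $WORK/root.key.enc unwraps to the original key"
fi
```

Both factors are required: without the USB stick there is no wrapped keyfile, and without the passphrase the wrapped keyfile cannot be turned into the LUKS key. As the later answer in this thread says, keep a separate passphrase slot on the LUKS header as a fallback in case the stick is lost.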
Mounting external drive encrypted with Luks
Hello guys,
since I'm using Luks for my whole system I'd like to back it up on my external hard drive, which should be encrypted too.
So I used the following commands:
cryptsetup -c aes-xts-plain -s 512 luksFormat /dev/sdb
cryptsetup luksOpen /dev/sdb external
mkfs.ext4 /dev/mapper/external
I'm then able to mount it with
mount -t ext4 /dev/mapper/external /media/external
But I want to automate that, meaning my external drive should be mounted automatically by the system (I guess it's only possible via udev?) after it was plugged in, without any passphrase prompt and with complete user access, not just root.
How could I achieve that?
Thank you for your help.
2go drives are always bound to a user login when used with the "automatic unlock" option. That means they get unlocked when you log on. As the server service starts before logon, the device is not ready to be shared yet. Normal and expected.
You can only set up a scheduled task that restarts the server service after logon (trigger: "at logon"); that would work. -
System encryption :: Luks on lvm or Lvm on Luks?
Hello,
I was reading up about lvm and luks and decided I want to encrypt my system. Until now I have been using truecrypt to encrypt a data partition which gets mounted during boot. I recently bought myself a netbook and since then I've been pondering how to make the most use of HD space and keep it secure should it get stolen.
I have 3 hard drives in my tower. One of the HDs is my backup drive. The other two are for OSs. What I would like to do is
1) Create an encrypted volume group on HD 1 (has about 650 Gb).
2) Create 2 LVs for /root /home on HD1
3) Rsync /root and /home to the LVs HD2 -> HD1
4) HD2 secure erase
5) create VG on HD2 and add it to VG on HD1
*** My Question ***
While reading up on lvm and luks I came upon this article and I'm not quite sure which one is better suited for my situation. I don't know how easy it is to grow/add to an encrypted vg or lg.
There are two ways of setting up an encrypted disk using LVM:
1. Create the LVM and encrypt every volume separately
2. Set up LVM on top of an encrypted partition
source :: http://www.pindarsign.de/webblog/?p=767
Update : Using badblocks on /dev/sda4 didn't work as intended. It completely wiped /dev/sda. One way of going Windows free.
Luckily enough windows 7 was still able to boot without a partition table (scratches head), so I was able to copy some saved games and the downloads folder.
Last edited by whitethorn (2011-09-19 15:12:12)
Dieter@be wrote:
AFAIK you cannot resize luks/dm_crypt devices, so you lose a lot of the flexibility if you put luks on top of lvm.
personally i do full disk encryption with luks/dm_crypt, then lvm on top of that.
btw the arch installer supports both scenarios out of the box.
Sounds like what I'm doing right now. I encrypted my first HD then added lvm on top of that. It took a little while to get a separate boot working and chroot to get all the files set up how I want. At the moment I'm randomizing a 2 Tb hard drive, 10 hours, 85%. Once it finishes I'll encrypt the drive and add lvm on top. I'm not quite sure if I can grow my /home with the space from the 2nd drive and how to decrypt it during boot -
[SOLVED] Setting up system encryption... cannot boot!
I have been trying to set up system encryption with an existing Arch install. I have taken the following steps (based on the Wiki article), but for some reason can no longer boot.
Steps:
* Backed everything up
* Overwrote /dev/sda with random data
* Created three partitions on /dev/sda: a boot partition (/dev/sda1), a swap partition (/dev/sda2), and a root partition (/dev/sda3)
* Set up swap on /dev/sda2
* Set up LUKS on /dev/sda3
* Moved my original /boot directory over to /sda1
When I power on, grub does not start. Instead, I see only a flashing underscore. Any ideas?
Thanks in advance for all of the help (and for being one of the best communities out there).
Last edited by jalu (2011-04-15 14:32:53)
jnguyen wrote: As a side note, you probably want to encrypt your swap as well. User data may get swapped out and thus become accessible. There are instructions for this on the LUKS arch wiki page.
Yes, I did set up swap encryption as the LUKS wiki page describes. Thanks for the important note.
JackH79 wrote:Did you go through this?
Not completely. Running grub-install did seem to help though -- right now, the grub shell does appear upon boot. I'll try to work through the whole process and report back as soon as possible.
Otherwise, does it seem that I'm mostly on the right path? This is my first time playing with encryption, so I hope this to be a learning experience more than anything. -
Installation with LUKS encryption--ok to grub, then black screen
I'm trying to install ArchLinux onto an existing Luks encrypted HDD, formerly dual boot with Fedora 17.
First, I left the Windows partition unchanged and erased the root partition. Then I booted to the ArchLinux, mounted and decrypted the LVM encrypted volume group partitions and followed along with the Beginner's Guide Installation Instructions. This progressed without a hitch, near as I can tell. I can boot to the grub select kernel interface, but no further.
So I forgot something...the encrypted volume. I found the archLinux page dm-crypt with LUKS and tried my best to follow along encouraged by the first line, "The installation of a LUKS-encrypted system is largely the same as installing an unencrypted system."
And that's where I stand. I edited the grub.cfg to boot to run level 3, but the kernel doesn't seem to load at all and never starts to give me the chance to enter the password. So now I'm not sure if it's the LUKS encryption after all. (maybe it's my _next_ problem)
Any ideas?
Last edited by xtian (2013-09-17 22:03:48)
Sure, here's the layout,
# lsblk -fa
NAME FSTYPE LABEL UUID MOUNTPOINT
sda
├─sda1 vfat xxxx-xxxx
├─sda2 ext4 xxxxxxxxxxxxxxxxxxxxx /boot
└─sda3 crypto_L xxxxxxxxxxxxxxxxxxxx
└─luks-93xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (dm-0) LVM2_mem xxxxxxxxxxxxxxxxxxxxxxx
├─cryptVG-root (dm-1) ext4 xxxxxxxxxxxxxxxxxxxxxxxxxxxx /
├─cryptVG-swap (dm-2) swap xxxxxxxxxxxxxxxxxxxxxxxxxxxx [SWAP]
├─cryptVG-home (dm-3) ext4 home xxxxxxxxxxxxxxxxxxxxxxxxxxxx /home
└─cryptVG-local (dm-4) ext4 local xxxxxxxxxxxxxxxxxxxxxxxxxxxx /usr/local
I left sda1 alone. Reinstalled on sda2 (/boot) and sda3 (cryptVG-root). I also remade swap. I didn't see an opportunity to set /usr/local, so I may simply free up this space after copying the data. But for home I set up a subdirectory for the new install and left the old user in place (something I've been wanting to accomplish for some time as anaconda is not so nice to old user files). -
I have my iPhone 4s backed up on my mac but it seems it was encrypted with a password which i do not remember is there any other option to retrieve to the backup without restoring the device as a new one. Also I do not have access to a windows system.
Sorry no, if you don't know the encryption password, then you can't use that backup.
-
Cryptsetup: Swap encryption with suspend-to-disk doesn't work
Hello Community,
I'm trying to get swap encryption with suspend-to-disk support to a working state.
On my system only the /home partition is encrypted with cryptsetup-LUKS.
I'm using the howto on "Using a swap file" (with /home/swapfile as swap file) in the wiki: https://wiki.archlinux.org/index.php/Dm … sk_support
I followed exactly the given instructions:
From /etc/mkinitcpio.conf
HOOKS="base udev autodetect encrypt block resume filesystems keymap fsck"
From /etc/default/grub
GRUB_CMDLINE_LINUX="pcie_aspm=force pcie_aspm.policy=powersave pcie_port=native ipv6.disable=1 init=/usr/lib/systemd/systemd resume=/dev/mapper/crypthome resume_offset=16721572"
From /etc/fstab:
/home/swapfile none swap defaults 0 0
The swapfile is working. Suspend-to-disk also works. But when resuming, I always get:
ERROR: failed to open encryption mapping
The device UUID=... is not a LUKS volume and the crypto= parameter was not specified
running hook [resume]
Waiting 10 seconds for /dev/mapper/crypthome
ERROR: resume: hibernation device /dev/mapper/crypthome not found
Then the system recovers the filesystem of / and later after the passphrase input of /dev/mapper/home it is forced to recover the filesystem of /home.
Shouldn't I get a passphrase input when running the [resume] hook?
Where is the problem I have missed?
Thanks in advance!
Last edited by indianahorst (2014-01-23 17:39:31)
ball wrote: It seems that you've specified your home partition for the resume parameter, that is wrong. It should be the swap partition: https://wiki.archlinux.org/index.php/Su … parameters
No. Have you read my posting completely?
I don't use a swap partition. I'm using a swapfile on my encrypted home partition. See the link in the first posting and go to "Using a swap file". -
Trouble with luks non root partition
hello,
today I struggled with creating an encrypted archlinux installation.
what I want is to encrypt my root and all other partitions with luks.
basically I used the guide on the archwiki ( https://wiki.archlinux.org/index.php/Dm-crypt_with_LUKS ),
but I am always failing at the same point.
my setup is a bit more complex, but to describe my problem I want to use a simple testcase
/dev/sda with 2 partitions
/dev/sda1 as /boot
/dev/sda2 as crypto_LUKS
/dev/sdb with 1 partition
/dev/sdb1 as crypto_LUKS
/dev/sda2 should be / and /dev/sdb1 e.g. /home
I am using passphrases for both partitions.
I edited the HOOKS line in mkinitcpio.conf and added "encrypt" before "filesystems",
and I also edited the crypttab to something like this:
sdb1_crypt /dev/sdb1 none luks
my fstab entry for /home looks like
/dev/mapper/sdb1_crypt /home ext4 rw,relatime,data=ordered 0 1
so far so good, when I am booting I am prompted for passphrases 2 times. first time to encrypt and mount the root partition, which works fine.
second time for the /home partition, but then the boot process gets stuck and systemd times out
[ OK ] Found device /dev/mapper/sdb1_crypt
[ OK ] Started Cryptography Setup for sdb1_crypt
[ OK ] Reached target Encryptet Volumes
[ TIME ] Timed out waiting for device dev-mapper/sdb1_crypt
[ DEPEND ] Dependency failed for /home
[ DEPEND ] Dependency failed for Local File Systems
I am thrown to the emergency shell then.
/dev/mapper/sdb1_crypt exists, but when I am trying to mount it with
mount /dev/mapper/sdb1_crypt /mnt
it says
mount: special device /dev/mapper/sdb1_crypt does not exist
cryptsetup says that /dev/mapper/sdb1_crypt is inactive.
anyway I can luksOpen it manually with
cryptsetup luksOpen /dev/sdb1 foo
enter passphrase again and now I am able to mount /dev/mapper/foo
what am I missing here?
thanks for helping!
ineb
I just wrote this. It does not cover the LVM part. However, you do not need to do anything for that.
Just add this between "keymap encrypt" and "filesystems" in the HOOKS= array
lvm2
Also, because you have more than one partition that is encrypted and needs to be decrypted at boot, you may need to have this in /etc/default/grub instead of what I put in the post I linked to.
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:root cryptdevice=/dev/sdb1:home"
The `grub-mkconfig -o /boot/grub/grub.cfg` command WILL find all your LVM2 lv's with no problem and configure grub.cfg correctly. You just need to edit /etc/default/grub and use that command to rebuild the grub.cfg
Other than that this post should solve your problems.
https://bbs.archlinux.org/viewtopic.php … 2#p1209702
Last edited by hunterthomson (2012-12-25 02:40:23) -
Simplest possible system encryption setup?
I've been trying to install using the System Encryption wiki and having some difficulty. Here's what I'm looking for:
4 partitions: /boot, and encrypted /, /home and /var.
No LVM (to eliminate complication)
No swap
No suspend
A single passphrase during boot
My plan was to use a passphrase for /, and then store keyfiles for /home and /var under that (so they'd be encrypted with the system off).
I got as far as unlocking /, but when I got into executing /etc/crypttab it failed unlocking /var and /home. I generated those keyfiles but when I was in the installer it asked for passphrases for all my partitions, not just for /. Although I generated those keyfiles using /dev/urandom (for some reason /dev/random didn't work) I have a feeling I missed the step whereby /home and /var was encrypted using them.
Can I re-apply the encryption to them somehow? I'm guessing I have to re-do the install.
Also I'm a bit doubtful about how my fstab turned out. If someone without LVM has an fstab and crypttab he can post here that I can look at, I'd appreciate it. Not sure how to post mine since I don't have internet up on the arch system and don't even know how to put stuff on a flash drive (I've been spoiled by Puppy Linux)..
Perhaps I'm missing part of the big picture about how the device mapper works. I will have to poke around the internet to see if I can find an explanation.
The wiki mentioned TRIM being supported after kernel version 3.1 so I guess I'm out of luck on that for a while (it's an ssd).
hmm... honestly I don't know about /var, which might be a special case, but what you're trying to do should be doable (without LVM, just LUKS). It certainly is for home. Obviously to decrypt your root you'll need to enter a passphrase on boot, but then you can have keyfiles on said partition to be used to decrypt other partitions.
I do have a setup like that myself, although not for my home (nor /var), but for a backups partition. I don't know how to do it all from the installer, as what I did was to just install Arch, and once that was done I manually added my /backups. But I'm guessing it might be doable.
You'll need to create your keyfiles before running the installer, and during the partition setup it should ask you for (extra) parameters to use with cryptsetup, so you can then add something like: --key-file /path/to/home.key
After that, you'll have to set up your crypttab, there are examples but it should be something like this:
luks-home /dev/whatever /path/to/home.key
Of course you need to keep those keyfiles, and make sure to put them somewhere on / (as indicated on crypttab) after the installer is done and before rebooting. (I would also recommend to add another key (a passphrase that is, in addition to the keyfile), just so that in case the keyfile gets lost, corrupted or something, you can still decrypt your partition.)
And just in case you haven't, you should check the great wiki: https://wiki.archlinux.org/index.php/LUKS -
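A check for the two failure modes that come up in the "Trouble with luks non root partition" thread above and in this answer: an fstab line that mounts a /dev/mapper name crypttab never creates (systemd then times out waiting on the device), and a crypttab keyfile that is missing or readable by other users. This is an added example, not code from either thread; it builds constructed crypttab and fstab files in a temporary directory, modelled on the entries posted above, and the keyfile path and the `typo_crypt` entry are constructed so that the checks have something to report. Point the functions at /etc/crypttab and /etc/fstab to check a real system.

```shell
#!/bin/sh
# Added example, not code from the thread: crypttab/fstab consistency checks.
# Uses only sh, awk, grep and ls, so it runs without root or cryptsetup.

TMP=$(mktemp -d)

# Constructed keyfile standing in for /path/to/home.key, deliberately
# too permissive so check_keyfiles below has something to report.
head -c 64 /dev/urandom > "$TMP/home.key"
chmod 0644 "$TMP/home.key"

# Constructed crypttab modelled on the entries posted above.
cat > "$TMP/crypttab" <<EOF
# <name>      <device>    <keyfile>         <options>
sdb1_crypt    /dev/sdb1   none              luks
luks-home     /dev/sdc1   $TMP/home.key     luks
EOF

# Constructed fstab; the last line names a mapping crypttab never creates.
cat > "$TMP/fstab" <<'EOF'
/dev/mapper/sdb1_crypt  /home    ext4  rw,relatime,data=ordered  0 1
/dev/mapper/luks-home   /backup  ext4  defaults                  0 2
/dev/mapper/typo_crypt  /srv     ext4  defaults                  0 2
EOF

# crypttab_names CRYPTTAB: mapper names declared on active (non-comment) lines.
crypttab_names() {
    awk '!/^[ \t]*(#|$)/ { print $1 }' "$1"
}

# unmapped_fstab_devices CRYPTTAB FSTAB: report fstab lines that mount a
# /dev/mapper/<name> with no matching crypttab entry, i.e. the situation
# that leaves systemd waiting on dev-mapper-<name>.device. Returns 1 if any.
unmapped_fstab_devices() {
    names=$(crypttab_names "$1")
    rc=0
    while read -r dev mnt rest; do
        case "$dev" in
            /dev/mapper/*) ;;
            *) continue ;;
        esac
        name=${dev#/dev/mapper/}
        if ! printf '%s\n' "$names" | grep -qx -- "$name"; then
            echo "fstab: $dev ($mnt) has no crypttab entry"
            rc=1
        fi
    done < "$2"
    return $rc
}

# check_keyfiles CRYPTTAB: every keyfile other than "none" must exist and
# must not be readable by group or other. Returns 1 on any finding.
check_keyfiles() {
    rc=0
    while read -r name dev key opts; do
        case "$name" in ''|\#*) continue ;; esac
        [ "$key" = none ] && continue
        if [ ! -f "$key" ]; then
            echo "crypttab: $name keyfile $key not found"
            rc=1
            continue
        fi
        # first field of ls -l looks like -rw-------; columns 5-10 are the
        # group and other permission bits, which should all be off.
        if [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
            echo "crypttab: $name keyfile $key is readable by group/other"
            rc=1
        fi
    done < "$1"
    return $rc
}

# Run both checks on the constructed files.
unmapped_fstab_devices "$TMP/crypttab" "$TMP/fstab" || true
check_keyfiles "$TMP/crypttab" || true
```

The mapper-name check catches exactly the mismatch the poster saw (a crypttab entry that is open but an fstab that waits on a name that never appears), and the permission check reflects why the answer above insists the keyfiles live on the already-unlocked root: a keyfile any local user can read is equivalent to an unprotected slot on that LUKS header.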
Hello All,
Seem to be having a problem recently. Whenever I attach any external drive to my Desktop I receive the following error in Event Viewer. I never encrypted any of the drives in question with bitlocker.
Encrypted volume check: Volume information on \\?\Volume{7cc70383-5d6b-11e0-855c-001c25a5a540} cannot be read.
Event ID: 24620
And I cannot access my drive information. At first i thought it may be an issue with one of the drives I have partially encrypted with TrueCrypt but I tried several other unencrypted drives and I receive the same error and I cannot access the
data on my drives.
I tried to access the Bit Locker Recovery tool program (downloaded the VISTA Version since there was no Windows 7 Version that I could find), but it did not allow me to install the recovery tool to attempt some kind of fixing.
The strange thing is that I do not have Windows 7 Ultimate installed (which from what I understand is the only way to have Bitlocker). I have windows 7 professional and I never encrypted my drives with bitlocker, 1 out of the 3 drives is partially
encrypted with TrueCrypt, the other 2 are not encrypted with anything.
The stranger thing is that I can plug the external drives into another laptop and I can access the data fine with no problem or errors. I searched the forum for similar problems, but did not see any responses with fixes to this issue.
The only thing I can think of is that my Desktop downloaded and installed a bunch of Windows Updates within the last 4-5 days.
here is the update list
http://farm6.static.flickr.com/5304/5890096650_431b0f3627_b.jpg
Any assistance in attempting to figure this out would be appreciated.
Hi,
According to the error message, it should use
BitLocker Repair Tool to fix it, refer:
http://technet.microsoft.com/en-us/library/cc734057(WS.10).aspx
What error message did you receive when you use BitLocker repair Tool?
I notice one drive is encrypted with TrueCrypt, please use that program to unencrypt the drive for test.
If it doesn’t work, since the issue didn’t appear before, you can try to perform a system restore to see the result.
Hope that helps.
Regards,
Leo
Huang
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. -
How can I retrieve the password hint of an external drive encrypted with FileVault 2?
Hi,
I'm running on 10.7.3, I have an external HDD that is fully encrypted with FileVault 2. When encrypting an external drive, FileVault 2 doesn't provide a recovery key, but it gives you the opportunity to give a hint at the time you enter the password. My question is: how can I get this hint?
I'm asking because I can't mount the drive anymore. I keep getting prompted to enter the password, and although I believe I'm sure what the password is, it keeps getting refused. The weird thing is that I have never been asked this password because the drive has always been automatically mounted after reboots, I guess because the password was in my Keychain. I have no idea why it no longer auto-mounts and none of the passwords I tried worked.
In Disk Utility, when I tried to "verify" the locked volume, Disk Utility logs an error in system.log with no other user visible action. I filed a bug with Apple about this (#11286871) but I'm still waiting to hear back from them. The error logged is:
Apr 20 22:53:17 nowwhat Disk Utility[1508]: -[__NSCFDictionary setObject:forKey:]: attempt to insert nil value (key: diskIdentifier)
Apr 20 22:53:17 nowwhat Disk Utility[1508]: (
0 CoreFoundation 0x00007fff915bffc6 __exceptionPreprocess + 198
1 libobjc.A.dylib 0x00007fff87a37d5e objc_exception_throw + 43
2 CoreFoundation 0x00007fff915bfdfa +[NSException raise:format:arguments:] + 106
3 CoreFoundation 0x00007fff915bfd84 +[NSException raise:format:] + 116
4 CoreFoundation 0x00007fff9157cf3b -[__NSCFDictionary setObject:forKey:] + 219
5 DFA 0x000000010a1aa1b8 DFA + 25016
6 DFA 0x000000010a1ad701 DFA + 38657
7 DFA 0x000000010a1a61de DFA + 8670
8 CoreFoundation 0x00007fff915af75d -[NSObject performSelector:withObject:] + 61
9 AppKit 0x00007fff8e507cb2 -[NSApplication sendAction:to:from:] + 139
10 AppKit 0x00007fff8e507be6 -[NSControl sendAction:to:] + 88
11 AppKit 0x00007fff8e507b11 -[NSCell _sendActionFrom:] + 137
12 AppKit 0x00007fff8e506fd4 -[NSCell trackMouse:inRect:ofView:untilMouseUp:] + 2014
13 AppKit 0x00007fff8e586d04 -[NSButtonCell trackMouse:inRect:ofView:untilMouseUp:] + 489
14 AppKit 0x00007fff8e505bde -[NSControl mouseDown:] + 786
15 AppKit 0x00007fff8e4d06e0 -[NSWindow sendEvent:] + 6306
16 AppKit 0x00007fff8e46916d -[NSApplication sendEvent:] + 5593
17 AppKit 0x00007fff8e3ff1f2 -[NSApplication run] + 555
18 AppKit 0x00007fff8e67db88 NSApplicationMain + 867
19 Disk Utility 0x0000000104c4e475 Disk Utility + 9333
20 Disk Utility 0x0000000104c4e270 Disk Utility + 8816
Even if you succeed with the difficult instructions to do this, if you are running Mavericks (10.9.x) on your Mac, count on it to start over with a whole new backup of your Mac, so you will have two separate backup files for the Mac on the Time Capsule.
Realistically, few of us ever need to go back months or years to retrieve a file from Time Machine. My recommendation would be to keep the external hard drive around for a few months until you have a good backup history established for the Mac....and then delete the backups from the drive and use it as a spare hard drive. -
After encrypting with filevault 2 on mountain lion, safari is extremely slow
after encrypting with filevault2 on mountain lion, safari is running extremely slow.
it's taking more than 45 seconds (sometimes a full minute) to load pages.
my internet speeds are 35 mbps download and 6.35 mpbs upload, so it's not my internet connection.
i have deleted the cache files and the system preferences.
i'm finding that chrome is faster, but i'm seeing slowness there too.
I encrypted using filevault 2.0 yesterday, all software is up to date.
can anyone please help me with this? i don't want to have to turn off filevault.
thanks!
Problems such as yours are sometimes caused by files that should belong to you but are locked or have a wrong owner. This procedure will check for such files. It makes no changes and therefore will not, in itself, solve your problem.
Launch the Terminal application in any of the following ways:
☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
☞ Open LaunchPad. Click Utilities, then Terminal in the page that opens.
Triple-click anywhere in the line below to select it, then drag or copy it — do not type — into the Terminal window:
find . $TMPDIR.. \( -flags +sappnd,schg,uappnd,uchg -o ! -user $UID \) -ls
Press return. The command may take a noticeable amount of time to run. Wait for a new line ending in a dollar sign (“$”) to appear.
Post any lines of output that appear below what you entered — the text, please, not a screenshot.
If any personal information appears in the output, edit before posting, but don’t remove the context. -
I want to dual boot Chrome OS and Arch on a Chromebook. More importantly, I want to run Arch with full system encryption, such as with dm-crypt.
As I understand it, in order to use full disk encryption, /boot must be a non-encrypted partition. If I didn't want to dual boot CrOS, this wouldn't be a problem. If I change the partitioning, it's unlikely that CrOS will boot.
Has anyone successfully dual booted Chrome OS and Arch with full-disk encryption? And, if so, I'd appreciate your guidance. Thanks!!
[edit] yes. Very straightforward, just read the Wiki
Last edited by Watney (2015-05-26 03:21:50)
What is your threat model?
Oh, and no you cannot have a hidden volume with dm-crypt.
If you really want to have a secure OS to boot to.
You should make a small partition on your drive.
Put the tails linux OS .iso on it
https://tails.boum.org/
Then configure GRUB2 to boot the .iso file.
https://tails.boum.org/forum/LiveUSB__4 … __feature/
Now get a micro SD card and encrypt that for keeping data on.
Then if you have to destroy the data, you just snap the micro SD card in a few pieces, but if you don't have time to destroy it then it is at least encrypted.
If you are really worried about like the NSA or FBI getting your data... You probably should not even have the data in the USA at all.
Instead, rent a VPS in like Malaysia, Russia, Hong Kong, bla, bla bla...
Pay for the VPS with BitCoin, Bitcoin you bought on #bitcoin-otc freenode IRC channel, that you connected to through the freenode TOR-Hidden Service IRC server. You will also want to do some bitcoin Tumbling before you use it. To tumble the bitcoin. You could simply transfer the bitcoin to an account on silkroadvb5piz3r.onion then transfer the bitcoin back to you.
.... Oh, and configure your bitcoin client to connect to the bitcoin network through TOR.
Only connect to the VPS through TOR.
Create a TOR-Hidden service to host SSH on the VPS
Then use like sshfs to mount a remote directory on that VPS.
Then create a TrueCrypt volume on that sshfs mounted directory, and keep your data in that.
===========
How far down the rabbit hole do you want to go?
Last edited by hunterthomson (2012-11-13 01:48:12)
Hi all we had finisehd Shell Creation and SAP live but now we had some graphical problems Graphics profile STRW, SWBOCUSTOMIZ. Do we have create some error or has somebody a idea what we could do ? OBJECTS_OBJREF_NOT_ASSIGNED_NO CX_SY_REF_IS_INITIAL