Two-factor authentication for encryption with LUKS?

Hello Arch forum,
I plan to move to Arch in about 2 weeks, but I'm looking to do two-factor authentication for a LUKS-encrypted system.
Actually, I have read the whole page at https://wiki.archlinux.org/index.php/Dm-crypt_with_LUKS#Adding_Additional_Passphrases_or_Keyfiles_to_a_LUKS_Encrypted_Partition
But I don't understand if it's possible to do a passphrase + keyfile strategy, where, if either of the two conditions is not met, the partition is unreadable/stays encrypted.
A keyfile-only strategy is useless in my plan, since I need to have my laptop secured even if someone has physical access to it.
The ideal would be a passphrase to enter at boot + a keyfile on a USB key.
Sincerely,
Sptnaz

Yeah, I will try it on a VMware VM first.
So after I read this > https://bbs.archlinux.org/viewtopic.php … 38#p943338
Tell me if I'm wrong:
1/ The drive/OS is encrypted with AES256-XTS512
2/ The "keyfile" is GPG/OpenSSL encrypted, and can be stored on external media
3/ After all the changes are done like in the how-to, I will need to enter a passphrase (longer is better) FOR the KEYFILE, then the KEYFILE will be unlocked and the encrypted content of the OS too.
By the way, does Arch need to put some data in the MBR of the drive? I'm using a multi-boot system on a 940GB Crucial M5 SSD, with
1/ Windows 7 OS for home
2/ Windows 7 OS for work
3/ Penetration testing live CD of BT5
4/ > Encrypted OS (Arch)
I think it's more likely a clean-partitioning affair, but tell me if I'm wrong.

Similar Messages

  • PKGBUILDSs for Thunar with LUKS support

    Hi,
    I've made some PKGBUILDs for exo-svn, thunar-svn and thunar-volman which use patches to provide support for LUKS encrypted devices in Thunar.
    I didn't upload them to AUR, cause I will not use the packages. I only wanted to see if it works already and will wait until it's integrated in the stable release of Thunar.
    exo-svn-luks
    # $Id: PKGBUILD 356 2008-04-18 22:56:27Z aaron $
    # Maintainer: aurelien <[email protected]>
    # Contributor: Aurelien Foret <[email protected]>
    pkgname=exo-svn-luks
    pkgver=27155
    pkgrel=1
    pkgdesc="Extensions to Xfce by os-cillation - patched for LUKS support"
    arch=(i686)
    license=('GPL2' 'LGPL2')
    url="http://www.os-cillation.com/article.php?sid=40"
    groups=('xfce4')
    depends=('libxfce4util>=4.4.2' 'gtk2>=2.12.1' 'hal' 'perl-uri')
    makedepends=('pygtk>=2.12.0' 'pkgconfig' 'xfce-mcs-manager>=4.4.2' 'xfce4-dev-tools')
    options=('!libtool')
    provides=('exo')
    conflicts=('exo')
    install=${pkgname}.install
    source=(http://bugzilla.xfce.org/attachment.cgi?id=1689)
    md5sums=('7a1af943b1df32b6f89ae91823118a22' '22738e04b61e407b583c49ea661b9c63')
    _svntrunk=http://svn.xfce.org/svn/xfce/libexo/trunk/
    _svnmod=libexo
    build() {
      cd $startdir/src
      # Get latest source code
      svn co $_svntrunk $_svnmod
      msg "SVN checkout done or server timeout"
      msg "Starting make..."
      cd $_svnmod
      # Apply the LUKS patch (bugzilla attachment 1689)
      patch -Np0 -i ../attachment.cgi?id=1689 || return 1
      ./autogen.sh --prefix=/usr --sysconfdir=/etc --libexecdir=/usr/lib/xfce4 \
        --localstatedir=/var --disable-static \
        --enable-mcs-plugin --enable-python
      make || return 1
      make DESTDIR=${startdir}/pkg install
    }
    thunar-svn-luks
    # $Id: PKGBUILD 356 2008-04-18 22:56:27Z aaron $
    # Contributor: Andrew Simmons <[email protected]>
    pkgname=thunar-svn-luks
    pkgver=27155
    pkgrel=1
    pkgdesc="new modern file manager for Xfce - patched for LUKS support"
    arch=(i686)
    license=('GPL2' 'LGPL2')
    url="http://thunar.xfce.org"
    groups=('xfce4')
    depends=('exo-svn-luks' 'shared-mime-info' 'pcre' \
             'desktop-file-utils' 'libexif' 'hal' 'fam' \
             'startup-notification')
    makedepends=('intltool' 'pkgconfig' 'xfce4-dev-tools')
    provides=('thunar')
    conflicts=('thunar')
    options=('!libtool')
    install=${pkgname}.install
    source=(http://bugzilla.xfce.org/attachment.cgi?id=1690)
    md5sums=('7f381d597d9c34e7f427fe65b011709b')
    _svntrunk=http://svn.xfce.org/svn/xfce/thunar/trunk/
    _svnmod=thunar
    build() {
      cd $startdir/src
      # Get latest source code
      svn co $_svntrunk $_svnmod
      msg "SVN checkout done or server timeout"
      msg "Starting make..."
      cd $_svnmod
      # Apply the LUKS patch (bugzilla attachment 1690)
      patch -Np0 -i ../attachment.cgi?id=1690 || return 1
      ./autogen.sh --prefix=/usr --sysconfdir=/etc --libexecdir=/usr/lib/xfce4 \
        --localstatedir=/var --disable-static \
        --disable-gnome-thumbnailers --enable-exif --enable-pcre
      make || return 1
      make DESTDIR=${startdir}/pkg install
      # Drop the GNOME default-handler MIME type from the folder handler desktop file
      sed -i 's:x-directory/gnome-default-handler;::' ${startdir}/pkg/usr/share/applications/Thunar-folder-handler.desktop
    }
    thunar-volman-luks
    # $Id: PKGBUILD 356 2008-04-18 22:56:27Z aaron $
    # Contributor: Tobias Kieslich <tobias (at) archlinux.org>
    pkgname=thunar-volman-luks
    pkgver=0.2.0
    pkgrel=1
    pkgdesc="automatic management for removable devices in thunar - patched for LUKS support"
    arch=(i686)
    license=('GPL2')
    url="http://foo-projects.org/~benny/projects/thunar-volman"
    groups=('xfce4-goodies')
    depends=('thunar-svn-luks')
    makedepends=('intltool' 'pkgconfig')
    provides=('thunar-volman')
    conflicts=('thunar-volman')
    options=('!libtool')
    install=${pkgname}.install
    source=(http://download.berlios.de/xfce-goodies/thunar-volman-${pkgver}.tar.bz2 \
            http://bugzilla.xfce.org/attachment.cgi?id=1691)
    md5sums=('e4587967fe3b3858d93735fee3edb2fc' 'a5590137233af36fbccf721562312161')
    build() {
      cd ${startdir}/src/thunar-volman-${pkgver}
      # Apply the LUKS patch (bugzilla attachment 1691)
      patch -Np0 -i ../attachment.cgi?id=1691 || return 1
      ./configure --prefix=/usr --sysconfdir=/etc --libexecdir=/usr/lib/xfce4 \
        --localstatedir=/var --disable-static
      make || return 1
      make DESTDIR=${startdir}/pkg install
    }
    The .install files are just renamed copies from the .install files in the ABS tree.

    Thanks for the help so far. I decided against using a keyfile and tailored a set of instructions for my goal (LVM on LUKS, passphrase, non-efi). Is this procedure correct?
    Partitioning
    # cfdisk
        sda1   Boot   Primary   Linux   200 (MB)
        sda2          Primary   Linux
    Load the encryption module
    # modprobe dm-mod
    Configuring LUKS and formatting partitions with a passphrase
    Format LUKS
    # cryptsetup -h SHA512 -i 5000 -c aes-xts-plain -y -s 512 luksFormat /dev/sda2
    Check results
    # cryptsetup luksDump /dev/sda2
    Unlocking/Mapping LUKS Partitions with the Device Mapper
    # cryptsetup luksOpen /dev/sda2 lvm
    Initialize physical volume
    # lvm pvcreate /dev/mapper/lvm
    Create volume group
    # lvm vgcreate vgroup /dev/mapper/lvm
    Add logical volumes to volume group
    # lvm lvcreate -L 20G -n root vgroup
    # lvm lvcreate -l 100%FREE -n home vgroup
    Make filesystems and mount partitions
    # mkfs.ext4 /dev/mapper/vgroup-root
    # mount /dev/mapper/vgroup-root /mnt
    # mkfs.ext4 /dev/mapper/vgroup-home
    # mkdir /mnt/home
    # mount /dev/mapper/vgroup-home /mnt/home
    # mkfs.ext2 /dev/sda1
    # mkdir /mnt/boot
    # mount /dev/sda1 /mnt/boot
    Backup cryptheader
    # cryptsetup luksHeaderBackup /dev/sda2 --header-backup-file /mnt/<backup>/<file>.img
    Create an initial ramdisk environment
    # nano /etc/mkinitcpio.conf
    HOOKS="base udev autodetect block encrypt lvm2 filesystems shutdown"
    # mkinitcpio -p linux
    Syslinux
    # pacman -S syslinux
    # syslinux-install_update -i -a -m
    Configure syslinux.cfg to point to the right root partition
    # nano /boot/syslinux/syslinux.cfg
    LABEL arch
            APPEND root=/dev/mapper/vgroup-root cryptdevice=/dev/sda2:vgroup ro
    Last edited by Divinorum (2013-01-22 16:02:13)

  • Mounting external drive encrypted with Luks

    Hello guys,
    since I'm using Luks for my whole system I'd like to backup it on my external hard drive that should be encrypted too.
    So I used the following commands:
    cryptsetup -c aes-xts-plain -s 512 luksFormat /dev/sdb
    cryptsetup luksOpen /dev/sdb external
    mkfs.ext4 /dev/mapper/external
    I'm then able to mount it with
    mount -t ext4 /dev/mapper/external /media/external
    But I want to automate that, meaning my external drive should be mounted automatically by the system (I guess it's only possible via udev?) after it is plugged in, without any passphrase prompt and with complete user access, not just root.
    How could I achieve that?
    Thank you for your help.

  • System Encryption with LUKS

    I'm trying to encrypt my /root partition, however I keep getting an odd error message and I can't seem to figure out why. I'll enter:
    # cryptsetup -c aes-plain -y -s 256 luksFormat /dev/sda2
    And I'll get a message telling me:
    Command failed: Failed to setup dm-crypt key mapping.
    Check kernel for support for the aes-plain cipher spec and verify that /dev/sda2 contains at least 258 sectors
    Kernel version is 2.6.30. Anyone know how to fix this?

    modprobe dm-mod
    https://wiki.archlinux.org/index.php/Sy … nd_mapping

  • System encryption using LUKS and GPG encrypted keys for arch linux

    Update: As of 2012-03-28, arch changed from gnupg 1.4 to 2.x which uses pinentry for the password dialog. The "etwo" hook described here doesn't work with gnupg 2. Either use the openssl hook below or use a statically compiled version of gnupg 1.4.
    Update: As of 2012-12-19, the mkinitcpio is not called during boot, unless the "install" file for the hook contains "add_runscript". This resulted in an unbootable system for me. Also, the method name was changed from install () to build ().
    Update: 2013-01-13: Updated the hook files using the corrections by Deth.
    Note: This guide is a bit dated now, in particular the arch installation might be different now. But essentially, the approach stays the same. Please also take a look at the posts further down, specifically the alternative hooks that use openssl.
    I always wanted to set up a fully encrypted arch linux server that uses gpg encrypted keyfiles on an external usb stick and luks for root filesystem encryption. I already did it once in gentoo using this guide. For arch, I had to play a lot with initcpio hooks and after one day of experimentation, I finally got it working. I wrote a little guide for myself which I'm going to share here for anyone that might be interested. There might be better or easier ways, like I said this is just how I did it. I hope it might help someone else. Constructive feedback is always welcome.
    Intro
    Using arch linux mkinitcpio's encrypt hook, one can easily use encrypted root partitions with LUKS. It's also possible to use key files stored on an external drive, like an usb stick. However, if someone steals your usb stick, he can just copy the key and potentially access the system. I wanted to have a little extra security by additionally encrypting the key file with gpg using a symmetric cipher and a passphrase.
    Since the encrypt hook doesn't support this scenario, I created a modified hook called "etwo" (silly name I know, it was the first thing that came to my mind). It will simply look if the key file has the extension .gpg and, if yes, use gpg to decrypt it, then pipe the result into cryptsetup.
    Conventions
    In this short guide, I use the following disk/partition names:
    /dev/sda: is the hard disk that will contain an encrypted swap (/dev/sda1), /var (/dev/sda2) and root (/dev/sda3) partition.
    /dev/sdb is the usb stick that will contain the gpg encrypted luks keys, the kernel and grub. It will have one partition /dev/sdb1 formatted with ext2.
    /dev/mapper/root, /dev/mapper/swap and /dev/mapper/var will be the encrypted devices.
    Credits
    Thanks to the authors of SECURITY_System_Encryption_DM-Crypt_with_LUKS (gentoo wiki), System Encryption with LUKS (arch wiki), mkinitcpio (arch wiki) and Early Userspace in Arch Linux (/dev/brain0 blog)!
    Guide
    1. Boot the arch live cd
    I had to use a newer testing version, because the 2010.05 cd came with a broken gpg. You can download one here: http://releng.archlinux.org/isos/. I chose the “core“ version. Go ahead and boot the live cd, but don't start the setup yet.
    2. Set keymap
    Use km to set your keymap. This is important for non-qwerty keyboards to avoid surprises with passphrases...
    3. Wipe your discs
    ATTENTION: this will DELETE everything on /dev/sda and /dev/sdb forever! Do not blame me for any lost data!
    Before encrypting the hard disc, it has to be completely wiped and overwritten with random data. I used shred for this. Others use badblocks or dd with /dev/urandom. Either way, this will take a long time, depending on the size of your disc. I also wiped my usb stick just to be sure.
    shred -v /dev/sda
    shred -v /dev/sdb
    4. Partitioning
    Fire up fdisk and create the following partitions:
    /dev/sda1, type linux swap.
    /dev/sda2: type linux
    /dev/sda3: type linux
    /dev/sdb1, type linux
    Of course you can choose a different layout, this is just how I did it. Keep in mind that only the root filesystem will be decrypted by the initcpio. The rest will be decrypted during normal init boot using /etc/crypttab, the keys being somewhere on the root filesystem.
    5. Format  and mount the usb stick
    Create an ext2 filesystem on /dev/sdb1:
    mkfs.ext2 /dev/sdb1
    mkdir /root/usb
    mount /dev/sdb1 /root/usb
    cd /root/usb # this will be our working directory for now.
    Do not mount anything to /mnt, because the arch installer will use that directory later to mount the encrypted root filesystem.
    6. Configure the network (if not already done automatically)
    ifconfig eth0 192.168.0.2 netmask 255.255.255.0
    route add default gw 192.168.0.1
    echo "nameserver 192.168.0.1" >> /etc/resolv.conf
    (this is just an example, your mileage may vary)
    7. Install gnupg
    pacman -Sy
    pacman -S gnupg
    Verify that gnupg works by launching gpg.
    8. Create the keys
    Just to be sure, make sure swap is off:
    cat /proc/swaps
    should return no entries.
    Create gpg encrypted keys (remember, we're still in our working dir /root/usb):
    dd if=/dev/urandom bs=512 count=4 | gpg -v --cipher-algo aes256 --digest-algo sha512 -c -a > root.gpg
    dd if=/dev/urandom bs=512 count=4 | gpg -v --cipher-algo aes256 --digest-algo sha512 -c -a > var.gpg
    Choose a strong password!!
    Don't do this in two steps, e.g. don't run dd to a file and then gpg on that file. The key should never be stored in plain text on an unencrypted device, except if that device is wiped on system restart (ramfs)!
    Note that the default cipher for gpg is cast5, I just chose to use a different one.
    9. Create the encrypted devices with cryptsetup
    Create encrypted swap:
    cryptsetup -c aes-cbc-essiv:sha256 -s 256 -h whirlpool -d /dev/urandom create swap /dev/sda1
    You should see /dev/mapper/swap now. Don't format nor turn it on for now. This will be done by the arch installer.
    Important: From the Cryptsetup 1.1.2 Release notes:
    Cryptsetup can accept passphrase on stdin (standard input). Handling of new line (\n) character is defined by input specification:
        if keyfile is specified as "-" (using --key-file=- or by positional argument in luksFormat and luksAddKey, like cat file | cryptsetup --key-file=- <action> ), input is processed
          as normal binary file and no new line is interpreted.
        if there is no key file specification (with default input from stdin pipe like echo passphrase | cryptsetup <action> ) input is processed as input from terminal, reading will
          stop after new line is detected.
    If I understand this correctly, since the randomly generated key can contain a newline early on, piping the key into cryptsetup without specifying --key-file=- could result in a big part of the key being ignored by cryptsetup. Example: if the random key was "foo\nandsomemorebaratheendofthekey", piping it directly into cryptsetup without --key-file=- would result in cryptsetup using only "foo" as the key, which would have big security implications. We should therefore ALWAYS pipe the key into cryptsetup using --key-file=-, which ignores newlines.
    gpg -q -d root.gpg 2>/dev/null | cryptsetup -v --key-file=- -c aes-cbc-essiv:sha256 -s 256 -h whirlpool luksFormat /dev/sda3
    gpg -q -d var.gpg 2>/dev/null | cryptsetup -v --key-file=- -c aes-cbc-essiv:sha256 -s 256 -h whirlpool luksFormat /dev/sda2
    Check for any errors.
    10. Open the luks devices
    gpg -d root.gpg 2>/dev/null | cryptsetup -v --key-file=- luksOpen /dev/sda3 root
    gpg -d var.gpg 2>/dev/null | cryptsetup -v --key-file=- luksOpen /dev/sda2 var
    If you see /dev/mapper/root and /dev/mapper/var now, everything is ok.
    11. Start the installer /arch/setup
    Follow steps 1 to 3.
    At step 4 (Prepare hard drive(s)), select "3 – Manually Configure block devices, filesystems and mountpoints". Choose /dev/sdb1 (the usb stick) as /boot, /dev/mapper/swap for swap, /dev/mapper/root for / and /dev/mapper/var for /var.
    Format all drives (choose “yes” when asked “do you want to have this filesystem (re)created”) EXCEPT for /dev/sdb1, choose “no”. Choose the correct filesystem for /dev/sdb1, ext2 in my case. Use swap for /dev/mapper/swap. For the rest, I chose ext4.
    Select DONE to start formatting.
    At step 5 (Select packages), select grub as boot loader. Select the base group. Add mkinitcpio.
    Start step 6 (Install packages).
    Go to step 7 (Configure System).
    Be sure to set the correct KEYMAP, LOCALE and TIMEZONE in /etc/rc.conf.
    Edit /etc/fstab:
    /dev/mapper/root / ext4 defaults 0 1
    /dev/mapper/swap swap swap defaults 0 0
    /dev/mapper/var /var ext4 defaults 0 1
    # /dev/sdb1 /boot ext2 defaults 0 1
    Configure the rest normally. When you're done, setup will launch mkinitcpio. We'll manually launch this again later.
    Go to step 8 (install boot loader).
    Be sure to change the kernel line in menu.lst:
    kernel /vmlinuz26 root=/dev/mapper/root cryptdevice=/dev/sda3:root cryptkey=/dev/sdb1:ext2:/root.gpg
    Don't forget the :root suffix in cryptdevice!
    Also, my root line was set to (hd1,0). Had to change that to
    root (hd0,0)
    Install grub to /dev/sdb (the usb stick).
    Now, we can exit the installer.
    12. Install mkinitcpio with the etwo hook.
    Create /mnt/lib/initcpio/hooks/etwo:
    #!/usr/bin/ash
    run_hook() {
        /sbin/modprobe -a -q dm-crypt >/dev/null 2>&1
        if [ -e "/sys/class/misc/device-mapper" ]; then
            if [ ! -e "/dev/mapper/control" ]; then
                /bin/mknod "/dev/mapper/control" c $(cat /sys/class/misc/device-mapper/dev | sed 's|:| |')
            fi
            [ "${quiet}" = "y" ] && CSQUIET=">/dev/null"

            # Get keyfile if specified
            ckeyfile="/crypto_keyfile"
            usegpg="n"
            if [ "x${cryptkey}" != "x" ]; then
                ckdev="$(echo "${cryptkey}" | cut -d: -f1)"
                ckarg1="$(echo "${cryptkey}" | cut -d: -f2)"
                ckarg2="$(echo "${cryptkey}" | cut -d: -f3)"
                if poll_device "${ckdev}" ${rootdelay}; then
                    case ${ckarg1} in
                        *[!0-9]*)
                            # Use a file on the device
                            # ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path
                            # A .gpg extension selects gpg decryption of the copied keyfile
                            if [ "${ckarg2#*.}" = "gpg" ]; then
                                ckeyfile="${ckeyfile}.gpg"
                                usegpg="y"
                            fi
                            mkdir /ckey
                            mount -r -t ${ckarg1} ${ckdev} /ckey
                            dd if=/ckey/${ckarg2} of=${ckeyfile} >/dev/null 2>&1
                            umount /ckey
                            ;;
                        *)
                            # Read raw data from the block device
                            # ckarg1 is numeric: ckarg1=offset, ckarg2=length
                            dd if=${ckdev} of=${ckeyfile} bs=1 skip=${ckarg1} count=${ckarg2} >/dev/null 2>&1
                            ;;
                    esac
                fi
                [ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase."
            fi

            if [ -n "${cryptdevice}" ]; then
                DEPRECATED_CRYPT=0
                cryptdev="$(echo "${cryptdevice}" | cut -d: -f1)"
                cryptname="$(echo "${cryptdevice}" | cut -d: -f2)"
            else
                DEPRECATED_CRYPT=1
                cryptdev="${root}"
                cryptname="root"
            fi

            warn_deprecated() {
                echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated"
                echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead."
            }

            if poll_device "${cryptdev}" ${rootdelay}; then
                if /sbin/cryptsetup isLuks ${cryptdev} >/dev/null 2>&1; then
                    [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
                    dopassphrase=1
                    # If keyfile exists, try to use that
                    if [ -f ${ckeyfile} ]; then
                        if [ "${usegpg}" = "y" ]; then
                            # gpg tty fixup: gpg reads its passphrase from /dev/tty, but there is no
                            # controlling terminal in early userspace, so point /dev/tty at the console
                            if [ -e /dev/tty ]; then mv /dev/tty /dev/tty.backup; fi
                            cp -a /dev/console /dev/tty
                            # Retry until the decrypted key opens the device. --key-file=- reads the
                            # key as binary, so a newline inside the random key is not treated as end of input
                            while [ ! -e /dev/mapper/${cryptname} ];
                            do
                                sleep 2
                                /usr/bin/gpg -d "${ckeyfile}" 2>/dev/null | cryptsetup --key-file=- luksOpen ${cryptdev} ${cryptname} ${CSQUIET}
                                dopassphrase=0
                            done
                            rm /dev/tty
                            if [ -e /dev/tty.backup ]; then mv /dev/tty.backup /dev/tty; fi
                        else
                            if eval /sbin/cryptsetup --key-file ${ckeyfile} luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; then
                                dopassphrase=0
                            else
                                echo "Invalid keyfile. Reverting to passphrase."
                            fi
                        fi
                    fi
                    # Ask for a passphrase
                    if [ ${dopassphrase} -gt 0 ]; then
                        echo ""
                        echo "A password is required to access the ${cryptname} volume:"
                        # loop until we get a real password
                        while ! eval /sbin/cryptsetup luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; do
                            sleep 2;
                        done
                    fi
                    if [ -e "/dev/mapper/${cryptname}" ]; then
                        if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
                            export root="/dev/mapper/root"
                        fi
                    else
                        err "Password succeeded, but ${cryptname} creation failed, aborting..."
                        exit 1
                    fi
                elif [ -n "${crypto}" ]; then
                    [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
                    msg "Non-LUKS encrypted device found..."
                    if [ $# -ne 5 ]; then
                        err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip"
                        err "Non-LUKS decryption not attempted..."
                        return 1
                    fi
                    exe="/sbin/cryptsetup create ${cryptname} ${cryptdev}"
                    tmp=$(echo "${crypto}" | cut -d: -f1)
                    [ -n "${tmp}" ] && exe="${exe} --hash \"${tmp}\""
                    tmp=$(echo "${crypto}" | cut -d: -f2)
                    [ -n "${tmp}" ] && exe="${exe} --cipher \"${tmp}\""
                    tmp=$(echo "${crypto}" | cut -d: -f3)
                    [ -n "${tmp}" ] && exe="${exe} --key-size \"${tmp}\""
                    tmp=$(echo "${crypto}" | cut -d: -f4)
                    [ -n "${tmp}" ] && exe="${exe} --offset \"${tmp}\""
                    tmp=$(echo "${crypto}" | cut -d: -f5)
                    [ -n "${tmp}" ] && exe="${exe} --skip \"${tmp}\""
                    if [ -f ${ckeyfile} ]; then
                        exe="${exe} --key-file ${ckeyfile}"
                    else
                        exe="${exe} --verify-passphrase"
                        echo ""
                        echo "A password is required to access the ${cryptname} volume:"
                    fi
                    eval "${exe} ${CSQUIET}"
                    if [ $? -ne 0 ]; then
                        err "Non-LUKS device decryption failed. verify format: "
                        err " crypto=hash:cipher:keysize:offset:skip"
                        exit 1
                    fi
                    if [ -e "/dev/mapper/${cryptname}" ]; then
                        if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
                            export root="/dev/mapper/root"
                        fi
                    else
                        err "Password succeeded, but ${cryptname} creation failed, aborting..."
                        exit 1
                    fi
                else
                    err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume and the crypto= parameter was not specified."
                fi
            fi
            # Never leave the (decrypted or plain) keyfile behind in the initramfs
            rm -f ${ckeyfile}
        fi
    }
    Create /mnt/lib/initcpio/install/etwo:
    #!/bin/bash
    build() {
        local mod
        add_module dm-crypt
        if [[ $CRYPTO_MODULES ]]; then
            for mod in $CRYPTO_MODULES; do
                add_module "$mod"
            done
        else
            add_all_modules '/crypto/'
        fi
        add_dir "/dev/mapper"
        add_binary "cryptsetup"
        add_binary "dmsetup"
        add_binary "/usr/bin/gpg"
        add_file "/usr/lib/udev/rules.d/10-dm.rules"
        add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
        add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
        add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"
        # Required since 2012-12-19, otherwise the hook's run_hook is never called at boot
        add_runscript
    }
    help() {
        cat <<HELPEOF
    This hook allows for an encrypted root device with support for gpg encrypted key files.
    To use gpg, the key file must have the extension .gpg and you have to install gpg and add /usr/bin/gpg
    to your BINARIES var in /etc/mkinitcpio.conf.
    HELPEOF
    }
    Edit /mnt/etc/mkinitcpio.conf (only relevant sections displayed):
    MODULES="ext2 ext4" # not sure if this is really necessary.
    BINARIES="/usr/bin/gpg" # this could probably be done in install/etwo...
    HOOKS="base udev usbinput keymap autodetect pata scsi sata usb etwo filesystems" # (usbinput is only needed if you have a usb keyboard)
    Copy the initcpio stuff over to the live cd:
    cp /mnt/lib/initcpio/hooks/etwo /lib/initcpio/hooks/
    cp /mnt/lib/initcpio/install/etwo /lib/initcpio/install/
    cp /mnt/etc/mkinitcpio.conf /etc/
    Verify your LOCALE, KEYMAP and TIMEZONE in /etc/rc.conf!
    Now reinstall the initcpio:
    mkinitcpio -g /mnt/boot/kernel26.img
    Make sure there were no errors and that all hooks were included.
    13. Decrypt the "var" key to the encrypted root
    mkdir /mnt/keys
    chmod 500 /mnt/keys
    gpg --output /mnt/keys/var -d /mnt/boot/var.gpg
    chmod 400 /mnt/keys/var
    14. Setup crypttab
    Edit /mnt/etc/crypttab:
    swap /dev/sda1 SWAP -c aes-cbc-essiv:sha256 -s 256 -h whirlpool
    var /dev/sda2 /keys/var
    15. Reboot
    We're done, you may reboot. Make sure you select the usb stick as the boot device in your bios and hope for the best. If it didn't work, play with grub's settings or boot from the live cd, mount your encrypted devices and check all settings. You might also have less trouble by using UUIDs instead of device names. I chose device names to keep things as simple as possible, even though it's not the optimal way to do it.
    Make backups of your data and your usb stick and do not forget your password(s)! Or you can say goodbye to your data forever...
    Last edited by fabriceb (2013-01-15 22:36:23)
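    The passphrase + keyfile scheme the original poster asks for, and the --key-file=- newline caveat from step 9 of the guide above, as one added example. This is not code from this thread, from fabriceb's hook or from Arch: it wraps a random LUKS key with a gpg passphrase and decrypts it straight into cryptsetup, so the container needs both the file (on the USB stick) and the passphrase, and the plaintext key never touches disk. It assumes bash, gpg (1.4 or 2.x), cryptsetup, losetup and truncate; every path, device and mapper name is illustrative and the demo needs root.

```shell
#!/bin/bash
# Added example, not code from this thread. Passphrase + keyfile ("two-factor") LUKS:
# a random key is wrapped with a gpg passphrase and, when needed, decrypted straight
# into cryptsetup with --key-file=- so the plaintext key never touches disk.
# Assumes bash, gpg (1.4 or 2.x), cryptsetup, losetup, truncate; root for the demo.
# Every path, device and mapper name below is illustrative.
set -euo pipefail

# --- The newline caveat (cryptsetup 1.1.2 release notes) -----------------------------
# Without --key-file=-, cryptsetup treats piped stdin like a terminal and stops at the
# first newline. A random byte is 0x0a with probability 1/256, so a 2048-byte key
# almost always contains one. These helpers count, for a plaintext key file, the bytes
# cryptsetup would actually use in each mode (demonstration only: in real use the key
# is never written to disk in the clear).
key_bytes_terminal_mode() {
    # bytes before the first newline = what cryptsetup uses WITHOUT --key-file=-
    head -n 1 -- "$1" | tr -d '\n' | wc -c | tr -d ' '
}
key_bytes_keyfile_mode() {
    # the whole file = what cryptsetup uses WITH --key-file=-
    wc -c < "$1" | tr -d ' '
}

# --- Factor 1: something you know. The key is wrapped with a gpg passphrase ----------
make_gpg_keyfile() {
    # $1: output path on the USB stick (e.g. /root/usb/root.gpg).
    # One pipeline, no temp file: the plaintext key exists only in memory.
    # --s2k-digest-algo is the hash used to derive the wrapping key from the passphrase.
    dd if=/dev/urandom bs=512 count=4 2>/dev/null \
      | gpg --symmetric --cipher-algo AES256 --s2k-digest-algo SHA512 --armor --output "$1"
}

# --- Factor 2: something you have. The LUKS container only opens with that key -------
luks_format_2fa() {
    # $1: gpg keyfile, $2: block device.
    # --key-file=- reads stdin as binary (newlines are key bytes, not terminators);
    # --batch-mode skips the "Type uppercase yes" confirmation so the pipeline is non-interactive.
    gpg --quiet --decrypt "$1" \
      | cryptsetup --batch-mode --key-file=- --cipher aes-xts-plain64 --key-size 512 \
                   --hash sha512 luksFormat "$2"
}
luks_open_2fa() {
    # $1: gpg keyfile, $2: block device, $3: mapper name
    gpg --quiet --decrypt "$1" | cryptsetup --key-file=- luksOpen "$2" "$3"
}
add_recovery_passphrase() {
    # Put a plain passphrase in a second key slot so a lost USB stick is not lost data.
    # The existing key arrives on stdin; cryptsetup prompts for the new passphrase on /dev/tty.
    gpg --quiet --decrypt "$1" | cryptsetup --key-file=- luksAddKey "$2"
}

demo() {
    # Exercise the flow on a loop device backed by a temporary image (root required).
    # gpg prompts for the wrapping passphrase each time it runs.
    local dir img loop
    dir=$(mktemp -d)
    img="$dir/disk.img"
    truncate -s 32M "$img"
    loop=$(losetup --find --show "$img")
    trap "cryptsetup luksClose luks2fa_demo 2>/dev/null || true; losetup -d $loop; rm -rf $dir" EXIT
    make_gpg_keyfile "$dir/root.gpg"                 # factor 1 is chosen here
    luks_format_2fa "$dir/root.gpg" "$loop"          # needs file + passphrase
    luks_open_2fa "$dir/root.gpg" "$loop" luks2fa_demo
    cryptsetup status luks2fa_demo
    cryptsetup luksDump "$loop" | grep -E '^(Cipher|Key Slot)'
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

    Run it with the single argument demo as root inside the VM the poster plans to use. The AND semantics come for free: cryptsetup never sees a passphrase at all, the only populated key slot holds the random key, and that key is only obtainable by having root.gpg and knowing its gpg passphrase. Whether to add a recovery passphrase with add_recovery_passphrase is a trade-off: it removes the "lost USB stick" failure mode but turns the scheme back into "either factor" for anyone who learns that passphrase.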

    I'm trying to run my install script that is based on https://bbs.archlinux.org/viewtopic.php?id=129885
    Decrypting the gpg key after grub works, but then "Device root already exists." appears every second.
    any idea ?
    #!/bin/bash
    # This script is designed to be run in conjunction with a UEFI boot using Archboot install media.
    # prereqs:
    # EFI "BIOS" set to boot *only* from EFI
    # successful EFI boot of Archboot USB
    # mount /dev/sdb1 /src
    set -o nounset
    #set -o errexit
    # Host specific configuration
    # this whole script needs to be customized, particularly disk partitions
    # and configuration, but this section contains global variables that
    # are used during the system configuration phase for convenience
    HOSTNAME=daniel
    USERNAME=user
    # Globals
    # We don't need to set these here but they are used repeatedly throughout
    # so it makes sense to reuse them and allow an easy, one-time change if we
    # need to alter values such as the install target mount point.
    INSTALL_TARGET="/install"
    HR="--------------------------------------------------------------------------------"
    PACMAN="pacman --noconfirm --config /tmp/pacman.conf"
    TARGET_PACMAN="pacman --noconfirm --config /tmp/pacman.conf -r ${INSTALL_TARGET}"
    CHROOT_PACMAN="pacman --noconfirm --cachedir /var/cache/pacman/pkg --config /tmp/pacman.conf -r ${INSTALL_TARGET}"
    FILE_URL="file:///packages/core-$(uname -m)/pkg"
    FTP_URL='ftp://mirrors.kernel.org/archlinux/$repo/os/$arch'
    HTTP_URL='http://mirrors.kernel.org/archlinux/$repo/os/$arch'
    # Functions
    # I've avoided using functions in this script as they aren't required and
    # I think it's more of a learning tool if you see the step-by-step
    # procedures even with minor duplications along the way, but I feel that
    # these functions clarify the particular steps of setting values in config
    # files.
    SetValue () {
    # EXAMPLE: SetValue VARIABLENAME '\"Quoted Value\"' /file/path
    VALUENAME="$1" NEWVALUE="$2" FILEPATH="$3"
    sed -i "s+^#\?\(${VALUENAME}\)=.*$+\1=${NEWVALUE}+" "${FILEPATH}"
    }
    CommentOutValue () {
    VALUENAME="$1" FILEPATH="$2"
    sed -i "s/^\(${VALUENAME}.*\)$/#\1/" "${FILEPATH}"
    }
    UncommentValue () {
    VALUENAME="$1" FILEPATH="$2"
    sed -i "s/^#\(${VALUENAME}.*\)$/\1/" "${FILEPATH}"
    }
    # Initialize
    # Warn the user about impending doom, set up the network on eth0, mount
    # the squashfs images (Archboot does this normally, we're just filling in
    # the gaps resulting from the fact that we're doing a simple scripted
    # install). We also create a temporary pacman.conf that looks for packages
    # locally first before sourcing them from the network. It would be better
    # to do either *all* local or *all* network but we can't for two reasons.
    # 1. The Archboot installation image might have an out of date kernel
    # (currently the case) which results in problems when chrooting
    # into the install mount point to modprobe efivars. So we use the
    # package snapshot on the Archboot media to ensure our kernel is
    # the same as the one we booted with.
    # 2. Ideally we'd source all local then, but some critical items,
    # notably grub2-efi variants, aren't yet on the Archboot media.
    # Warn
    timer=9
    echo -e "\n\nMAC WARNING: This script is not designed for APPLE MAC installs and will potentially misconfigure boot to your existing OS X installation. STOP NOW IF YOU ARE ON A MAC.\n\n"
    echo -n "GENERAL WARNING: This procedure will completely format /dev/sda. Please cancel with ctrl-c to cancel within $timer seconds..."
    while [[ $timer -gt 0 ]]
    do
    sleep 1
    let timer-=1
    echo -en "$timer seconds..."
    done
    echo "STARTING"
    # Get Network
    echo -n "Waiting for network address.."
    #dhclient eth0
    dhcpcd -p eth0
    echo -n "Network address acquired."
    # Mount packages squashfs images
    umount "/packages/core-$(uname -m)"
    umount "/packages/core-any"
    rm -rf "/packages/core-$(uname -m)"
    rm -rf "/packages/core-any"
    mkdir -p "/packages/core-$(uname -m)"
    mkdir -p "/packages/core-any"
    modprobe -q loop
    modprobe -q squashfs
    mount -o ro,loop -t squashfs "/src/packages/archboot_packages_$(uname -m).squashfs" "/packages/core-$(uname -m)"
    mount -o ro,loop -t squashfs "/src/packages/archboot_packages_any.squashfs" "/packages/core-any"
    # Create temporary pacman.conf file
    cat << PACMANEOF > /tmp/pacman.conf
    [options]
    Architecture = auto
    CacheDir = ${INSTALL_TARGET}/var/cache/pacman/pkg
    CacheDir = /packages/core-$(uname -m)/pkg
    CacheDir = /packages/core-any/pkg
    [core]
    Server = ${FILE_URL}
    Server = ${FTP_URL}
    Server = ${HTTP_URL}
    [extra]
    Server = ${FILE_URL}
    Server = ${FTP_URL}
    Server = ${HTTP_URL}
    #Uncomment to enable pacman -Sy yaourt
    [archlinuxfr]
    Server = http://repo.archlinux.fr/\$arch
    PACMANEOF
    # Prepare pacman
    [[ ! -d "${INSTALL_TARGET}/var/cache/pacman/pkg" ]] && mkdir -m 755 -p "${INSTALL_TARGET}/var/cache/pacman/pkg"
    [[ ! -d "${INSTALL_TARGET}/var/lib/pacman" ]] && mkdir -m 755 -p "${INSTALL_TARGET}/var/lib/pacman"
    ${PACMAN} -Sy
    ${TARGET_PACMAN} -Sy
    # Install prereqs from network (not on archboot media)
    echo -e "\nInstalling prereqs...\n$HR"
    #sed -i "s/^#S/S/" /etc/pacman.d/mirrorlist # Uncomment all Server lines
    UncommentValue S /etc/pacman.d/mirrorlist # Uncomment all Server lines
    ${PACMAN} --noconfirm -Sy gptfdisk btrfs-progs-unstable libusb-compat gnupg
    # Configure Host
    # Here we create three partitions:
    # 1. efi and /boot (one partition does double duty)
    # 2. swap
    # 3. our encrypted root
    # Note that all of these are on a GUID partition table scheme. This proves
    # to be quite clean and simple since we're not doing anything with MBR
    # boot partitions and the like.
    echo -e "format\n"
    # shred -v /dev/sda
    # disk prep
    sgdisk -Z /dev/sda # zap all on disk
    #sgdisk -Z /dev/mmcb1k0 # zap all on sdcard
    sgdisk -a 2048 -o /dev/sda # new gpt disk 2048 alignment
    #sgdisk -a 2048 -o /dev/mmcb1k0
    # create partitions
    sgdisk -n 1:0:+200M /dev/sda # partition 1 (UEFI BOOT), default start block, 200MB
    sgdisk -n 2:0:+4G /dev/sda # partition 2 (SWAP), default start block, 4GB
    sgdisk -n 3:0:0 /dev/sda # partition 3, (LUKS), default start, remaining space
    #sgdisk -n 1:0:1800M /dev/mmcb1k0 # root.gpg
    # set partition types
    sgdisk -t 1:ef00 /dev/sda
    sgdisk -t 2:8200 /dev/sda
    sgdisk -t 3:8300 /dev/sda
    #sgdisk -t 1:0700 /dev/mmcb1k0
    # label partitions
    sgdisk -c 1:"UEFI Boot" /dev/sda
    sgdisk -c 2:"Swap" /dev/sda
    sgdisk -c 3:"LUKS" /dev/sda
    #sgdisk -c 1:"Key" /dev/mmcb1k0
    echo -e "create gpg file\n"
    # create gpg file
    dd if=/dev/urandom bs=512 count=4 | gpg -v --cipher-algo aes256 --digest-algo sha512 -c -a > /root/root.gpg
    echo -e "format LUKS on root\n"
    # format LUKS on root
    gpg -q -d /root/root.gpg 2>/dev/null | cryptsetup -v --key-file=- -c aes-xts-plain -s 512 --hash sha512 luksFormat /dev/sda3
    echo -e "open LUKS on root\n"
    gpg -d /root/root.gpg 2>/dev/null | cryptsetup -v --key-file=- luksOpen /dev/sda3 root
    # NOTE: make sure to add dm_crypt and aes_i586 to MODULES in rc.conf
    # NOTE2: actually this isn't required since we're mounting an encrypted root and grub2/initramfs handles this before we even get to rc.conf
    # make filesystems
    # following swap related commands not used now that we're encrypting our swap partition
    #mkswap /dev/sda2
    #swapon /dev/sda2
    #mkfs.ext4 /dev/sda3 # this is where we'd create an unencrypted root partition, but we're using luks instead
    echo -e "\nCreating Filesystems...\n$HR"
    # make filesystems
    mkfs.ext4 /dev/mapper/root
    mkfs.vfat -F32 /dev/sda1
    #mkfs.vfat -F32 /dev/mmcb1k0p1
    echo -e "mount targets\n"
    # mount target (the mount point must exist before mounting; mkdir -p is a no-op if it already does)
    #mount /dev/sda3 ${INSTALL_TARGET} # this is where we'd mount the unencrypted root partition
    mkdir -p ${INSTALL_TARGET}
    mount /dev/mapper/root ${INSTALL_TARGET}
    # mkdir ${INSTALL_TARGET}/key
    # mount -t vfat /dev/mmcb1k0p1 ${INSTALL_TARGET}/key
    mkdir ${INSTALL_TARGET}/boot
    mount -t vfat /dev/sda1 ${INSTALL_TARGET}/boot
    # Install base, necessary utilities
    mkdir -p ${INSTALL_TARGET}/var/lib/pacman
    ${TARGET_PACMAN} -Sy
    ${TARGET_PACMAN} -Su base
    # curl could be installed later but we want it ready for rankmirrors
    ${TARGET_PACMAN} -S curl
    ${TARGET_PACMAN} -S libusb-compat gnupg
    ${TARGET_PACMAN} -R grub
    rm -rf ${INSTALL_TARGET}/boot/grub
    ${TARGET_PACMAN} -S grub2-efi-x86_64
    # Configure new system
    SetValue HOSTNAME ${HOSTNAME} ${INSTALL_TARGET}/etc/rc.conf
    sed -i "s/^\(127\.0\.0\.1.*\)$/\1 ${HOSTNAME}/" ${INSTALL_TARGET}/etc/hosts
    SetValue CONSOLEFONT Lat2-Terminus16 ${INSTALL_TARGET}/etc/rc.conf
    #following replaced due to netcfg
    #SetValue interface eth0 ${INSTALL_TARGET}/etc/rc.conf
    # write fstab
    # You can use UUID's or whatever you want here, of course. This is just
    # the simplest approach and as long as your drives aren't changing values
    # randomly it should work fine.
    cat > ${INSTALL_TARGET}/etc/fstab <<FSTAB_EOF
    # /etc/fstab: static file system information
    # <file system> <dir> <type> <options> <dump> <pass>
    tmpfs /tmp tmpfs nodev,nosuid 0 0
    /dev/sda1 /boot vfat defaults 0 0
    /dev/mapper/cryptswap none swap defaults 0 0
    /dev/mapper/root / ext4 defaults,noatime 0 1
    FSTAB_EOF
    # write etwo
    mkdir -p /lib/initcpio/hooks/
    mkdir -p /lib/initcpio/install/
    cp /src/etwo_hooks /lib/initcpio/hooks/etwo
    cp /src/etwo_install /lib/initcpio/install/etwo
    mkdir -p ${INSTALL_TARGET}/lib/initcpio/hooks/
    mkdir -p ${INSTALL_TARGET}/lib/initcpio/install/
    cp /src/etwo_hooks ${INSTALL_TARGET}/lib/initcpio/hooks/etwo
    cp /src/etwo_install ${INSTALL_TARGET}/lib/initcpio/install/etwo
    # write crypttab
    # encrypted swap (random passphrase on boot)
    echo cryptswap /dev/sda2 SWAP "-c aes-xts-plain -h whirlpool -s 512" >> ${INSTALL_TARGET}/etc/crypttab
    # copy configs we want to carry over to target from install environment
    mv ${INSTALL_TARGET}/etc/resolv.conf ${INSTALL_TARGET}/etc/resolv.conf.orig
    cp /etc/resolv.conf ${INSTALL_TARGET}/etc/resolv.conf
    mkdir -p ${INSTALL_TARGET}/tmp
    cp /tmp/pacman.conf ${INSTALL_TARGET}/tmp/pacman.conf
    # mount proc, sys, dev in install root
    mount -t proc proc ${INSTALL_TARGET}/proc
    mount -t sysfs sys ${INSTALL_TARGET}/sys
    mount -o bind /dev ${INSTALL_TARGET}/dev
    echo -e "umount boot\n"
    # we have to remount /boot from inside the chroot
    umount ${INSTALL_TARGET}/boot
    # Create install_efi script (to be run *after* chroot /install)
    touch ${INSTALL_TARGET}/install_efi
    chmod a+x ${INSTALL_TARGET}/install_efi
    cat > ${INSTALL_TARGET}/install_efi <<EFI_EOF
    # functions (these could be a library, but why overcomplicate things
    SetValue () { VALUENAME="\$1" NEWVALUE="\$2" FILEPATH="\$3"; sed -i "s+^#\?\(\${VALUENAME}\)=.*\$+\1=\${NEWVALUE}+" "\${FILEPATH}"; }
    CommentOutValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^\(\${VALUENAME}.*\)\$/#\1/" "\${FILEPATH}"; }
    UncommentValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^#\(\${VALUENAME}.*\)\$/\1/" "\${FILEPATH}"; }
    echo -e "mount boot\n"
    # remount here or grub et al gets confused
    mount -t vfat /dev/sda1 /boot
    # mkinitcpio
    # NOTE: intel_agp drm and i915 for intel graphics
    SetValue MODULES '\\"dm_mod dm_crypt aes_x86_64 ext2 ext4 vfat intel_agp drm i915\\"' /etc/mkinitcpio.conf
    SetValue HOOKS '\\"base udev pata scsi sata usb usbinput keymap consolefont etwo encrypt filesystems\\"' /etc/mkinitcpio.conf
    SetValue BINARIES '\\"/usr/bin/gpg\\"' /etc/mkinitcpio.conf
    mkinitcpio -p linux
    # kernel modules for EFI install
    modprobe efivars
    modprobe dm-mod
    # locale-gen
    UncommentValue de_AT /etc/locale.gen
    locale-gen
    # install and configure grub2
    # did this above
    #${CHROOT_PACMAN} -Sy
    #${CHROOT_PACMAN} -R grub
    #rm -rf /boot/grub
    #${CHROOT_PACMAN} -S grub2-efi-x86_64
    # you can be surprisingly sloppy with the root value you give grub2 as a kernel option and
    # even omit the cryptdevice altogether, though it will wag a finger at you for using
    # a deprecated syntax, so we're using the correct form here
    # NOTE: take out i915.modeset=1 unless you are on intel graphics
    SetValue GRUB_CMDLINE_LINUX '\\"cryptdevice=/dev/sda3:root cryptkey=/dev/sda1:vfat:/root.gpg add_efi_memmap i915.i915_enable_rc6=1 i915.i915_enable_fbc=1 i915.lvds_downclock=1 pcie_aspm=force quiet\\"' /etc/default/grub
    # set output to graphical
    SetValue GRUB_TERMINAL_OUTPUT gfxterm /etc/default/grub
    SetValue GRUB_GFXMODE 960x600x32,auto /etc/default/grub
    SetValue GRUB_GFXPAYLOAD_LINUX keep /etc/default/grub # comment out this value if text only mode
    # install the actual grub2. Note that despite our --boot-directory option we will still need to move
    # the grub directory to /boot/grub during grub-mkconfig operations until grub2 gets patched (see below)
    grub_efi_x86_64-install --bootloader-id=grub --no-floppy --recheck
    # create our EFI boot entry
    # bug in the HP bios firmware (F.08)
    efibootmgr --create --gpt --disk /dev/sda --part 1 --write-signature --label "ARCH LINUX" --loader "\\\\grub\\\\grub.efi"
    # copy font for grub2
    cp /usr/share/grub/unicode.pf2 /boot/grub
    # generate config file
    grub-mkconfig -o /boot/grub/grub.cfg
    exit
    EFI_EOF
    # Install EFI using script inside chroot
    chroot ${INSTALL_TARGET} /install_efi
    rm ${INSTALL_TARGET}/install_efi
    # Post install steps
    # anything you want to do post install. run the script automatically or
    # manually
    touch ${INSTALL_TARGET}/post_install
    chmod a+x ${INSTALL_TARGET}/post_install
    cat > ${INSTALL_TARGET}/post_install <<POST_EOF
    set -o errexit
    set -o nounset
    # functions (these could be a library, but why overcomplicate things
    SetValue () { VALUENAME="\$1" NEWVALUE="\$2" FILEPATH="\$3"; sed -i "s+^#\?\(\${VALUENAME}\)=.*\$+\1=\${NEWVALUE}+" "\${FILEPATH}"; }
    CommentOutValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^\(\${VALUENAME}.*\)\$/#\1/" "\${FILEPATH}"; }
    UncommentValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^#\(\${VALUENAME}.*\)\$/\1/" "\${FILEPATH}"; }
    # root password
    echo -e "${HR}\\nNew root user password\\n${HR}"
    passwd
    # add user
    echo -e "${HR}\\nNew non-root user password (username:${USERNAME})\\n${HR}"
    groupadd sudo
    useradd -m -g users -G audio,lp,optical,storage,video,games,power,scanner,network,sudo,wheel -s /bin/bash ${USERNAME}
    passwd ${USERNAME}
    # mirror ranking
    echo -e "${HR}\\nRanking Mirrors (this will take a while)\\n${HR}"
    cp /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.orig
    mv /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.all
    sed -i "s/#S/S/" /etc/pacman.d/mirrorlist.all
    rankmirrors -n 5 /etc/pacman.d/mirrorlist.all > /etc/pacman.d/mirrorlist
    # temporary fix for locale.sh update conflict
    mv /etc/profile.d/locale.sh /etc/profile.d/locale.sh.preupdate || true
    # yaourt repo (add to target pacman, not tmp pacman.conf, for ongoing use)
    echo -e "\\n[archlinuxfr]\\nServer = http://repo.archlinux.fr/\\\$arch" >> /etc/pacman.conf
    echo -e "\\n[haskell]\\nServer = http://www.kiwilight.com/\\\$repo/\\\$arch" >> /etc/pacman.conf
    # additional groups and utilities
    pacman --noconfirm -Syu
    pacman --noconfirm -S base-devel
    pacman --noconfirm -S yaourt
    # sudo
    pacman --noconfirm -S sudo
    cp /etc/sudoers /tmp/sudoers.edit
    sed -i "s/#\s*\(%wheel\s*ALL=(ALL)\s*ALL.*$\)/\1/" /tmp/sudoers.edit
    sed -i "s/#\s*\(%sudo\s*ALL=(ALL)\s*ALL.*$\)/\1/" /tmp/sudoers.edit
    visudo -qcsf /tmp/sudoers.edit && cat /tmp/sudoers.edit > /etc/sudoers
    # power
    pacman --noconfirm -S acpi acpid acpitool cpufrequtils
    yaourt --noconfirm -S powertop2
    sed -i "/^DAEMONS/ s/)/ @acpid)/" /etc/rc.conf
    sed -i "/^MODULES/ s/)/ acpi-cpufreq cpufreq_ondemand cpufreq_powersave coretemp)/" /etc/rc.conf
    # following requires my acpi handler script
    echo "/etc/acpi/handler.sh boot" > /etc/rc.local
    # time
    pacman --noconfirm -S ntp
    sed -i "/^DAEMONS/ s/hwclock /!hwclock @ntpd /" /etc/rc.conf
    # wireless (wpa supplicant should already be installed)
    pacman --noconfirm -S iw wpa_supplicant rfkill
    pacman --noconfirm -S netcfg wpa_actiond ifplugd
    mv /etc/wpa_supplicant.conf /etc/wpa_supplicant.conf.orig
    echo -e "ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=network\nupdate_config=1" > /etc/wpa_supplicant.conf
    # make sure to copy /etc/network.d/examples/wireless-wpa-config to /etc/network.d/home and edit
    sed -i "/^DAEMONS/ s/)/ @net-auto-wireless @net-auto-wired)/" /etc/rc.conf
    sed -i "/^DAEMONS/ s/ network / /" /etc/rc.conf
    echo -e "\nWIRELESS_INTERFACE=wlan0" >> /etc/rc.conf
    echo -e "WIRED_INTERFACE=eth0" >> /etc/rc.conf
    echo "options iwlagn led_mode=2" > /etc/modprobe.d/iwlagn.conf
    # sound
    pacman --noconfirm -S alsa-utils alsa-plugins
    sed -i "/^DAEMONS/ s/)/ @alsa)/" /etc/rc.conf
    mv /etc/asound.conf /etc/asound.conf.orig || true
    #if alsamixer isn't working, try alsamixer -Dhw and speaker-test -Dhw -c 2
    # video
    pacman --noconfirm -S base-devel mesa mesa-demos
    # x
    #pacman --noconfirm -S xorg xorg-xinit xorg-utils xorg-server-utils xdotool xorg-xlsfonts
    #yaourt --noconfirm -S xf86-input-wacom-git # NOT NEEDED? input-wacom-git
    #TODO: cut down the install size
    #pacman --noconfirm -S xorg-server xorg-xinit xorg-utils xorg-server-utils
    # TODO: wacom
    # environment/wm/etc.
    #pacman --noconfirm -S xfce4 compiz ccsm
    #pacman --noconfirm -S xcompmgr
    #yaourt --noconfirm -S physlock unclutter
    #pacman --noconfirm -S rxvt-unicode urxvt-url-select hsetroot
    #pacman --noconfirm -S gtk2 #gtk3 # for taffybar?
    #pacman --noconfirm -S ghc
    # note: try installing alex and happy from cabal instead
    #pacman --noconfirm -S haskell-platform haskell-hscolour
    #yaourt --noconfirm -S xmonad-darcs xmonad-contrib-darcs xcompmgr
    #yaourt --noconfirm -S xmobar-git
    # TODO: edit xfce to use compiz
    # TODO: xmonad, but deal with video tearing
    # TODO: xmonad-darcs fails to install from AUR. haskell dependency hell.
    # switching to cabal
    # fonts
    pacman --noconfirm -S terminus-font
    yaourt --noconfirm -S webcore-fonts
    yaourt --noconfirm -S fontforge libspiro
    yaourt --noconfirm -S freetype2-git-infinality
    # TODO: sed infinality and change to OSX or OSX2 mode
    # and create the sym link from /etc/fonts/conf.avail to conf.d
    # misc apps
    #pacman --noconfirm -S htop openssh keychain bash-completion git vim
    #pacman --noconfirm -S chromium flashplugin
    #pacman --noconfirm -S scrot mypaint bc
    #yaourt --noconfirm -S task-git stellarium googlecl
    # TODO: argyll
    POST_EOF
    # Post install in chroot
    #echo "chroot and run /post_install"
    chroot /install /post_install
    rm /install/post_install
    # copy grub.efi file to the default HP EFI boot manager path
    mkdir -p ${INSTALL_TARGET}/boot/EFI/Microsoft/BOOT/
    mkdir -p ${INSTALL_TARGET}/boot/EFI/BOOT/
    cp ${INSTALL_TARGET}/boot/grub/grub.efi ${INSTALL_TARGET}/boot/EFI/Microsoft/BOOT/bootmgfw.efi
    cp ${INSTALL_TARGET}/boot/grub/grub.efi ${INSTALL_TARGET}/boot/EFI/BOOT/BOOTX64.EFI
    cp /root/root.gpg ${INSTALL_TARGET}/boot/
    # NOTES/TODO
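The passphrase-plus-keyfile arrangement the script above builds with gpg -c, modelled in pure Python as an added example (it is not code from this thread, from the script's author or from the Arch project). gpg itself is not used: the wrapping format is a stand-in built from stdlib primitives (PBKDF2-HMAC-SHA512 key derivation, an HMAC-SHA256 counter-mode keystream and an encrypt-then-MAC tag) and is not interoperable with OpenPGP. The 2048-byte key size matches the dd bs=512 count=4 in the script; the function names, the iteration count and the sample passphrases are assumptions of this example. What it shows is why the setup is two-factor: the raw LUKS key only ever exists as the output of the unwrap step, so a missing keyfile, a wrong passphrase or a tampered file all fail to unlock.

```python
"""
Two-factor LUKS key wrapping, modelled with stdlib primitives only.

Added example, not code from the forum thread or from the Arch project.
The LUKS key material is random bytes kept on removable media (something
you have), encrypted under a passphrase (something you know). The format
below (salt || ciphertext || tag) is a stand-in for `gpg -c`; it is NOT
interoperable with OpenPGP.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

KEYFILE_BYTES = 2048        # dd bs=512 count=4 in the original script
PBKDF2_ITERATIONS = 100_000  # assumed value for this example
SALT_BYTES = 16
TAG_BYTES = 32


def derive_keys(passphrase: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive a 32-byte encryption key and a 32-byte MAC key from the passphrase."""
    material = hashlib.pbkdf2_hmac("sha512", passphrase.encode(), salt,
                                   PBKDF2_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 over a big-endian counter, used as a PRF-based stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def wrap_keyfile(raw_key: bytes, passphrase: str) -> bytes:
    """Encrypt raw LUKS key material under a passphrase: salt || ciphertext || tag."""
    salt = os.urandom(SALT_BYTES)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ciphertext = bytes(a ^ b for a, b in zip(raw_key, keystream(enc_key, len(raw_key))))
    tag = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).digest()
    return salt + ciphertext + tag


def unwrap_keyfile(blob: bytes, passphrase: str) -> bytes:
    """Recover key material; raise ValueError on a wrong passphrase or a tampered file."""
    if len(blob) < SALT_BYTES + TAG_BYTES:
        raise ValueError("keyfile too short")
    salt, ciphertext, tag = blob[:SALT_BYTES], blob[SALT_BYTES:-TAG_BYTES], blob[-TAG_BYTES:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).digest()
    # Verify the tag (constant-time) before touching the ciphertext: encrypt-then-MAC.
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad passphrase or corrupted keyfile")
    return bytes(a ^ b for a, b in zip(ciphertext, keystream(enc_key, len(ciphertext))))


def new_luks_keyfile(passphrase: str) -> Tuple[bytes, bytes]:
    """Return (raw_key, wrapped_blob): raw_key is what would feed cryptsetup --key-file=-."""
    raw_key = os.urandom(KEYFILE_BYTES)
    return raw_key, wrap_keyfile(raw_key, passphrase)


def can_unlock(blob: Optional[bytes], passphrase: str, expected_key: bytes) -> bool:
    """Model the boot-time check: both the wrapped file and the passphrase are required."""
    if blob is None:                # USB stick or boot partition not present
        return False
    try:
        return hmac.compare_digest(unwrap_keyfile(blob, passphrase), expected_key)
    except ValueError:              # wrong passphrase or tampered file
        return False


if __name__ == "__main__":
    key, blob = new_luks_keyfile("correct horse battery staple")
    print("both factors present:   ", can_unlock(blob, "correct horse battery staple", key))
    print("wrong passphrase:       ", can_unlock(blob, "password", key))
    print("keyfile missing:        ", can_unlock(None, "correct horse battery staple", key))
```

In the real setup the unwrapped bytes are what is piped into cryptsetup --key-file=-, and the wrapped blob is what lives on the stick or the boot partition; that blob is all someone with just the hardware obtains, so its strength rests entirely on the passphrase and the KDF cost.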

  • Need help with two-factor auth for windows logon using CSS

    Hi all,
    I have been trying for a couple of days now to get two-factor auth for windows logon working on my X1C Type 3443.
    I am running Windows 7 (64-bit) with Lenovo System Update 5.06.0007, Lenovo Solution Center 2.6.001.00, ThinkVantage Fingerprint Software 5.9.9.7282, ThinkVantage Client Security Solution 8.30.0031.00. If it's of any importance, my X1C was originally shipped with Windows 8, but I couldn't stand it and reinstalled Windows 7 instead.
    I have uninstalled and reinstalled the above programs in the following order:
    1) Install System Update and reboot
    2) Install Solution Center and reboot
    3) Install CSS and reboot
    4) Install Fingerprint Software and reboot
    Everything seems to be working fine by itself, except that when I try to configure two-factor auth in CSS, the Fingerprint tab (on the left of the GUI) is greyed out and CSS tells me that I have no fingerprints enrolled. The Fingerprint Software, however, is working just fine and shows me as having a fingerprint enrolled there.
    I have spent all morning searching for a solution, but everything I find dates back to 2011, when ThinkPads still came with ThinkVantage Toolbox. I obviously can't download that anymore, so I'm at a loss. Can someone please help? Thanks!
    Candace


  • Does anyone know of a mini stereo with surround sound and optical input in Mac Mini form factor?

    Does anyone know of a mini stereo with surround sound and optical input in Mac Mini form factor?
    I use a Mini as the family media center and would like to have 5.1 or 7.1 sound for films but don't want a huge piece of electronic equipment (I have one of those, but it isn't hooked up because it doesn't fit on the bookshelf). Years ago I used a PC and still use the Creative Audigy speaker system (Jimmy rigged to the Mini) that I ran from the PC. The Audigy PCI sound card obviously doesn't work on the Mini, so I just have two channel plus sub. That has been fine since I switched to the Mini in 2007, but am updating to a new Mini in the summer and would like to upgrade my sound as well.
    I also wouldn't be opposed to a USB soundcard that can drive the speakers. In fact, my wife would prefer smaller and less visible, ergo USB card hidden in the back.
    Suggestions?

    Hello John, I figured it was a signal issue. All the speakers fire and the sound is great. I was running the speakers thru a Dell PC with a Creative X-Fi Elite Pro, THX Certified, 7.1 soundcard using a fiber optic from the Mac Pro to the Z906's, it worked great until the Dell died!!! When I bought the soundcard from Creative I also bought the GigaWorks S750, THX Certified, 700 watt, 7.1 speaker system, used the speakers for 11 years and then the woofer/amp said "I QUIT" Creative quit making the speaker system and the sound card. The satellite speakers from the Creative GigaWorks speaker system still sound great (rated at 78 watt each) and are a little better speaker than the one's that came with the Z906 and the wattage from the 906 is sufficient to drive the satellites without any distortion. Thank you for addressing my issue, you confirmed what I suspected all along, just needed to hear it from someone with the same setup.
    One last question, I purchased a Diamond Multimedia USB Soundcard, can't use the fiber optic (not supported by Mac) but the green, tan and black RCAs plug in and produce adequately. When you plug your 906's into the Mac Pro using the fiber optic how do you set your speaker configuration? When I plug into the Mac Pro with fiber optic the 'Audio Midi Setup' does not seem to see the 5.1 configuration. Any thoughts there?
    Carl

  • How to update firmware for HP Compaq DC small form factor

    I have an HP Compaq dc7700 small form factor, Windows XP Pro. It was bought on eBay and works fine except for one thing. The BIOS was upgraded but the firmware is not upgrading. The BIOS was upgraded to V3.05 but the firmware remains 2.04.
    I downloaded all the updates and firmware and followed instructions but I seem to have problems updating the firmware. I would like to know how to do this step by step because the instructions I read seem to be missing some steps. My question is how to update the firmware. I did read the instructions but could not get it updated. Either updating via Windows or in DOS, I can't seem to make it successful. There are two error messages:
    1. ME BIOS Extension module has halted. Update BIOS or Management Engine firmware if problem persists.
    2. AMT management engine is disabled.

    HP normally uses the term BIOS to refer to motherboard/CPU "firmware" updates and Firmware to refer to other device "firmware" updates... Below is a list of the two classes of firmware;
    BIOS 
    Business Desktops BIOS Utilities 4.02 Rev. A
    Microcode Update for HP 786E BIOS Family Computers with Intel Processors 1.06 Rev. A
    HP Compaq Business Desktop ME Firmware Update and Utilities 2.2.30.1046 Rev. A
    HP Compaq dc7700p Business Desktop System BIOS for Intel vPro Technology (786E1 BIOS) 3.05 Rev. A
    HP Compaq Business Desktop System BIOS (786E1 BIOS) 1.15 Rev. A
    Firmware
    Western Digital 7200-rpm Hard Drive Firmware Update 3.03E03 Rev. A
    Intel PRO/1000 Firmware 1.10 Rev. A
    HP Optical Drive (TSST H353B DVD-ROM) Firmware Update BC08 Rev. A
    HP Optical Drive (TSST H653N DVD-RW) Firmware Update HB02 Rev. A
    Seagate Hard Drive Firmware Upgrade for 500-GB Barracuda 7200.11 HP13 Rev. A
    ATI X1600XT Graphics Card Video BIOS Update S3A67124.104 Rev. A
    Samsung Hard Drive Firmware Upgrade - SATA Drives 42_51 Rev. A
    Please identify the exact device you wish to upgrade/update the firmware to.
    Frank

  • Random, excruciatingly slow load time with 7900 Elite small form factor desktops

    Hi all, I have approx 300 HP 7900 Elite small form factor machines in my environment that were deployed just over two years ago. From the time of deployment we have experienced on about 50 occasions a random, excruciatingly slow load time that takes about one hour for the user to log in and open their programs. There has been no rhyme or reason for it: different floors, areas of the building, etc. I searched the forum for similar probs and didn't see one like this; I hope I'm not duplicating efforts from someone else's question... One thing we have noticed is that if we re-boot while it is going through the start-up process, it seems to "make it angry" and will lengthen the overall load time. We use the 32-bit Vista Enterprise OS. This is with a "stock" build, that is to say, our standard corporate build. Our security policy does not allow users to install software, by the way. Thanks so much if you can help!

    Hi,
    How is the issue going? Usually, this error can be caused by a missing third-party NIC driver. To solve the issue, we can download the missing network driver and update the WDS boot image to include it.
    In addition to the article provided by Chris, the following blog can also be referred to as reference.
    http://askmetricks.blogspot.in/2013/03/solvedwdsclient-error-occurred-while.html
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Best regards,
    Frank Shen

  • Can i set up my drive as encrypted with different partitions for different versions of osx?

    i have some questions about setting up an encrypted drive with different versions of osx installed on separate partitions, and how this choice effects time-machine and the emergency recovery disk.
    I have a new/refurbished macbook pro with a SSD.  it already has mavericks installed.  i want to fully wipe the drive and reinstall everything my self because I'm odd like that.
    first wiping the current drive
    Does the recovery partition get wiped if I use Disk Utility to reformat the drive, even though the recovery partition does not show up as a partition when I look at it with Disk Utility? I would like to know I've wiped all partitions so that no little bugger gets left without me knowing. Disk Utility does not show the recovery partition and this makes me concerned it might not wipe it.
    Does mavericks automatically make a recovery partition during the installation process? Or do i need to make a new 1gb partition for the recovery disk?
    Can i have two different partitions on my drive with separate installations of OSX on it? (one for work that i don't update the system os till my current project is done, and the other for experimenting with new software.)
    will time machine back up both of the partitions or just one?
    can i accomplish all this from a bootable usb drive or do i need to do this in target disk mode? 
    do i need to use a more capable utility than the stock apple "disk-utility"?
    when reformatting the drive should i format it as encrypted or let file vault do this after i install mavericks?
    how much does encryption slow down performance for things like photo/video/music production?

    Do a backup before you do anything.
    Does the recovery partition get wiped if i use disk-utility to reformat the drive
    It shouldn't
    Does mavericks automatically make a recovery partition during the installation process?
    Yes.
    Can i have two different partitions on my drive with separate installations of OSX on it?
    Yes.
    will time machine back up both of the partitions or just one?
    It will as long as one partition is not excluded in the Time Machine/Options.
    do i need to use a more capable utility than the stock apple "disk-utility"?
    No, just boot into the Recovery Volume (Command-R on a restart).
    file vault do this after i install mavericks?
    I would let File Vault do that.

  • Required components for Forms&Reports 11.1.2 with SSO support

    Hi.
    Don't know if this is the right forum but I would like to know if any of you has experience in integrating Forms&Reports 11.1.2 with Oracle Access Manager.
    I am in process of upgrading Oracle Forms&Reports 10g configured to use single sign-on to 11.1.2 with Identity and Access management for SSO support. As I read the installation manual I got confused by how to integrate Forms&reports with Access manager to be able to configure it to use single sign-on with MS Active Directory authentication. I am not sure is there enough just to install Access Manager or the installation also requires Identity Management component.
    I would appreciate if one could point me to the right direction. Thanks.
    Best regards.

    I recommend starting with baby steps. First ensure that the FMw installation is working. Can you run a form, and report, and so on. Then add single-signon with OAM. Verify that it is working. Then add AD support. If you try to dive directly into making AD work and something before this step wasn't working, you will have a difficult time troubleshooting.
    Generally speaking, if you have OAM and SSO installed prior to installing FMw, connecting the two is fairly easy because the FMw installation will prompt you during the process. However, even after the fact, linking up can be done from within the EM console even though some external steps may be needed. Once this is working, then you can investigate adding AD to the mix.
    If you already have OAM installed, you are ready to dive into the Forms Deployment Guide.
    http://docs.oracle.com/cd/E24269_01/doc.11120/e24477/sso.htm
    This part of the Deployment Guide will cover things like which versions of the Identity Management components can be used with Forms/Reports 11.1.2. It will also discuss the functional information needed in order to understand how it all works together. Also included are instructions on how to connect the FMw installation to SSO. Be careful as you read any of the documents, as it is easy to get confused when seeing references to "SSO". In some cases, the term "sso" means single sign-on and in others it is referring to the product, "Oracle SSO".
    Information about using Active Directory is scattered around the IM documentation, but this is probably a good place to start:
    http://docs.oracle.com/cd/E23943_01/oid.1111/e10031/odip_actdir.htm

  • How to make form field read only for users with certain permissions

    We need to make two form fields read only for users with certain permissions. Kindly guide me on how to do this in InfoPath. I searched and there is an option to disable the column, but no option to select user permissions.
    Please give your suggestion on this. 
    thanks.

    Hi,
    See the link below:
    http://info.akgroup.com/blog-0/bid/69277/InfoPath-Restrict-visibility-to-users-in-a-SharePoint-Group
    Here you can add the formatting action on the field to disable the field if those users belong to a certain SharePoint group (does not matter the permission levels though). Hope it helps.
    Regards, Kapil ***Please mark answer as Helpful or Answered after consideration***
