WPA2 AES encryption Key Sizes

Similar Messages

• Accept Certificate when connecting to an SSID with WPA2-AES encryption.

  When I try to Connect my Iphone to an SSID with WPA2-AES encryption,i need to accept the certificate and gets authenticated.When i switchover to different SSID and reconnect again to the same WPA2-AES SSID i do not get the Certificate accept page.
  When i click on the Forget Network and deisconnect from the SSID and re-connect again,i will be prompted to acept the certificate.Is this a normal behavior in Iphone.
  Any suggestions would be greatly appreciated.
  Thanks and regards,
  Sendhil Balakrishnan

  Hi
  with the config i have i seem to be able to login using either tkip or aes, but i don't think i have got mixed mode configured on the AP so it should only accept WPA2-AES encryption but it also accepts TKIP making me believe something is configured incorrectly.
  should i change anything in the config on the AP to only allow WPA2-AES encryption?
  many thanks
  rogier

• WPA2 Aes encryption on cisco 1121G AP

  hi
  i wanted to increase the security on my 1121G accesspoint by enabling wpa2 with aes encryption. in a test environment i set this up and i configured my wireless client to connect, my wireless client (ibm thinkpad t42p with 11a/b/g Wireless LAN Mini PCI Adapter II has the ability to either select WPA or WPA2 and whether you use TKIP or AES. i selected WPA2 and AES enter the encryption key which i had entered on the AP and i connected,
  i change the settings on the client to WPA and TKIP and entered the same encryption key and i managed to connect as well, which puzzles me, when i enter an incorrect encryption key it won't associate.
  is this normal behaviour or do you think i have configured something incorrectly on the 1121G AP?
  i have attached my config and have removed some personal data.
  many thanks
  rogier

  i have finally figured it out, it is the windows client or mac clients being very smart, if you configure your windows client to use WPA instead of WPA2 and select TKIP instead of AES encryption somehow it figures out this is incorrect and automatically sets the WPA to WPA2 settings and changes TKIP to AES encryption, i am amazed, i finally figured it out when a windows machine which did not have the windows patch to allow it to connect to WPA2 could not connect, only after installing the WPA2 patch would it connect. in the AP log it always showed as logging in with the WPA2 EAS encryption.
  i guess windows xp is a bit smarter than i originally thought

• Programmatically determine AES max key size?

  On a JRE that does not have the JCE unlimited strength jurisdiction policy files installed, I find that attempting to create an AES Cipher with a key size larger than 128 bits will throw an InvalidKeyException. Is there a better way to determine whether or not larger AES key sizes are permitted? Relying on the InvalidKeyException seems fragile, as there are other things that can cause that exception to be thrown.

  [Cipher.getMaxAllowedKeyLength()|http://java.sun.com/javase/6/docs/api/javax/crypto/Cipher.html#getMaxAllowedKeyLength(java.lang.String)]

• AES supported key sizes!

  Hi all,
  is there any function that specifies key size "secret key" used in AES cryptographic algorithm? if not which key size is supported?
  thanks alot.

  Hi again,
  i ve tried what you have told me but it gave me error ERROR: java.security.InvalidKeyException: Illegal key size or default parameters
  here is the code
  SecureRandom sprng = SecureRandom.getInstance("SHA1PRNG");
              KeyGenerator key = KeyGenerator.getInstance("AES");
              //key.init(sprng);
              key.init(192,  sprng);
              SecretKey encKey = key.generateKey();
              symmetricKey=encKey;
              Cipher encAES = Cipher.getInstance("AES");
              encAES.init(Cipher.ENCRYPT_MODE, encKey);
              encMsg=encAES.doFinal(message.getBytes());can any body help me plz!

• How do I read the browser encryption key size

  We currently have an architecture where browser request is passed
            to a WebLogic App Server via the Netscape Web Server by using the
            WebLogic NSAPI plugin. We maintain an SSL connection between the
            browser and the WebServer but WebLogic does not allow an SSL
            connection between the Netscape WebServer and the WebLogic App
            Server. We would like to check the browser encryption by looking
            at the HTTPS_KEYSIZE env variable. Is it possible to read this variable
            within a JSP page on WebLogic App Server, even though the WebLogic
            App server is getting an HTTP request from the Netscape WebServer.
            If not, then please advise on any workarounds.
            THANKS!
            Harjot
            

  I don't think you can.  I had the same issue, but I remembered my password finally.  I look in the iphone and theres no option to view the wpa network key.
  If you have a different computer hook to the wifi, you can view the network key. 
  If you don't have one, google on how to reset your network key for you router.

• Cannt connect to WPA2-AES encrypted wifi

  there is no issue with a WEP wifi. i googled this problem and none of them solved my problem. i updated IOS to 6.1.2. i reset my phone. however, it still does not work.
  thanks in advance

  Try http://archpi.dabase.com/#wireless. It worked like a charm for me with RPI2 + http://www.amazon.co.uk/Andoer-Wireless … B008IZQCGK which has the same chipset and it's using kernel module 'rt2x00' https://wireless.wiki.kernel.org/news/2011-07-22. USB ID: 148f:5370.
  Last edited by phedoreanu (2015-04-25 22:35:28)

• Maximum WPA2 key size for Apple TV (gen 2 & 3)

  Does anyone know the maximum key size for WPA2?  I am using a Airport Extreme with a key size of 63 characters and the Apple TV doesn't seem to accept it.  Before I reconfigure the whole network, I would like to know the max key size versus trial and error (kind of a pain to use the remote to input the characters).

  Ok.. in order to help other users i will post this..
  I have resolved the issue... it was rather simple and dumb...
  I never use windows media player ever.. i do not like it and can not stand it.. because in my case it was a brand new windows installation this fix will only apply to certain users..
  because it was a brand new windows installation.. i had never clicked on windows media player.. apparently streaming settings are embedded into windows media player for the windows 7 OS...    in past installations that i have used for years.. i simply never ever clicked on windows media player, as i never had a reason to.. i use itunes for my ipad, iphone etc.. etc... 
  by accident and shear luck i decided to click on windows media player.. and of course go through the express settings....  after i did this all of my streaming problems to my apple tv gen2 disapeared... HD movies now start almost instantly... so as i stated above apparently there are media streaming settings embedded into the OS through windows media player... doesnt make any sense to me as i never use the program.. but whatever that fixed my issue..
  so for any of you windows 7 people out there using a windows 7 pc as your itunes sync computer and using that itunes library to stream to your apple tv... make sure you have done the initial setup at min.. of windows media player.. i still left itunes as my default player....  everything now works flawlessly... infact for whatever reason.. even in an HD movie my network almost has half the movie synced now accross the bar before the movie starts so now my apple tv is blazing fast....
  i have been struggling with this for 2 days now and simply never gave it a thought that windows media player would ever have anything to do with itunes streaming a totally seperate program.. but it did..
  i hope this helps other people with similar problems.
  good luck

• How to config Autonomous AP 1242/1252 the WPA2 and AES encryption

  Hi Guys,
  Do you know how to configure the autonomous AP1242 and AP1252 use new authentication way: WPA2 and encryption as AES to support 11n ?
  right now, our AP only configure the SSID as WH001 as network access.
  dot11 ssid WH001
     authentication open eap ea1
     authentication network-eap ea1
     accounting ac1
  How about the new SSID WH003 (new 11n)
  dot11 ssid WH003
    authenticaion ?
    authentication?
    account?
  interface Dot11Radio0
  no ip address
  no ip route-cache
  encryption mode wep mandatory
  encryption mode? 
  ssid WH001
  ssid WH003
  channel 2437

  Well the 1242 doesn't support 802.11n. Here is a link to configure 802.11n on an ap that supports 802.11n like the 1252.
  http://www.cisco.com/en/US/docs/wireless/access_point/12.4.25d.JA/Configuration/guide/scg12.4.25d.JA-chap6-radio.html
  Here is a link that shows how to setup WPA2/AES which is required for 802.11n, besides open authentication.
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008054339e.shtml
  Sent from Cisco Technical Support iPhone App

• System encryption using LUKS and GPG encrypted keys for arch linux

  Update: As of 2012-03-28, arch changed from gnupg 1.4 to 2.x which uses pinentry for the password dialog. The "etwo" hook described here doesn't work with gnupg 2. Either use the openssl hook below or use a statically compiled version of gnupg 1.4.
  Update: As of 2012-12-19, the mkinitcpio is not called during boot, unless the "install" file for the hook contains "add_runscript". This resulted in an unbootable system for me. Also, the method name was changed from install () to build ().
  Update: 2013-01-13: Updated the hook files using the corrections by Deth.
  Note: This guide is a bit dated now, in particular the arch installation might be different now. But essentially, the approach stays the same. Please also take a look at the posts further down, specifically the alternative hooks that use openssl.
  I always wanted to set up a fully encrypted arch linux server that uses gpg encrypted keyfiles on an external usb stick and luks for root filesystem encryption. I already did it once in gentoo using this guide. For arch, I had to play alot with initcpio hooks and after one day of experimentation, I finally got it working. I wrote a little guide for myself which I'm going to share here for anyone that might be interested. There might be better or easier ways, like I said this is just how I did it. I hope it might help someone else. Constructive feedback is always welcome
  Intro
  Using arch linux mkinitcpio's encrypt hook, one can easily use encrypted root partitions with LUKS. It's also possible to use key files stored on an external drive, like an usb stick. However, if someone steals your usb stick, he can just copy the key and potentially access the system. I wanted to have a little extra security by additionally encrypting the key file with gpg using a symmetric cipher and a passphrase.
  Since the encrypt hook doesn't support this scenario, I created a modifed hook called “etwo” (silly name I know, it was the first thing that came to my mind). It will simply look if the key file has the extension .gpg and, if yes, use gpg to decrypt it, then pipe the result into cryptsetup.
  Conventions
  In this short guide, I use the following disk/partition names:
  /dev/sda: is the hard disk that will contain an encrypted swap (/dev/sda1), /var (/dev/sda2) and root (/dev/sda3) partition.
  /dev/sdb is the usb stick that will contain the gpg encrypted luks keys, the kernel and grub. It will have one partition /dev/sdb1 formatted with ext2.
  /dev/mapper/root, /dev/mapper/swap and /dev/mapper/var will be the encrypted devices.
  Credits
  Thanks to the authors of SECURITY_System_Encryption_DM-Crypt_with_LUKS (gentoo wiki), System Encryption with LUKS (arch wiki), mkinitcpio (arch wiki) and Early Userspace in Arch Linux (/dev/brain0 blog)!
  Guide
  1. Boot the arch live cd
  I had to use a newer testing version, because the 2010.05 cd came with a broken gpg. You can download one here: http://releng.archlinux.org/isos/. I chose the “core“ version. Go ahead and boot the live cd, but don't start the setup yet.
  2. Set keymap
  Use km to set your keymap. This is important for non-qwerty keyboards to avoid suprises with passphrases...
  3. Wipe your discs
  ATTENTION: this will DELETE everything on /dev/sda and /dev/sdb forever! Do not blame me for any lost data!
  Before encrypting the hard disc, it has to be completely wiped and overwritten with random data. I used shred for this. Others use badblocks or dd with /dev/urandom. Either way, this will take a long time, depending on the size of your disc. I also wiped my usb stick just to be sure.
  shred -v /dev/sda
  shred -v /dev/sdb
  4. Partitioning
  Fire up fdisk and create the following partitions:
  /dev/sda1, type linux swap.
  /dev/sda2: type linux
  /dev/sda3: type linux
  /dev/sdb1, type linux
  Of course you can choose a different layout, this is just how I did it. Keep in mind that only the root filesystem will be decrypted by the initcpio. The rest will be decypted during normal init boot using /etc/crypttab, the keys being somewhere on the root filesystem.
  5. Format  and mount the usb stick
  Create an ext2 filesystem on /dev/sdb1:
  mkfs.ext2 /dev/sdb1
  mkdir /root/usb
  mount /dev/sdb1 /root/usb
  cd /root/usb # this will be our working directory for now.
  Do not mount anything to /mnt, because the arch installer will use that directory later to mount the encrypted root filesystem.
  6. Configure the network (if not already done automatically)
  ifconfig eth0 192.168.0.2 netmask 255.255.255.0
  route add default gw 192.168.0.1
  echo "nameserver 192.168.0.1" >> /etc/resolv.conf
  (this is just an example, your mileage may vary)
  7. Install gnupg
  pacman -Sy
  pacman -S gnupg
  Verify that gnupg works by launching gpg.
  8. Create the keys
  Just to be sure, make sure swap is off:
  cat /proc/swaps
  should return no entries.
  Create gpg encrypted keys (remember, we're still in our working dir /root/usb):
  dd if=/dev/urandom bs=512 count=4 | gpg -v --cipher-algo aes256 --digest-algo sha512 -c -a > root.gpg
  dd if=/dev/urandom bs=512 count=4 | gpg -v --cipher-algo aes256 --digest-algo sha512 -c -a > var.gpg
  Choose a strong password!!
  Don't do this in two steps, e.g don't do dd to a file and then gpg on that file. The key should never be stored in plain text on an unencrypted device, except if that device is wiped on system restart (ramfs)!
  Note that the default cipher for gpg is cast5, I just chose to use a different one.
  9. Create the encrypted devices with cryptsetup
  Create encrypted swap:
  cryptsetup -c aes-cbc-essiv:sha256 -s 256 -h whirlpool -d /dev/urandom create swap /dev/sda1
  You should see /dev/mapper/swap now. Don't format nor turn it on for now. This will be done by the arch installer.
  Important: From the Cryptsetup 1.1.2 Release notes:
  Cryptsetup can accept passphrase on stdin (standard input). Handling of new line (\n) character is defined by input specification:
      if keyfile is specified as "-" (using --key-file=- or by positional argument in luksFormat and luksAddKey, like cat file | cryptsetup --key-file=- <action> ), input is processed
        as normal binary file and no new line is interpreted.
      if there is no key file specification (with default input from stdin pipe like echo passphrase | cryptsetup <action> ) input is processed as input from terminal, reading will
        stop after new line is detected.
  If I understand this correctly, since the randomly generated key can contain a newline early on, piping the key into cryptsetup without specifying --key-file=- could result in a big part of the key to be ignored by cryptsetup. Example: if the random key was "foo\nandsomemorebaratheendofthekey", piping it directly into cryptsetup without --key-file=- would result in cryptsetup using only "foo" as key which would have big security implications. We should therefor ALWAYS pipe the key into cryptsetup using --key-file=- which ignores newlines.
  gpg -q -d root.gpg 2>/dev/null | cryptsetup -v -–key-file=- -c aes-cbc-essiv:sha256 -s 256 -h whirlpool luksFormat /dev/sda3
  gpg -q -d var.gpg 2>/dev/null | cryptsetup -v –-key-file=- -c aes-cbc-essiv:sha256 -s 256 -h whirlpool -v luksFormat /dev/sda2
  Check for any errors.
  10. Open the luks devices
  gpg -d root.gpg 2>/dev/null | cryptsetup -v –-key-file=- luksOpen /dev/sda3 root
  gpg -d var.gpg 2>/dev/null | cryptsetup -v –-key-file=- luksOpen /dev/sda2 var
  If you see /dev/mapper/root and /dev/mapper/var now, everything is ok.
  11. Start the installer /arch/setup
  Follow steps 1 to 3.
  At step 4 (Prepare hard drive(s), select “3 – Manually Configure block devices, filesystems and mountpoints. Choose /dev/sdb1 (the usb stick) as /boot, /dev/mapper/swap for swap, /dev/mapper/root for / and /dev/mapper/var for /var.
  Format all drives (choose “yes” when asked “do you want to have this filesystem (re)created”) EXCEPT for /dev/sdb1, choose “no”. Choose the correct filesystem for /dev/sdb1, ext2 in my case. Use swap for /dev/mapper/swap. For the rest, I chose ext4.
  Select DONE to start formatting.
  At step 5 (Select packages), select grub as boot loader. Select the base group. Add mkinitcpio.
  Start step 6 (Install packages).
  Go to step 7 (Configure System).
  By sure to set the correct KEYMAP, LOCALE and TIMEZONE in /etc/rc.conf.
  Edit /etc/fstab:
  /dev/mapper/root / ext4 defaults 0 1
  /dev/mapper/swap swap swap defaults 0 0
  /dev/mapper/var /var ext4 defaults 0 1
  # /dev/sdb1 /boot ext2 defaults 0 1
  Configure the rest normally. When you're done, setup will launch mkinitcpio. We'll manually launch this again later.
  Go to step 8 (install boot loader).
  Be sure to change the kernel line in menu.lst:
  kernel /vmlinuz26 root=/dev/mapper/root cryptdevice=/dev/sda3:root cryptkey=/dev/sdb1:ext2:/root.gpg
  Don't forget the :root suffix in cryptdevice!
  Also, my root line was set to (hd1,0). Had to change that to
  root (hd0,0)
  Install grub to /dev/sdb (the usb stick).
  Now, we can exit the installer.
  12. Install mkinitcpio with the etwo hook.
  Create /mnt/lib/initcpio/hooks/etwo:
  #!/usr/bin/ash
  run_hook() {
  /sbin/modprobe -a -q dm-crypt >/dev/null 2>&1
  if [ -e "/sys/class/misc/device-mapper" ]; then
  if [ ! -e "/dev/mapper/control" ]; then
  /bin/mknod "/dev/mapper/control" c $(cat /sys/class/misc/device-mapper/dev | sed 's|:| |')
  fi
  [ "${quiet}" = "y" ] && CSQUIET=">/dev/null"
  # Get keyfile if specified
  ckeyfile="/crypto_keyfile"
  usegpg="n"
  if [ "x${cryptkey}" != "x" ]; then
  ckdev="$(echo "${cryptkey}" | cut -d: -f1)"
  ckarg1="$(echo "${cryptkey}" | cut -d: -f2)"
  ckarg2="$(echo "${cryptkey}" | cut -d: -f3)"
  if poll_device "${ckdev}" ${rootdelay}; then
  case ${ckarg1} in
  *[!0-9]*)
  # Use a file on the device
  # ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path
  if [ "${ckarg2#*.}" = "gpg" ]; then
  ckeyfile="${ckeyfile}.gpg"
  usegpg="y"
  fi
  mkdir /ckey
  mount -r -t ${ckarg1} ${ckdev} /ckey
  dd if=/ckey/${ckarg2} of=${ckeyfile} >/dev/null 2>&1
  umount /ckey
  # Read raw data from the block device
  # ckarg1 is numeric: ckarg1=offset, ckarg2=length
  dd if=${ckdev} of=${ckeyfile} bs=1 skip=${ckarg1} count=${ckarg2} >/dev/null 2>&1
  esac
  fi
  [ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase."
  fi
  if [ -n "${cryptdevice}" ]; then
  DEPRECATED_CRYPT=0
  cryptdev="$(echo "${cryptdevice}" | cut -d: -f1)"
  cryptname="$(echo "${cryptdevice}" | cut -d: -f2)"
  else
  DEPRECATED_CRYPT=1
  cryptdev="${root}"
  cryptname="root"
  fi
  warn_deprecated() {
  echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated"
  echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead."
  if poll_device "${cryptdev}" ${rootdelay}; then
  if /sbin/cryptsetup isLuks ${cryptdev} >/dev/null 2>&1; then
  [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
  dopassphrase=1
  # If keyfile exists, try to use that
  if [ -f ${ckeyfile} ]; then
  if [ "${usegpg}" = "y" ]; then
  # gpg tty fixup
  if [ -e /dev/tty ]; then mv /dev/tty /dev/tty.backup; fi
  cp -a /dev/console /dev/tty
  while [ ! -e /dev/mapper/${cryptname} ];
  do
  sleep 2
  /usr/bin/gpg -d "${ckeyfile}" 2>/dev/null | cryptsetup --key-file=- luksOpen ${cryptdev} ${cryptname} ${CSQUIET}
  dopassphrase=0
  done
  rm /dev/tty
  if [ -e /dev/tty.backup ]; then mv /dev/tty.backup /dev/tty; fi
  else
  if eval /sbin/cryptsetup --key-file ${ckeyfile} luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; then
  dopassphrase=0
  else
  echo "Invalid keyfile. Reverting to passphrase."
  fi
  fi
  fi
  # Ask for a passphrase
  if [ ${dopassphrase} -gt 0 ]; then
  echo ""
  echo "A password is required to access the ${cryptname} volume:"
  #loop until we get a real password
  while ! eval /sbin/cryptsetup luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; do
  sleep 2;
  done
  fi
  if [ -e "/dev/mapper/${cryptname}" ]; then
  if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
  export root="/dev/mapper/root"
  fi
  else
  err "Password succeeded, but ${cryptname} creation failed, aborting..."
  exit 1
  fi
  elif [ -n "${crypto}" ]; then
  [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
  msg "Non-LUKS encrypted device found..."
  if [ $# -ne 5 ]; then
  err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip"
  err "Non-LUKS decryption not attempted..."
  return 1
  fi
  exe="/sbin/cryptsetup create ${cryptname} ${cryptdev}"
  tmp=$(echo "${crypto}" | cut -d: -f1)
  [ -n "${tmp}" ] && exe="${exe} --hash \"${tmp}\""
  tmp=$(echo "${crypto}" | cut -d: -f2)
  [ -n "${tmp}" ] && exe="${exe} --cipher \"${tmp}\""
  tmp=$(echo "${crypto}" | cut -d: -f3)
  [ -n "${tmp}" ] && exe="${exe} --key-size \"${tmp}\""
  tmp=$(echo "${crypto}" | cut -d: -f4)
  [ -n "${tmp}" ] && exe="${exe} --offset \"${tmp}\""
  tmp=$(echo "${crypto}" | cut -d: -f5)
  [ -n "${tmp}" ] && exe="${exe} --skip \"${tmp}\""
  if [ -f ${ckeyfile} ]; then
  exe="${exe} --key-file ${ckeyfile}"
  else
  exe="${exe} --verify-passphrase"
  echo ""
  echo "A password is required to access the ${cryptname} volume:"
  fi
  eval "${exe} ${CSQUIET}"
  if [ $? -ne 0 ]; then
  err "Non-LUKS device decryption failed. verify format: "
  err " crypto=hash:cipher:keysize:offset:skip"
  exit 1
  fi
  if [ -e "/dev/mapper/${cryptname}" ]; then
  if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
  export root="/dev/mapper/root"
  fi
  else
  err "Password succeeded, but ${cryptname} creation failed, aborting..."
  exit 1
  fi
  else
  err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume and the crypto= paramater was not specified."
  fi
  fi
  rm -f ${ckeyfile}
  fi
  Create /mnt/lib/initcpio/install/etwo:
  #!/bin/bash
  build() {
  local mod
  add_module dm-crypt
  if [[ $CRYPTO_MODULES ]]; then
  for mod in $CRYPTO_MODULES; do
  add_module "$mod"
  done
  else
  add_all_modules '/crypto/'
  fi
  add_dir "/dev/mapper"
  add_binary "cryptsetup"
  add_binary "dmsetup"
  add_binary "/usr/bin/gpg"
  add_file "/usr/lib/udev/rules.d/10-dm.rules"
  add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
  add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
  add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"
  add_runscript
  help ()
  cat<<HELPEOF
  This hook allows for an encrypted root device with support for gpg encrypted key files.
  To use gpg, the key file must have the extension .gpg and you have to install gpg and add /usr/bin/gpg
  to your BINARIES var in /etc/mkinitcpio.conf.
  HELPEOF
  Edit /mnt/etc/mkinitcpio.conf (only relevant sections displayed):
  MODULES=”ext2 ext4” # not sure if this is really nessecary.
  BINARIES=”/usr/bin/gpg” # this could probably be done in install/etwo...
  HOOKS=”base udev usbinput keymap autodetect pata scsi sata usb etwo filesystems” # (usbinput is only needed if you have an usb keyboard)
  Copy the initcpio stuff over to the live cd:
  cp /mnt/lib/initcpio/hooks/etwo /lib/initcpio/hooks/
  cp /mnt/lib/initcpio/install/etwo /lib/initcpio/install/
  cp /mnt/etc/mkinitcpio.conf /etc/
  Verify your LOCALE, KEYMAP and TIMEZONE in /etc/rc.conf!
  Now reinstall the initcpio:
  mkinitcpio -g /mnt/boot/kernel26.img
  Make sure there were no errors and that all hooks were included.
  13. Decrypt the "var" key to the encrypted root
  mkdir /mnt/keys
  chmod 500 /mnt/keys
  gpg –output /mnt/keys/var -d /mnt/boot/var.gpg
  chmod 400 /mnt/keys/var
  14. Setup crypttab
  Edit /mnt/etc/crypttab:
  swap /dev/sda1 SWAP -c aes-cbc-essiv:sha256 -s 256 -h whirlpool
  var /dev/sda2 /keys/var
  15. Reboot
  We're done, you may reboot. Make sure you select the usb stick as the boot device in your bios and hope for the best. . If it didn't work, play with grub's settings or boot from the live cd, mount your encrypted devices and check all settings. You might also have less trouble by using uuid's instead of device names.  I chose device names to keep things as simple as possible, even though it's not the optimal way to do it.
  Make backups of your data and your usb stick and do not forget your password(s)! Or you can say goodbye to your data forever...
  Last edited by fabriceb (2013-01-15 22:36:23)

  I'm trying to run my install script that is based on https://bbs.archlinux.org/viewtopic.php?id=129885
  Decrypting the gpg key after grub works, but then "Devce root already exists." appears every second.
  any idea ?
  #!/bin/bash
  # This script is designed to be run in conjunction with a UEFI boot using Archboot intall media.
  # prereqs:
  # EFI "BIOS" set to boot *only* from EFI
  # successful EFI boot of Archboot USB
  # mount /dev/sdb1 /src
  set -o nounset
  #set -o errexit
  # Host specific configuration
  # this whole script needs to be customized, particularly disk partitions
  # and configuration, but this section contains global variables that
  # are used during the system configuration phase for convenience
  HOSTNAME=daniel
  USERNAME=user
  # Globals
  # We don't need to set these here but they are used repeatedly throughout
  # so it makes sense to reuse them and allow an easy, one-time change if we
  # need to alter values such as the install target mount point.
  INSTALL_TARGET="/install"
  HR="--------------------------------------------------------------------------------"
  PACMAN="pacman --noconfirm --config /tmp/pacman.conf"
  TARGET_PACMAN="pacman --noconfirm --config /tmp/pacman.conf -r ${INSTALL_TARGET}"
  CHROOT_PACMAN="pacman --noconfirm --cachedir /var/cache/pacman/pkg --config /tmp/pacman.conf -r ${INSTALL_TARGET}"
  FILE_URL="file:///packages/core-$(uname -m)/pkg"
  FTP_URL='ftp://mirrors.kernel.org/archlinux/$repo/os/$arch'
  HTTP_URL='http://mirrors.kernel.org/archlinux/$repo/os/$arch'
  # Functions
  # I've avoided using functions in this script as they aren't required and
  # I think it's more of a learning tool if you see the step-by-step
  # procedures even with minor duplciations along the way, but I feel that
  # these functions clarify the particular steps of setting values in config
  # files.
  SetValue () {
  # EXAMPLE: SetValue VARIABLENAME '\"Quoted Value\"' /file/path
  VALUENAME="$1" NEWVALUE="$2" FILEPATH="$3"
  sed -i "s+^#\?\(${VALUENAME}\)=.*$+\1=${NEWVALUE}+" "${FILEPATH}"
  CommentOutValue () {
  VALUENAME="$1" FILEPATH="$2"
  sed -i "s/^\(${VALUENAME}.*\)$/#\1/" "${FILEPATH}"
  UncommentValue () {
  VALUENAME="$1" FILEPATH="$2"
  sed -i "s/^#\(${VALUENAME}.*\)$/\1/" "${FILEPATH}"
  # Initialize
  # Warn the user about impending doom, set up the network on eth0, mount
  # the squashfs images (Archboot does this normally, we're just filling in
  # the gaps resulting from the fact that we're doing a simple scripted
  # install). We also create a temporary pacman.conf that looks for packages
  # locally first before sourcing them from the network. It would be better
  # to do either *all* local or *all* network but we can't for two reasons.
  # 1. The Archboot installation image might have an out of date kernel
  # (currently the case) which results in problems when chrooting
  # into the install mount point to modprobe efivars. So we use the
  # package snapshot on the Archboot media to ensure our kernel is
  # the same as the one we booted with.
  # 2. Ideally we'd source all local then, but some critical items,
  # notably grub2-efi variants, aren't yet on the Archboot media.
  # Warn
  timer=9
  echo -e "\n\nMAC WARNING: This script is not designed for APPLE MAC installs and will potentially misconfigure boot to your existing OS X installation. STOP NOW IF YOU ARE ON A MAC.\n\n"
  echo -n "GENERAL WARNING: This procedure will completely format /dev/sda. Please cancel with ctrl-c to cancel within $timer seconds..."
  while [[ $timer -gt 0 ]]
  do
  sleep 1
  let timer-=1
  echo -en "$timer seconds..."
  done
  echo "STARTING"
  # Get Network
  echo -n "Waiting for network address.."
  #dhclient eth0
  dhcpcd -p eth0
  echo -n "Network address acquired."
  # Mount packages squashfs images
  umount "/packages/core-$(uname -m)"
  umount "/packages/core-any"
  rm -rf "/packages/core-$(uname -m)"
  rm -rf "/packages/core-any"
  mkdir -p "/packages/core-$(uname -m)"
  mkdir -p "/packages/core-any"
  modprobe -q loop
  modprobe -q squashfs
  mount -o ro,loop -t squashfs "/src/packages/archboot_packages_$(uname -m).squashfs" "/packages/core-$(uname -m)"
  mount -o ro,loop -t squashfs "/src/packages/archboot_packages_any.squashfs" "/packages/core-any"
  # Create temporary pacman.conf file
  cat << PACMANEOF > /tmp/pacman.conf
  [options]
  Architecture = auto
  CacheDir = ${INSTALL_TARGET}/var/cache/pacman/pkg
  CacheDir = /packages/core-$(uname -m)/pkg
  CacheDir = /packages/core-any/pkg
  [core]
  Server = ${FILE_URL}
  Server = ${FTP_URL}
  Server = ${HTTP_URL}
  [extra]
  Server = ${FILE_URL}
  Server = ${FTP_URL}
  Server = ${HTTP_URL}
  #Uncomment to enable pacman -Sy yaourt
  [archlinuxfr]
  Server = http://repo.archlinux.fr/\$arch
  PACMANEOF
  # Prepare pacman
  [[ ! -d "${INSTALL_TARGET}/var/cache/pacman/pkg" ]] && mkdir -m 755 -p "${INSTALL_TARGET}/var/cache/pacman/pkg"
  [[ ! -d "${INSTALL_TARGET}/var/lib/pacman" ]] && mkdir -m 755 -p "${INSTALL_TARGET}/var/lib/pacman"
  ${PACMAN} -Sy
  ${TARGET_PACMAN} -Sy
  # Install prereqs from network (not on archboot media)
  echo -e "\nInstalling prereqs...\n$HR"
  #sed -i "s/^#S/S/" /etc/pacman.d/mirrorlist # Uncomment all Server lines
  UncommentValue S /etc/pacman.d/mirrorlist # Uncomment all Server lines
  ${PACMAN} --noconfirm -Sy gptfdisk btrfs-progs-unstable libusb-compat gnupg
  # Configure Host
  # Here we create three partitions:
  # 1. efi and /boot (one partition does double duty)
  # 2. swap
  # 3. our encrypted root
  # Note that all of these are on a GUID partition table scheme. This proves
  # to be quite clean and simple since we're not doing anything with MBR
  # boot partitions and the like.
  echo -e "format\n"
  # shred -v /dev/sda
  # disk prep
  sgdisk -Z /dev/sda # zap all on disk
  #sgdisk -Z /dev/mmcb1k0 # zap all on sdcard
  sgdisk -a 2048 -o /dev/sda # new gpt disk 2048 alignment
  #sgdisk -a 2048 -o /dev/mmcb1k0
  # create partitions
  sgdisk -n 1:0:+200M /dev/sda # partition 1 (UEFI BOOT), default start block, 200MB
  sgdisk -n 2:0:+4G /dev/sda # partition 2 (SWAP), default start block, 200MB
  sgdisk -n 3:0:0 /dev/sda # partition 3, (LUKS), default start, remaining space
  #sgdisk -n 1:0:1800M /dev/mmcb1k0 # root.gpg
  # set partition types
  sgdisk -t 1:ef00 /dev/sda
  sgdisk -t 2:8200 /dev/sda
  sgdisk -t 3:8300 /dev/sda
  #sgdisk -t 1:0700 /dev/mmcb1k0
  # label partitions
  sgdisk -c 1:"UEFI Boot" /dev/sda
  sgdisk -c 2:"Swap" /dev/sda
  sgdisk -c 3:"LUKS" /dev/sda
  #sgdisk -c 1:"Key" /dev/mmcb1k0
  echo -e "create gpg file\n"
  # create gpg file
  dd if=/dev/urandom bs=512 count=4 | gpg -v --cipher-algo aes256 --digest-algo sha512 -c -a > /root/root.gpg
  echo -e "format LUKS on root\n"
  # format LUKS on root
  gpg -q -d /root/root.gpg 2>/dev/null | cryptsetup -v --key-file=- -c aes-xts-plain -s 512 --hash sha512 luksFormat /dev/sda3
  echo -e "open LUKS on root\n"
  gpg -d /root/root.gpg 2>/dev/null | cryptsetup -v --key-file=- luksOpen /dev/sda3 root
  # NOTE: make sure to add dm_crypt and aes_i586 to MODULES in rc.conf
  # NOTE2: actually this isn't required since we're mounting an encrypted root and grub2/initramfs handles this before we even get to rc.conf
  # make filesystems
  # following swap related commands not used now that we're encrypting our swap partition
  #mkswap /dev/sda2
  #swapon /dev/sda2
  #mkfs.ext4 /dev/sda3 # this is where we'd create an unencrypted root partition, but we're using luks instead
  echo -e "\nCreating Filesystems...\n$HR"
  # make filesystems
  mkfs.ext4 /dev/mapper/root
  mkfs.vfat -F32 /dev/sda1
  #mkfs.vfat -F32 /dev/mmcb1k0p1
  echo -e "mount targets\n"
  # mount target
  #mount /dev/sda3 ${INSTALL_TARGET} # this is where we'd mount the unencrypted root partition
  mount /dev/mapper/root ${INSTALL_TARGET}
  # mount target
  mkdir ${INSTALL_TARGET}
  # mkdir ${INSTALL_TARGET}/key
  # mount -t vfat /dev/mmcb1k0p1 ${INSTALL_TARGET}/key
  mkdir ${INSTALL_TARGET}/boot
  mount -t vfat /dev/sda1 ${INSTALL_TARGET}/boot
  # Install base, necessary utilities
  mkdir -p ${INSTALL_TARGET}/var/lib/pacman
  ${TARGET_PACMAN} -Sy
  ${TARGET_PACMAN} -Su base
  # curl could be installed later but we want it ready for rankmirrors
  ${TARGET_PACMAN} -S curl
  ${TARGET_PACMAN} -S libusb-compat gnupg
  ${TARGET_PACMAN} -R grub
  rm -rf ${INSTALL_TARGET}/boot/grub
  ${TARGET_PACMAN} -S grub2-efi-x86_64
  # Configure new system
  SetValue HOSTNAME ${HOSTNAME} ${INSTALL_TARGET}/etc/rc.conf
  sed -i "s/^\(127\.0\.0\.1.*\)$/\1 ${HOSTNAME}/" ${INSTALL_TARGET}/etc/hosts
  SetValue CONSOLEFONT Lat2-Terminus16 ${INSTALL_TARGET}/etc/rc.conf
  #following replaced due to netcfg
  #SetValue interface eth0 ${INSTALL_TARGET}/etc/rc.conf
  # write fstab
  # You can use UUID's or whatever you want here, of course. This is just
  # the simplest approach and as long as your drives aren't changing values
  # randomly it should work fine.
  cat > ${INSTALL_TARGET}/etc/fstab <<FSTAB_EOF
  # /etc/fstab: static file system information
  # <file system> <dir> <type> <options> <dump> <pass>
  tmpfs /tmp tmpfs nodev,nosuid 0 0
  /dev/sda1 /boot vfat defaults 0 0
  /dev/mapper/cryptswap none swap defaults 0 0
  /dev/mapper/root / ext4 defaults,noatime 0 1
  FSTAB_EOF
  # write etwo
  mkdir -p /lib/initcpio/hooks/
  mkdir -p /lib/initcpio/install/
  cp /src/etwo_hooks /lib/initcpio/hooks/etwo
  cp /src/etwo_install /lib/initcpio/install/etwo
  mkdir -p ${INSTALL_TARGET}/lib/initcpio/hooks/
  mkdir -p ${INSTALL_TARGET}/lib/initcpio/install/
  cp /src/etwo_hooks ${INSTALL_TARGET}/lib/initcpio/hooks/etwo
  cp /src/etwo_install ${INSTALL_TARGET}/lib/initcpio/install/etwo
  # write crypttab
  # encrypted swap (random passphrase on boot)
  echo cryptswap /dev/sda2 SWAP "-c aes-xts-plain -h whirlpool -s 512" >> ${INSTALL_TARGET}/etc/crypttab
  # copy configs we want to carry over to target from install environment
  mv ${INSTALL_TARGET}/etc/resolv.conf ${INSTALL_TARGET}/etc/resolv.conf.orig
  cp /etc/resolv.conf ${INSTALL_TARGET}/etc/resolv.conf
  mkdir -p ${INSTALL_TARGET}/tmp
  cp /tmp/pacman.conf ${INSTALL_TARGET}/tmp/pacman.conf
  # mount proc, sys, dev in install root
  mount -t proc proc ${INSTALL_TARGET}/proc
  mount -t sysfs sys ${INSTALL_TARGET}/sys
  mount -o bind /dev ${INSTALL_TARGET}/dev
  echo -e "umount boot\n"
  # we have to remount /boot from inside the chroot
  umount ${INSTALL_TARGET}/boot
  # Create install_efi script (to be run *after* chroot /install)
  touch ${INSTALL_TARGET}/install_efi
  chmod a+x ${INSTALL_TARGET}/install_efi
  cat > ${INSTALL_TARGET}/install_efi <<EFI_EOF
  # functions (these could be a library, but why overcomplicate things
  SetValue () { VALUENAME="\$1" NEWVALUE="\$2" FILEPATH="\$3"; sed -i "s+^#\?\(\${VALUENAME}\)=.*\$+\1=\${NEWVALUE}+" "\${FILEPATH}"; }
  CommentOutValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^\(\${VALUENAME}.*\)\$/#\1/" "\${FILEPATH}"; }
  UncommentValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^#\(\${VALUENAME}.*\)\$/\1/" "\${FILEPATH}"; }
  echo -e "mount boot\n"
  # remount here or grub et al gets confused
  mount -t vfat /dev/sda1 /boot
  # mkinitcpio
  # NOTE: intel_agp drm and i915 for intel graphics
  SetValue MODULES '\\"dm_mod dm_crypt aes_x86_64 ext2 ext4 vfat intel_agp drm i915\\"' /etc/mkinitcpio.conf
  SetValue HOOKS '\\"base udev pata scsi sata usb usbinput keymap consolefont etwo encrypt filesystems\\"' /etc/mkinitcpio.conf
  SetValue BINARIES '\\"/usr/bin/gpg\\"' /etc/mkinitcpio.conf
  mkinitcpio -p linux
  # kernel modules for EFI install
  modprobe efivars
  modprobe dm-mod
  # locale-gen
  UncommentValue de_AT /etc/locale.gen
  locale-gen
  # install and configure grub2
  # did this above
  #${CHROOT_PACMAN} -Sy
  #${CHROOT_PACMAN} -R grub
  #rm -rf /boot/grub
  #${CHROOT_PACMAN} -S grub2-efi-x86_64
  # you can be surprisingly sloppy with the root value you give grub2 as a kernel option and
  # even omit the cryptdevice altogether, though it will wag a finger at you for using
  # a deprecated syntax, so we're using the correct form here
  # NOTE: take out i915.modeset=1 unless you are on intel graphics
  SetValue GRUB_CMDLINE_LINUX '\\"cryptdevice=/dev/sda3:root cryptkey=/dev/sda1:vfat:/root.gpg add_efi_memmap i915.i915_enable_rc6=1 i915.i915_enable_fbc=1 i915.lvds_downclock=1 pcie_aspm=force quiet\\"' /etc/default/grub
  # set output to graphical
  SetValue GRUB_TERMINAL_OUTPUT gfxterm /etc/default/grub
  SetValue GRUB_GFXMODE 960x600x32,auto /etc/default/grub
  SetValue GRUB_GFXPAYLOAD_LINUX keep /etc/default/grub # comment out this value if text only mode
  # install the actual grub2. Note that despite our --boot-directory option we will still need to move
  # the grub directory to /boot/grub during grub-mkconfig operations until grub2 gets patched (see below)
  grub_efi_x86_64-install --bootloader-id=grub --no-floppy --recheck
  # create our EFI boot entry
  # bug in the HP bios firmware (F.08)
  efibootmgr --create --gpt --disk /dev/sda --part 1 --write-signature --label "ARCH LINUX" --loader "\\\\grub\\\\grub.efi"
  # copy font for grub2
  cp /usr/share/grub/unicode.pf2 /boot/grub
  # generate config file
  grub-mkconfig -o /boot/grub/grub.cfg
  exit
  EFI_EOF
  # Install EFI using script inside chroot
  chroot ${INSTALL_TARGET} /install_efi
  rm ${INSTALL_TARGET}/install_efi
  # Post install steps
  # anything you want to do post install. run the script automatically or
  # manually
  touch ${INSTALL_TARGET}/post_install
  chmod a+x ${INSTALL_TARGET}/post_install
  cat > ${INSTALL_TARGET}/post_install <<POST_EOF
  set -o errexit
  set -o nounset
  # functions (these could be a library, but why overcomplicate things
  SetValue () { VALUENAME="\$1" NEWVALUE="\$2" FILEPATH="\$3"; sed -i "s+^#\?\(\${VALUENAME}\)=.*\$+\1=\${NEWVALUE}+" "\${FILEPATH}"; }
  CommentOutValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^\(\${VALUENAME}.*\)\$/#\1/" "\${FILEPATH}"; }
  UncommentValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^#\(\${VALUENAME}.*\)\$/\1/" "\${FILEPATH}"; }
  # root password
  echo -e "${HR}\\nNew root user password\\n${HR}"
  passwd
  # add user
  echo -e "${HR}\\nNew non-root user password (username:${USERNAME})\\n${HR}"
  groupadd sudo
  useradd -m -g users -G audio,lp,optical,storage,video,games,power,scanner,network,sudo,wheel -s /bin/bash ${USERNAME}
  passwd ${USERNAME}
  # mirror ranking
  echo -e "${HR}\\nRanking Mirrors (this will take a while)\\n${HR}"
  cp /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.orig
  mv /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.all
  sed -i "s/#S/S/" /etc/pacman.d/mirrorlist.all
  rankmirrors -n 5 /etc/pacman.d/mirrorlist.all > /etc/pacman.d/mirrorlist
  # temporary fix for locale.sh update conflict
  mv /etc/profile.d/locale.sh /etc/profile.d/locale.sh.preupdate || true
  # yaourt repo (add to target pacman, not tmp pacman.conf, for ongoing use)
  echo -e "\\n[archlinuxfr]\\nServer = http://repo.archlinux.fr/\\\$arch" >> /etc/pacman.conf
  echo -e "\\n[haskell]\\nServer = http://www.kiwilight.com/\\\$repo/\\\$arch" >> /etc/pacman.conf
  # additional groups and utilities
  pacman --noconfirm -Syu
  pacman --noconfirm -S base-devel
  pacman --noconfirm -S yaourt
  # sudo
  pacman --noconfirm -S sudo
  cp /etc/sudoers /tmp/sudoers.edit
  sed -i "s/#\s*\(%wheel\s*ALL=(ALL)\s*ALL.*$\)/\1/" /tmp/sudoers.edit
  sed -i "s/#\s*\(%sudo\s*ALL=(ALL)\s*ALL.*$\)/\1/" /tmp/sudoers.edit
  visudo -qcsf /tmp/sudoers.edit && cat /tmp/sudoers.edit > /etc/sudoers
  # power
  pacman --noconfirm -S acpi acpid acpitool cpufrequtils
  yaourt --noconfirm -S powertop2
  sed -i "/^DAEMONS/ s/)/ @acpid)/" /etc/rc.conf
  sed -i "/^MODULES/ s/)/ acpi-cpufreq cpufreq_ondemand cpufreq_powersave coretemp)/" /etc/rc.conf
  # following requires my acpi handler script
  echo "/etc/acpi/handler.sh boot" > /etc/rc.local
  # time
  pacman --noconfirm -S ntp
  sed -i "/^DAEMONS/ s/hwclock /!hwclock @ntpd /" /etc/rc.conf
  # wireless (wpa supplicant should already be installed)
  pacman --noconfirm -S iw wpa_supplicant rfkill
  pacman --noconfirm -S netcfg wpa_actiond ifplugd
  mv /etc/wpa_supplicant.conf /etc/wpa_supplicant.conf.orig
  echo -e "ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=network\nupdate_config=1" > /etc/wpa_supplicant.conf
  # make sure to copy /etc/network.d/examples/wireless-wpa-config to /etc/network.d/home and edit
  sed -i "/^DAEMONS/ s/)/ @net-auto-wireless @net-auto-wired)/" /etc/rc.conf
  sed -i "/^DAEMONS/ s/ network / /" /etc/rc.conf
  echo -e "\nWIRELESS_INTERFACE=wlan0" >> /etc/rc.conf
  echo -e "WIRED_INTERFACE=eth0" >> /etc/rc.conf
  echo "options iwlagn led_mode=2" > /etc/modprobe.d/iwlagn.conf
  # sound
  pacman --noconfirm -S alsa-utils alsa-plugins
  sed -i "/^DAEMONS/ s/)/ @alsa)/" /etc/rc.conf
  mv /etc/asound.conf /etc/asound.conf.orig || true
  #if alsamixer isn't working, try alsamixer -Dhw and speaker-test -Dhw -c 2
  # video
  pacman --noconfirm -S base-devel mesa mesa-demos
  # x
  #pacman --noconfirm -S xorg xorg-xinit xorg-utils xorg-server-utils xdotool xorg-xlsfonts
  #yaourt --noconfirm -S xf86-input-wacom-git # NOT NEEDED? input-wacom-git
  #TODO: cut down the install size
  #pacman --noconfirm -S xorg-server xorg-xinit xorg-utils xorg-server-utils
  # TODO: wacom
  # environment/wm/etc.
  #pacman --noconfirm -S xfce4 compiz ccsm
  #pacman --noconfirm -S xcompmgr
  #yaourt --noconfirm -S physlock unclutter
  #pacman --noconfirm -S rxvt-unicode urxvt-url-select hsetroot
  #pacman --noconfirm -S gtk2 #gtk3 # for taffybar?
  #pacman --noconfirm -S ghc
  # note: try installing alex and happy from cabal instead
  #pacman --noconfirm -S haskell-platform haskell-hscolour
  #yaourt --noconfirm -S xmonad-darcs xmonad-contrib-darcs xcompmgr
  #yaourt --noconfirm -S xmobar-git
  # TODO: edit xfce to use compiz
  # TODO: xmonad, but deal with video tearing
  # TODO: xmonad-darcs fails to install from AUR. haskell dependency hell.
  # switching to cabal
  # fonts
  pacman --noconfirm -S terminus-font
  yaourt --noconfirm -S webcore-fonts
  yaourt --noconfirm -S fontforge libspiro
  yaourt --noconfirm -S freetype2-git-infinality
  # TODO: sed infinality and change to OSX or OSX2 mode
  # and create the sym link from /etc/fonts/conf.avail to conf.d
  # misc apps
  #pacman --noconfirm -S htop openssh keychain bash-completion git vim
  #pacman --noconfirm -S chromium flashplugin
  #pacman --noconfirm -S scrot mypaint bc
  #yaourt --noconfirm -S task-git stellarium googlecl
  # TODO: argyll
  POST_EOF
  # Post install in chroot
  #echo "chroot and run /post_install"
  chroot /install /post_install
  rm /install/post_install
  # copy grub.efi file to the default HP EFI boot manager path
  mkdir -p ${INSTALL_TARGET}/boot/EFI/Microsoft/BOOT/
  mkdir -p ${INSTALL_TARGET}/boot/EFI/BOOT/
  cp ${INSTALL_TARGET}/boot/grub/grub.efi ${INSTALL_TARGET}/boot/EFI/Microsoft/BOOT/bootmgfw.efi
  cp ${INSTALL_TARGET}/boot/grub/grub.efi ${INSTALL_TARGET}/boot/EFI/BOOT/BOOTX64.EFI
  cp /root/root.gpg ${INSTALL_TARGET}/boot/
  # NOTES/TODO

• WPA-TKIP WPA2-AES Connection speed

  Hi,
  My customer uses controller based wireless network. There is a connection speed problem between two SSID's. First SSID uses WPA(TKIP+AES) and WPA2(TKIP+AES) encryption method and dot1x authentication method. Second SSID uses open authentication (this is a guest SSID)
  802.11 a/n/ac is enable on WLC and client can connect with these methods. But clients connect to the first SSID with 802.11 b/g (54 Mbps) and connect to the second SSID with 802.11 a/n/ac. Customer wants to know why our clients connect with low speed to first SSID even if a/n/ac is enable.
  Sometimes WPA-TKIP encryption methods can reduce the connection speed. Do you have any idea about that and official document about this problem?
  Thanks,
  Burhan,

  TKIP and AES are two different types of encryption that can be used by a Wi-Fi network. TKIP stands for “Temporal Key Integrity Protocol.” It was a stopgap encryption protocol introduced with WPA to replace the very-insecure WEP encryption at the time. TKIP is actually quite similar to WEP encryption. TKIP is no longer considered secure, and is now deprecated. In other words, you shouldn’t be using it.
  AES stands for “Advanced Encryption Standard.” This was a more secure encryption protocol introduced with WPA2, which replaced the interim WPA standard. AES isn’t some creaky standard developed specifically for Wi-Fi networks; it’s a serious worldwide encryption standard that’s even been adopted by the US government. For example, when you encrypt a hard drive with TrueCrypt, it can use AES encryption for that. AES is generally considered quite secure, and the main weaknesses would be brute-force attacks (prevented by using a strong passphrase) and security weaknesses in other aspects of WPA2.
  The “PSK” in both names stands for “pre-shared key” — the pre-shared key is generally your encryption passphrase. This distinguishes it from WPA-Enterprise, which uses a RADIUS server to hand out unique keys on larger corporate or government Wi-Fi networks.
  In summary, TKIP is an older encryption standard used by the old WPA standard. AES is a newer Wi-Fi encryption solution used by the new-and-secure WPA2 standard. In theory, that’s the end of it. But, depending on your router, just choosing WPA2 may not be good enough.
  While WPA2 is supposed to use AES for optimal security, it also has the option to use TKIP for backward compatibility with legacy devices. In such a state, devices that support WPA2 will connect with WPA2 and devices that support WPA will connect with WPA. So “WPA2″ doesn’t always mean WPA2-AES. However, on devices without a visible “TKIP” or “AES” option, WPA2 is generally synonymous with WPA2-AES.
  WPA and TKIP compatability options can also slow your Wi-Fi network down. Many modern Wi-Fi routers that support 802.11n and newer, faster standards will slow down to 54mbps if you enable WPA or TKIP in their options. They do this to ensure they’re compatible with these older devices.
  In comaprison, even 802.11n supports up to 300mbps — but, generally, only if you’re using WPA2 with AES. Theoretically, 802.11ac offers theoretical maximum speeds of 3.46 Gbps under optimum (read: perfect) conditions.
  In other words, WPA and TKIP will slow a modern Wi-Fi network down. It’s not all about security!

• AES Encryption for Windows Phone

  Hi,
  We are developing a windows phone app and the same app is also being developed in Android and IOS. All three platforms are using a JSON web service for data access. Parameters to be passed are encrypted using AES algorithm.
  The web service uses the Encryption and Decryption as shown in the following link : 
  https://msdn.microsoft.com/en-us/library/system.security.cryptography.aesmanaged(v=vs.110).aspx
  The same is Encryption is available in IOS and Android and working fine.
  I am unable to achieve the same encryption in Windows Phone as System.Security.Cryptography is not available in Windows Phone. I did browse around and found a few alternatives as shown below but i am not getting the desired result i.e. Encrypted data is
  not the same and hence Decryption is not giving the same result in server side.
  public static byte[] Encrypt(string plainText, string pw, string salt)
  IBuffer pwBuffer = CryptographicBuffer.ConvertStringToBinary(pw, BinaryStringEncoding.Utf8);
  IBuffer saltBuffer = CryptographicBuffer.ConvertStringToBinary(salt, BinaryStringEncoding.Utf16LE);
  IBuffer plainBuffer = CryptographicBuffer.ConvertStringToBinary(plainText, BinaryStringEncoding.Utf16LE);
  // Derive key material for password size 32 bytes for AES256 algorithm
  KeyDerivationAlgorithmProvider keyDerivationProvider = Windows.Security.Cryptography.Core.KeyDerivationAlgorithmProvider.OpenAlgorithm("PBKDF2_SHA1");
  // using salt and 1000 iterations
  KeyDerivationParameters pbkdf2Parms = KeyDerivationParameters.BuildForPbkdf2(saltBuffer, 1000);
  // create a key based on original key and derivation parmaters
  CryptographicKey keyOriginal = keyDerivationProvider.CreateKey(pwBuffer);
  IBuffer keyMaterial = CryptographicEngine.DeriveKeyMaterial(keyOriginal, pbkdf2Parms, 32);
  CryptographicKey derivedPwKey = keyDerivationProvider.CreateKey(pwBuffer);
  // derive buffer to be used for encryption salt from derived password key
  IBuffer saltMaterial = CryptographicEngine.DeriveKeyMaterial(derivedPwKey, pbkdf2Parms, 16);
  // display the buffers – because KeyDerivationProvider always gets cleared after each use, they are very similar unforunately
  string keyMaterialString = CryptographicBuffer.EncodeToBase64String(keyMaterial);
  string saltMaterialString = CryptographicBuffer.EncodeToBase64String(saltMaterial);
  SymmetricKeyAlgorithmProvider symProvider = SymmetricKeyAlgorithmProvider.OpenAlgorithm("AES_CBC_PKCS7");
  // create symmetric key from derived password key
  CryptographicKey symmKey = symProvider.CreateSymmetricKey(keyMaterial);
  // encrypt data buffer using symmetric key and derived salt material
  IBuffer resultBuffer = CryptographicEngine.Encrypt(symmKey, plainBuffer, saltMaterial);
  byte[] result;
  CryptographicBuffer.CopyToByteArray(resultBuffer, out result);
  return result;
  public static string Decrypt(byte[] encryptedData, string pw, string salt)
  IBuffer pwBuffer = CryptographicBuffer.ConvertStringToBinary(pw, BinaryStringEncoding.Utf8);
  IBuffer saltBuffer = CryptographicBuffer.ConvertStringToBinary(salt, BinaryStringEncoding.Utf16LE);
  IBuffer cipherBuffer = CryptographicBuffer.CreateFromByteArray(encryptedData);
  // Derive key material for password size 32 bytes for AES256 algorithm
  KeyDerivationAlgorithmProvider keyDerivationProvider = Windows.Security.Cryptography.Core.KeyDerivationAlgorithmProvider.OpenAlgorithm("PBKDF2_SHA1");
  // using salt and 1000 iterations
  KeyDerivationParameters pbkdf2Parms = KeyDerivationParameters.BuildForPbkdf2(saltBuffer, 1000);
  // create a key based on original key and derivation parmaters
  CryptographicKey keyOriginal = keyDerivationProvider.CreateKey(pwBuffer);
  IBuffer keyMaterial = CryptographicEngine.DeriveKeyMaterial(keyOriginal, pbkdf2Parms, 32);
  CryptographicKey derivedPwKey = keyDerivationProvider.CreateKey(pwBuffer);
  // derive buffer to be used for encryption salt from derived password key
  IBuffer saltMaterial = CryptographicEngine.DeriveKeyMaterial(derivedPwKey, pbkdf2Parms, 16);
  // display the keys – because KeyDerivationProvider always gets cleared after each use, they are very similar unforunately
  string keyMaterialString = CryptographicBuffer.EncodeToBase64String(keyMaterial);
  string saltMaterialString = CryptographicBuffer.EncodeToBase64String(saltMaterial);
  SymmetricKeyAlgorithmProvider symProvider = SymmetricKeyAlgorithmProvider.OpenAlgorithm("AES_CBC_PKCS7");
  // create symmetric key from derived password material
  CryptographicKey symmKey = symProvider.CreateSymmetricKey(keyMaterial);
  // encrypt data buffer using symmetric key and derived salt material
  IBuffer resultBuffer = CryptographicEngine.Decrypt(symmKey, cipherBuffer, saltMaterial);
  string result = CryptographicBuffer.ConvertBinaryToString(BinaryStringEncoding.Utf16LE, resultBuffer);
  return result;
  public static string AES_Encrypt(string input, string pass)
  SymmetricKeyAlgorithmProvider SAP = SymmetricKeyAlgorithmProvider.OpenAlgorithm(SymmetricAlgorithmNames.AesEcbPkcs7);
  CryptographicKey AES;
  HashAlgorithmProvider HAP = HashAlgorithmProvider.OpenAlgorithm(HashAlgorithmNames.Md5);
  CryptographicHash Hash_AES = HAP.CreateHash();
  string encrypted = "";
  try
  byte[] hash = new byte[32];
  Hash_AES.Append(CryptographicBuffer.CreateFromByteArray(System.Text.Encoding.UTF8.GetBytes(pass)));
  byte[] temp;
  CryptographicBuffer.CopyToByteArray(Hash_AES.GetValueAndReset(), out temp);
  Array.Copy(temp, 0, hash, 0, 16);
  Array.Copy(temp, 0, hash, 15, 16);
  AES = SAP.CreateSymmetricKey(CryptographicBuffer.CreateFromByteArray(hash));
  IBuffer Buffer = CryptographicBuffer.CreateFromByteArray(System.Text.Encoding.UTF8.GetBytes(input));
  encrypted = CryptographicBuffer.EncodeToBase64String(CryptographicEngine.Encrypt(AES, Buffer, null));
  return encrypted;
  catch (Exception ex)
  return null;
  public static string AES_Decrypt(string input, string pass)
  SymmetricKeyAlgorithmProvider SAP = SymmetricKeyAlgorithmProvider.OpenAlgorithm(SymmetricAlgorithmNames.AesEcbPkcs7);
  CryptographicKey AES;
  HashAlgorithmProvider HAP = HashAlgorithmProvider.OpenAlgorithm(HashAlgorithmNames.Md5);
  CryptographicHash Hash_AES = HAP.CreateHash();
  string decrypted = "";
  try
  byte[] hash = new byte[32];
  Hash_AES.Append(CryptographicBuffer.CreateFromByteArray(System.Text.Encoding.UTF8.GetBytes(pass)));
  byte[] temp;
  CryptographicBuffer.CopyToByteArray(Hash_AES.GetValueAndReset(), out temp);
  Array.Copy(temp, 0, hash, 0, 16);
  Array.Copy(temp, 0, hash, 15, 16);
  AES = SAP.CreateSymmetricKey(CryptographicBuffer.CreateFromByteArray(hash));
  IBuffer Buffer = CryptographicBuffer.DecodeFromBase64String(input);
  byte[] Decrypted;
  CryptographicBuffer.CopyToByteArray(CryptographicEngine.Decrypt(AES, Buffer, null), out Decrypted);
  decrypted = System.Text.Encoding.UTF8.GetString(Decrypted, 0, Decrypted.Length);
  return decrypted;
  catch (Exception ex)
  return null;
  Both methods shown above are not giving the same result.
  I would require the following scenario :
  Plain Text : "login@123"
  Key : "0123456789abcdef"
  IV : "fedcba9876543210"
  Hex : 356F65678C82C137BDBB2A2C8F824A68
  Encrypted Text : 5oegåÇ¡7Ωª*,èÇJh
  Request you to please suggest alternative to obtain the same AES Encryption using a Key and IV in Windows Phone.
  Thanks in advance.
  Regards,
  Vinay D

  Hi,
  The encryption and decryption in : http://dotnetspeak.com/2011/11/encrypting-and-decrypting-data-in-winrt-2 is
  not giving me the desired result.
  I would require the following scenario :
  Plain Text : "login@123"
  Key : "0123456789abcdef"
  IV : "fedcba9876543210"
  Encrypted Text : 5oegåÇ¡7Ωª*,èÇJh
  But what i am getting from the above link is : 
  I would require the following scenario :
  Plain Text : "login@123"
  Key : "0123456789abcdef"
  IV : "fedcba9876543210"
  Encrypted Text : NW9lZ4yCwTe9uyosj4JKaA==
  As u can see the encrypted string is not the same and hence i would get a different decrypt string on the server.
  I cannot change the server as it is in production and working with Android and IOS.
  Regards,
  Vinay D

• Enable AES encryption on 1310 Wireless bridge

       Hi All,
      I have requirment to enable the AES encryption on the management VLAN  traffic  between connected root and non root bridges . can any one share the configuration guidelines please ??
  below is the network setup  .
  Router<---->SW1 ( main office)--> Root-bridge < ---------->non root-bride------SW2 ( remote end site)
  Apart from the specific configuration on the wireless bridge is any extra configuration required on the Switch interfaces??
  Regards
  Lerner

  Hello,
  1. Make sure you are running version 12.3(7)JA or later since WPA2/AES was not always available for the 1310.
  2. How do you currently have the root/non-root configured?
  Ideally, adding AES shoudl be fairly straight forward.  Keep in mind we recommend using WPA2 with AES.
  configured on your root AND non-root:
  dot11 ssid
  authentication open
  authentication key-management wpa version 2
  interface do1
  encryption mode ciphers aes-ccm

• AES Encryption - Encrypted value lengths

  HI all -
  I am attempting to use CF 8's AES encryption feature, and
  have not found a critical piece of info in the docs to enable me to
  progress.
  I am using the function to encrypt a password that can be
  from 6 to 16 characters long, which will be stored in a database. I
  am using generateSecretKey("AES"), and that gives me a 24 character
  key that I'm storing for future decryption use. I find that when I
  use the key to encrypt a 6 character password the resulting
  encrypted string is 32 characters long, but when I encrypt a 16
  character password I get a 64 character encrypted string. This is
  the case whether I specify "HEX" or "UU" as the encoding.
  Without knowing how the length of the resulting encoded
  string is determined, I cannot know how large to make my database
  column. (MySQL's AES encryption gives the formula 16 ×
  (trunc(string_length / 16) + 1) to arrive at the resulting string's
  length, but that formula doesn't yield the results I'm seeing in
  CFMX). Can anyone point me to a doc, or explain to me how to
  determine the column length for storing the resulting encrypted
  value?

  No. Only things like key, encoding and string size should
  matter. If the encoding is "hex", 1-15 characters should produce
  size 32, 16-31 characters should produce 64, etcetera. Unless space
  is at a premium, you could always increase the field size if that
  makes you feel more comfortable.
  Well, the results are dictated by the AES standard and basic
  string encoding rules, not CF. I highly doubt either one is going
  to change any time soon ;-) I agree documentation is good. However,
  unlike aes_encrypt, the encrypt function supports many different
  algorithms. Most of which have a distinct set of rules. So it would
  probably be difficult to provide accurate information about all of
  them. Especially as the specifications for each one alone probably
  spans volumes ;-)

• Does 7921 support WPA2+AES+PKC?

  Does Cisco IP Phone 7921G support WPA2+AES+PKC? I know it supports WPA2+AES, but documentation is not clear if it supports PKC.
  Or do I _have to_ use WPA+TKIP+CCKM to support fast secure roaming in CUWN environment?
  VoWLAN design guide 4.1 recommends using WPA+TKIP+CCKM. Is that because the phone doesn't support PKC? Is that going to change?

  Ok first off the 7921G and 7925G are WPA/WPA2 certified.
  7921G
  http://certifications.wi-fi.org/pdf_certificate.php?cid=WFA5040
  7925G
  http://certifications.wi-fi.org/pdf_certificate.php?cid=WFA6945
  The 7921G is not officially WPA/WPA2 Enterprise certified as we didn't support certicate based authentication at the time (PEAP and EAP-TLS), but do now and the 7925G code is the same as the 7921G, just a slightly different hardware.
  As for the 792xG Deployment Guides, I am the one that wrote those docs. :)
  There is a statement there in regards to WPA2+CCKM on page 10.
  Also WPA2(TKIP) is not a common or recommended configuration. If wanting to use WPA2 key-management it is also advised to use AES.
  But the 792xG does support all those methods, but only supports fast roaming (CCKM) with WPA(TKIP) at the moment.
  http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7921g/6_0/english/deployment/guide/7921dply.pdf
  Cisco Centralized Key Management (CCKM)
  When using 802.1x type authentication, you should implement CCKM for authentication. 802.1x can introduce delay during
  roaming due to its requirement for full re-authentication. CCKM centralizes the key management and reduces the number of
  key exchanges. Also, WPA introduces additional transient keys and can lengthen roaming time.
  TKIP encryption is recommended when using CCKM for fast roaming as CCKM does not support AES currently.