View previous topic :: View next topic |
Author |
Message |
oxensepp n00b
Joined: 01 May 2020 Posts: 42
|
Posted: Sat Nov 04, 2023 11:41 pm Post subject: how I installed gentoo with a full disk encryption |
|
|
Finally my gentoo with full disk encryption is running. Since I am not a nerd, computer scientist, programmer, security expert, ... it was a lot of learning and try-and-error for me.
I did like to show it, because I did not find a similar "guide", therefore it may be useful for others.
All kind of errors possible, you have been warned...! I worked a lot with copy and paste, so maybe I forgot something (hope not!). Apologies for any errors, however.
it provides a two factor authentification which I saw first from Sakaki (thank you very much!), but now without special changes to the system, all "out of the box".
Additionally, even /boot is encrypted.
Thanks also to gmpreussner, who set up an arch linux, see https://gmpreussner.com/reference/fully-encrypted-archlinux-with-secure-boot-on-yoga-920. Basically I just adapted his really fine template for gentoo. So I have also the detached header, btrfs with subvolumes, ... Please see there for reference.
And it works just with usual gentoo tools, i.e. grub, genkernel, cryptsetup, .... It does not use dracut and gpg.
The computer has dual boot: Windows if you just press the power button and Linux, if you put in a boot stick before. This is done by the boot order and not part of my description. Also not described is the Windows installation, it took place before installing gentoo. A part of the sdd is occupied with windows, when the installation begins.
As usual, I have a gentoo installation image on USB and a second computer ('liszt', also linux) for more convenience. But lets start...
First, I prepare the boot stick for the target computer (that is the stick which later boots the encrypted system, do not confuse it with the gentoo installation stick, this is an USB stick with the gentoo installation iso image on it!)
Inset the boot stick into the helper computer -> /dev/sda.
Prepare EFI and (luks1-encrypted) boot partiton. I did that on the helper computer.
Code: |
[root@liszt ~]# fdisk /dev/sda
Welcome to fdisk (util-linux 2.39.2).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
Command (m for help): n
Partition number (1-128, default 1):
First sector (34-15730654, default 2048):
Last sector, +/-sectors or +/-size{K,M,G,T,P} (2048-15730654, default 15728639): +512M
Created a new partition 1 of type 'Linux filesystem' and of size 512 MiB.
Command (m for help): n
Partition number (2-128, default 2):
First sector (1050624-15730654, default 1050624):
Last sector, +/-sectors or +/-size{K,M,G,T,P} (1050624-15730654, default 15728639): +5G
Created a new partition 2 of type 'Linux filesystem' and of size 5 GiB.
Command (m for help): t
Partition number (1,2, default 2): 1
Partition type or alias (type L to list all): 1
Changed type of partition 'Linux filesystem' to 'EFI System'.
Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.
[root@liszt ~]# mkfs.fat -n EFI -F32 /dev/sda1
mkfs.fat 4.2 (2021-01-31)
[root@liszt ~]# cryptsetup --type=luks1 luksFormat /dev/sda2
WARNING!
========
This will overwrite data on /dev/sda2 irrevocably.
Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/sda2:
Verify passphrase:
root@liszt ~]# cryptsetup open /dev/sda2 luksboot
Enter passphrase for /dev/sda2:
[root@liszt ~]# mkfs.ext2 -L BOOT /dev/mapper/luksboot
mke2fs 1.47.0 (5-Feb-2023)
Creating filesystem with 1310208 4k blocks and 327680 inodes
Filesystem UUID: 8a73b562-f299-4828-83f9-aa6fd7213604
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736
Allocating group tables: done
Writing inode tables: done
Writing superblocks and filesystem accounting information: done
|
now, mount it to /mnt/bootstick, generate a keyfile
Code: |
[root@liszt ~]# mkdir /mnt/bootstick
[root@liszt ~]# mount /dev/mapper/luksboot /mnt/bootstick/
[root@liszt ~]# mkdir -p /mnt/bootstick/luks/mnt/header
[root@liszt ~]# mkdir -p /mnt/bootstick/luks/mnt/key
[root@liszt ~]# truncate -s 20M /mnt/bootstick/luks/mnt/header/nvme0n1p5.header
[root@liszt ~]# dd bs=8388608 count=1 if=/dev/urandom of=/mnt/bootstick/luks/mnt/key/nvme0n1p5.key
1+0 records in
1+0 records out
8388608 bytes (8.4 MB, 8.0 MiB) copied, 0.0370004 s, 227 MB/s
|
note: one MUST use the subdirectories mnt/header and mnt/key, because genkernel looks only there for header and key files. it is hardcoded in /usr/share/genkernel/default/initrd.scripts (later more).
nvme0n1p5 is the name of the partition with the luks container in it.
Unmount / close the USB key and pull it from the helper computer.
Insert the gentoo installation stick and power the computer on (and passwd root, start sshd, etc)
Insert the boot stick in the target computer.
SSH to the target computer.
Code: |
nico@liszt:~ > ssh -l root 192.168.1.82
The authenticity of host '192.168.1.82 (192.168.1.82)' can't be established.
ED25519 key fingerprint is SHA256:TBoLChNa1UP6pdtuz2rr8mE6KiicfwPu8rNR278yTgM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.82' (ED25519) to the list of known hosts.
(root@192.168.1.82) Password:
Welcome to the Gentoo Linux Minimal Installation CD!
The root password on this system has been auto-scrambled for security.
If any ethernet adapters were detected at boot, they should be auto-configured
if DHCP is available on your network. Type "net-setup eth0" to specify eth0 IP
address settings by hand.
Check /etc/kernels/kernel-config-* for kernel configuration(s).
The latest version of the Handbook is always available from the Gentoo web
site by typing "links https://wiki.gentoo.org/wiki/Handbook".
To start an ssh server on this system, type "/etc/init.d/sshd start". If you
need to log in remotely as root, type "passwd root" to reset root's password
to a known value.
Please report any bugs you find to https://bugs.gentoo.org. Be sure to include
detailed information about how to reproduce the bug you are reporting.
Thank you for using Gentoo Linux!
livecd ~ # cryptsetup open /dev/sdb2 luksboot
Enter passphrase for /dev/sdb2:
livecd ~ # mkdir /mnt/bootstick
livecd ~ # mount /dev/mapper/luksboot /mnt/bootstick/
livecd ~ # fdisk /dev/nvme0n1
Welcome to fdisk (util-linux 2.38.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
The backup GPT table is not on the end of the device. This problem will be corrected by
write.
Command (m for help): p
Command (m for help): p
Disk /dev/nvme0n1: 1.82 TiB, 2000398934016 bytes, 3907029168 sectors
Disk model: Seagate FireCuda 520 SSD ZP2000GM30002
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 477565AE-CB14-47F4-8552-5C03A6FF27EC
Device Start End Sectors Size Type
/dev/nvme0n1p1 2048 2099199 2097152 1G EFI System
/dev/nvme0n1p2 2099200 2361343 262144 128M Microsoft reserved
/dev/nvme0n1p3 2361344 493813759 491452416 234.3G Microsoft basic data
/dev/nvme0n1p4 493813760 500117503 6303744 3G Windows recovery environment
Command (m for help): n
Partition number (5-128, default 5):
First sector (500117504-3907029134, default 500117504): 500120000
Last sector, +/-sectors or +/-size{K,M,G,T,P} (500120000-3907029134, default 3907028991): +1500G
Created a new partition 5 of type 'Linux filesystem' and of size 1.5 TiB.
Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.
livecd ~ # cryptsetup --key-size 512 luksFormat --align-payload 82000 /dev/nvme0n1p5 --key-file /mnt/bootstick/luks/mnt/key/nvme0n1p5.key --header /mnt/bootstick/luks/mnt/header/nvme0n1p5.header
WARNING!
========
This will overwrite data on /mnt/bootstick/luks/nvme0n1p5.header irrevocably.
Are you sure? (Type 'yes' in capital letters): YES
|
note: this generates a luks container with detached header and a corresponding key file.
note: --align-payload is deprecated, use --offset instead, but be aware that the numeric attribute is calculated differently! See man page.
now create the lvm stuff and the filesystems. See gmpreussner's guide for reference.
Code: |
livecd ~ # cryptsetup --header=/mnt/bootstick/luks/nvme0n1p5.header --key-file=/mnt/bootstick/luks/nvme0n1p5.key luksOpen /dev/nvme0n1p5 luksroot
|
EDIT 2023-11-18: that's a typo! The pathes for key and header are incorrect. Use:
Code: |
cryptsetup --header=/mnt/bootstick/luks/mnt/header/nvme0n1p6.header --key-file=/mnt/bootstick/luks/mnt/key/nvme0n1p6.key luksOpen /dev/nvme0n1p6 luksroot
|
Code: |
livecd ~ # ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 236 Nov 1 17:58 control
lrwxrwxrwx 1 root root 7 Nov 1 18:05 luksboot -> ../dm-0
lrwxrwxrwx 1 root root 7 Nov 1 18:18 luksroot -> ../dm-1
livecd ~ # pvcreate /dev/mapper/luksroot
Physical volume "/dev/mapper/luksroot" successfully created.
livecd ~ # vgcreate System /dev/mapper/luksroot
Volume group "System" successfully created
livecd ~ # lvcreate -L 40G System -n swap
Logical volume "swap" created.
livecd ~ # lvcreate -l 100%FREE System -n root
Logical volume "root" created.
livecd ~ # mkswap /dev/mapper/System-swap
Setting up swapspace version 1, size = 40 GiB (42949668864 bytes)
no label, UUID=a879d846-15d3-43c7-95b4-e8b6617634aa
livecd ~ # swapon -d /dev/mapper/System-swap
livecd ~ # mkfs.btrfs -L root /dev/mapper/System-root
[output snipped]
|
EDIT 2023-11-18: I deleted to much here, sorry for that. the mount was missing:
Code: |
livecd ~ # mount /dev/mapper/System-root /mnt/gentoo/
|
Code: | [
livecd ~ # btrfs subvolume create /mnt/gentoo/@
Create subvolume '/mnt/gentoo/@'
livecd ~ # btrfs subvolume create /mnt/gentoo/@home
Create subvolume '/mnt/gentoo/@home'
livecd ~ # btrfs subvolume create /mnt/gentoo/@snapshots
Create subvolume '/mnt/gentoo/@snapshots'
livecd ~ # umount /mnt/gentoo/
livecd ~ # mount -o compress=lzo,discard,noatime,nodiratime,subvol=@ /dev/mapper/System-root /mnt/gentoo/
livecd ~ # mkdir /mnt/gentoo/home
livecd ~ # mkdir /mnt/gentoo/.snapshots
livecd ~ # mount -o compress=lzo,discard,noatime,nodiratime,subvol=@home /dev/mapper/System-root /mnt/gentoo/home
livecd ~ # mount -o compress=lzo,discard,noatime,nodiratime,subvol=@snapshots /dev/mapper/System-root /mnt/gentoo/.snapshots
livecd ~ # mkdir /mnt/gentoo/var/
livecd ~ # btrfs subvolume create /mnt/gentoo/var/cache
Create subvolume '/mnt/gentoo/var/cache'
livecd ~ # btrfs subvolume create /mnt/gentoo/var/log
Create subvolume '/mnt/gentoo/var/log'
livecd ~ # btrfs subvolume create /mnt/gentoo/var/tmp
Create subvolume '/mnt/gentoo/var/tmp'
livecd ~ # umount /mnt/bootstick
|
note: umount /mnt/bootstick! we will need it again later, after chrooting.
now we can install the base system and some tooling.
Code: |
livecd ~ # chronyd -q
2023-11-01T20:56:53Z chronyd version 4.4 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP
+SCFILTER -SIGND +ASYNCDNS +NTS +SECHASH +IPV6 -DEBUG)
2023-11-01T20:56:53Z Wrong owner of /run/chrony (UID != 0)
2023-11-01T20:56:53Z Disabled command socket /run/chrony/chronyd.sock
2023-11-01T20:56:53Z Running with root privileges
2023-11-01T20:56:58Z System clock wrong by 27.926950 seconds (step)
2023-11-01T20:57:26Z chronyd exiting
ivecd /mnt/gentoo # wget https://distfiles.gentoo.org/releases/amd64/autobuilds/20231029T164701Z/stage3-amd64-openrc-20231029T164701Z.tar.xz
[gpg checks snipped, see gentoo installation handbook]
livecd /mnt/gentoo # tar xpvf stage3-*.tar.xz --xattrs-include='*.*' --numeric-owner
[...]
[generating make.conf, etc snipped, see gentoo installation handbook]
|
Now, chroot and mount the bootstick again. Note sdb2, this is the boot stick.
Code: |
livecd /mnt/gentoo # arch-chroot /mnt/gentoo
livecd / # source /etc/profile
livecd / # export PS1="(chroot) ${PS1}"
(chroot) livecd / # mount /dev/mapper/luksboot /boot/
(chroot) livecd / # mkdir /boot/EFI
(chroot) livecd / # mount /dev/sdb1 /boot/EFI
(chroot) livecd / # lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
loop0 7:0 0 425.1M 1 loop
sda 8:0 1 14.3G 0 disk
├─sda1 8:1 1 246K 0 part
├─sda2 8:2 1 2.8M 0 part
├─sda3 8:3 1 463.7M 0 part
└─sda4 8:4 1 300K 0 part
sdb 8:16 1 7.5G 0 disk
├─sdb1 8:17 1 512M 0 part /boot/EFI
└─sdb2 8:18 1 5G 0 part
└─luksboot 252:0 0 5G 0 crypt /boot
sr0 11:0 1 1024M 0 rom
zram0 253:0 0 0B 0 disk
nvme0n1 259:0 0 1.8T 0 disk
├─nvme0n1p1 259:1 0 1G 0 part
├─nvme0n1p2 259:2 0 128M 0 part
├─nvme0n1p3 259:3 0 234.3G 0 part
├─nvme0n1p4 259:4 0 3G 0 part
└─nvme0n1p5 259:5 0 1.5T 0 part
└─luksroot 252:1 0 1.5T 0 crypt
├─System-swap 252:2 0 40G 0 lvm [SWAP]
└─System-root 252:3 0 1.4T 0 lvm /.snapshots
/home
/
|
Now proceede as described in the installation handbook: emerge-webrsync, cpuid2cpuflags, locale. Then proceed with emergeing gentoo-sources, genkernel, grub, ...:
Code: |
(chroot) livecd / # emerge --ask sys-kernel/linux-firmware
[...]
(chroot) livecd / # emerge --ask sys-fs/cryptsetup
[...]
(chroot) livecd / # emerge --ask sys-kernel/gentoo-sources
[...]
(chroot) livecd / # emerge --ask sys-kernel/genkernel
[...]
(chroot) livecd / # cat > /etc/portage/package.use/grub2
sys-boot/grub:2 device-mapper
(chroot) livecd / # emerge --ask sys-boot/grub
[...]
(chroot) livecd / # emerge --ask net-misc/dropbear
[...]
(chroot) livecd / # mkdir /etc/dropbear
(chroot) livecd / # cat >> /etc/dropbear/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCFPT0BEhbpE7PQn+D3p8eMvDCfurs6SgCZHGMrESD8lviOcfWV1AfhJGdiYMNLEM0YerID4xPplmgN4X+o7IllDBnNzw3qbTF+GvVN+/vM/DdgsgJqQXOZcKDCez3ncymvzaMKGh/ESmSvUgGfRa4cpVmRH0kTqHo6XYK+OKwuy0gWv9KoJ76ocfZZu+pXq3MNkuT5BRpMT4yZwsL6sxCXALlBkZDWoXbNua5z81osPzVvSPipfJrQlfAkNnabpJjgO8zZifLmhANknUXEmbYWOrxI41JZBGf0cF+Kj48zsoYuT70XthG/FGwfmdmc7slvKomVKDfLXBPZg9UsjaM3lgiPZDcV9DaS1vQmXG9rX58CEdRkpcbh25bj97lA2oNXB8GzbgHn3s2AWCLAl8N7dZi0yDKrJP/2dTpUqvno9nseTrIIHlITHn0kM4x421u1TxFRKsuIF6MuaQ6R0trG/EO4zq/la0oWwmWtZpSEm6cWOqtY7QLt1p8pY0n2OE0= nico@liszt
(chroot) livecd / # eselect kernel list
Available kernel symlink targets:
[1] linux-6.1.57-gentoo
(chroot) livecd / # eselect kernel set 1
(chroot) livecd / # eselect kernel list
Available kernel symlink targets:
[1] linux-6.1.57-gentoo *
(chroot) livecd / # emerge --ask sys-fs/genfstab
[...]
(chroot) livecd / # genfstab -Up / >> /etc/fstab
(chroot) livecd / # nano /etc/fstab
[add 'noauto' to boot and boot/EFI]
|
note: do not forget to add the device-mapper USE flag to grub2.
note: dropbear and authorized_keys is optional (sshd while living in initramfs), I copy&pasted the key from my helper computer.
Code: |
(chroot) livecd / # blkid /dev/sdb2
/dev/sdb2: UUID="6c1be42b-7ef0-4f18-8d27-96eb65e53f60" TYPE="crypto_LUKS" PARTUUID="2c5491e0-24d7-4eec-826a-34106de9dadf"
(chroot) livecd / # cat >> /etc/crypttab
luksboot UUID="6c1be42b-7ef0-4f18-8d27-96eb65e53f60" none noauto,luks
|
note: is crypttab really mandatory? Dont know...
Now comes the interesting part: genkernel and grub.
Code: |
(chroot) livecd / # nano /etc/genkernel.conf
(chroot) livecd / # grep -v "^$\|#" /etc/genkernel.conf
NOCOLOR="false"
LVM="yes"
LUKS="yes"
SSH="yes"
BUSYBOX="yes"
BTRFS="yes"
KEYMAP="yes"
GK_SHARE="${GK_SHARE:-/usr/share/genkernel}"
CACHE_DIR="/var/cache/genkernel"
DISTDIR="${GK_SHARE}/distfiles"
LOGFILE="/var/log/genkernel.log"
LOGLEVEL=1
DEFAULT_KERNEL_SOURCE="/usr/src/linux"
INITRAMFS_OVERLAY="/boot/luks"
(chroot) livecd / # nano /etc/default/grub
(chroot) livecd / # grep -v "^$\|#" /etc/default/grub
GRUB_DISTRIBUTOR="Gentoo"
GRUB_DISABLE_LINUX_PARTUUID=false
GRUB_PRELOAD_MODULES="part_gpt part_msdos lvm"
GRUB_ENABLE_CRYPTODISK=y
GRUB_TIMEOUT_STYLE=menu
GRUB_TERMINAL_INPUT=console
GRUB_CMDLINE_LINUX="keymap=de dosshd dolvm crypt_root=PARTUUID=25336fde-bb7c-e34d-9592-0af9ce086dd4 root_trim=yes root_key=nvme0n1p5.key root_header=nvme0n1p5.header resume=/dev/System/swap"
|
note:
Code: |
(chroot) livecd / # blkid /dev/nvme0n1p5
/dev/nvme0n1p5: PARTUUID="25336fde-bb7c-e34d-9592-0af9ce086dd4"
|
note the INITRAMFS_OVERLAY! The complete path for the luks header is /boot/luks/mnt/header/nvme0n1p5.header, the path for the key file is /boot/luks/mnt/key/nvme0n1p5.key
note: I have a german keyboard, therefore KEYMAP - you will notice more keymap/"de" stuff when proceeding.
note: in /etc/default/grub, do not omit the "root_header". If unset, the mechanism for cryptsetup with a detached header is not triggered, and you will not get the luks2 container opened. As mentioned, the path for the header and the key file is critical.
Now, compile the kernel nad generate the initramfs. --menuconfig lets you edit the kernel config. I did nothing special there, at least not for the cryptsetup/luks thing.
Code: |
(chroot) livecd / # genkernel --menuconfig --install --symlink --ramdisk-modules all
|
This should generate a kernel image and a initramfs in /boot, which is in the openend luks1 container. See disk layout above.
Now, install the boot loader:
Code: |
(chroot) livecd / # mkdir /boot/grub
(chroot) livecd / # grub-mkconfig -o /boot/grub/grub.cfg
GRUB-Konfigurationsdatei wird erstellt …
Linux-Abbild gefunden: /boot/vmlinuz-6.1.57-gentoo-x86_64
initrd-Abbild gefunden: /boot/initramfs-6.1.57-gentoo-x86_64.img
Warnung: Zur Erkennung anderer bootfähiger Partitionen wird os-prober nicht ausgeführt.
Die darauf befindlichen Systeme werden nicht zur GRUB-Bootkonfiguration hinzugefügt.
Schauen Sie in den Dokumentationseintrag GRUB_DISABLE_OS_PROBER.
Bootmenü-Eintrag für UEFI-Firmware-Einstellungen wird hinzugefügt …
abgeschlossen
(chroot) livecd / # grub-install --target=x86_64-efi --efi-directory=/boot/EFI --removable --bootloader-id="grub"
x86_64-efi wird für Ihre Plattform installiert.
installation beendet. Keine Fehler aufgetreten.
|
Now, set the console keymap (keymap="de-latin1-nodeadkeys") and, of course, dont forget to set a root password.
unmount, close, all filesystems and shutdown for the first boot of the new installation
Code: |
(chroot) livecd / # nano /etc/conf.d/keymaps
(chroot) livecd / # passwd
[...]
(chroot) livecd / # umount /boot/EFI/
(chroot) livecd / # umount /boot/
(chroot) livecd / # cryptsetup close /dev/mapper/luksboot
livecd /mnt/gentoo # umount /mnt/gentoo/.snapshots/
livecd /mnt/gentoo # umount /mnt/gentoo/home/
livecd /mnt/gentoo # cd ..
livecd /mnt # umount /mnt/gentoo/
livecd /mnt # swapoff /dev/mapper/System-swap
livecd /mnt # cryptsetup luksClose /dev/mapper/System-swap
livecd /mnt # cryptsetup luksClose /dev/mapper/System-root
livecd /mnt # cryptsetup luksClose /dev/mapper/luksroot
livecd /mnt # shutdown -h now
|
When booted with the boot stick inserted, grub should come up and ask you for the passphrase for /boot resp. initramfs - it is not named "/boot", but grub will decrypt the /boot partition, load the initramfs and start the system. Then it should boot up until the login prompt. At least, mine does
Now proceed with finalizing the installation, as described in the handbook.
As mentioned, I spent a lot of time until it worked, and I had learn a lot of things I never ever wanted to know.
I hope it helps another gentoo users.
Last edited by oxensepp on Sat Nov 18, 2023 8:53 am; edited 2 times in total |
|
Back to top |
|
|
fedeliallalinea Administrator
Joined: 08 Mar 2003 Posts: 31328 Location: here
|
Posted: Sun Nov 05, 2023 10:29 am Post subject: |
|
|
Moved from Installing Gentoo to Documentation, Tips & Tricks. _________________ Questions are guaranteed in life; Answers aren't. |
|
Back to top |
|
|
oxensepp n00b
Joined: 01 May 2020 Posts: 42
|
Posted: Sun Nov 12, 2023 1:11 pm Post subject: Re: how I installed gentoo with a full disk encryption |
|
|
oxensepp wrote: |
Code: |
livecd ~ # mount -o compress=lzo,discard,noatime,nodiratime,subvol=@ /dev/mapper/System-root /mnt/gentoo/
livecd ~ # mkdir /mnt/gentoo/home
livecd ~ # mkdir /mnt/gentoo/.snapshots
livecd ~ # mount -o compress=lzo,discard,noatime,nodiratime,subvol=@home /dev/mapper/System-root /mnt/gentoo/home
livecd ~ # mount -o compress=lzo,discard,noatime,nodiratime,subvol=@snapshots /dev/mapper/System-root /mnt/gentoo/.snapshots
|
|
After using genfstab, you get an /etc/fstab with these mount options.
I had a really severe performance issue with the new system and tracked it down to a filesystem problem.
Replacing "discard" with "discard=async" solved the problem.
"discard=async" will become default in kernel 6.2, so it should be save. |
|
Back to top |
|
|
oxensepp n00b
Joined: 01 May 2020 Posts: 42
|
Posted: Sun Nov 12, 2023 2:23 pm Post subject: Re: how I installed gentoo with a full disk encryption |
|
|
Some annotations about the boot stick:
Since I use luks with a detached header, all credentials for decrypting the system are saved on the boot stick.
If this boot stick is damaged or lost, there is no possibillity to access the SSD.
Because the header is also on the boot stick (and only there!), adding a second key slot with a passphrase does not work in this scenario.
Therefore, I duplicated the boot stick, and addtitionally made a backup from the luks header and the luks key.
Duplicating the stick is not really difficult. I created the same partition layout on the second (and third...) USB stick and adapted the UUIDs, PARTUUIDs, LABELs, etc.
lsblk -o +UUID,PARTUUID,LABEL shows the data. fdisk can change the disk identifier, set the gpt flag, etc. PARTUUID and LABEL can be set when creating the filesystem.
A brute force method is simply dd-ing the partitions from the working stick to it's duplicate, I did this with the encrypted /boot partition (/dev/sda2 in my installation).
After creating the partitons in the second stick and dd-ing sda2, I opened and mounted /boot and /boot/EFI.
Then I rerun grub-mkconfig and grub-install, but I am unsure if that is really mandatory. Maybe copying /boot/EFI/EFI/BOOT/BOOTX64.EFI is enough?
But do not simply rerun genkernel:
kernel and modules seem sensitive to a certain build, i.e. if genkernel is run once more, the newly created kernel will not load kernel modules (/lib/modules)
from the first run, even if the version is the same, and vice versa.
If you have more than one boot stick, there are chances for mixing up kernel/initramfs and /lib/modules from different builds - this did not work on my computer.
So use always kernel, initramfs and modules from the same build, and ensure that this is the case over all your boot sticks.
But if /boot is mounted, you can simply copy System.map, initramfs and kernel to it. grub-mkconfig should find it and create a valid grub.cfg.
I keep recent copies of Systemmap, initramfs and kernel in /home.
Note: I am not yet using secure boot, so I can not say if it works also with secure boot.
for decrypting and mounting the boot stick I created a shell script. the boot stick must be /dev/sda
Code: |
#!/bin/bash
##
## handle bootstick - mount, unmount
##
LUKSBOOT=luksboot
BOOTSTICK=/dev/sda
ERR_ALLREADYOPEN=1
ERR_NOBOOTDEVICE=2
ERR_NOEFI=3
ERR_CRYPTBOOT=4
ERR_DECRYPT=5
ERR_MOUNT=6
ERR_INVALIDARG=7
ERR_ACCESS=8
if [ $# -ne 1 ]
then
echo "usage $0 [open|close]"
exit 0
fi
if [ $1 = close ]
then
me=$(whoami)
if [ "$me" != root ]
then
echo "you must be root to operate this program!"
exit $ERR_ACCESS
fi
umount /boot/EFI
retval=$?
if [ $retval -ne 0 ]
then
echo "unmounting /boot/EFI failed, but proceeding anyway!"
fi
umount /boot
retval=$?
if [ $retval -ne 0 ]
then
echo "unmounting /boot failed, but proceeding anyway!"
fi
cryptsetup close /dev/mapper/$LUKSBOOT
retval=$?
if [ $retval -ne 0 ]
then
echo "closing luks container /dev/mapper/$LUKSBOOT failed"
exit $ERR_DECRYPT
fi
elif [ $1 = open ]
then
me=$(whoami)
if [ "$me" != root ]
then
echo "you must be root to operate this program!"
exit $ERR_ACCESS
fi
if [ -e /dev/mapper/$LUKSBOOT ]
then
echo "/dev/mapper/$LUKSBOOT already exists, exit!"
exit $ERR_ALLREADYOPEN
fi
if [ ! -b $BOOTSTICK ]
then
echo "no boot device found at $BOOTSTICK."
echo "boot device must be present at $BOOTSTICK! exit"
exit $ERR_NOBOOTDEVICE
fi
if [ ! -b "$BOOTSTICK"1 ]
then
echo "no EFI partition found at $BOOTSTICK"1
echo "EFI partition must be present at $BOOTSTICK"1"! exit"
exit $ERR_NOEFI
fi
if [ ! -b "$BOOTSTICK"2 ]
then
echo "no encrypted boot partition found at $BOOTSTICK2"
echo "encrypted boot partition must be present at $BOOTSTICK"2"! exit"
exit $ERR_CRYPTBOOT
fi
cryptsetup open "$BOOTSTICK"2 $LUKSBOOT
retval=$?
if [ $retval -ne 0 ]
then
echo "decrypting $BOOTSTICK"2" failed!"
exit $ERR_DECRYPT
fi
mount /dev/mapper/$LUKSBOOT /boot
retval=$?
if [ $retval -ne 0 ]
then
echo "mounting /dev/mapper/$LUKSBOOT to /boot failed, exit!"
exit $ERR_MOUNT
fi
mount "$BOOTSTICK"1 /boot/EFI
retval=$?
if [ $retval -ne 0 ]
then
echo "mounting $BOOTSTICK"2" to /boot/EFI failed, exit!"
exit $ERR_MOUNT
fi
else
echo "argument must be open or close"
exit $ERR_INVALIDARG
fi
|
(not to buggy, I hope...)
The other thing is backing up the luks key/header without copying the whole kernel, initramfs, etc. Of course, the backup should be encrypted too.
I decided to use again cryptsetup, since it can not only handle partitions and filesystems, but also just files.
So I created a file with a luks container with a file system with a copy of key and header in it. This method is described in the wiki, I think.
create file:
Code: |
schubert ~ # dd if=/dev/zero of=data.bin count=131072
|
create a luks2 container inside the file:
Code: |
schubert ~ # cryptsetup luksFormat --type=luks2 --offset=16384 data.bin
|
open the container and create a filesystem:
Code: |
schubert ~ # cryptsetup luksOpen data.bin headerkey
Geben Sie die Passphrase für »data.bin« ein:
schubert ~ # mkfs.ext2 /dev/mapper/headerkey
|
Mount it and copy the luks key file/header into it.
As you see from the lsblk output, the boot stick is already mounted
Code: |
schubert ~ # mount /dev/mapper/headerkey /mnt/luks/
schubert ~ # lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
loop0 7:0 0 64M 0 loop
└─headerkey 254:3 0 56M 0 crypt /mnt/luks
sda 8:0 1 14,3G 0 disk
├─sda1 8:1 1 512M 0 part /boot/EFI
├─sda2 8:2 1 5G 0 part
│ └─luksboot 254:4 0 5G 0 crypt /boot
└─sda3 8:3 1 5G 0 part
[...]
schubert ~ # cp -r /boot/luks/mnt/ /mnt/luks/
|
ensure, the the files have been copied correctly.
Then you ca umount/close the luks container as usual:
Code: |
chubert ~ # umount /mnt/luks
schubert ~ # cryptsetup luksClose /dev/mapper/headerkey
schubert ~ # ls -l data.bin
-rw-r--r-- 1 root root 67108864 5. Nov 08:50 data.bin
|
This file you can backup even on unencrypted backups, without revealing your key.
Additionally, you can open and access the key with cryptsetup on a second computer without storing the key on a maybe unencrypted disc, since the filesystem is mapped by /dev/mapper. |
|
Back to top |
|
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
|