After setting up a Debian system in which encryption was not chosen during the installer, do these steps to encrypt the sda3 partition so we have an encrypted rootfs. Follow these steps while booted from another disk so the rootfs can be encrypted off-line:
Mount the btrfs rootfs to /mnt: mount /dev/sda3 /mnt
See the current size and devid of the btrfs filesystem (likely your filesystem will be devid 1): btrfs filesystem show --mbytes /mnt
Resize the filesystem to be 32MiB smaller so we can fit a LUKS header at the end of the partition: btrfs filesystem resize 1:-32M /mnt
Verify that the filesystem is actually smaller now: btrfs filesystem show --mbytes /mnt
Unmount the filesystem: umount /mnt
Check the filesystem to ensure no errors: btrfs check /dev/sda3
Encrypt the filesystem in-place (this will take a while): cryptsetup reencrypt --encrypt --verify-passphrase --reduce-device-size 32M /dev/sda3
Unlock the partition and name it "ssd" so we can mount it: `cryptsetup open /de
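Before running `cryptsetup reencrypt --reduce-device-size 32M`, the btrfs filesystem must really have been shrunk by at least 32 MiB, otherwise the LUKS header would overwrite the tail of the filesystem. The following pre-flight check is an added example and is not part of the gist: it parses the `devid ... size ...MiB` line of `btrfs filesystem show --mbytes` output (the sample output below is constructed, not captured from a real system) and compares the filesystem size with the block device size. The 32 MiB headroom value is assumed to match the `--reduce-device-size 32M` argument used above; the LUKS2 default header is 16 MiB, so 32 MiB leaves margin.

```shell
#!/bin/sh
# Added example (not from the gist): check that a btrfs filesystem has been
# shrunk enough to leave room for a LUKS header before an in-place reencrypt.

# Must match the --reduce-device-size value passed to cryptsetup reencrypt.
HEADER_MIB=32

# Constructed sample of `btrfs filesystem show --mbytes /mnt` output after the
# resize step (not real output). The device itself is 40960 MiB in this sample.
SAMPLE_SHOW='Label: none  uuid: 00000000-0000-0000-0000-000000000000
	Total devices 1 FS bytes used 4096.00MiB
	devid    1 size 40928.00MiB used 6144.00MiB path /dev/sda3'
SAMPLE_DEV_MIB=40960

# fs_size_mib SHOW_OUTPUT DEVID -> filesystem size in whole MiB for that devid
fs_size_mib() {
    printf '%s\n' "$1" |
        awk -v id="$2" '$1 == "devid" && $2 == id { sub(/MiB$/, "", $4); printf "%d\n", $4 }'
}

# headroom_ok FS_MIB DEV_MIB -> exit 0 if at least HEADER_MIB of free tail space exists
headroom_ok() {
    [ $(( $2 - $1 )) -ge "$HEADER_MIB" ]
}

# Demonstration on the constructed sample. On a live system you would use:
#   btrfs filesystem show --mbytes /mnt          (for the show output)
#   $(( $(blockdev --getsize64 /dev/sda3) / 1048576 ))   (for the device size in MiB)
fs_mib=$(fs_size_mib "$SAMPLE_SHOW" 1)
if headroom_ok "$fs_mib" "$SAMPLE_DEV_MIB"; then
    echo "ok: filesystem is ${fs_mib} MiB on a ${SAMPLE_DEV_MIB} MiB device; ${HEADER_MIB} MiB free for the LUKS header"
else
    echo "NOT SAFE: shrink the filesystem further before running cryptsetup reencrypt"
fi
```

Run it as-is to see the sample pass; on a real system substitute the live `btrfs filesystem show --mbytes` output and the `blockdev` size as noted in the comments, and only proceed to the reencrypt step when the check reports ok.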
PGP Bootable USB Flash Drive Creation and Operation
Create a bootable USB flash drive for generating and managing PGP keys. The keys will be generated and stored, encrypted,
on the drive but then also transferred to Yubikeys for general use. Unless a Yubikey is lost or damaged, use of the flash
drive should be extremely limited, if it is used at all.
A master certifying and signing (CS) key will be created, then signing (S), encrypting (E), and authenticating (A) subkeys will
be created and signed by the C key. The C key will be archived with a password to the flash drive as well
as transferred to a Yubikey 4. The S, E and A subkeys will also be archived to the flash drive as part of the C key
I have 2 Yubikeys which support the OpenPGP card capability. I want to have a robust GnuPG solution which allows me to store one of the keys in a safe place and to carry the other key with me daily on my physical keychain.
I want to be able to fairly easily survive having the daily carry Yubikey be stolen, lost, or simply fail, by revoking those keys. I also want to be able to survive having the safely stored key fail by revoking those keys.
My original plan was to create a main key pair and 2 sets of encryption and authentication subkeys (4 total, 2 enc and 2 auth). The main key pair and one set of the encryption and authentication keys would be transferred to each Yubikey, so each Yubikey would share the common main key pair but have a different set of encryption and authentication subkeys.
This turns out to be quite difficult to implement in a secure way due to how GnuPG's key-to-card functionality works. GnuPG expects if you transfer a key to a card that you want that key to only live on that card an
Need OVMF UEFI firmware for 64 bit machines installed. Be sure guest is using UEFI firmware! You can't change this after you create a machine in virt-manager!
Be sure using i440FX chipset.
Enable a qemu-ga channel for guest. Make a VirtIO serial controller.
Make sure your hard disk is using VirtIO, not IDE.
Be sure you have the VirtIO floppy image for Windows 7 install, you'll need to load drivers so installer can see the VirtIO disk.
Bridging to the main Ethernet interface works fine, despite the warnings. Use the VirtIO ethernet type.
The VirtIO 0.1.141 drivers work well for me in Win 7 Pro 64 bit.
To avoid the NVIDIA "Code 43" error, see the Arch Linux wiki about modifying the hypervisor name. Or somehow find older NVIDIA drivers prior to version 337 that work with your card.
Remove the "sound" device, sound pass through sucks. Just pass through a USB sound card/device but this isn't needed at install time.
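Several of the items above (UEFI firmware, i440FX, VirtIO disk and NIC, qemu-ga channel, the hypervisor-name change for "Code 43") are all visible in the guest's libvirt XML, so they can be checked in one pass before the first boot instead of discovering a wrong choice after install. The script below is an added example, not part of the gist or of libvirt: it greps a domain definition (as produced by `virsh dumpxml GUEST`) for the standard libvirt elements and reports what is missing. The guest XML it contains is constructed for the example and is not a real machine; the `vendor_id` value in it is a placeholder.

```shell
#!/bin/sh
# Added example (not from the gist): check a libvirt domain XML against the
# Windows 7 / GPU passthrough checklist above. Element and attribute names are
# the standard libvirt ones; the sample guest below is constructed.

GOOD_XML=$(mktemp)
BAD_XML=$(mktemp)
trap 'rm -f "$GOOD_XML" "$BAD_XML"' EXIT

# Constructed sample domain that satisfies the checklist (still has a <sound>
# device, which the gist recommends removing; reported as a warning only).
cat >"$GOOD_XML" <<'EOF'
<domain type='kvm'>
  <os>
    <type arch='x86_64' machine='pc-i440fx-2.11'>hvm</type>
    <loader readonly='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.fd</loader>
  </os>
  <features>
    <hyperv>
      <vendor_id state='on' value='placeholder1'/>
    </hyperv>
    <kvm>
      <hidden state='on'/>
    </kvm>
  </features>
  <devices>
    <disk type='file' device='disk'>
      <target dev='vda' bus='virtio'/>
    </disk>
    <controller type='virtio-serial' index='0'/>
    <interface type='bridge'>
      <source bridge='br0'/>
      <model type='virtio'/>
    </interface>
    <channel type='unix'>
      <target type='virtio' name='org.qemu.guest_agent.0'/>
    </channel>
    <sound model='ich6'/>
  </devices>
</domain>
EOF

# A broken variant: same guest but the disk was left on the IDE bus.
sed "s/dev='vda' bus='virtio'/dev='hda' bus='ide'/" "$GOOD_XML" >"$BAD_XML"

# has PATTERN FILE -> exit 0 if the extended regex matches anywhere in FILE
has() { grep -Eq -- "$1" "$2"; }

# check_domain FILE -> prints one FAIL line per unmet item, returns the failure count
check_domain() {
    f=$1
    fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

    has "<loader[^>]*type='pflash'" "$f"              || fail "no OVMF (pflash) loader: guest is not UEFI"
    has "machine='pc(-i440fx[^']*)?'" "$f"           || fail "machine type is not i440FX"
    has "<target dev='[a-z]+' bus='virtio'" "$f"      || fail "hard disk is not on the VirtIO bus"
    has "<controller type='virtio-serial'" "$f"       || fail "no VirtIO serial controller"
    has "org\.qemu\.guest_agent\.0" "$f"              || fail "no qemu-ga channel"
    has "<interface type='bridge'" "$f"               || fail "NIC is not bridged"
    has "<model type='virtio'/>" "$f"                 || fail "NIC model is not VirtIO"
    has "<vendor_id state='on'" "$f"                  || fail "hyperv vendor_id not set (NVIDIA Code 43)"
    has "<hidden state='on'" "$f"                     || fail "kvm hidden not set (NVIDIA Code 43)"
    ! has "<sound " "$f"                              || echo "WARN: emulated sound device present; pass through a USB device instead"
    return "$fails"
}

echo "== good sample =="
check_domain "$GOOD_XML" && echo "guest definition matches the checklist"
echo "== bad sample (IDE disk) =="
check_domain "$BAD_XML" || echo "$? item(s) to fix before installing"
```

On a real host run `virsh dumpxml GUEST > guest.xml` and call `check_domain guest.xml`; a non-zero return means at least one checklist item is unmet, and the disk and chipset items in particular are the ones that cannot be corrected after the Windows installation.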