@firecat53
Last active March 25, 2024 15:02

Encrypted laptop setup

  • Btrfs directly on the LUKS-encrypted main drive, with no GPT/MBR partition table
  • Main drive encrypted (LUKS) with a key file stored on the flash drive; a backup passphrase is added as a second key slot
  • No swap: no swap files (a Btrfs limitation at the time) and no swap partition, so no suspend-to-disk
  • /boot and GRUB live on the flash drive, so the laptop disk holds nothing outside the LUKS container
  • 1st flash drive partition is a vfat DATA partition to allow for cross-platform file transfers
  • Ext4 ISO partition for Linux-only data/ISO files, if desired
  • TODO - edit grub to allow booting ISOs stored on the flash drive.
  • TODO - investigate and fix journalctl entries for failed fsck on missing BOOT partition:

    Jun 15 09:02:09 scotty systemd[1]: Dependency failed for File System Check on /dev/disk/by-label/BOOT.
    Jun 15 09:02:09 scotty systemd[1]: Dependency failed for /boot.
    Jun 15 09:02:09 scotty systemd[1]: Timed out waiting for device Cruzer BOOT.

Flash drive setup

  • Partition the flash drive like this (GPT; create partition #4 last even though it comes first on the disk):

    # gdisk -l /dev/sdb
    GPT fdisk (gdisk) version 0.8.10
    
    Partition table scan:
      MBR: protective
      BSD: not present
      APM: not present
      GPT: present
    
    Found valid GPT with protective MBR; using GPT.
    Disk /dev/sdb: 15633408 sectors, 7.5 GiB
    Logical sector size: 512 bytes
    Disk identifier (GUID): 4D45181A-6297-4DB6-8F74-A2BB18E7BBDE
    Partition table holds up to 128 entries
    First usable sector is 34, last usable sector is 15633374
    Partitions will be aligned on 2-sector boundaries
    Total free space is 0 sectors (0 bytes)
    
    Number  Start (sector)    End (sector)  Size       Code  Name
       1            2048         8390655   4.0 GiB     0700  Microsoft basic data
       2         8390656         8800255   200.0 MiB   EF00  EFI System
       3         8800256        15633374   3.3 GiB     8300  Linux filesystem
       4              34            2047   1007.0 KiB  EF02  BIOS boot partition
  • Use parted to toggle the bootable flag if necessary on partition #2 (BOOT) and make sure #4 has the bios_grub flag
  • Create labelled filesystems:

    • #1 vfat, label DATA: mkfs.vfat -n DATA /dev/sdb1
    • #2 ext4, label BOOT: mkfs.ext4 -L BOOT /dev/sdb2
    • #3 ext4, label ISO: mkfs.ext4 -L ISO /dev/sdb3
  • Copy the existing /boot directory to the BOOT partition (or point grub-install at it with --boot-directory)
  • Install grub to the flash drive: grub-install --recheck /dev/sdx (the flash drive, not the laptop disk)
  • Copy the keyfile (along with any other desired files) to the ISO partition. It could go anywhere, but the ISO partition won't automount when I plug the drive into Windows machines. A little obscurity.
  • Repeat for 2 or 3 different flash drives so YOU HAVE A BACKUP!!
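
The steps above are destructive, and this gist uses /dev/sdb for both the flash drive and the laptop disk, so it is worth a guard that refuses to partition anything the kernel does not flag as removable. The script below is an added example, not part of the gist: it reads the removable flag and size from sysfs (parameterised so it can be exercised on a constructed tree), prints the sgdisk commands that reproduce the layout shown in the gdisk listing (sgdisk, the scripted form of gdisk, is an assumption; the gist used gdisk interactively), and only runs them when DRY_RUN=0 is set explicitly. Partition suffixes 1..4 assume /dev/sdX naming.

```shell
#!/bin/sh
# Added example (not from the gist): guard the flash-drive partitioning steps.
# SYSFS is normally /sys; it is a parameter so the checks can run on a constructed tree.

# is_removable_disk SYSFS DEV -> exit 0 if the kernel flags DEV as removable
is_removable_disk() {
    flag="$1/block/$2/removable"
    [ -r "$flag" ] && [ "$(cat "$flag")" = "1" ]
}

# disk_size_gib SYSFS DEV -> whole GiB (sysfs 'size' is in 512-byte sectors)
disk_size_gib() {
    sectors=$(cat "$1/block/$2/size")
    echo $((sectors / 2097152))
}

# flash_partition_cmds DEV -> the commands reproducing the gist's GPT layout:
# #1 vfat DATA 4 GiB, #2 ext4 BOOT 200 MiB, #3 ext4 ISO (rest), #4 BIOS boot
# at sectors 34-2047 (alignment 1 so it can start at sector 34), created last.
flash_partition_cmds() {
    dev=$1
    cat <<EOF
sgdisk --zap-all $dev
sgdisk -n 1:2048:+4G -t 1:0700 $dev
sgdisk -n 2:0:+200M -t 2:EF00 $dev
sgdisk -n 3:0:0 -t 3:8300 $dev
sgdisk -a 1 -n 4:34:2047 -t 4:EF02 $dev
mkfs.vfat -n DATA ${dev}1
mkfs.ext4 -L BOOT ${dev}2
mkfs.ext4 -L ISO ${dev}3
EOF
}

# flash_setup SYSFS DEV -> refuse non-removable devices; print the commands
# (DRY_RUN unset or 1) or pipe them into sh -e (DRY_RUN=0)
flash_setup() {
    sysfs=$1; dev=$2
    if ! is_removable_disk "$sysfs" "$dev"; then
        echo "refusing: /dev/$dev is not flagged removable" >&2
        return 1
    fi
    echo "target /dev/$dev: $(disk_size_gib "$sysfs" "$dev") GiB, removable" >&2
    if [ "${DRY_RUN:-1}" = "1" ]; then
        flash_partition_cmds "/dev/$dev"
    else
        flash_partition_cmds "/dev/$dev" | sh -e
    fi
}

# Constructed sysfs tree standing in for /sys: sdb is a 7.5 GiB removable stick
# (the sector count from the gist's gdisk output), sda is the fixed laptop disk.
demo=$(mktemp -d)
mkdir -p "$demo/block/sda" "$demo/block/sdb"
echo 0 > "$demo/block/sda/removable"; echo 500118192 > "$demo/block/sda/size"
echo 1 > "$demo/block/sdb/removable"; echo 15633408 > "$demo/block/sdb/size"
flash_setup "$demo" sda || echo "(sda correctly refused)"
flash_setup "$demo" sdb    # DRY_RUN defaults to 1: prints the commands, runs nothing
rm -rf "$demo"
```

Against a real system call it as `flash_setup /sys sdb` first to review the printed commands, then `DRY_RUN=0 flash_setup /sys sdb` as root.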

Encrypted disk

  • Prepare (erase) the disk by writing zeros through a throwaway plain dm-crypt mapping, so the whole drive is filled with random-looking data before the LUKS container is created:
    • Create temporary container: cryptsetup open --type plain /dev/sdb tmp_container
    • dd if=/dev/zero of=/dev/mapper/tmp_container
    • cryptsetup close tmp_container
  • Encrypt the disk (LUKS, AES-XTS with a 512-bit key, SHA-512 hash, 5000 ms PBKDF iteration time, key file as the first key slot): cryptsetup -v -c aes-xts-plain64 -s 512 -i 5000 -h sha512 --use-urandom luksFormat /dev/sdb <path/to/keyfile>
  • Add a backup passphrase as a second key slot (authenticating with the key file): cryptsetup --key-file <path/to/keyfile> luksAddKey /dev/sdb
  • Create and mount filesystem:

    cryptsetup --key-file <path to keyfile>  luksOpen /dev/sdb root
    mkfs.btrfs -L SCOTTY /dev/mapper/root
    mount -o noatime,compress=lzo,ssd,discard,space_cache,autodefrag,inode_cache /dev/mapper/root /mnt/<mountpoint>
  • Mount the USB BOOT partition to <mountpoint>/boot
  • Copy the current installation to the new disk, or use pacstrap and chroot to set up a fresh installation:

    rsync -aAXv /* /path/to/mountpoint --exclude={/dev/\*,/proc/\*,/sys/\*,/tmp/\*,/run/\*,/mnt/\*,/media/\*,/lost+found}
  • Edit <mountpoint>/etc/mkinitcpio.conf to add the modules needed to read the USB drive (ext4 for the BOOT and ISO partitions, nls_cp437 for vfat) and the correct hooks, with encrypt between block and filesystems:

    MODULES="nls_cp437 ext4"
    ....
    HOOKS="base udev autodetect modconf block encrypt resume filesystems keyboard fsck"
  • Edit <mountpoint>/etc/default/grub so the kernel knows which LUKS container to open (cryptdevice=<device>:<mapper name>) and where the key file is (cryptkey=<device>:<fstype>:<path>):

    GRUB_CMDLINE_LINUX="cryptdevice=/dev/disk/by-label/SCOTTY:root:allow-discards cryptkey=/dev/disk/by-label/ISO:ext4:/<path/to/keyfile/on/flash drive>"
  • Chroot into <mountpoint> and run the following (the users and nofail options allow the drive to be unmounted and removed without issues):

    genfstab -L . > /etc/fstab (and edit)
      -> /dev/disk/by-label/BOOT /boot      ext4        rw,users,noatime,data=ordered,nofail    0 2
    mkinitcpio -p linux
    grub-mkconfig > /boot/grub/grub.cfg
  • To install the kernel image on the backup flash drives:

    1. Unmount and remove the original flash drive
    2. Plug in and mount the /boot partition on the BACKUP flash drive
    3. Run pacman -S linux to install the kernel image to the flash drive
    4. grub-mkconfig > /boot/grub/grub.cfg
    5. Unmount and repeat as necessary
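
The three files edited in the chroot step (mkinitcpio.conf, /etc/default/grub, fstab) each have one omission that leaves the laptop unbootable or hanging: a missing or mis-ordered encrypt hook, a cryptkey= without its fstype field, or a /boot entry without nofail. The linter below is an added example, not part of the gist; it takes a target root as argument so it can be run against <mountpoint> before leaving the chroot, and builds constructed good and bad sample roots to show what it catches. The key file path /keys/laptop.key in the samples is a placeholder.

```shell
#!/bin/sh
# Added example (not from the gist): lint mkinitcpio.conf, /etc/default/grub and
# fstab under a target root for the USB-keyfile / encrypted-root setup.

# hook_index "HOOKS" NAME -> 1-based position of NAME in the hook list, 0 if absent
hook_index() {
    i=0
    for h in $1; do
        i=$((i + 1))
        [ "$h" = "$2" ] && { echo "$i"; return 0; }
    done
    echo 0
}

# conf_list FILE KEY -> words of KEY="a b c" (old style) or KEY=(a b c) (array style)
conf_list() {
    sed -n "s/^$2=[\"(]\{0,1\}\([^\")]*\)[\")]\{0,1\}.*/\1/p" "$1"
}

# check_mkinitcpio FILE -> 0 if hooks and modules fit booting from the flash drive
check_mkinitcpio() {
    hooks=$(conf_list "$1" HOOKS); mods=$(conf_list "$1" MODULES); ok=0
    blk=$(hook_index "$hooks" block); enc=$(hook_index "$hooks" encrypt)
    fs=$(hook_index "$hooks" filesystems); kbd=$(hook_index "$hooks" keyboard)
    if [ "$enc" -eq 0 ]; then
        echo "mkinitcpio: encrypt hook missing, root cannot be unlocked"; ok=1
    else
        # encrypt needs the devices set up by 'block' and must unlock before 'filesystems' mounts root
        [ "$blk" -gt 0 ] && [ "$blk" -lt "$enc" ] || { echo "mkinitcpio: block must precede encrypt"; ok=1; }
        [ "$fs" -gt 0 ] && [ "$enc" -lt "$fs" ] || { echo "mkinitcpio: encrypt must precede filesystems"; ok=1; }
    fi
    [ "$kbd" -gt 0 ] || { echo "mkinitcpio: keyboard hook missing, backup passphrase cannot be typed"; ok=1; }
    # the flash drive's filesystems must be listed explicitly: ext4 for BOOT/ISO, nls_cp437 for vfat DATA
    for m in ext4 nls_cp437; do
        case " $mods " in *" $m "*) ;; *) echo "mkinitcpio: module $m missing"; ok=1 ;; esac
    done
    return $ok
}

# check_grub FILE -> 0 if GRUB_CMDLINE_LINUX carries well-formed cryptdevice= and cryptkey=
check_grub() {
    cmdline=$(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)".*/\1/p' "$1"); ok=0
    cdev=$(printf '%s\n' "$cmdline" | tr ' ' '\n' | sed -n 's/^cryptdevice=//p')
    ckey=$(printf '%s\n' "$cmdline" | tr ' ' '\n' | sed -n 's/^cryptkey=//p')
    case "$cdev" in
        *:*) ;;   # <device>:<mapper name>[:options]
        *) echo "grub: cryptdevice= must be <device>:<mapper name>"; ok=1 ;;
    esac
    # the encrypt hook expects <device>:<fstype>:<path> for a key file on a filesystem
    [ "$(printf '%s\n' "$ckey" | awk -F: '{print NF}')" -eq 3 ] \
        || { echo "grub: cryptkey= must be <device>:<fstype>:<path>"; ok=1; }
    return $ok
}

# check_fstab FILE -> 0 if the /boot entry has nofail (boot must not hang when the stick is absent)
check_fstab() {
    opts=$(awk '$1 !~ /^#/ && $2 == "/boot" { print $4 }' "$1")
    case ",$opts," in *,nofail,*) return 0 ;; esac
    echo "fstab: /boot entry missing or without nofail"
    return 1
}

# lint_target ROOT -> 0 only if all three files pass
lint_target() {
    rc=0
    check_mkinitcpio "$1/etc/mkinitcpio.conf" || rc=1
    check_grub "$1/etc/default/grub" || rc=1
    check_fstab "$1/etc/fstab" || rc=1
    return $rc
}

# make_sample DIR good|bad -> constructed target roots: 'good' mirrors the gist's
# settings, 'bad' drops the encrypt hook, the cryptkey fstype field and nofail
make_sample() {
    mkdir -p "$1/etc/default"
    if [ "$2" = good ]; then
        hooks="base udev autodetect modconf block encrypt resume filesystems keyboard fsck"
        ckey="/dev/disk/by-label/ISO:ext4:/keys/laptop.key"; opts="rw,users,noatime,data=ordered,nofail"
    else
        hooks="base udev autodetect modconf block resume filesystems keyboard fsck"
        ckey="/dev/disk/by-label/ISO:/keys/laptop.key"; opts="rw,users,noatime,data=ordered"
    fi
    printf 'MODULES="nls_cp437 ext4"\nHOOKS="%s"\n' "$hooks" > "$1/etc/mkinitcpio.conf"
    printf 'GRUB_CMDLINE_LINUX="cryptdevice=/dev/disk/by-label/SCOTTY:root:allow-discards cryptkey=%s"\n' "$ckey" > "$1/etc/default/grub"
    printf '/dev/disk/by-label/BOOT /boot ext4 %s 0 2\n' "$opts" > "$1/etc/fstab"
}

demo=$(mktemp -d)
make_sample "$demo/good" good; make_sample "$demo/bad" bad
lint_target "$demo/good" && echo "good sample: OK"
lint_target "$demo/bad" || echo "bad sample: rejected"
rm -rf "$demo"
```

Inside the chroot, `lint_target /` checks the live files; from outside, `lint_target /mnt/<mountpoint>`.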

Kernel upgrades

  • Repeat for each flash drive:

    1. Ensure /boot partition is mounted
    2. pacman -S linux
    3. Unmount and remove
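
Both per-stick procedures (installing the kernel image on the backup drives, and the kernel-upgrade loop above) end with "unmount and remove", and a stick that was unmounted before pacman or grub-mkconfig finished is a backup that will not boot. The script below is an added example, not part of the gist: it wraps the loop body and verifies, before unmounting, that the stick holds a kernel, an initramfs and a grub.cfg that unlocks the SCOTTY container with a key file. Label names (BOOT, SCOTTY) and Arch file names (vmlinuz-linux, initramfs-linux.img) come from the gist; DRY_RUN defaults to 1 here and prints the privileged commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the gist): kernel update on one flash drive with a
# verification pass before unmounting. DRY_RUN=0 executes the privileged steps.

run() { if [ "${DRY_RUN:-1}" = "1" ]; then echo "+ $*"; else "$@"; fi; }

# verify_boot_stick BOOTDIR ROOTLABEL -> 0 if BOOTDIR holds a kernel, an initramfs
# and a grub.cfg that unlocks the LUKS container labelled ROOTLABEL with a key file
verify_boot_stick() {
    bootdir=$1; label=$2; rc=0
    for f in vmlinuz-linux initramfs-linux.img grub/grub.cfg; do
        [ -s "$bootdir/$f" ] || { echo "missing or empty: $f"; rc=1; }
    done
    if [ -s "$bootdir/grub/grub.cfg" ]; then
        grep -q "cryptdevice=/dev/disk/by-label/$label:" "$bootdir/grub/grub.cfg" \
            || { echo "grub.cfg does not unlock $label"; rc=1; }
        grep -q "cryptkey=" "$bootdir/grub/grub.cfg" \
            || { echo "grub.cfg has no cryptkey=, the key file on the stick would not be used"; rc=1; }
    fi
    return $rc
}

# update_stick -> mount BOOT by label, install the kernel, regenerate grub.cfg,
# verify, and only then unmount so the stick can be pulled
update_stick() {
    run mount /dev/disk/by-label/BOOT /boot
    run pacman -S linux
    run sh -c 'grub-mkconfig > /boot/grub/grub.cfg'
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "+ verify_boot_stick /boot SCOTTY"
    else
        verify_boot_stick /boot SCOTTY || { echo "stick NOT safe to remove" >&2; return 1; }
    fi
    run umount /boot
}

# Constructed /boot contents standing in for a mounted stick
demo=$(mktemp -d)
mkdir -p "$demo/grub"
echo kernel > "$demo/vmlinuz-linux"
echo initrd > "$demo/initramfs-linux.img"
printf 'linux /vmlinuz-linux cryptdevice=/dev/disk/by-label/SCOTTY:root:allow-discards cryptkey=/dev/disk/by-label/ISO:ext4:/keys/laptop.key\n' > "$demo/grub/grub.cfg"
verify_boot_stick "$demo" SCOTTY && echo "constructed stick: OK"
update_stick     # dry run: prints the five steps
rm -rf "$demo"
```

Run `DRY_RUN=0 update_stick` as root once per stick; a non-zero return means the drive is still mounted and should not be pulled.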