@kokel
Last active June 20, 2021 18:43
# Tested with Debian Buster on a Hetzner SB38.
# Step 1 (rescue mode): install a plain, unencrypted system with installimage.
# The encryption is retrofitted further down, again from the rescue system.
# Throughout these notes, the lines between two --- markers are the contents
# of the file named on the line above them.
# Layout: software RAID 1 across both drives, a separate /boot, swap, and one
# LVM volume group (vg_host) holding /, /var and /home.
# NOTE(review): /boot is never encrypted in this procedure, so the kernel and
# the initramfs (including the dropbear keys added later) stay readable and
# modifiable by anyone with access to the disks.
/tmp/config
---
DRIVE1 /dev/sda
DRIVE2 /dev/sdb
SWRAID 1
SWRAIDLEVEL 1
BOOTLOADER grub
HOSTNAME Debian-stable-64-minimal
PART /boot ext4 1024M
PART swap swap 16G
PART lvm vg_host all
LV vg_host host_root / ext4 20G
LV vg_host host_var /var ext4 20G
LV vg_host host_home /home ext4 10G
IMAGE /root/images/Debian-stable-64-minimal.tar.gz
---
# -c names the config file, -a runs the installation unattended.
installimage -c /tmp/config -a
# Step 2: after the reboot, on the freshly installed system.
# Install the packages that provide a shell and an SSH server inside the
# initramfs, so the LUKS passphrase can be entered remotely at boot.
apt install busybox dropbear-initramfs
# Configure the initramfs to include busybox.
/etc/initramfs-tools/initramfs.conf
---
BUSYBOX=y
---
# Force the old interface naming scheme (eth0, ...), so the interface name
# used in the IP= line below is predictable.
/etc/default/grub
---
GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0"
---
# Static network configuration for the initramfs. The field order follows the
# kernel ip= parameter (client IP, server IP left empty, gateway, netmask,
# hostname, device, autoconf); "off" disables DHCP/autoconfiguration.
/etc/initramfs-tools/conf.d/ip
---
export IP=<ip>::<gateway>:<netmask>:<hostname>:<network-interface>:off
---
touch /etc/dropbear-initramfs/authorized_keys
# Add the SSH public keys that may log in to the pre-boot environment.
# Every key listed here gets a root shell in the initramfs, so keep the list
# as short as possible.
# Dropbear options: -s disables password logins (keys only), -j and -k disable
# local and remote port forwarding, -I 60 drops sessions idle for 60 seconds.
# NOTE(review): the dropbear host key is packed into the initramfs on the
# unencrypted /boot; do not reuse the main sshd host key for it, and record
# its fingerprint on the client.
# These settings only take effect once the initramfs is rebuilt, which these
# notes do later with update-initramfs -u inside the chroot.
/etc/dropbear-initramfs/config
---
DROPBEAR_OPTIONS="-s -j -k -I 60"
---
# Step 3: boot into the rescue system and copy the installed system aside.
# NOTE(review): /oldroot lives in the rescue system's own filesystem
# (presumably RAM-backed - confirm there is enough space for the copy).
mkdir /oldroot
# Detect and activate the LVM volumes created by installimage.
pvscan
vgscan
vgchange -a y
lvscan
# Mount root first, then /home and /var beneath it, so one rsync covers all.
mount /dev/mapper/vg_host-host_root /mnt/
mount /dev/mapper/vg_host-host_home /mnt/home/
mount /dev/mapper/vg_host-host_var /mnt/var
# NOTE(review): -a does not preserve hard links, ACLs or extended attributes
# (that needs -H -A -X); file capabilities stored in xattrs would be lost.
rsync -a /mnt/ /oldroot/
umount /mnt/home/
umount /mnt/var
umount /mnt/
# Save the LVM metadata (VG/LV layout) to a file in the current directory so
# the same layout can be restored on top of the encrypted device.
vgcfgbackup vg_host -f vg_host.freespace
# Destroys the volume group; from here on /oldroot is the only copy of the
# installed system until it is synced back.
vgremove vg_host -f
# Step 4: create the LUKS container on the RAID device that held the LVM PV,
# then rebuild the volume group inside it.
# NOTE(review): XTS splits the key into two halves, so --key-size 256 gives
# AES-128-XTS; AES-256-XTS needs --key-size 512.
# --iter-time 6000 spends about 6 seconds (value is in milliseconds) on
# passphrase key derivation per unlock attempt.
# NOTE(review): luksFormat only writes a header. Data from the earlier
# unencrypted install (e.g. the SSH host keys generated back then) remains on
# the disk in plaintext until those sectors are overwritten; consider
# overwriting the device first and regenerating such secrets afterwards.
cryptsetup --cipher aes-xts-plain64 --key-size 256 --hash sha256 --iter-time 6000 luksFormat /dev/md2
cryptsetup luksOpen /dev/md2 crypthost
# The opened mapping becomes the new LVM physical volume.
pvcreate /dev/mapper/crypthost
# Print the UUID of the new PV; it is needed for the edit below.
blkid /dev/mapper/crypthost
cp vg_host.freespace /etc/lvm/backup/vg_host
# Edit /etc/lvm/backup/vg_host: adjust the id and device of pv0 so they match
# the new PV (/dev/mapper/crypthost and the UUID printed by blkid above).
vgcfgrestore vg_host
vgchange -a y vg_host
# The restored LVs contain no usable filesystems yet; create fresh ones.
mkfs.ext4 /dev/mapper/vg_host-host_root
mkfs.ext4 /dev/mapper/vg_host-host_home
mkfs.ext4 /dev/mapper/vg_host-host_var
# Step 5: mount the new encrypted volumes, copy the system back and prepare
# a chroot.
mount /dev/mapper/vg_host-host_root /mnt/
# Mount points for /home and /var, plus two helper directories used below to
# pass the rescue system's /run/udev and /run/lvm into the chroot.
mkdir /mnt/home /mnt/var /mnt/hostlvm /mnt/hostudev
mount /dev/mapper/vg_host-host_home /mnt/home/
mount /dev/mapper/vg_host-host_var /mnt/var
# Restore the copy taken before the volume group was removed.
rsync -a /oldroot/ /mnt/
# /boot is the unencrypted RAID device md0.
mount /dev/md0 /mnt/boot
# Kernel pseudo-filesystems needed by the tools run inside the chroot.
mount -t proc proc /mnt/proc/
mount -t sysfs sys /mnt/sys/
mkdir -p -m 755 /mnt/dev/pts
mount -t devtmpfs -o mode=0755,nosuid devtmpfs /mnt/dev
mount -t devpts -o gid=5,mode=620 devpts /mnt/dev/pts
# Presumably so that LVM and grub tooling inside the chroot can see the
# rescue system's udev and LVM runtime state - confirm.
mount --bind /run/udev /mnt/hostudev
mount --bind /run/lvm /mnt/hostlvm
# Opens an interactive shell; the commands that follow, up to "exit", are
# typed inside the chroot.
chroot /mnt
# Step 6 (inside the chroot): make the bind-mounted udev and LVM runtime
# directories available under their usual /run paths.
ln -s /hostudev /run/udev
ln -s /hostlvm /run/lvm
# crypttab, line 1: the root container. UUID=xxx is a placeholder for the
# UUID of the LUKS device itself (blkid /dev/md2), not the UUID of the PV
# inside it. "none" means the passphrase is asked for at boot.
# crypttab, line 2: swap encrypted with a fresh random key from /dev/urandom
# on every boot, so swap contents do not survive a reboot and hibernation is
# not possible. size=256 with an XTS cipher again means AES-128.
# offset=2048 skips the start of the device so that the label used to find it
# is not overwritten. The lsblk output at the end shows md1 carrying an ext2
# signature labelled "cryptswap"; the step that creates it is not part of
# these notes. Referring to the device by label guards against the "swap"
# option reformatting the wrong device if device names change.
vim /etc/crypttab
---
crypthost UUID=xxx none luks
cryptswap LABEL=cryptswap /dev/urandom swap,offset=2048,cipher=aes-xts-plain64,size=256
---
# Point the swap entry at the encrypted mapping.
# NOTE(review): presumably this replaces the swap line installimage wrote;
# make sure no entry for the raw swap device remains.
vim /etc/fstab
---
/dev/mapper/cryptswap none swap sw 0 0
---
# Rebuild the initramfs so it contains cryptsetup, dropbear, the
# authorized_keys file and the network settings configured earlier.
update-initramfs -u
update-grub2
# Install the bootloader on both RAID members so either disk can boot.
grub-install /dev/sda
grub-install /dev/sdb
# Leave the chroot.
exit
# Step 7 (back in the rescue system): unmount everything below /mnt before
# /mnt itself, deactivate LVM, close the LUKS container and reboot.
umount /mnt/boot
umount /mnt/dev/pts
umount /mnt/dev
umount /mnt/sys
umount /mnt/proc
umount /mnt/home
umount /mnt/var
umount /mnt/hostlvm
umount /mnt/hostudev
umount /mnt
lvchange -an /dev/mapper/vg_host-host_home
lvchange -an /dev/mapper/vg_host-host_var
lvchange -an /dev/mapper/vg_host-host_root
vgchange -an vg_host
cryptsetup luksClose crypthost
reboot
# In the pre-boot environment (SSH session to the dropbear server running in
# the initramfs), run the command below and enter the LUKS passphrase.
# NOTE(review): check the dropbear host key fingerprint before typing the
# passphrase; the initramfs sits on the unencrypted /boot and could have been
# replaced by someone with access to the disks.
cryptroot-unlock
--------
NAME FSTYPE LABEL UUID MOUNTPOINT
sda
├─sda1 linux_raid_member rescue:0 3679f485-50f4-467e-0b1c-a461c93d968b
│ └─md0 ext4 0cefbb1d-c7b4-41ac-9ef2-74208edfa528 /boot
├─sda2 linux_raid_member rescue:1 5db99ebc-f7ad-1b30-4f86-d49cef2ecce9
│ └─md1 ext2 cryptswap ccb632d7-d6f8-4579-a426-0652bce342e4
│ └─cryptswap swap 46811423-bb8f-405f-99db-766a05ce984b [SWAP]
├─sda3 linux_raid_member rescue:2 c8af66d3-2844-2d8e-720a-516d5fc50fe3
│ └─md2 crypto_LUKS 107e9d41-bfa8-4906-9b76-cc1866be4065
│ └─crypthost LVM2_member 09rQK4-RuyZ-2D63-Ou00-ID5v-CHas-w3VriJ
│ ├─vg_host-host_root ext4 4c42de4c-7436-4642-92de-219f62b6a421 /
│ ├─vg_host-host_var ext4 5b41e29b-8993-47d7-a7c4-059c64714b73 /var
│ └─vg_host-host_home ext4 87691a65-cb07-47e1-8354-a957c429fd13 /home
└─sda4
sdb
├─sdb1 linux_raid_member rescue:0 3679f485-50f4-467e-0b1c-a461c93d968b
│ └─md0 ext4 0cefbb1d-c7b4-41ac-9ef2-74208edfa528 /boot
├─sdb2 linux_raid_member rescue:1 5db99ebc-f7ad-1b30-4f86-d49cef2ecce9
│ └─md1 ext2 cryptswap ccb632d7-d6f8-4579-a426-0652bce342e4
│ └─cryptswap swap 46811423-bb8f-405f-99db-766a05ce984b [SWAP]
├─sdb3 linux_raid_member rescue:2 c8af66d3-2844-2d8e-720a-516d5fc50fe3
│ └─md2 crypto_LUKS 107e9d41-bfa8-4906-9b76-cc1866be4065
│ └─crypthost LVM2_member 09rQK4-RuyZ-2D63-Ou00-ID5v-CHas-w3VriJ
│ ├─vg_host-host_root ext4 4c42de4c-7436-4642-92de-219f62b6a421 /
│ ├─vg_host-host_var ext4 5b41e29b-8993-47d7-a7c4-059c64714b73 /var
│ └─vg_host-host_home ext4 87691a65-cb07-47e1-8354-a957c429fd13 /home
└─sdb4