@linux-modder
Last active August 29, 2015 14:12
PGP key LuksCrypt (with or without LVM) ---adapted from wiki.gentoo.org &
###### This tutorial is a merge of http://wiki.gentoo.org/wiki/EFI_Gentoo_End_to_End_Install/Preparing_the_LUKS #######
###### LVM_Filesystem_and_Boot_USB_Key and my previous tutorials on the subject #######
For the purpose of this tutorial NO RAID / EFI is in play (I have separate Gists that address those cases).
For all LVM tutorials I assume a default GPT partition table is laid on the target drive; with a few changes the same can be done on an MBR / MSDOS install as long as the drive is under 2 TB (beyond that MBR is no longer an option).
The default layout referenced in this write-up is as follows. The sample output below is the starting point; I will explain how to create it as well. The LUKS container lives in sda3, and the LVM lives inside the container (not the other way round).
[linuxdev@linuxdevel ~]$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 596.2G 0 disk
├─sda1 8:1 0 10M 0 part
├─sda2 8:2 0 5.3G 0 part /boot
└─sda3 8:3 0 590.9G 0 part
sda1 is the BIOS boot partition (it will be flagged bios_grub later; GRUB embeds its core image there on GPT disks). Anything from 4M to 10M is plenty (for dual-boots the higher end is recommended).
sda2 is /boot. It is left unencrypted in this layout so GRUB can load the kernel and initramfs that then unlock sda3; the installer will mount it as /boot later.
sda3 holds the LUKS container (and the LVM inside it).
#########
In GParted, once a GPT (or MBR) table is laid, create the partitions as outlined above (my /boot is non-standard in size; 512M is generally sufficient for most users).
Once they are created, right-click sda1, select "Manage Flags", check "bios_grub" and apply. That marks it properly for later and makes using it in an installer much easier.
If you use several LVM volumes (beyond the standard /, /home, swap, and maybe /opt and/or /var), I highly recommend labeling sda2 as /boot now; the same goes for the LVs themselves, as you need.
#########
To create the LUKS container you need cryptsetup (most modern distros ship it on the live install media; if the installer offers to encrypt /home, it is there).
There are many options for LUKS containers and their creation, but only the most commonly used ones are covered here (see "man cryptsetup" in a terminal, or http://linuxmanpages.com/search/cryptsetup, for the rest).
First elevate to root for the session with "sudo -s".
The basic syntax is: cryptsetup luksFormat <options> <device>
(newer versions also accept "cryptsetup --type luks luksFormat <device>"; do NOT confuse this with "cryptsetup create", which sets up a plain dm-crypt mapping with no LUKS header at all, so nothing about the cipher or the passphrase is recorded on disk)
With no special flags it looks like: cryptsetup luksFormat /dev/sda3
If you want a non-default cipher and hash, a longer key-derivation time to harden the passphrase against brute force, and a prompt timeout with a try limit, it could look like:
cryptsetup luksFormat -c serpent-xts-plain64 -s 512 -h whirlpool -i 100000 -t 120 -T 3 /dev/sda3
The above example has the following attributes:
serpent in XTS mode with -s 512: -s is the combined XTS key, and XTS splits it into two halves, so the effective serpent key is 256 bits (a larger -s never gives you "1M" of key; the cipher only has a 256-bit key to begin with)
whirlpool as the hash used by PBKDF2 to derive the key-slot key from your passphrase (-h)
an iteration time of 100000 ms, i.e. 1 min 40 sec, while the key is derived (-i is in MILLISECONDS; the often-copied "-i 1000000" is 1000 seconds, almost 17 minutes, and every luksOpen will take just as long because the resulting iteration count is stored in the header and run again at each unlock; it is also calibrated on THIS CPU, so a slower machine takes proportionally longer)
a prompt timeout of 2 min (-t 120): if no passphrase is entered in that time the prompt simply fails; nothing gets "locked up"
a 3 try limit (-T 3): after 3 wrong passphrases cryptsetup gives up and exits; at a boot prompt that usually means reboot and retry
-t and -T only affect the interactive prompt, so they matter for luksOpen (and the initramfs) far more than for luksFormat.
It will warn that all data on /dev/sda3 will be overwritten irrevocably and ask you to type YES (uppercase) to confirm. If two or more of the attributes are incompatible (e.g. a key size the cipher/mode cannot use) it refuses to run and prints the conflict instead.
Then create and confirm the passphrase for the container. The cipher, key size and hash are baked into the header (changing them later means re-encrypting); the passphrase itself can be changed any time with luksChangeKey, and extra passphrases added with luksAddKey.
Now run: cryptsetup luksOpen <device> <mapper name> (the name you pick appears under /dev/mapper)
cryptsetup luksOpen /dev/sda3 testLVM
Enter passphrase for /dev/sda3: <enter the pass you created above>
Once the root@hostname # prompt has returned it has completed; you can also confirm this by running:
cryptsetup status testLVM
which shows the cipher, key size and the underlying device (a quick way to check that the -c/-s you asked for actually took).
Now, optionally but recommended, fill the opened container before creating the LVM on top of it.
Writing through the mapping with dd turns whatever you write into ciphertext, so zeros are enough: what lands on disk is indistinguishable from random, and /dev/zero is far faster than /dev/urandom. Use a large block size (bs=1M/4M/8M) for speed, and do not forget of= (without it dd writes to stdout, not to the device):
dd bs=4M if=/dev/zero of=/dev/mapper/testLVM
(dd ends with "No space left on device"; that is expected.) This removes any trace of previous plaintext and hides how much of the container is in use. Alternatively wipe individual LVs later with dd bs=4M if=/dev/zero of=/dev/mapper/testLVM-$LVNAME, which only covers the space those LVs occupy.
Note: if wiping individual LVs, run that AFTER the LVM create in the next step, but BEFORE mkfs or any mounting.
##########
Now for the actual LVM creation.
ANYTHING IN ( ) is either optional or not always needed.
The physical volume and volume group go on the OPENED mapping, /dev/mapper/testLVM, never on /dev/sda3 itself: running vgcreate on the raw partition would write the LVM label over the LUKS header you just created and leave the data unencrypted.
pvcreate /dev/mapper/testLVM
vgcreate <options> $VGNAME $device i.e. vgcreate testLVM /dev/mapper/testLVM
(vgcreate runs pvcreate for you if you skip it, but doing it explicitly makes the target obvious)
I personally use vgcreate -Ay -d $VGNAME $device for auto-backup of the metadata and debug output.
then
lvcreate (-Ay -d) -L50G -n root testLVM
lvcreate (-Ay -d) -L8G -n swap testLVM
lvcreate (-Ay -d) -L20G -n opt testLVM
lvcreate (-Ay -d) -L20G -n var testLVM
lvcreate (-Ay -d) -l100%FREE -n home testLVM
(-L takes an absolute size; -l100%FREE takes whatever is left, so home must be created last. Sizes are just the ones in the sample below.)
The above creates 5 logical volumes in your VG; lsblk should now look like:
[linuxdev@linuxdevel ~]$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 596.2G 0 disk
├─sda1 8:1 0 10M 0 part
├─sda2 8:2 0 5.3G 0 part /boot
└─sda3 8:3 0 590.9G 0 part
├─testLVM-swap 253:1 0 8G 0 lvm
├─testLVM-root 253:2 0 50G 0 lvm
├─testLVM-var 253:8 0 20G 0 lvm
├─testLVM-opt 253:12 0 20G 0 lvm
└─testLVM-home 253:14 0 252.9G 0 lvm
You have now created a LVM from scratch now let's set up the formatting
mkswap /dev/mapper/testLVM-swap
mkfs.ext4 /dev/mapper/testLVM-root
mkfs.ext4 /dev/mapper/testLVM-opt
mkfs.ext4 /dev/mapper/testLVM-var
mkfs.ext4 /dev/mapper/testLVM-home
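The whole procedure so far (the GParted partitioning, then luksFormat, luksOpen, the zero-fill, PV/VG/LV creation and mkfs) as one script, added here as an example; it is not part of the original gist. It keeps the gist's placeholder names (/dev/sda, /dev/sda3, testLVM) and default sizes, drops -t/-T because they only affect the interactive prompt, and adds the checks a practitioner wants: the target must be an unmounted block device, the XTS key size and the --iter-time are shown in human terms before anything is written, and the VG is created on /dev/mapper/testLVM rather than the raw partition. The parted command is the CLI equivalent of the GParted clicks. DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original gist): partition -> luksFormat ->
# luksOpen -> zero-fill -> pvcreate/vgcreate/lvcreate -> mkfs, with sanity
# checks. Device and VG names are the gist's placeholders.
set -eu

DISK="${DISK:-/dev/sda}"            # whole disk (assumed, as in the gist)
DEV="${DEV:-/dev/sda3}"             # partition that gets the LUKS header
MAPPER="${MAPPER:-testLVM}"         # name passed to luksOpen
VG="${VG:-testLVM}"                 # volume group name
CIPHER="${CIPHER:-serpent-xts-plain64}"
KEY_BITS="${KEY_BITS:-512}"
ITER_MS="${ITER_MS:-100000}"        # --iter-time is in MILLISECONDS
DRY_RUN="${DRY_RUN:-0}"

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# cryptsetup's -s is the combined key; XTS splits it into two halves, so the
# effective cipher key is half of it. Non-XTS modes use the whole value.
effective_key_bits() {
    case "$1" in
        *-xts-*) echo $(($2 / 2)) ;;
        *)       echo "$2" ;;
    esac
}

# Show --iter-time (ms) as minutes/seconds so "1000000" gets a second look.
iter_time_human() {
    s=$(($1 / 1000))
    printf '%dm%02ds\n' $((s / 60)) $((s % 60))
}

# Refuse to touch anything that is not a block device (outside dry-run) or
# that is currently mounted.
check_target() {
    if [ "$DRY_RUN" != 1 ] && [ ! -b "$1" ]; then
        echo "not a block device: $1" >&2; return 1
    fi
    if grep -qs "^$1 " /proc/mounts; then
        echo "$1 is mounted, refusing" >&2; return 1
    fi
}

# GPT layout from the gist: small bios_grub, /boot, the rest for LUKS.
# CLI equivalent of the GParted steps; sizes are illustrative.
partition() {
    run parted -s "$DISK" -- mklabel gpt \
        mkpart bios_grub 1MiB 11MiB set 1 bios_grub on \
        mkpart boot ext4 11MiB 5.3GiB \
        mkpart luks 5.3GiB 100%
}

provision() {
    check_target "$DEV"
    echo "# effective key $(effective_key_bits "$CIPHER" "$KEY_BITS") bits," \
         "unlock ~$(iter_time_human "$ITER_MS") on this machine"
    run cryptsetup luksFormat -c "$CIPHER" -s "$KEY_BITS" -h whirlpool \
        -i "$ITER_MS" "$DEV"
    run cryptsetup luksOpen "$DEV" "$MAPPER"
    # Zero-fill through the mapping: zeros become ciphertext on disk. dd
    # exits non-zero on ENOSPC at the end, which is expected here.
    run sh -c "dd bs=4M if=/dev/zero of=/dev/mapper/$MAPPER 2>/dev/null || true"
    # PV and VG go on the opened mapping, never on $DEV: pvcreate on the raw
    # partition would overwrite the LUKS header just written.
    run pvcreate "/dev/mapper/$MAPPER"
    run vgcreate "$VG" "/dev/mapper/$MAPPER"
    run lvcreate -L50G -n root "$VG"
    run lvcreate -L8G  -n swap "$VG"
    run lvcreate -L20G -n opt  "$VG"
    run lvcreate -L20G -n var  "$VG"
    run lvcreate -l100%FREE -n home "$VG"   # last: takes what is left
    run mkswap "/dev/mapper/$VG-swap"
    for lv in root opt var home; do
        run mkfs.ext4 "/dev/mapper/$VG-$lv"
    done
}

case "${1:-}" in
    partition) partition ;;
    provision) provision ;;
esac
```

Run it as DRY_RUN=1 sh luks-lvm.sh provision first and read the printed commands; only when they name the right disk run it again without DRY_RUN, as root. effective_key_bits and iter_time_human are the two numbers most often misread in copied luksFormat lines, which is why the script prints them before touching the device.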
Now run the installer, select the manual partitioning option, and assign the freshly formatted volumes (plus /boot on sda2) to their respective mount points. Before rebooting, check that the installed system has /etc/crypttab pointing at /dev/sda3 and an initramfs with cryptsetup and lvm support; without both it cannot unlock and find its root volume at boot. If it doesn't, the chroot steps below are exactly how you fix it.
Now let's say you bork grub, or need to reset a password or (un)install a driver or package and can't do it the normal way from the installed system. From a live session:
sudo -s
cryptsetup luksOpen /dev/sda3 testLVM (or whatever your crypt is called; the syntax is cryptsetup luksOpen <device> <mapper name>, and the mapper name is independent of the VG name even though both are testLVM here)
Enter passphrase for /dev/sda3: <the pass you created for the crypt>
vgchange -ay testLVM (opening the container does not activate the LVs by itself; most live systems do it via udev, but run it anyway and check that ls /dev/mapper shows testLVM-root and friends)
Then mount it as normal by running these separately in a terminal. The mount point shown is the Ubuntu default; RPM distros tend to use /run/media or /mnt/sysimage:
mount -t ext4 /dev/mapper/testLVM-root /mnt
mount -t ext4 /dev/mapper/testLVM-opt /mnt/opt
mount -t ext4 /dev/mapper/testLVM-var /mnt/var
mount -t ext4 /dev/mapper/testLVM-home /mnt/home
mount -t ext4 /dev/sda2 /mnt/boot
Now for the forgotten pseudo-filesystems. These are bind mounts, so -t ext4 is meaningless here (it is ignored); --bind is what matters:
mount --bind /dev /mnt/dev
mount --bind /proc /mnt/proc
mount --bind /sys /mnt/sys
mount --bind /run /mnt/run (needed on systemd distros, e.g. for resolv.conf symlinks and lvm/udev state)
cp /etc/resolv.conf /mnt/etc/resolv.conf
None of these are block devices, so they will NOT appear in lsblk; check them with findmnt /mnt or mount | grep /mnt. A little info on /dev, /proc and /sys, shall we?
/dev holds the device nodes: disks, partitions, /dev/mapper/*, ttys, USB devices and so on. Without it the chroot cannot see the volumes grub-install needs to write to.
/proc is the kernel's view of running processes and system state (a process, simply put, is anything the kernel is running: your login shell and your graphical desktop are processes; type "top" in a terminal sometime and watch it for a few minutes). Package scripts and grub-probe read things like /proc/mounts from here.
/sys is sysfs, the kernel's device and driver tree; udev and lvm use it to map device names back to the physical disks.
Now a simple chroot is all that's needed to repair grub, reset a password, or (un)install drivers or programs:
chroot /mnt
chroot itself prints nothing (the prompt just changes); running ls -l / inside it should list the installed system's top-level folders, the same ones you see when you click "filesystem" in your file manager, like so. (This is also very helpful for kernel upgrades and the like, especially when FDE (full disk encryption) or a non-local /boot is in play, i.e. a USB key that boots an otherwise non-bootable secured disk.)
root@hostname # ls -l /
total 88
lrwxrwxrwx. 1 root root 7 Jun 7 11:50 bin -> usr/bin
dr-xr-xr-x. 6 root root 4096 Aug 19 08:11 boot
drwxr-xr-x. 20 root root 3500 Aug 20 05:45 dev
drwxr-xr-x. 152 root root 12288 Aug 20 05:46 etc
drwxr-xr-x. 4 root root 4096 Aug 19 08:11 home
lrwxrwxrwx. 1 root root 7 Jun 7 11:50 lib -> usr/lib
lrwxrwxrwx. 1 root root 9 Jun 7 11:50 lib64 -> usr/lib64
drwxr-xr-x. 3 root root 4096 Aug 19 08:05 localapps
drwx------. 2 root root 16384 Aug 17 11:02 lost+found
drwxr-xr-x. 2 root root 4096 Jun 7 11:50 media
drwxr-xr-x. 2 root root 4096 Jun 7 11:50 mnt
drwxr-xr-x. 4 root root 4096 Aug 19 14:15 opt
dr-xr-xr-x. 292 root root 0 Aug 20 05:42 proc
dr-xr-x---. 17 root root 4096 Aug 19 14:09 root
drwxr-xr-x. 40 root root 1120 Aug 20 06:04 run
lrwxrwxrwx. 1 root root 8 Jun 7 11:50 sbin -> usr/sbin
drwxr-xr-x. 3 root root 4096 Aug 19 08:05 src
drwxr-xr-x. 3 root root 4096 Jun 7 11:50 srv
dr-xr-xr-x. 13 root root 0 Aug 20 05:44 sys
drwxrwxrwt. 27 root root 4096 Aug 20 06:18 tmp
drwxr-xr-x. 13 root root 4096 Aug 17 11:04 usr
drwxr-xr-x. 23 root root 4096 Aug 19 09:24 var
Now if you need to install or repair grub or other programs you can run the commands as if the system were booted normally (assuming you have an internet connection or a local package cache, and the needed dependencies). For grub that is grub-install /dev/sda followed by update-grub (or grub-mkconfig -o /boot/grub/grub.cfg). For a system that fails to unlock the container at boot, check /etc/crypttab and /etc/fstab and rebuild the initramfs (update-initramfs -u on Debian/Ubuntu, dracut -f on RPM distros) while still chrooted.
As mentioned earlier you can reset your (or any other user's) password this way (USE THIS WISELY AND NOT FOR ILLEGAL OR NEFARIOUS ENDS; note that anyone with physical access and your LUKS passphrase can do the same to you, which is exactly what the encryption is there to prevent for everyone else).
passwd <empty> i.e. root@hostname # passwd
will change the ROOT (admin) password
passwd <$someusername> i.e. root@hostname # passwd user1
will change that non-root user's password
Similarly, group membership is changed with usermod, not useradd (useradd creates a new account):
usermod -aG sudo,video,plugdev,audio user1 (adds user1 to those groups; -a matters, without it the user's other groups are replaced)
gpasswd -d user1 sudo (removes user1 from a group)
The group that grants sudo is called sudo on Debian/Ubuntu and wheel on most RPM distros; admin is the old pre-12.04 Ubuntu name, and sudoers is the config file, not a group.
To exit the chroot press <ctrl+d> or type exit (or logout) once; that drops you back into the sudo -s root shell on the live system.
While still root, tear it down in reverse order so nothing is left half-written and the key leaves kernel memory:
umount -R /mnt
vgchange -an testLVM
cryptsetup luksClose testLVM
Then exit (or <ctrl+d>) a second time to leave the root shell; that is why the usual advice says "exit twice".
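The rescue procedure above (luksOpen, vgchange, the mounts, the bind mounts, chroot, and the teardown) as one script, added here as an example; it is not the gist's own code. It assumes the gist's names (/dev/sda3, /dev/sda2, testLVM, /mnt) and makes two changes a practitioner would want over the hand-typed version: the pseudo-filesystems are mounted with --rbind plus --make-rslave so an umount inside the chroot cannot propagate back and unmount the live system's own /dev/pts, and an EXIT trap always runs the teardown, including luksClose, even when a step fails halfway. DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not the gist's own script): rescue-mount the encrypted LVM
# system described above, chroot into it, and tear everything down in reverse
# order on exit. Device and VG names are the gist's placeholders.
set -eu

DEV="${DEV:-/dev/sda3}"; MAPPER="${MAPPER:-testLVM}"; VG="${VG:-testLVM}"
BOOT="${BOOT:-/dev/sda2}"; ROOT="${ROOT:-/mnt}"; DRY_RUN="${DRY_RUN:-0}"

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Order matters: open the container, activate the VG (opening alone does not
# create /dev/mapper/VG-*), mount root, then the LVs under it, then /boot,
# then the kernel pseudo-filesystems the chroot needs.
mount_all() {
    run cryptsetup luksOpen "$DEV" "$MAPPER"
    run vgchange -ay "$VG"
    run mount "/dev/mapper/$VG-root" "$ROOT"
    for lv in opt var home; do
        run mount "/dev/mapper/$VG-$lv" "$ROOT/$lv"
    done
    run mount "$BOOT" "$ROOT/boot"
    for fs in dev proc sys run; do
        # --rbind brings submounts (e.g. /dev/pts) along; --make-rslave stops
        # an umount inside the chroot from propagating to the live system.
        run mount --rbind "/$fs" "$ROOT/$fs"
        run mount --make-rslave "$ROOT/$fs"
    done
    run cp -L /etc/resolv.conf "$ROOT/etc/resolv.conf"
}

# Reverse of mount_all. Each step tolerates a partial setup so the trap can
# clean up after a failure halfway through mount_all. luksClose drops the
# key from kernel memory; until then anyone with root on the live system can
# read the container.
unmount_all() {
    run umount -R "$ROOT" || true
    run vgchange -an "$VG" || true
    run cryptsetup luksClose "$MAPPER" || true
}

rescue() {
    trap unmount_all EXIT
    mount_all
    run chroot "$ROOT" /bin/bash
}

if [ "${1:-}" = rescue ]; then rescue; fi
```

Run as root from the live session: sh rescue.sh rescue (after a DRY_RUN=1 pass to check the names). Leaving the chroot shell returns from rescue, and the trap then unmounts, deactivates the VG and closes the container in that order, which is the same three commands the text above tells you to type by hand.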
Please feel free to contact me or comment here on GitHub with comments, requests for corrections/additions, or specific write-ups for you or someone else: sheldon.corey@gmail.com, +Corey (or google.com/+CoreySheldon), or any of my linked communities.