#1 2014-02-23 11:41:54

soupcan
Member
From: ?
Registered: 2008-10-25
Posts: 268

Help&Suggestions&Criticism wanted: Arch with dm-crypt/btrfs/yubikey

Hi all! I'm currently planning on reinstalling Arch to bring my configuration more in line with the secure workstation that I can use in my lab or any other professional environment. I've been working on a plan for a few weeks now and I think I've arrived at what I want. I'm looking for ideas and especially constructive criticism on how to improve my process. I'm using a Lenovo W510, and my SSD is an Intel 320 120GB. My plan is as follows:

1. Securely wipe SSD/Data on disk
    Following the directions on this wiki page, I will wipe my SSD and return it to essentially factory state. Should I zero the drive or fill it with pseudorandom data after wiping it?

2. Use cryptsetup to create encrypted container (partition?) on SSD
    I would like to fill the entire drive (120GB) with an encrypted container. However, I am unsure if it is possible to boot from a btrfs subvolume inside an encrypted container. If necessary I will create a separate /boot partition (probably ext2). I would like to use LUKS concurrently with cryptsetup to manage my keys/passphrases. I want to use my Yubikey as the key for the data on the disk. I believe that this is possible to do with challenge-response mode. I have located a few utilities - ykfde, intramfs_ykfde and mkinitcpio_ykfde. Which of these will best fit my needs? I want my early boot to work like this: power on, BIOS, plug in Yubikey, prompt for challenge-response from key, press button on Yubikey, drive decrypts and boot continues. I would also like to set a long passphrase as a backup in case the Yubikey is ever lost or the like.

3. Btrfs with lzo as filesystem
    I would then like to create a btrfs filesystem with lzo compression enabled in the encrypted container. I would like the root of the filesystem to be a subvolume, with all dirs below that also subvolumes (etc, var, and so on) to allow for full system and targeted rollbacks with snapshots. I would also like to enable TRIM, as I'm not concerned with it possibly compromising my encryption (very unlikely as far as I can tell).

Is there anything I'm forgetting? Does this method seem sound? Hoping for some feedback and tips!

#2 2014-02-24 09:51:05

Infinity
Member
From: EU
Registered: 2013-12-16
Posts: 18

Re: Help&Suggestions&Criticism wanted: Arch with dm-crypt/btrfs/yubikey

I've set up my Arch Linux just yesterday. It uses the rEFInd boot loader, an encrypted rootfs with btrfs and a UEFI system partition. The system boots just fine. Personally I used the UEFI system partition as the /boot partition where the kernel resides. If you're really worried, it's suggested that you get a brand new SSD. As soon as you write some unencrypted data to it, it will get stored in multiple locations inside Flash, so it's difficult to erase. You should also do something to protect the data on the unencrypted part of the disk. Personally I've never used YubiKey, so I can't help there, but I've widely used cryptsetup.

AFAIK btrfs does not yet support compression options per subvolume, so if you use compression on the rootfs, all subvolumes must also use the same compression.
