You are not logged in.

#1 2011-06-04 15:42:51

fabriceb
Member
Registered: 2011-05-13
Posts: 33

System encryption using LUKS and GPG encrypted keys for arch linux

Update: As of 2012-03-28, arch changed from gnupg 1.4 to 2.x which uses pinentry for the password dialog. The "etwo" hook described here doesn't work with gnupg 2. Either use the openssl hook below or use a statically compiled version of gnupg 1.4.
Update: As of 2012-12-19, the mkinitcpio is not called during boot, unless the "install" file for the hook contains "add_runscript". This resulted in an unbootable system for me. Also, the method name was changed from install () to build ().
Update: 2013-01-13: Updated the hook files using the corrections by Deth.

Note: This guide is a bit dated now, in particular the arch installation might be different now. But essentially, the approach stays the same. Please also take a look at the posts further down, specifically the alternative hooks that use openssl.

I always wanted to set up a fully encrypted arch linux server that uses gpg encrypted keyfiles on an external usb stick and luks for root filesystem encryption. I already did it once in gentoo using this guide. For arch, I had to play alot with initcpio hooks and after one day of experimentation, I finally got it working. I wrote a little guide for myself which I'm going to share here for anyone that might be interested. There might be better or easier ways, like I said this is just how I did it. I hope it might help someone else. Constructive feedback is always welcome smile

Intro

Using arch linux mkinitcpio's encrypt hook, one can easily use encrypted root partitions with LUKS. It's also possible to use key files stored on an external drive, like an usb stick. However, if someone steals your usb stick, he can just copy the key and potentially access the system. I wanted to have a little extra security by additionally encrypting the key file with gpg using a symmetric cipher and a passphrase.
Since the encrypt hook doesn't support this scenario, I created a modifed hook called “etwo” (silly name I know, it was the first thing that came to my mind). It will simply look if the key file has the extension .gpg and, if yes, use gpg to decrypt it, then pipe the result into cryptsetup.

Conventions

In this short guide, I use the following disk/partition names:
/dev/sda: is the hard disk that will contain an encrypted swap (/dev/sda1), /var (/dev/sda2) and root (/dev/sda3) partition.
/dev/sdb is the usb stick that will contain the gpg encrypted luks keys, the kernel and grub. It will have one partition /dev/sdb1 formatted with ext2.
/dev/mapper/root, /dev/mapper/swap and /dev/mapper/var will be the encrypted devices.

Credits

Thanks to the authors of SECURITY_System_Encryption_DM-Crypt_with_LUKS (gentoo wiki), System Encryption with LUKS (arch wiki), mkinitcpio (arch wiki) and Early Userspace in Arch Linux (/dev/brain0 blog)!

Guide

1. Boot the arch live cd
I had to use a newer testing version, because the 2010.05 cd came with a broken gpg. You can download one here: http://releng.archlinux.org/isos/. I chose the “core“ version. Go ahead and boot the live cd, but don't start the setup yet.

2. Set keymap
Use km to set your keymap. This is important for non-qwerty keyboards to avoid suprises with passphrases...

3. Wipe your discs
ATTENTION: this will DELETE everything on /dev/sda and /dev/sdb forever! Do not blame me for any lost data!
Before encrypting the hard disc, it has to be completely wiped and overwritten with random data. I used shred for this. Others use badblocks or dd with /dev/urandom. Either way, this will take a long time, depending on the size of your disc. I also wiped my usb stick just to be sure.

shred -v /dev/sda
shred -v /dev/sdb

4. Partitioning
Fire up fdisk and create the following partitions:

  • /dev/sda1, type linux swap.

  • /dev/sda2: type linux

  • /dev/sda3: type linux

  • /dev/sdb1, type linux

Of course you can choose a different layout, this is just how I did it. Keep in mind that only the root filesystem will be decrypted by the initcpio. The rest will be decypted during normal init boot using /etc/crypttab, the keys being somewhere on the root filesystem.

5. Format  and mount the usb stick
Create an ext2 filesystem on /dev/sdb1:

mkfs.ext2 /dev/sdb1
mkdir /root/usb
mount /dev/sdb1 /root/usb
cd /root/usb # this will be our working directory for now.

Do not mount anything to /mnt, because the arch installer will use that directory later to mount the encrypted root filesystem.

6. Configure the network (if not already done automatically)

ifconfig eth0 192.168.0.2 netmask 255.255.255.0
route add default gw 192.168.0.1
echo "nameserver 192.168.0.1" >> /etc/resolv.conf

(this is just an example, your mileage may vary)

7. Install gnupg

pacman -Sy
pacman -S gnupg

Verify that gnupg works by launching gpg.

8. Create the keys
Just to be sure, make sure swap is off:

cat /proc/swaps

should return no entries.

Create gpg encrypted keys (remember, we're still in our working dir /root/usb):

dd if=/dev/urandom bs=512 count=4 | gpg -v --cipher-algo aes256 --digest-algo sha512 -c -a  > root.gpg
dd if=/dev/urandom bs=512 count=4 | gpg -v --cipher-algo aes256 --digest-algo sha512 -c -a > var.gpg

Choose a strong password!!

Don't do this in two steps, e.g don't do dd to a file and then gpg on that file. The key should never be stored in plain text on an unencrypted device, except if that device is wiped on system restart (ramfs)!

Note that the default cipher for gpg is cast5, I just chose to use a different one.

9. Create the encrypted devices with cryptsetup
Create encrypted swap:

cryptsetup -c aes-cbc-essiv:sha256 -s 256 -h whirlpool -d /dev/urandom create swap /dev/sda1

You should see /dev/mapper/swap now. Don't format nor turn it on for now. This will be done by the arch installer.

Important: From the Cryptsetup 1.1.2 Release notes:

Cryptsetup can accept passphrase on stdin (standard input). Handling of new line (\n) character is defined by input specification:
    if keyfile is specified as "-" (using --key-file=- or by positional argument in luksFormat and luksAddKey, like cat file | cryptsetup --key-file=- <action> ), input is processed
      as normal binary file and no new line is interpreted.
    if there is no key file specification (with default input from stdin pipe like echo passphrase | cryptsetup <action> ) input is processed as input from terminal, reading will
      stop after new line is detected.

If I understand this correctly, since the randomly generated key can contain a newline early on, piping the key into cryptsetup without specifying --key-file=- could result in a big part of the key to be ignored by cryptsetup. Example: if the random key was "foo\nandsomemorebaratheendofthekey", piping it directly into cryptsetup without --key-file=- would result in cryptsetup using only "foo" as key which would have big security implications. We should therefor ALWAYS pipe the key into cryptsetup using --key-file=- which ignores newlines.

gpg -q -d root.gpg 2>/dev/null | cryptsetup -v -–key-file=- -c aes-cbc-essiv:sha256 -s 256 -h whirlpool luksFormat /dev/sda3
gpg -q -d var.gpg 2>/dev/null | cryptsetup -v –-key-file=- -c aes-cbc-essiv:sha256 -s 256 -h whirlpool -v luksFormat /dev/sda2

Check for any errors.

10. Open the luks devices

gpg -d root.gpg 2>/dev/null | cryptsetup -v –-key-file=- luksOpen /dev/sda3 root
gpg -d var.gpg 2>/dev/null | cryptsetup -v –-key-file=- luksOpen /dev/sda2 var

If you see /dev/mapper/root and /dev/mapper/var now, everything is ok.

11. Start the installer /arch/setup
Follow steps 1 to 3.
At step 4 (Prepare hard drive(s), select “3 – Manually Configure block devices, filesystems and mountpoints. Choose /dev/sdb1 (the usb stick) as /boot, /dev/mapper/swap for swap, /dev/mapper/root for / and /dev/mapper/var for /var.
Format all drives (choose “yes” when asked “do you want to have this filesystem (re)created”) EXCEPT for /dev/sdb1, choose “no”. Choose the correct filesystem for /dev/sdb1, ext2 in my case. Use swap for /dev/mapper/swap. For the rest, I chose ext4.

Select DONE to start formatting.

At step 5 (Select packages), select grub as boot loader. Select the base group. Add mkinitcpio.

Start step 6 (Install packages).

Go to step 7 (Configure System).
By sure to set the correct KEYMAP, LOCALE and TIMEZONE in /etc/rc.conf.

Edit /etc/fstab:

/dev/mapper/root / ext4 defaults 0 1
/dev/mapper/swap swap swap defaults 0 0
/dev/mapper/var /var ext4 defaults 0 1
# /dev/sdb1 /boot ext2 defaults 0 1

Configure the rest normally. When you're done, setup will launch mkinitcpio. We'll manually launch this again later.

Go to step 8 (install boot loader).
Be sure to change the kernel line in menu.lst:

kernel /vmlinuz26 root=/dev/mapper/root cryptdevice=/dev/sda3:root cryptkey=/dev/sdb1:ext2:/root.gpg

Don't forget the :root suffix in cryptdevice!

Also, my root line was set to (hd1,0). Had to change that to

root (hd0,0)

Install grub to /dev/sdb (the usb stick).

Now, we can exit the installer.

12. Install mkinitcpio with the etwo hook.
Create /mnt/lib/initcpio/hooks/etwo:

#!/usr/bin/ash

run_hook() {
    /sbin/modprobe -a -q dm-crypt >/dev/null 2>&1
    if [ -e "/sys/class/misc/device-mapper" ]; then
        if [ ! -e "/dev/mapper/control" ]; then
            /bin/mknod "/dev/mapper/control" c $(cat /sys/class/misc/device-mapper/dev | sed 's|:| |')
        fi
        [ "${quiet}" = "y" ] && CSQUIET=">/dev/null"

        # Get keyfile if specified
        ckeyfile="/crypto_keyfile"
        usegpg="n"
        if [ "x${cryptkey}" != "x" ]; then
            ckdev="$(echo "${cryptkey}" | cut -d: -f1)"
            ckarg1="$(echo "${cryptkey}" | cut -d: -f2)"
            ckarg2="$(echo "${cryptkey}" | cut -d: -f3)"
            if poll_device "${ckdev}" ${rootdelay}; then
                case ${ckarg1} in
                    *[!0-9]*)
                        # Use a file on the device
                        # ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path
                        if [ "${ckarg2#*.}" = "gpg" ]; then
                            ckeyfile="${ckeyfile}.gpg"
                            usegpg="y"
                        fi
                        mkdir /ckey
                        mount -r -t ${ckarg1} ${ckdev} /ckey
                        dd if=/ckey/${ckarg2} of=${ckeyfile} >/dev/null 2>&1
                        umount /ckey
                        ;;
                    *)
                        # Read raw data from the block device
                        # ckarg1 is numeric: ckarg1=offset, ckarg2=length
                        dd if=${ckdev} of=${ckeyfile} bs=1 skip=${ckarg1} count=${ckarg2} >/dev/null 2>&1
                        ;;
                esac
            fi
            [ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase."
        fi
        if [ -n "${cryptdevice}" ]; then
            DEPRECATED_CRYPT=0
            cryptdev="$(echo "${cryptdevice}" | cut -d: -f1)"
            cryptname="$(echo "${cryptdevice}" | cut -d: -f2)"
        else
            DEPRECATED_CRYPT=1
            cryptdev="${root}"
            cryptname="root"
        fi

        warn_deprecated() {
            echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated"
            echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead."
        }

        if  poll_device "${cryptdev}" ${rootdelay}; then
            if /sbin/cryptsetup isLuks ${cryptdev} >/dev/null 2>&1; then
                [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
                dopassphrase=1
                # If keyfile exists, try to use that
                if [ -f ${ckeyfile} ]; then
                    if [ "${usegpg}" = "y" ]; then
                        # gpg tty fixup
                        if [ -e /dev/tty ]; then mv /dev/tty /dev/tty.backup; fi
                        cp -a /dev/console /dev/tty
                        while [ ! -e /dev/mapper/${cryptname} ];
                        do
                            sleep 2
                            /usr/bin/gpg -d "${ckeyfile}" 2>/dev/null | cryptsetup --key-file=- luksOpen ${cryptdev} ${cryptname} ${CSQUIET}
                            dopassphrase=0
                        done
                        rm /dev/tty
                        if [ -e /dev/tty.backup ]; then mv /dev/tty.backup /dev/tty; fi
                    else
                        if eval /sbin/cryptsetup --key-file ${ckeyfile} luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; then
                            dopassphrase=0
                        else
                            echo "Invalid keyfile. Reverting to passphrase."
                        fi
                    fi
                fi
                # Ask for a passphrase
                if [ ${dopassphrase} -gt 0 ]; then
                    echo ""
                    echo "A password is required to access the ${cryptname} volume:"

                    #loop until we get a real password
                    while ! eval /sbin/cryptsetup luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; do
                        sleep 2;
                    done
                fi
                if [ -e "/dev/mapper/${cryptname}" ]; then
                    if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
                        export root="/dev/mapper/root"
                    fi
                else
                    err "Password succeeded, but ${cryptname} creation failed, aborting..."
                    exit 1
                fi
            elif [ -n "${crypto}" ]; then
                [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
                msg "Non-LUKS encrypted device found..."
                if [ $# -ne 5 ]; then
                    err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip"
                    err "Non-LUKS decryption not attempted..."
                    return 1
                fi
                exe="/sbin/cryptsetup create ${cryptname} ${cryptdev}"
                tmp=$(echo "${crypto}" | cut -d: -f1)
                [ -n "${tmp}" ] && exe="${exe} --hash \"${tmp}\""
                tmp=$(echo "${crypto}" | cut -d: -f2)
                [ -n "${tmp}" ] && exe="${exe} --cipher \"${tmp}\""
                tmp=$(echo "${crypto}" | cut -d: -f3)
                [ -n "${tmp}" ] && exe="${exe} --key-size \"${tmp}\""
                tmp=$(echo "${crypto}" | cut -d: -f4)
                [ -n "${tmp}" ] && exe="${exe} --offset \"${tmp}\""
                tmp=$(echo "${crypto}" | cut -d: -f5)
                [ -n "${tmp}" ] && exe="${exe} --skip \"${tmp}\""
                if [ -f ${ckeyfile} ]; then
                    exe="${exe} --key-file ${ckeyfile}"
                else
                    exe="${exe} --verify-passphrase"
                    echo ""
                    echo "A password is required to access the ${cryptname} volume:"
                fi
                eval "${exe} ${CSQUIET}"

                if [ $? -ne 0 ]; then
                    err "Non-LUKS device decryption failed. verify format: "
                    err "      crypto=hash:cipher:keysize:offset:skip"
                    exit 1
                fi
                if [ -e "/dev/mapper/${cryptname}" ]; then
                    if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
                        export root="/dev/mapper/root"
                    fi
                else
                    err "Password succeeded, but ${cryptname} creation failed, aborting..."
                    exit 1
                fi
            else
                err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume and the crypto= paramater was not specified."
            fi
        fi
        rm -f ${ckeyfile}
    fi
}

Create /mnt/lib/initcpio/install/etwo:

#!/bin/bash

build() {
    local mod

    add_module dm-crypt
    if [[ $CRYPTO_MODULES ]]; then
        for mod in $CRYPTO_MODULES; do
            add_module "$mod"
        done
    else
        add_all_modules '/crypto/'
    fi
    add_dir "/dev/mapper"
    add_binary "cryptsetup"
    add_binary "dmsetup"
    add_binary "/usr/bin/gpg"
    add_file "/usr/lib/udev/rules.d/10-dm.rules"
    add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
    add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
    add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"

    add_runscript
}
help ()
{
cat<<HELPEOF
  This hook allows for an encrypted root device with support for gpg encrypted key files.
  To use gpg, the key file must have the extension .gpg and you have to install gpg and add /usr/bin/gpg
  to your BINARIES var in /etc/mkinitcpio.conf.
HELPEOF
}

Edit /mnt/etc/mkinitcpio.conf (only relevant sections displayed):

MODULES=”ext2 ext4” # not sure if this is really nessecary.
BINARIES=”/usr/bin/gpg” # this could probably be done in install/etwo...
HOOKS=”base udev usbinput keymap autodetect pata scsi sata usb etwo filesystems” # (usbinput is only needed if you have an usb keyboard)

Copy the initcpio stuff over to the live cd:

cp /mnt/lib/initcpio/hooks/etwo /lib/initcpio/hooks/
cp /mnt/lib/initcpio/install/etwo /lib/initcpio/install/
cp /mnt/etc/mkinitcpio.conf /etc/

Verify your LOCALE, KEYMAP and TIMEZONE in /etc/rc.conf!

Now reinstall the initcpio:

mkinitcpio -g /mnt/boot/kernel26.img

Make sure there were no errors and that all hooks were included.

13. Decrypt the "var" key to the encrypted root

mkdir /mnt/keys
chmod 500 /mnt/keys
gpg –output /mnt/keys/var -d /mnt/boot/var.gpg
chmod 400 /mnt/keys/var

14. Setup crypttab
Edit /mnt/etc/crypttab:

swap    /dev/sda1    SWAP    -c aes-cbc-essiv:sha256 -s 256 -h whirlpool
var /dev/sda2    /keys/var

15. Reboot
We're done, you may reboot. Make sure you select the usb stick as the boot device in your bios and hope for the best. big_smile. If it didn't work, play with grub's settings or boot from the live cd, mount your encrypted devices and check all settings. You might also have less trouble by using uuid's instead of device names.  I chose device names to keep things as simple as possible, even though it's not the optimal way to do it.

Make backups of your data and your usb stick and do not forget your password(s)! Or you can say goodbye to your data forever...

Last edited by fabriceb (2013-01-15 22:36:23)

Offline

#2 2011-06-04 16:13:28

falconindy
Developer
From: New York, USA
Registered: 2009-10-22
Posts: 4,111
Website

Re: System encryption using LUKS and GPG encrypted keys for arch linux

This belongs on the Wiki, not in a forum post.

Offline

#3 2011-06-06 14:15:21

fabriceb
Member
Registered: 2011-05-13
Posts: 33

Re: System encryption using LUKS and GPG encrypted keys for arch linux

falconindy wrote:

This belongs on the Wiki, not in a forum post.

I'm not sure if this is detailed enough / has enough quality for a new wiki entry. It is very specific and doesn't mention a lot of things that are assumed to be known by the user. Not sure if I'll find the time to flesh it out. Should I publish it nonetheless?

Offline

#4 2011-06-06 18:27:59

anrxc
Member
From: Croatia
Registered: 2008-03-22
Posts: 835
Website

Re: System encryption using LUKS and GPG encrypted keys for arch linux

I always wanted to set up a fully encrypted arch linux server

But data is available all the time?


You need to install an RTFM interface.

Offline

#5 2011-06-06 18:42:13

fabriceb
Member
Registered: 2011-05-13
Posts: 33

Re: System encryption using LUKS and GPG encrypted keys for arch linux

anrxc wrote:

I always wanted to set up a fully encrypted arch linux server

But data is available all the time?

What do you mean? This isn't very specific...

Offline

#6 2011-06-10 23:41:45

anrxc
Member
From: Croatia
Registered: 2008-03-22
Posts: 835
Website

Re: System encryption using LUKS and GPG encrypted keys for arch linux

Sorry, well it's a server in your own words. So to serve the encrypted data is always mounted. Readable.


You need to install an RTFM interface.

Offline

#7 2011-06-11 06:55:53

fabriceb
Member
Registered: 2011-05-13
Posts: 33

Re: System encryption using LUKS and GPG encrypted keys for arch linux

anrsxc, in this guide I concern myself with hard disk encryption only. Once the server is running, the disks will be "open" (for root at least) and data will be decypted/encrypted on the fly by the kernel.

What you do to further secure it once it is running is up to you. A few suggestions:

  • Protect the system from physical access

  • Close all unnecessary ports

  • Use the netfilter firewall (iptables)

  • Install security updates regularly

  • Backup your data, but not unprotected (e.g. backup to an encrypted hard disk that uses a different key/password)

  • Harden your kernel using grsecurity/selinux/apparmor,...

  • Use ipsec to encrypt all network traffic

  • Install an intrusion detection system like snort

  • Install a data integrity tool like tripwire

  • Check your security with bastille-linux

  • Don't pretend that you can effectively protect against the government (or other powerful entities) using this guide if you have really important things to hide!

  • ...

The list goes on and I'm not a security expert. I'm just doing it for fun smile

Last edited by fabriceb (2011-06-11 07:02:43)

Offline

#8 2011-06-11 09:02:24

moljac024
Member
From: Serbia
Registered: 2008-01-29
Posts: 2,676

Re: System encryption using LUKS and GPG encrypted keys for arch linux

anxrc makes a valid point. Hard drive encryption isn't useful if you have the computer running all the time, and the data decrypted. It protects data on the hard drive when the computer isn't running, or at least, the data not mounted.

Furthermore, if you're still going to protect it 100% from physical access then hard drive encryption is unnecessary. If you're not going to protect it from physical access then hard drive encryption won't save you when the system is running and the drive decrypted.


The day Microsoft makes a product that doesn't suck, is the day they make a vacuum cleaner.
--------------------------------------------------------------------------------------------------------------
But if they tell you that I've lost my mind, maybe it's not gone just a little hard to find...

Offline

#9 2011-06-11 09:27:11

fabriceb
Member
Registered: 2011-05-13
Posts: 33

Re: System encryption using LUKS and GPG encrypted keys for arch linux

moljac024 wrote:

anxrc makes a valid point. Hard drive encryption isn't useful if you have the computer running all the time, and the data decrypted. It protects data on the hard drive when the computer isn't running, or at least, the data not mounted.

Furthermore, if you're still going to protect it 100% from physical access then hard drive encryption is unnecessary. If you're not going to protect it from physical access then hard drive encryption won't save you when the system is running and the drive decrypted.

Did you read me last post? Of course my guide doesn't protect against any network exploits, because those thing are out of the scope of this guide! But that doesn't seem to be clear, so here's what it does protect against:

People won't be able to access the encrypted partition without both the usb stick and the password or a working exploit on the running system (e.g. over the network). This gives data protection in the following cases:

  • When someone tries to bypass your root password by booting from a live cd

  • When someone steals your pc or harddrive and tries to access your data somewhere else

  • When someone tries to modify the boot sector / boot loader / kernel in order to get access to your data. Doesn't work because everything needed for boot is on the usb stick

  • When you dispose / sell / throw away your disks, noone will be able to read your private data

Possible ways to bypass security:

  • Physical access to your usb stick and getting your password by installing a hardware keylogger/camera/whatever

  • Getting the encryption key off the RAM by freezing, then quickly reading it

  • Weak password

  • Social engineering

  • Everything that can be done to hack a running system

By the way, absolute physical security is just as impossible as absolute security in general. However, having encryption in addition to good physical security is better than only the latter.

I won't make a list of specific thing it doesn't protect against, because that list would be very long.

Sorry for the edits, my typos have a habit of avoiding the preview smile

Last edited by fabriceb (2011-06-11 09:36:16)

Offline

#10 2011-06-11 11:11:21

moljac024
Member
From: Serbia
Registered: 2008-01-29
Posts: 2,676

Re: System encryption using LUKS and GPG encrypted keys for arch linux

You make valid points. Those are the same reasons I set up my drives pretty much the same way (only except the gpg part, that's a nice bonus).
My point was that you still need physical security because if the data is sensitive enough to warrant that level of protection then most likely the attacker(s) are serious enough to freeze RAM, read it directly while the system is running with FireWire or install cameras/mics/keyloggers/etc.

So this pretty much protects from the moron who snatches the drive out and runs away.
It's all besides the point, because rubber hose defeats all encryption like it was never there big_smile


The day Microsoft makes a product that doesn't suck, is the day they make a vacuum cleaner.
--------------------------------------------------------------------------------------------------------------
But if they tell you that I've lost my mind, maybe it's not gone just a little hard to find...

Offline

#11 2011-06-11 12:20:59

fabriceb
Member
Registered: 2011-05-13
Posts: 33

Re: System encryption using LUKS and GPG encrypted keys for arch linux

moljac024 wrote:

It's all besides the point, because rubber hose defeats all encryption like it was never there big_smile

Exactly smile

Still, I think using encryption and securing your system is a good idea. It's always a choice between usability and security and there's a degree between no protection at all to hyper secure that is worth exploring. You might not be able to protect against big brother spying on you, but you probably can protect against your big brother (literally) spying on you or misusing your pr0n collection big_smile. Or even against your local police who might not have the know how and ressources to extract your data (I'm not implying that you should hide illegal things from the police ^^). It's just like online shopping - of course a hacker might be able to get at your credit card number even with ssl encryption but that doesn't mean we shouldn't use secured connections at all.

I guess that's why you set up your drives too.

Last edited by fabriceb (2011-06-12 20:44:21)

Offline

#12 2011-06-12 18:17:06

maxim_
Member
From: Asia/Omsk
Registered: 2009-08-26
Posts: 12

Re: System encryption using LUKS and GPG encrypted keys for arch linux

Maybe it's better to use openssl rather than gpg? It doesn't create ~/.gnupg stuff smile

Offline

#13 2011-06-12 18:50:26

fabriceb
Member
Registered: 2011-05-13
Posts: 33

Re: System encryption using LUKS and GPG encrypted keys for arch linux

maxim_ wrote:

Maybe it's better to use openssl rather than gpg? It doesn't create ~/.gnupg stuff smile

Thank you for the suggestion. However, GPG is executed inside the initital ram filesystem, the real root filesystem gets mounted over it and - since it exists in ram - it gets completely deleted on reboot. I don't see a problem at all with that .gnupg dir. In my opinion, openssl is a pain to use, but if you'd like to add openssl support to the guide, feel free to post the changes in a reply and I'll add them to the original post. I might also add the guide to the wiki or maybe add gpg support to the existing "system encryption" article, if I get the time.

Last edited by fabriceb (2011-06-12 18:51:00)

Offline

#14 2011-06-14 07:43:10

maxim_
Member
From: Asia/Omsk
Registered: 2009-08-26
Posts: 12

Re: System encryption using LUKS and GPG encrypted keys for arch linux

This is openssl implemetation compatible with 'encrypt' hook. Maybe it will be useful for somebody. smile Copy this files to your root. Run "mkinitcpio -H ssldec" for help. Put 'ssldec' hook in your "/etc/mkinitcpio.conf" before 'encrypt' and after 'usb'. You can customize strings in 'ssldec' for your personal taste. smile

To encrypt keyfile with openssl use:

$ openssl aes256 -in src.file -out dst.file

/lib/initcpio/hooks/ssldec:

# vim: set ft=sh:

run_hook ()
{
    local encfile decfile attempts prompt badpassword poweroffmsg dev arg1 arg2 retcode password

    if [ "x${ssldec}" != "x" ]; then
        encfile="/enc_keyfile.bin"
        decfile="/crypto_keyfile.bin"

        attempts="3"

        prompt="Enter password: "
        badpassword="Password incorrect"
        poweroffmsg="Try again later. Power off."

        dev="$(echo "${ssldec}" | cut -d: -f1)"
        arg1="$(echo "${ssldec}" | cut -d: -f2)"
        arg2="$(echo "${ssldec}" | cut -d: -f3)"

        if poll_device "${dev}" "${rootdelay}"; then
            case "${arg1}" in
                *[!0-9]*)
                    mkdir /mntkey
                    mount -r -t "${arg1}" "${dev}" /mntkey
                    dd if="/mntkey/${arg2}" of="${encfile}" >/dev/null 2>&1
                    umount /mntkey
                    rm -rf /mntkey
                    ;;
                *)
                    dd if="${dev}" of="${encfile}" bs=1 skip="${arg1}" count="${arg2}" >/dev/null 2>&1
                    ;;
            esac
        fi

        if [ -f "${encfile}" ]; then
            while true; do
                read -rsp "${prompt}" password
                openssl aes256 -pass pass:"${password}" -d -in "${encfile}" -out "${decfile}" >/dev/null 2>&1
                retcode="$?"
                if [ "${retcode}" != "0" ]; then
                    sleep 2
                    attempts=$(( ${attempts} - 1 ))
                    [ "${attempts}" == "0" ] && echo -e "\n${poweroffmsg}" && poweroff -f
                    echo -e "\n${badpassword}\n"
                else
                    break
                fi
            done

            rm -f "${encfile}"
        else
            echo "Encrypted keyfile could not be opened. Reverting to 'encrypt' hook."
        fi
    fi
}

/lib/initcpio/install/ssldec:

# vim: set ft=sh:

install ()
{
    MODULES=""
    FILES=""
    SCRIPT="ssldec"
    add_binary "/usr/bin/openssl"
}

help ()
{
cat<<HELPEOF
  This hook allows for an openssl (aes-256-cbc) encrypted keyfile for LUKS.
  It relies on standard 'encrypt' hook providing decrypted '/crypto_keyfile.bin' for it.
  The number of password input attempts is hard-coded (3 by default followed by poweroff).

  Kernel Parameters:
  Two options are supported:
  1) Using a file on the device:
     ssldec=<device>:<fs-type>:<path>
  2) Reading raw data from the block device:
     ssldec=<device>:<offset>:<size>
HELPEOF
}

Last edited by maxim_ (2011-06-18 16:44:09)

Offline

#15 2011-12-28 01:31:34

Fallback
Member
From: Austria
Registered: 2009-12-26
Posts: 25

Re: System encryption using LUKS and GPG encrypted keys for arch linux

I'm trying to run my install script that is based on https://bbs.archlinux.org/viewtopic.php?id=129885

Decrypting the gpg key after grub works, but then "Devce root already exists." appears every second.

any idea ?


#!/bin/bash

# This script is designed to be run in conjunction with a UEFI boot using Archboot intall media.

# prereqs:
# --------------------
# EFI "BIOS" set to boot *only* from EFI
# successful EFI boot of Archboot USB
# mount /dev/sdb1 /src

set -o nounset
#set -o errexit

# ------------------------------------------------------------------------
# Host specific configuration
# ------------------------------------------------------------------------
# this whole script needs to be customized, particularly disk partitions
# and configuration, but this section contains global variables that
# are used during the system configuration phase for convenience
HOSTNAME=daniel
USERNAME=user

# ------------------------------------------------------------------------
# Globals
# ------------------------------------------------------------------------
# We don't need to set these here but they are used repeatedly throughout
# so it makes sense to reuse them and allow an easy, one-time change if we
# need to alter values such as the install target mount point.

INSTALL_TARGET="/install"
HR="--------------------------------------------------------------------------------"
PACMAN="pacman --noconfirm --config /tmp/pacman.conf"
TARGET_PACMAN="pacman --noconfirm --config /tmp/pacman.conf -r ${INSTALL_TARGET}"
CHROOT_PACMAN="pacman --noconfirm --cachedir /var/cache/pacman/pkg --config /tmp/pacman.conf -r ${INSTALL_TARGET}"
FILE_URL="file:///packages/core-$(uname -m)/pkg"
FTP_URL='ftp://mirrors.kernel.org/archlinux/$repo/os/$arch'
HTTP_URL='http://mirrors.kernel.org/archlinux/$repo/os/$arch'

# ------------------------------------------------------------------------
# Functions
# ------------------------------------------------------------------------
# I've avoided using functions in this script as they aren't required and
# I think it's more of a learning tool if you see the step-by-step 
# procedures even with minor duplciations along the way, but I feel that
# these functions clarify the particular steps of setting values in config
# files.

SetValue () { 
# EXAMPLE: SetValue VARIABLENAME '\"Quoted Value\"' /file/path
VALUENAME="$1" NEWVALUE="$2" FILEPATH="$3"
sed -i "s+^#\?\(${VALUENAME}\)=.*$+\1=${NEWVALUE}+" "${FILEPATH}"
}

CommentOutValue () {
VALUENAME="$1" FILEPATH="$2"
sed -i "s/^\(${VALUENAME}.*\)$/#\1/" "${FILEPATH}"
}

UncommentValue () {
VALUENAME="$1" FILEPATH="$2"
sed -i "s/^#\(${VALUENAME}.*\)$/\1/" "${FILEPATH}"
}

# ------------------------------------------------------------------------
# Initialize
# ------------------------------------------------------------------------
# Warn the user about impending doom, set up the network on eth0, mount
# the squashfs images (Archboot does this normally, we're just filling in
# the gaps resulting from the fact that we're doing a simple scripted
# install). We also create a temporary pacman.conf that looks for packages
# locally first before sourcing them from the network. It would be better
# to do either *all* local or *all* network but we can't for two reasons.
#     1. The Archboot installation image might have an out of date kernel
#	 (currently the case) which results in problems when chrooting
#	 into the install mount point to modprobe efivars. So we use the
#	 package snapshot on the Archboot media to ensure our kernel is
#	 the same as the one we booted with.
#     2. Ideally we'd source all local then, but some critical items,
#	 notably grub2-efi variants, aren't yet on the Archboot media.

# Warn
# ------------------------------------------------------------------------
timer=9
echo -e "\n\nMAC WARNING: This script is not designed for APPLE MAC installs and will potentially misconfigure boot to your existing OS X installation. STOP NOW IF YOU ARE ON A MAC.\n\n"
echo -n "GENERAL WARNING: This procedure will completely format /dev/sda. Please cancel with ctrl-c to cancel within $timer seconds..."
while [[ $timer -gt 0 ]]
do
	sleep 1
	let timer-=1
	echo -en "$timer seconds..."
done

echo "STARTING"

# Get Network
# ------------------------------------------------------------------------
echo -n "Waiting for network address.."
#dhclient eth0
dhcpcd -p eth0
echo -n "Network address acquired."

# Mount packages squashfs images
# ------------------------------------------------------------------------
umount "/packages/core-$(uname -m)"
umount "/packages/core-any"
rm -rf "/packages/core-$(uname -m)"
rm -rf "/packages/core-any"

mkdir -p "/packages/core-$(uname -m)"
mkdir -p "/packages/core-any"

modprobe -q loop
modprobe -q squashfs
mount -o ro,loop -t squashfs "/src/packages/archboot_packages_$(uname -m).squashfs" "/packages/core-$(uname -m)"
mount -o ro,loop -t squashfs "/src/packages/archboot_packages_any.squashfs" "/packages/core-any"

# Create temporary pacman.conf file
# ------------------------------------------------------------------------
cat << PACMANEOF > /tmp/pacman.conf
[options]
Architecture = auto
CacheDir = ${INSTALL_TARGET}/var/cache/pacman/pkg
CacheDir = /packages/core-$(uname -m)/pkg
CacheDir = /packages/core-any/pkg

[core]
Server = ${FILE_URL}
Server = ${FTP_URL}
Server = ${HTTP_URL}

[extra]
Server = ${FILE_URL}
Server = ${FTP_URL}
Server = ${HTTP_URL}

#Uncomment to enable pacman -Sy yaourt
[archlinuxfr]
Server = http://repo.archlinux.fr/\$arch
PACMANEOF

# Prepare pacman
# ------------------------------------------------------------------------
[[ ! -d "${INSTALL_TARGET}/var/cache/pacman/pkg" ]] && mkdir -m 755 -p "${INSTALL_TARGET}/var/cache/pacman/pkg"
[[ ! -d "${INSTALL_TARGET}/var/lib/pacman" ]] && mkdir -m 755 -p "${INSTALL_TARGET}/var/lib/pacman"
${PACMAN} -Sy
${TARGET_PACMAN} -Sy

# Install prereqs from network (not on archboot media)
# ------------------------------------------------------------------------
echo -e "\nInstalling prereqs...\n$HR"
#sed -i "s/^#S/S/" /etc/pacman.d/mirrorlist # Uncomment all Server lines
UncommentValue S /etc/pacman.d/mirrorlist # Uncomment all Server lines
${PACMAN} --noconfirm -Sy gptfdisk btrfs-progs-unstable libusb-compat gnupg

# ------------------------------------------------------------------------
# Configure Host
# ------------------------------------------------------------------------
# Here we create three partitions:
# 1. efi and /boot (one partition does double duty)
# 2. swap
# 3. our encrypted root
# Note that all of these are on a GUID partition table scheme. This proves
# to be quite clean and simple since we're not doing anything with MBR
# boot partitions and the like.

echo -e "format\n"

# shred -v /dev/sda

# disk prep
sgdisk -Z /dev/sda # zap all on disk
#sgdisk -Z /dev/mmcb1k0 # zap all on sdcard
sgdisk -a 2048 -o /dev/sda # new gpt disk 2048 alignment
#sgdisk -a 2048 -o /dev/mmcb1k0

# create partitions
sgdisk -n 1:0:+200M /dev/sda # partition 1 (UEFI BOOT), default start block, 200MB
sgdisk -n 2:0:+4G /dev/sda # partition 2 (SWAP), default start block, 200MB
sgdisk -n 3:0:0 /dev/sda # partition 3, (LUKS), default start, remaining space
#sgdisk -n 1:0:1800M /dev/mmcb1k0 # root.gpg 

# set partition types
sgdisk -t 1:ef00 /dev/sda
sgdisk -t 2:8200 /dev/sda
sgdisk -t 3:8300 /dev/sda
#sgdisk -t 1:0700 /dev/mmcb1k0

# label partitions
sgdisk -c 1:"UEFI Boot" /dev/sda
sgdisk -c 2:"Swap" /dev/sda
sgdisk -c 3:"LUKS" /dev/sda
#sgdisk -c 1:"Key" /dev/mmcb1k0


echo -e "create gpg file\n"

# create gpg file 
dd if=/dev/urandom bs=512 count=4 | gpg -v --cipher-algo aes256 --digest-algo sha512 -c -a > /root/root.gpg

echo -e "format LUKS on root\n"

# format LUKS on root
gpg -q -d /root/root.gpg 2>/dev/null | cryptsetup -v --key-file=- -c aes-xts-plain -s 512 --hash sha512 luksFormat /dev/sda3

echo -e "open LUKS on root\n"

gpg -d /root/root.gpg 2>/dev/null | cryptsetup -v --key-file=- luksOpen /dev/sda3 root


# NOTE: make sure to add dm_crypt and aes_i586 to MODULES in rc.conf
# NOTE2: actually this isn't required since we're mounting an encrypted root and grub2/initramfs handles this before we even get to rc.conf


# make filesystems
# following swap related commands not used now that we're encrypting our swap partition
#mkswap /dev/sda2
#swapon /dev/sda2
#mkfs.ext4 /dev/sda3 # this is where we'd create an unencrypted root partition, but we're using luks instead
echo -e "\nCreating Filesystems...\n$HR"
# make filesystems
mkfs.ext4 /dev/mapper/root
mkfs.vfat -F32 /dev/sda1
#mkfs.vfat -F32 /dev/mmcb1k0p1

echo -e "mount targets\n"

# mount target
#mount /dev/sda3 ${INSTALL_TARGET} # this is where we'd mount the unencrypted root partition
mount /dev/mapper/root ${INSTALL_TARGET}
# mount target
mkdir ${INSTALL_TARGET}
# mkdir ${INSTALL_TARGET}/key
# mount -t vfat /dev/mmcb1k0p1 ${INSTALL_TARGET}/key
mkdir ${INSTALL_TARGET}/boot
mount -t vfat /dev/sda1 ${INSTALL_TARGET}/boot


# ------------------------------------------------------------------------
# Install base, necessary utilities
# ------------------------------------------------------------------------

mkdir -p ${INSTALL_TARGET}/var/lib/pacman
${TARGET_PACMAN} -Sy
${TARGET_PACMAN} -Su base
# curl could be installed later but we want it ready for rankmirrors
${TARGET_PACMAN} -S curl
${TARGET_PACMAN} -S libusb-compat gnupg
${TARGET_PACMAN} -R grub
rm -rf ${INSTALL_TARGET}/boot/grub
${TARGET_PACMAN} -S grub2-efi-x86_64

# ------------------------------------------------------------------------
# Configure new system
# ------------------------------------------------------------------------
SetValue HOSTNAME ${HOSTNAME} ${INSTALL_TARGET}/etc/rc.conf
sed -i "s/^\(127\.0\.0\.1.*\)$/\1 ${HOSTNAME}/" ${INSTALL_TARGET}/etc/hosts
SetValue CONSOLEFONT Lat2-Terminus16 ${INSTALL_TARGET}/etc/rc.conf
#following replaced due to netcfg
#SetValue interface eth0 ${INSTALL_TARGET}/etc/rc.conf

# ------------------------------------------------------------------------
# write fstab
# ------------------------------------------------------------------------
# You can use UUID's or whatever you want here, of course. This is just
# the simplest approach and as long as your drives aren't changing values
# randomly it should work fine.
cat > ${INSTALL_TARGET}/etc/fstab <<FSTAB_EOF
# 
# /etc/fstab: static file system information
#
# <file system>		<dir>	<type>	<options>		<dump>	<pass>
tmpfs			/tmp	tmpfs	nodev,nosuid		0	0
/dev/sda1		/boot	vfat	defaults		0	0 
/dev/mapper/cryptswap	none	swap	defaults		0	0 
/dev/mapper/root	/ 	ext4	defaults,noatime	0	1 
FSTAB_EOF

# write etwo 

mkdir -p /lib/initcpio/hooks/
mkdir -p /lib/initcpio/install/ 
cp /src/etwo_hooks /lib/initcpio/hooks/etwo 
cp /src/etwo_install /lib/initcpio/install/etwo 

mkdir -p ${INSTALL_TARGET}/lib/initcpio/hooks/
mkdir -p ${INSTALL_TARGET}/lib/initcpio/install/ 
cp /src/etwo_hooks ${INSTALL_TARGET}/lib/initcpio/hooks/etwo 
cp /src/etwo_install ${INSTALL_TARGET}/lib/initcpio/install/etwo 


# ------------------------------------------------------------------------
# write crypttab
# ------------------------------------------------------------------------
# encrypted swap (random passphrase on boot)
echo cryptswap /dev/sda2 SWAP "-c aes-xts-plain -h whirlpool -s 512" >> ${INSTALL_TARGET}/etc/crypttab

# ------------------------------------------------------------------------
# copy configs we want to carry over to target from install environment
# ------------------------------------------------------------------------

mv ${INSTALL_TARGET}/etc/resolv.conf ${INSTALL_TARGET}/etc/resolv.conf.orig
cp /etc/resolv.conf ${INSTALL_TARGET}/etc/resolv.conf

mkdir -p ${INSTALL_TARGET}/tmp
cp /tmp/pacman.conf ${INSTALL_TARGET}/tmp/pacman.conf

# ------------------------------------------------------------------------
# mount proc, sys, dev in install root
# ------------------------------------------------------------------------

mount -t proc proc ${INSTALL_TARGET}/proc
mount -t sysfs sys ${INSTALL_TARGET}/sys
mount -o bind /dev ${INSTALL_TARGET}/dev

echo -e "umount boot\n"

# we have to remount /boot from inside the chroot
umount ${INSTALL_TARGET}/boot

# ------------------------------------------------------------------------
# Create install_efi script (to be run *after* chroot /install)
# ------------------------------------------------------------------------

touch ${INSTALL_TARGET}/install_efi
chmod a+x ${INSTALL_TARGET}/install_efi
cat > ${INSTALL_TARGET}/install_efi <<EFI_EOF


# functions (these could be a library, but why overcomplicate things
# ------------------------------------------------------------------------
SetValue () { VALUENAME="\$1" NEWVALUE="\$2" FILEPATH="\$3"; sed -i "s+^#\?\(\${VALUENAME}\)=.*\$+\1=\${NEWVALUE}+" "\${FILEPATH}"; }
CommentOutValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^\(\${VALUENAME}.*\)\$/#\1/" "\${FILEPATH}"; }
UncommentValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^#\(\${VALUENAME}.*\)\$/\1/" "\${FILEPATH}"; }

echo -e "mount boot\n"

# remount here or grub et al gets confused
# ------------------------------------------------------------------------
mount -t vfat /dev/sda1 /boot


# mkinitcpio
# ------------------------------------------------------------------------
# NOTE: intel_agp drm and i915 for intel graphics
SetValue MODULES '\\"dm_mod dm_crypt aes_x86_64 ext2 ext4 vfat intel_agp drm i915\\"' /etc/mkinitcpio.conf
SetValue HOOKS '\\"base udev pata scsi sata usb usbinput keymap consolefont etwo encrypt filesystems\\"' /etc/mkinitcpio.conf
SetValue BINARIES '\\"/usr/bin/gpg\\"' /etc/mkinitcpio.conf

mkinitcpio -p linux

# kernel modules for EFI install
# ------------------------------------------------------------------------
modprobe efivars
modprobe dm-mod

# locale-gen
# ------------------------------------------------------------------------
UncommentValue de_AT /etc/locale.gen
locale-gen


# install and configure grub2
# ------------------------------------------------------------------------
# did this above
#${CHROOT_PACMAN} -Sy
#${CHROOT_PACMAN} -R grub
#rm -rf /boot/grub
#${CHROOT_PACMAN} -S grub2-efi-x86_64

# you can be surprisingly sloppy with the root value you give grub2 as a kernel option and
# even omit the cryptdevice altogether, though it will wag a finger at you for using
# a deprecated syntax, so we're using the correct form here
# NOTE: take out i915.modeset=1 unless you are on intel graphics
SetValue GRUB_CMDLINE_LINUX '\\"cryptdevice=/dev/sda3:root cryptkey=/dev/sda1:vfat:/root.gpg add_efi_memmap i915.i915_enable_rc6=1 i915.i915_enable_fbc=1 i915.lvds_downclock=1 pcie_aspm=force quiet\\"' /etc/default/grub

# set output to graphical
SetValue GRUB_TERMINAL_OUTPUT gfxterm /etc/default/grub
SetValue GRUB_GFXMODE 960x600x32,auto /etc/default/grub
SetValue GRUB_GFXPAYLOAD_LINUX keep /etc/default/grub # comment out this value if text only mode

# install the actual grub2. Note that despite our --boot-directory option we will still need to move
# the grub directory to /boot/grub during grub-mkconfig operations until grub2 gets patched (see below)
grub_efi_x86_64-install --bootloader-id=grub --no-floppy --recheck

# create our EFI boot entry
# bug in the HP bios firmware (F.08)

efibootmgr --create --gpt --disk /dev/sda --part 1 --write-signature --label "ARCH LINUX" --loader "\\\\grub\\\\grub.efi"

# copy font for grub2
cp /usr/share/grub/unicode.pf2 /boot/grub

# generate config file
grub-mkconfig -o /boot/grub/grub.cfg




exit
EFI_EOF

# ------------------------------------------------------------------------
# Install EFI using script inside chroot
# ------------------------------------------------------------------------
chroot ${INSTALL_TARGET} /install_efi
rm ${INSTALL_TARGET}/install_efi


# ------------------------------------------------------------------------
# Post install steps
# ------------------------------------------------------------------------
# anything you want to do post install. run the script automatically or
# manually

touch ${INSTALL_TARGET}/post_install
chmod a+x ${INSTALL_TARGET}/post_install
cat > ${INSTALL_TARGET}/post_install <<POST_EOF
set -o errexit
set -o nounset

# functions (these could be a library, but why overcomplicate things
# ------------------------------------------------------------------------
SetValue () { VALUENAME="\$1" NEWVALUE="\$2" FILEPATH="\$3"; sed -i "s+^#\?\(\${VALUENAME}\)=.*\$+\1=\${NEWVALUE}+" "\${FILEPATH}"; }
CommentOutValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^\(\${VALUENAME}.*\)\$/#\1/" "\${FILEPATH}"; }
UncommentValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^#\(\${VALUENAME}.*\)\$/\1/" "\${FILEPATH}"; }

# root password
# ------------------------------------------------------------------------
echo -e "${HR}\\nNew root user password\\n${HR}"
passwd

# add user
# ------------------------------------------------------------------------
echo -e "${HR}\\nNew non-root user password (username:${USERNAME})\\n${HR}"
groupadd sudo
useradd -m -g users -G audio,lp,optical,storage,video,games,power,scanner,network,sudo,wheel -s /bin/bash ${USERNAME}
passwd ${USERNAME}

# mirror ranking
# ------------------------------------------------------------------------
echo -e "${HR}\\nRanking Mirrors (this will take a while)\\n${HR}"
cp /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.orig
mv /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.all
sed -i "s/#S/S/" /etc/pacman.d/mirrorlist.all
rankmirrors -n 5 /etc/pacman.d/mirrorlist.all > /etc/pacman.d/mirrorlist

# temporary fix for locale.sh update conflict
# ------------------------------------------------------------------------
mv /etc/profile.d/locale.sh /etc/profile.d/locale.sh.preupdate || true

# yaourt repo (add to target pacman, not tmp pacman.conf, for ongoing use)
# ------------------------------------------------------------------------
echo -e "\\n[archlinuxfr]\\nServer = http://repo.archlinux.fr/\\\$arch" >> /etc/pacman.conf
echo -e "\\n[haskell]\\nServer = http://www.kiwilight.com/\\\$repo/\\\$arch" >> /etc/pacman.conf

# additional groups and utilities
# ------------------------------------------------------------------------
pacman --noconfirm -Syu
pacman --noconfirm -S base-devel
pacman --noconfirm -S yaourt

# sudo
# ------------------------------------------------------------------------
pacman --noconfirm -S sudo
cp /etc/sudoers /tmp/sudoers.edit
sed -i "s/#\s*\(%wheel\s*ALL=(ALL)\s*ALL.*$\)/\1/" /tmp/sudoers.edit
sed -i "s/#\s*\(%sudo\s*ALL=(ALL)\s*ALL.*$\)/\1/" /tmp/sudoers.edit
visudo -qcsf /tmp/sudoers.edit && cat /tmp/sudoers.edit > /etc/sudoers 

# power
# ------------------------------------------------------------------------
pacman --noconfirm -S acpi acpid acpitool cpufrequtils
yaourt --noconfirm -S powertop2
sed -i "/^DAEMONS/ s/)/ @acpid)/" /etc/rc.conf
sed -i "/^MODULES/ s/)/ acpi-cpufreq cpufreq_ondemand cpufreq_powersave coretemp)/" /etc/rc.conf
# following requires my acpi handler script
echo "/etc/acpi/handler.sh boot" > /etc/rc.local

# time
# ------------------------------------------------------------------------
pacman --noconfirm -S ntp
sed -i "/^DAEMONS/ s/hwclock /!hwclock @ntpd /" /etc/rc.conf

# wireless (wpa supplicant should already be installed)
# ------------------------------------------------------------------------
pacman --noconfirm -S iw wpa_supplicant rfkill
pacman --noconfirm -S netcfg wpa_actiond ifplugd
mv /etc/wpa_supplicant.conf /etc/wpa_supplicant.conf.orig
echo -e "ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=network\nupdate_config=1" > /etc/wpa_supplicant.conf
# make sure to copy /etc/network.d/examples/wireless-wpa-config to /etc/network.d/home and edit
sed -i "/^DAEMONS/ s/)/ @net-auto-wireless @net-auto-wired)/" /etc/rc.conf
sed -i "/^DAEMONS/ s/ network / /" /etc/rc.conf
echo -e "\nWIRELESS_INTERFACE=wlan0" >> /etc/rc.conf
echo -e "WIRED_INTERFACE=eth0" >> /etc/rc.conf
echo "options iwlagn led_mode=2" > /etc/modprobe.d/iwlagn.conf

# sound
# ------------------------------------------------------------------------
pacman --noconfirm -S alsa-utils alsa-plugins
sed -i "/^DAEMONS/ s/)/ @alsa)/" /etc/rc.conf
mv /etc/asound.conf /etc/asound.conf.orig || true
#if alsamixer isn't working, try alsamixer -Dhw and speaker-test -Dhw -c 2

# video
# ------------------------------------------------------------------------
pacman --noconfirm -S base-devel mesa mesa-demos

# x
# ------------------------------------------------------------------------
#pacman --noconfirm -S xorg xorg-xinit xorg-utils xorg-server-utils xdotool xorg-xlsfonts
#yaourt --noconfirm -S xf86-input-wacom-git # NOT NEEDED? input-wacom-git
#TODO: cut down the install size
#pacman --noconfirm -S xorg-server xorg-xinit xorg-utils xorg-server-utils

# TODO: wacom

# environment/wm/etc.
# ------------------------------------------------------------------------
#pacman --noconfirm -S xfce4 compiz ccsm

#pacman --noconfirm -S xcompmgr
#yaourt --noconfirm -S physlock unclutter
#pacman --noconfirm -S rxvt-unicode urxvt-url-select hsetroot
#pacman --noconfirm -S gtk2 #gtk3 # for taffybar?

#pacman --noconfirm -S ghc

# note: try installing alex and happy from cabal instead
#pacman --noconfirm -S haskell-platform haskell-hscolour
#yaourt --noconfirm -S xmonad-darcs xmonad-contrib-darcs xcompmgr
#yaourt --noconfirm -S xmobar-git
# TODO: edit xfce to use compiz
# TODO: xmonad, but deal with video tearing
# TODO: xmonad-darcs fails to install from AUR. haskell dependency hell.
# 	switching to cabal

# fonts
# ------------------------------------------------------------------------
pacman --noconfirm -S terminus-font
yaourt --noconfirm -S webcore-fonts
yaourt --noconfirm -S fontforge libspiro
yaourt --noconfirm -S freetype2-git-infinality
# TODO: sed infinality and change to OSX or OSX2 mode
#	and create the sym link from /etc/fonts/conf.avail to conf.d

# misc apps
# ------------------------------------------------------------------------
#pacman --noconfirm -S htop openssh keychain bash-completion git vim
#pacman --noconfirm -S chromium flashplugin
#pacman --noconfirm -S scrot mypaint bc
#yaourt --noconfirm -S task-git stellarium googlecl
# TODO: argyll

POST_EOF

# ------------------------------------------------------------------------
# Post install in chroot
# ------------------------------------------------------------------------
#echo "chroot and run /post_install"
chroot /install /post_install
rm /install/post_install

# copy grub.efi file to the default HP EFI boot manager path
mkdir -p ${INSTALL_TARGET}/boot/EFI/Microsoft/BOOT/
mkdir -p ${INSTALL_TARGET}/boot/EFI/BOOT/
cp ${INSTALL_TARGET}/boot/grub/grub.efi ${INSTALL_TARGET}/boot/EFI/Microsoft/BOOT/bootmgfw.efi
cp ${INSTALL_TARGET}/boot/grub/grub.efi ${INSTALL_TARGET}/boot/EFI/BOOT/BOOTX64.EFI
cp /root/root.gpg ${INSTALL_TARGET}/boot/

# ------------------------------------------------------------------------
# NOTES/TODO
# ------------------------------------------------------------------------

Offline

#16 2012-12-19 16:02:43

olaf.the.lost.viking
Member
Registered: 2011-07-19
Posts: 21

Re: System encryption using LUKS and GPG encrypted keys for arch linux

Since the last update of the initcpio scripts (December 2012), this install hook won't work any longer. You need to add

add_runscript

to the install() function. Simply append this line underneath add_binary. Otherwise the ssldec hook is not copied to your ramdisk and your system becomes unbootable.

HTH

PS: Thank you to fabrice for providing the script!

Last edited by olaf.the.lost.viking (2012-12-19 16:03:50)


I switched to OlafLostViking to match the IRC alias.

Offline

#17 2012-12-19 18:17:24

fabriceb
Member
Registered: 2011-05-13
Posts: 33

Re: System encryption using LUKS and GPG encrypted keys for arch linux

Thank you olaf. I ran into the same problem and my system didn't boot. I updated the original post.

olaf.the.lost.viking wrote:

Since the last update of the initcpio scripts (December 2012), this install hook won't work any longer. You need to add

add_runscript

to the install() function. Simply append this line underneath add_binary. Otherwise the ssldec hook is not copied to your ramdisk and your system becomes unbootable.

HTH

PS: Thank you to fabrice for providing the script!

Last edited by fabriceb (2012-12-19 18:17:42)

Offline

#18 2012-12-29 08:37:23

hunterthomson
Member
Registered: 2008-06-22
Posts: 794
Website

Re: System encryption using LUKS and GPG encrypted keys for arch linux

maxim_ wrote:

This is openssl implemetation compatible with 'encrypt' hook. Maybe it will be useful for somebody. :) Copy this files to your root. Run "mkinitcpio -H ssldec" for help. Put 'ssldec' hook in your "/etc/mkinitcpio.conf" before 'encrypt' and after 'usb'. You can customize strings in 'ssldec' for your personal taste. :)

There is no reason to put the `sleep 2` or poweroff the computer after 3 failed decryption attempts.

An attacker is not going to use this script to bruteforce the password. So, you may as well not bother the user with a `sleep` or poweroff after a # of failed attempts.


OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec

Offline

#19 2012-12-29 10:06:17

hunterthomson
Member
Registered: 2008-06-22
Posts: 794
Website

Re: System encryption using LUKS and GPG encrypted keys for arch linux

See my modification of the 'ssldec' hook here

https://bbs.archlinux.org/viewtopic.php?id=155393

Last edited by hunterthomson (2012-12-30 09:31:56)


OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec

Offline

#20 2012-12-29 12:09:44

hunterthomson
Member
Registered: 2008-06-22
Posts: 794
Website

Re: System encryption using LUKS and GPG encrypted keys for arch linux

See my modification here

https://bbs.archlinux.org/viewtopic.php?id=155393

Last edited by hunterthomson (2012-12-30 09:31:16)


OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec

Offline

#21 2013-01-08 16:33:58

bsdard
Member
From: Surrey, UK
Registered: 2011-01-22
Posts: 15

Re: System encryption using LUKS and GPG encrypted keys for arch linux

The hooks will be discontinued later along with the initscripts. Is there any way to move that to systemd? I am currently struggling getting the systemd to ask for a gpg password during the boot time. Any ideas?

I found this, but it does not work for me sad
http://blog.kdecherf.com/2012/11/06/mou … g-systemd/

Last edited by bsdard (2013-01-08 16:35:31)

Offline

#22 2013-01-08 17:25:08

fabriceb
Member
Registered: 2011-05-13
Posts: 33

Re: System encryption using LUKS and GPG encrypted keys for arch linux

On gentoo, I started using dracut. It's very nice and has a crypt-gpg module.

Offline

#23 2013-01-08 18:22:07

olaf.the.lost.viking
Member
Registered: 2011-07-19
Posts: 21

Re: System encryption using LUKS and GPG encrypted keys for arch linux

bsdard wrote:

The hooks will be discontinued later along with the initscripts. Is there any way to move that to systemd?

Does this mean that systemd is planned to be used even in an initrd? How will it transfer control to a systemd installed on the encrypted computer?


I switched to OlafLostViking to match the IRC alias.

Offline

#24 2013-01-08 22:34:17

falconindy
Developer
From: New York, USA
Registered: 2009-10-22
Posts: 4,111
Website

Re: System encryption using LUKS and GPG encrypted keys for arch linux

There's currently no schedule for putting systemd in early userspace let alone deprecating the current /init and hooks...

Not sure why people think otherwise.

Last edited by falconindy (2013-01-09 00:36:18)

Offline

#25 2013-01-09 10:08:12

bsdard
Member
From: Surrey, UK
Registered: 2011-01-22
Posts: 15

Re: System encryption using LUKS and GPG encrypted keys for arch linux

I was mistaken then. Thanks for confirming.

Offline

Board footer

Powered by FluxBB