
Kategorie: dm-crypt

♥ installing Arch Linux ♥

I want to make a guideline for installing  Arch Linux. 

unicorn arch linux install

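Boot Arch Linux from a USB stick. How to create one you will find out,
I’m sure, but at least (check with lsblk that /dev/sdb really is the stick, because dd overwrites the target without asking):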
dd bs=1M if=Downloads/archlinux-2014.12.01-dual.iso of=/dev/sdb

erase & create partition table, connect to internet

Easy to use is the commandline partition tool cfdisk.

 

# fdisk -l
Device Boot Start End Sectors Size Id Type
/dev/sda1 * 2048 393215 391168 191M 83 Linux
/dev/sda2 393216 117210239 116817024 55,7G 83 Linux

If you have a german keyboard type:
# loadkeys de-latin1-nodeadkeys.map.gz
Establish WiFi-connection if you don’t have wired access to the Internet:
# wifi-menu
or
# ifconfig
and
dhcpcd your ethdev
check
# ping ccc.de
nice!

encrypt everything except boot

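XTS splits the key into two halves, so -s 512 below gives AES with a 256 bit keylength; use 1024 for a 512bit key (note: AES has no 512-bit key size, so 512 is the largest value that works with aes-xts). Also note that the "plain" IV is a 32-bit sector counter; for devices larger than 2 TiB use aes-xts-plain64 instead.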
modprobe dm-crypt (to be sure)
# cryptsetup -c aes-xts-plain -y -s 512 luksFormat /dev/sda2 (follow YES & pass)
# cryptsetup luksOpen /dev/sda2 archluks

create lvm partitions

# pvcreate /dev/mapper/archluks
# vgcreate archvg /dev/mapper/archluks
# lvcreate -L 8GB -n swap archvg (not for ssd install)
# lvcreate -l 100%FREE -n root archvg

Now we need a filesystem on them:


# mkfs.ext4 -L boot /dev/sda1
# mkfs.ext4 -L root /dev/mapper/archvg-root
# mkswap -L swap /dev/mapper/archvg-swap (not for ssd install)

mount and install

Mount the volumes into the running livesystem:

# mount /dev/mapper/archvg-root /mnt
# mkdir /mnt/boot
# mount /dev/sda1 /mnt/boot

Install the base and base-devel packets to /mnt (Internet-connection required):

# pacstrap /mnt base base-devel joe openssh net-tools wpa_supplicant dialog
# pacstrap /mnt grub-bios

Generate fstab:
# swapon -L swap
# genfstab -p -U /mnt > /mnt/etc/fstab

my ssd fstab:

cat fstab
# /dev/mapper/archvg-root
 UUID=5fd17e1d-6346-43bc-900d-6e6f56b9d40c / ext4
 defaults,discard,noatime,nodiratime,lazytime,commit=600 0 1
# /dev/sda1
 UUID=a9550250-be66-4544-8d42-8b97fedcd7f7 /boot ext4
 defaults,discard,noatime,nodiratime,lazytime,commit=600 0 2

ramfs /tmp tmpfs defaults,relatime,nodev,nosuid,mode=1777 0 0
 tmpfs /var/tmp tmpfs defaults,relatime,nodev,nosuid,mode=0754,size=5% 0 0
 tmpfs /var/log tmpfs defaults,relatime,nodev,nosuid,mode=0754,size=1% 0 0
 tmpfs /var/log/httpd tmpfs defaults,relatime,nodev,nosuid,mode=0754,size=1%
 0 0

chroot and configure

# arch-chroot /mnt

delete the # in front of your language of choice (e.g. de_DE.UTF-8 UTF-8) in locale.gen and generate the locale:

# joe /etc/locale.gen

remove the hash (#) from your language

de_DE.UTF-8 UTF-8
de_DE ISO-8859-1
de_DE@euro ISO-8859-15

then:
# locale-gen
# echo LANG=de_DE.UTF-8 > /etc/locale.conf
# echo LC_COLLATE=C >> /etc/locale.conf
# echo LC_TIME=de_DE.UTF-8 >> /etc/locale.conf
# export LANG=de_DE.UTF-8

Generate /etc/vconsole.conf with the following 3 lines to bind your keys correctly:

# echo KEYMAP=de-latin1 >> /etc/vconsole.conf
# echo FONT=Lat2-Terminus16 >> /etc/vconsole.conf
# echo FONT_MAP=8859-1_to_uni >> /etc/vconsole.conf

Create a symbolic link /etc/localtime to your zone file /usr/share/zoneinfo/<Zone>/<SubZone>:
# ln -s /usr/share/zoneinfo/Europe/Berlin /etc/localtime

Define your hostname:
# echo myhostname > /etc/hostname

 

Edit /etc/mkinitcpio.conf:

Put "keyboard", "keymap", "encrypt" and "lvm2" before "filesystems" in the HOOKS array
# mkinitcpio -p linux

Now install GRUB (part 2), on a device not a partition or a volume:
# grub-install /dev/sda

In /etc/default/grub edit the line GRUB_CMDLINE_LINUX="" to GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:archvg" (use plain ASCII double quotes in the file) then run:

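My SSD config: GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:archvg:allow-discards elevator=noop vga=791 splash" (allow-discards passes TRIM through the encrypted mapping, so someone with access to the raw disk can see which blocks are unused)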

# grub-mkconfig -o /boot/grub/grub.cfg
# systemctl enable dhcpcd.service

set your root password:
# passwd

add youruser

# useradd -m -G wheel -s /bin/bash youruser
# passwd youruser

uncomment in /etc/sudoers (edit it with visudo, which checks the syntax before saving)
#  %wheel ALL=(ALL) ALL

[deprecated]
type 'pacman -Suy cronie'; here is my fstrim cronjob for ssd

[root@munin etc]# cat /etc/cron.hourly/trimfs.sh 
#!/bin/sh
# SSD trim job, shown in the guide as /etc/cron.hourly/trimfs.sh.
# Runs fstrim on /, /home and /boot in that order and appends the verbose
# report of each run to its own log file under /var/log.
# Only stdout is appended; fstrim's error messages stay on stderr.
# NOTE(review): on the dm-crypt root of this guide, trim presumably only
# reaches the SSD when discards are allowed through the mapping
# (allow-discards on the kernel command line) - confirm on your system.
for entry in /:root /home:home /boot:boot; do
  # Each entry is "<mount point>:<log file suffix>".
  mountpoint=${entry%%:*}
  logname=${entry##*:}
  /usr/bin/fstrim -v "$mountpoint" 1>> "/var/log/trim.${logname}"
done

 

Exit the chroot:
# exit
Unmount:
# umount /mnt/boot
# umount /mnt

reboot

♥ installing Arch Linux raid1 ♥

unicorn arch linux install

I want to make a guideline for installing Arch Linux with a raid1 and two sata discs.

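Clean devices (the shell does not expand the [a,b] pattern to the two disks inside of=, so run dd once per disk, with of=/dev/sda and then of=/dev/sdb):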

# dd if=/dev/urandom of=/dev/sd[a,b]

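Boot Arch Linux from a USB stick. How to create one you will find out,
I’m sure, but at least (check with lsblk that /dev/sdb really is the stick, because dd overwrites the target without asking):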
dd bs=4M if=Downloads/archlinux-2015.5.01-dual.iso of=/dev/sdb

create partition table, connect to internet

Easy to use is the commandline partition tool cfdisk.

# fdisk -l

Festplatte /dev/sda: 153,4 GiB, 164696555520 Bytes, 321672960 Sektoren
Einheiten: Sektoren von 1 * 512 = 512 Bytes
Sektorgröße (logisch/physikalisch): 512 Bytes / 512 Bytes
E/A-Größe (minimal/optimal): 512 Bytes / 512 Bytes
Festplattenbezeichnungstyp: dos
Festplattenbezeichner: 0x1f66ae0c

Gerät Boot Anfang Ende Sektoren Größe Kn Typ
/dev/sda1 * 2048 393215 391168 191M 83 Linux
/dev/sda2 393216 321672959 321279744 153,2G fd Linux raid autodetect

Device Start End Sectors Size Type
/dev/sda1 2048 294911 292864 143M Linux RAID
/dev/sda2 294912 1953525134 1953230223 931.4G Linux RAID

# sfdisk -d /dev/sda > part-table
# sfdisk /dev/sdb < part-table

If you have a german keyboard type:

# loadkeys de-latin1-nodeadkeys.map.gz

Establish WiFi-connection if you don’t have wired access to the Internet:

call wifi-menu, or  ifconfig and dhcpcd your ethdev
check with „ping ccc.de“

to set up the raid arrays, load the modules

# modprobe raid1 && modprobe dm-mod

and

# mdadm --create /dev/md0 --level=1 --raid-devices=2 --metadata=0.90 /dev/sd[ab]1
# mdadm --create /dev/md1 --level=1 --raid-devices=2 /dev/sd[ab]2
check the sync status with
 # watch -n1 cat /proc/mdstat
and
 # mdadm --misc --detail /dev/md[01] | less

press q to quit

encrypt everything except boot

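XTS splits the key into two halves, so -s 512 below gives AES with a 256 bit keylength; use 1024 for a 512bit key (note: AES has no 512-bit key size, so 512 is the largest value that works with aes-xts). Also note that the "plain" IV is a 32-bit sector counter; for devices larger than 2 TiB use aes-xts-plain64 instead.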

# modprobe dm-crypt
# cryptsetup -c aes-xts-plain -y -s 512 luksFormat /dev/md1
# cryptsetup luksOpen /dev/md1 duoluks

create lvm partitions

# pvcreate /dev/mapper/duoluks
# vgcreate duovg /dev/mapper/duoluks
# lvcreate -L 200GB -n root duovg
# lvcreate -L 12GB -n swap duovg
# lvcreate -l 100%FREE -n home duovg

Now we need a filesystem on them:

# mkfs.ext4 -L boot /dev/md0
# mkfs.ext4 -L root /dev/mapper/duovg-root
# mkfs.ext4 -L home /dev/mapper/duovg-home
# mkswap -L swap /dev/mapper/duovg-swap

mount and install

Mount the volumes into the running livesystem:

# mount /dev/mapper/duovg-root /mnt
# mkdir /mnt/boot
# mount /dev/md0 /mnt/boot

Install the base and base-devel packets to /mnt (Internet-connection required):

# pacstrap /mnt base base-devel joe openssh net-tools
# pacstrap /mnt grub-bios

Generate fstab:

# swapon -L swap
# genfstab -p -U /mnt > /mnt/etc/fstab

After successfully setting up the drives, install the base packages and then, once that is complete, switch TTYs and update your Raid configuration prior to configuring your system. This means that when your initrd is regenerated, it will include the correct Raid information:

mdadm --examine --scan > /mnt/etc/mdadm.conf

chroot and configure

# arch-chroot /mnt

delete the # in front of your language of choice
(e.g. de_DE.UTF-8 UTF-8) in locale.gen and generate the locale:

# joe /etc/locale.gen

remove the hash (#) from your language

de_DE.UTF-8 UTF-8
de_DE ISO-8859-1
de_DE@euro ISO-8859-15 

then:

# locale-gen
# echo LANG=de_DE.UTF-8 > /etc/locale.conf
# echo LC_COLLATE=C >> /etc/locale.conf
# echo LC_TIME=de_DE.UTF-8 >> /etc/locale.conf
# export LANG=de_DE.UTF-8

Generate /etc/vconsole.conf with the following 3 lines to bind your keys correctly:

# echo KEYMAP=de-latin1 >> /etc/vconsole.conf
# echo FONT=Lat2-Terminus16 >> /etc/vconsole.conf
# echo FONT_MAP=8859-1_to_uni >> /etc/vconsole.conf

Create a symbolic link /etc/localtime to your zone file /usr/share/zoneinfo/<Zone>/<SubZone>:

# ln -s /usr/share/zoneinfo/Europe/Berlin /etc/localtime

Define your hostname:

# echo myhostname > /etc/hostname

Edit /etc/mkinitcpio.conf: Put "keyboard", "keymap", "encrypt" and "lvm2" before "filesystems" in the HOOKS array. HOOKS="base udev mdadm autodetect modconf block keymap encrypt lvm2 filesystems keyboard fsck"

# mkinitcpio -p linux

Now install GRUB (part 2), on a device not a partition or a volume:

grub-install --target=i386-pc --recheck --debug /dev/sda

In /etc/default/grub edit the line GRUB_CMDLINE_LINUX="" to GRUB_CMDLINE_LINUX="cryptdevice=/dev/md1:duovg" (use plain ASCII double quotes in the file) then run:
# grub-mkconfig -o /boot/grub/grub.cfg

make sure to have

# (0) Arch
title Arch Linux
root (hd0,0)
kernel /vmlinuz26 root=/dev/mapper/duovg-root
cryptdevice=/dev/md1:duovg ro
initrd /kernel26.img

# (1) Arch Fallback
title Arch Linux Fallback
root (hd0,0)
kernel /vmlinuz26 root=/dev/mapper/duovg-root
cryptdevice=/dev/md1:duovg ro
initrd /kernel26-fallback.img

# systemctl enable dhcpcd.service

set your root password:
# passwd
Exit the chroot:
# exit

Unmount:

# umount /mnt/boot
# umount /mnt/home
# umount /mnt