Full disk encryption
- Posts: 56
- Joined: Wed Dec 20, 2017 10:41 am
Re: Full disk encryption
and yes, it is the LVM/LUKS combo, I cannot remember the order.
Re: Full disk encryption
Boot from a live medium and gain root at the terminal.
You need to create 2 partitions: a first partition for boot of approximately 512MB and a second with the rest of the disk.
Format the boot partition with ext2 and leave the second partition unformatted.
Looks like this:
Code:
root@mx1:/home/demo# fdisk -l
Disk /dev/sda: 119.2 GiB, 128035675648 bytes, 250069679 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x7b703775
Device Boot Start End Sectors Size Id Type
/dev/sda1 2048 1050623 1048576 512M 83 Linux
/dev/sda2 1050624 250068991 249018368 118.8G 83 Linux
Code:
root@mx1:/home/demo# dd if=/dev/urandom of=/dev/sda2 bs=4k status=progress
You need to install lvm2:
Code:
root@mx1:/home/demo# apt-get install lvm2
Code:
root@mx1:/home/demo# cryptsetup luksFormat /dev/sda2
WARNING!
========
This will overwrite data on /dev/sda2 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
Mount crypt disk:
Code:
root@mx1:/home/demo# cryptsetup luksOpen /dev/sda2 sda2_crypt
Enter passphrase for /dev/sda2:
Code:
root@mx1:/home/demo# ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 236 Jun 19 05:43 control
lrwxrwxrwx 1 root root 7 Jun 19 06:13 sda2_crypt -> ../dm-0
Code:
root@mx1:/home/demo# pvcreate /dev/mapper/sda2_crypt
Physical volume "/dev/mapper/sda2_crypt" successfully created.
Code:
root@mx1:/home/demo# vgcreate diskLVM /dev/mapper/sda2_crypt
Volume group "diskLVM" successfully created
Code:
root@mx1:/home/demo# lvcreate -n root -L 15G diskLVM -Z n
WARNING: Logical volume diskLVM/root not zeroed.
Logical volume "root" created.
root@mx1:/home/demo# lvcreate -n swap -L 5g diskLVM -Z n
WARNING: Logical volume diskLVM/swap not zeroed.
Logical volume "swap" created.
root@mx1:/home/demo# lvcreate -n home -l 100%FREE diskLVM -Z n
WARNING: Logical volume diskLVM/home not zeroed.
Logical volume "home" created.
Code:
root@mx1:/home/demo# lvdisplay
--- Logical volume ---
LV Path /dev/diskLVM/root
LV Name root
VG Name diskLVM
LV UUID 30kSyu-0yN2-thzx-URY3-GyAf-x7Eg-7LgICf
LV Write Access read/write
LV Creation host, time mx1, 2018-06-19 06:37:54 -0400
LV Status available
# open 0
LV Size 15.00 GiB
Current LE 3840
Segments 1
Allocation inherit
Read ahead sectors auto
- currently set to 256
Block device 254:1
--- Logical volume ---
LV Path /dev/diskLVM/swap
LV Name swap
VG Name diskLVM
LV UUID QXCWmj-xYQ6-M0eE-Pt89-ujMg-mI4k-s5wHjU
LV Write Access read/write
LV Creation host, time mx1, 2018-06-19 06:39:17 -0400
LV Status available
# open 0
LV Size 5.00 GiB
Current LE 1280
Segments 1
Allocation inherit
Read ahead sectors auto
- currently set to 256
Block device 254:2
--- Logical volume ---
LV Path /dev/diskLVM/home
LV Name home
VG Name diskLVM
LV UUID OvMVTo-EkIg-FNmb-H81Z-q1mD-qp6g-Sctie7
LV Write Access read/write
LV Creation host, time mx1, 2018-06-19 06:40:51 -0400
LV Status available
# open 0
LV Size 98.74 GiB
Current LE 25277
Segments 1
Allocation inherit
Read ahead sectors auto
- currently set to 256
Block device 254:3
Code:
root@mx1:/home/demo# ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 236 Jun 19 05:43 control
lrwxrwxrwx 1 root root 7 Jun 19 06:40 diskLVM-home -> ../dm-3
lrwxrwxrwx 1 root root 7 Jun 19 06:37 diskLVM-root -> ../dm-1
lrwxrwxrwx 1 root root 7 Jun 19 06:44 diskLVM-swap -> ../dm-2
lrwxrwxrwx 1 root root 7 Jun 19 06:40 sda2_crypt -> ../dm-0
dd if=/dev/urandom of=/dev/mapper/diskLVM-... bs=4k
If it is a new disk, don't waste your time.
Format and activate your swap volume:
Code:
root@mx1:/home/demo# mkswap /dev/mapper/diskLVM-swap
Setting up swapspace version 1, size = 5 GiB (5368705024 bytes)
no label, UUID=fe655c35-f51b-434e-b793-3ac00475f2ec
root@mx1:/home/demo# swapon /dev/mapper/diskLVM-swap
Code:
root@mx1:/home/demo# mkfs -t ext4 /dev/mapper/diskLVM-root
mke2fs 1.43.4 (31-Jan-2017)
Creating filesystem with 3932160 4k blocks and 983040 inodes
Filesystem UUID: eff44206-ffab-4cca-b78a-b8c1954307dc
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208
Allocating group tables: done
Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done
root@mx1:/home/demo# mkfs -t ext4 /dev/mapper/diskLVM-home
mke2fs 1.43.4 (31-Jan-2017)
Creating filesystem with 25883648 4k blocks and 6471680 inodes
Filesystem UUID: 443a74f0-8b04-437d-a7b5-1d27a55ac46b
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000, 7962624, 11239424, 20480000, 23887872
Allocating group tables: done
Writing inode tables: done
Creating journal (131072 blocks): done
Writing superblocks and filesystem accounting information: done
Code:
root@mx1:/home/demo# mount /dev/mapper/diskLVM-root /mnt
Code:
root@mx1:/home/demo# mkdir /mnt/boot /mnt/home
Code:
root@mx1:/home/demo# mount /dev/sda1 /mnt/boot/
root@mx1:/home/demo# mount /dev/mapper/diskLVM-home /mnt/home/
Code:
root@mx1:/home/demo# cp -a /live/aufs/* /mnt/
Code:
root@mx1:/home/demo# ls -l /dev/disk/by-uuid/
total 0
lrwxrwxrwx 1 root root 9 Jun 19 06:06 2017-05-05-08-16-50-00 -> ../../sdb
lrwxrwxrwx 1 root root 10 Jun 19 06:06 23cd3220-553c-49af-ac5a-91e88ec8abed -> ../../sda1
lrwxrwxrwx 1 root root 10 Jun 19 06:47 443a74f0-8b04-437d-a7b5-1d27a55ac46b -> ../../dm-3
lrwxrwxrwx 1 root root 10 Jun 19 06:06 8D6C-E184 -> ../../sdb1
lrwxrwxrwx 1 root root 10 Jun 19 06:13 bd662f4e-01d4-4ac4-82fb-b68c1e5a20f7 -> ../../sda2
lrwxrwxrwx 1 root root 10 Jun 19 06:47 eff44206-ffab-4cca-b78a-b8c1954307dc -> ../../dm-1
lrwxrwxrwx 1 root root 10 Jun 19 06:44 fe655c35-f51b-434e-b793-3ac00475f2ec -> ../../dm-2
Code:
# /etc/fstab: static file system information
#
# Created by make-fstab on Tue Jun 19 05:43:39 EDT 2018
# <file system> <mount point> <type> <options> <dump/$
# My root LVM
/dev/mapper/diskLVM-root / ext4 errors=remount-ro 0 1
# My UUID /boot device, which should point to /dev/sda1
UUID=23cd3220-553c-49af-ac5a-91e88ec8abed /boot ext2 defaults 0 2
# My swap volume
/dev/mapper/diskLVM-swap none swap sw 0 0
# My home volume
/dev/mapper/diskLVM-home /home ext4 defaults 0 2
Code:
# <target name> <source device> <key file> <options>
sda2_crypt UUID=bd662f4e-01d4-4ac4-82fb-b68c1e5a20f7 none luks,discard
Copy your current resolv.conf if different (not in my case):
Code:
root@mx1:/home/demo# cp /etc/resolv.conf /mnt/etc
cp: '/etc/resolv.conf' and '/mnt/etc/resolv.conf' are the same file
Code:
root@mx1:/home/demo# mount -o bind /run /mnt/run/
root@mx1:/home/demo# mount -o bind /dev /mnt/dev
root@mx1:/home/demo# mount -o bind /sys /mnt/sys
root@mx1:/home/demo# mount -t proc /proc /mnt/proc
Code:
root@mx1:/home/demo# cp /proc/mounts /mnt/etc/mtab
cp: '/proc/mounts' and '/mnt/etc/mtab' are the same file
Code:
root@mx1:/home/demo# chroot /mnt /bin/bash
Code:
root@mx1:/# grub-install /dev/sda
Installing for i386-pc platform.
Installation finished. No error reported.
Also need to change some special settings for me:
Code:
root@mx1:/# dpkg-reconfigure keyboard-configuration
root@mx1:/# dpkg-reconfigure console-setup
root@mx1:/# dpkg-reconfigure locales
root@mx1:/# dpkg-reconfigure tzdata
Code:
root@mx1:/# update-initramfs -u
update-initramfs: Generating /boot/initrd.img-4.15.0-1-amd64
Code:
root@mx1:/# update-grub
Generating grub configuration file ...
using custom appearance settings
Found background image: .background_cache.png
Found linux image: /boot/vmlinuz-4.15.0-1-amd64
Found initrd image: /boot/initrd.img-4.15.0-1-amd64
Found memtest86+ image: /memtest86+.bin
Found memtest86+ multiboot image: /memtest86+_multiboot.bin
Code:
root@mx1:/# grub-install /dev/sda
Installing for i386-pc platform.
Installation finished. No error reported.
Code:
root@mx1:/# deluser --remove-home demo
Looking for files to backup/remove ...
Removing files ...
Removing user `demo' ...
Warning: group `demo' has no more members.
Done.
Code:
root@mx1:/# adduser c4os
Adding user `c4os' ...
Adding new group `c4os' (1000) ...
Adding new user `c4os' (1000) with group `c4os' ...
Creating home directory `/home/c4os' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for c4os
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] y
Adding new user `c4os' to extra groups ...
Adding user `c4os' to group `dialout' ...
Adding user `c4os' to group `dip' ...
adduser: The group `fuse' does not exist.
Adding user `c4os' to group `cdrom' ...
Adding user `c4os' to group `audio' ...
Adding user `c4os' to group `video' ...
Adding user `c4os' to group `plugdev' ...
Adding user `c4os' to group `users' ...
Adding user `c4os' to group `floppy' ...
Adding user `c4os' to group `netdev' ...
Adding user `c4os' to group `scanner' ...
Adding user `c4os' to group `lp' ...
Adding user `c4os' to group `lpadmin' ...
Adding user `c4os' to group `sudo' ...
Adding user `c4os' to group `vboxsf' ...
Code:
root@mx1:/# passwd -l root
Exit the chroot with CTRL+D.
Unmount all mounts:
Code:
root@mx1:/home/demo# umount /mnt/proc
root@mx1:/home/demo# umount /mnt/sys
root@mx1:/home/demo# umount /mnt/run
root@mx1:/home/demo# umount /mnt/dev
root@mx1:/home/demo# umount /mnt/home
root@mx1:/home/demo# umount /mnt/boot
root@mx1:/home/demo# umount /mnt
Issues:
Message at boot
Code:
WARNING : Failed to connect to lvmetad. Falling back to device scanning
To get rid of this message, disable lvmetad in /etc/lvm/lvm.conf
use_lvmetad=0
Update the initramfs for the current kernel your system uses:
update-initramfs -k $(uname -r) -u; sync
Code:
$ sudo update-initramfs -u
update-initramfs: Generating /boot/initrd.img-4.15.0-1-amd64
I: The initramfs will attempt to resume from /dev/dm-2
I: (UUID=fe655c35-f51b-434e-b793-3ac00475f2ec)
I: Set the RESUME variable to override this.
Additionally, don't know where to set the RESUME variable!
Maybe this depends on the message at shutdown:
Code:
Stopping remaining crypto disks ... sda2_crypt (busy) ... failed
Have a nice weekend and happy testing my friends!
Hardware: Dell Latitude E4300 - CPU: Intel Core 2 Duo P9600 (2) @ 2.535GHz - Memory: 4GB
Style: Resolution: 1280x800 - WM Theme: Balou - Theme: Blackbird [GTK2/3] - Icons: Papirus-Dark [GTK2]
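As an added check for the layout the post above builds (example code written for this page, not from the thread, MX or cryptsetup), the script below reads crypttab, fstab and /dev/disk/by-uuid relative to a root directory and confirms three things: that the crypttab UUID is the raw partition (sda2) and not a mapped volume from inside the LVM, that / lives on a device-mapper volume while /boot stays on a plain partition, and that a RESUME target, if one is set, also lives inside the container. For the RESUME variable the post asks about it reads Debian's initramfs-tools location, /etc/initramfs-tools/conf.d/resume; the function names and the constructed fixture (which reuses the UUIDs shown in the post) are this example's own.

```shell
#!/bin/sh
# Added example: sanity-check a LUKS-on-partition + LVM-inside-LUKS layout.
# Every path is taken relative to the root directory passed as $1, so the same
# functions run against a chrooted target (e.g. /mnt) or against the
# constructed fixture built by build_fixture below.

# Print the UUID of the first LUKS entry in crypttab (empty if none).
crypttab_uuid() {
    awk '$1 !~ /^#/ && $2 ~ /^UUID=/ && $4 ~ /luks/ { sub(/^UUID=/, "", $2); print $2; exit }' \
        "$1/etc/crypttab"
}

# Print the kernel device name (sda2, dm-1, ...) a by-uuid symlink resolves to.
uuid_target() {
    link="$1/dev/disk/by-uuid/$2"
    [ -L "$link" ] || return 1
    basename "$(readlink "$link")"
}

# Print the source field of the fstab line mounted at $2 (empty if none).
fstab_source() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $1; exit }' "$1/etc/fstab"
}

# Return 0 and print "layout ok" when the layout is coherent; otherwise print
# what is wrong and return 1.
check_layout() {
    root=$1
    uuid=$(crypttab_uuid "$root")
    [ -n "$uuid" ] || { echo "no luks entry in crypttab"; return 1; }
    dev=$(uuid_target "$root" "$uuid") || { echo "crypttab UUID $uuid has no by-uuid link"; return 1; }
    case "$dev" in
        dm-*) echo "crypttab UUID $uuid resolves to $dev, a mapped volume; use the raw partition's UUID"; return 1 ;;
    esac
    # / must be inside the container; /boot must stay a plain partition for GRUB.
    case "$(fstab_source "$root" /)" in
        /dev/mapper/*) ;;
        *) echo "root filesystem is not on a device-mapper volume inside the container"; return 1 ;;
    esac
    case "$(fstab_source "$root" /boot)" in
        /dev/mapper/*|"") echo "/boot must be a separate, unencrypted partition"; return 1 ;;
    esac
    # Debian's initramfs-tools reads RESUME from this file (assumed location).
    conf="$root/etc/initramfs-tools/conf.d/resume"
    if [ -f "$conf" ]; then
        ruuid=$(sed -n 's/^RESUME=UUID=//p' "$conf")
        case "$(uuid_target "$root" "$ruuid" 2>/dev/null)" in
            dm-*) ;;
            *) echo "RESUME target $ruuid is not a volume inside the container"; return 1 ;;
        esac
    fi
    echo "layout ok"
}

# Constructed fixture mirroring the post: sda2 holds LUKS, dm-1/dm-2 are LVs.
build_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/initramfs-tools/conf.d" "$d/dev/disk/by-uuid"
    printf 'sda2_crypt UUID=bd662f4e-01d4-4ac4-82fb-b68c1e5a20f7 none luks,discard\n' > "$d/etc/crypttab"
    cat > "$d/etc/fstab" <<'EOF'
/dev/mapper/diskLVM-root / ext4 errors=remount-ro 0 1
UUID=23cd3220-553c-49af-ac5a-91e88ec8abed /boot ext2 defaults 0 2
/dev/mapper/diskLVM-swap none swap sw 0 0
/dev/mapper/diskLVM-home /home ext4 defaults 0 2
EOF
    printf 'RESUME=UUID=fe655c35-f51b-434e-b793-3ac00475f2ec\n' > "$d/etc/initramfs-tools/conf.d/resume"
    ln -s ../../sda2 "$d/dev/disk/by-uuid/bd662f4e-01d4-4ac4-82fb-b68c1e5a20f7"
    ln -s ../../sda1 "$d/dev/disk/by-uuid/23cd3220-553c-49af-ac5a-91e88ec8abed"
    ln -s ../../dm-2 "$d/dev/disk/by-uuid/fe655c35-f51b-434e-b793-3ac00475f2ec"
    echo "$d"
}

# Stand-alone run: the fixture passes, then the common mistake (the root
# filesystem's UUID from inside the LVM written into crypttab) is caught.
if [ "${1:-}" = "--demo" ]; then
    fx=$(build_fixture)
    check_layout "$fx"
    ln -s ../../dm-1 "$fx/dev/disk/by-uuid/eff44206-ffab-4cca-b78a-b8c1954307dc"
    printf 'sda2_crypt UUID=eff44206-ffab-4cca-b78a-b8c1954307dc none luks\n' > "$fx/etc/crypttab"
    check_layout "$fx" || echo "(expected failure)"
    rm -rf "$fx"
fi
```

Run it with --demo to see both the passing fixture and the caught mistake; on a real install, call check_layout /mnt from the live system while the target is still mounted, before unmounting. Writing RESUME=UUID=<swap UUID> (or RESUME=none) into /etc/initramfs-tools/conf.d/resume and re-running update-initramfs is what silences the "Set the RESUME variable to override this" notice quoted above.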
Re: Full disk encryption
c4os wrote: ↑Wed Jun 20, 2018 4:21 am
This manual is for an empty disk, but it also works behind a Windows installation, if Windows has only 3 partitions created.
Normally Windows uses a boot, a system and a recovery disk, which are primary disks. In this case the fourth should be an extended partition, which includes boot and the rest of the LVM partitions.
But we speak about an empty disk and this is only for information.
Also the number of partitions inside the LVM is not limited. You can create as many as you want. In my manual I created only root, home and swap.
...
As mentioned before, if you have a new laptop and want to keep your Windows, the partitions should be:
/dev/sda1 windows system
/dev/sda2 windows recovery
/dev/sda3 windows boot
/dev/sda4 extended partition
/dev/sda5 /boot
/dev/sda6 unformatted for LUKS
The only problem could be if your manufacturer adds an additional Windows partition for diagnostics.
Hardware: Dell Latitude E4300 - CPU: Intel Core 2 Duo P9600 (2) @ 2.535GHz - Memory: 4GB
Style: Resolution: 1280x800 - WM Theme: Balou - Theme: Blackbird [GTK2/3] - Icons: Papirus-Dark [GTK2]
Re: Full disk encryption
c4os wrote: ↑Fri Jun 22, 2018 3:55 am
Message at boot
Code:
WARNING : Failed to connect to lvmetad. Falling back to device scanning
To get rid of this message, disable lvmetad in /etc/lvm/lvm.conf
use_lvmetad=0
This message is displayed, whether running Debian stable or Debian testing.
On my second test installation I didn't have this error!
Disabling "use_lvmetad" brings me an error:
Code:
root@mx1:/# update-grub
Generating grub configuration file ...
using custom appearance settings
Found background image: .background_cache.png
WARNING: Not using lvmetad because config setting use_lvmetad=0.
WARNING: To avoid corruption, rescan devices to make changes visible (pvscan --cache).
WARNING: Not using lvmetad because config setting use_lvmetad=0.
WARNING: To avoid corruption, rescan devices to make changes visible (pvscan --cache).
Found linux image: /boot/vmlinuz-4.15.0-1-amd64
Found initrd image: /boot/initrd.img-4.15.0-1-amd64
WARNING: Not using lvmetad because config setting use_lvmetad=0.
WARNING: To avoid corruption, rescan devices to make changes visible (pvscan --cache).
WARNING: Not using lvmetad because config setting use_lvmetad=0.
WARNING: To avoid corruption, rescan devices to make changes visible (pvscan --cache).
Found memtest86+ image: /memtest86+.bin
Found memtest86+ multiboot image: /memtest86+_multiboot.bin
WARNING: Not using lvmetad because config setting use_lvmetad=0.
WARNING: To avoid corruption, rescan devices to make changes visible (pvscan --cache).
Found Windows 10 on /dev/sda1
done
And this error still exists:
Code:
Stopping remaining crypto disks ... sda2_crypt (busy) ... failed
Hardware: Dell Latitude E4300 - CPU: Intel Core 2 Duo P9600 (2) @ 2.535GHz - Memory: 4GB
Style: Resolution: 1280x800 - WM Theme: Balou - Theme: Blackbird [GTK2/3] - Icons: Papirus-Dark [GTK2]
Re: Full disk encryption
Is the path /live/aufs/ the same as what the installer uses? I found the configured lvm dir after my lvm setup.
If you have something to check or test, please let me know.
For the last issue:
Code:
Stopping remaining crypto disks ... sda2_crypt (busy) ... failed
MX line 669:
Code:
    elif [ "$opencount" != "0" ]; then
        device_msg "$dst" "busy"
        if [ "$INITSTATE" = "early" ] || [ "$INITSTATE" = "manual" ]; then
            return 1
        elif [ "$INITSTATE" = "remaining" ]; then
            return 2
        fi
        return 0
Code:
    elif [ "$opencount" != "0" ]; then
        device_msg "$dst" "busy"
        if [ "$INITSTATE" = "early" ] || [ "$INITSTATE" = "manual" ]; then
            return 1
        fi
        return 0
Code:
# Removes all mappings in crypttab
do_stop () {
    local dst src key opts opencount major minor
    dmsetup mknodes
    log_action_begin_msg "Stopping $INITSTATE crypto disks"
    egrep -v "^[[:space:]]*(#|$)" "$TABFILE" | while read dst src key opts; do
        for i in 1 2 4 8 16 32; do
            handle_crypttab_line_stop "$dst" "$src" "$key" "$opts" <&3 && break || ret=$?
            if [ $ret -eq 1 ] || [ $ret -eq 2 -a $i -gt 16 ]; then
                log_action_end_msg $ret
                break
            fi
            log_action_cont_msg "$dst busy..."
            sleep $i
        done 3<&1
    done
    log_action_end_msg 0
}
Code:
do_stop () {
    local dst src key opts opencount major minor
    dmsetup mknodes
    log_action_begin_msg "Stopping $INITSTATE crypto disks"
    egrep -v "^[[:space:]]*(#|$)" "$TABFILE" | while read dst src key opts; do
        handle_crypttab_line_stop "$dst" "$src" "$key" "$opts" <&3 || log_action_end_msg $?
    done 3<&1
    log_action_end_msg 0
}
This needs to be fixed, because such an error does not look good on a system installation!
Which installation method does the MX-Installer use?
Does it stream the /live/aufs or /live/linux content directly to the formatted disk?
And what are the partition commands?
Sorry, but I'm not so familiar with cpp programming.
Hardware: Dell Latitude E4300 - CPU: Intel Core 2 Duo P9600 (2) @ 2.535GHz - Memory: 4GB
Style: Resolution: 1280x800 - WM Theme: Balou - Theme: Blackbird [GTK2/3] - Icons: Papirus-Dark [GTK2]
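To make the shutdown behaviour of the quoted do_stop() loop concrete, here is an added model of it (example code for this page, not from cryptsetup or MX). The cryptsetup helper is replaced by a stand-in, fake_stop_line, whose open count is passed in as an argument, and sleep is replaced by a counter, so the loop runs offline. For INITSTATE=remaining and a mapping whose open count never drops, which is the situation of the root mapping sda2_crypt while / is still mounted, it shows that the original loop retries with 1+2+4+8+16 = 31 seconds of sleeping before giving up with status 2, which is the "busy ... failed" line seen at shutdown; the early and manual states give up at once with status 1. The function names are this example's own.

```shell
#!/bin/sh
# Added example: a model of the retry loop in the do_stop() quoted above.
# fake_stop_line stands in for handle_crypttab_line_stop; its return codes
# follow the "busy" branch shown at MX line 669 (1 for early/manual, 2 for
# remaining, 0 otherwise), and the open count is supplied by the caller.

# $1 = mapping name, $2 = INITSTATE, $3 = open count of the mapping
fake_stop_line() {
    dst=$1; state=$2; opencount=$3
    if [ "$opencount" = "0" ]; then
        return 0                  # nothing holds the mapping: it can be closed
    fi
    echo "$dst busy (open count $opencount)" >&2
    if [ "$state" = "early" ] || [ "$state" = "manual" ]; then
        return 1
    elif [ "$state" = "remaining" ]; then
        return 2
    fi
    return 0
}

# Same control flow as the quoted loop, with sleep replaced by an accumulator.
# Prints "<final status> <seconds that would have been slept>".
# $1 = mapping name, $2 = INITSTATE, $3 = open count that stays constant
stop_with_backoff() {
    dst=$1; state=$2; opencount=$3
    waited=0
    status=0
    for i in 1 2 4 8 16 32; do
        fake_stop_line "$dst" "$state" "$opencount" && { status=0; break; } || ret=$?
        # the original test is [ $ret -eq 1 ] || [ $ret -eq 2 -a $i -gt 16 ]
        if [ "$ret" -eq 1 ] || { [ "$ret" -eq 2 ] && [ "$i" -gt 16 ]; }; then
            status=$ret
            break
        fi
        waited=$((waited + i))   # stands in for: sleep $i
    done
    echo "$status $waited"
}

# Stand-alone run: the root mapping stays open (count 1) in every init state.
if [ "${1:-}" = "--demo" ]; then
    for st in early manual remaining; do
        echo "$st: $(stop_with_backoff sda2_crypt "$st" 1)"
    done
fi
```

Run it with --demo: early and manual print "1 0", remaining prints "2 31". The proposed replacement loop later in the same post drops the for loop, so the remaining state would report the busy mapping once and move on without the 31-second wait; either way the root mapping cannot be closed while / is mounted, and the message reports that rather than a failure to flush data.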
Re: Full disk encryption
Code:
QString cmd = QString("/bin/cp -a /live/aufs/bin /live/aufs/boot /live/aufs/dev");
cmd.append(" /live/aufs/etc /live/aufs/lib /live/aufs/lib64 /live/aufs/media /live/aufs/mnt");
cmd.append(" /live/aufs/opt /live/aufs/root /live/aufs/sbin /live/aufs/selinux /live/aufs/usr");
cmd.append(" /live/aufs/var /live/aufs/home /mnt/antiX");
Re: Full disk encryption
Why copy all these folders and not "/bin/cp -a /live/aufs /mnt/antiX"?
Doesn't matter, the main thing is it works.
I have a couple of questions. How do you calculate the swap space, or do you create a swap file?
Can you send me the correct GitHub link for the installer? I found mx-test-installer and mx-installer.
Can you recommend a good code reader/editor?
About the issues, changing /lib/cryptsetup/cryptdisks.functions makes no sense, because it will be overwritten on updates.
I saw the installed version is 1.7.3. The current version is 2.0.3.
https://gitlab.com/cryptsetup/cryptsetup
Maybe we have to update to fix the "remaining" warning.
Hardware: Dell Latitude E4300 - CPU: Intel Core 2 Duo P9600 (2) @ 2.535GHz - Memory: 4GB
Style: Resolution: 1280x800 - WM Theme: Balou - Theme: Blackbird [GTK2/3] - Icons: Papirus-Dark [GTK2]
- dolphin_oracle
- Developer
- Posts: 20012
- Joined: Sun Dec 16, 2007 1:17 pm
Re: Full disk encryption
lenovo ThinkPad X1 Extreme Gen 4 - MX-23
FYI: mx "test" repo is not the same thing as debian testing repo.
Re: Full disk encryption
Hardware: Dell Latitude E4300 - CPU: Intel Core 2 Duo P9600 (2) @ 2.535GHz - Memory: 4GB
Style: Resolution: 1280x800 - WM Theme: Balou - Theme: Blackbird [GTK2/3] - Icons: Papirus-Dark [GTK2]