Differences

This shows you the differences between two versions of the page.

--- computing:encryption [2018/10/16 21:14] – oemb1905
+++ computing:encryption [2024/01/29 18:01] – oemb1905
@@ Line 1: / Line 1: @@
 -------------------------------------------
   * **encryption**
@@ Line 8: / Line 7: @@
 -------------------------------------------
-Boot into the ncurses installer, when prompted to set up disks for partitioning, select Manual.  Scroll down to the free space you left for the OS you desire to install.  Press return and select it, create new partition, select 1.01GB for its size, specify for it to be used as /boot, and finally finish changes to partition.  Use the remaining free space for the root of the file system.  Select the remaining space, create new partition with desired space amount (using the remaining is fine), then select use as Logical Volume Management, select finish changes.  When back at the overview screen, select Configure Logical Volume Management from the options above, then Create Logical Volume group with name debgroup, then create logical volume called root, say yes to remaining dialogues.  When back at the overview screen, you should now see an LV group for root.  Select configure encrypted volumes from the options above, select the LVM group and volume you created above.  Put in your passphrase for your encrypted volume, specify the file system, then select that it should be mounted at root ("/").  You should now be done, select finish and install.
+Creating a encrypted partition for your workstation using cryptsetup.
+  sudo apt-get install cryptsetup libpam-mount
+  cryptsetup luksFormat /dev/sdaX
+  cryptsetup luksOpen /dev/sdaX vault
+  mkfs.xfs -L vault /dev/mapper/vault
+To manually mount the vault, you can perform:
+  mkdir /mnt/vault
+  mount /dev/mapper/vault /mnt/vault
+After you reboot, the crypt will no longer be open, so you will need to open it first before mounting
+  cryptsetup luksOpen /dev/sdaX vault
+  mount /dev/mapper/vault /mnt/vault
+Okay, so if mounting manually proves to be too tedious, here is how you can mount at boot.  First, create a keyfile that you can use to unlock the crypt (only store this on an encrypted drive):
+  sudo dd if=/dev/urandom of=/etc/lukskeys/vaultkey bs=512 count=8
+Add the keyfile to the crypt so that it can be used to open the crypt:
+  sudo cryptsetup -v luksAddKey /dev/sdb1 /etc/lukskeys/vaultkey
+Now, we need to get the partition's block identifier, to use in crypttab and fstab because it is more reliable than the name.  Do this as follows:
+  sudo cryptsetup luksDump /dev/sdb1 | grep "UUID"
+Open crypttab up, and add the example below, adjusting as necessary.
+  sudo nano /etc/crypttab
+  <sdb1_crypt UUID=7b8975bg-5902-733c-a7b8-fbeb18945c85 /etc/lukskeys/vaultkey luks>
+Now that crypttab is setup, this means you you can open the crypt as follows:
+  sudo cryptdisks_start sdb1_crypt
+But, since this only opens it and does not mount it, you will need to add an entry to fstab similar to the one provided below:
+  sudo nano /etc/fstab
+  </dev/mapper/sdb1_crypt /media/vault     xfs    defaults      0     2>
+Alternately, you may want to let pam_mount manage the crypt mounting and/or map the crypt to your home partition. If you do this, make sure the crypt password matches your user login password.
+  rsync -av /home /backup
+  umount /home/
+  cryptsetup luksFormat /dev/sdaX
+  cryptsetup luksOpen /dev/sdaX home
+  mkfs.xfs -L home /dev/mapper/home
+  mount /dev/mapper/home /home/
+  rsync -av /backup/home/ /home
+  sudo nano /etc/security/pam_mount.conf.xml
+  <volume user="username" fstype="crypt" path="/dev/disk/by-uuid/21sdsd" mountpoint="/home" options="noatime,exec,fsck,nodev,nosuid"/>
+Remove the error "HXproc_run_async: pmvarrun: No such file or directory" by declaring /usr/sbin path for regular users.
+  sudo nano /etc/security/pam_mount.conf.xml
+  <pmvarrun>/usr/sbin/pmvarrun -u %(USER)</pmvarrun>
+ --- //[[jonathan@haacksnetworking.org|oemb1905]] 2024/01/29 17:55//

Haack's Wiki

User Tools

Site Tools

Differences

Page Tools