computing:encryption [2018/10/16 21:14] oemb1905
computing:encryption [2024/01/29 18:20] (current) oemb1905
Line 1: Line 1:
- 
 ------------------------------------------- -------------------------------------------
   * **encryption**    * **encryption** 
Line 8: Line 7:
 ------------------------------------------- -------------------------------------------
  
-Boot into the ncurses installer, when prompted to set up disks for partitioning, select Manual.  Scroll down to the free space you left for the OS you desire to install.  Press return and select itcreate new partitionselect 1.01GB for its sizespecify for it to be used as /bootand finally finish changes to partition.  Use the remaining free space for the root of the file system.  Select the remaining space, create new partition with desired space amount (using the remaining is fine), then select use as Logical Volume Management, select finish changes.  When back at the overview screenselect Configure Logical Volume Management from the options abovethen Create Logical Volume group with name debgroup, then create logical volume called rootsay yes to remaining dialogues.  When back at the overview screenyou should now see an LV group for root.  Select configure encrypted volumes from the options aboveselect the LVM group and volume you created above.  Put in your passphrase for your encrypted volumespecify the file system, then select that it should be mounted at root ("/").  You should now be done, select finish and install  +To use pam_mount to mount a LUKS crypt and map it to your home partition. Note: make sure the crypt password matches your user login password. 
 + 
 +  sudo apt-get install cryptsetup libpam-mount rsync 
 +  rsync -av /home /backup 
 +  umount /home/ 
 +  cryptsetup luksFormat /dev/sdaX 
 +  cryptsetup luksOpen /dev/sdaX home 
 +  mkfs.xfs -L home /dev/mapper/home 
 +  mount /dev/mapper/home /home/ 
 +  rsync -av /backup/home/ /home 
 +  sudo nano /etc/security/pam_mount.conf.xml 
 +  <volume user="username" fstype="crypt" path="/dev/disk/by-uuid/21sdsd" mountpoint="/home" options="noatime,exec,fsck,nodev,nosuid"/> 
 +   
 +To use pam_mount to mount a LUKS crypt to a non-home directory partition, then adjust as follows: 
 + 
 +  cryptsetup luksFormat /dev/sdaX 
 +  cryptsetup luksOpen /dev/sdaX vault 
 +  mkfs.xfs -L vault /dev/mapper/vault 
 +  mkdir /mnt/vault 
 +  mount /dev/mapper/vault /mnt/vault 
 +  sudo nano /etc/security/pam_mount.conf.xml 
 +  <volume user="username" fstype="crypt" path="/dev/disk/by-uuid/21sdsd" mountpoint="/mnt/vault" options="noatime,exec,fsck,nodev,nosuid"/> 
 +   
 +You may optionally mount the LUKS crypt manually as well. To do so, create a mount pointand then map the LUKS partion to your mount point. 
 +   
 +  mkdir /mnt/vault 
 +  mount /dev/mapper/vault /mnt/vault 
 + 
 +After you reboot, the crypt will no longer be openbut your mount point will still be thereso you just need to open the LUKS crypt and then map the LUKS partition to your mount point again as follows: 
 + 
 +  cryptsetup luksOpen /dev/sdaX vault 
 +  mount /dev/mapper/vault /mnt/vault  
 + 
 +Users might also to prefer to use crypttab and fstab to handle the mounting and mapping. To do solet's create a keyfile in a secure location that you can use to unlock the crypt. 
 + 
 +  sudo dd if=/dev/urandom of=/path/to/secure/location/vaultkey bs=512 count=8 
 + 
 +Add the keyfile to the LUKS crypt so that it can be used to open the crypt: 
 + 
 +  sudo cryptsetup -v luksAddKey /dev/sdaX /path/to/secure/location/vaultkey 
 +   
 +After adding the key to the cryptlet'now grab the UUID of the crypt. 
 + 
 +  sudo cryptsetup luksDump /dev/sdaX | grep "UUID" 
 +   
 +Now that we have the UUID of the cryptwe can add a reliable crypttab entry for the crypt. 
 +   
 +  sudo nano /etc/crypttab 
 +  <sdaX_crypt UUID=7b8975bg-5902-733c-a7b8-fbeb18945c85 /etc/lukskeys/vaultkey luks> 
 +   
 +Now that crypttab is setup, this means you you can open the crypt as follows. 
 + 
 +  sudo cryptdisks_start sdaX_crypt 
 +   
 +If you want, however, the crypt to mount on its own, then add an entry to fstab as well. 
 + 
 +  sudo nano /etc/fstab 
 +  </dev/mapper/sdaX_crypt /media/vault     xfs    defaults      0     2> 
 +   
 +Okay, your LUKS crypt should now be open and mapped to your mount point at bootSince Debian 12, there's an error that states "HXproc_run_async: pmvarrun: No such file or directory." This is caused by regular users' shell not having /usr/sbin in their path. To fix this, add the following to your config:
  
 +  sudo nano /etc/security/pam_mount.conf.xml
 +  <pmvarrun>/usr/sbin/pmvarrun -u %(USER)</pmvarrun>
  
 + --- //[[jonathan@haacksnetworking.org|oemb1905]] 2024/01/29 18:01//
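Review bot: the crypttab line `<sdaX_crypt UUID=... /etc/lukskeys/vaultkey luks>` points at /etc/lukskeys/vaultkey, but the keyfile is created and enrolled under /path/to/secure/location/vaultkey in the `dd` and `luksAddKey` commands; use one path in all three places. The `dd` also leaves the keyfile root-owned but world-readable under the default umask (0644), so follow it with `sudo chmod 0400` on the file and keep the directory root-only, otherwise any local user can read the key that opens the crypt. The sample UUID `7b8975bg-5902-...` contains a `g`, which `luksDump` never prints, so mark it as a placeholder the way `21sdsd` is. The manual steps mount at /mnt/vault while the fstab entry mounts /dev/mapper/sdaX_crypt at /media/vault; pick one mountpoint so the crypttab/fstab path and the pam_mount path agree. Several commands (`umount`, `cryptsetup`, `mkfs.xfs`, `mount`) lack the `sudo` used elsewhere; either prefix all of them or state that the block runs as root. Lastly, pam_mount's shipped pmvarrun line also passes `-o %(OPERATION)`, which the replacement `<pmvarrun>/usr/sbin/pmvarrun -u %(USER)</pmvarrun>` drops; verify that the login counter still decrements on logout (and the volume is unmounted) before keeping that form.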
computing/encryption.1539724445.txt.gz · Last modified: 2018/11/25 01:33 (external edit)