]]>]]>#LUKS on a partition
#LUKS on a partition with TPM2 and Secure Boot
#LVM on LUKS
#LUKS on LVM
#LUKS on software RAID
#Plain dm-crypt
#Encrypted boot partition (GRUB)
#Root on ZFS
I read a little about OpeBSD, there is no such complex boot system as in LInux, I mean:
The bootloader finds and starts the kernel, and the kernel starts the operating system, attaches device drivers to the hardware, and performs other operating system configurations. Finally, the kernel runs init(8), which starts various processes and includes user programs, network interfaces, daemons, etc.
For example, openbsd does not have a /boot partition, like Linux, and there is no initramfs. The kernel is located only in the root partition.
]]>Don't use Luks1 it is not safe, use Luks2+argon2id today!
Since version 2.4.0 (released August 18, 2021), cryptsetup uses Argon2id by default. You can read why in detail in this article.
https://mjg59.dreamwidth.org/66429.html
Insert your USB from Hyperbola Media Live into your PC. Turn on your PC and press ESC until the menu appears,
press the number corresponding to your USB with Hyperbola Media Live, then you will be taken to Hyperbola Media Live
Enlarge the text to make it easier to see)
root@hyperiso # cd /usr/share/consolefonts
root@hyperiso # setfonts sun12X22.psfu.gzNow the font size is normal, you can move on))
# lsblkuse dd for erase data
# dd if=/dev/urandom of=/dev/sdb bs=1M status=progressCreate partitions
cfdisk /dev/sdb
/dev/sdb -> The rest of the disk (LVM) # To be encrypted
now we have sdb1 # lsblk (check)Connect internet,
# ip -c a
# rc-service dcpcd start
# ip link set enp0s35 up
# dhcpd enp0s35
Let's set up encryption
# pacman -Syy cryptsetup
# rc-update add lvm boot
# rc-update add dmcrypt boot
# modprobe dm-modConfiguring LUKS (luks2)
# cryptsetup --cipher aes-xts-plain64 --hash sha512 --iter-time 5000 --key-size 512 --pbkdf argon2id
--use-urandom --verify-passphrase luksFormat --type luks2 /dev/sdb2
Unlock the LUKS partition
# cryptsetup open /dev/sdb1 lvmCreate a physical volume on top of the opened LUKS container
# pvcreate /dev/mapper/lvm# pvs (check) Create the volume group, adding the physical volume to it
# vgcreate matrix /dev/mapper/lvm# vgs (check) Create logical volumes on the volume group (the size of the volumes are meant as examples)
# lvcreate -L 10G -n root matrix
# lvcreate -l 100%FREE -n home matrixFormat the filesystems on each logical volume
# mkfs.ext4 /dev/mapper/matrix-root
# mkfs.ext4 /dev/mapper/matrix-homeMount the filesystems
# mount /dev/mapper/matrix-root /mnt
# mkdir /mnt/home
# mount /dev/mapper/matrix-home /mnt/homePrepare the boot partition:
Insert USB into PC. (for me it's sdd)
use dd for erase data
# dd if=/dev/urandom of=/dev/sdd bs=1M status=progress
# mkfs.ext2 /dev/sdd
# mkdir /mnt/boot
# mount /dev/sdd /mnt/boot# lsblk (check)Select installation mirror by editing the mirrorlist
# nano /etc/pacman.d/mirrorlistInstall the base system using pacstrap
# pacstrap /mntGenerate a fstab file
# genfstab -U -p /mnt >> /mnt/etc/fstab
# cat /mnt/etc/fstab (check)Enter the new system
# arch-chroot /mntor
# arch-chroot /mnt /bin/bashConfigure /etc/mkinitcpio.conf for encryption and LVM
# nano /etc/mkinitcpio.conf
MODULES=i915
HOOKS="base udev autodetect modconf block keyboard keymap consolefont encrypt lvm2 filesystems fsck shutdown" Update Kernel
# mkinitcpio -p linux-libre-lts==>ERROR Hook 'encrypt'...
==>WARNING missing isci..
OK,
# pacman -S cryptsetup
# pacman -S core/isci-lts-firmware
# mkinitcpio -p linux-libre-lts Set the hostname
# echo "hyperbola" > /etc/hostname# nano /etc/hosts
127.0.0.1 localhost.localdomain localhost hyperbola
::1 localhost.localdomain localhost hyperbolaSet password for root
# passwd
****************************
****************************Install and configure GRUB
# pacman -S grub Install GRUB on the USB drive:
# grub-install /dev/sdd --forceI received this warning:
grub-install: warning: File system `ext2' doesn't support embedding.
grub-install: warning: Embedding is not possible. GRUB can only be installed in this setup by using blocklists. However, blocklists are UNRELIABLE and their use is discouraged..
The Internet answers us)))) https://superuser.com/questions/936889/ … and-prompt
You are getting the warning because you are installing grub to a partition instead of the MBR. This means grub can not be embedded in the unused space between the MBR and the first partition. Instead it has to have the list of blocks that /boot/grub/core.img resides in placed into the MBR. This setup is subject to being broken by things like defrag and so is not recommended, hence the warning. Since it is only a warning, you can ignore it.
If you know a better solution on this issue, please post here.
All files are in place))))
# cd /bootGenerate grub.cfg
# grub-mkconfig -o /boot/grub/grub.cfg# nano /boot/grub/grub.cfg
You will find these two lines in the configuration file
linux /vmlinuz-linux-libre-lts root=/dev/mapper/matrix-root rw quiet
This is what they should look like after correction:
linux /vmlinuz-linux-libre-lts root=/dev/mapper/matrix-root cryptdevice=/dev/sdb1:matrix rw quietSave.
Add a user
# useradd -m -g users -G wheel -s /bin/bash jim
# passwd jimUnmount all partition and reboot
# exit
# umount -R /mnt
# lvchange -an /dev/matrix/root
# lvchange -an /dev/matrix/home
# cryptsetup close lvm
# openrc-shutdown -p now
or
# poweroffInsert your USB with GRUB. Turn on your PC, press ESC, you will see a menu in which you need to select “Payload [grub2]” click on this number!
Next, select “Search for GRUB configuration on external media [s]” and press enter.
You will see Hyperbola GNU/Linex-libre, Liux-libre-lts kernel, press enter and your system will boot.
You can remove your USB from GRUB. After re-enabling, your GRUB will be on the flash drive.
After this, you will be asked to enter your password for the encrypted volume!
cat /proc/cmdline (check)Use T400, it is freer than T440P))
]]>