1 Topic by jim (edited by jim 2024-02-01 09:00:10)

  • jim
  • Guest

Topic: Install Full disk encryption (including /boot ) on Virtual Machine

Hi all . I decided to check how installing an encrypted disk and the /boot partition works

to a virtual machine (qemu)

Below you will see my results, I did not write in detail about each command, sorry if it is poorly written, I was just testing))

This example uses luksFormat --type luks1 /dev/sdb1 . Don't use Luks1 it is not safe, use Luks2+argon2id today!
Since version 2.4.0 (released August 18, 2021), cryptsetup uses Argon2id by default. You can read why in detail in this article.
https://mjg59.dreamwidth.org/66429.html


If you see errors or better solutions, better command , write here.

I checked, everything works!

It is assumed that the user is not currently using HyperbolaGNU
as a main computer.


Download the necessary programs, an iso image https://wiki.hyperbola.info/doku.php?id … redirect=1  and install the virtual machine.


$ sudo apt install qemu qemu-kvm  qemu-system-x86_64


$ qemu-img create -f qcow2  hyperbola.qcow2  15G


$ qemu-system-x86_64 -hda hyperbola.qcow2 -boot d -cdrom hyperbola-milky-way-v0.4.3-dual.iso -m 2048 -smp 2 -enable-kvm -nic user,hostfwd=tcp::10037-:4571

We have booted the virtual machine with HyperbolaGNU now let's increase the font (optional)

# сd /usr/share/kbd/consolefonts


# setfont sun12*22.psfu.gz   enter

Let's enable ssh on the local machine (PC)


$ sudo service ssh start

  (systemD)

or

$ sudo rc-service ssh start

( OpenRC)

Check the firewall on your local machine to see if it is blocking ssh, etc.

$ sudo  ufw status numbered

Let's create a password on the virtual machine (Hyperbola Live Media)

# passwd root

Let's enable ssh on the virtual machine (Hyperbola Live Media)

# rc-service sshd start

Change port 22 to 4571 (example) 

# nano  /etc/ssh/sshd_config 

# nano  /etc/ssh/ssh_config

Restart SSH on virtual machine (Hyperbola Live Media)

# rc-service sshd restart

Check port 

# netstat -tulpena

Create normal user on  Hyperbola Live Media and password

# useradd  test

# passwd   test

Connect from your local machine to the virtual machine (Hyperbola Live Media ) via ssh  

$ ssh test@localhost  -p 10037

check 

# whoami 

# uname -a 

# lsblk

sda                      8:0    0    15G  0 disk

Now you can copy and paste the commands from this instruction into your terminal)

use dd for erase data

# dd if=/dev/urandom  of=/dev/sda bs=1M status=progress

(171.235 s)

# cfdisk /dev/sda  ( select dos > primary etc)

Now you have sda1 partition

# ip -c a

# dhclient your adapter (ens2 example)

# ping -c 3 gnu.org 

# pacman -Syy cryptsetup

# rc-update add lvm boot

# rc-update add dmcrypt boot 

# modprobe dm-mod

# cryptsetup -v --cipher serpent-xts-plain64 --key-size 512 --hash whirlpool --iter-time 500 --use-random --verify-passphrase luksFormat --type luks1 /dev/sda1

Check next time ))

cryptsetup --cipher aes-xts-plain64 --hash sha512 --iter-time 5000 --key-size 512 --pbkdf argon2id
                                --use-urandom --verify-passphrase luksFormat --type luks2 /dev/sda


Notice: name disk -sda1 ,not sda !
type luks1 not luks2 !

WARNING!
========
This will overwrite data on /dev/sda1 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/sda1:
Verify passphrase:
Key slot 0 created.
Command successful.

Check

# lsblk -f
# cryptsetup open /dev/sda1  lvm

# pvcreate /dev/mapper/lvm

# pvs
  PV              VG Fmt  Attr PSize   PFree
  /dev/mapper/lvm    lvm2 ---  <15.00g <15.00g

# vgcreate matrix /dev/mapper/lvm

# vgs
  VG     #PV #LV #SN Attr   VSize   VFree
  matrix   1   0   0 wz--n- <15.00g <15.00g
  
# lvcreate -l +100%FREE  matrix -n rootvol

# lvs
  LV      VG     Attr       LSize   Pool Origin Data%  Meta%  Move Log Cpy%Sync Convert
  rootvol matrix -wi-a----- <15.00g

# mkfs.ext4 /dev/mapper/matrix-rootvol

# lsblk -f(check)
 
# mount  /dev/matrix/rootvol  /mnt

Create the  /boot  and   /home directories

# mkdir -p /mnt/home
# mkdir -p /mnt/boot

Install the base system

# pacstrap  /mnt

Generate an Fstab

# genfstab -U -p /mnt >> /mnt/etc/fstab
# cat /mnt/etc/fstab  (check)

Chroot

# arch-chroot  /mnt

Setting up clock...

Setting up time zone..

Setting up the consolefont ...

Setting up Kernel Modules

# nano /etc/mkinitcpio.conf 

MODULES=i915  (I wrote without quotes)

HOOKS="base udev autodetect modconf block keyboard keymap consolefont encrypt lvm2 filesystems fsck shutdown"

Update Kernel

# mkinitcpio -p linux-libre-lts

==>ERROR Hook 'encrypt'...
==>WARNING missing isci..

OK,

# pacman -S cryptsetup 
# pacman -S core/isci-lts-firmware
# mkinitcpio -p linux-libre-lts

Setting up hostname 

# echo " hyperbola" > /etc/hostname 

# nano /etc/hosts

127.0.0.1        localhost.localdomain     localhost   hyperbola
::1              localhost.localdomain     localhost   hyperbola

Set the root password

#passwd

****************************
****************************

Installing Grub

# pacman -S grub
# nano /etc/default/grub


GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda1:lvm"
# grub-install /dev/sda

Installing for i386-pc platform.
Installation finished. No error reported.
# grub-mkconfig -o /boot/grub/grub.cfg

Generating grub configuration file ...
Found linux image: /boot/vmlinuz-linux-libre-lts
Found initrd image: /boot/initramfs-linux-libre-lts.img
Found fallback initramfs image: /boot/initramfs-linux-libre-lts-fallback.img
done
# exit
# umount -R /mnt

# lvchange -an /dev/matrix/rootvol

# cryptsetup close lvm

# openrc-shutdown -p now

Start your new HyperbolaGNU. 

$ qemu-system-x86_64 -hda hyperbola.qcow2 -m 2048 -smp 2 -enable-kvm

exit the virtual machine ctrl+alt +g


Below are screenshots of my virtual machine after installation. You will need to enter your password twice.

Try it and write how it turned out for you.


https://lufi.ethibox.fr/r/00U2Xyh4rJ#Zw … Z/gIxPt5k=

https://lufi.ethibox.fr/r/LHDMCM6xbc#Yp … 1hpE31Pxw=

https://lufi.ethibox.fr/r/ZsUZQPZNm1#3V … +ox4FX5Jg=

https://lufi.ethibox.fr/r/S8cnJcJeoU#8z … lcxZTG+GQ=

https://lufi.ethibox.fr/r/Ce9gznPnS3#Bo … MAXKK8hDI=

2 Reply by jim

  • jim
  • Guest

Re: Install Full disk encryption (including /boot ) on Virtual Machine

I don’t know how to attach a photo)) if it’s not difficult for someone, please download and attach it here so that other users can see.

3 Reply by zapper

  • zapper
  • zapper
  • Hyper Cyber
  • Offline
  • Registered: 2017-10-18
  • Posts: 1,075

Re: Install Full disk encryption (including /boot ) on Virtual Machine

Appreciate you writing this up. But the stuff you didn't specify, such as:
time zone
clock
consolefont
kernel modules

Could you write that out if its not the same as the FDE + /Boot guide that Hyperbola currently has?

HyperbolaBSD: The Future of Secure Libre Lightweight Operating Systems!

4 Reply by jim

  • jim
  • Guest

Re: Install Full disk encryption (including /boot ) on Virtual Machine

Addition to this manual.

If you accidentally entered the password incorrectly, there are two ways (that I know))) to solve this issue:

1. Reboot the virtual machine and enter the password correctly.

2. Second, do it manually, below I described how to do it, checked, everything works, the system boots.


Set an environment variable. If issued with no arguments, the command prints the list of all environment variables and their values.

grub rescue>  set

Display the contents of a directory or partition.

grub rescue>  ls

Access an encrypted file system (you will be asked to enter a password) https://www.gnu.org/software/grub/manua … mount.html


grub rescue>  cryptomount -a

 

or

grub rescue>  cryptomount hd0,msdos1

hd0 is sda

hd0,msdos1 is sda1 our encrypted volume

Next we will see our disks using the command «ls»  :

grub rescue> ls

list of files in directory "/" (optional)

grub rescue>  ls (lvm/matrix-rootvol)/

list of files in the /boot directory (optional)
        

grub rescue>  ls (lvm/matrix-rootvol)/boot

   

Set the boot partition as the value of the root variable

grub rescue>  grub> set root='lvm/matrix-rootvol'

load module linux.mod

grub rescue>  insmod linux

Load the Linux kernel using the linux command

grub rescue>  linux /boot/vmlinuz-linux-libre-lts  root=/dev/mapper/matrix-rootvol cryptdevice=/dev/sda1:lvm

specify which file system image in RAM to use when booting the computer

grub> initrd /boot/initramfs-linux-libre-lts.img

Now, to boot our system, type "boot" and hit "Enter."

grub> boot

After this, you will be prompted to enter the password for the encrypted volume sda1


This information is located in 

 /boot/grub/grub.cfg

5 Reply by jim

  • jim
  • Guest

Re: Install Full disk encryption (including /boot ) on Virtual Machine

zapper wrote:

Appreciate you writing this up. But the stuff you didn't specify, such as:
time zone
clock
consolefont
kernel modules

Could you write that out if its not the same as the FDE + /Boot guide that Hyperbola currently has?

Yes, I skipped that as I was more interested in the encryption, whether it would work or not.
When I wrote this instruction, of course, I looked at the Hyperbola wiki, but in my opinion, the Parabola wiki is more detailed and there I also looked at the information, plus the answers of users who are here on the forum.

6 Reply by Other_Cody

  • Other_Cody
  • Guest

Re: Install Full disk encryption (including /boot ) on Virtual Machine

jim wrote:

https://lufi.ethibox.fr/r/00U2Xyh4rJ#Zw … Z/gIxPt5k=

https://lufi.ethibox.fr/r/LHDMCM6xbc#Yp … 1hpE31Pxw=

https://lufi.ethibox.fr/r/ZsUZQPZNm1#3V … +ox4FX5Jg=

https://lufi.ethibox.fr/r/S8cnJcJeoU#8z … lcxZTG+GQ=

https://lufi.ethibox.fr/r/Ce9gznPnS3#Bo … MAXKK8hDI=

I do not know if these links still have any of your images.

I do not know if these websites work with only free as in freedom software, but maybe

https://imgbb.com/

and

https://archive.org/web

could help keep images up.

As saving a webpage with https://archive.org/web
can help keep the image around even if the other site you post at does not keep the image.

Or torrent files.

Unless there is some way to save images for a longer time.

I think

https://lufi.ethibox.fr/

deletes images after 1, 7, or 30 days.

7 Reply by jim

  • jim
  • Guest

Re: Install Full disk encryption (including /boot ) on Virtual Machine

Hello . At this moment, I have not yet found a permanent ethical service for storing photos and posting them here, but the commands are saved, I recently repeated everything that was written here, everything worked, so I will be glad to answer your questions. The options that such services advertise do not suit me.
https://files.catbox.moe/n70t9u.png

8 Reply by zapper

  • zapper
  • zapper
  • Hyper Cyber
  • Offline
  • Registered: 2017-10-18
  • Posts: 1,075

Re: Install Full disk encryption (including /boot ) on Virtual Machine

jim wrote:

Hello . At this moment, I have not yet found a permanent ethical service for storing photos and posting them here, but the commands are saved, I recently repeated everything that was written here, everything worked, so I will be glad to answer your questions. The options that such services advertise do not suit me.
https://files.catbox.moe/n70t9u.png


upload.disroot.org

is another one you can use.

Btw, unrelated, but for you and others, if you want to store stuff in a cloud, which is discouraged by gnu  its recommended you do two things,

one: encrypt files before uploading

two: use a service like disroot or better.

Albeit, its probably better to avoid that altogether.

Anywho just my two cents.

HyperbolaBSD: The Future of Secure Libre Lightweight Operating Systems!

9 Reply by jim (edited by jim 2024-03-21 06:47:28)

  • jim
  • Guest

Re: Install Full disk encryption (including /boot ) on Virtual Machine

Hello Zapper
Thanks for the recommendations, GNU also does not recommend disroot.org ))  https://www.fsf.org/resources/webmail-systems

10 Reply by zapper

  • zapper
  • zapper
  • Hyper Cyber
  • Offline
  • Registered: 2017-10-18
  • Posts: 1,075

Re: Install Full disk encryption (including /boot ) on Virtual Machine

jim wrote:

Hello Zapper
Thanks for the recommendations, GNU also does not recommend disroot.org ))  https://www.fsf.org/resources/webmail-systems


Yeah, but its not due to surveillance/selling info issues, its due to non-free javascript.

I do however wonder how updated that page is. Last I checked it was very outdated.

HyperbolaBSD: The Future of Secure Libre Lightweight Operating Systems!