Add prepare volumes and install Arch chapters

This commit is contained in:
Sandro Keil
2018-07-23 23:03:08 +02:00
parent 6e3f45dac7
commit 1982046b99
6 changed files with 231 additions and 20 deletions

View File

@@ -1,19 +1,19 @@
# Getting Started
For common stuff, the Arch Wiki is a good starting point. We need a bootable Arch Linux medium. Please take a look
at the Arch Installtion Guide [en](https://wiki.archlinux.org/index.php/installation_guide#Pre-installation "Download and boot the installation medium") / [de](https://wiki.archlinux.de/title/Anleitung_für_Einsteiger#Das_neueste_ISO-Abbild_beziehen "Das neueste ISO-Abbild beziehen").
For common stuff, the Arch Wiki is a good starting point. You need a bootable Arch Linux medium. Please take a look
at the Arch installation guide [en](https://wiki.archlinux.org/index.php/installation_guide#Pre-installation "Download and boot the installation medium") / [de](https://wiki.archlinux.de/title/Anleitung_für_Einsteiger#Das_neueste_ISO-Abbild_beziehen "Das neueste ISO-Abbild beziehen").
Ok, you've create a bootable Arch Linux medium, now it's time to boot into the Arch Linux UEFI system.
German users should execute `loadkeys de` (QWERTZ keyboard layout) in the tty prompt first.
Let's install minimal packages to get started with our full disk encryption with YubiKey.
Let's install minimal packages to get started of full disk encryption with YubiKey.
```
pacman -Sy yubikey-manager yubikey-personalization pcsc-tools libu2f-host make json-c cryptsetup
```
Now we must start the [smartcard service](https://wiki.archlinux.org/index.php/Smartcards "Smartcards")
Now start the [smartcard service](https://wiki.archlinux.org/index.php/Smartcards "Smartcards")
```
systemctl start pcscd.service
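Review bot: two wording slips remain in the rewritten lines: "Ok, you've create a bootable Arch Linux medium" should read "you've created", and the new sentence "get started of full disk encryption with YubiKey" reads worse than the removed "get started with our full disk encryption with YubiKey"; "get started with full disk encryption with YubiKey" keeps the we-to-you change without the grammar regression. The we-to-you rewording of the smartcard sentence is consistent with the rest of the commit.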

View File

@@ -10,7 +10,7 @@ List your disks with `lsblk` and run `gdisk /dev/[your disk]` e.g. `gdisk /dev/n
> It's crucial to use `gdisk` because GPT is needed for UEFI boot.
Please create 4 partition like described in the Arch Wiki above with `gdisk`. Use the codes for the partition type.
Don't format the partitions at this time, we will do it later with the YubiKey. It should look similar like this.
Don't format the partitions at this time, you will do it later with the YubiKey. It should look similar like this.
```
Number Start (sector) End (sector) Size Code Name
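Review bot: the context lines carry two typos that this hunk could have fixed while it touches the paragraph: "Please create 4 partition like described" should be "Please create 4 partitions as described", and "It should look similar like this." should be "It should look similar to this." The pronoun change itself matches the rest of the commit.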
@@ -23,7 +23,7 @@ Number Start (sector) End (sector) Size Code Name
The second partition contains the EFI System and must be of type FAT32. Format the second partition e.g. `/dev/nvme0n1p2` with:
```
mkfs.fat -F32 /dev/[disk 2nd partition]
mkfs.fat -F32 /dev/[device 2nd partition]
```
The next chapter describes how to prepare the YubiKey.

View File

@@ -3,19 +3,23 @@
Download or mount [yubikey-full-disk-encryption](https://github.com/agherzan/yubikey-full-disk-encryption) and install it
in your Arch Linux Live environment. This is needed because we will format the 4rd partition with YubiKey.
Open the yubikey-full-disk-encryption folder and run `make`.
## Installation
Open the *yubikey-full-disk-encryption* folder and run `make`.
```
cd yubikey-full-disk-encryption
make install
```
## Prepare 2nd slot
Now it's time prepare the second slot of our YubiKey for the challenge response authentication. Touch will be also enabled.
```
ykpersonalize -v -2 -ochal-resp -ochal-hmac -ohmac-lt64 -ochal-btn-trig -oserial-api-visible
```
## Configure ykfde
Open `/etc/ykfde.conf` and set `YKFDE_CHALLENGE_SLOT=2` because we want to use the second slot.
Set `YKFDE_CHALLENGE_PASSWORD_NEEDED=1` so it asks for the password (2FA). Feel free to modify it tou your needs
e.g. enable TRIM (but be warned, there are potential security implications) support.
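Review bot: the prose and the code block in the Installation section disagree: "Open the *yubikey-full-disk-encryption* folder and run `make`." is followed by a block that runs `make install`; say `make install` in the sentence as well, since that is the step that actually places the scripts. The `ykpersonalize -v -2 ...` line reprograms slot 2 of the key and replaces whatever configuration that slot already holds, so a one-line warning before it (and a hint to check with `ykpersonalize -h` or the yubikey-manager tooling already installed) would save readers from wiping a slot they rely on. Smaller points: "Now it's time prepare" should be "Now it's time to prepare", "tou your needs" should be "to your needs", and the unchanged context line still says "the 4rd partition" while the new heading says "4th".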
@@ -63,19 +67,14 @@ YKFDE_CHALLENGE_SLOT="2"
#DBG="1"
```
Next step is to format the 4rd partition. You can modify the arguments if you know what you are doing.
Ensure that you use the 4rd partition e.g. `nvme0n1p4`
## Encrypt 4th partition
Next step is to format the 4th partition. You can modify the arguments if you know what you are doing.
> Ensure that you use the 4th partition, replace `[device 4rd partition]` with e.g. `nvme0n1p4`
```
ykfde-format --cipher aes-xts-plain64 --key-size 512 --hash sha256 --iter-time 5000 --type luks2 /dev/[device 4rd partition]
ykfde-open -d /dev/[device 4rd partition] -n cryptlvm
ykfde-open -d /dev/[device 4th partition] -n cryptlvm
```
Display the crypt volume with `ls /dev/mapper`. Next step is to [preparing the logical volumes](https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Preparing_the_logical_volumes "preparing the logical volumes")
for `/` and `/home` directory.
```
mount /dev/MyVolGroup/root /mnt
mkdir /mnt/home
mount /dev/MyVolGroup/home /mnt/home
```
Display the crypt volume with `ls -la /dev/mapper/`. Next step is to prepare the logical volumes.
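Review bot: the placeholders are now inconsistent within one code block: `ykfde-format ... /dev/[device 4rd partition]` keeps the old spelling while the corrected `ykfde-open -d /dev/[device 4th partition] -n cryptlvm` and the blockquote use "4th"; the blockquote even instructs the reader to replace `[device 4rd partition]`, so one of them must be changed to match. Before moving on, a line suggesting `cryptsetup luksDump /dev/[device 4th partition]` would let the reader confirm that the cipher, key size and LUKS2 type requested here actually ended up in the header. Moving the mount commands into the volumes chapter is the right call, since the logical volumes do not exist yet at this point.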

View File

@@ -1,3 +1,59 @@
# Prepare Volumes
TBD
Please take a look at the Arch Wiki page [Preparing the logical volumes](https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Preparing_the_logical_volumes "preparing the logical volumes")
to create `/` and `/home` directory/partitions. In short you do this (without swap).
> The filesystem *ext4* is used.
```
pvcreate /dev/mapper/cryptlvm
vgcreate MyVolGroup /dev/mapper/cryptlvm
lvcreate -L 30G MyVolGroup -n root
lvcreate -l 100%FREE MyVolGroup -n home
mkfs.ext4 /dev/MyVolGroup/root
mkfs.ext4 /dev/MyVolGroup/home
mount /dev/MyVolGroup/root /mnt
mkdir /mnt/home
mount /dev/MyVolGroup/home /mnt/home
```
## Encrypted `/boot` partition
The last volume is `/boot` which should also be encrypted. We can not use a YubiKey here, but it is protected with a password.
The Arch Wiki page [Preparing the boot partition](https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Preparing_the_boot_partition_5 "Preparing the boot partition")
describes this in more detail. The `efi` partition will be mounted to `/boot/efi`.
> Be aware, GRUB boot loader uses US keyboad layout. Consider this for your password!
Execute the following commands and replace `[device 3rd partition]` with the 3rd partition of your device e.g. `nvme0n1p3`
and replace `[device 2nd partition]` with the 2nd partition of your device e.g. `nvme0n1p2`.
```
cryptsetup luksFormat /dev/[device 3rd partition]
cryptsetup open /dev/[device 3rd partition] cryptboot
ls /dev/mapper
mkfs.ext4 /dev/mapper/cryptboot
mkdir /mnt/boot
mount /dev/mapper/cryptboot /mnt/boot
mkdir /mnt/boot/efi
mount /dev/[device 2nd partition] /mnt/boot/efi
```
## Keyfile for initramfs
[With a keyfile embedded in the initramfs](https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#With_a_keyfile_embedded_in_the_initramfs "With a keyfile embedded in the initramfs")
we don't have to unlock the `/boot` partition twice. The `/boot` partition will be mounted if the system starts, so updates can be performed.
Create a randomized generated key file with the following lines and add this keyfile to the 3rd LUKS partition (replace `[device 3rd partition]` with e.g. `nvme0n1p3`).
```
dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin
chmod 000 /mnt/crypto_keyfile.bin
cryptsetup luksAddKey /dev/[device 3rd partition] /mnt/crypto_keyfile.bin
```
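Review bot: the "Keyfile for initramfs" heading and the linked wiki section "With a keyfile embedded in the initramfs" describe a different mechanism than what the commands do: nothing here embeds `crypto_keyfile.bin` in the initramfs (no `FILES=` entry is added anywhere in this commit); the file is written to `/mnt/crypto_keyfile.bin`, i.e. `/crypto_keyfile.bin` on the encrypted root volume, and is consumed later via crypttab. That design is sound, because the keyfile only becomes readable once the root volume has been unlocked with the YubiKey, but the heading, the link and the sentence "we don't have to unlock the `/boot` partition twice" should say that the keyfile lives on the encrypted root and is used by crypttab, so readers do not look for a missing mkinitcpio step. `chmod 000` on the keyfile is appropriate; it is still readable by root, which is all crypttab needs. Typos: "We can not" should be "cannot", "US keyboad layout" should be "US keyboard layout", and "Create a randomized generated key file" reads better as "Create a randomly generated key file".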

View File

@@ -1,3 +1,154 @@
# Install Arch Linux
TBD
This chapter describes how to install a minimal Arch Linux. You will find an appropriated page in the Arch Wiki
[en](https://wiki.archlinux.org/index.php/installation_guide) / [de](https://wiki.archlinux.de/title/Anleitung_f%C3%BCr_Einsteiger).
## Basic stuff
The *base* package and some additional packages for the YubiKey and full disk encryption will be installed to the `/mnt` folder.
If you want to know more about the individual package, please take a look at the [Arch package site](https://www.archlinux.org/packages/).
```
pacstrap /mnt base yubikey-manager yubikey-personalization pcsc-tools libu2f-host acpid dbus grub-efi-x86_64 efibootmgr lvm2
```
## Generate fstab
The following command will generate the *fstab* entries of the currently mounted partitions.
```
genfstab -U -p /mnt >> /mnt/etc/fstab
```
Check it out with `cat /mnt/etc/fstab` and verify it.
## YubiKey Full Disk Encryption
Next step is to copy the [yubikey-full-disk-encryption](https://github.com/agherzan/yubikey-full-disk-encryption) folder
to the `/mnt` folder because it will be installed later. The YubiKey challenge is stored in a file to make it
available inside the new system. More on that later.
```
cp -r yubikey-full-disk-encryption /mnt/home/
echo "export YKFDE_CHALLENGE=$YKFDE_CHALLENGE" > /mnt/home/challenge.txt
```
Copy `/etc/ykde.conf` to `/mnt/home` so you can use this file later in your new environment.
## Mount `/run`
When running `grub-mkconfig` you will see the error `/run/lvm/lvmetad.socket: connect failed: No such file or directory`.
That's why the host `/run` folder must be available inside the `chroot` environment. This is prepared with the following
lines and finished later on.
```
mkdir /mnt/hostrun/
mount --bind /run /mnt/hostrun
```
## chroot
It's time to switch into your new system with `arch-chroot /mnt` and prepare some stuff. After successfully changed root to
the new system, execute the following lines to make the hosts *lvm* available here for `grub-mkconfig`.
```
mkdir /run/lvm
mount --bind /hostrun/lvm /run/lvm
```
Next step is to install the *yubikey-full-disk-encryption* helper scripts. If they are not already copied in your home
folder, you can it download from the GitHub repository [yubikey-full-disk-encryption](https://github.com/agherzan/yubikey-full-disk-encryption).
```
cd /home/yubikey-full-disk-encryption
make install
```
Copy `/home/ykde.conf` to `/etc/ykde.conf` so you have your previous settings or configure the file as described
in [chapter 3 - Prepare YubiKey](03-prepare-yubikey.md). The YubiKey challenge will now be stored in the `ykde.conf`
file. The environment variable with the YubiKey challenge is loaded into the environment so it can be set
into the `ykde.conf` file with the command `sed`.
```
source /home/challenge.txt
sed -i "s/#YKFDE_CHALLENGE=/YKFDE_CHALLENGE=$YKFDE_CHALLENGE/g" /etc/ykde.conf
```
Check that the YubiKey challenge was successfully saved to `/etc/ykde.conf` with `cat /etc/ykde.conf`.
## mkinitcpio
The next step is to prepare the `mkinitcpio.conf` to encrypt the partition at boot. Open the file with
`vi /etc/mkinitcpio.conf` and replace the *HOOKS* line with the following content.
> Don't add `encrypt` hook, because we ues ykfde !!!
```
HOOKS=(base udev autodetect consolefont modconf block keymap lvm2 filesystems fsck keyboard ykfde)
```
Additionally the *ext4* module is needed. Add *ext4* to the *MODULES*. It should look like this line:
```
MODULES=(ext4)
```
## GRUB
The next part is a bit tricky, because you have to figure out the correct device UUIDs. First, get a list of your device
IDs with `lsblk -f` it should look something like this:
```
NAME FSTYPE LABEL UUID MOUNTPOINT
nvme0n1
├─nvme0n1p1
├─nvme0n1p2 vfat AB24-1550 /boot/efi
├─nvme0n1p3 crypto_LUKS 434a512a-1b76-449e-8cb0-f93aee46e85c
│ └─cryptboot ext4 5fe2b9c5-ac2b-4f6e-8f3e-5e45c45d0b02 /boot
└─nvme0n1p4 crypto_LUKS a86c6534-6643-4afa-b3ae-c78a0a5dc50f
└─cryptlvm LVM2_member heTIE6-0pLH-8J8Y-67T7-1vPW-4f1V-SqHeOA
├─MyVolGroup-root ext4 49a833a2-4a3b-4a1b-a7d9-75ab50910a8e /
└─MyVolGroup-home ext4 ec626537-c6a5-4df9-9ad9-3a344bc8c86f /home
```
You will need the UUID from the *device 4th partition* (in this example *a86c6534-6643-4afa-b3ae-c78a0a5dc50f*) and the
UUID of *MyVolGroup-root* (in this example *49a833a2-4a3b-4a1b-a7d9-75ab50910a8e*). Open the GRUB config file with `vi /etc/default/grub`
and add these two lines with your UUIDs.
```
GRUB_CMDLINE_LINUX="cryptdevice=UUID=[4th partition UUID]:cryptlvm root=UUID=[MyVolGroup-root UUID]"
GRUB_ENABLE_CRYPTODISK=y
```
Finally the *GRUB_CMDLINE_LINUX* line should look like this line with your UUIDs.
```
GRUB_CMDLINE_LINUX="cryptdevice=UUID=a86c6534-6643-4afa-b3ae-c78a0a5dc50f:cryptlvm root=UUID=49a833a2-4a3b-4a1b-a7d9-75ab50910a8e"
```
## Generate initramfs
The last step is to generate a new *initramfs* and the GRUB boot loader. The first one is done with `mkinitcpio -p linux`
and the second one with the following lines (replace `[your device]` with your device e.g. `nvme0n1`):
```
grub-install --target=i386-pc --recheck /dev/[your device]
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB --recheck
grub-mkconfig -o /boot/grub/grub.cfg
```
Add the `crypto_keyfile.bin` to the *crypttab*, otherwise you have to unlock the boot partition twice. Open the file with
`vi /etc/crypttab` and add the following line (replace `[UUID 3rd partition]` with the UUID of the 3rd partition e.g. `434a512a-1b76-449e-8cb0-f93aee46e85c `).
```
cryptboot UUID=[UUID 3rd partition] /crypto_keyfile.bin luks
```
It should look like this with your UUID of the 3rd partition.
```
cryptboot UUID=434a512a-1b76-449e-8cb0-f93aee46e85c /crypto_keyfile.bin luks
```
It's time to check you settings with a graceful reboot. If you have done all things right you will be asked for your
boot parition password to see the GRUB boot menu and after that the YubiKey password with YubiKey touch button to unlock
the root partition.
Good luck! Don't worry if something doesn't work, simply boot from the Arch Linux medium, install the necessary software
to mount your encrypted partitions and check the configs. Maybe an UUID is wrong.
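Review bot: the configuration file name is wrong throughout this file: the previous chapter and the tool use `/etc/ykfde.conf`, but every reference here ("Copy `/etc/ykde.conf` to `/mnt/home`", "Copy `/home/ykde.conf` to `/etc/ykde.conf`", the `sed -i ... /etc/ykde.conf` line and the final `cat /etc/ykde.conf`) says `ykde.conf`; the `sed` call will silently edit a non-existent file and the challenge will never reach the real config, so correct every occurrence to `ykfde.conf`. Two secrets-handling points belong in the text as well: `echo "export YKFDE_CHALLENGE=$YKFDE_CHALLENGE" > /mnt/home/challenge.txt` writes the challenge in clear text into a file that is never removed, so after `source /home/challenge.txt` the file (and the copied config in `/home`) should be deleted, and `/etc/ykfde.conf` should be restricted (`chmod 600`) once the challenge is in it. Nothing in this commit shows where `$YKFDE_CHALLENGE` is set in the live shell before the `echo`, so a reader following the chapters in order may write an empty value; state where it comes from or have the reader export it first. The `sed` replacement will also break if the challenge contains `/` or `&`, which is worth a remark. In the mkinitcpio section, the Arch Wiki order used elsewhere in this guide puts the unlocking hook before `lvm2` and `filesystems`, and `keyboard` before it; here `ykfde` is the last entry after `lvm2 filesystems fsck keyboard`, so the order should be checked against the ykfde README and a short note added on why it works in this position. The inline UUID example for crypttab ends with a trailing space inside the backticks (`434a512a-1b76-449e-8cb0-f93aee46e85c `), which is easy to copy into the file by accident. Smaller wording fixes: "appropriated page" should be "appropriate page", "you can it download" should be "you can download it", "After successfully changed root" should be "After you have successfully changed root", "because we ues ykfde" should be "because we use ykfde", "check you settings" should be "check your settings", "boot parition" should be "boot partition", and "an UUID" should be "a UUID".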