dede/ykfde
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Improve chapter

Browse Source
This commit is contained in:
Sandro Keil
2018-07-23 23:50:37 +02:00
parent 1982046b99
commit 2a34b33f09
4 changed files with 66 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
book/arch/04-prepare-volumes.md
View File

@@ -20,13 +20,13 @@ mkdir /mnt/home
mount /dev/MyVolGroup/home /mnt/home
```
## Encrypted `/boot` partition
## Encrypted boot partition
The last volume is `/boot` which should also be encrypted. We can not use a YubiKey here, but it is protected with a password.
The last volume is `/boot` which should also be encrypted. You can not use a YubiKey here, but it is protected with a password.
The Arch Wiki page [Preparing the boot partition](https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Preparing_the_boot_partition_5 "Preparing the boot partition")
describes this in more detail. The `efi` partition will be mounted to `/boot/efi`.
> Be aware, GRUB boot loader uses US keyboad layout. Consider this for your password!
> Be aware, GRUB boot loader uses US keyboard layout. Consider this for your password!
Execute the following commands and replace `[device 3rd partition]` with the 3rd partition of your device e.g. `nvme0n1p3`
and replace `[device 2nd partition]` with the 2nd partition of your device e.g. `nvme0n1p2`.
@@ -48,9 +48,10 @@ mount /dev/[device 2nd partition] /mnt/boot/efi
## Keyfile for initramfs
[With a keyfile embedded in the initramfs](https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#With_a_keyfile_embedded_in_the_initramfs "With a keyfile embedded in the initramfs")
we don't have to unlock the `/boot` partition twice. The `/boot` partition will be mounted if the system starts, so updates can be performed.
you don't have to unlock the `/boot` partition twice. The `/boot` partition will be mounted if the system starts, so updates can be performed.
Create a randomized generated key file with the following lines and add this keyfile to the 3rd LUKS partition (replace `[device 3rd partition]` with e.g. `nvme0n1p3`).
Create a randomized generated key file with the following lines and add this keyfile to the 3rd LUKS partition (replace `[device 3rd partition]` with the 3rd partition of your device e.g. `nvme0n1p3`).
The keyfile is copied in the root folder of the new Arch linux environment.
```
dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin