Improve Arch guide with more hints

2018-12-29 13:22:32 +01:00
parent f27e6a0bf8
commit cb4d1cd60d
7 changed files with 142 additions and 63 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1 +1,19 @@
 # Changelog
+
+## 2018-12-29
+
+- Add Arch helper scripts
+- Improve Arch guide with more hints
+
+## 2018-12-18
+
+- Add Security chapter
+
+## 2018-09-23
+
+- Add backup note and single YubiKey warning
+
+## 2018-07-24
+
+- Add Arch YubiKey login chapter
+- Add Arch Secure Boot chapter
--- a/book/arch/01-getting-started.md
+++ b/book/arch/01-getting-started.md
@@ -1,5 +1,7 @@
 # Getting Started

+> You can use the file `scripts/arch/01-init.sh`
+
 For common stuff, the Arch Wiki is a good starting point. You need a bootable Arch Linux medium. Please take a look
 at the Arch installation guide [en](https://wiki.archlinux.org/index.php/installation_guide#Pre-installation "Download and boot the installation medium") / [de](https://wiki.archlinux.de/title/Anleitung_für_Einsteiger#Das_neueste_ISO-Abbild_beziehen "Das neueste ISO-Abbild beziehen").

--- a/book/arch/02-prepare-disk.md
+++ b/book/arch/02-prepare-disk.md
@@ -5,7 +5,7 @@ This chapter describes [LVM on LUKS with encrypted boot partition](https://wiki.
 Because we want to unlock all volumes at once.

 List your disks with `lsblk` and run `gdisk /dev/[your disk]` e.g. `gdisk /dev/nvme0n1`. You can take a look at the
-`gdisk` Arch Wiki [en](https://wiki.archlinux.org/index.php/Fdisk#gdisk) / [de](https://wiki.archlinux.de/title/GPT#Partitionieren_mit_gdisk)
+`gdisk` Arch Wiki [en](https://wiki.archlinux.org/index.php/Gdisk) / [de](https://wiki.archlinux.de/title/GPT#Partitionieren_mit_gdisk)

 > It's crucial to use `gdisk` because GPT is needed for UEFI boot.

--- a/book/arch/03-prepare-yubikey.md
+++ b/book/arch/03-prepare-yubikey.md
@@ -1,5 +1,7 @@
 # Prepare YubiKey

+> You can use the file `scripts/arch/03-ykfde.sh`.
+
 Download or mount [yubikey-full-disk-encryption](https://github.com/agherzan/yubikey-full-disk-encryption) and install it
 in your Arch Linux Live environment. This is needed because we will format the 4th partition with YubiKey.

@@ -14,16 +16,18 @@ make install

 ## Prepare 2nd slot
 Now it's time to prepare the second slot of your YubiKey for the [challenge response authentication](https://wiki.archlinux.org/index.php/yubikey#Challenge-Response "Setup YubiKey Challenge-Response").
-Touch will be also enabled. You can also install the package `yubikey-personalization-gui`. It allows for customization of the secret key, 
+Touch will be also enabled. You can also install the package [`yubikey-personalization-gui`](https://www.kryptel.com/articles/yubikey_setup.php). It allows for customization of the secret key,
 creation of secret key backup and writing the same secret key to multiple YubiKeys which allows for using them interchangeably for creating
 same *ykfde* passphrases.

-> Securely save the 20 byte length secret key from the output, so you can use it to initialize another YubiKey as backup.
+> Securely save the 20 byte length secret **key** from the output, so you can use it to initialize another YubiKey as backup.

 ```
 ykpersonalize -v -2 -ochal-resp -ochal-hmac -ohmac-lt64 -ochal-btn-trig -oserial-api-visible
 ```

+The output contains the secret **key** e.g. `7fb21c407f0693ab30259664680a047f8c462ccb` to replace a faulty YubiKey.
+
 ## Configure ykfde
 Open `/etc/ykfde.conf` and set `YKFDE_CHALLENGE_SLOT=2` because we want to use the second slot.
 Set `YKFDE_CHALLENGE_PASSWORD_NEEDED=1` so it asks for the password (2FA). Leave other settings as is, it will be changed
@@ -32,7 +36,9 @@ later.
 > Please compare it carefully with the latest version you have downloaded.

 ```ini
-# Configuration for yubikey-full-disk-encryption. ("") means an empty value.
+### Configuration for 'yubikey-full-disk-encryption'.
+### Remove hash (#) symbol and set non-empty ("") value for chosen options to
+### enable them.

 ### *REQUIRED* ###

@@ -40,35 +46,45 @@ later.
 #YKFDE_CHALLENGE=""

 # Use 'Manual mode with secret challenge (2FA)'.
-YKFDE_CHALLENGE_PASSWORD_NEEDED="1"
+#YKFDE_CHALLENGE_PASSWORD_NEEDED="1"

-# Choose YubiKey slot configured for 'HMAC-SHA1 Challenge-Response' mode. Possible values are "1" or "2".
-YKFDE_CHALLENGE_SLOT="2"
+# YubiKey slot configured for 'HMAC-SHA1 Challenge-Response' mode.
+# Possible values are "1" or "2". Defaults to "2".
+#YKFDE_CHALLENGE_SLOT="2"

 ### OPTIONAL ###

-# Set partition UUID. Leave empty to use 'cryptdevice' kernel parameter.
+# UUID of device to unlock with 'cryptsetup'.
+# Leave empty to use 'cryptdevice' boot parameter.
 #YKFDE_DISK_UUID=""

-# Set LUKS encrypted volume name. Leave empty to use 'cryptdevice' kernel parameter.
+# LUKS encrypted volume name after unlocking.
+# Leave empty to use 'cryptdevice' boot parameter.
 #YKFDE_LUKS_NAME=""

-# If left empty this will be set as "/dev/disk/by-uuid/$YKFDE_DISK_UUID" -- device to unlock with 'cryptsetup luksOpen'.
+# Device to unlock with 'cryptsetup'. If left empty and 'YKFDE_DISK_UUID'
+# is enabled this will be set as "/dev/disk/by-uuid/$YKFDE_DISK_UUID".
+# Leave empty to use 'cryptdevice' boot parameter.
 #YKFDE_LUKS_DEV=""

-# Optional flags passed to 'cryptsetup luksOpen'. Example: "--allow-discards" for TRIM support. Leave empty to use cryptdevice kernel parameter.
+# Optional flags passed to 'cryptsetup'. Example: "--allow-discards" for TRIM
+# support. Leave empty to use 'cryptdevice' boot parameter.
 #YKFDE_LUKS_OPTIONS=""

-# Number of times to assemble passphrase and run 'cryptsetup luksOpen'. Defaults to "5".
+# Number of times to try assemble 'ykfde passphrase' and run 'cryptsetup'.
+# Defaults to "5".
 #YKFDE_CRYPTSETUP_TRIALS="5"

-# Number of seconds to wait for inserting YubiKey, "-1" means 'unlimited'. Defaults to "30".
+# Number of seconds to wait for inserting YubiKey, "-1" means 'unlimited'.
+# Defaults to "30".
 #YKFDE_CHALLENGE_YUBIKEY_INSERT_TIMEOUT="30"

-# Number of seconds passed to 'sleep' after succesful decryption. Defaults to empty, meaning NO sleep.
+# Number of seconds to wait after successful decryption.
+# Defaults to empty, meaning NO wait.
 #YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP=""

-# Enable verbose output. It will print all secrets to terminal. Use only for debugging.
+# Verbose output. It will print all secrets to terminal.
+# Use only for debugging.
 #DBG="1"
 ```

@@ -77,6 +93,10 @@ Next step is to format the 4th partition. You can modify the arguments if you kn

 > Ensure that you use the 4th partition, replace `[device 4th partition]` with the 4th partition of your device e.g. `nvme0n1p4`

+The command `ykfde-format` will prompt to enter your challenge (2FA) password. Use a strong password which you can remember.
+You have to type this password every time to get access via YubiKey and to decrypt your disk. The command `ykfde-open`
+will unlock a LUKS encrypted volume on a running system.
+
 ```
 ykfde-format --cipher aes-xts-plain64 --key-size 512 --hash sha256 --iter-time 5000 --type luks2 /dev/[device 4th partition]
 ykfde-open -d /dev/[device 4th partition] -n cryptlvm
--- a/book/arch/04-prepare-volumes.md
+++ b/book/arch/04-prepare-volumes.md
@@ -1,5 +1,7 @@
 # Prepare Volumes

+> You can use the file `scripts/arch/04-prepare-volumes.sh`
+
 Please take a look at the Arch Wiki page [Preparing the logical volumes](https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Preparing_the_logical_volumes "preparing the logical volumes")
 to create `/` and `/home` directory/partitions. In short you do this (without swap).

@@ -9,7 +11,7 @@ to create `/` and `/home` directory/partitions. In short you do this (without sw
 pvcreate /dev/mapper/cryptlvm
 vgcreate MyVolGroup /dev/mapper/cryptlvm

-lvcreate -L 30G MyVolGroup -n root
+lvcreate -L 20G MyVolGroup -n root
 lvcreate -l 100%FREE MyVolGroup -n home

 mkfs.ext4 /dev/MyVolGroup/root
@@ -26,11 +28,14 @@ The last volume is `/boot` which should also be encrypted. You can not use a Yub
 The Arch Wiki page [Preparing the boot partition](https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Preparing_the_boot_partition_5 "Preparing the boot partition")
 describes this in more detail. The `efi` partition will be mounted to `/boot/efi`.

-> Be aware, GRUB boot loader uses US keyboard layout. Consider this for your password!
-
 Execute the following commands and replace `[device 3rd partition]` with the 3rd partition of your device e.g. `nvme0n1p3`
 and replace `[device 2nd partition]` with the 2nd partition of your device e.g. `nvme0n1p2`.

+The command `cryptsetup luksFormat` will prompt to enter your password to decrypt the boot partition at boot.
+Use a strong password which you can remember.
+
+> Be aware, GRUB boot loader uses US keyboard layout. German users should execute `loadkeys us` before running `cryptsetup` commands.
+
 ```
 cryptsetup luksFormat /dev/[device 3rd partition]
 cryptsetup open /dev/[device 3rd partition] cryptboot
@@ -58,3 +63,5 @@ dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin
 chmod 000 /mnt/crypto_keyfile.bin
 cryptsetup luksAddKey /dev/[device 3rd partition] /mnt/crypto_keyfile.bin
 ```
+
+Now it's time to install Arch. You have made a great progress!
--- a/book/arch/05-install-arch.md
+++ b/book/arch/05-install-arch.md
@@ -1,5 +1,7 @@
 # Install Arch Linux

+> You can use the file `scripts/arch/05-install.sh`.
+
 This chapter describes how to install a minimal Arch Linux. You will find an appropriated page in the Arch Wiki
 [en](https://wiki.archlinux.org/index.php/installation_guide) / [de](https://wiki.archlinux.de/title/Anleitung_f%C3%BCr_Einsteiger).

@@ -28,10 +30,10 @@ available inside the new system. More on that later. Replace `[Your YubiKey pass

 ```
 cp -r yubikey-full-disk-encryption /mnt/home/
-echo "export YKFDE_CHALLENGE=$(printf [Your YubiKey password] | sha256sum | awk '{print $1}')" > /mnt/home/challenge.txt
+echo "export YKFDE_CHALLENGE=$(printf '[Your YubiKey password]' | sha256sum | awk '{print $1}')" > /mnt/home/challenge.txt
 ```

-Copy `/etc/ykde.conf` to `/mnt/home` so you can use this file later in your new environment.  
+Copy `/etc/ykfde.conf` to `/mnt/home` so you can use this file later in your new environment.

 ## Mount run folder

@@ -46,9 +48,17 @@ mount --bind /run /mnt/hostrun

 ## chroot

+> You can use the file `scripts/arch/05-chroot.sh`.
+
 It's time to switch into your new system with `arch-chroot /mnt` and prepare some stuff. After successfully changed root to
 the new system, execute the following lines to make the hosts *lvm* available here for `grub-mkconfig`.

+You will need the same packages like in chapter *01: Getting Started*.
+
+```
+pacman -Sy yubikey-manager yubikey-personalization pcsc-tools libu2f-host make json-c cryptsetup
+```
+
 ```
 mkdir /run/lvm
 mount --bind /hostrun/lvm /run/lvm
@@ -62,17 +72,17 @@ cd /home/yubikey-full-disk-encryption
 make install
 ```

-Copy `/home/ykde.conf` to  `/etc/ykde.conf` so you have your previous settings or configure the file as described 
-in chapter *Prepare YubiKey*. The YubiKey challenge will now be stored in the `ykde.conf` 
+Copy `/home/ykfde.conf` to  `/etc/ykfde.conf` so you have your previous settings or configure the file as described
+in chapter *Prepare YubiKey*. The YubiKey challenge will now be stored in the `ykfde.conf`
 file. The environment variable with the YubiKey challenge is loaded into the environment so it can be set
-into the `ykde.conf` file with the command `sed`.
+into the `ykfde.conf` file with the command `sed`.

 ```
 source /home/challenge.txt
-sed -i "s/#YKFDE_CHALLENGE=/YKFDE_CHALLENGE=$YKFDE_CHALLENGE/g" /etc/ykde.conf
+sed -i "s/#YKFDE_CHALLENGE=\"/YKFDE_CHALLENGE=\"$YKFDE_CHALLENGE/g" /etc/ykfde.conf
 ```

-Check that the YubiKey challenge was successfully saved to `/etc/ykde.conf` with `cat /etc/ykde.conf`.
+Check that the YubiKey challenge was successfully saved to `/etc/ykfde.conf` with `cat /etc/ykfde.conf`.

 ## mkinitcpio
 The next step is to prepare the `mkinitcpio.conf` to detect and unlock an encrypted partition at boot. Open the file with
@@ -90,9 +100,17 @@ Additionally the *ext4* module is needed. Add *ext4* to the *MODULES*. It should
 MODULES=(ext4)
 ```

+### German users
+German users have to configure german keyboard layout, otherwise YubiKey passphrase will be wrong.
+
+```
+echo KEYMAP=de-latin1 > /etc/vconsole.conf
+echo FONT=lat9w-16 >> /etc/vconsole.conf
+```
+
 ## GRUB
 The next part is a bit tricky, because you have to figure out the correct device UUIDs. First, get a list of your device
-IDs with `lsblk -f` it should look something like this:
+IDs with `lsblk -f`. Alternative `blkid` can be used. It should look something like this:

 ```
 NAME                  FSTYPE      LABEL UUID                                   MOUNTPOINT
@@ -145,14 +163,16 @@ It should look like this with your UUID of the 3rd partition.
 cryptboot      UUID=434a512a-1b76-449e-8cb0-f93aee46e85c    /crypto_keyfile.bin                    luks
 ```

-## Configure ykde.conf
-Open the file with `vi /etc/ykde.conf` and enable/set `YKFDE_LUKS_NAME="cryptlvm"` and  `YKFDE_DISK_UUID=[4th partition UUID]` 
+## Configure ykfde.conf
+Open the file with `vi /etc/ykfde.conf` and enable/set `YKFDE_LUKS_NAME="cryptlvm"` and  `YKFDE_DISK_UUID=[4th partition UUID]`
 (replace `[4th partition UUID]` with the UUID of the 4th partition e.g. `a86c6534-6643-4afa-b3ae-c78a0a5dc50f`).
 Feel free to modify it to your needs e.g. enable TRIM (but be warned, there are potential security implications) support.
 It should look something like this

 ```ini
-# Configuration for yubikey-full-disk-encryption. ("") means an empty value.
+### Configuration for 'yubikey-full-disk-encryption'.
+### Remove hash (#) symbol and set non-empty ("") value for chosen options to
+### enable them.

 ### *REQUIRED* ###

@@ -160,41 +180,51 @@ It should look something like this
 YKFDE_CHALLENGE="8fa0acf6233b92d2d48a30a315cd213748d48f28eaa63d7590509392316b3016"

 # Use 'Manual mode with secret challenge (2FA)'.
-YKFDE_CHALLENGE_PASSWORD_NEEDED="1"
+#YKFDE_CHALLENGE_PASSWORD_NEEDED="1"

-# Choose YubiKey slot configured for 'HMAC-SHA1 Challenge-Response' mode. Possible values are "1" or "2".
+# YubiKey slot configured for 'HMAC-SHA1 Challenge-Response' mode.
+# Possible values are "1" or "2". Defaults to "2".
 YKFDE_CHALLENGE_SLOT="2"

 ### OPTIONAL ###

-# Set partition UUID. Leave empty to use 'cryptdevice' kernel parameter.
+# UUID of device to unlock with 'cryptsetup'.
+# Leave empty to use 'cryptdevice' boot parameter.
 YKFDE_DISK_UUID="a86c6534-6643-4afa-b3ae-c78a0a5dc50f"

-# Set LUKS encrypted volume name. Leave empty to use 'cryptdevice' kernel parameter.
+# LUKS encrypted volume name after unlocking.
+# Leave empty to use 'cryptdevice' boot parameter.
 YKFDE_LUKS_NAME="cryptlvm"

-# If left empty this will be set as "/dev/disk/by-uuid/$YKFDE_DISK_UUID" -- device to unlock with 'cryptsetup luksOpen'.
+# Device to unlock with 'cryptsetup'. If left empty and 'YKFDE_DISK_UUID'
+# is enabled this will be set as "/dev/disk/by-uuid/$YKFDE_DISK_UUID".
+# Leave empty to use 'cryptdevice' boot parameter.
 #YKFDE_LUKS_DEV=""

-# Optional flags passed to 'cryptsetup luksOpen'. Example: "--allow-discards" for TRIM support. Leave empty to use cryptdevice kernel parameter.
+# Optional flags passed to 'cryptsetup'. Example: "--allow-discards" for TRIM
+# support. Leave empty to use 'cryptdevice' boot parameter.
 #YKFDE_LUKS_OPTIONS=""

-# Number of times to assemble passphrase and run 'cryptsetup luksOpen'. Defaults to "5".
+# Number of times to try assemble 'ykfde passphrase' and run 'cryptsetup'.
+# Defaults to "5".
 #YKFDE_CRYPTSETUP_TRIALS="5"

-# Number of seconds to wait for inserting YubiKey, "-1" means 'unlimited'. Defaults to "30".
+# Number of seconds to wait for inserting YubiKey, "-1" means 'unlimited'.
+# Defaults to "30".
 #YKFDE_CHALLENGE_YUBIKEY_INSERT_TIMEOUT="30"

-# Number of seconds passed to 'sleep' after succesful decryption. Defaults to empty, meaning NO sleep.
+# Number of seconds to wait after successful decryption.
+# Defaults to empty, meaning NO wait.
 #YKFDE_SLEEP_AFTER_SUCCESSFUL_CRYPTSETUP=""

-# Enable verbose output. It will print all secrets to terminal. Use only for debugging.
+# Verbose output. It will print all secrets to terminal.
+# Use only for debugging.
 #DBG="1"
 ```

 ## Test it
-It's time to check you settings with a graceful reboot. If you have done all things right you will be asked for your 
-boot parition password to see the GRUB boot menu and after that the YubiKey password with YubiKey touch button to unlock 
+It's time to check your settings with a graceful reboot. If you have done all things right, you will be asked for your
+boot partition password to see the GRUB boot menu and after that, the YubiKey password with YubiKey touch button to unlock
 the root partition.

 Good luck! Don't worry if something doesn't work, simply boot from the Arch Linux medium, install the necessary software
--- a/book/arch/06-secure-boot.md
+++ b/book/arch/06-secure-boot.md
@@ -1,5 +1,7 @@
 # Setup secure boot

+> You can use the file `scripts/arch/06-secure-boot.sh`.
+
 This chapter describes how to configure secure boot because no one should modify the bootloader or boot from another medium.
 Gerke Max Preussner describes this very detailed in his post [Fully Encrypted ArchLinux with Secure Boot on Yoga 920](https://gmpreussner.com/reference/fully-encrypted-archlinux-with-secure-boot-on-yoga-920?#secureboot)
 Please read his chapter about secure boot and come back to enable it.