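# This outline of a CRUX installation for full-disk encryption is provided
# based on the experience of one user. There are many other possible ways
# to set up an encrypted disk. At every stage of the installation, you have a
# number of different options. It is easy to get overwhelmed by all the decisions
# involved.
#
# Extra packages: lz4 if you choose this compression mode for the kernel,
# dracut and lvm2 to access the logical volumes when booting
#
# Every disk command below targets /dev/sda and is destructive; this is an
# outline to follow step by step, not a script to execute as a whole.

##### Partition the disk: an ESP, a swap partition, and one large partition
##### that will hold the LUKS container (the LVM volumes live inside it)
parted -s -a optimal /dev/sda \
  mklabel gpt \
  mkpart primary fat32 0% 500MiB \
  name 1 esp \
  set 1 esp on \
  mkpart primary 500MiB 4GiB \
  name 2 swap \
  mkpart primary 4GiB 100% \
  name 3 ENCRYPTED

mkfs.vfat /dev/sda1

##### Swap is a plain dm-crypt mapping keyed from /dev/urandom. The key is never
##### stored anywhere, so whatever lands in swap is unrecoverable after reboot
##### (the flip side: hibernate/resume from this swap is not possible).
cryptsetup -q -c aes-cbc-essiv:sha256 -d /dev/urandom create swap /dev/sda2
mkswap -f /dev/mapper/swap
swapon /dev/mapper/swap

##### For AES Encryption
##### cryptsetup luksFormat --type luks2 -c aes-cbc-essiv:sha256 /dev/sda3

cryptsetup luksFormat --type luks2 -c serpent-xts-plain64 -s 512 /dev/sda3

##### The device node is now set up, but it needs a mapping to be usable as disk space
##### Replace 'ENCRYPTED' with whatever name you want
cryptsetup luksOpen /dev/sda3 ENCRYPTED
pvcreate /dev/mapper/ENCRYPTED

##### On the newly-mapped physical volume, create the desired logical volumes
vgcreate ENCRYPTED /dev/mapper/ENCRYPTED

lvcreate -L 30G ENCRYPTED -n root
lvcreate -L 4G ENCRYPTED -n var
lvcreate -L 50G ENCRYPTED -n usr
lvcreate -L 3G ENCRYPTED -n opt
lvcreate -l 100%FREE ENCRYPTED -n home

##### Format each logical volume with the desired filesystem
##### ("flash-friendly" FS works well with the encryption overhead, but btrfs or ext4 are also possible)
mkfs.f2fs /dev/mapper/ENCRYPTED-root
mkfs.f2fs /dev/mapper/ENCRYPTED-var
mkfs.f2fs /dev/mapper/ENCRYPTED-usr
mkfs.f2fs /dev/mapper/ENCRYPTED-opt
mkfs.f2fs /dev/mapper/ENCRYPTED-home

##### Mount the root FS where the CRUX installer expects it
mount /dev/mapper/ENCRYPTED-root /mnt

##### Do the same for any partitions that will be written to during CRUX installation
mkdir /mnt/{var,usr,opt,home,boot}

mount /dev/mapper/ENCRYPTED-var /mnt/var
mount /dev/mapper/ENCRYPTED-usr /mnt/usr
mount /dev/mapper/ENCRYPTED-opt /mnt/opt
mount /dev/mapper/ENCRYPTED-home /mnt/home
mount /dev/sda1 /mnt/boot

setup # --> Install these extra packages (cryptsetup lvm2 syslinux dracut lz4)

setup-chroot
passwd
localedef -i en_US -f UTF-8 en_US.UTF-8

##### The swap line stays commented out: the initscript below creates the
##### mapping with a fresh key on every boot and activates it itself.
cat <<'EOF' > /etc/fstab

/dev/mapper/ENCRYPTED-root / f2fs defaults 0 0
#/dev/mapper/swap swap swap defaults 0 0
/dev/sda1 /boot vfat defaults 0 0
/dev/mapper/ENCRYPTED-var /var f2fs defaults 0 0
/dev/mapper/ENCRYPTED-usr /usr f2fs defaults 0 0
/dev/mapper/ENCRYPTED-opt /opt f2fs defaults 0 0
/dev/mapper/ENCRYPTED-home /home f2fs defaults 0 0
EOF

##### Now write a custom initscript to create an encrypted swap partition with
##### randomized cipher on each boot.
##### The here-doc delimiter MUST be quoted ('EOF'): with a bare EOF the shell
##### writing the file expands $1, $0, ${PROG}, ${CIPH}, ... at write time,
##### leaving a script with "case  in" and an empty cryptsetup path.
cat <<'EOF' > /etc/rc.d/swap
#!/bin/sh
#
# /etc/rc.d/swap: set up an encrypted swap device with a throw-away key
#
# usage: swap [start|stop|status]

PROG="/usr/sbin/cryptsetup"
SWAP="swap"
CIPH="aes-cbc-essiv:sha256"
PART="/dev/sda2"

case "$1" in
start)
  if [ -e "/dev/mapper/${SWAP}" ] ; then
    # Mapping already exists; only activate it if no swap is live yet
    if swapon --show | grep -qs partition ; then
      exit 0
    else
      swapon "/dev/mapper/${SWAP}"
      exit 0
    fi
  else
    # New random key on every boot: nothing written to swap survives a reboot
    "${PROG}" -q -c "${CIPH}" -d /dev/urandom create "${SWAP}" "${PART}"
    mkswap -f "/dev/mapper/${SWAP}"
    swapon "/dev/mapper/${SWAP}"
    exit 0
  fi
  ;;
stop)
  swapoff -a
  # give the kernel a moment to release the device before tearing down the mapping
  sleep 1
  "${PROG}" close "/dev/mapper/${SWAP}"
  ;;
status)
  swapon --show
  ;;
*)
  echo "usage: $0 [start|stop|status]"
  ;;
esac
EOF

##### Make the above initscript executable, and add it to the SERVICES array
chmod +x /etc/rc.d/swap

vi /etc/rc.conf
# add "swap" to the SERVICES array, e.g.:
# SERVICES=(swap lo net crond)

##### Continue configuring the network and building the kernel
vi /etc/rc.d/net

##### dracut needs the crypt and lvm modules in the initramfs to unlock the
##### LUKS container and activate the volume group before root can be mounted
cat <<'EOF' > /etc/dracut.conf.d/modules.conf
add_dracutmodules+=" crypt lvm "
EOF

cd /usr/src/linux-5.15.55
make menuconfig
make all && make modules_install

##### Install the kernel, syslinux bootloader, and initramfs
##### (/boot is the unencrypted ESP: kernel, initramfs and bootloader live
##### outside the LUKS container and are not protected by it)
mkdir -p /boot/efi/BOOT
cp arch/x86/boot/bzImage /boot/efi/BOOT/vmlinuz-5.15.55
cp System.map /boot/efi/BOOT/System.map-5.15.55
cp .config /boot/efi/BOOT/config-5.15.55

##### Write the initramfs next to the kernel and syslinux.cfg: the INITRD
##### entry below is a relative path, resolved from the config file's directory
dracut --kver 5.15.55 /boot/efi/BOOT/initramfs-5.15.55.img

cp /usr/share/syslinux/efi64/syslinux.efi /boot/efi/BOOT/bootx64.efi
cp /usr/share/syslinux/efi64/ldlinux.e64 /boot/efi/BOOT

##### rd.auto=1 lets the dracut initramfs discover and open the LUKS/LVM
##### devices; replace ENCRYPTED if you chose a different mapping name above
cat <<'EOF' > /boot/efi/BOOT/syslinux.cfg
PROMPT 1
TIMEOUT 10
DEFAULT CRUX

LABEL CRUX
LINUX vmlinuz-5.15.55
APPEND root=/dev/mapper/ENCRYPTED-root rw rd.auto=1
INITRD initramfs-5.15.55.img
EOF

##### Reboot, and enjoy your new CRUX installation!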