3.7 Appendix: prefer a locally-hosted url for the full-disk-encryption instructions

2022-08-06 10:45:22 -04:00 · 2022-08-06 10:45:22 -04:00 · 7827c73446
parent d31b2d4846
commit 7827c73446
2 changed files with 160 additions and 1 deletions
--- a/crux-wiki/CRUX-3.7-Encrypted.txt
+++ b/crux-wiki/CRUX-3.7-Encrypted.txt
@ -0,0 +1,159 @@
+# crux-3.7.iso needs a kernel with CONFIG_CRYTPO_USER_API_SKCIPHER set for serpent cipher
+# extra packages lz4 if you choose this compression mode for the kernel
+# dracut and lvm2 needed to access the logical volumes when booting
+
+parted -s -a optimal /dev/sda         \
+       mklabel gpt                    \
+       mkpart primary fat32 0% 500MiB \
+       name 1 esp                     \
+       set 1 esp on                   \
+       mkpart primary 500MiB 4GiB     \
+       name 2 swap                    \
+       mkpart primary 4GiB 100%       \
+       name 3 ENCRYPTED
+
+mkfs.vfat /dev/sda1
+
+cryptsetup -q -c aes-cbc-essiv:sha256 -d /dev/urandom create swap /dev/sda2
+mkswap -f /dev/mapper/swap
+swapon  /dev/mapper/swap
+
+##### For AES Encryption
+##### cryptsetup luksFormat --type luks2 -c aes-cbc-essiv:sha256 /dev/sda3
+
+cryptsetup luksFormat --type luks2 -c serpent-xts-plain64 -s 512 /dev/sda3
+
+##### The device node is now set up, but it needs a mapping to be usable as disk space
+cryptsetup luksOpen /dev/sda3 ENCRYPTED
+pvcreate /dev/mapper/ENCRYPTED
+
+##### On the newly-mapped physical volume, create the desired logical volumes
+vgcreate ENCRYPTED /dev/mapper/ENCRYPTED
+
+lvcreate -L 30G ENCRYPTED -n root
+lvcreate -L  4G ENCRYPTED -n var
+lvcreate -L 50G ENCRYPTED -n usr
+lvcreate -L  3G ENCRYPTED -n opt
+lvcreate -l 100%FREE ENCRYPTED -n home
+
+##### Format each logical volume with the desired filesystem
+##### ("flash-friendly" FS works well with the encryption overhead, but btrfs or ext4 are also possible)
+mkfs.f2fs /dev/mapper/ENCRYPTED-root
+mkfs.f2fs /dev/mapper/ENCRYPTED-var
+mkfs.f2fs /dev/mapper/ENCRYPTED-usr
+mkfs.f2fs /dev/mapper/ENCRYPTED-opt
+mkfs.f2fs /dev/mapper/ENCRYPTED-home
+
+##### Mount the root FS where the CRUX installer expects it
+mount /dev/mapper/ENCRYPTED-root  /mnt
+
+##### Do the same for any partitions that will be written to during CRUX installation
+mkdir /mnt/{var,usr,opt,home,boot}
+
+mount /dev/mapper/ENCRYPTED-var   /mnt/var
+mount /dev/mapper/ENCRYPTED-usr   /mnt/usr
+mount /dev/mapper/ENCRYPTED-opt   /mnt/opt
+mount /dev/mapper/ENCRYPTED-home  /mnt/home
+mount /dev/sda1                   /mnt/boot
+
+setup # --> Install these extra packages (cryptsetup lvm2 syslinux dracut lz4)
+
+setup-chroot
+passwd
+localedef -i en_US -f UTF-8 en_US.UTF-8
+
+cat <<EOF > /etc/fstab 
+
+  /dev/mapper/ENCRYPTED-root  /      f2fs defaults 0 0
+  #/dev/mapper/swap            swap   swap defaults 0 0
+  /dev/sda1                   /boot  vfat defaults 0 0
+  /dev/mapper/ENCRYPTED-var   /var   f2fs defaults 0 0
+  /dev/mapper/ENCRYPTED-usr   /usr   f2fs defaults 0 0
+  /dev/mapper/ENCRYPTED-opt   /opt   f2fs defaults 0 0
+  /dev/mapper/ENCRYPTED-home  /home  f2fs defaults 0 0
+EOF
+
+##### Now write a custom initscript to handle the encrypted swap partition,
+cat <<EOF > /etc/rc.d/swap
+  #!/bin/sh
+
+  PROG="/usr/sbin/cryptsetup"
+  SWAP="swap"
+  CIPH="aes-cbc-essiv:sha256"
+  PART="/dev/sda2"
+
+  case $1 in
+  start)
+    if [ -e /dev/mapper/swap ] ; then
+      if swapon --show | grep -qs partition ; then
+         exit 0
+       else
+        swapon /dev/mapper/${SWAP}
+        exit 0
+      fi
+    else
+      ${PROG} -q -c ${CIPH} -d /dev/urandom create ${SWAP} ${PART}
+      mkswap -f /dev/mapper/${SWAP}
+      swapon  /dev/mapper/${SWAP}
+      exit 0
+    fi
+    ;;
+  stop)
+    swapoff -a
+    sleep 1
+    ${PROG} close /dev/mapper/${SWAP}
+    ;;
+  status)
+    swapon --show
+    ;;
+  *)
+    echo "usage: $0 [start|stop|status]"
+    ;;
+  esac
+EOF
+
+##### Make the above initscript executable, and add it to the SERVICES array
+chmod +x /etc/rc.d/swap
+
+vi /etc/rc.conf
+
+  SERVICES=(swap lo net crond)
+
+##### Continue configuring the network and building the kernel
+vi /etc/rc.d/net
+
+vi /etc/dracut.conf.d/modules.conf
+
+  add_dracutmodules+=" crypt lvm "
+
+cd /usr/src/linux-5.15.55
+make menuconfig
+make all && make modules_install
+
+##### Install the kernel, syslinux bootloader, and initramfs
+mkdir -p /boot/efi/BOOT
+cp arch/x86/boot/bzImage /boot/efi/BOOT/vmlinuz-5.15.55
+cp System.map /boot/efi/BOOT/System.map-5.15.55
+cp .config /boot/efi/BOOT/config-5.15.55
+
+dracut --kver 5.15.55
+mv /boot/initramfs-5.15.55.img /boot/efi/BOOT/
+
+cp /usr/share/syslinux/efi64/syslinux.efi /boot/efi/BOOT/bootx64.efi
+cp /usr/share/syslinux/efi64/ldlinux.e64 /boot/efi/BOOT
+
+vi /boot/efi/BOOT/syslinux.cfg
+
+  PROMPT  1
+  TIMEOUT 10
+  DEFAULT CRUX
+
+    LABEL  CRUX
+    LINUX  vmlinuz-5.15.55
+    APPEND root=/dev/mapper/ENCRYPTED-root rw rd.auto=1 
+    INITRD initramfs-5.15.55.img
+
+##### Display the EFI variables to verify that the boot order has an entry for the hard disk
+efibootmgr
+
+##### Reboot, and enjoy your new CRUX installation!
--- a/crux-wiki/Handbook3-7-Appendix
+++ b/crux-wiki/Handbook3-7-Appendix
@ -249,7 +249,7 @@ full-disk encryption in CRUX. But preparation for this setup begins at the
 partitioning stage, when you need to call commands from the '''lvm2''' and
 '''cryptsetup''' packages before creating and mounting your filesystems. So this
 section of the appendix just points to a separate document, where an
-[[https://gitlab.com/SiFuh/Documentation/-/blob/master/CRUX-3.6-Encrypted.txt | outline for installing CRUX with full-disk encryption]]
+[[CRUX-3.7-Encrypted.txt | outline for installing CRUX with full-disk encryption]]
 is given from beginning to end. Even if full-disk encryption is not your desired
 endpoint and you just want to learn more about highly-modular kernel configs,
 the need for an initramfs is easier to motivate by considering a specific use