Ben Stienstra

Linux, Unix, network, radio and more...

User Tools

Site Tools


apu-arch-encrypted

PC Engines APU - Arch Linux with LUKS encryption

Set-up

  • Host PC user (on Fedora) needs to be member of dialout and disk group to access serial port and be able to write to the USB drive. Or use sudo.
  • Connect to the PC Engines APU's serial port.
    screen /dev/ttyUSB0 115200 # to select: boot from USB
    screen /dev/ttyUSB0 38400  # to continue Arch Linux installation
  • Connect the APU to Ethernet / internet for updates and access to the repo's.

Bootable USB drive

  • Download the latest image from https://www.archlinux.org/download/.
  • Verify the download:
    SHA1: 91a195bf1395694151fc3f7f766e9d1233e2aed9
    
    $ sha1sum archlinux-2017.05.01-x86_64.iso
    91a195bf1395694151fc3f7f766e9d1233e2aed9  archlinux-2017.05.01-x86_64.iso
  • Copy image to USB:
    sudo dd bs=4M if=archlinux-2017.05.01-x86_64.iso of=/dev/sdx status=progress && sync

Boot Arch Linux from USB

  • Boot the APU en press F12, select USB boot.
  • Switch console to 38400 baud. Press 'ctrl-l' to redraw the screen.
  • Select the Boot Arch Linux option and press TAB.
  • Add console=ttyS0,38400 to the kernel line and press enter
  • Log in with user root (no password).
  • If you connected the network cable after booting, request an IP-address
    # dhclient enp1s0
  • Install and run SSHd to complete the installation over SSH:
    select nearby mirror in: /etc/pacman.d/mirrorlist
    
    # pacman -Sy
    # pacman -S openssh
    # passwd root
    # systemctl start sshd

Install Arch Linux

The next steps will install Arch Linux on a encrypted root filesystem.

Partitions and filesystems

  • Secure erase SSD
    • Check that device is not frozen:
      # hdparm -I /dev/sdX
      Security: 
      	Master password revision code = 65534
      		supported
      	not	enabled
      	not	locked
      	not	frozen
      	not	expired: security count
      		supported: enhanced erase
      	2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
    • Set password, any password will do, it will be reset to NULL after erasing.
      # hdparm --user-master u --security-set-pass Meu3lieY43 /dev/sdX
      security_password: "Meu3lieY43"
      
      /dev/sda:
       Issuing SECURITY_SET_PASS command, password="Meu3lieY43", user=user, mode=high
    • Check that password is enabled:
      # hdparm -I /dev/sdX
      Security: 
      	Master password revision code = 65534
      		supported
      		enabled
    • Secure erase SSD:
      # hdparm --user-master u --security-erase Meu3lieY43 /dev/sdX
      security_password: "Meu3lieY43"
      
      /dev/sda:
       Issuing SECURITY_ERASE command, password="Meu3lieY43", user=user
    • Check that master password is supported, but not enabled:
      # hdparm -I /dev/sdX
      Security: 
      	Master password revision code = 65534
      		supported
      
  • Partition the SSD:
    (
    echo o     # Create a new empty DOS partition table
    echo n     # Add a new partition
    echo p     # Primary partition
    echo 1     # Partition number
    echo       # First sector (Accept default: 1)
    echo +256M # Last sector (Accept default: varies)
    echo n     # Add a new partition
    echo p     # Primary partition
    echo 2     # Partition number
    echo       # First sector (Accept default)
    echo       # Last sector (Accept default, rest of the drive)
    echo w     # Write changes
    ) | sudo fdisk /dev/sdX
  • You might reboot if you cannot use the new partitions yet:
    # partprobe /dev/sda                                                                                  :(
    Error: Partition(s) 2 on /dev/sda have been written, but we have been unable to inform the kernel of the change, probably because it/they are in use.  As a result, the old partition(s) will remain in use.  You should reboot now before making further changes.
  • Create the /boot and root filesystems:
    
    # cryptsetup -y -v luksFormat /dev/sdX2
    # cryptsetup open /dev/sdX2 cryptroot
    # mkfs.ext4 /dev/mapper/cryptroot
    # mount /dev/mapper/cryptroot /mnt
    
    # mkfs.ext4 /dev/sdX1
    # mkdir /mnt/boot
    # mount /dev/sdX1 /mnt/boot

Install Arch Linux

  • Copy Arch Linux to the new filesystems:
    # pacstrap /mnt base
  • Generate a fstab:
    # genfstab -L /mnt >> /mnt/etc/fstab
  • Chroot into the new system:
    # arch-chroot /mnt
  • Set root password:
    # passwd root
  • Setup system clock:
    # ln -s /usr/share/zoneinfo/Europe/Stockholm /etc/localtime
    # hwclock --systohc --utc
  • Set the hostname:
    # echo MYHOSTNAME > /etc/hostname
  • Update locale:
    # vi /etc/locale.gen
    # locale-gen
  • Add encryption hook:
    # vi /etc/mkinitcpio.conf 
    HOOKS="base udev autodetect modconf keyboard keymap block encrypt filesystems keyboard fsck"
  • Generate new initramfs:
    # mkinitcpio -p linux
  • Install bootloader:
    # pacman -S grub
    # grub-install /dev/sda
    # grub-mkconfig -o /boot/grub/grub.cfg
  • Modify kernel options for decrypting the root filesystem:
    # vi /etc/default/grub
    GRUB_CMDLINE_LINUX="cryptdevice=UUID=<device-UUID>:cryptroot"
    
  • Configure serial port:
    # vi /etc/default/grub   # add options below
    GRUB_CMDLINE_LINUX_DEFAULT="console=tty0 console=ttyS0,115200n8"
  • Configure grub and serial:
    # vi /etc/default/grub   # add options below
    
    ## Serial console
    GRUB_TERMINAL=serial
    GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"
  • Make new grub config:
    # grub-mkconfig -o /boot/grub/grub.cfg
  • Reboot and connect with 115200 baud.

Post install

  • Configure network:
    # cp /etc/netctl/examples/ethernet-static /etc/netctl
    
    # vi /etc/netctl/ethernet-static
    
    # netctl list
    # netctl start ethernet-static
    # netctl enable ethernet-static
  • Add users
  • Enable SSH:
    # pacman -S openssh
    # systemctl enable sshd
    # systemctl start sshd
  • Configure simple firewall:
    # pacman -S ufw
    # ufw default deny
    # ufw allow SSH
    # ufw enable
  • Configure timekeeping:
    vi /etc/systemd/timesyncd.conf
    # timedatectl set-ntp true
apu-arch-encrypted.txt · Last modified: 2017/05/26 20:37 by admin