Ben's notes

Linux, Unix, network, radio...

User Tools

Site Tools

Trace: apu-arch-encrypted
apu-arch-encrypted

Table of Contents

, , , ,

PC Engines APU - Arch Linux with LUKS encryption

Set-up

  • Host PC user (on Fedora) needs to be member of dialout and disk group to access serial port and be able to write to the USB drive. Or use sudo.
  • Connect to the PC Engines APU's serial port. 
    screen /dev/ttyUSB0 115200 # to select: boot from USB
screen /dev/ttyUSB0 38400  # to continue Arch Linux installation
  • Connect the APU to Ethernet / internet for updates and access to the repo's.

Bootable USB drive

  • Download the latest image from https://www.archlinux.org/download/.
  • Verify the download:
    SHA1: 91a195bf1395694151fc3f7f766e9d1233e2aed9

$ sha1sum archlinux-2017.05.01-x86_64.iso
91a195bf1395694151fc3f7f766e9d1233e2aed9  archlinux-2017.05.01-x86_64.iso
  • Copy image to USB:
    sudo dd bs=4M if=archlinux-2017.05.01-x86_64.iso of=/dev/sdx status=progress && sync

Boot Arch Linux from USB

  • Boot the APU en press F12, select USB boot.
  • Switch console to 38400 baud. Press 'ctrl-l' to redraw the screen.
  • Select the Boot Arch Linux option and press TAB.
  • Add console=ttyS0,38400 to the kernel line and press enter
  • Log in with user root (no password).
  • If you connected the network cable after booting, request an IP-address 
    # dhclient enp1s0
  • Install and run SSHd to complete the installation over SSH:
    select nearby mirror in: /etc/pacman.d/mirrorlist

# pacman -Sy
# pacman -S openssh
# passwd root
# systemctl start sshd

Install Arch Linux

The next steps will install Arch Linux on a encrypted root filesystem.

Partitions and filesystems

  • Secure erase SSD
    • Check that device is not frozen:
      # hdparm -I /dev/sdX
Security: 
	Master password revision code = 65534
		supported
	not	enabled
	not	locked
	not	frozen
	not	expired: security count
		supported: enhanced erase
	2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
    • Set password, any password will do, it will be reset to NULL after erasing.
      # hdparm --user-master u --security-set-pass Meu3lieY43 /dev/sdX
security_password: "Meu3lieY43"

/dev/sda:
 Issuing SECURITY_SET_PASS command, password="Meu3lieY43", user=user, mode=high
    • Check that password is enabled:
      # hdparm -I /dev/sdX
Security: 
	Master password revision code = 65534
		supported
		enabled
    • Secure erase SSD:
      # hdparm --user-master u --security-erase Meu3lieY43 /dev/sdX
security_password: "Meu3lieY43"

/dev/sda:
 Issuing SECURITY_ERASE command, password="Meu3lieY43", user=user
    • Check that master password is supported, but not enabled:
      # hdparm -I /dev/sdX
Security: 
	Master password revision code = 65534
		supported
  • Partition the SSD:
    (
echo o     # Create a new empty DOS partition table
echo n     # Add a new partition
echo p     # Primary partition
echo 1     # Partition number
echo       # First sector (Accept default: 1)
echo +256M # Last sector (Accept default: varies)
echo n     # Add a new partition
echo p     # Primary partition
echo 2     # Partition number
echo       # First sector (Accept default)
echo       # Last sector (Accept default, rest of the drive)
echo w     # Write changes
) | sudo fdisk /dev/sdX
  • You might reboot if you cannot use the new partitions yet:
    # partprobe /dev/sda                                                                                  :(
Error: Partition(s) 2 on /dev/sda have been written, but we have been unable to inform the kernel of the change, probably because it/they are in use.  As a result, the old partition(s) will remain in use.  You should reboot now before making further changes.
  • Create the /boot and root filesystems:
    
# cryptsetup -y -v luksFormat /dev/sdX2
# cryptsetup open /dev/sdX2 cryptroot
# mkfs.ext4 /dev/mapper/cryptroot
# mount /dev/mapper/cryptroot /mnt

# mkfs.ext4 /dev/sdX1
# mkdir /mnt/boot
# mount /dev/sdX1 /mnt/boot

Install Arch Linux

  • Copy Arch Linux to the new filesystems:
    # pacstrap /mnt base
  • Generate a fstab:
    # genfstab -L /mnt >> /mnt/etc/fstab
  • Chroot into the new system:
    # arch-chroot /mnt
  • Set root password:
    # passwd root
  • Setup system clock:
    # ln -s /usr/share/zoneinfo/Europe/Stockholm /etc/localtime
# hwclock --systohc --utc
  • Set the hostname:
    # echo MYHOSTNAME > /etc/hostname
  • Update locale:
    # vi /etc/locale.gen
# locale-gen
  • Add encryption hook:
    # vi /etc/mkinitcpio.conf 
HOOKS="base udev autodetect modconf keyboard keymap block encrypt filesystems keyboard fsck"
  • Generate new initramfs:
    # mkinitcpio -p linux
  • Install bootloader:
    # pacman -S grub
# grub-install /dev/sda
# grub-mkconfig -o /boot/grub/grub.cfg
  • Modify kernel options for decrypting the root filesystem:
    # vi /etc/default/grub
GRUB_CMDLINE_LINUX="cryptdevice=UUID=<device-UUID>:cryptroot"
  • Configure serial port:
    # vi /etc/default/grub   # add options below
GRUB_CMDLINE_LINUX_DEFAULT="console=tty0 console=ttyS0,115200n8"
  • Configure grub and serial:
    # vi /etc/default/grub   # add options below

## Serial console
GRUB_TERMINAL=serial
GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"
  • Make new grub config:
    # grub-mkconfig -o /boot/grub/grub.cfg
  • Reboot and connect with 115200 baud.

Post install

  • Configure network:
    # cp /etc/netctl/examples/ethernet-static /etc/netctl

# vi /etc/netctl/ethernet-static

# netctl list
# netctl start ethernet-static
# netctl enable ethernet-static
  • Add users
  • Enable SSH:
    # pacman -S openssh
# systemctl enable sshd
# systemctl start sshd
  • Configure simple firewall:
    # pacman -S ufw
# ufw default deny
# ufw allow SSH
# ufw enable
  • Configure timekeeping: 
    vi /etc/systemd/timesyncd.conf
# timedatectl set-ntp true
apu-arch-encrypted.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1