PC Engines APU - Arch Linux with LUKS encryption
Set-up
- The host PC user (on Fedora) needs to be a member of the dialout and disk groups to access the serial port and to write to the USB drive. Or use sudo.
- Connect to the PC Engines APU's serial port:
  screen /dev/ttyUSB0 115200   # to select: boot from USB
  screen /dev/ttyUSB0 38400    # to continue the Arch Linux installation
- Connect the APU to Ethernet / the internet for updates and access to the package repositories.
Bootable USB drive
- Download the latest image from https://www.archlinux.org/download/.
- Verify the download (the checksum detects a corrupt download; the PGP signature published next to the image verifies its authenticity):
  SHA1: 91a195bf1395694151fc3f7f766e9d1233e2aed9
  $ sha1sum archlinux-2017.05.01-x86_64.iso
  91a195bf1395694151fc3f7f766e9d1233e2aed9  archlinux-2017.05.01-x86_64.iso
- Copy the image to the USB drive:
  sudo dd bs=4M if=archlinux-2017.05.01-x86_64.iso of=/dev/sdx status=progress && sync
Boot Arch Linux from USB
- Boot the APU and press F12, then select USB boot.
- Switch console to 38400 baud. Press 'ctrl-l' to redraw the screen.
- Select the "Boot Arch Linux" option and press TAB.
- Add console=ttyS0,38400 to the kernel line and press enter.
- Log in as user root (no password).
- If you connected the network cable after booting, request an IP address:
  # dhclient enp1s0
- Install and run sshd to complete the installation over SSH:
  select a nearby mirror in /etc/pacman.d/mirrorlist
  # pacman -Sy
  # pacman -S openssh
  # passwd root
  # systemctl start sshd
Install Arch Linux
The next steps install Arch Linux on an encrypted root filesystem.
Partitions and filesystems
- Secure erase the SSD
- Check that the device is not frozen:
  # hdparm -I /dev/sdX
  Security:
      Master password revision code = 65534
          supported
      not enabled
      not locked
      not frozen
      not expired: security count
          supported: enhanced erase
      2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
- Set a password. Any password will do; it is reset to NULL after erasing.
  # hdparm --user-master u --security-set-pass Meu3lieY43 /dev/sdX
  security_password: "Meu3lieY43"
  /dev/sda:
   Issuing SECURITY_SET_PASS command, password="Meu3lieY43", user=user, mode=high
- Check that the password is enabled:
  # hdparm -I /dev/sdX
  Security:
      Master password revision code = 65534
          supported
          enabled
- Secure erase the SSD:
  # hdparm --user-master u --security-erase Meu3lieY43 /dev/sdX
  security_password: "Meu3lieY43"
  /dev/sda:
   Issuing SECURITY_ERASE command, password="Meu3lieY43", user=user
- Check that the master password is supported, but not enabled:
  # hdparm -I /dev/sdX
  Security:
      Master password revision code = 65534
          supported
- Partition the SSD:
  (
  echo o      # Create a new empty DOS partition table
  echo n      # Add a new partition
  echo p      # Primary partition
  echo 1      # Partition number
  echo        # First sector (accept default)
  echo +256M  # Last sector: 256 MiB for /boot
  echo n      # Add a new partition
  echo p      # Primary partition
  echo 2      # Partition number
  echo        # First sector (accept default)
  echo        # Last sector (accept default: rest of the drive)
  echo w      # Write changes
  ) | sudo fdisk /dev/sdX
- You might have to reboot if you cannot use the new partitions yet:
  # partprobe /dev/sda
  Error: Partition(s) 2 on /dev/sda have been written, but we have been unable to inform the kernel of the change, probably because it/they are in use. As a result, the old partition(s) will remain in use. You should reboot now before making further changes.
- Create the /boot and root filesystems:
  # cryptsetup -y -v luksFormat /dev/sdX2
  # cryptsetup open /dev/sdX2 cryptroot
  # mkfs.ext4 /dev/mapper/cryptroot
  # mount /dev/mapper/cryptroot /mnt
  # mkfs.ext4 /dev/sdX1
  # mkdir /mnt/boot
  # mount /dev/sdX1 /mnt/boot
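The secure-erase checks above (not frozen before setting the password, enabled after it, supported but no longer enabled after the erase) can be scripted against the text of `hdparm -I`. The POSIX shell functions below are an added example, not code from the original page; the function names are mine and the sample output is constructed to mirror the page's.

```shell
#!/bin/sh
# Added example (not from the original page): parse the "Security:" section of
# `hdparm -I` output and decide whether the SECURITY ERASE step can be issued.
# Argument 1 is the full text of `hdparm -I /dev/sdX`; samples are constructed.

# Print the flags that are set, any of "supported enabled locked frozen", in
# that order. A flag preceded by "not" (e.g. "not frozen") is not reported.
hdparm_security_state() {
    sec=$(printf '%s\n' "$1" | sed -n '/^Security:/,/^[^[:space:]]/p')
    state=""
    for flag in supported enabled locked frozen; do
        if printf '%s\n' "$sec" | grep -q "^[[:space:]]*${flag}\$"; then
            state="$state $flag"
        fi
    done
    printf '%s\n' "${state# }"
}

# Pre-flight for `hdparm --security-erase`: the feature set must be supported,
# the drive must be neither frozen nor locked, and a user password must be set.
hdparm_erase_ready() {
    state=" $(hdparm_security_state "$1") "
    case "$state" in *" supported "*) ;;
        *) echo "blocked: ATA security feature set not supported"; return 1 ;;
    esac
    case "$state" in *" frozen "*)
        echo "blocked: frozen (suspend/resume or power-cycle the drive first)"; return 1 ;;
    esac
    case "$state" in *" locked "*)
        echo "blocked: locked (unlock with the user password first)"; return 1 ;;
    esac
    case "$state" in *" enabled "*) echo "ready"; return 0 ;; esac
    echo "blocked: no user password set (run --security-set-pass first)"; return 1
}
# Constructed samples mirroring the page: before set-pass, after set-pass, frozen.
HDPARM_FRESH='/dev/sdX:
Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
        not     frozen
        not     expired: security count
                supported: enhanced erase
        2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct'
HDPARM_SETPASS=$(printf '%s\n' "$HDPARM_FRESH" | sed 's/^[[:space:]]*not[[:space:]]*enabled$/        enabled/')
HDPARM_FROZEN=$(printf '%s\n' "$HDPARM_SETPASS" | sed 's/^[[:space:]]*not[[:space:]]*frozen$/        frozen/')
```

Run it as `hdparm_erase_ready "$(hdparm -I /dev/sdX)"` before the erase step; a frozen drive is the usual reason the erase is refused on the APU.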
Install Arch Linux
- Copy Arch Linux to the new filesystems:
# pacstrap /mnt base
- Generate a fstab:
# genfstab -L /mnt >> /mnt/etc/fstab
- Chroot into the new system:
# arch-chroot /mnt
- Set root password:
# passwd root
- Set up the system clock:
  # ln -s /usr/share/zoneinfo/Europe/Stockholm /etc/localtime
  # hwclock --systohc --utc
- Set the hostname:
# echo MYHOSTNAME > /etc/hostname
- Update the locale:
  # vi /etc/locale.gen
  # locale-gen
- Add the encryption hook:
  # vi /etc/mkinitcpio.conf
  HOOKS="base udev autodetect modconf keyboard keymap block encrypt filesystems keyboard fsck"
- Generate a new initramfs:
  # mkinitcpio -p linux
- Install the bootloader:
  # pacman -S grub
  # grub-install /dev/sda
  # grub-mkconfig -o /boot/grub/grub.cfg
- Modify the kernel options for decrypting the root filesystem (replace <device-UUID> with the UUID of the LUKS partition /dev/sdX2):
  # vi /etc/default/grub
  GRUB_CMDLINE_LINUX="cryptdevice=UUID=<device-UUID>:cryptroot"
- Configure the serial port:
  # vi /etc/default/grub
  # add the options below
  GRUB_CMDLINE_LINUX_DEFAULT="console=tty0 console=ttyS0,115200n8"
- Configure grub for the serial console:
  # vi /etc/default/grub
  # add the options below
  ## Serial console
  GRUB_TERMINAL=serial
  GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"
- Make a new grub config:
  # grub-mkconfig -o /boot/grub/grub.cfg
- Reboot and connect with 115200 baud.
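Two of the steps above decide whether the encrypted root boots at all: the position of the encrypt hook in HOOKS and the cryptdevice= option in /etc/default/grub. The shell functions below are an added example, not code from the original page; the function names and the sample config text are mine.

```shell
#!/bin/sh
# Added example (not from the original page): check the two settings the
# encrypted root depends on at boot: the HOOKS order in /etc/mkinitcpio.conf
# and the cryptdevice= option for /etc/default/grub. Inputs are passed as
# text, so the checks run against the real files or against the samples below.

# 1-based position of a hook in the HOOKS="..." (or HOOKS=(...)) line, 0 if absent.
hook_index() {
    printf '%s\n' "$1" | sed -n 's/^HOOKS=[("]\(.*\)[")]$/\1/p' | tr ' ' '\n' \
        | grep -n -x "$2" | head -n 1 | cut -d: -f1 | grep . || echo 0
}

# encrypt must run after block (the LUKS partition's device node exists) and
# before filesystems (root has to be unlocked before it can be mounted);
# otherwise the initramfs never asks for the passphrase and the boot fails.
check_hooks() {
    b=$(hook_index "$1" block)
    e=$(hook_index "$1" encrypt)
    f=$(hook_index "$1" filesystems)
    [ "$e" -gt 0 ] || { echo "encrypt hook missing"; return 1; }
    [ "$b" -gt 0 ] && [ "$b" -lt "$e" ] || { echo "block must precede encrypt"; return 1; }
    [ "$f" -gt "$e" ] || { echo "encrypt must precede filesystems"; return 1; }
    echo ok
}

# Build the GRUB option from the LUKS partition's UUID (blkid -s UUID -o value
# /dev/sdX2, i.e. the raw partition, not /dev/mapper/cryptroot) and the mapper
# name, which must match the one used in `cryptsetup open` and in fstab.
cryptdevice_option() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' \
        || { echo "not a partition UUID: $1" >&2; return 1; }
    printf 'cryptdevice=UUID=%s:%s\n' "$1" "$2"
}

# Constructed samples: the page's HOOKS line (plus a commented-out line, as in
# the stock file) and a broken order with encrypt after filesystems.
MKINITCPIO_OK='MODULES=""
#HOOKS="base"
HOOKS="base udev autodetect modconf keyboard keymap block encrypt filesystems keyboard fsck"'
MKINITCPIO_BAD='HOOKS="base udev autodetect modconf block filesystems encrypt fsck"'
```

In the chroot, `check_hooks "$(cat /etc/mkinitcpio.conf)"` before `mkinitcpio -p linux` and `cryptdevice_option "$(blkid -s UUID -o value /dev/sdX2)" cryptroot` give the line to paste into GRUB_CMDLINE_LINUX.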
Post install
- Configure the network:
  # cp /etc/netctl/examples/ethernet-static /etc/netctl
  # vi /etc/netctl/ethernet-static
  # netctl list
  # netctl start ethernet-static
  # netctl enable ethernet-static
- Add users
- Enable SSH:
  # pacman -S openssh
  # systemctl enable sshd
  # systemctl start sshd
- Configure a simple firewall:
  # pacman -S ufw
  # ufw default deny
  # ufw allow SSH
  # ufw enable
- Configure timekeeping:
  # vi /etc/systemd/timesyncd.conf
  # timedatectl set-ntp true
apu-arch-encrypted.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1