Ben's notes

Linux, Unix, network, radio...

User Tools

Site Tools

Trace:
apu-arch-encrypted
no way to compare when less than two revisions

Differences

This shows you the differences between two versions of the page.


Last revision
apu-arch-encrypted [2017/05/26 20:37] – created admin
Line 1: Line 1:
 +{{tag>[hardware apu arch linux encrypted]}}
 +~~TOC~~
  
 +=====PC Engines APU - Arch Linux with LUKS encryption=====
 +
 +====Set-up====
 +  * Host PC user (on Fedora) needs to be member of ''dialout'' and ''disk'' group to access serial port and be able to write to the USB drive. Or use sudo.
 +  * Connect to the PC Engines APU's serial port. <code>
 +screen /dev/ttyUSB0 115200 # to select: boot from USB
 +screen /dev/ttyUSB0 38400  # to continue Arch Linux installation</code>
 +  * Connect the APU to Ethernet / internet for updates and access to the repo's.
 +
 +====Bootable USB drive====
 +  * Download the latest image from [[https://www.archlinux.org/download/]].
 +  * Verify the download:<code>
 +SHA1: 91a195bf1395694151fc3f7f766e9d1233e2aed9
 +
 +$ sha1sum archlinux-2017.05.01-x86_64.iso
 +91a195bf1395694151fc3f7f766e9d1233e2aed9  archlinux-2017.05.01-x86_64.iso
 +</code>
 +  * Copy image to USB:<code>
 +sudo dd bs=4M if=archlinux-2017.05.01-x86_64.iso of=/dev/sdx status=progress && sync
 +</code>
 +====Boot Arch Linux from USB====
 +  * Boot the APU en press F12, select USB boot.
 +  * Switch console to 38400 baud. Press 'ctrl-l' to redraw the screen.
 +  * Select the ''Boot Arch Linux'' option and press ''TAB''.
 +  * Add ''console=ttyS0,38400'' to the kernel line and press ''enter'' {{:private:screenshot_from_2017-05-26_19-14-16.png?nolink|}}
 +  * Log in with user ''root'' (no password).
 +  * If you connected the network cable after booting, request an IP-address <code># dhclient enp1s0</code>
 +  * Install and run SSHd to complete the installation over SSH:<code>
 +select nearby mirror in: /etc/pacman.d/mirrorlist
 +
 +# pacman -Sy
 +# pacman -S openssh
 +# passwd root
 +# systemctl start sshd</code>
 +
 +====Install Arch Linux====
 +The next steps will install Arch Linux on a encrypted root filesystem.
 +
 +===Partitions and filesystems===
 +  * Secure erase SSD
 +    * Check that device is not frozen:<code># hdparm -I /dev/sdX
 +Security: 
 + Master password revision code = 65534
 + supported
 + not enabled
 + not locked
 + not frozen
 + not expired: security count
 + supported: enhanced erase
 + 2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
 +</code>
 +    * Set password, any password will do, it will be reset to NULL after erasing.<code>
 +# hdparm --user-master u --security-set-pass Meu3lieY43 /dev/sdX
 +security_password: "Meu3lieY43"
 +
 +/dev/sda:
 + Issuing SECURITY_SET_PASS command, password="Meu3lieY43", user=user, mode=high
 +</code>
 +    * Check that password is ''enabled'':<code>
 +# hdparm -I /dev/sdX
 +Security: 
 + Master password revision code = 65534
 + supported
 + enabled</code>
 +    * Secure erase SSD:<code># hdparm --user-master u --security-erase Meu3lieY43 /dev/sdX
 +security_password: "Meu3lieY43"
 +
 +/dev/sda:
 + Issuing SECURITY_ERASE command, password="Meu3lieY43", user=user</code>
 +    * Check that master password is supported, but not enabled:<code>
 +# hdparm -I /dev/sdX
 +Security: 
 + Master password revision code = 65534
 + supported
 +
 +</code>
 +  * Partition the SSD:<code>
 +(
 +echo o     # Create a new empty DOS partition table
 +echo n     # Add a new partition
 +echo p     # Primary partition
 +echo 1     # Partition number
 +echo       # First sector (Accept default: 1)
 +echo +256M # Last sector (Accept default: varies)
 +echo n     # Add a new partition
 +echo p     # Primary partition
 +echo 2     # Partition number
 +echo       # First sector (Accept default)
 +echo       # Last sector (Accept default, rest of the drive)
 +echo w     # Write changes
 +) | sudo fdisk /dev/sdX
 +</code>
 +  * You might reboot if you cannot use the new partitions yet:<code>
 +# partprobe /dev/sda                                                                                  :(
 +Error: Partition(s) 2 on /dev/sda have been written, but we have been unable to inform the kernel of the change, probably because it/they are in use.  As a result, the old partition(s) will remain in use.  You should reboot now before making further changes.
 +</code>
 +  * Create the /boot and root filesystems:<code>
 +
 +
 +# cryptsetup -y -v luksFormat /dev/sdX2
 +# cryptsetup open /dev/sdX2 cryptroot
 +# mkfs.ext4 /dev/mapper/cryptroot
 +# mount /dev/mapper/cryptroot /mnt
 +
 +# mkfs.ext4 /dev/sdX1
 +# mkdir /mnt/boot
 +# mount /dev/sdX1 /mnt/boot
 +</code>
 +
 +===Install Arch Linux===
 +  * Copy Arch Linux to the new filesystems:<code># pacstrap /mnt base</code>
 +  * Generate a fstab:<code># genfstab -L /mnt >> /mnt/etc/fstab</code>
 +  * Chroot into the new system:<code># arch-chroot /mnt</code>
 +  * Set root password:<code># passwd root</code>
 +  * Setup system clock:<code>
 +# ln -s /usr/share/zoneinfo/Europe/Stockholm /etc/localtime
 +# hwclock --systohc --utc</code>
 +  * Set the hostname:<code># echo MYHOSTNAME > /etc/hostname</code>
 +  * Update locale:<code># vi /etc/locale.gen
 +# locale-gen</code>
 +  * Add encryption hook:<code># vi /etc/mkinitcpio.conf 
 +HOOKS="base udev autodetect modconf keyboard keymap block encrypt filesystems keyboard fsck"
 +</code>
 +  * Generate new initramfs:<code># mkinitcpio -p linux</code>
 +  * Install bootloader:<code># pacman -S grub
 +# grub-install /dev/sda
 +# grub-mkconfig -o /boot/grub/grub.cfg
 +</code>
 +  * Modify kernel options for decrypting the root filesystem:<code>
 +# vi /etc/default/grub
 +GRUB_CMDLINE_LINUX="cryptdevice=UUID=<device-UUID>:cryptroot"
 +
 +</code>
 +  * Configure serial port:<code>
 +# vi /etc/default/grub   # add options below
 +GRUB_CMDLINE_LINUX_DEFAULT="console=tty0 console=ttyS0,115200n8"
 +</code>
 +  * Configure grub and serial:<code>
 +# vi /etc/default/grub   # add options below
 +
 +## Serial console
 +GRUB_TERMINAL=serial
 +GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"
 +</code>
 +  * Make new grub config:<code># grub-mkconfig -o /boot/grub/grub.cfg</code>
 +  * Reboot and connect with 115200 baud.
 +
 +====Post install====
 +  * Configure network:<code>
 +# cp /etc/netctl/examples/ethernet-static /etc/netctl
 +
 +# vi /etc/netctl/ethernet-static
 +
 +# netctl list
 +# netctl start ethernet-static
 +# netctl enable ethernet-static
 +</code>
 +  * Add users
 +  * Enable SSH:<code>
 +# pacman -S openssh
 +# systemctl enable sshd
 +# systemctl start sshd
 +</code>
 +  * Configure simple firewall:<code>
 +# pacman -S ufw
 +# ufw default deny
 +# ufw allow SSH
 +# ufw enable
 +</code>
 +  * Configure timekeeping: <code>
 +vi /etc/systemd/timesyncd.conf
 +# timedatectl set-ntp true
 +</code>
apu-arch-encrypted.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1