apu-arch-encrypted
Created 2017/05/26 20:37 by admin
=====PC Engines APU - Arch Linux with LUKS encryption=====

====Set-up====
  * Host PC user (on Fedora) needs to be member of ''
  * Connect to the PC Engines APU's serial port. <code>
screen /
screen /
</code>
  * Connect the APU to Ethernet / internet for updates and access to the repo's.

====Bootable USB drive====
  * Download the latest image from [[https://
  * Verify the download:<code>
SHA1: 91a195bf1395694151fc3f7f766e9d1233e2aed9

$ sha1sum archlinux-2017.05.01-x86_64.iso
91a195bf1395694151fc3f7f766e9d1233e2aed9
</code>
  * Copy image to USB:<code>
sudo dd bs=4M if=archlinux-2017.05.01-x86_64.iso of=/dev/sdx status=progress && sync
</code>

====Boot Arch Linux from USB====
  * Boot the APU and press F12, select USB boot.
  * Switch console to 38400 baud. Press ''
  * Select the ''
  * Add ''
  * Log in with user ''
  * If you connected the network cable after booting, request an IP address <code></code>
  * Install and run SSHd to complete the installation over SSH:<code>
select nearby mirror in: /

# pacman -Sy
# pacman -S openssh
# passwd root
# systemctl start sshd</code>

====Install Arch Linux====
The next steps will install Arch Linux on an encrypted root filesystem.

===Partitions and filesystems===
  * Secure erase SSD
  * Check that the device is not frozen:<code>
Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
        not     frozen
        not     expired:
                supported:
        2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
</code>
  * Set a password; any password will do, as it is reset to NULL after erasing.<code>
# hdparm --user-master u --security-set-pass Meu3lieY43 /dev/sdX
security_password:

/dev/sda:

</code>
  * Check that the password is ''<code>
# hdparm -I /dev/sdX
Security:
        Master password revision code = 65534
                supported
                enabled</code>
  * Secure erase SSD:<code>
security_password:

/dev/sda:

</code>
  * Check that the master password is supported, but not enabled:<code>
# hdparm -I /dev/sdX
Security:
        Master password revision code = 65534
                supported

</code>
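The three ''hdparm -I'' checks above (not frozen before setting a password, enabled after, supported but not enabled after the erase) are easy to misread by eye on a serial console. The script below is an added example, not part of the original page; it parses the text of ''hdparm -I'' with a POSIX shell, sed and grep, and the sample output it runs on is constructed in the shape of the output shown above.

```sh
#!/bin/sh
# Added example (not from the page): classify the Security section of `hdparm -I`
# before the secure-erase steps. Real hdparm separates words with tabs; the page shows
# spaces, so the patterns accept either.

# Return 0 when security is supported, no password is enabled and the drive is not
# frozen; otherwise print the reason on stderr and return 1. $1 is the `hdparm -I` text.
ata_security_ready() {
    sec=$(printf '%s\n' "$1" | sed -n '/^Security:/,$p')
    [ -n "$sec" ] || { echo "no Security section: drive does not report ATA security" >&2; return 1; }
    printf '%s\n' "$sec" | grep -q '^[[:space:]]*supported[[:space:]]*$' \
        || { echo "ATA security not supported" >&2; return 1; }
    printf '%s\n' "$sec" | grep -q '^[[:space:]]*not[[:space:]]*frozen' \
        || { echo "drive is frozen: suspend/resume or power-cycle and retry" >&2; return 1; }
    printf '%s\n' "$sec" | grep -q '^[[:space:]]*not[[:space:]]*enabled' \
        || { echo "a security password is already enabled: disable it before setting another" >&2; return 1; }
}

# Constructed sample in the shape of the page's output.
READY="Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
        not     frozen
        not     expired: security count
                supported: enhanced erase
        2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT."
# Derived negative samples: a frozen drive, and one whose password is still enabled.
FROZEN=$(printf '%s\n' "$READY" | sed 's/not[[:space:]]*frozen/frozen/')
ENABLED=$(printf '%s\n' "$READY" | sed 's/not[[:space:]]*enabled/enabled/')

# Real use: ata_security_ready "$(hdparm -I /dev/sdX)"
ata_security_ready "$READY"   && echo "ready for --security-set-pass"
ata_security_ready "$FROZEN"  || echo "frozen sample rejected"
ata_security_ready "$ENABLED" || echo "enabled sample rejected"
```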
  * Partition the SSD:<code>
(
echo o # Create a new empty DOS partition table
echo n # Add a new partition
echo p # Primary partition
echo 1 # Partition number
echo   # First sector (Accept default: 1)
echo +256M # Last sector (Accept default: varies)
echo n # Add a new partition
echo p # Primary partition
echo 2 # Partition number
echo   # First sector (Accept default)
echo   # Last sector (Accept default, rest of the drive)
echo w # Write changes
) | sudo fdisk /dev/sdX
</code>
  * You might have to reboot if you cannot use the new partitions yet:<code>
# partprobe /
Error: Partition(s) 2 on /dev/sda have been written, but we have been unable to inform the kernel of the change, probably because it/they are in use. As a result, the old partition(s) will remain in use. You should reboot now before making further changes.
</code>
  * Create the /boot and root filesystems:<code>
# cryptsetup -y -v luksFormat /dev/sdX2
# cryptsetup open /dev/sdX2 cryptroot
# mkfs.ext4 /
# mount /

# mkfs.ext4 /dev/sdX1
# mkdir /mnt/boot
# mount /dev/sdX1 /mnt/boot
</code>

===Install Arch Linux===
  * Copy Arch Linux to the new filesystems:<code></code>
  * Generate an fstab:<code></code>
  * Chroot into the new system:<code></code>
  * Set the root password:<code></code>
  * Set up the system clock:<code>
# ln -s /
# hwclock --systohc --utc</code>
  * Set the hostname:<code></code>
  * Update locale:<code>
# locale-gen</code>
  * Add the encryption hook:<code>
HOOKS="
</code>
  * Generate a new initramfs:<code></code>
  * Install the bootloader:<code>
# grub-install /dev/sda
# grub-mkconfig -o /
</code>
  * Modify kernel options for decrypting the root filesystem:<code>
# vi /
GRUB_CMDLINE_LINUX="
</code>
  * Configure the serial port:<code>
# vi /
GRUB_CMDLINE_LINUX_DEFAULT="
</code>
  * Configure grub and serial:<code>
# vi /

## Serial console
GRUB_TERMINAL=serial
GRUB_SERIAL_COMMAND="
</code>
  * Make the new grub config:<code></code>
  * Reboot and connect with 115200 baud.
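Two of the steps above decide whether the encrypted root comes up at all: the ''encrypt'' hook must sit after ''block'' and before ''filesystems'' in ''/etc/mkinitcpio.conf'', and ''GRUB_CMDLINE_LINUX'' in ''/etc/default/grub'' must carry ''cryptdevice=<device>:<name>'' together with ''root=/dev/mapper/<name>''. The script below is an added example, not from the page; it checks both lines before you reboot and assumes the container is opened as ''cryptroot'', as in the cryptsetup step above. The sample lines it runs on are constructed, since the page's own values are truncated.

```sh
#!/bin/sh
# Added example (not from the page): sanity-check the two settings an encrypted
# root depends on before leaving the chroot. Assumes the LUKS mapping name
# "cryptroot" used in the page's cryptsetup step.

# Return 0 when a HOOKS= line orders the hooks block ... encrypt ... filesystems.
check_hooks_line() {
    hooks=$(printf '%s\n' "$1" | sed -n 's/^HOOKS=//p' | tr -d '"()')
    pos=0 b=0 e=0 f=0
    for h in $hooks; do
        pos=$((pos + 1))
        case $h in
            block)       b=$pos ;;
            encrypt)     e=$pos ;;
            filesystems) f=$pos ;;
        esac
    done
    [ "$e" -gt 0 ] || { echo "HOOKS: encrypt hook missing" >&2; return 1; }
    [ "$b" -gt 0 ] && [ "$b" -lt "$e" ] || { echo "HOOKS: encrypt must come after block" >&2; return 1; }
    [ "$f" -gt 0 ] && [ "$e" -lt "$f" ] || { echo "HOOKS: encrypt must come before filesystems" >&2; return 1; }
}

# Return 0 when a GRUB_CMDLINE_LINUX= line has cryptdevice=<device>:<name>[:options]
# and root=/dev/mapper/<name> for the same <name>.
check_cmdline_line() {
    line=$(printf '%s\n' "$1" | sed -n 's/^GRUB_CMDLINE_LINUX=//p' | tr -d '"')
    name=''
    for opt in $line; do
        case $opt in
            cryptdevice=*:*) rest=${opt#cryptdevice=}; rest=${rest#*:}; name=${rest%%:*} ;;
        esac
    done
    [ -n "$name" ] || { echo "cmdline: cryptdevice=<device>:<name> missing" >&2; return 1; }
    case " $line " in
        *" root=/dev/mapper/$name "*) return 0 ;;
    esac
    echo "cmdline: root= must be /dev/mapper/$name" >&2
    return 1
}

# Constructed sample lines (illustrative, not the page's truncated values).
GOOD_HOOKS='HOOKS="base udev autodetect modconf block encrypt filesystems keyboard fsck"'
BAD_HOOKS='HOOKS="base udev autodetect modconf block filesystems keyboard fsck"'
GOOD_CMDLINE='GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:cryptroot root=/dev/mapper/cryptroot"'

# Real use: check_hooks_line "$(grep '^HOOKS=' /etc/mkinitcpio.conf)" etc.
check_hooks_line "$GOOD_HOOKS" && echo "hooks: ok"
check_hooks_line "$BAD_HOOKS" || echo "hooks: rejected as expected"
check_cmdline_line "$GOOD_CMDLINE" && echo "cmdline: ok"
```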

====Post install====
  * Configure network:<code>
# cp /

# vi /

# netctl list
# netctl start ethernet-static
# netctl enable ethernet-static
</code>
  * Add users
  * Enable SSH:<code>
# pacman -S openssh
# systemctl enable sshd
# systemctl start sshd
</code>
  * Configure simple firewall:<code>
# pacman -S ufw
# ufw default deny
# ufw allow SSH
# ufw enable
</code>
  * Configure timekeeping:<code>
vi /
# timedatectl set-ntp true
</code>
apu-arch-encrypted.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1