Ben Stienstra

{{tag>[hardware apu arch linux encrypted]}}
~~TOC~~

=====PC Engines APU - Arch Linux with LUKS encryption=====

====Set-up====
  * The host PC user (on Fedora) needs to be a member of the ''dialout'' and ''disk'' groups to access the serial port and to write to the USB drive. Alternatively, use sudo.
  * Connect to the PC Engines APU's serial port. The BIOS talks at 115200 baud; the serial console of the Arch Linux ISO uses 38400 baud:<code>
screen /dev/ttyUSB0 115200 # to select: boot from USB
screen /dev/ttyUSB0 38400  # to continue the Arch Linux installation</code>
  * Connect the APU to Ethernet / the internet for updates and access to the repositories.

====Bootable USB drive====
  * Download the latest image from [[https://www.archlinux.org/download/]].
  * Verify the download. A checksum taken from the same download page only detects a corrupt download; to detect a tampered image, also verify the detached PGP signature (''.sig'' file) published next to the ISO:<code>
SHA1: 91a195bf1395694151fc3f7f766e9d1233e2aed9

$ sha1sum archlinux-2017.05.01-x86_64.iso
91a195bf1395694151fc3f7f766e9d1233e2aed9  archlinux-2017.05.01-x86_64.iso
</code>
  * Copy the image to the USB drive. Double-check with ''lsblk'' that ''/dev/sdx'' really is the USB drive and not the host's own disk; dd overwrites whatever it is pointed at:<code>
sudo dd bs=4M if=archlinux-2017.05.01-x86_64.iso of=/dev/sdx status=progress && sync
</code>
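The verification and copy steps combined, as an added example that is not part of the original page: a bash script that refuses to write the image unless the checksum matches, the detached PGP signature verifies (the ''gpg'' form is the one Arch Linux documents for its ISOs; it needs network access to fetch the signing key), and the target is a block device the kernel marks as removable. The digest, file name and device in the usage comment are the page's values; the sample data used in the test is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): verify the Arch ISO and only then
# write it, so a corrupt, tampered or mis-targeted dd never happens by accident.
set -eu

# Return 0 if FILE's digest equals EXPECTED. ALGO is sha1 or sha256 (the
# download page used above publishes SHA1; prefer sha256 where it is offered).
verify_digest() {
    local file=$1 expected=$2 algo=${3:-sha1}
    printf '%s  %s\n' "$expected" "$file" | "${algo}sum" -c --status
}

# Verify the detached PGP signature ISO.sig shipped next to the image.
# Needs network access to fetch the Arch signing key (auto-key-retrieve).
verify_signature() {
    local iso=$1
    gpg --keyserver-options auto-key-retrieve --verify "${iso}.sig" "$iso"
}

# Return 0 only if DEV is a whole block device the kernel marks as removable,
# e.g. /dev/sdb for a USB stick; the host's internal disk fails this test.
is_removable_disk() {
    local dev=$1 name
    name=$(basename "$dev")
    [ -b "$dev" ] && [ "$(cat "/sys/block/$name/removable" 2>/dev/null)" = 1 ]
}

# Full workflow: digest, signature, target sanity check, then dd.
write_iso() {
    local iso=$1 expected=$2 dev=$3
    verify_digest "$iso" "$expected" sha1 || { echo "digest mismatch for $iso" >&2; return 1; }
    verify_signature "$iso" || { echo "bad or missing signature for $iso" >&2; return 1; }
    is_removable_disk "$dev" || { echo "refusing to write to $dev: not a removable disk" >&2; return 1; }
    dd bs=4M if="$iso" of="$dev" status=progress conv=fsync
}

# Usage (values from the page; run as root or via sudo):
#   write_iso archlinux-2017.05.01-x86_64.iso 91a195bf1395694151fc3f7f766e9d1233e2aed9 /dev/sdx
```

''conv=fsync'' makes dd flush the device before it returns, which replaces the trailing ''sync'' of the one-liner above.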
====Boot Arch Linux from USB====
  * Boot the APU and press F12, then select USB boot.
  * Switch your terminal to 38400 baud. Press ''ctrl-l'' to redraw the screen.
  * Select the ''Boot Arch Linux'' option and press ''TAB''.
  * Add ''console=ttyS0,38400'' to the kernel line and press ''enter''. {{:private:screenshot_from_2017-05-26_19-14-16.png?nolink|}}
  * Log in as ''root'' (no password).
  * If you connected the network cable after booting, request an IP address:<code># dhclient enp1s0</code>
  * Install and start sshd to complete the installation over SSH. Select a nearby mirror in ''/etc/pacman.d/mirrorlist'' first, and set a root password before starting sshd, since the live system's root has none:<code>
# pacman -Sy
# pacman -S openssh
# passwd root
# systemctl start sshd</code>

====Install Arch Linux====
The next steps install Arch Linux on an encrypted root filesystem. Note that ''/boot'' (kernel, initramfs and GRUB) stays unencrypted on ''/dev/sdX1'': the data on the root filesystem is protected, the boot chain itself is not.

===Partitions and filesystems===
  * Secure erase the SSD. An ATA Secure Erase removes remnants of any earlier, unencrypted use of the drive before LUKS goes on top.
    * Check that the device is not frozen. A frozen state usually means the BIOS locked ATA security at boot; re-plugging the SATA cable while the system is running commonly clears it:<code># hdparm -I /dev/sdX
Security: 
 Master password revision code = 65534
 supported
 not enabled
 not locked
 not frozen
 not expired: security count
 supported: enhanced erase
 2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
</code>
    * Set a user password. Any password will do: the drive disables security again (NULL password) once the erase has completed.<code>
# hdparm --user-master u --security-set-pass Meu3lieY43 /dev/sdX
security_password: "Meu3lieY43"

/dev/sda:
 Issuing SECURITY_SET_PASS command, password="Meu3lieY43", user=user, mode=high
</code>
    * Check that security is now ''enabled'':<code>
# hdparm -I /dev/sdX
Security: 
 Master password revision code = 65534
 supported
 enabled</code>
    * Secure erase the SSD. This takes the time reported above (about 2 minutes here); do not power the drive off while it runs:<code># hdparm --user-master u --security-erase Meu3lieY43 /dev/sdX
security_password: "Meu3lieY43"

/dev/sda:
 Issuing SECURITY_ERASE command, password="Meu3lieY43", user=user</code>
    * Check that security is still supported but no longer enabled:<code>
# hdparm -I /dev/sdX
Security: 
 Master password revision code = 65534
 supported

</code>
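The "not frozen / not locked / not enabled" checks above are easy to misread in a scrollback, so here is an added example that is not part of the original page: a bash script that parses the ''Security:'' block of ''hdparm -I'' output and reports a single state, returning success only when a fresh set-pass and erase can proceed. The sample outputs are constructed, modelled on the hdparm output shown above; the device name in the usage comment is a placeholder.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): parse the "Security:" block of
# `hdparm -I` and decide whether an ATA Secure Erase can be issued right now.
set -u

# Print only the lines of the Security block: from "Security:" up to the next
# line that is blank or not indented (hdparm indents the block with tabs).
security_block() {
    awk '/^Security:/ { inblock = 1; next }
         inblock && (/^[[:space:]]*$/ || /^[^[:space:]]/) { exit }
         inblock { print }'
}

# True if BLOCK contains a line matching REGEX.
block_has() { printf '%s\n' "$1" | grep -qE "$2"; }

# Read `hdparm -I` output on stdin; print one word and return 0 only for "ok":
#   unsupported  no ATA security feature set, Secure Erase is not available
#   frozen       the BIOS froze security at boot; a SATA re-plug usually clears it
#   locked       a password is set and the drive is locked; unlock it first
#   enabled      a password is already set; erase with that one, do not set a new one
#   ok           supported, not frozen, not locked, no password set
ata_security_state() {
    local block
    block=$(security_block)
    # A bare "supported" line; "supported: enhanced erase" is a different flag.
    if ! block_has "$block" '^[[:space:]]*supported[[:space:]]*$'; then echo unsupported; return 1; fi
    # "not frozen" starts with "not", so only the unprefixed flag matches here.
    if block_has "$block" '^[[:space:]]*frozen';  then echo frozen;  return 1; fi
    if block_has "$block" '^[[:space:]]*locked';  then echo locked;  return 1; fi
    if block_has "$block" '^[[:space:]]*enabled'; then echo enabled; return 1; fi
    echo ok
}

# Pre-flight for a real device (placeholder device name): succeeds only on "ok".
preflight_secure_erase() {
    hdparm -I "$1" | ata_security_state
}

# Constructed samples, modelled on the hdparm output shown on the page (single-space
# indentation here; real hdparm uses tabs, which the regexes also accept).
SAMPLE_READY='Security: 
 Master password revision code = 65534
 supported
 not enabled
 not locked
 not frozen
 not expired: security count
 supported: enhanced erase
 2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct'

SAMPLE_FROZEN='Security: 
 Master password revision code = 65534
 supported
 not enabled
 not locked
 frozen
 not expired: security count
 supported: enhanced erase'

# Usage: preflight_secure_erase /dev/sdX && hdparm --user-master u --security-set-pass ... /dev/sdX
```

Chaining the erase behind ''preflight_secure_erase'' with ''&&'' turns the manual "check that it says not frozen" step into something a script can refuse to skip.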
  * Partition the SSD: a 256 MiB primary partition for ''/boot'' and the rest of the drive for the LUKS container:<code>
(
echo o     # Create a new empty DOS partition table
echo n     # Add a new partition
echo p     # Primary partition
echo 1     # Partition number
echo       # First sector (Accept default)
echo +256M # Last sector: 256 MiB boot partition
echo n     # Add a new partition
echo p     # Primary partition
echo 2     # Partition number
echo       # First sector (Accept default)
echo       # Last sector (Accept default, rest of the drive)
echo w     # Write changes
) | fdisk /dev/sdX
</code>
  * Reboot if the kernel cannot use the new partitions yet:<code>
# partprobe /dev/sda
Error: Partition(s) 2 on /dev/sda have been written, but we have been unable to inform the kernel of the change, probably because it/they are in use.  As a result, the old partition(s) will remain in use.  You should reboot now before making further changes.
</code>
  * Create the LUKS container, then the root and /boot filesystems. ''cryptsetup'' asks for the passphrase twice (''-y''); this passphrase is all that stands between someone holding the SSD and the data, so choose it accordingly:<code>
# cryptsetup -y -v luksFormat /dev/sdX2
# cryptsetup open /dev/sdX2 cryptroot
# mkfs.ext4 /dev/mapper/cryptroot
# mount /dev/mapper/cryptroot /mnt

# mkfs.ext4 /dev/sdX1
# mkdir /mnt/boot
# mount /dev/sdX1 /mnt/boot
</code>

===Install Arch Linux===
  * Copy Arch Linux to the new filesystems:<code># pacstrap /mnt base</code>
  * Generate an fstab. Use UUIDs (''-U''): no filesystem labels were set above, so ''-L'' would fall back to device names, which can change:<code># genfstab -U /mnt >> /mnt/etc/fstab</code>
  * Chroot into the new system:<code># arch-chroot /mnt</code>
  * Set the root password:<code># passwd root</code>
  * Set up the system clock:<code>
# ln -s /usr/share/zoneinfo/Europe/Stockholm /etc/localtime
# hwclock --systohc --utc</code>
  * Set the hostname:<code># echo MYHOSTNAME > /etc/hostname</code>
  * Update the locale:<code># vi /etc/locale.gen
# locale-gen</code>
  * Add the encryption hook. ''keyboard'' and ''keymap'' must come before ''encrypt'' so the passphrase prompt in the initramfs has a working keyboard:<code># vi /etc/mkinitcpio.conf
HOOKS="base udev autodetect modconf keyboard keymap block encrypt filesystems fsck"
</code>
  * Generate a new initramfs:<code># mkinitcpio -p linux</code>
  * Install GRUB and configure it before generating its config. ''cryptdevice'' takes the UUID of the LUKS partition itself (''/dev/sdX2'', as shown by ''blkid''), not of ''/dev/mapper/cryptroot''; the kernel console and GRUB terminal settings use the APU's 115200 baud serial port:<code>
# pacman -S grub

# vi /etc/default/grub
GRUB_CMDLINE_LINUX="cryptdevice=UUID=<device-UUID>:cryptroot"
GRUB_CMDLINE_LINUX_DEFAULT="console=tty0 console=ttyS0,115200n8"

## Serial console
GRUB_TERMINAL=serial
GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"
</code>
  * Install the bootloader to the MBR and generate the GRUB config:<code>
# grub-install /dev/sdX
# grub-mkconfig -o /boot/grub/grub.cfg
</code>
  * Reboot and connect with 115200 baud. Both the GRUB menu and the LUKS passphrase prompt appear on the serial console.
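The ''/etc/default/grub'' edits above, as an added example that is not part of the original page: a bash helper that sets each ''GRUB_*'' variable exactly once (re-running it never leaves duplicate keys, of which the last one silently wins because GRUB sources the file as shell) and builds the ''cryptdevice'' argument from the LUKS partition UUID. The UUID, file path and device in the usage comment are placeholders; the values must not contain ''|'' or ''&'' because the helper uses sed.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): apply the /etc/default/grub
# settings for an encrypted root with a serial console, idempotently.
set -eu

# Set KEY="VALUE" in FILE, replacing an existing assignment or appending one.
# VALUE must not contain '|' or '&' (sed delimiter / replacement back-reference).
set_grub_var() {
    local file=$1 key=$2 value=$3
    if grep -qE "^${key}=" "$file"; then
        sed -i "s|^${key}=.*|${key}=\"${value}\"|" "$file"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# Kernel argument for the encrypt hook. UUID is that of the raw LUKS partition
# (/dev/sdX2, from `blkid -s UUID -o value /dev/sdX2`), never of /dev/mapper/cryptroot.
cryptdevice_cmdline() {
    local uuid=$1 name=${2:-cryptroot}
    printf 'cryptdevice=UUID=%s:%s' "$uuid" "$name"
}

# Write all four settings from the page into FILE. BAUD defaults to 115200, the
# rate the APU BIOS uses, so one terminal setting covers BIOS, GRUB and kernel.
configure_grub_for_apu() {
    local file=$1 uuid=$2 baud=${3:-115200}
    set_grub_var "$file" GRUB_CMDLINE_LINUX "$(cryptdevice_cmdline "$uuid")"
    set_grub_var "$file" GRUB_CMDLINE_LINUX_DEFAULT "console=tty0 console=ttyS0,${baud}n8"
    set_grub_var "$file" GRUB_TERMINAL serial
    set_grub_var "$file" GRUB_SERIAL_COMMAND "serial --speed=${baud} --unit=0 --word=8 --parity=no --stop=1"
}

# Number of assignments of KEY in FILE; stays 1 however often the function above runs.
count_key() { grep -cE "^$2=" "$1" || true; }

# Usage inside the chroot (placeholder device), then run grub-mkconfig as on the page:
#   configure_grub_for_apu /etc/default/grub "$(blkid -s UUID -o value /dev/sdX2)"
```

''count_key'' is there to check the result: a file with two ''GRUB_CMDLINE_LINUX='' lines boots with whichever comes last, which is the kind of mistake that only shows up as a missing ''cryptdevice'' prompt after reboot.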

====Post install====
  * Configure the network:<code>
# cp /etc/netctl/examples/ethernet-static /etc/netctl

# vi /etc/netctl/ethernet-static

# netctl list
# netctl start ethernet-static
# netctl enable ethernet-static
</code>
  * Add users, and do the daily work as one of them rather than as root.
  * Enable SSH:<code>
# pacman -S openssh
# systemctl enable sshd
# systemctl start sshd
</code>
  * Configure a simple firewall: deny everything incoming, allow SSH (''ufw limit SSH'' instead of ''allow'' additionally rate-limits repeated connection attempts from one address):<code>
# pacman -S ufw
# ufw default deny
# ufw allow SSH
# ufw enable
</code>
  * Configure timekeeping:<code>
# vi /etc/systemd/timesyncd.conf
# timedatectl set-ntp true
</code>

apu-arch-encrypted.txt · Last modified: 2017/05/26 22:37 by admin