Difference between revisions of "Encrypted funtoo on linode"

From Funtoo
(8 intermediate revisions by 2 users not shown)
Latest revision as of 15:15, March 4, 2017

This howto describes how to set up a complete encrypted Funtoo install (root file system and swap) using LUKS and LVM on a Linode VPS.


Setting up the Linode

  • From the Linode Manager, create a new Linode. Under the Disks section of the Linode Dashboard, click "Create a new Disk":

[Screenshot: New_Disk]


  • Label your new disk image and choose an appropriate size. Here we will create two disks: the first for the root partition and the second for swap. Set an appropriate size for each one.

[Screenshot: Edit_Disk]


  • Select the Create a New Configuration Profile option. Assign a label, and select your disk images under Block Device Assignment.

[Screenshot: Config_Profile]


Click on Save Changes once your profile is complete.


  • Return to the Linode Dashboard and select the Rescue tab. From there, click the Reboot Into Rescue Mode button. Your Linode will now boot into the Finnix recovery image. Use the Lish shell to access your Linode.
  • Run the following commands to set a root password and start the SSH server:


root # passwd ↵
root # service ssh start ↵


   Note: Use the Funtoo Install Guide for reference.
  • MBR Partition layout
Device     Boot  Start      End  Sectors  Size Id Type
/dev/sda1  *      2048   206847   204800  100M 83 Linux
/dev/sda2       206848 48021503 47814656 22.8G 83 Linux
Device     Boot Start     End Sectors  Size Id Type
/dev/sdb1        2048 2318335 2316288  1.1G 83 Linux


  • Encrypting partitions (root /dev/sda2 and swap /dev/sdb1)
root # cryptsetup --cipher aes-xts-plain64 --hash sha512 --key-size 512  --iter-time 2500 --use-urandom luksFormat /dev/sda2 ↵
root # cryptsetup --cipher aes-xts-plain64 --hash sha512 --key-size 512  --iter-time 2500 --use-urandom luksFormat /dev/sdb1 ↵


  • Opening the encrypted partitions
root # cryptsetup luksOpen /dev/sda2 cryptroot ↵
root # cryptsetup luksOpen /dev/sdb1 cryptswap ↵


  • Creating Logical Volumes
root # pvcreate /dev/mapper/cryptroot ↵
root # vgcreate data /dev/mapper/cryptroot ↵
root # lvcreate -l 100%FREE -nroot data ↵


root # pvcreate /dev/mapper/cryptswap ↵
root # vgcreate cswap /dev/mapper/cryptswap ↵
root # lvcreate -l 100%FREE -nswap cswap ↵


  • Creating FileSystems and Mounting them
root # mkfs.ext2 /dev/sda1 ↵
root # mkswap /dev/mapper/cswap-swap ↵
root # mkfs.ext4 /dev/mapper/data-root ↵
root # swapon /dev/mapper/cswap-swap ↵
root # mkdir /mnt/funtoo ↵
root # mount /dev/mapper/data-root /mnt/funtoo ↵
root # mkdir /mnt/funtoo/boot ↵
root # mount /dev/sda1 /mnt/funtoo/boot ↵


  • Install the Stage 3 tarball and chroot
   /etc/fstab
# <fs>                   <mountpoint>  <type>    <opts>                          <dump/pass>
/dev/sda1                /boot         ext2      noauto,noatime                  1 2
/dev/mapper/cswap-swap   none          swap      sw                              0 0
/dev/mapper/data-root    /             ext4      noatime,nodiratime,defaults     0 1


  • Update the System
root # echo "sys-kernel/debian-sources -binary" >> /etc/portage/package.use ↵
root # emerge --sync
root # emerge -uDavN --with-bdeps=y @world


  • Building the kernel
   Note: This step is very important.
root # cd /usr/src/linux ↵
root # make menuconfig ↵


General setup --->
    [*] Initial RAM filesystem and RAM disk (initramfs/initrd) support
    [*]   Support initial ramdisks compressed using gzip
Device Drivers --->
    Generic Driver Options --->
        [*] Maintain a devtmpfs filesystem to mount at /dev
    SCSI device support --->
        {*} SCSI device support
        <*> SCSI disk support
        <*> SCSI generic support
        [*] SCSI low-level drivers --->
            <*>   virtio-scsi support
    [*] Multiple devices driver support --->
        <*> Device Mapper Support
        <*>   Crypt target support
    Virtio drivers --->
        <*> PCI driver for virtio devices
        [*]   Support for legacy virtio draft 0.9.X and older devices
        <*> Virtio balloon driver
        <*> Virtio input driver
Cryptographic API --->
    <*> XTS support
    -*- AES cipher algorithms
    <*>   SHA256 digest algorithm (SSSE3/AVX/AVX2/SHA-NI)
    <*>   SHA512 digest algorithm (SSSE3/AVX/AVX2)


  • Install GRUB2 and boot-update ebuild
   /etc/boot.conf
boot {
        generate grub
        default "Funtoo Linux"
        timeout 3
}

"Funtoo Linux" {
        kernel vmlinuz[-v]
        initrd initramfs.cpio.gz
        params += enc_root=/dev/sda2 lvm luks root=/dev/mapper/data-root rootfstype=ext4 quiet
}


  • Better-Initramfs
root # cd /root && git clone https://github.com/slashbeast/better-initramfs ↵
root # cd better-initramfs  && make bootstrap-all && make prepare &&  make image && mv output/initramfs.cpio.gz /boot/ ↵
  • Install cryptsetup and lvm ebuilds
root # emerge -va cryptsetup lvm2 ↵
  • Configuring Swap to be mounted during boot

The key file will be stored on the encrypted root file system.

root # dd bs=512 count=4 if=/dev/urandom of=/etc/.swapkey iflag=fullblock  ↵
root # cryptsetup luksAddKey /dev/sdb1 /etc/.swapkey  ↵


   /etc/conf.d/dmcrypt
target=cryptswap
source='/dev/sdb1'
key='/etc/.swapkey'
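Added example, not from this wiki page or the Funtoo project: a small POSIX shell checker for the /etc/fstab, /etc/boot.conf, swap key and /etc/conf.d/dmcrypt steps above, which creates the key under umask 077 (the page's dd command inherits the shell umask, typically 022, which leaves /etc/.swapkey readable by every local user) and verifies that root= in boot.conf matches the fstab root entry, that the dmcrypt source differs from enc_root, and that the key file is mode 0600. It assumes GNU stat and runs on copies of the files written by write_samples, so no root or LUKS device is needed.

```shell
#!/bin/sh
# Added example, not from the Funtoo wiki page: create the swap key file
# with a safe mode and cross-check boot.conf, fstab and /etc/conf.d/dmcrypt.
# Works on copies of the files, so it needs no root and no LUKS device.

# 2048 random bytes (what the page's "dd bs=512 count=4" yields), created
# under umask 077 so the key file is mode 0600 from the moment it exists.
make_swapkey() {
    ( umask 077 && head -c 2048 /dev/urandom > "$1" )
}

# 0 if the key file is mode 0600 and exactly 2048 bytes (assumes GNU stat).
check_swapkey() {
    [ "$(stat -c %a "$1" 2>/dev/null)" = 600 ] && [ "$(wc -c < "$1")" -eq 2048 ]
}

# Value of "name=" inside a boot.conf params line ($1 file, $2 name).
bootparam() {
    sed -n 's/.*[[:space:]]'"$2"'=\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Value of a key in /etc/conf.d/dmcrypt with quotes stripped ($1 file, $2 key).
dmcryptval() {
    sed -n "s/^$2=//p" "$1" | tr -d "'\"" | head -n 1
}

# 0 when root= in boot.conf is the device fstab mounts on /, the dmcrypt
# source is not the LUKS root container named by enc_root=, and the dmcrypt
# key file passes check_swapkey. $1 boot.conf  $2 fstab  $3 dmcrypt
# $4 prefix put before the key path (use "" on the installed system).
check_boot_config() {
    root_dev=$(bootparam "$1" root)
    fstab_root=$(awk '$1 !~ /^#/ && $2 == "/" { print $1 }' "$2")
    [ -n "$root_dev" ] && [ "$root_dev" = "$fstab_root" ] || return 1
    enc_root=$(bootparam "$1" enc_root)
    swap_src=$(dmcryptval "$3" source)
    [ -n "$enc_root" ] && [ -n "$swap_src" ] && [ "$enc_root" != "$swap_src" ] || return 1
    check_swapkey "$4$(dmcryptval "$3" key)"
}

# Constructed copies of the page's three files plus a fresh key, under "$1".
write_samples() {
    mkdir -p "$1/etc/conf.d"
    printf '"Funtoo Linux" {\n\tparams += enc_root=/dev/sda2 lvm luks root=/dev/mapper/data-root rootfstype=ext4 quiet\n}\n' > "$1/etc/boot.conf"
    printf '/dev/sda1 /boot ext2 noauto,noatime 1 2\n/dev/mapper/cswap-swap none swap sw 0 0\n/dev/mapper/data-root / ext4 noatime,nodiratime,defaults 0 1\n' > "$1/etc/fstab"
    printf "target=cryptswap\nsource='/dev/sdb1'\nkey='/etc/.swapkey'\n" > "$1/etc/conf.d/dmcrypt"
    make_swapkey "$1/etc/.swapkey"
}
```

On the installed system, run check_boot_config /etc/boot.conf /etc/fstab /etc/conf.d/dmcrypt "" after the dmcrypt step; a non-zero exit means one of the three files or the key file disagrees with the others.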


  • Installing bootloader to MBR and adjusting some stuff
root # grub-install --target=i386-pc --no-floppy /dev/sda ↵
root # boot-update ↵
root # emerge rsyslog dnscrypt-proxy ↵
root # rc-update add rsyslog default ↵
root # rc-update add dnscrypt-proxy default ↵
root # rc-update add dmcrypt boot ↵
root # rc-update add lvm boot ↵
root # rc-update -u ↵


  • Configuring Networking
  • Get IP Addresses from Linode Manager Remote Access Tab
root # cd /etc/init.d ↵
root # ln -s netif.tmpl net.eth0 ↵
root # rc-update add net.eth0 default ↵
   /etc/conf.d/net.eth0
template="interface"
ipaddrs="200.230.240.45/24  2001:948:7:7::140/64"
nameservers="127.0.0.1"
gateway="200.230.240.1"
gateway6='fe80::1'


Show time!


  • From Linode Manager, On Dashboard tab click Shutdown and Edit Configuration Profile
  • Boot Settings -> Set Kernel to Direct Disk
  • Filesystem/Boot Helpers -> Disable ALL Helpers


Boot your Linode.