API tools faq
paste
Advertisement
xtiansimon

Luks-Anaconda_checklist

xtiansimon
Jun 21st, 2012
431
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 7.62 KB | None | 0 0
raw download clone embed print report
  1. Luks-ANaconda_checklist
  2.  
  3. --
  4. Note, This is my drive's configuration. I've substituted /dev/sda3 for <device> in many instances.
  5. # sudo lsblk -fa // List block devices. -a, list all devices; -f, include file system info.
  6. loop7
  7. sda
  8. |-- sda1 vfat xxxx-xxxx
  9. |-- sda2
  10. |-- sda3
  11.  
  12. 1) Install LUKS from LIVE Media
  13. 1.2) Optional[1]: Fill the device with random data:
  14. Filling <device> (eg: /dev/sda3) with random data before encrypting it greatly increases the strength of the encryption. The downside is that it can take a very long time.
  15. Warning. The commands below will destroy any existing data on the device.
  16. * The best way, which provides high quality random data but takes a long time (several minutes per gigabyte on most systems):
  17. # dd if=/dev/urandom of=<device>
  18.  
  19. * Fastest way, which provides lower quality random data:
  20. # badblocks -c 10240 -s -w -t random -v <device>
  21.  
  22. 1.3) Make Luks
  23. # cryptsetup luksFormat -y --cipher aes-xts-plain --key-size 512 /dev/sda3
  24.  
  25. WARNING!
  26. ========
  27. This will overwrite data on /dev/sda3 irrevocably.
  28.  
  29. Are you sure? (Type uppercase yes): YES
  30. Enter LUKS passphrase:
  31. Verify passphrase:
  32.  
  33. 1.4) Verify Luks is successfully installed,
  34. 1.4.1)
  35. #lsblk -fa
  36. loop7
  37. sda
  38. |-- sda1 vfat 6087-9C99
  39. |-- sda2
  40. |-- sda3 crypto_LUK 93b3841a-917c-4266-ae14-df6f145b2c72
  41.  
  42. 1.4.2)
  43. # cryptsetup isLuks /dev/sda3 && echo Success
  44. Success
  45.  
  46. 1.4.3)
  47. # cryptsetup luksDump /dev/sda3
  48. LUKS header information for /dev/sda3
  49. Version: 1
  50. Cipher name: aes
  51. Cipher mode: xts-plain
  52. Hash spec: sha1
  53. Payload offset: 4096
  54. MK bits: 512
  55. MK digest: bc 8e e0 da 62 3c f8 f5 2a 5a 5f e2 f6 da da 29 5c 5f d6 2c
  56. MK salt: a0 e0 10 09 f0 61 1d ca a6 04 09 3d ef 76 5b 09
  57. 5c 13 11 ef 58 90 3e d6 33 31 4c 85 04 49 a8 8e
  58. MK iterations: 9500
  59. UUID: 93b3841a-917c-4266-ae14-df6f145b2c72
  60.  
  61. Key Slot 0: ENABLED
  62. Iterations: 38201
  63. Salt: 08 90 39 c0 bd 95 ab e2 bf 93 25 59 4f fe a5 8b
  64. f2 11 2a 90 8b de 33 7a ce 2b b8 ca ca 0c e6 c0
  65. Key material offset: 8
  66. AF stripes: 4000
  67. Key Slot 1: DISABLED
  68. Key Slot 2: DISABLED
  69. Key Slot 3: DISABLED
  70. Key Slot 4: DISABLED
  71. Key Slot 5: DISABLED
  72. Key Slot 6: DISABLED
  73. Key Slot 7: DISABLED
  74.  
  75. 2) Create LVM from LIVE media
  76. 2.1) Open Luks partition,
  77. # cryptsetup luksOpen /dev/sda3 crypt*
  78. Enter passphrase for /dev/sda3:
  79.  
  80. *This setup uses <mapper name> "crypt". The LUKS_install instructions[1] suggest "name" should be luks-[UUID]. To use Luks-[UUID], get the value with these commands,
  81. # cryptsetup luksUUID /dev/sda3
  82.  
  83. 2.2)
  84. # pvcreate /dev/mapper/crypt
  85. Writing physical volume data to disk "/dev/mapper/crypt"
  86. Physical volume "/dev/mapper/crypt" successfully created
  87.  
  88. 2.3)
  89. # vgcreate cryptVG /dev/mapper/crypt
  90. Volume group "cryptVG" successfully created
  91.  
  92. 2.4) Create LVM partitions,
  93. 2.4.1) Logical volume "root" created
  94. # lvcreate -n root -L 25G cryptVG
  95.  
  96. 2.4.2) Logical volume "swap" created
  97. # lvcreate -n swap -L 5G cryptVG
  98.  
  99. 2.4.3) Logical volume "home" created
  100. # lvcreate -n home -l 100%FREE cryptVG
  101.  
  102. 2.4.4) Verify LVM is successful,
  103. # lsblk -fa
  104. [...]
  105. loop7
  106. sda
  107. |-- sda1 vfat xxxx-xxxx
  108. |-- sda2
  109. |-+ sda3 crypto_LUK xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  110. |-+ crypt (dm-2) LVM2_membe xxxxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxxxx
  111. |-- cryptVG-root (dm-3)
  112. |-- cryptVG-swap (dm-4)
  113. |-- cryptVG-home (dm-5)
  114.  
  115. 3) Optional: Make file systems
  116. 3.1) partition formatting,
  117. # mke2fs -c -t ext4 -L home /dev/mapper/cryptVG-home
  118. # mke2fs -c -t ext4 -L root /dev/mapper/cryptVG-root
  119.  
  120. 3.2) boot partition formatting,
  121. # mke2fs -c -t ext4 -L boot /dev/sda2
  122.  
  123. 3.3) swap partition formatting,
  124. #mkswap -c /dev/mapper/cryptVG-swap
  125.  
  126. 3.4) Close the LUKS
  127. [NOTE, I can't recall if I performed this step last time or not. It is however listed in the help post [2]
  128. # cryptsetup luksClose crypt
  129. Device crypt is busy.
  130. I just restarted...I think...
  131. ]
  132.  
  133. 4) open Luks and mount partitions for Anaconda installer,
  134. 4.1) Access Luks to mount the drives,
  135. # cryptsetup luksOpen /dev/sda[n] [cryptname]
  136. You will be asked for the passphrase for the device.
  137.  
  138. 4.2) Allow the kernel to access the Volume Group, "vgchange allowa you to change the attributes of one or more volume groups. ... Only active volume grups are subject to changes and allow access to their logical volumes. [see (Q) below]
  139. # vgchange -ay [volgroup]
  140.  
  141. 4.3) Make directories
  142. # mkdir /mnt/[mountpoint]
  143.  
  144. 4.4) Mount the partitions,
  145. # mount /dev/mapper/[volume_group-logical-volume] /mnt/[mount point]
  146. // Repeat this command for each logical volume
  147.  
  148. 5.) Anaconda installer (this is an outline of the steps for discussion and my notes, I've used the notation: <selected> //with a note at key steps.
  149. 5.1) Language
  150. 5.2) Device Type
  151. 5.3) Select Drive
  152. 5.3.1) Examining Storage Devices Progress Bar
  153. 5.4) Hostname
  154. 5.5) Time zone
  155. 5.6) Root password
  156. 5.7) What type of install?
  157. 5.7.1) Use all space
  158. 5.7.2) Replace Existing Linux System
  159. 5.7.3) Shrink current system
  160. 5.7.4) Use free space
  161. 5.7.5) Create Custom layout, <selected>
  162. [New screen displays physical volume, and logical volume partitions made above 4.5.7-4.5.8.
  163. Each partition is individually selectable. To edit the mount point, select partition from the list and "edit"]
  164. 5.7.6) Edit partition,
  165. 5.7.6.1) Set the mount points to the LVM partitions, //I set the home, root and boot partitions. swap was already recognized
  166. /, /home, /tmp, /var, /usr/local, /opt
  167. 5.7.6.2) Format the partition, //All partitions were made as ext4, save for swap.
  168. ext2, ext3, ext4, pv, raid, swap, xfs
  169. [NOTE, All paritions have the option to maintian the original formatting, but not the root mount point. This requires formatting for a new system installation.]
  170. 5.7.6.3) Encryption, //I set this in the above steps
  171. 5.7.7) Create Custom layout Options, //These options are greyed out when you select 7.5
  172. 5.7.7.1) Use LVM
  173. 5.7.7.2) Encrypt
  174. 5.7.7.3) Review settings
  175. 5.7.8) Examining Storage Devices Progress Bar
  176. 5.8) Boot loader device Options,
  177. 5.8.1) Boot loader,
  178. 5.8.1.1) Master Boot Record /dev/sda
  179. 5.8.1.2) First sector of boot partition /dev/sda2 <selected>
  180. 5.8.2) BIOS Drive Order
  181. 5.8.3) Boot loader password //I've tried this both ways as a trouble shooting effort to no effect
  182.  
  183.  
  184. -----
  185. [1]: http://docs.fedoraproject.org/en-US/Fedora/17/html/Installation_Guide/randomize_device.html
  186. [2]: http://forums.fedoraforum.org/showpost.php?p=1496052&postcount=14
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!