Rootfs encrypted with LUKS using LVM: difference between revisions
Current revision as of 22:58, 26 April 2021
Encrypting the drive
Read more about the different cipher options in the dm-crypt/LUKS cipher benchmark (1): http://blog.wpkg.org/2009/04/23/cipher-benchmark-for-dm-crypt-luks/
# cryptsetup --cipher aes-xts-plain64 luksFormat /dev/sda3
Or use SHA-512 for increased security. Do NOT use SHA-1 as the LUKS hash: as the cryptographer Bruce Schneier already said in 2005, do not use SHA-1 because it is broken. See his article here: (2)
# cryptsetup --cipher twofish-xts-plain64 --hash sha512 --key-size 256 luksFormat /dev/sda3
Open the volume
luksFormat initialized the volume and set its initial key (passphrase); now open it so that the decrypted device appears under /dev/mapper:
# cryptsetup luksOpen /dev/sda3 dmcrypt_root
You'll be prompted for the passphrase of the encrypted drive; type your paranoid password there. :D
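The page warns against SHA-1 and recommends the xts-plain64 mode; the following script, added here as an example and not part of the Funtoo page, audits the header of the volume just formatted for exactly those settings by parsing the output of cryptsetup luksDump (run as cryptsetup luksDump /dev/sda3 | audit_luks_dump). It assumes the LUKS1 "Key: value" dump layout that cryptsetup of that era produces (LUKS2 dumps are laid out differently), and the two dumps embedded below are constructed for demonstration.

```sh
#!/bin/sh
# Added example, not from the Funtoo wiki page.
# audit_luks_dump: reads `cryptsetup luksDump` output on stdin, prints findings
# for a SHA-1 hash spec, a non-xts-plain64 cipher mode or a master key shorter
# than 256 bits, and returns 1 if anything was found (0 if the header is fine).
# Assumes the LUKS1 dump layout ("Hash spec:<tab>sha256", "MK bits:<tab>256").
audit_luks_dump() {
    dump=$(cat)
    # field NAME: value of the "NAME:" line, first whitespace-separated token only
    field() { printf '%s\n' "$dump" | sed -n "s/^$1:[[:space:]]*\([^[:space:]]*\).*/\1/p" | head -n 1; }
    hash=$(field 'Hash spec')
    mode=$(field 'Cipher mode')
    bits=$(field 'MK bits')
    findings=0
    case "$hash" in
        '')   echo "FINDING: no 'Hash spec' line; is this a LUKS1 header?"; findings=1 ;;
        sha1) echo "FINDING: hash spec is sha1; reformat with --hash sha256 or --hash sha512"; findings=1 ;;
    esac
    if [ "$mode" != "xts-plain64" ]; then
        echo "FINDING: cipher mode is '$mode', expected xts-plain64"; findings=1
    fi
    # treat a missing or non-numeric key size as 0 so the numeric test is safe
    case "$bits" in ''|*[!0-9]*) bits=0 ;; esac
    if [ "$bits" -lt 256 ]; then
        echo "FINDING: master key is $bits bits; XTS splits the key in two, use --key-size 256 or 512"; findings=1
    fi
    if [ "$findings" -eq 0 ]; then
        echo "OK: hash=$hash mode=$mode bits=$bits"
    fi
    return "$findings"
}

# Constructed sample dumps (not captured from a real device).
SAMPLE_DUMP_OK=$(printf 'LUKS header information for /dev/sda3\n\nVersion:\t1\nCipher name:\taes\nCipher mode:\txts-plain64\nHash spec:\tsha512\nPayload offset:\t4096\nMK bits:\t256\n')
SAMPLE_DUMP_WEAK=$(printf 'LUKS header information for /dev/sda3\n\nVersion:\t1\nCipher name:\taes\nCipher mode:\tcbc-essiv:sha256\nHash spec:\tsha1\nPayload offset:\t2048\nMK bits:\t128\n')

printf '%s\n' "$SAMPLE_DUMP_OK" | audit_luks_dump
printf '%s\n' "$SAMPLE_DUMP_WEAK" | audit_luks_dump || echo "weak header rejected, as expected"
```

The check is deliberately strict about the mode because the page's own commands all use xts-plain64; if you intentionally chose another mode, adjust the comparison rather than ignoring the finding.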
Create logical volumes
# pvcreate /dev/mapper/dmcrypt_root
# vgcreate vg /dev/mapper/dmcrypt_root
# lvcreate -L10G --name root vg
# lvcreate -L2G --name swap vg
# lvcreate -L5G --name portage vg
# lvcreate -l 100%FREE -nhome vg
Feel free to specify your desired size by altering the number after the -L flag. For example, to make your portage volume 20GB, use -L20G instead of -L5G.
Note: the partitioning scheme above is an example, not a default recommendation; change it to suit the layout you want.
Create a filesystem on volumes
# mkfs.ext2 /dev/sda1
# mkswap /dev/mapper/vg-swap
# mkfs.ext4 /dev/mapper/vg-root
# mkfs.ext4 /dev/mapper/vg-portage
# mkfs.ext4 /dev/mapper/vg-home
Basic system setup
# swapon /dev/mapper/vg-swap
# mkdir /mnt/funtoo
# mount /dev/mapper/vg-root /mnt/funtoo
# mkdir -p /mnt/funtoo/{boot,usr/portage,home}
# mount /dev/sda1 /mnt/funtoo/boot
# mount /dev/mapper/vg-portage /mnt/funtoo/usr/portage
# mount /dev/mapper/vg-home /mnt/funtoo/home
Now perform all the steps required for a basic system install (follow [4]); don't forget to emerge the following before your install is finished:
- cryptsetup
- lvm2
- a bootloader (Grub2 recommended)
- kernel sources (hardened/grsec recommended)
Editing the fstab
Fire up your favorite text editor to edit /etc/fstab. You want to put the following in the file:
# cat /etc/fstab
# <fs>                  <mountpoint>   <type>   <opts>                        <dump/pass>
/dev/sda1               /boot          ext2     noauto,noatime                1 2
/dev/mapper/vg-swap     none           swap     sw                            0 0
/dev/mapper/vg-root     /              ext4     noatime,nodiratime,defaults   0 1
/dev/sr0                /mnt/cdrom     auto     noauto,ro                     0 0
/dev/mapper/vg-portage  /usr/portage   ext4     noatime,nodiratime            0 0
/dev/mapper/vg-home     /home          ext4     noatime,nodiratime            0 0
Kernel options
Note: If you are using debian-sources as included in mid-May 2015 and later Funtoo stages, you do not need to rebuild the kernel. The following instructions are for other kernels that you may choose to install.
General setup --->
    [*] Initial RAM filesystem and RAM disk (initramfs/initrd) support
Device Drivers --->
    Generic Driver Options --->
        [*] Maintain a devtmpfs filesystem to mount at /dev
Device Drivers --->
    [*] Multiple devices driver support --->
        <*> Device Mapper Support
        <*> Crypt target support
Cryptographic API --->
    <*> XTS support
    -*- AES cipher algorithms
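Before rebuilding, it is worth checking that the kernel .config really carries the options selected in the menu above. The script below is an added example, not from the Funtoo page: it looks for the Kconfig symbols behind those menu entries (CONFIG_BLK_DEV_INITRD, CONFIG_DEVTMPFS, CONFIG_MD, CONFIG_BLK_DEV_DM, CONFIG_DM_CRYPT, CONFIG_CRYPTO_XTS, CONFIG_CRYPTO_AES) and, because the page selects them built in, reports "=m" as a problem as well. The two config files it writes are constructed for demonstration; in practice run check_kernel_config /usr/src/linux/.config (or on a decompressed copy of /proc/config.gz).

```sh
#!/bin/sh
# Added example, not from the Funtoo wiki page.
# Kconfig symbols behind the menu entries the page lists for an encrypted LVM root.
REQUIRED_OPTIONS="CONFIG_BLK_DEV_INITRD CONFIG_DEVTMPFS CONFIG_MD CONFIG_BLK_DEV_DM CONFIG_DM_CRYPT CONFIG_CRYPTO_XTS CONFIG_CRYPTO_AES"

# check_kernel_config FILE: print each option that is missing or only modular;
# return the number of problems (0 means every option is built in with =y).
# A modular dm-crypt is useless when the initramfs cannot load modules before
# the root filesystem is unlocked, so =m counts as a problem here.
check_kernel_config() {
    problems=0
    for opt in $REQUIRED_OPTIONS; do
        if grep -q "^${opt}=y\$" "$1"; then
            continue
        elif grep -q "^${opt}=m\$" "$1"; then
            echo "MODULAR: $opt=m (must be =y to be usable before modules can be loaded)"
        else
            echo "MISSING: $opt"
        fi
        problems=$((problems + 1))
    done
    if [ "$problems" -eq 0 ]; then
        echo "OK: all required options are built in"
    fi
    return "$problems"
}

# write_sample_config FILE good|weak: constructed .config fragments for the demo
# (the "weak" one has dm-crypt as a module and XTS not selected at all).
write_sample_config() {
    if [ "$2" = good ]; then
        printf 'CONFIG_BLK_DEV_INITRD=y\nCONFIG_DEVTMPFS=y\nCONFIG_MD=y\nCONFIG_BLK_DEV_DM=y\nCONFIG_DM_CRYPT=y\nCONFIG_CRYPTO_XTS=y\nCONFIG_CRYPTO_AES=y\n' > "$1"
    else
        printf 'CONFIG_BLK_DEV_INITRD=y\nCONFIG_DEVTMPFS=y\nCONFIG_MD=y\nCONFIG_BLK_DEV_DM=y\nCONFIG_DM_CRYPT=m\n# CONFIG_CRYPTO_XTS is not set\nCONFIG_CRYPTO_AES=y\n' > "$1"
    fi
}

# Demonstration on the constructed "weak" config.
tmp=$(mktemp)
write_sample_config "$tmp" weak
check_kernel_config "$tmp" || echo "constructed config needs changes before rebuilding the kernel"
rm -f "$tmp"
```

The symbol list is the minimum for the page's setup; if you picked Twofish instead of AES, add CONFIG_CRYPTO_TWOFISH to REQUIRED_OPTIONS.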
Initramfs setup and configuration
Better-initramfs
# cd /opt
# git clone git://github.com/slashbeast/better-initramfs.git
# cd better-initramfs
# less README.rst
# bootstrap/bootstrap-all
# make prepare
# make image
Copy resulting initramfs.cpio.gz to /boot:
# cp output/initramfs.cpio.gz /boot
Alternatively, a pre-compiled binary initramfs is available at https://bitbucket.org/piotrkarbowski/better-initramfs/downloads
# wget https://bitbucket.org/piotrkarbowski/better-initramfs/downloads/release-x86_64-v0.7.2.tar.bz2
# tar xf release-x86_64-v0.7.2.tar.bz2
# cd release*
# gzip initramfs.cpio
# cp initramfs.cpio.gz /boot
Remember, the better-initramfs project is a work in progress, so you need to update it from time to time. This is easily done with git: go to the better-initramfs source dir and run:
# cd /opt/better-initramfs
# git pull
# less ChangeLog
Bootloader Configuration
Grub2 configuration
Emerge Grub2 with device-mapper support:
# echo 'sys-boot/grub device-mapper' >> /etc/portage/package.use/grub
# emerge grub
better-initramfs with HARDENED kernel
An example /etc/boot.conf for better-initramfs:
boot {
    generate grub
    default "Funtoo Linux Hardened"
    timeout 3
}

"Funtoo Linux Hardened" {
    kernel vmlinuz[-v]
    initrd /initramfs.cpio.gz
    params += enc_root=UUID="5b9ef51d-525e-4141-ad9f-7de802d1cdcf" lvm luks root=/dev/mapper/vg-root rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet video.allow_duplicates=1 iomem=relaxed
}
better-initramfs with default kernel
boot {
    generate grub
    default "Funtoo Linux"
    timeout 3
}

"Funtoo Linux" {
    kernel vmlinuz[-v]
    initrd /initramfs.cpio.gz
    params += enc_root=/dev/sda3 lvm luks root=/dev/mapper/vg-root rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet
}
better-initramfs with genkernel
boot {
    generate grub
    default "Funtoo Linux"
    timeout 3
}

"Funtoo Linux" {
    kernel kernel-genkernel-x86_64-3.13.0
    initrd initramfs-genkernel-x86_64-3.13.0
    params += crypt_root=/dev/sda3 dolvm real_root=/dev/mapper/vg-root rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet
}
Now run boot-update to write the configuration to /boot/grub/grub.cfg:
# boot-update
More info: http://www.funtoo.org/Rootfs_over_encrypted_lvm