ArchLinux:LUKS: Difference between revisions
m (→Title Icon) |
mNo edit summary |
||
| Line 5: | Line 5: | ||
Use an SD Card or USB flash drive in order to bolster your disk space is never a bad idea. It can be a great place to storage things that you need between machines (files too big for constant transfer over the network) or for just general storage. This will take you through adding one with LUKS and {{mono|ext4}} in order to hopefully keep your data safe and free from corruption.<br/> | Use an SD Card or USB flash drive in order to bolster your disk space is never a bad idea. It can be a great place to storage things that you need between machines (files too big for constant transfer over the network) or for just general storage. This will take you through adding one with LUKS and {{mono|ext4}} in order to hopefully keep your data safe and free from corruption.<br/> | ||
First re-partition the drive, for all of the examples in this tutorial I will be using an SD Card. If I refer to something as SD Card just think of this as the drive you are using. You will also need to locate the proper device node for the drive you are using, mine just so happens to be {{mono|/dev/mmcblk0}}. You can find the device node with {{mono|lsblk}}. | First re-partition the drive, for all of the examples in this tutorial I will be using an SD Card. If I refer to something as SD Card just think of this as the drive you are using. You will also need to locate the proper device node for the drive you are using, mine just so happens to be {{mono|/dev/mmcblk0}}. You can find the device node with {{mono|lsblk}}. | ||
= | ={{Icon24|sitemap}} Partitioning= | ||
Begin by partitioning the disk, for simplicity I will do a single partition scheme. | Begin by partitioning the disk, for simplicity I will do a single partition scheme. | ||
| Line 12: | Line 12: | ||
Create the necessary partition and give it a label. | Create the necessary partition and give it a label. | ||
{{Console|1=sudo sgdisk -n 1:0:-0 -t 1:8300 /dev/mmcblk0|2=sudo sgdisk -c 1:"SD Card" /dev/mmcblk0}} | {{Console|1=sudo sgdisk -n 1:0:-0 -t 1:8300 /dev/mmcblk0|2=sudo sgdisk -c 1:"SD Card" /dev/mmcblk0}} | ||
= | ={{Icon24|sitemap}} LUKS= | ||
Setup LUKS on the SD Card; confirm to erase by typing {{mono|YES}} (take note of the caps) and then set a password. | Setup LUKS on the SD Card; confirm to erase by typing {{mono|YES}} (take note of the caps) and then set a password. | ||
{{Console|1=sudo cryptsetup luksFormat /dev/mmcblk0p1}} | {{Console|1=sudo cryptsetup luksFormat /dev/mmcblk0p1}} | ||
| Line 18: | Line 18: | ||
Decrypt the LUKS partition, giving it a name. For the tutorial I will use {{mono|sdcard}}. | Decrypt the LUKS partition, giving it a name. For the tutorial I will use {{mono|sdcard}}. | ||
{{Console|1=sudo cryptsetup luksOpen /dev/mmcblk0p1 sdcard}} | {{Console|1=sudo cryptsetup luksOpen /dev/mmcblk0p1 sdcard}} | ||
= | ={{Icon24|sitemap}} Formatting= | ||
For the filesystem I will be using [[archwiki:F2FS|F2FS]] (Flash-Friendly File System). | For the filesystem I will be using [[archwiki:F2FS|F2FS]] (Flash-Friendly File System). F2FS, originally developed by Samsung, is a file system intended for NAND-based flash memory equipped with Flash Transition Layer. However if you would like to use ext4 instead that option is available. | ||
== | =={{Icon|notebook}} F2FS== | ||
First make sure {{mono|f2fs-tools}} is installed. | First make sure {{mono|f2fs-tools}} is installed. | ||
{{Console|1=yaourt -S f2fs-tools}} | {{Console|1=yaourt -S f2fs-tools}} | ||
Then format the decrypted LUKS container. | Then format the decrypted LUKS container. | ||
{{Console|1=sudo mkfs.f2fs /dev/mapper/sdcard}} | {{Console|1=sudo mkfs.f2fs /dev/mapper/sdcard}} | ||
== | =={{Icon|notebook}} ext4== | ||
First format the decrypted LUKS container. | First format the decrypted LUKS container. | ||
{{Console|1=sudo mkfs.ext4 /dev/mapper/sdcard}} | {{Console|1=sudo mkfs.ext4 /dev/mapper/sdcard}} | ||
| Line 31: | Line 31: | ||
{{Console|1=sudo tune2fs -o journal_data_writeback /dev/mapper/sdcard|2=sudo tune2fs -O ^has_journal /dev/mapper/sdcard|3=sudo e2fsck -f /dev/mapper/sdcard}} | {{Console|1=sudo tune2fs -o journal_data_writeback /dev/mapper/sdcard|2=sudo tune2fs -O ^has_journal /dev/mapper/sdcard|3=sudo e2fsck -f /dev/mapper/sdcard}} | ||
= | ={{Icon24|sitemap}} Keyfile= | ||
If you are already using LUKS for full system encryption you can store a keyfile on your encrypted system to auto-unlock your removable media. | If you are already using LUKS for full system encryption you can store a keyfile on your encrypted system to auto-unlock your removable media. | ||
| Line 38: | Line 38: | ||
Then add the keyfile to the LUKS partition. | Then add the keyfile to the LUKS partition. | ||
{{Console|1=sudo cryptsetup luksAddKey /dev/mmcblk0p1 /root/keyfile}} | {{Console|1=sudo cryptsetup luksAddKey /dev/mmcblk0p1 /root/keyfile}} | ||
= | ={{Icon24|sitemap}} Decrypt/Mount on Boot= | ||
Make a folder for your drive and set your current user to the owner. | Make a folder for your drive and set your current user to the owner. | ||
{{Console|1=sudo mkdir /mnt/sdcard && sudo chown kyau:users /mnt/sdcard}} | {{Console|1=sudo mkdir /mnt/sdcard && sudo chown kyau:users /mnt/sdcard}} | ||
| Line 44: | Line 44: | ||
{{Console|1=lsblk -f|2=echo -e "sdcard\tUUID{{=}}XXXXUUID-LUKS-SDXX-CARD-XXXXXXXXXXXX\t/root/keyfile" {{!}} sudo tee --append /etc/crypttab}} | {{Console|1=lsblk -f|2=echo -e "sdcard\tUUID{{=}}XXXXUUID-LUKS-SDXX-CARD-XXXXXXXXXXXX\t/root/keyfile" {{!}} sudo tee --append /etc/crypttab}} | ||
Finally add a line to {{mono|/etc/fstab}} so that it also gets automatically mounted on boot. | Finally add a line to {{mono|/etc/fstab}} so that it also gets automatically mounted on boot. | ||
{{Console|1=sudo vim /etc/fstab}}<br/> | |||
'''F2FS:'''<br/> | '''F2FS:'''<br/> | ||
{{Console|1= | {{Console|1=<mark class"white2">/dev/mapper/sdcard /mnt/sdcard</mark> <mark class="magenta">f2fs rw</mark><mark class="magenta2">,<mark><mark class="blue2">noatime</mark><mark class="magenta2">,<mark><mark class="magenta">nodiratime</mark><mark class="magenta2">,<mark>active_logs=6 0 0</mark>|prompt=false}} | ||
'''ext4:'''<br/> | '''ext4:'''<br/> | ||
{{Console|1= | {{Console|1=<mark class"white2">/dev/mapper/sdcard /mnt/sdcard</mark> <mark class="magenta">ext4 defaults</mark><mark class="magenta2">,<mark><mark class="blue2">noatime</mark><mark class="magenta2">,<mark><mark class="magenta">nodiratime</mark><mark class="magenta2">,<mark>data{{=}}writeback 0 0</mark>|prompt=false}} | ||
[[Category:Arch Linux]] | [[Category:Arch Linux]] | ||
Revision as of 09:44, 23 July 2017
 | UNDER CONSTRUCTION: The document is currently being modified! |
Back to Category:Arch LinuxUse an SD Card or USB flash drive in order to bolster your disk space is never a bad idea. It can be a great place to storage things that you need between machines (files too big for constant transfer over the network) or for just general storage. This will take you through adding one with LUKS and ext4 in order to hopefully keep your data safe and free from corruption.
First re-partition the drive, for all of the examples in this tutorial I will be using an SD Card. If I refer to something as SD Card just think of this as the drive you are using. You will also need to locate the proper device node for the drive you are using, mine just so happens to be /dev/mmcblk0. You can find the device node with lsblk.
Partitioning
PartitioningBegin by partitioning the disk, for simplicity I will do a single partition scheme.
Wipe the current partition table and create a new GPT partition table with protected MBR.
| # sudo sgdisk -Z -o /dev/mmcblk0 |
Create the necessary partition and give it a label.
| # sudo sgdisk -n 1:0:-0 -t 1:8300 /dev/mmcblk0 # sudo sgdisk -c 1:"SD Card" /dev/mmcblk0 |
LUKS
Setup LUKS on the SD Card; confirm to erase by typing YES (take note of the caps) and then set a password.
| # sudo cryptsetup luksFormat /dev/mmcblk0p1 |
 | WARNING: DO NOT forget the password to the partition or all of the data inside will be irretrievable! |
Decrypt the LUKS partition, giving it a name. For the tutorial I will use sdcard.
| # sudo cryptsetup luksOpen /dev/mmcblk0p1 sdcard |
Formatting
For the filesystem I will be using F2FS (Flash-Friendly File System). F2FS, originally developed by Samsung, is a file system intended for NAND-based flash memory equipped with Flash Transition Layer. However if you would like to use ext4 instead that option is available.
F2FS
F2FSFirst make sure f2fs-tools is installed.
| # yaourt -S f2fs-tools |
Then format the decrypted LUKS container.
| # sudo mkfs.f2fs /dev/mapper/sdcard |
ext4
First format the decrypted LUKS container.
| # sudo mkfs.ext4 /dev/mapper/sdcard |
Tune the filesystem to remove the journal and put it into writeback mode.
| # sudo tune2fs -o journal_data_writeback /dev/mapper/sdcard # sudo tune2fs -O ^has_journal /dev/mapper/sdcard # sudo e2fsck -f /dev/mapper/sdcard |
Keyfile
If you are already using LUKS for full system encryption you can store a keyfile on your encrypted system to auto-unlock your removable media.
Create a keyfile for the SD Card in the root folder and set the proper permissions.
| # sudo dd if=/dev/urandom of=/root/keyfile bs=1024 count=4 # sudo chmod 0400 /root/keyfile |
Then add the keyfile to the LUKS partition.
| # sudo cryptsetup luksAddKey /dev/mmcblk0p1 /root/keyfile |
Decrypt/Mount on Boot
Make a folder for your drive and set your current user to the owner.
| # sudo mkdir /mnt/sdcard && sudo chown kyau:users /mnt/sdcard |
Get the UUID of the partition and add a line to /etc/crypttab so that it gets decrypted on boot.
| # lsblk -f # echo -e "sdcard\tUUID=XXXXUUID-LUKS-SDXX-CARD-XXXXXXXXXXXX\t/root/keyfile" | sudo tee --append /etc/crypttab |
Finally add a line to /etc/fstab so that it also gets automatically mounted on boot.
| # sudo vim /etc/fstab |
F2FS:
| /dev/mapper/sdcard /mnt/sdcard f2fs rw,noatime,nodiratime,active_logs=6 0 0 |
ext4:
| /dev/mapper/sdcard /mnt/sdcard ext4 defaults,noatime,nodiratime,data=writeback 0 0 |
