GNU/Linux Edition

GNU/Linux Edition Encryption

Full-platform encryption method for the Pars Enterprise GNU/Linux edition, covering the boot system and combining a passphrase with a physical token.

Using LVM Method

Full encryption of the Pars Enterprise GNU/Linux edition with an EXT filesystem

Required package:

cryptsetup-initramfs: disk encryption support - initramfs integration

Default layout of the existing customized operating system:

### Loading the Linux operating system from a live environment

# /dev/sdx-current (root-ext4-100GB)

# /dev/sdx-current (home-btrfs-100GB)

Creating temporary folders for cloning the current volumes and moving home:

# mkdir /mnt/temp0 /mnt/temp1 /mnt/backup

Mounting the current root, home and backup volumes:

# mount /dev/sdx(root) /mnt/temp0

# mount /dev/sdx(home) /mnt/temp1

# mount /dev/sdx(backup) /mnt/backup

Moving the current home folder contents before cloning:

# mv /mnt/temp0/home/* /mnt/temp1

Unmounting the current root and home volumes after moving:

# umount /dev/sdx(root) /dev/sdx(home)

Cloning the current custom, root and home volumes:

# fsarchiver savefs /mnt/backup/image.fsa /dev/sdx1 /dev/sdx2 /dev/sdx3

Unmounting backup volume after cloning:

# umount /dev/sdx(backup)

Removing the created folders once the volumes are unmounted successfully:

# rm -rf /mnt/temp0 /mnt/temp1 /mnt/backup

Wiping the whole storage device before encryption:

# dd if=/dev/urandom of=/dev/sda bs=1M (optional)

Partitioning layout after the wipe:

# sdx1 (memory-ext2-boot)

# sda1 (bios_grub) cleared 1MB EF02 hidden

# sda2 (lvm) cleared 100% 8E00 hidden

# /dev/mapper/PEOSG-swapvol (swap-32GB)

# /dev/mapper/PEOSG-rootvol (ext4-100GB)

# /dev/mapper/PEOSG-homevol (btrfs-100%)

Starting platform encryption with the following parameters:

# cryptsetup -v -c aes-xts-plain64 -s 256 -h sha256 -i 5000 --use-random luksFormat --type luks1 /dev/sda2 (--type luks1 is needed so that GRUB2 can unlock the volume)

# cryptsetup luksOpen /dev/sda2 system

Creating the logical volumes before restoration:

# pvcreate /dev/mapper/system

# vgcreate PEOSG /dev/mapper/system

# lvcreate -L 32G PEOSG -n swapvol

# lvcreate -L 100G PEOSG -n rootvol

# lvcreate -l +100%FREE PEOSG -n homevol

Formatting created logical volumes with the following types:

# mkswap /dev/mapper/PEOSG-swapvol

# mkfs.ext4 /dev/mapper/PEOSG-rootvol

# mkfs.btrfs /dev/mapper/PEOSG-homevol

Creating temporary folders for restoring the cloned volumes and chrooting:

# mkdir /mnt/root /mnt/home /mnt/backup /mnt/token

Mounting backup volume before restoration:

# mount /dev/sdx(backup) /mnt/backup

Restoring cloned volumes to created logical volumes:

# fsarchiver restfs /mnt/backup/image.fsa id=0,dest=/dev/mapper/PEOSG-rootvol id=1,dest=/dev/mapper/PEOSG-homevol

Mounting restored volumes for the modifications:

# swapon /dev/mapper/PEOSG-swapvol

# mount /dev/mapper/PEOSG-rootvol /mnt/root

# mount /dev/mapper/PEOSG-homevol /mnt/home

Mounting the volume prepared for use as the physical token:

# mount /dev/sdx(token) /mnt/token

Generating the physical token key file and adding it to the encrypted storage:

# dd if=/dev/urandom of=/mnt/token/.PEOST bs=1024 count=4

# chmod 000 /mnt/token/.PEOST

# cryptsetup luksAddKey /dev/sda2 /mnt/token/.PEOST

Chrooting into the newly created root volume:

# mount -t proc none /mnt/root/proc

# mount -t sysfs none /mnt/root/sys

# mount --bind /dev /mnt/root/dev

# chroot /mnt/root /bin/bash

Changing the user passwords in the newly restored operating system:

# passwd root

# passwd (username)

Editing fstab entries with the following contents:

# nano /etc/fstab

# /dev/mapper/PEOSG-rootvol / ext4 defaults 0 1

# /dev/mapper/PEOSG-homevol /home btrfs defaults 0 2

# /dev/mapper/PEOSG-swapvol none swap sw 0 0

Editing crypttab entries with the following contents:

# nano /etc/crypttab

# system UUID=(sda2 by blkid command) /dev/disk/by-label/BOOT:.PEOST luks,nofail,tries=3,timeout=180,verify,keyscript=/lib/cryptsetup/scripts/passdev

Editing initramfs entries with the following modules:

# nano /etc/initramfs-tools/modules

# dm-crypt

# dm-mod

# aes-x86_64

# xts

# sha256

Editing grub entries with the following contents:

# nano /etc/default/grub

# GRUB_CMDLINE_LINUX="cryptdevice=UUID=(sda2 by blkid command):system"

# GRUB_ENABLE_CRYPTODISK=y

# GRUB_PRELOAD_MODULES="cryptodisk luks lvm"

Editing the swap (resume) entries with the following contents:

# nano /etc/initramfs-tools/conf.d/resume (replace the UUID with that of the new swap volume, as shown by the lvdisplay command)

# nano /etc/uswsusp.conf (replace the UUID with that of the new swap volume, as shown by the lvdisplay command)

Updating initramfs and grub configurations via:

# update-initramfs -k all -u -v

# grub-mkconfig -o /boot/grub/grub.cfg

# grub-install /dev/sda

# update-grub

Clearing the command line history and exiting the chroot:

# history -cw

Or

# cat /dev/null > ~/.bash_history && history -c && exit

Restricting the boot folder permissions in the newly restored operating system:

# chmod 000 /mnt/root/boot

Unmounting filesystems after modifications:

# umount /mnt/root/proc

# umount /mnt/root/sys

# umount /mnt/root/dev

# umount /dev/mapper/PEOSG-rootvol

# umount /dev/mapper/PEOSG-homevol

# umount /dev/sdx(backup)

# umount /dev/sdx(token)

Removing the created folders once the volumes are unmounted successfully:

# rm -rf /mnt/root /mnt/home /mnt/backup /mnt/token

Closing the new encrypted storage and rebooting:

# cryptsetup luksClose system

# sync && reboot
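A configuration sanity check to run inside the chroot before the reboot above, as an added example that is not part of the Pars Enterprise procedure: it parses the crypttab and fstab entries written earlier and flags a blkid placeholder left in the UUID field, a passdev token device that is not a stable /dev/disk/by-* name, a missing luks option, and an fstab filesystem type that does not match what the logical volume was formatted as. The volume group and logical volume names (PEOSG, rootvol, homevol, swapvol) come from the page; the sample lines used to exercise it are constructed.

```python
import re

# Constructed checker, not part of the Pars Enterprise procedure: validates the
# /etc/crypttab and /etc/fstab lines written above before leaving the chroot.
UUID_RE = re.compile(r"^UUID=[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def parse_crypttab(line):
    """Split a crypttab line into its four fields and parse the option list."""
    fields = line.split()
    if len(fields) != 4:
        raise ValueError("crypttab line needs exactly 4 fields: %r" % line)
    name, source, keyfile, opts = fields
    options = dict(o.partition("=")[::2] for o in opts.split(","))
    return {"name": name, "source": source, "keyfile": keyfile, "options": options}


def check_crypttab(line):
    """Return the problems found in a passdev-style crypttab entry (empty list = OK)."""
    e = parse_crypttab(line)
    problems = []
    if not UUID_RE.match(e["source"]):
        problems.append("source is not a UUID=... value; was the blkid placeholder replaced?")
    if e["options"].get("keyscript", "").endswith("/passdev"):
        # passdev reads the key from <device>:<path>[:<timeout>]; the device must be
        # a stable name, since /dev/sdX ordering changes when the token is plugged in.
        dev, sep, path = e["keyfile"].partition(":")
        if not sep or not path:
            problems.append("passdev key field must be <device>:<path>")
        elif not dev.startswith("/dev/disk/by-"):
            problems.append("token device should be a /dev/disk/by-* name, got %s" % dev)
    if "luks" not in e["options"]:
        problems.append("missing 'luks' option")
    return problems


def check_fstab(lines, vg, formatted):
    """Compare fstab mapper entries with the LVs created (dict lv name -> fstype)."""
    prefix = "/dev/mapper/%s-" % vg
    problems = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3 or not fields[0].startswith("/dev/mapper/"):
            continue
        lv = fields[0][len(prefix):]
        if not fields[0].startswith(prefix) or lv not in formatted:
            problems.append("%s: no such logical volume in %s" % (fields[0], vg))
        elif formatted[lv] != fields[2]:
            problems.append("%s: fstab says %s but the volume was formatted as %s"
                            % (fields[0], fields[2], formatted[lv]))
    return problems
```

Feed it the real files with `check_crypttab(open("/etc/crypttab").read().strip())` and `check_fstab(open("/etc/fstab").read().splitlines(), "PEOSG", {...})` and fix anything it reports before rebooting, since a bad crypttab or fstab leaves the encrypted system unbootable.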


BSD Documentation License

Copyright © 2015, Pars Enterprise [info@parsenterprise.com] All rights reserved.

Redistribution and use in source (ParsEnterprise.PDF) and 'compiled' forms (SGML, HTML, PDF, PostScript, RTF and so forth) with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code (ParsEnterprise.PDF) must retain the above copyright notice, this list of conditions and the following disclaimer as the first lines of this file unmodified.

2. Redistributions in compiled form (converted to PDF, HTML, RTF and other formats) must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. The name of the author may not be used to endorse or promote products derived from this documentation without specific prior written permission.

THIS DOCUMENTATION IS PROVIDED BY MAHDI MONTAZERI AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL MAHDI MONTAZERI BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
